H04L61/4523

LDAP query optimization with smart index selection

The present disclosure relates generally to Lightweight Directory Access Protocol (LDAP), and more particularly, to techniques for improving query performance on an LDAP server. One particular technique includes receiving an LDAP query having search criteria, identifying one or more search filters within the search criteria, determining candidate indices based on the identified one or more search filters, evaluating the candidate indices based on statistics collected for the candidate indices, selecting one or more indices from the candidate indices based on the evaluating, and executing the LDAP query on an LDAP directory using the selected one or more indices.

DNSSEC Lightweight Database Access Protocol Gateway
20180013726 · 2018-01-11

A system that converts standardized lightweight database access protocol (LDAP) requests into a series of domain name system (DNS) requests to look up requested information. DNS responses are validated using DNS security extensions (DNSSEC) to ensure their validity, then converted into standardized LDAP responses. The system is either operated as a service for public use on the Internet or private use in an enterprise; or as an application running on end user machines, e.g., laptops, mobile phones, to guarantee end-to-end security by validating responses on the end user machine. The standardized, widespread nature of the LDAP allows existing applications to immediately reap the benefits of global, ubiquitous, cross-organizational, trans-national data distribution via DNS secured by DNSSEC.

System and method for using real-time packet data to detect and manage network issues

A system and method are disclosed for extracting information from real-time network packet data to analyze connectivity data for client devices in a network. The method includes: detecting when client devices initiate a connectivity event; after detecting a connectivity event, waiting a period of time for the client device to either reach or fail to reach a network connected state; after waiting a period of time, recording connectivity event information; and sending the recorded connectivity event information to an analytics system for network incident and/or network congestion analysis.

Using credentials stored in different directories to access a common endpoint

A global endpoint may be associated with an organization name and a plurality of directories located in different geographic regions. The global endpoint may be a computing system that hosts a page used by users to access an application or service. A user may be able to access the application or service using already existing credentials. For example, the user may access the application or service using credentials stored and maintained by an entity with which the user is affiliated. Users having credentials stored in different geographic regions may be able to access the application or service via the same global endpoint.

Deceiving attackers accessing network data

Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application, the command is ignored and a simulated acknowledgment is sent, or deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.

Automated Lightweight Database Access Protocol Secure/Multipurpose Internet Mail Extensions Key Server
20220407888 · 2022-12-22

A Secure/Multipurpose Internet Mail Extensions (S/MIME) key material publication system that converts cryptographic material extracted from digitally signed and validated S/MIME messages it receives into key material formats suitable for populating email address books. Publication of the address book contents both internal and external to an organization is done using the standard address book lightweight database access protocol (LDAP). The wide availability and coordination of such automated address books distributing key material across the Internet allows the large installed base of S/MIME email clients to immediately send secure encrypted email across organizational boundaries. The system serves the role of public key server thus removing a barrier to ubiquitous secure encrypted email by simplifying global key management.

Network vulnerability detection
11528286 · 2022-12-13

A method for monitoring a directory environment of a computer network to detect vulnerabilities. The method comprises, at a first computer on the computer network, changing a configuration of the directory environment and, with a replication service, replicating the change at a second computer on the computer network. The method further comprises extracting information relating to the change from the replication service and using the extracted information to detect a vulnerability in the directory environment.