CN103220172A - Device and method based on LDAP (lightweight directory access protocol) user authorization management - Google Patents

Info

Publication number
CN103220172A
Authority
CN
China
Prior art keywords
ldap
application system
grouping
user
synchronized
Legal status
Granted
Application number
CN2013101202330A
Other languages
Chinese (zh)
Other versions
CN103220172B (en)
Inventor
许文雨
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
2013-04-08
Filing date
2013-04-08
Publication date
2013-07-24
Events
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201310120233.0A
Publication of CN103220172A
Application granted
Publication of CN103220172B
Legal status: Active

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a device and method for LDAP (Lightweight Directory Access Protocol) based user authorization management, which are applied on the server of an application system that interacts with an LDAP server. The device carries out the following processing flow: A, setting the synchronized directory range of the LDAP; B, synchronizing the organization units in the synchronized directory range of the LDAP into the application system, and synchronizing the users in those organization units into the groups corresponding to those organization units in the application system; and C, authorizing functions on the groups in the application system. By adopting this technical scheme, the problem of the large workload of application-system administrators in the prior art is effectively solved, and the user's experience is improved.

Description

Apparatus and method for LDAP-based user authority management
Technical field
The present invention relates to the field of communication technology, and in particular to an apparatus and method for LDAP-based user authority management.
Background art
LDAP (Lightweight Directory Access Protocol) is a protocol for publishing directory information to many different application resources. LDAP is comparable to a telephone directory and is similar to network directories in everyday use such as NIS (Network Information Service) and DNS (Domain Name Service). LDAP is a storage concept at a higher level of abstraction than a relational database; unlike a general-purpose database, LDAP is optimised for queries, and its read performance is far better than its write performance. An LDAP directory can store many kinds of data, such as e-mail addresses, mail routing information, human resource data, public keys, contact lists and so on.
At present, more and more enterprises use LDAP as the user management resource and integrate it with their own application systems, so as to achieve unified management of LDAP user authentication and to grant different function privileges to different users, i.e. to carry out rights management.
The application system synchronizes the specified LDAP users from the LDAP server into the system according to a configuration policy, thereby achieving unified authentication management of LDAP users. The configuration policy consists of two parts: a scope setting and a filter condition. The scope setting has the form ou=sales,dc=test,dc=com, meaning that the OU is restricted to sales; the filter condition has the form (&(objectclass=*)(cn=zhao*)), meaning that only users with the surname Zhao are synchronized. Users meeting these conditions are imported from the LDAP server, and different function privileges are then set for different users. In practice, however, the number of OU (Organization Unit) levels to be synchronized can be large, and the number of personnel involved is also very large, possibly reaching hundreds of thousands or even millions; granting function privileges one by one to individual users is therefore an enormous workload. The usual approach in the prior art is to first create groups in the application system, then assign users to groups so that users with the same privileges are placed in the same group, and finally grant privileges per group. Whether authorization is per user or per group, the prior art has the shortcoming of a large system maintenance workload, and when a user's privileges change, corresponding privilege adjustments must be made in the application system, which makes system maintenance heavy.
Summary of the invention
In view of this, the present invention provides an apparatus and method for LDAP-based user authority management to overcome the deficiencies of the prior art.
Specifically, the apparatus is applied on the server of an application system that interacts with an LDAP server, and comprises:
a configuration module, used to set the LDAP synchronized directory range;
a synchronization module, used to synchronize the OUs under the LDAP synchronized directory range into the application system and to synchronize the users under those OUs into the groups corresponding to those OUs in the application system;
an authorization module, used to carry out function authorization on the groups in the application system after synchronization.
The method comprises the following steps:
A, setting the LDAP synchronized directory range;
B, synchronizing the OUs under the LDAP synchronized directory range into the application system, and synchronizing the users under those OUs into the groups corresponding to those OUs in the application system;
C, carrying out function authorization on the groups in the application system.
As can be seen from the above technical scheme, the present invention synchronizes the users on the LDAP server into the application system by setting a synchronization policy, achieves intelligent grouping, and greatly reduces the administrator's maintenance burden.
Description of drawings
Fig. 1 is a logic diagram of the apparatus in one embodiment of the present invention;
Fig. 2 is a flow chart of the method in one embodiment of the present invention;
Fig. 3 is a schematic diagram of the LDAP organizational structure of a certain company in one embodiment of the present invention;
Fig. 4 is a schematic diagram of the LDAP personnel grouping formed when the application system grouping depth is 2, in one application scenario of the structure shown in Fig. 3;
Fig. 5 is a schematic diagram of the LDAP personnel grouping formed when the application system grouping depth is 1, in one application scenario of the structure shown in Fig. 3.
Embodiments
To address the problems in the prior art, the present invention provides an apparatus and method for LDAP-based user authority management, applied on the server of an application system that interacts with an LDAP server. Referring to Fig. 1 and Fig. 2, the apparatus comprises a configuration module, a synchronization module and an authorization module. When the present invention is implemented, the apparatus carries out the following processing flow:
Step 101: the configuration module sets the LDAP synchronized directory range.
On the LDAP server, the LDAP directory stores data in a tree-shaped hierarchical structure. Much like a DNS host name, the LDAP directory distinguished name (DN) is used to read a single record; a DN can be understood as a node of the tree. The top of the LDAP directory tree is the root, i.e. the Base DN, which is usually represented by the company's domain name; under the root, data are logically separated by OUs.
When setting up the application system's privileges, the range of users who will use the system must first be determined. In this step, the DN to be synchronized is set, i.e. a node of the tree on the LDAP server is specified; all users under that node will be synchronized into the application system in the subsequent steps, which is to say that all users under that node will have the right to access the application system.
Step 102: the configuration module sets the grouping depth (number of grouping levels) used by the application system for rights management.
In this step, the grouping depth is an operational parameter set by the administrator according to actual needs. In practice, the administrator may set it separately for a particular LDAP service, or set it globally for all LDAP services.
Step 103: the synchronization module synchronizes the OUs below the specified DN on the LDAP server into the application system; specifically, the users under those OUs are synchronized into the groups corresponding to those OUs in the application system.
In this step, when the application system has no group corresponding to an LDAP OU that needs to be synchronized, the synchronization module further creates a new group corresponding to that LDAP OU in the application system. The corresponding group may have the same name as the OU, or may use a preset group name; for example, the company name may be prefixed to the OU name as circumstances require.
The following explanation takes the case where the group name is the same as the OU name as an example. This step is divided into two cases when executed. Referring to the LDAP organization chart of a certain IT company shown in Fig. 3, suppose the LDAP root is specified as the synchronized DN in step 101; then the OUs market and software are at level 1 on the server, and the OUs sales, sells, test and research are at level 2.
Case one: the configuration module has set the grouping depth to 2 or more, so the level of every OU on the server is within the grouping depth. In this step, the synchronization module synchronizes OUs such as market, software and sales into the groups of the same name in the application system; specifically, each OU is synchronized into the corresponding group in the application system, and the users under that OU are synchronized into the application system group of the same name. After synchronization, the LDAP personnel grouping shown in Fig. 4 is formed in the application system, where solid lines represent connections between groups and dotted lines represent connections between a group and its users.
Case two: the configuration module has set the grouping depth to 1. The OUs market and software are at level 1 on the server, which does not exceed the grouping depth, so the synchronization module synchronizes them into the groups of the same name in the application system. The OUs sales, sells, test and research are at level 2, which exceeds the grouping depth; in this case, in the embodiment of the present invention, the users of these OUs are synchronized into the application system group of the same name as the superior OU of that OU. Specifically, the users Jack and Peter under sales and sells are synchronized into the market group, and the users John and Tom under test and research are synchronized into the software group. After synchronization, the LDAP personnel grouping shown in Fig. 5 is formed in the application system, where solid lines represent connections between groups and dotted lines represent connections between a group and its users.
Step 104: after synchronization is finished, the authorization module carries out function authorization on the groups in the application system.
In this step, the authorization module grants privileges according to the administrator's instructions. Refer to the two cases in step 103.
Case one: taking the LDAP personnel grouping shown in Fig. 4 as an example, different privileges can be set for users as required. For example, Hellen, as the leader of the marketing department (market), is authorized in the application system to view and handle sales and related after-sales business; Jack, as an employee of the sales department (sales), can only view and handle sales-related business; Peter, as an employee of the after-sales department (sells), can only view and handle after-sales business; Bill, as the leader of the software department (software), is authorized in the application system to view and handle all research and development business; John, as an employee of the test department (test), can only view and handle test-related business; and Tom, as an employee of the research and development department (research), can only view and handle development-related business.
Case two: taking the LDAP personnel grouping shown in Fig. 5 as an example, the leader and employees of the marketing department are in one group and their privileges are identical; likewise, the leader and employees of the software department are in one group and their privileges are also identical. In practice, some human resources or financial software gives leaders and employees the same privileges; in that case, the administrator's work can be simplified by setting, in step 102, the grouping depth at which the application system carries out rights management. It should be noted that step 102 is not an essential step: in practice the grouping depth need not be set, and all OUs under the specified node on the server may be synchronized directly; if some software does not distinguish the privileges of certain groups, the administrator simply sets the same privileges for those groups. Step 102 gives the administrator flexible control over the administration structure in the present invention: in large enterprises such as banks there are very many personnel categories, but from the function privilege perspective the system administrator may not need so many categories, so the grouping depth can be set to reduce the number of levels during synchronization and lighten the system maintenance burden.
After the above settings are completed, each user, upon logging into the application system with his own account, can only access the business he has been authorized to access, thereby achieving the purpose of access control.
Step 105: when the users under the above OUs on the LDAP server change, step 103 is re-executed.
When company personnel join, leave or are promoted, an employee's privileges may change. For example, if Jack is promoted to leader of the marketing department, i.e. Jack is moved under ou=market on the LDAP server, the administrator does not need to adjust Jack's privileges in the application system; only a re-synchronization is needed, and Jack is automatically placed in the market group in the application system. In this step, the re-synchronization is set as required: it may be periodic synchronization, or it may be executed manually; specifically, it may be performed at regular intervals according to a predetermined period, or the administrator may perform it after receiving notice of a personnel change.
From the above description it can be seen that the technical scheme provided by the present invention achieves automatic group management, makes it convenient for the administrator to carry out function authorization, and significantly reduces the workload of user authority management; at the same time, the administrator can flexibly control the authority administration structure according to the needs of his own application system. When users change, privileges do not need to be reset, which lightens the administrator's maintenance burden. Because LDAP is widely used in large, medium and small enterprises, the present invention has a wide range of application and can better improve user experience.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
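As an added example that is not part of the patent or of H3C's own code, the following Python sketches steps 101 to 105 on the Fig. 3 organisation: DNs are parsed, each user's OU level below the synchronized DN is computed, the grouping depth of step 102 decides whether a user lands in his own OU's group or in the ancestor group (claim 2; the page shows two levels and the code extends this to any depth), missing groups are created (claim 3), and a second run after moving Jack to ou=market shows the re-synchronization of step 105. The base DN, the user DNs and the grant labels are constructed assumptions.

```python
"""Added example, not from the patent: synchronising LDAP users into application
groups by OU with a configurable grouping depth (steps 101-105 / claims 2, 3, 4).
Sample entries are constructed from the Fig. 3 organisation; DNs are assumptions."""
from typing import Dict, List, Optional, Set, Tuple

BASE_DN = "dc=example,dc=com"   # constructed; stands in for the LDAP root used as sync DN

# Constructed LDAP user entries (user DN, cn) following the Fig. 3 structure:
# market -> sales, sells ; software -> test, research
LDAP_USERS: List[Tuple[str, str]] = [
    ("cn=Hellen,ou=market,dc=example,dc=com", "Hellen"),
    ("cn=Jack,ou=sales,ou=market,dc=example,dc=com", "Jack"),
    ("cn=Peter,ou=sells,ou=market,dc=example,dc=com", "Peter"),
    ("cn=Bill,ou=software,dc=example,dc=com", "Bill"),
    ("cn=John,ou=test,ou=software,dc=example,dc=com", "John"),
    ("cn=Tom,ou=research,ou=software,dc=example,dc=com", "Tom"),
]

# Step 104 grants per group, following the Fig. 4 description (labels constructed)
GRANTS: Dict[str, Set[str]] = {
    "market": {"sales", "after-sales"}, "sales": {"sales"}, "sells": {"after-sales"},
    "software": {"test", "development"}, "test": {"test"}, "research": {"development"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, most specific first; honours '\\,' escapes."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for p in parts:
        t, _, v = p.partition("=")
        rdns.append((t.strip().lower(), v.strip()))
    return rdns


def ou_path(user_dn: str, base_dn: str) -> List[str]:
    """OU chain from the sync DN downward, e.g. ['market', 'sales'] (OU level == len)."""
    rdns, base = parse_dn(user_dn), parse_dn(base_dn)
    if len(rdns) <= len(base) or rdns[-len(base):] != base:
        raise ValueError(f"{user_dn} is outside the synchronized range {base_dn}")
    below = rdns[:-len(base)]                       # RDNs under the sync DN
    return [v for t, v in reversed(below) if t == "ou"]


def target_group(ou_chain: List[str], depth: Optional[int] = None) -> str:
    """Own OU when its level is within the grouping depth, otherwise the ancestor OU
    at that depth (claim 2; the page shows two levels, this generalises to any depth)."""
    if not ou_chain:
        raise ValueError("user sits directly under the sync DN; no OU to group by")
    if depth is None or len(ou_chain) <= depth:    # step 102 is optional (depth None)
        return ou_chain[-1]
    return ou_chain[depth - 1]


def synchronize(users, base_dn, depth=None, groups=None):
    """Step 103 / B: rebuild group -> members. Missing groups are created (claim 3);
    re-running after a directory change moves users, so old membership is dropped."""
    groups = {} if groups is None else groups
    wanted = {cn: target_group(ou_path(dn, base_dn), depth) for dn, cn in users}
    for members in groups.values():
        members.clear()
    for cn, grp in wanted.items():
        groups.setdefault(grp, set()).add(cn)
    return groups


def can_access(groups, grants, user: str, business: str) -> bool:
    """Step 104: a user may touch only the business granted to the group he was synced into."""
    return any(user in m and business in grants.get(g, set()) for g, m in groups.items())
```

Running `synchronize(LDAP_USERS, BASE_DN, depth=1)` reproduces the Fig. 5 grouping (Jack and Peter fall into market), while `depth=2` reproduces Fig. 4.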

Claims (8)

1. An apparatus for LDAP-based user authority management, applied on the server of an application system that interacts with an LDAP server, characterized in that the apparatus comprises:
a configuration module, used to set the LDAP synchronized directory range;
a synchronization module, used to synchronize the OUs under the LDAP synchronized directory range into the application system and to synchronize the users under those OUs into the groups corresponding to those OUs in the application system;
an authorization module, used to carry out function authorization on the groups in the application system after synchronization.
2. The apparatus according to claim 1, characterized in that:
the configuration module is further used to set the grouping depth used by the application system for rights management;
the synchronization module is further used, when the level of an OU exceeds the grouping depth, to synchronize the users of that OU into the group in the application system that corresponds to the superior OU of that OU.
3. The apparatus according to claim 1, characterized in that, when the application system has no group corresponding to an LDAP OU that needs to be synchronized, the synchronization module is further used to create a new group corresponding to that OU.
4. The apparatus according to claim 1, characterized in that, when the users under the above OUs on the LDAP server change, the synchronization module re-executes the synchronization.
5. A method for LDAP-based user authority management, applied on the server of an application system that interacts with an LDAP server, characterized in that the method comprises the following steps:
A, setting the LDAP synchronized directory range;
B, synchronizing the OUs under the LDAP synchronized directory range into the application system, and synchronizing the users under those OUs into the groups corresponding to those OUs in the application system;
C, carrying out function authorization on the groups in the application system.
6. The method according to claim 5, characterized in that it further comprises, before step B, a step B1:
B1, setting the grouping depth used by the application system for rights management;
and step B further comprises, when the level of an OU exceeds the grouping depth, synchronizing the users of that OU into the group in the application system that corresponds to the superior OU of that OU.
7. The method according to claim 5, characterized in that, when the application system has no group corresponding to an LDAP OU that needs to be synchronized, step B further comprises creating a new group corresponding to that OU.
8. The method according to claim 5, characterized in that the method further comprises a step D:
D, when the users under the above OUs on the LDAP server change, re-executing step B.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310120233.0A CN103220172B (en) 2013-04-08 2013-04-08 A kind of apparatus and method based on LDAP user authority managements

Publications (2)

Publication Number Publication Date
CN103220172A true CN103220172A (en) 2013-07-24
CN103220172B CN103220172B (en) 2017-06-30

Family

ID=48817657

Country Status (1)

Country Link
CN (1) CN103220172B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1794724A (en) * 2005-10-27 2006-06-28 华为技术有限公司 Method of realizing data synchronization on SyncML layer
US7185361B1 (en) * 2000-01-31 2007-02-27 Secure Computing Corporation System, method and computer program product for authenticating users using a lightweight directory access protocol (LDAP) directory server
CN102088351A (en) * 2009-12-08 2011-06-08 长春吉大正元信息技术股份有限公司 Authorization management system and implementation method thereof
CN102368762A (en) * 2011-06-21 2012-03-07 杭州华三通信技术有限公司 LDAP (Lightweight Directory Access Protocol) user management method and device thereof
US20130061306A1 (en) * 2011-09-06 2013-03-07 Richard Sinn Hybrid cloud identity mapping infrastructure

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
冯威: "Design and Implementation of an LDAP-based Service Registry Center", China Master's Theses Full-text Database *
郑辉: "Research and Design of an LDAP-based Unified Identity Authentication Directory Service System", China Master's Theses Full-text Database *
黄露怡: "Research and Implementation of a University Unified User Management System in an SOA Environment", China Master's Theses Full-text Database *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104169938A (en) * 2013-12-30 2014-11-26 华为终端有限公司 Permission management method and permission management device
WO2015100545A1 (en) * 2013-12-30 2015-07-09 华为终端有限公司 Method and device for rights management
CN107659427A (en) * 2016-08-26 2018-02-02 平安科技(深圳)有限公司 Project method of controlling switch and system
CN107659427B (en) * 2016-08-26 2020-11-17 平安科技(深圳)有限公司 Project switch control method and system
CN107193949A (en) * 2017-05-22 2017-09-22 携程旅游信息技术(上海)有限公司 The method and system of newly-built tissue based on Active Directory organizational structure
CN107862508A (en) * 2017-11-08 2018-03-30 搜易贷(北京)金融信息服务有限公司 A kind of method of automatic data processing

Also Published As

Publication number Publication date
CN103220172B (en) 2017-06-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Applicant after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou science and Technology Development Zone, Zhejiang high tech park, No. six and road, No. 310
Applicant before: Huasan Communication Technology Co., Ltd.
GR01 Patent grant