WO2021068518A1 - Identity authentication method and system, electronic equipment and storage medium - Google Patents

Identity authentication method and system, electronic equipment and storage medium Download PDF

Info

Publication number
WO2021068518A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
server
ldap server
authentication
login information
Prior art date
Application number
PCT/CN2020/092842
Other languages
French (fr)
Chinese (zh)
Inventor
程小伟
赵阳阳
Original Assignee
山东英信计算机技术有限公司
Priority date
Filing date
Publication date
Application filed by 山东英信计算机技术有限公司
Publication of WO2021068518A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4523 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using lightweight directory access protocol [LDAP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • This application relates to the field of computer technology, in particular to an identity authentication method and system, an electronic device and a storage medium.
  • Web (World Wide Web)
  • the Web system is a network service built on the Internet. It provides a graphical, easy-to-access and intuitive interface for viewers to find and browse information on the Internet.
  • the documents and hyperlinks in it organize the information nodes on the Internet into one Interrelated network structure.
  • the user's login operation needs to be verified by the local database user in order to query the user's role permissions.
  • the relevant verification data of the user cannot be inquired from the local database in time, resulting in low identity authentication efficiency.
  • the purpose of this application is to provide an identity authentication method, system, an electronic device and a storage medium, which can improve the efficiency of identity authentication.
  • the identity authentication method includes:
  • the user login information includes a user name and a login password
  • the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server;
  • after the identity authentication status is set to pass authentication, the method also includes:
  • it also includes:
  • the allocating permissions corresponding to the user attributes to the user includes:
  • the user is assigned the permission corresponding to the user attribute by querying the permission correspondence table.
  • querying the user attributes corresponding to the user login information includes:
  • the local database includes the user login information
  • the target LDAP server includes the user login information
  • before receiving server configuration parameters, the method also includes:
  • using the server configuration parameters to connect to the LDAP server includes:
  • when the server configuration parameters are correct, it is determined that the connection to the LDAP server is successful; when they are incorrect, it is determined that the connection to the LDAP server fails.
  • the server configuration parameters include any one or a combination of any of the server domain name, server port, reference identification name, user class name, user directory, and user attribute.
  • the target LDAP server is an LDAP server in the list of third-party authentication sources
  • a second target LDAP server is determined according to the authentication source increase information, and the second target LDAP server is added to the list of third-party authentication sources.
  • This application also provides an identity authentication system, which includes:
  • the server connection module is used to receive server configuration parameters, and use the server configuration parameters to connect to the LDAP server;
  • the information receiving module is used to receive user login information; wherein, the user login information includes a user name and a login password;
  • the authentication module is configured to determine whether the standard login information stored by the authentication source includes the user login information; wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server;
  • the status setting module is used to set the identity authentication status to pass the authentication when the standard login information includes the user login information.
  • the present application also provides a storage medium on which a computer program is stored, and when the computer program is executed, the steps performed by the above-mentioned identity authentication method are implemented.
  • the present application also provides an electronic device including a memory and a processor, the memory is stored with a computer program, and when the processor invokes the computer program in the memory, the steps performed by the above-mentioned identity authentication method are implemented.
  • This application provides an identity authentication method, including: receiving server configuration parameters and using them to connect to an LDAP server; receiving user login information, wherein the user login information includes a user name and a login password; determining whether the standard login information stored by the authentication source includes the user login information, wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server; and if so, setting the identity authentication status to pass the authentication.
  • This application connects to the LDAP server according to the server configuration parameters.
  • the LDAP server can store standard login information. That is to say, this application uses the LDAP server, in addition to the local database, as a device for storing standard login information, so that multiple authentication sources participate in verifying user login information. Therefore, after receiving the user name and login password entered by the user, this application verifies them against the local database and the target LDAP server to facilitate the identity authentication operation. Since multiple authentication sources participate in identity authentication, the impact on the authentication business when some authentication sources are under high business pressure or abnormal is reduced, and the efficiency of identity authentication is improved.
  • This application also provides an identity authentication system, an electronic device, and a storage medium, which have the above-mentioned beneficial effects, and will not be repeated here.
  • FIG. 1 is a flowchart of an identity authentication method provided by an embodiment of the application
  • FIG. 2 is a flowchart of a method for allocating user permissions provided by an embodiment of the application
  • FIG. 3 is a schematic diagram of the principle of a multi-domain identity authentication method based on an LDAP server and a local database provided by an embodiment of the application;
  • Fig. 4 is a schematic structural diagram of an identity authentication system provided by an embodiment of the application.
  • FIG. 1 is a flowchart of an identity authentication method provided by an embodiment of the application.
  • S101 Receive server configuration parameters, and use the server configuration parameters to connect to the LDAP server;
  • the execution subject of this embodiment may be a Web server to which multiple clients are connected, and a client may send server configuration parameters to the Web server in order to connect to an LDAP (Lightweight Directory Access Protocol) server.
  • the client can also send user login information to the Web server, so that the Web server authenticates the user login information based on the authentication source.
  • the specific server configuration parameters may include any one of the server domain name, server port, reference identification name, user class name, user directory, and user attribute, or any combination of several of them.
  • the server configuration parameters received in this step can be multiple sets of server configuration parameters connected to multiple LDAP servers, and the successfully connected LDAP server can be set as the target LDAP server.
  • the LDAP server is used to provide directory services, but the existing LDAP server is only used as a database for querying user information, and does not complete the function of logging in to a third-party system.
  • Standard login information can be stored in the LDAP server in this application, and identity authentication can be realized by connecting with the Web server.
  • the following operations can be performed: setting standard configuration parameters for the LDAP server through the Web configuration page.
  • the related operation of S101 may be: sending the server configuration parameters to the LDAP server, so that the LDAP server judges whether the server configuration parameters are correct according to the standard configuration parameters; wherein, when the server configuration parameters are correct, it is determined that the connection to the LDAP server is successful, and when they are incorrect, it is determined that the connection to the LDAP server fails.
  • the user login information received in this step is the user name and login password sent by the client, and the user login information may also be the user name and login password entered by the user on the front-end Web page.
  • S103 Determine whether the standard login information stored by the authentication source includes the user login information; if yes, go to S104; if not, go to S105;
  • the authentication source mentioned in this embodiment may include the local database of the Web server and the successfully accessed LDAP server. The user login information received in S102 may be matched against the standard login information stored in all authentication sources to determine whether the user login information is stored in an authentication source; if it is stored, S104 can be entered to set the identity authentication status to authenticated; if it is not stored, a prompt message indicating that the login failed can be returned.
  • the authentication source in this embodiment may include a local database and a target LDAP server, and the target LDAP server is an LDAP server that was successfully connected in S101.
  • the target LDAP server in this embodiment may be an LDAP server that is successfully connected and exists in the list of third-party authentication sources.
  • a list of third-party authentication sources may be set to record the identities that can participate.
  • the LDAP server used as the authentication source in this embodiment is both a server in the list of third-party authentication sources and a successfully connected LDAP server.
  • this embodiment may also have an operation to update the list of third-party authentication sources: when authentication source deletion information is received, the first target LDAP server is determined according to the deletion information and deleted from the list of third-party authentication sources; when authentication source addition information is received, a second target LDAP server is determined according to the addition information and added to the list of third-party authentication sources.
  • the operation of S104 can be entered to set the user to pass identity authentication. If the standard login information stored by the authentication source does not include the user login information, the identity authentication status is set to fail authentication.
  • S104 Set the identity authentication status to pass the authentication.
  • this step is based on the standard login information including the user login information, and the identity authentication status can be set to pass the authentication.
  • the user role corresponding to the user's login information can also be queried, and the user or client corresponding to the login information can be assigned the permissions of that user role.
  • This embodiment connects to the LDAP server according to the server configuration parameters.
  • the LDAP server can store standard login information. That is to say, this embodiment uses the LDAP server, in addition to the local database, as a device for storing standard login information, so that multiple authentication sources participate in verifying user login information. Therefore, after receiving the user name and login password input by the user, this embodiment verifies them against the local database and the target LDAP server to facilitate the identity authentication operation. Since multiple authentication sources participate in identity authentication, the impact on the authentication service when some authentication sources are under high pressure or abnormal is reduced, and the efficiency of identity authentication is improved.
  • Figure 2 is a flow chart of a method for allocating user permissions provided by an embodiment of this application. This embodiment is a further supplement to the embodiment corresponding to Figure 1, describing the permission allocation scheme after the operation of S104 when identity authentication succeeds; this embodiment can be combined with the embodiment corresponding to FIG. 1 to obtain a more preferred implementation.
  • This embodiment may include the following operations:
  • the relationship between each user name and the user attribute may be recorded in advance.
  • the user attributes may include administrator accounts, ordinary accounts, and sub-accounts.
  • the user attributes may be determined according to the user name in the user login information.
  • each authentication source can store the correspondence between user login information and user attributes. Specifically, when the local database includes the user login information, the user attribute corresponding to the user login information may be queried from the local database; when the target LDAP server includes the user login information, the user attribute corresponding to the user login information may be queried from the target LDAP server.
  • the permission correspondence table may store the correspondence between the user attributes and permissions; correspondingly, the user is assigned the permissions corresponding to the user attributes.
  • the operation may be: allocating the permission corresponding to the user attribute to the user by querying the permission correspondence table.
  • Figure 3 is a schematic diagram of the principle of a multi-domain identity authentication method based on an LDAP server and a local database provided by an embodiment of the application. This embodiment may include the following steps:
  • Step 1 Set LDAP connection parameters.
  • connection parameters (that is, the server configuration parameters) can be input through the Web configuration page.
  • the connection parameters can include the authentication server domain name, port, base DN (that is, the base identification name), user class name, user directory, and user unique attribute.
  • Step 2 Set user role attributes and role changes.
  • the role attribute of the LDAP user can be set, and for a certain user, the user role can be changed by modifying its attribute value.
  • Step 3 Verify LDAP availability.
  • this step uses the configured connection parameters to connect to the LDAP server. If the connection fails, the user is reminded to modify the configuration parameters; if the connection is successful, the system configuration parameters are submitted.
  • Step 4 Open the source of identity authentication.
  • the configured LDAP server information can be viewed on the front-end Web page, and the authentication information source can be turned on or off.
  • Step 5 Query user roles and return user permissions.
  • the user can enter the account password to log in to the Web page.
  • the web server can query multiple authentication sources, and if one of the authentication sources passes the verification, the login is judged to be successful, the permissions granted by the role are queried, and the relevant permissions are returned together with the user role.
  • the foregoing embodiment proposes a multi-domain identity authentication strategy scheme based on an LDAP server and a local database.
  • This embodiment includes LDAP server connection configuration, LDAP user role attribute setting and modification, background identity authentication method addition and deletion, and local database role authority query.
  • the authentication strategy includes the local database and LDAP server. As long as one source passes the identity authentication, the authentication can be completed and the verification can be completed according to the role name.
  • the LDAP server configuration information can be configured through the front-end Web page, the LDAP authentication source can be turned on and off, and the background authentication strategy can be configured. Configure the LDAP server related parameters through the Web page, you can use the LDAP server user to log in to the Web system, and give the lowest authority to view the related content of the Web page.
  • This embodiment improves the access speed of LDAP users and saves manpower and material resources. In this embodiment, multiple LDAPs can be added freely, it is convenient to turn on or turn off the background identity authentication, and the user can directly see
  • FIG. 4 is a schematic structural diagram of an identity authentication system provided by an embodiment of the application.
  • the system may include:
  • the server connection module 100 is configured to receive server configuration parameters, and use the server configuration parameters to connect to the LDAP server;
  • the information receiving module 200 is configured to receive user login information; wherein, the user login information includes a user name and a login password;
  • the authentication module 300 is configured to determine whether the standard login information stored by the authentication source includes the user login information; wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server;
  • the status setting module 400 is configured to set the identity authentication status to pass the authentication when the standard login information includes the user login information.
  • This embodiment connects to the LDAP server according to the server configuration parameters.
  • the LDAP server can store standard login information. That is to say, this embodiment uses the LDAP server, in addition to the local database, as a device for storing standard login information, so that multiple authentication sources participate in verifying user login information. Therefore, after receiving the user name and login password input by the user, this embodiment verifies them against the local database and the target LDAP server to facilitate the identity authentication operation. Since multiple authentication sources participate in identity authentication, the impact on the authentication service when some authentication sources are under high pressure or abnormal is reduced, and the efficiency of identity authentication is improved.
  • the authority assignment module is used to query the user attribute corresponding to the user login information, and assign the authority corresponding to the user attribute to the user.
  • the relationship table construction module is used to construct a permission correspondence table; wherein the permission correspondence table stores the corresponding relationship between the user attributes and permissions;
  • the authority distribution module includes:
  • the first query unit is configured to query the user attribute corresponding to the user login information according to the local database when the local database includes the user login information;
  • the second query unit is configured to query the user attribute corresponding to the user login information according to the target LDAP server when the target LDAP server includes the user login information.
  • the assigning unit is configured to assign the authority corresponding to the user attribute to the user by querying the authority correspondence table.
  • the configuration module is used to set standard configuration parameters for the LDAP server through a Web configuration page before receiving server configuration parameters;
  • the server connection module 100 is configured to receive server configuration parameters, and is also configured to send the server configuration parameters to the LDAP server, so that the LDAP server can determine whether the server configuration parameters are correct according to the standard configuration parameters;
  • when the server configuration parameters are correct, it is determined that the connection to the LDAP server is successful; when they are incorrect, it is determined that the connection to the LDAP server fails.
  • server configuration parameters include any one or a combination of any of the server domain name, server port, reference identification name, user class name, user directory, and user attribute.
  • the target LDAP server is an LDAP server in the list of third-party authentication sources
  • the first list update module is configured to, when receiving the authentication source deletion information, determine the first target LDAP server according to the authentication source deletion information, and delete the first target LDAP server from the third-party authentication source list;
  • the second list update module is configured to determine a second target LDAP server according to the authentication source addition information when the authentication source addition information is received, and add the second target LDAP server to the third-party authentication source list.
  • the application also provides a storage medium on which a computer program is stored, and when the computer program is executed, the steps provided in the above-mentioned embodiments can be implemented.
  • the storage medium may include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other various media that can store program code.
  • the present application also provides an electronic device, which may include a memory and a processor.
  • the memory stores a computer program.
  • the processor invokes the computer program in the memory, the steps provided in the foregoing embodiments can be implemented.
  • the electronic device may also include various network interfaces, power supplies and other components.
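The multi-source login flow described by the embodiments above (the connection check of S101, the login check of S102 to S104, the third-party authentication source list, and the permission correspondence table of FIG. 2), as an added example that is not code from the patent or its applicant. It assumes the names LocalDatabase, LdapConfig, InMemoryLdap and Authenticator, replaces the LDAP server with a constructed in-memory directory so that it runs offline, and uses constructed sample accounts and permission values.

```python
# Added example (not the patent's or applicant's code): multi-source login in the style of WO2021068518A1.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalDatabase:
    rows: Dict[str, tuple] = field(default_factory=dict)  # username -> (salt, hash, user attribute)

    def add_user(self, username: str, password: str, attribute: str) -> None:
        salt = os.urandom(16)
        self.rows[username] = (salt, _pbkdf2(password, salt), attribute)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        row = self.rows.get(username)
        ok = row is not None and hmac.compare_digest(_pbkdf2(password, row[0]), row[1])
        return row[2] if ok else None  # matching standard login information -> user attribute


@dataclass(frozen=True)
class LdapConfig:  # the server configuration parameters named in S101 / Step 1
    domain: str
    port: int
    base_dn: str         # reference identification name
    user_class: str      # user class name (objectClass)
    user_directory: str  # e.g. "ou=people"
    user_attribute: str  # unique naming attribute, e.g. "uid"
    role_attribute: str = "employeeType"  # assumption: the role attribute set in Step 2


@dataclass
class InMemoryLdap:  # constructed in-memory stand-in for an LDAP server; entries keyed by DN
    name: str
    config: LdapConfig           # parameters the client submitted
    standard_config: LdapConfig  # parameters set for this server via the Web configuration page
    entries: Dict[str, dict] = field(default_factory=dict)
    reachable: bool = True

    def connect(self) -> bool:
        return self.reachable and self.config == self.standard_config  # S101: parameters correct?

    def authenticate(self, username: str, password: str) -> Optional[str]:
        if not self.reachable:
            raise ConnectionError(self.name)  # the "high business pressure or abnormal" case
        c = self.config
        entry = self.entries.get(f"{c.user_attribute}={username},{c.user_directory},{c.base_dn}")
        ok = entry is not None and entry["objectClass"] == c.user_class and hmac.compare_digest(
            entry["userPassword"].encode(), password.encode())  # simple-bind stand-in
        return entry.get(c.role_attribute) if ok else None


PERMISSION_TABLE = {"administrator": {"read", "write", "configure_ldap"},  # constructed values
                    "ordinary": {"read", "write"}, "sub-account": {"read"}}


@dataclass
class Authenticator:
    local_db: LocalDatabase
    third_party_list: Dict[str, InMemoryLdap] = field(default_factory=dict)
    target_servers: Set[str] = field(default_factory=set)  # successfully connected servers

    def add_source(self, server: InMemoryLdap) -> bool:
        if not server.connect():  # Steps 3-4: only a verified connection becomes a target
            return False
        self.third_party_list[server.name] = server
        self.target_servers.add(server.name)
        return True

    def login(self, username: str, password: str) -> Tuple[bool, Optional[str], Set[str]]:
        # S102-S104 and Step 5: consult sources that are both listed and connected, in turn
        sources = [self.local_db] + [s for n, s in self.third_party_list.items()
                                     if n in self.target_servers]
        for source in sources:
            try:
                attribute = source.authenticate(username, password)
            except ConnectionError:
                continue  # an overloaded or offline source is skipped; it never grants access
            if attribute is not None:  # lowest authority when the attribute has no mapped role
                return True, attribute, set(PERMISSION_TABLE.get(attribute, {"read"}))
        return False, None, set()


def build_demo() -> Authenticator:  # constructed sample data: one local account, one LDAP server
    cfg = LdapConfig("ldap.example.test", 389, "dc=example,dc=test", "inetOrgPerson", "ou=people", "uid")
    corp = InMemoryLdap("corp", config=cfg, standard_config=cfg)
    corp.entries["uid=bob,ou=people,dc=example,dc=test"] = {  # DN follows cfg's attribute/directory/base
        "objectClass": "inetOrgPerson", "userPassword": "ldap-pw", "employeeType": "ordinary"}
    auth = Authenticator(LocalDatabase())
    auth.local_db.add_user("alice", "local-pw", "administrator")
    auth.add_source(corp)
    return auth
```

A server whose submitted parameters do not match its standard configuration is never added to target_servers, and a server that raises while being queried is skipped for that login rather than treated as a match.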

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An identity authentication method and system, an electronic equipment and a storage medium. The method comprises: receiving server configuration parameters and using the server configuration parameters for connecting a LDAP server; receiving user login information, said user login information including a user name and a login password; determining whether standard login information stored in an authentication source includes the user login information, the authentication source including a local database and a target LDAP server, wherein said target LDAP server is a successfully connected LDAP server; and if yes, setting an identity authentication state as authorization passed. The present application can improve identity authentication efficiency.

Description

Identity authentication method, system, electronic device and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on October 12, 2019, with application number 201910968799.6 and entitled "Identity authentication method, system, electronic device and storage medium", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of computer technology, in particular to an identity authentication method and system, an electronic device and a storage medium.
Background
The Web (World Wide Web) is a global, dynamically interactive, cross-platform, distributed graphical information system based on hypertext and HTTP. A Web system is a network service built on the Internet that gives viewers a graphical, easily accessible and intuitive interface for finding and browsing information on the Internet; its documents and hyperlinks organize the information nodes on the Internet into an interrelated network structure.
In existing Web systems, a user's login operation must be verified against the users in the local database so that the user's role permissions can be queried. However, in the login method of the above related art, if the local database is under heavy business pressure or becomes abnormal, the user's verification data cannot be queried from the local database in time, resulting in low identity authentication efficiency.
Therefore, how to improve the efficiency of identity authentication is a technical problem that those skilled in the art currently need to solve.
Summary of the invention
The purpose of this application is to provide an identity authentication method, system, an electronic device and a storage medium, which can improve the efficiency of identity authentication.
In order to solve the above technical problem, this application provides an identity authentication method. The identity authentication method includes:
receiving server configuration parameters, and using the server configuration parameters to connect to an LDAP server;
receiving user login information, wherein the user login information includes a user name and a login password;
determining whether the standard login information stored by the authentication source includes the user login information, wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server;
if so, setting the identity authentication status to pass authentication.
Optionally, after the identity authentication status is set to pass authentication, the method also includes:
querying the user attribute corresponding to the user login information, and assigning the user the permission corresponding to the user attribute.
Optionally, the method also includes:
constructing a permission correspondence table, wherein the permission correspondence table stores the correspondence between the user attributes and permissions;
correspondingly, assigning the user the permission corresponding to the user attribute includes:
assigning the user the permission corresponding to the user attribute by querying the permission correspondence table.
Optionally, querying the user attribute corresponding to the user login information includes:
when the local database includes the user login information, querying the user attribute corresponding to the user login information from the local database;
when the target LDAP server includes the user login information, querying the user attribute corresponding to the user login information from the target LDAP server.
Optionally, before receiving the server configuration parameters, the method also includes:
setting standard configuration parameters for the LDAP server through a Web configuration page;
correspondingly, using the server configuration parameters to connect to the LDAP server includes:
sending the server configuration parameters to the LDAP server, so that the LDAP server judges whether the server configuration parameters are correct according to the standard configuration parameters;
wherein, when the server configuration parameters are correct, it is determined that the connection to the LDAP server is successful; when the server configuration parameters are incorrect, it is determined that the connection to the LDAP server fails.
Optionally, the server configuration parameters include any one or a combination of any of the server domain name, server port, reference identification name, user class name, user directory, and user attribute.
Optionally, the target LDAP server is an LDAP server in the list of third-party authentication sources;
correspondingly, the method also includes:
when authentication source deletion information is received, determining a first target LDAP server according to the authentication source deletion information, and deleting the first target LDAP server from the list of third-party authentication sources;
when authentication source addition information is received, determining a second target LDAP server according to the authentication source addition information, and adding the second target LDAP server to the list of third-party authentication sources.
本申请还提供了一种身份认证系统,该身份认证系统包括:This application also provides an identity authentication system, which includes:
服务器连接模块,用于接收服务器配置参数,并利用所述服务器配置参数连接LDAP服务器;The server connection module is used to receive server configuration parameters, and use the server configuration parameters to connect to the LDAP server;
信息接收模块,用于接收用户登录信息;其中,所述用户登录信息包括用户名和登录密码;The information receiving module is used to receive user login information; wherein, the user login information includes a user name and a login password;
认证模块,用于判断认证源存储的标准登录信息中是否包括所述用户登录信息;其中,所述认证源包括本地数据库和目标LDAP服务器,所述目标LDAP服务器为连接成功的LDAP服务器;The authentication module is configured to determine whether the standard login information stored by the authentication source includes the user login information; wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server;
状态设置模块,用于当所述标准登录信息中包括所述用户登录信息时,将身份认证状态设置为认证通过。The status setting module is used to set the identity authentication status to pass the authentication when the standard login information includes the user login information.
本申请还提供了一种存储介质,其上存储有计算机程序,所述计算机程序执行时实现上述身份认证方法执行的步骤。The present application also provides a storage medium on which a computer program is stored, and when the computer program is executed, the steps performed by the above-mentioned identity authentication method are implemented.
本申请还提供了一种电子设备,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器调用所述存储器中的计算机程序时实现上述身份认证方法执行的步骤。The present application also provides an electronic device including a memory and a processor, the memory is stored with a computer program, and when the processor invokes the computer program in the memory, the steps performed by the above-mentioned identity authentication method are implemented.
本申请提供了一种身份认证方法,包括接收服务器配置参数,并利用所述服务器配置参数连接LDAP服务器;接收用户登录信息;其中,所述用户登录信息包括用户名和登录密码;判断认证源存储的标准登录信息中是否包括所述用户登录信息;其中,所述认证源包括本地数据库和目标LDAP服务器,所述目标LDAP服务器为连接成功的LDAP服务器;若是,则将身份认证状态设置为认证通过。This application provides an identity authentication method, including receiving server configuration parameters, and using the server configuration parameters to connect to an LDAP server; receiving user login information; wherein the user login information includes a user name and a login password; and determining what is stored by the authentication source Whether the standard login information includes the user login information; wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is a successfully connected LDAP server; if so, the identity authentication status is set to pass the authentication.
本申请根据服务器配置参数连接LDAP服务器,LDAP服务器中可以存 储有标准登录信息,也就是说本申请将LDAP服务器只作为除本地数据库之外存储标准登录信息的装置,实现了多个认证源共同参与用户登录信息的校验。因此在接收到用户输入的用户名和登录密码之后,本申请基于本地数据库和目标LDAP服务器对用户名和密码进行校验,以便身份认证操作。由于本申请引入多个认证源参与身份认证操作,能够降低因部分认证源业务压力较大或出现异常对于争分认证业务的影响,提高了身份认证效率。本申请同时还提供了一种身份认证系统、一种电子设备和一种存储介质,具有上述有益效果,在此不再赘述。This application connects to the LDAP server according to the server configuration parameters. The LDAP server can store standard login information. That is to say, this application uses the LDAP server only as a device for storing standard login information in addition to the local database, realizing the participation of multiple authentication sources. Verification of user login information. Therefore, after receiving the user name and login password entered by the user, this application verifies the user name and password based on the local database and the target LDAP server to facilitate identity authentication operations. Since this application introduces multiple authentication sources to participate in the identity authentication operation, it is possible to reduce the impact of some authentication sources on the authentication business due to high business pressure or abnormalities, and improve the efficiency of identity authentication. This application also provides an identity authentication system, an electronic device, and a storage medium, which have the above-mentioned beneficial effects, and will not be repeated here.
Description of the drawings
To explain the embodiments of this application more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an identity authentication method provided by an embodiment of this application;
Fig. 2 is a flowchart of a user permission assignment method provided by an embodiment of this application;
Fig. 3 is a schematic diagram of the principle of a multi-domain identity authentication method based on an LDAP server and a local database, provided by an embodiment of this application;
Fig. 4 is a schematic structural diagram of an identity authentication system provided by an embodiment of this application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
Refer to Fig. 1, which is a flowchart of an identity authentication method provided by an embodiment of this application.
The specific steps may include:
S101: receive server configuration parameters, and connect to an LDAP server using the server configuration parameters;
The entity executing this embodiment may be a Web server to which multiple clients are connected. A client may send server configuration parameters to the Web server so that it connects to an LDAP (Lightweight Directory Access Protocol) server, and a client may also send user login information to the Web server so that the Web server authenticates that login information against the authentication sources.
Before this step there may be an operation in which the client sends the server configuration parameters to the Web server; the server configuration parameters may include any one or any combination of server domain name, server port, base DN, user class name, user directory and user attribute. After the server configuration parameters are received, they can be entered in the Web configuration page in order to connect to the LDAP server. Before this step there may also be an operation in which the Web server sets standard connection parameters for the LDAP server: if the server configuration parameters sent by the client match the standard connection parameters, the Web server can connect to the LDAP server; if they do not, the Web server fails to connect to the LDAP server.
As a feasible implementation, the server configuration parameters received in this step may be several sets of parameters for connecting to several LDAP servers, and each LDAP server to which the connection succeeds can be set as a target LDAP server. In conventional technology an LDAP server provides directory services, but existing LDAP servers are used only as a database for querying user information and do not perform the login to a third-party system. In this application the LDAP server can store standard login information, and identity authentication is performed by connecting it to the Web server.
As a further supplement to the above step, before the server configuration parameters are received, the following operation may be performed: setting standard configuration parameters for the LDAP server through the Web configuration page. Correspondingly, the operation of S101 may be: sending the server configuration parameters to the LDAP server, so that the LDAP server checks the server configuration parameters against the standard configuration parameters; when the server configuration parameters are correct, the connection to the LDAP server is judged successful, and when they are incorrect, the connection to the LDAP server is judged failed.
S102: receive user login information;
The user login information received in this step is the user name and login password sent by the client; it may also be the user name and login password entered by the user on the front-end Web page.
S103: determine whether the standard login information stored by the authentication sources includes the user login information; if so, go to S104; if not, go to S105;
The authentication sources mentioned in this embodiment may include the local database of the Web server and the LDAP servers that were connected successfully. The user login information received in S102 can be matched against the standard login information stored in all authentication sources to determine whether any authentication source stores that user login information. If it does, the method proceeds to S104 to set the identity authentication status to authenticated; if it does not, a login-failure prompt can be returned. The authentication sources in this embodiment may include the local database and the target LDAP server, the target LDAP server being the LDAP server to which the connection succeeded in S101.
As a feasible implementation, the target LDAP server in this embodiment may be an LDAP server that is both connected successfully and present in the third-party authentication source list; this embodiment may maintain a third-party authentication source list that records the LDAP servers allowed to take part in identity authentication. Where such a list exists, an LDAP server acting as an authentication source in this embodiment must be both a server in the third-party authentication source list and a successfully connected LDAP server. Correspondingly, this embodiment may also update the third-party authentication source list: when authentication source deletion information is received, a first target LDAP server is determined from the deletion information and removed from the third-party authentication source list; when authentication source addition information is received, a second target LDAP server is determined from the addition information and added to the third-party authentication source list.
It will be understood that this embodiment has several authentication sources; when the standard login information stored in one or more of them includes the user login information, the method may proceed to S104 and set the user as authenticated. If the standard login information stored by the authentication sources does not include the user login information, the identity authentication status is set to not authenticated.
S104: set the identity authentication status to authenticated.
This step rests on the standard login information including the user login information, so the identity authentication status can be set to authenticated. As a feasible implementation, after the identity authentication status of the user or client has been set to authenticated, this embodiment may also query the user role corresponding to the user login information and assign the user or client to which that login information belongs the permissions of that user role.
S105: set the identity authentication status to not authenticated.
This embodiment connects to the LDAP server according to the server configuration parameters, and the LDAP server can store standard login information. In other words, this embodiment uses the LDAP server purely as a store of standard login information alongside the local database, so that several authentication sources jointly take part in verifying user login information. After the user name and login password entered by the user are received, this embodiment therefore verifies them against the local database and the target LDAP server in order to carry out identity authentication. Because several authentication sources take part in identity authentication, the impact on the authentication service when some sources are under heavy load or fail is reduced, which improves the efficiency of identity authentication.
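The S101 to S105 flow above as runnable code, added here as an illustration and not taken from the application or its figures. All names (LocalDatabase, TargetLdapServer, Authenticator, the sample users and host names) are assumptions. The LDAP source is an in-memory stand-in for a connected directory, where a real deployment would perform a simple bind as the user (for example with the ldap3 library), and the local database keeps salted PBKDF2 hashes rather than plaintext passwords. The example also separates a source that cannot be reached from one that rejects the credentials, which is the failure mode the application's multi-source design is meant to absorb:

```python
"""Added example: one login check across a local database and the target LDAP servers."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Outcome of consulting one source; an outage is deliberately distinct from a rejection
OK, BAD_CREDENTIALS, UNAVAILABLE = "ok", "bad_credentials", "unavailable"
PBKDF2_ROUNDS = 50_000


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LocalDatabase:
    """Local authentication source: stores salted PBKDF2 hashes, never plaintext passwords."""
    name = "local-db"

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user name -> (salt, hash)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, password_hash(password, salt))

    def verify(self, username: str, password: str) -> str:
        record = self._users.get(username)
        if record is None:
            password_hash(password, b"\x00" * 16)  # same cost for unknown names
            return BAD_CREDENTIALS
        salt, stored = record
        return OK if hmac.compare_digest(stored, password_hash(password, salt)) else BAD_CREDENTIALS


@dataclass
class TargetLdapServer:
    """Stand-in for one LDAP server (constructed). A real source would perform a simple
    bind as the user, e.g. with ldap3, instead of reading the in-memory ``entries`` table."""
    host: str
    port: int
    base_dn: str
    connected: bool = True    # result of the S101 connection check
    enabled: bool = True      # switched on in the third-party authentication source list
    entries: Dict[str, str] = field(default_factory=dict)  # uid -> password (constructed)

    @property
    def name(self) -> str:
        return f"ldap://{self.host}:{self.port}/{self.base_dn}"

    def verify(self, username: str, password: str) -> str:
        if not self.connected:
            return UNAVAILABLE  # the directory could not be asked; not a wrong password
        stored = self.entries.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return BAD_CREDENTIALS
        return OK


@dataclass
class LoginResult:
    status: str                # "authenticated" or "not_authenticated"
    source: Optional[str]      # the source that vouched for the user, if any
    unavailable: List[str]     # sources that could not be consulted (for alerting)


class Authenticator:
    def __init__(self, local: LocalDatabase, ldap_servers: List[TargetLdapServer]) -> None:
        self.local = local
        self.ldap_servers = ldap_servers

    def target_servers(self) -> List[TargetLdapServer]:
        # Only servers enabled in the source list take part; connectivity is checked at use
        return [s for s in self.ldap_servers if s.enabled]

    def login(self, username: str, password: str) -> LoginResult:
        """S103 to S105: the first source that accepts the credentials decides."""
        if not username or not password:
            # An empty password must never reach a directory bind: many directories
            # treat it as an anonymous bind that succeeds without checking anything.
            return LoginResult("not_authenticated", None, [])
        unavailable: List[str] = []
        for source in [self.local, *self.target_servers()]:
            outcome = source.verify(username, password)
            if outcome == OK:
                return LoginResult("authenticated", source.name, unavailable)
            if outcome == UNAVAILABLE:
                unavailable.append(source.name)
        # One generic failure whether the name or the password was wrong
        return LoginResult("not_authenticated", None, unavailable)


def build_demo() -> Authenticator:
    """Constructed sample data: one local user and two directories, one of them down."""
    local = LocalDatabase()
    local.add_user("alice", "correct horse battery staple")
    corp = TargetLdapServer("ldap.corp.example", 636, "dc=corp,dc=example",
                            entries={"bob": "bobs-directory-password"})
    partner = TargetLdapServer("ldap.partner.example", 636, "dc=partner,dc=example",
                               connected=False, entries={"carol": "carols-password"})
    return Authenticator(local, [corp, partner])
```

Calling `build_demo().login(name, password)` returns a LoginResult. An operator can alert on a non-empty `unavailable` list even when the login still succeeded through another source, which is exactly the load or outage case the text describes, while the caller sees a single generic failure for both a wrong name and a wrong password.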
Refer to Fig. 2, which is a flowchart of a user permission assignment method provided by an embodiment of this application. This embodiment is a further supplement that follows S104 of the embodiment corresponding to Fig. 1 and describes a permission assignment scheme on the basis of successful identity authentication; it can be combined with the embodiment corresponding to Fig. 1 to obtain a more preferred implementation. This embodiment may include the following operations:
S201: query the user attribute corresponding to the user login information;
In this embodiment the correspondence between each user name and a user attribute can be recorded in advance. User attributes may include administrator account, ordinary account and sub-account, among others, and the user attribute can be determined from the user name in the user login information.
If this embodiment is combined with the embodiment corresponding to Fig. 1, each authentication source can store the correspondence between user login information and user attributes. Specifically, when the local database includes the user login information, the local database is queried for the user attribute corresponding to the user login information; when the target LDAP server includes the user login information, the target LDAP server is queried for the user attribute corresponding to the user login information.
S202: assign the user the permissions corresponding to the user attribute.
Before this step there may be an operation of building a permission correspondence table, which stores the correspondence between user attributes and permissions; correspondingly, the operation of assigning the user the permissions corresponding to the user attribute may be: assigning the user the permissions corresponding to the user attribute by querying the permission correspondence table.
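S201 and S202 in code, added as an example that is not part of the application. The permission correspondence table, the attribute vocabularies and the sample users are all constructed; the source name `local-db` and the role attribute `employeeType` are assumptions. Two points the text leaves implicit are made explicit: the attribute is read only from the source that authenticated the user, so an entry for the same name in a different source cannot raise the role, and an authenticated user whose attribute is missing or not in the table receives the lowest permission level that the Fig. 3 embodiment mentions rather than an error or a broad default:

```python
"""Added example: S201/S202 with a permission correspondence table and a least-privilege default."""
from typing import Dict, FrozenSet, Optional

# Permission correspondence table (constructed): user attribute -> permissions granted
PERMISSION_TABLE: Dict[str, FrozenSet[str]] = {
    "administrator": frozenset({"page:view", "page:edit", "user:manage", "ldap:configure"}),
    "ordinary": frozenset({"page:view", "page:edit"}),
    "sub_account": frozenset({"page:view"}),
}
# Lowest permission level, used when an authenticated user's attribute is missing or unmapped
MINIMUM_PERMISSIONS: FrozenSet[str] = frozenset({"page:view"})

# The directory stores roles in an LDAP attribute with its own vocabulary (constructed);
# values are normalised to table keys so that the table stays the single authority.
LDAP_ROLE_ATTRIBUTE = "employeeType"
LDAP_ROLE_ALIASES: Dict[str, str] = {"admin": "administrator", "staff": "ordinary", "guest": "sub_account"}

# Constructed sample data: the local database and one target LDAP server
LOCAL_ROLES: Dict[str, str] = {"alice": "administrator", "erin": "typo_role"}
LDAP_ENTRIES: Dict[str, Dict[str, str]] = {
    "bob": {LDAP_ROLE_ATTRIBUTE: "staff"},
    "dave": {LDAP_ROLE_ATTRIBUTE: "contractor"},   # value not in the alias map
    "frank": {},                                   # attribute missing on the entry
}


def query_user_attribute(auth_source: str, username: str) -> Optional[str]:
    """S201: read the attribute only from the source that authenticated the user,
    so an entry in another source cannot raise or change the role.
    Any source name other than "local-db" is treated as the target LDAP server."""
    if auth_source == "local-db":
        return LOCAL_ROLES.get(username)
    entry = LDAP_ENTRIES.get(username)
    if entry is None:
        return None
    raw = entry.get(LDAP_ROLE_ATTRIBUTE, "").strip().lower()
    return LDAP_ROLE_ALIASES.get(raw)


def assign_permissions(attribute: Optional[str]) -> FrozenSet[str]:
    """S202: look the attribute up in the correspondence table; anything unknown
    falls back to the minimum rather than failing open or failing the login."""
    if attribute is None:
        return MINIMUM_PERMISSIONS
    return PERMISSION_TABLE.get(attribute, MINIMUM_PERMISSIONS)


def permissions_for_login(auth_source: str, username: str) -> FrozenSet[str]:
    """Combined S201 + S202 for a user who has already passed authentication."""
    return assign_permissions(query_user_attribute(auth_source, username))


def has_permission(auth_source: str, username: str, needed: str) -> bool:
    return needed in permissions_for_login(auth_source, username)
```

Keeping the alias map separate from the table means a change in the directory's role vocabulary is a one-line edit, and a value nobody mapped (`contractor` above) cannot silently become a privileged role.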
The flow described in the above embodiments is now illustrated by an embodiment in practical application. Refer to Fig. 3, which is a schematic diagram of the principle of a multi-domain identity authentication method based on an LDAP server and a local database, provided by an embodiment of this application. This embodiment may include the following steps:
Step 1: set the LDAP connection parameters.
Specifically, in this step the connection parameters (that is, the server configuration parameters) can be entered through the Web configuration page; they may include the authentication server domain name, port, base DN (base distinguished name), user class name, user directory and unique user attribute.
Step 2: set the user role attribute and role changes.
Specifically, in this step the role attribute of LDAP users can be set; for a given user, modifying the value of this attribute changes that user's role.
Step 3: verify LDAP availability.
Specifically, this step connects to the LDAP server using the configured connection parameters. If the connection fails, the user is prompted to correct the configuration parameters; if it succeeds, the system configuration parameters are committed.
Step 4: enable the identity authentication sources.
Specifically, in this step the configured LDAP server information can be viewed on the front-end Web page, and each authentication source can be enabled or disabled.
Step 5: query the user role and return the user's permissions.
Specifically, in this step the user enters an account name and password to log in to the Web page. The Web server can query several authentication sources; as soon as one of them passes verification, the login is judged successful, the permissions granted to the role are looked up, and the relevant permissions are returned together with the user role.
The above embodiment proposes a multi-domain identity authentication policy scheme based on an LDAP server and a local database. It covers LDAP server connection configuration, setting and changing LDAP user role attributes, adding and removing back-end identity authentication methods, and querying role permissions in the local database. The authentication policy includes the local database and the LDAP server: as soon as one source authenticates the user, verification is complete and the relevant permissions are looked up by role name. The LDAP server configuration can be set through the front-end Web page, LDAP authentication sources can be enabled and disabled, and the back-end authentication policy is configurable. Once the LDAP server parameters are configured through the Web page, LDAP server users can log in to the Web system and are granted the lowest level of permissions, which allows them to view the relevant Web page content. This embodiment speeds up onboarding of LDAP users and saves manpower and material resources. Several LDAP servers can be added freely, back-end identity authentication is easy to turn on or off, and the user can see the authentication source displayed directly on the page.
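Steps 1, 3 and 4 above as code, an added example rather than the application's own implementation. It validates the six connection parameters named in step 1 before any connection attempt (the network check of step 3 itself is out of scope here) and keeps a third-party authentication source list with add, remove, enable and disable operations. The LdapConfig field names, the key format, the error strings and the choice of adding a server in the disabled state are assumptions; the DN parser is deliberately simple and does not handle escaped commas or multi-valued RDNs:

```python
"""Added example: validate LDAP connection parameters and manage the third-party source list."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Host name per RFC 1123 label rules; bare IP addresses are deliberately not accepted here
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# One RDN such as ``ou=people``; escaped commas in values are outside this simple parser
RDN_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9-]*=[^,+=]+$")
ATTR_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9-]*$")   # LDAP attribute type or object class name


@dataclass(frozen=True)
class LdapConfig:
    """The server configuration parameters named in the text (field names are assumptions)."""
    domain: str
    port: int
    base_dn: str
    user_class: str        # object class of user entries, e.g. inetOrgPerson
    user_directory: str    # DN of the container holding user entries
    unique_attribute: str  # attribute that identifies a user, e.g. uid


def split_dn(dn: str) -> List[str]:
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def is_dn(dn: str) -> bool:
    parts = split_dn(dn)
    return bool(parts) and all(RDN_RE.match(p) for p in parts)


def dn_under(child: str, parent: str) -> bool:
    """True when ``child`` is ``parent`` itself or lies below it in the tree."""
    c, p = split_dn(child), split_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def validate_config(cfg: LdapConfig) -> List[str]:
    """Checks run before any connection attempt; an empty list means well-formed parameters."""
    errors: List[str] = []
    if not DOMAIN_RE.match(cfg.domain):
        errors.append("domain: not a valid host name")
    if not isinstance(cfg.port, int) or not 1 <= cfg.port <= 65535:
        errors.append("port: must be an integer between 1 and 65535")
    if not is_dn(cfg.base_dn):
        errors.append("base_dn: malformed distinguished name")
    if not ATTR_RE.match(cfg.user_class):
        errors.append("user_class: not a valid object class name")
    if not is_dn(cfg.user_directory) or not dn_under(cfg.user_directory, cfg.base_dn):
        errors.append("user_directory: must be a DN at or below base_dn")
    if not ATTR_RE.match(cfg.unique_attribute):
        errors.append("unique_attribute: not a valid attribute name")
    return errors


class ThirdPartySourceList:
    """The third-party authentication source list: add, remove, enable and disable servers."""

    def __init__(self) -> None:
        self._sources: Dict[str, dict] = {}

    @staticmethod
    def key_for(cfg: LdapConfig) -> str:
        return f"{cfg.domain.lower()}:{cfg.port}"

    def add(self, cfg: LdapConfig) -> str:
        errors = validate_config(cfg)
        if errors:
            raise ValueError("; ".join(errors))
        key = self.key_for(cfg)
        # A newly added server starts disabled; an operator enables it explicitly (step 4)
        self._sources[key] = {"config": cfg, "enabled": False}
        return key

    def remove(self, key: str) -> bool:
        return self._sources.pop(key, None) is not None

    def set_enabled(self, key: str, enabled: bool) -> None:
        if key not in self._sources:
            raise KeyError(key)
        self._sources[key]["enabled"] = enabled

    def active(self) -> List[LdapConfig]:
        """Servers that may take part in authentication right now."""
        return [s["config"] for s in self._sources.values() if s["enabled"]]
```

Rejecting a malformed user directory that lies outside the base DN catches a common misconfiguration before it turns into a confusing bind failure, and starting every new server disabled means a typo in the list cannot route logins to an unintended directory until someone has looked at it.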
Refer to Fig. 4, which is a schematic structural diagram of an identity authentication system provided by an embodiment of this application. The system may include:
a server connection module 100, configured to receive server configuration parameters and connect to an LDAP server using those parameters;
an information receiving module 200, configured to receive user login information, where the user login information includes a user name and a login password;
an authentication module 300, configured to determine whether the standard login information stored by the authentication source includes the user login information, where the authentication source includes a local database and a target LDAP server, and the target LDAP server is an LDAP server to which the connection succeeded;
a status setting module 400, configured to set the identity authentication status to authenticated when the standard login information includes the user login information.
This embodiment connects to the LDAP server according to the server configuration parameters, and the LDAP server can store standard login information. In other words, this embodiment uses the LDAP server purely as a store of standard login information alongside the local database, so that several authentication sources jointly take part in verifying user login information. After the user name and login password entered by the user are received, this embodiment therefore verifies them against the local database and the target LDAP server in order to carry out identity authentication. Because several authentication sources take part in identity authentication, the impact on the authentication service when some sources are under heavy load or fail is reduced, which improves the efficiency of identity authentication.
Further, the system also includes:
a permission assignment module, configured to query the user attribute corresponding to the user login information and assign the user the permissions corresponding to that user attribute.
Further, the system also includes:
a relationship table building module, configured to build a permission correspondence table, where the permission correspondence table stores the correspondence between user attributes and permissions;
correspondingly, the permission assignment module includes:
a first query unit, configured to query the local database for the user attribute corresponding to the user login information when the local database includes the user login information;
a second query unit, configured to query the target LDAP server for the user attribute corresponding to the user login information when the target LDAP server includes the user login information;
an assignment unit, configured to assign the user the permissions corresponding to the user attribute by querying the permission correspondence table.
Further, the system also includes:
a configuration module, configured to set standard configuration parameters for the LDAP server through a Web configuration page before the server configuration parameters are received;
correspondingly, the server connection module 100 is configured to receive the server configuration parameters and also to send them to the LDAP server, so that the LDAP server checks the server configuration parameters against the standard configuration parameters;
where, when the server configuration parameters are correct, the connection to the LDAP server is judged successful, and when they are incorrect, the connection to the LDAP server is judged failed.
Further, the server configuration parameters include any one or any combination of: server domain name, server port, base distinguished name (base DN), user class name, user directory, and user attribute.
Further, the target LDAP server is an LDAP server in the third-party authentication source list;
correspondingly, the system also includes:
a first list update module, configured to determine a first target LDAP server from authentication source deletion information when such information is received, and to remove the first target LDAP server from the third-party authentication source list;
a second list update module, configured to determine a second target LDAP server from authentication source addition information when such information is received, and to add the second target LDAP server to the third-party authentication source list.
Since the embodiments of the system part correspond to those of the method part, refer to the description of the method embodiments for details of the system embodiments; they are not repeated here.
This application also provides a storage medium storing a computer program which, when executed, can implement the steps provided in the above embodiments. The storage medium may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
This application also provides an electronic device, which may include a memory and a processor; the memory stores a computer program, and when the processor invokes the computer program in the memory, the steps provided in the above embodiments can be implemented. The electronic device may of course also include various network interfaces, a power supply and other components.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be understood by reference to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant details can be found in the description of the method. It should be noted that a person of ordinary skill in the art can make several improvements and modifications to this application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of this application.
It should also be noted that in this specification, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device comprising that element.

Claims (10)

  1. An identity authentication method, characterized in that it comprises:
    receiving server configuration parameters, and connecting to an LDAP server using the server configuration parameters;
    receiving user login information, wherein the user login information includes a user name and a login password;
    determining whether the standard login information stored by an authentication source includes the user login information, wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is an LDAP server to which a connection has succeeded;
    if so, setting the identity authentication status to authentication passed.
  2. The identity authentication method according to claim 1, characterized in that, after setting the identity authentication status to authentication passed, the method further comprises:
    querying the user attribute corresponding to the user login information, and assigning the user the permission corresponding to the user attribute.
  3. The identity authentication method according to claim 2, characterized in that it further comprises:
    constructing a permission correspondence table, wherein the permission correspondence table stores the correspondence between the user attributes and permissions;
    correspondingly, assigning the user the permission corresponding to the user attribute comprises:
    assigning the user the permission corresponding to the user attribute by querying the permission correspondence table.
  4. The identity authentication method according to claim 2, characterized in that querying the user attribute corresponding to the user login information comprises:
    when the local database includes the user login information, querying the user attribute corresponding to the user login information from the local database;
    when the target LDAP server includes the user login information, querying the user attribute corresponding to the user login information from the target LDAP server.
  5. The identity authentication method according to claim 1, characterized in that, before receiving the server configuration parameters, the method further comprises:
    setting standard configuration parameters for the LDAP server through a Web configuration page;
    correspondingly, connecting to the LDAP server using the server configuration parameters comprises:
    sending the server configuration parameters to the LDAP server, so that the LDAP server judges, according to the standard configuration parameters, whether the server configuration parameters are correct;
    wherein, when the server configuration parameters are correct, the connection to the LDAP server is determined to have succeeded; when the server configuration parameters are incorrect, the connection to the LDAP server is determined to have failed.
  6. The identity authentication method according to claim 1, characterized in that the server configuration parameters include any one or any combination of a server domain name, a server port, a base distinguished name, a user class name, a user directory and a user attribute.
  7. The identity authentication method according to any one of claims 1 to 6, characterized in that the target LDAP server is an LDAP server in a list of third-party authentication sources;
    correspondingly, the method further comprises:
    when authentication source deletion information is received, determining a first target LDAP server according to the authentication source deletion information, and deleting the first target LDAP server from the list of third-party authentication sources;
    when authentication source addition information is received, determining a second target LDAP server according to the authentication source addition information, and adding the second target LDAP server to the list of third-party authentication sources.
  8. An identity authentication system, characterized in that it comprises:
    a server connection module, configured to receive server configuration parameters and to connect to an LDAP server using the server configuration parameters;
    an information receiving module, configured to receive user login information, wherein the user login information includes a user name and a login password;
    an authentication module, configured to determine whether the standard login information stored by an authentication source includes the user login information, wherein the authentication source includes a local database and a target LDAP server, and the target LDAP server is an LDAP server to which a connection has succeeded;
    a status setting module, configured to set the identity authentication status to authentication passed when the standard login information includes the user login information.
  9. An electronic device, characterized in that it comprises a memory and a processor, wherein a computer program is stored in the memory, and when the processor calls the computer program in the memory, the steps of the identity authentication method according to any one of claims 1 to 7 are implemented.
  10. A storage medium, characterized in that computer-executable instructions are stored in the storage medium, and when the computer-executable instructions are loaded and executed by a processor, the steps of the identity authentication method according to any one of claims 1 to 7 are implemented.
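As an added illustration (example code, not the applicant's implementation), the Python below walks through claims 1 to 7: a target LDAP server is kept only when the submitted configuration parameters match the standard parameters (claim 5), the login is checked against the local database and then against each target server (claims 1 and 4), the user attribute is mapped to permissions through a correspondence table (claims 2 and 3), and sources are added to or deleted from the third-party list (claim 7). FakeLdapServer stands in for a real directory so the example runs offline; the configuration field names, the check order, the sample users and the choice to keep salted hashes rather than the login password in the local database are assumptions of this example, not statements of the claims.

```python
import hashlib
import hmac
import os
from collections import namedtuple

LdapConfig = namedtuple("LdapConfig", "domain port base_dn user_class user_dir user_attr")  # claim 6


class FakeLdapServer:
    """Offline stand-in for a directory holding constructed user entries (assumption)."""
    def __init__(self, standard, users):
        self.standard, self.users = standard, users  # standard: parameters set per claim 5
    def check_config(self, cfg):  # claim 5: connection succeeds iff parameters match
        return cfg == self.standard
    def bind(self, user, password):  # claim 1: does this source hold the login?
        entry = self.users.get(user)
        return entry is not None and hmac.compare_digest(entry["pw"], password)
    def attribute(self, user):  # claim 4: attribute from the target server
        return self.users[user]["attr"]


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalDb:
    """Local source; keeps salted PBKDF2 digests, never the login password."""
    def __init__(self):
        self.users = {}
    def add(self, user, password, attr):
        salt = os.urandom(16)
        self.users[user] = (salt, _digest(password, salt), attr)
    def check(self, user, password):  # claim 1 for the local database
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(_digest(password, rec[0]), rec[1])
    def attribute(self, user):  # claim 4 for the local database
        return self.users[user][2]


class Authenticator:
    def __init__(self, local_db, permission_table):
        self.local_db = local_db
        self.permission_table = permission_table  # claim 3: attribute -> permissions
        self.sources = {}  # claim 7: third-party authentication source list
    def connect(self, name, server, cfg):  # claims 1, 5, 7: list a target only on success
        if not server.check_config(cfg):
            return False
        self.sources[name] = server
        return True
    def remove_source(self, name):  # claim 7: delete from the list
        self.sources.pop(name, None)
    def authenticate(self, user, password):
        """Claims 1-4: local database first, then each target; returns (status, permissions)."""
        if self.local_db.check(user, password):
            attr = self.local_db.attribute(user)
        else:
            for server in self.sources.values():
                if server.bind(user, password):
                    attr = server.attribute(user)
                    break
            else:
                return "failed", frozenset()
        return "passed", self.permission_table.get(attr, frozenset())
```

Deleting a source from the list immediately withdraws access for logins that only that server held, which is the practical effect of the deletion step in claim 7.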

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910968799.6A CN110753044A (en) 2019-10-12 2019-10-12 Identity authentication method, system, electronic equipment and storage medium
CN201910968799.6 2019-10-12

Publications (1)

Publication Number Publication Date
WO2021068518A1 true WO2021068518A1 (en) 2021-04-15

Family

ID=69278173

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/092842 WO2021068518A1 (en) 2019-10-12 2020-05-28 Identity authentication method and system, electronic equipment and storage medium

Country Status (2)

Country Link
CN (1) CN110753044A (en)
WO (1) WO2021068518A1 (en)


Also Published As

Publication number Publication date
CN110753044A (en) 2020-02-04


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20873492

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20873492

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.10.2022)
