CN102368762A - LDAP (Lightweight Directory Access Protocol) user management method and device thereof - Google Patents
LDAP (Lightweight Directory Access Protocol) user management method and device thereof
- Publication number
- CN102368762A
- Authority
- CN
- China
- Prior art keywords
- user
- application system
- authentication
- condition
- collocation strategy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The invention discloses an LDAP (Lightweight Directory Access Protocol) user management method and a device for it. The method comprises the following steps: after receiving a user authentication request, the application system judges whether the user initiating the request meets the conditions set by the user configuration policy of the application system, and requests the LDAP server to authenticate the user only when the request is judged to meet those conditions; after receiving the authentication-success message returned by the LDAP server, the application system adds the user's information to the application system, provided that the user's information is not already stored there and the application system's own License limit has not been exceeded, and the authentication of the user is complete. According to the invention, the user management efficiency of the application system can be improved.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an LDAP user management method and a device for it.
Background technology
LDAP (Lightweight Directory Access Protocol) is a protocol for publishing directory information about many different resources. LDAP is comparable to a telephone directory and is similar to network directories such as NIS (Network Information Service) and DNS (Domain Name Service). LDAP is a storage concept at a higher level of abstraction than a relational database; unlike a general-purpose database, LDAP is optimized for queries, and its read performance is far better than its write performance. Various types of data can be stored in an LDAP directory, for example e-mail addresses, mail routing information, human resource data, public keys, contact lists and so on.
At present, more and more enterprise application systems use LDAP as their user management resource, integrating it with the application system itself and thereby achieving unified management of LDAP user authentication. Fig. 1 shows the LDAP user authentication flow currently adopted.
As shown in Fig. 1, before the authentication process is carried out, the qualifying users must be synchronized into the application system according to a configuration policy. The configuration policy generally consists of two parts, a synchronization scope (for example a certain OU or LDAP group) and a filter condition; that is, the users of a specific OU (Organization Unit) or LDAP group who pass the filter condition are synchronized into the application system. The application system then authenticates a user initiating a request according to the user information that has been synchronized into the system. The specific flow comprises:
A synchronization policy is configured in the application system. The synchronization policy setting comprises a scope setting, of the form ou=sales,dc=test,dc=com (meaning that the OU is restricted to sales), and a filter condition setting, of the form (&(objectclass=*)(cn=xu*)) (meaning that only users with the surname Xu are synchronized); the users meeting these conditions are imported from the LDAP server into the application system. After the user side initiates a request (step 101), it is first judged whether the user exists in the application system (step 102); if not, an error is prompted (step 103); if so, the request information is sent to the LDAP server (step 104). The LDAP server returns the verification result (step 105); if verification fails, an error is prompted (step 106); if verification succeeds, an authentication-success message is prompted (step 107).
It can be seen that the application system synchronizes the LDAP users specified by the configuration policy from the LDAP server into the system, thereby achieving unified authentication management of LDAP users.
In most cases, only some of the users within the scope specified by the configuration policy need to be included in the application system for unified authentication management; that is, not all of them need to go through LDAP authentication. The users who do not need unified authentication management therefore waste a large number of the application system's Licenses (a License is a licence; an application system usually limits the number of users it manages by means of a License mechanism), and they also make operations such as user queries and statistics in the application system more cumbersome and reduce query efficiency.
Summary of the invention
The invention provides an LDAP user management method and a device for it, in order to save the License resources of the application system and improve the efficiency of user management in the application system.
The LDAP user management method provided by the invention comprises:
after the application system receives a user authentication request, judging whether the user initiating the request meets the conditions set by the user configuration policy of the application system, and, if the user is judged to meet them, requesting the LDAP server to authenticate the user;
after the application system receives the authentication-success message for the user returned by the LDAP server, adding the user's information to the application system if the application system does not already store the user's information and its License limit has not been exceeded, thereby completing the authentication of the user.
The application server provided by the invention comprises:
a receiving module, for receiving a user authentication request;
a first judging module, for judging whether the user initiating the request meets the conditions set by the user configuration policy of the application system running on the application server;
an authentication module, for requesting the LDAP server to authenticate the user when the first judging module judges that the user meets the conditions set by the user configuration policy, and for receiving the authentication result returned by the LDAP server;
a second judging module, for judging, after the authentication-success message for the user is received from the LDAP server, whether the application system running on the application server has stored the user's information and whether its License limit has been exceeded;
a user management module, for adding the user's information to the application system and completing the authentication of the user when the second judging module judges that the application system has not stored the user's information and the License limit has not been exceeded.
The beneficial technical effects of the invention include:
In the invention, when a user initiates authentication, it is first judged whether the user meets the user configuration policy; only if so is the request forwarded to the LDAP server for authentication, and only if authentication succeeds and the License limit of the application system is not exceeded is the user imported into the application system. Thus, without exceeding the License quantity limit of the application system, only users who have an actual business need, meet the user configuration policy and authenticate successfully are imported into the application system, while users with no business need are not imported in advance. Compared with the prior art, in which a large number of users are imported into the application system in advance according to a synchronization policy, License occupation is reduced, and because the number of imported users is relatively smaller, the efficiency with which the application system performs operations such as user queries and statistics is improved.
Description of drawings
Fig. 1 is a schematic flow chart of LDAP user authentication in the prior art;
Fig. 2 is a schematic flow chart of user authentication provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the application server provided by an embodiment of the invention.
Embodiment
In view of the problems of the prior art, an embodiment of the invention proposes a method of managing LDAP users on demand, so as to reduce License occupation and improve management efficiency.
In the embodiment of the invention, a user configuration policy needs to be set in the application system in advance; only users meeting the qualifying conditions of this user configuration policy may use the application system. The user configuration policy can be configured in the same way as in the prior art. In a specific implementation, the user configuration policy can consist of two parts, a user scope (for example a certain OU or LDAP group) and a filter condition; that is, only users within the scope who satisfy the filter condition meet the requirements of the user configuration policy. For example, the user configuration policy setting comprises a scope setting, of the form ou=sales,dc=test,dc=com (meaning that the OU is restricted to sales), and a filter condition setting, of the form (&(objectclass=*)(cn=xu*)) (meaning that only users with the surname Xu are selected).
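As an added example, not code from the patent, the following Python evaluates a user configuration policy of the shape just described, i.e. a scope DN such as ou=sales,dc=test,dc=com together with a search filter such as (&(objectclass=*)(cn=xu*)), against a small in-memory directory. The directory entries, DNs and policy values are constructed sample data. The filter evaluator implements the subset of RFC 4515 needed for policies of this kind (and, or, not, presence, equality and substring assertions), which goes a little beyond the single filter the description gives; DN matching is a subtree-scope comparison on the RDN sequence.

```python
"""Added example (not part of the patent): evaluate a user configuration policy,
i.e. a scope DN plus an RFC 4515 search filter, against an in-memory directory.
All directory entries and policy values below are constructed sample data."""
import re


def parse_dn(dn):
    """Split 'cn=xuwei,ou=sales,dc=test,dc=com' into lower-cased (attr, value) RDNs."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]


def in_scope(entry_dn, scope_dn):
    """True if entry_dn is the scope entry itself or lies below it (subtree scope)."""
    entry, scope = parse_dn(entry_dn), parse_dn(scope_dn)
    return len(entry) >= len(scope) and entry[-len(scope):] == scope


def parse_filter(text):
    """Recursive-descent parser for a subset of RFC 4515 search filters.
    Returns ('&'|'|'|'!', [children]) or ('item', attr, assertion_value)."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        skip_ws()
        if text[pos] in "&|!":                      # compound filter
            op = text[pos]
            pos += 1
            kids = []
            skip_ws()
            while text[pos] == "(":
                kids.append(node())
                skip_ws()
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed '%s' filter at offset %d" % (op, pos))
            pos += 1
            return (op, kids)
        end = text.index(")", pos)                  # simple assertion attr=value
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("unsupported assertion: %r" % text[pos:end])
        pos = end + 1
        return ("item", attr.strip().lower(), value.strip())

    tree = node()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}, case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [str(v).lower() for v in entry.get(attr, [])]
    if pattern == "*":                              # presence assertion
        return bool(values)
    if "*" in pattern:                              # substring assertion, e.g. xu*
        rx = "^" + ".*".join(re.escape(p) for p in pattern.lower().split("*")) + "$"
        return any(re.match(rx, v) for v in values)
    return pattern.lower() in values                # equality assertion


def select_users(directory, scope_dn, filter_text):
    """DNs of the entries inside the scope that satisfy the filter (the policy result)."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in directory if in_scope(e["dn"], scope_dn) and matches(tree, e)]


# Constructed sample directory: 'xuwei' exists under two OUs, only one of them in scope.
DIRECTORY = [
    {"dn": "cn=xuwei,ou=sales,dc=test,dc=com", "cn": ["xuwei"], "objectclass": ["person"]},
    {"dn": "cn=xuli,ou=east,ou=sales,dc=test,dc=com", "cn": ["xuli"], "objectclass": ["person"]},
    {"dn": "cn=xuwei,ou=hr,dc=test,dc=com", "cn": ["xuwei"], "objectclass": ["person"]},
    {"dn": "cn=wangfang,ou=sales,dc=test,dc=com", "cn": ["wangfang"], "objectclass": ["person"]},
]

if __name__ == "__main__":
    print(select_users(DIRECTORY, "ou=sales,dc=test,dc=com", "(&(objectclass=*)(cn=xu*))"))
```

The result is keyed by full DN rather than by cn, which is what lets the two "xuwei" entries be told apart; the same full-DN key is what the temporary user table described later needs.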
The difference from the prior art is that, although the embodiment of the invention also sets the user configuration policy in the application system in advance, it does not import any of the users within the scope of the policy into the application system in advance; instead, when a user initiates authentication, the user is brought under management only after passing LDAP authentication. Specifically, it is first judged whether the user meets the user configuration policy; only if so is the request forwarded to the LDAP server for authentication, and only if authentication succeeds and the License limit of the application system is not exceeded is the user imported into the application system. Thus, without exceeding the License quantity limit of the application system, only users who have an actual business need, meet the user configuration policy and authenticate successfully are imported into the application system, while users with no business need are not imported in advance. Compared with the prior art, in which a large number of users are imported into the application system in advance according to a synchronization policy, License occupation is reduced, and because the number of imported users is relatively smaller, the efficiency with which the application system performs operations such as user queries and statistics is improved.
The above authentication flow is described in detail below with reference to Fig. 2. As shown in the figure, the flow can comprise the following steps 201 to 211:
Step 202: after receiving the authentication request initiated by the user, the application system judges whether the user meets the conditions set by the user configuration policy; if so, proceed to step 204; if not, proceed to step 203.
In a specific implementation, a temporary user table can be established in advance when the application system is initialized: according to the user configuration policy, the accounts of the users meeting the conditions set by that policy are obtained from the LDAP server and stored in this user table. The temporary table can be independent of the application system, as long as the application system can access it. Considering the characteristics of an LDAP directory, users with the same user name may exist under different OUs; for this situation, the user account stored above comprises not only information such as the ID and user name but also the path information of the account, such as the OU the user belongs to.
Further, considering that the LDAP directory may be updated (for example departments adjusted or users added), in order to keep the data in the temporary user table of the application system synchronized with the LDAP server, the application system can obtain the accounts of the users meeting the conditions of the user configuration policy from the LDAP server at a set time, at a set interval, or on a synchronization instruction submitted by the system administrator, so as to update the user accounts in the temporary user table. The LDAP server can also send a synchronization instruction or message to the application system when the LDAP directory is updated, so that the application system can synchronize the user accounts in time according to that instruction or message.
After receiving the authentication request initiated by the user, the application system can obtain the user's account information, such as an identifier or name, from the request, and then judge whether this user account is present in the temporary user table: if so, the user meets the conditions set by the user configuration policy of the application system; if not, the user does not meet them.
Step 203: user authentication fails; the application system prompts an error and ends the authentication flow.
Step 205: after the LDAP server authenticates the user, it returns the authentication result to the application system; if authentication succeeds, proceed to step 207; if authentication fails, proceed to step 206.
Step 211: the application system adds the user to the application system and ends the authentication flow. In a specific implementation, the application system can obtain the user's information from the LDAP server by sending it a request for that information and receiving the user information it returns, and then add the obtained user information to the application system, making the user a valid user of the application system. Once the user has been added to the application system, the user occupies one License.
It should be noted that the message-prompting operations in the above flow (such as prompting authentication success, prompting authentication failure, prompting a License error, etc.) are optional.
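The on-demand flow of steps 202 to 211, as an added Python example that is not part of the patent. Everything in it is constructed for illustration: FakeLdapServer stands in for the LDAP server (a bind succeeds only when the DN and password match), the temporary user table is the set of DNs the user configuration policy selected and is supplied directly rather than recomputed, and the License is a counter with a configured maximum. The table is keyed by full DN, which is how the same user name under two OUs is kept apart; licenses_consumed contrasts the License usage of the prior-art pre-synchronization with that of the on-demand import.

```python
"""Added example (not the patent's own code): the on-demand LDAP user
management flow of the embodiment, simulated in memory.

Constructed assumptions: FakeLdapServer stands in for the LDAP server (bind
succeeds only if DN and password match); the temporary user table is the set
of DNs selected by the user configuration policy and is supplied directly;
the License is a counter with a configured maximum.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Stand-in for the LDAP server; credentials and attributes are constructed."""
    credentials: dict   # dn -> password
    attributes: dict    # dn -> user information returned when the app imports the user

    def bind(self, dn, password):
        """Simple bind: success only when the DN exists and the password matches."""
        return dn in self.credentials and self.credentials[dn] == password

    def lookup(self, dn):
        """Return the user information the application stores on import."""
        return dict(self.attributes[dn])


@dataclass
class Application:
    ldap: FakeLdapServer
    max_licenses: int
    temp_user_table: set = field(default_factory=set)  # DNs that satisfy the policy
    users: dict = field(default_factory=dict)          # imported users: dn -> info

    def sync_temp_table(self, policy_selection):
        """Refresh the temporary user table (done at initialization and on each sync)."""
        self.temp_user_table = set(policy_selection)

    def licenses_in_use(self):
        """Each imported user occupies one License."""
        return len(self.users)

    def authenticate(self, dn, password):
        """Return 'success', 'not_in_policy', 'ldap_failure' or 'license_exceeded'."""
        # Step 202: the user must be in the temporary table. The table is keyed by the
        # full DN, so same-named users under different OUs are told apart.
        if dn not in self.temp_user_table:
            return "not_in_policy"            # step 203: fail without contacting LDAP
        # Steps 204/205: only now is the LDAP server asked to authenticate the user.
        if not self.ldap.bind(dn, password):
            return "ldap_failure"             # step 206
        # Already imported: nothing to add, authentication succeeds.
        if dn in self.users:
            return "success"
        # License check before the import.
        if self.licenses_in_use() >= self.max_licenses:
            return "license_exceeded"
        # Step 211: fetch the user's information from the directory and import it.
        self.users[dn] = self.ldap.lookup(dn)
        return "success"


def licenses_consumed(policy_selection, logins, max_licenses, ldap):
    """Contrast License use: pre-synchronizing every policy match (prior art)
    versus importing only the users who actually authenticate (this method)."""
    presynced = len(policy_selection)
    app = Application(ldap, max_licenses)
    app.sync_temp_table(policy_selection)
    for dn, password in logins:
        app.authenticate(dn, password)
    return presynced, app.licenses_in_use()


# Constructed sample directory: 'xuwei' exists under two OUs, only the sales one is in scope.
SALES = ["cn=xuwei,ou=sales,dc=test,dc=com",
         "cn=xuli,ou=sales,dc=test,dc=com",
         "cn=xuming,ou=sales,dc=test,dc=com"]
LDAP = FakeLdapServer(
    credentials={SALES[0]: "pw-wei", SALES[1]: "pw-li", SALES[2]: "pw-ming",
                 "cn=xuwei,ou=hr,dc=test,dc=com": "pw-hr"},
    attributes={dn: {"cn": dn.split(",")[0].split("=")[1], "dn": dn}
                for dn in SALES + ["cn=xuwei,ou=hr,dc=test,dc=com"]},
)
POLICY_SELECTION = set(SALES)   # what a policy "ou=sales plus (cn=xu*)" would select

if __name__ == "__main__":
    app = Application(LDAP, max_licenses=2)
    app.sync_temp_table(POLICY_SELECTION)
    for dn, pw in [("cn=xuwei,ou=hr,dc=test,dc=com", "pw-hr"), (SALES[0], "wrong"),
                   (SALES[0], "pw-wei"), (SALES[1], "pw-li"), (SALES[2], "pw-ming")]:
        print(f"{dn}: {app.authenticate(dn, pw)}  (licenses in use: {app.licenses_in_use()})")
    print("prior art vs on demand:", licenses_consumed(POLICY_SELECTION, [(SALES[0], "pw-wei")], 10, LDAP))
```

Note the ordering of the checks: the policy check comes before the bind, so requests from users outside the policy never reach the LDAP server, and the License check comes after a successful bind but before the import, so a failed bind never consumes a License.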
Based on the same technical concept, an embodiment of the invention also provides an application server that runs the above application system.
Referring to Fig. 3, which is a schematic structural diagram of the application server provided by an embodiment of the invention, as shown in the figure the application server can comprise:
The above application server can also comprise a user information maintenance module 306. The user information maintenance module 306 can be used to maintain a temporary user table, which contains the accounts of the users meeting the conditions set by the user configuration policy of the application system that the application server has obtained from the LDAP server. Accordingly, the first judging module 302 can obtain the account of the user initiating the request from the user authentication request and judge whether this user account is present in the temporary user table: if so, the user meets the conditions set by the user configuration policy of the application system; otherwise, the user does not meet them.
In the above application server, the user information maintenance module 306 can obtain the accounts of the users meeting the conditions set by the user configuration policy from the LDAP server when the application server, or the application system configured on it, is initialized; and, after initialization is complete, obtain those accounts from the LDAP server at a set time, at a set interval, or on a received synchronization instruction, and update the temporary user table according to the user account information obtained.
In the above application server, the authentication module 303 is also used to fail the user's authentication and end the authentication if the first judging module 302 judges that the user initiating the request does not meet the conditions set by the user configuration policy.
In the above application server, the user management module 305 is also used to treat the user's authentication as successful and end the authentication if the second judging module 304 judges that the application system has already stored the user's information, and to fail the user's authentication and end the authentication if the second judging module 304 judges that the License limit of the application system has been exceeded.
From the description of the above embodiments, those skilled in the art can clearly understand that the invention can be realized by software plus the necessary general-purpose hardware platform, and of course also by hardware, but the former is the better mode of implementation in many cases. Based on this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the invention.
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as within the scope of protection of the invention.
Claims (10)
1. A Lightweight Directory Access Protocol (LDAP) user management method, characterized by comprising:
after the application system receives a user authentication request, judging whether the user initiating the request meets the conditions set by the user configuration policy of the application system, and, if the user is judged to meet them, requesting the LDAP server to authenticate the user;
after the application system receives the authentication-success message for the user returned by the LDAP server, adding the user's information to the application system if the application system does not already store the user's information and its License limit has not been exceeded, thereby completing the authentication of the user.
2. The method of claim 1, characterized in that a temporary user table is configured in the application system, the temporary user table containing the accounts of the users meeting the conditions set by the user configuration policy of the application system that the application system has obtained from the LDAP server;
and the application system judging whether the user initiating the request meets the conditions set by the configuration policy of the application system comprises:
the application system obtaining the account of the user initiating the request from the user authentication request and judging whether this user account is present in the temporary user table: if so, the user meets the conditions set by the user configuration policy of the application system; otherwise, the user does not meet them.
3. The method of claim 2, characterized in that the application system obtains the accounts of the users meeting the conditions set by its user configuration policy from the LDAP server at initialization, and, after initialization is complete, the method further comprises:
the application system obtaining the accounts of the users meeting the conditions set by its user configuration policy from the LDAP server at a set time, at a set interval, or on a received synchronization instruction, and updating the temporary user table of the application system according to the user account information obtained.
4. The method of claim 1, characterized by further comprising:
when the application system judges that the user initiating the request does not meet the conditions set by the user configuration policy, failing the user's authentication and ending the authentication.
5. The method of claim 1, characterized by further comprising:
after the application system receives the authentication-success message for the user returned by the LDAP server, if it judges that it has already stored the user's information, treating the user's authentication as successful and ending the authentication; if it judges that its License limit has been exceeded, failing the user's authentication and ending the authentication.
6. An application server, characterized by comprising:
a receiving module, for receiving a user authentication request;
a first judging module, for judging whether the user initiating the request meets the conditions set by the user configuration policy of the application system running on the application server;
an authentication module, for requesting the LDAP server to authenticate the user when the first judging module judges that the user meets the conditions set by the user configuration policy, and for receiving the authentication result returned by the LDAP server;
a second judging module, for judging, after the authentication-success message for the user is received from the LDAP server, whether the application system running on the application server has stored the user's information and whether its License limit has been exceeded;
a user management module, for adding the user's information to the application system and completing the authentication of the user when the second judging module judges that the application system has not stored the user's information and the License limit has not been exceeded.
7. The application server of claim 6, characterized by further comprising a user information maintenance module;
the user information maintenance module being for maintaining a temporary user table, which contains the accounts of the users meeting the conditions set by the user configuration policy of the application system that the application server has obtained from the LDAP server;
the first judging module being specifically for obtaining the account of the user initiating the request from the user authentication request and judging whether this user account is present in the temporary user table: if so, the user meets the conditions set by the user configuration policy of the application system; otherwise, the user does not meet them.
8. The application server of claim 7, characterized in that the user information maintenance module is specifically for obtaining the accounts of the users meeting the conditions set by the user configuration policy from the LDAP server at initialization, and, after initialization is complete, obtaining those accounts from the LDAP server at a set time, at a set interval, or on a received synchronization instruction, and updating the temporary user table according to the user account information obtained.
9. The application server of claim 6, characterized in that the authentication module is also for failing the user's authentication and ending the authentication if the first judging module judges that the user initiating the request does not meet the conditions set by the user configuration policy.
10. The application server of claim 6, characterized in that the user management module is also for treating the user's authentication as successful and ending the authentication if the second judging module judges that the application system has already stored the user's information, and for failing the user's authentication and ending the authentication if the second judging module judges that the License limit of the application system has been exceeded.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011101673452A CN102368762A (en) | 2011-06-21 | 2011-06-21 | LDAP (Lightweight Directory Access Protocol) user management method and device thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102368762A true CN102368762A (en) | 2012-03-07 |
Family
ID=45761312
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2011101673452A Pending CN102368762A (en) | 2011-06-21 | 2011-06-21 | LDAP (Lightweight Directory Access Protocol) user management method and device thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102368762A (en) |
- 2011-06-21 CN CN2011101673452A patent/CN102368762A/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010282596A (en) * | 2009-06-02 | 2010-12-16 | Canon Software Information Systems Inc | Information processing apparatus, method of controlling the same, information processing system, program, and recording medium |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103220172A (en) * | 2013-04-08 | 2013-07-24 | 杭州华三通信技术有限公司 | Device and method based on LDAP (lightweight directory access protocol) user authorization management |
CN108377200A (en) * | 2018-01-19 | 2018-08-07 | 北京大学 | Cloud user management method and system based on LDAP and SLURM |
CN109344596A (en) * | 2018-08-29 | 2019-02-15 | 北京声智科技有限公司 | The management system and method for multiserver based on LDAP |
CN109344596B (en) * | 2018-08-29 | 2021-03-05 | 北京声智科技有限公司 | LDAP-based multi-server management system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C12 | Rejection of a patent application after its publication | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20120307