CN109344596B - LDAP-based multi-server management system and method - Google Patents

Info

Publication number
CN109344596B
Authority
CN
China
Legal status
Active
Application number
CN201810998948.9A
Other languages
Chinese (zh)
Other versions
CN109344596A (en)
Inventor
李晓杰
陈孝良
冯大航
苏少炜
常乐
Assignee
Beijing SoundAI Technology Co Ltd
Priority date
2018-08-29
Filing date
2018-08-29
Publication date
2019-02-15 (CN109344596A), 2021-03-05 (CN109344596B)

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Abstract

An LDAP-based multi-server management system comprising: n users; m servers; the management server comprises an LDAP directory database, wherein the LDAP directory database is used for storing user record items of all users and server record items of all servers, the management server is used for grouping the users, each user in each group corresponds to one user record item, and the user record items at least comprise passwords, object classes and record item attributes; grouping the servers, wherein each server in each group corresponds to a server record item, and the server record item at least comprises a filtering attribute; and judging whether the user logs in successfully or not according to the login request of the user, the user record items and the server record items of the server. The invention provides a cross-platform management system based on LDAP, which reduces the complexity of the relationship between a server and a user, saves a large amount of maintenance manpower and simplifies the records of various user accounts.

Description

LDAP-based multi-server management system and method
Technical Field
The invention relates to the field of server management, in particular to a system and a method for managing multiple servers based on LDAP.
Background
A company's servers are a core working resource: they hold the company's data, run its computations and provide many of its internal network services. A server is a high-availability computer that provides services to client computers; its high performance shows mainly in fast computation, long-term reliable operation and high data throughput. Through that performance a user can finish, in a very short time, computing tasks that a personal computer could not complete, and because a server runs reliably for long periods and has large disk capacity, the user's important data can be kept on it for a long time.
Different user requirements call for servers of various types, so the number of servers is often large. On the one hand, a great deal of manpower must be invested in maintenance and in managing user operation permissions so that mistaken user operations do not damage the server environment; on the other hand, one user often needs several types of server, and considerable effort also goes into creating and recording large numbers of account passwords (as shown in FIG. 1). The relationship between multiple servers and multiple users therefore becomes very disordered.
At present no good management system has been proposed to solve these problems.
Disclosure of Invention
(I) Technical problem to be solved
The present invention is directed to a system and method for LDAP-based multi-server management to solve at least one of the above-mentioned problems.
(II) Technical scheme
In one aspect, an embodiment of the present invention provides an LDAP-based multi-server management system, including:
N users, wherein N is more than or equal to 1, used for sending login requests;
M servers, wherein M is more than or equal to 1, used for receiving login requests of the users corresponding to the servers;
the management server comprises an LDAP directory database, wherein the LDAP directory database is used for storing user record items of all users and server record items of all servers; the management server is used for grouping the users, each user in each group corresponds to a user record item, and the user record item at least comprises a password, an object class and record item attributes; grouping the servers, wherein each server in each group corresponds to a server record item, and the server record item at least comprises a filtering attribute; and judging whether the user logs in successfully or not according to the login request, the user record item of the user and the server record item of the server.
In some embodiments of the present invention, the management server determines whether the user successfully logs in according to the login request, the user record item of the user, and the server record item of the server, specifically:
when a user sends a login request to a server corresponding to the user, the login request comprises a password of the user, the management server is used for inquiring whether the LDAP directory database comprises the password in the login request, and if not, the user login fails; if the user is successfully authenticated, the object class or record item attribute of the user is matched with the filtering attribute of the server, if the matching is unsuccessful, the user login is failed, and if the matching is successful, the user login is successful.
In some embodiments of the present invention, the management server is further configured to obtain user entries and server entries of the users and the servers respectively through LDIF syntax of LDAP, and output the user entries and the server entries to the LDAP directory database.
In some embodiments of the present invention, the management server groups the users, specifically: the management server groups the users according to the passwords, the object classes or the record item attributes in the user record items; and/or the management server groups the servers, specifically: the management server groups the servers according to the filter attributes in the server entries.
In some embodiments of the invention, the LDAP directory database is further configured to add or delete user entries and server entries.
In another aspect of the embodiments of the present invention, a management method for multiple servers based on LDAP is further provided, which includes:
grouping N users, wherein each user of each group corresponds to a user record item, the user record item at least comprises a password, an object class and record item attributes, and N is more than or equal to 1;
grouping M servers, wherein each server in each group corresponds to a server record item, and the server record items at least comprise a filtering attribute, wherein M is more than or equal to 1;
and judging whether the user logs in successfully or not according to the login request of the user, the user record item and the server record item of the server.
In some embodiments of the present invention, determining whether the user successfully logs in according to the login request of the user, the user record item, and the server record item of the server includes the following steps:
a user sends a login request to a server corresponding to the user, wherein the login request comprises a password of the user;
inquiring whether the LDAP directory database storing the user record items and the server record items includes the password in the login request, if not, the user login fails; if the user is successfully authenticated, the object class or record item attribute of the user is matched with the filtering attribute of the server, if the matching is unsuccessful, the user login is failed, and if the matching is successful, the user login is successful.
In some embodiments of the invention, the method further comprises: obtaining user record items and server record items of the users and the servers respectively through the LDIF syntax of LDAP, and outputting the user record items and the server record items to the LDAP directory database.
In some embodiments of the present invention, grouping N users specifically refers to: grouping users according to the passwords, the object classes or the record item attributes in the user record items; and/or grouping M servers, specifically: the servers are grouped according to the filter attributes in the server entries.
In some embodiments of the invention, the method further comprises: adding or deleting user record items and server record items in the LDAP directory database.
(III) Advantageous effects
Compared with the prior art, the LDAP-based multi-server management system and the LDAP-based multi-server management method at least have the following advantages that:
1. based on the LDAP directory database, the management server groups the users and the servers, and judges whether the users can successfully access the servers according to the user record items and the server record items corresponding to the users and the servers, so that the complex relation between a large number of servers and the users is simplified by combining the C/S mode of the LDAP, a large amount of maintenance labor is saved, and the records of various user accounts are simplified.
2. In a traditional mode, the server often needs to edit a local configuration file to distribute the authority of the user, so that the configuration file needs to be edited again when one user or one server is added, and the operation is complicated. The user and server information of the invention is stored in the LDAP directory database, and the authority distribution can be carried out on the server and the user in batch by adding some attribute combinations to the record items, assigning the attributes and adding the filter attribute meeting the authority distribution requirement in the server according to the record items, thereby simplifying the traditional authority distribution mode and reducing the maintenance cost.
3. When the management server judges whether the user can successfully log in the server, firstly, whether the LDAP directory database comprises the password of the user is confirmed so as to confirm whether the management server has the operation authority on the user; after the management server has the operation authority for the user, whether the Filter attribute of the server which the user requests to log in is matched with the object class or the record item attribute of the user is also judged, so that whether the server corresponds to the user is judged, and therefore the management server can be guaranteed to systematically manage the complex relationship between multiple users and multiple servers.
Drawings
FIG. 1 is a diagram illustrating a relationship between a server and a user according to the prior art;
FIG. 2 is a schematic diagram of an LDAP-based multi-server management system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the structure of an LDAP directory database according to an embodiment of the present invention;
FIG. 4 is a schematic workflow diagram of a management system according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating steps of a management method for LDAP-based multi-servers according to an embodiment of the present invention.
Detailed Description
In the prior art the relationship between servers and users is complex and troublesome to manage; the invention therefore provides an LDAP-based management system and method for multiple servers.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
In one aspect of the embodiments of the present invention, an LDAP-based multi-server management system is provided, and fig. 2 is a schematic structural diagram of the LDAP-based multi-server management system according to the embodiments of the present invention, as shown in fig. 2, the system includes:
N users, used for sending login requests, where N is more than or equal to 1;
M servers, used for receiving login requests of the users corresponding to them, where M is more than or equal to 1;
a management server including an LDAP directory database (see fig. 3) for storing user entries for respective users and server entries for respective servers; the management server is used for grouping the users, each user in each group corresponds to a user record item, and the user record item at least comprises a password, an object class and record item attributes; grouping the servers, wherein each server in each group corresponds to a server record item, and the server record item at least comprises a filtering attribute; and judging whether the user logs in successfully or not according to the login request of the user, the user record items and the server record items of the server.
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing online directory services. An LDAP directory database is a specialized distributed database optimized for querying, browsing and searching, and it organizes data in a tree structure. Unlike relational databases, directory databases have excellent read performance but poor write performance, which makes them a good choice for query-heavy workloads. LDAP adopts a C/S model: the server stores the data and the client provides the tools for operating on the directory tree. The invention implements a multi-server cross-platform management system on top of an LDAP database, and so provides a better solution for the complex relationship between multiple servers and multiple users in the prior art.
In this embodiment of the present invention, the management server is further configured to obtain user entries and server entries of the user and the server respectively through an LDIF (a file format for describing directory information or performing modification operations on a directory) syntax of the LDAP, and output the user entries and the server entries to the LDAP directory database for storage.
According to an embodiment of the present invention, the management server groups the users, specifically: the management server groups the users according to the passwords, the object classes or the record item attributes in the user record items. For example, users may be grouped by object class according to the usage group they belong to; different usage groups have different purposes and therefore form different groups.
The management server groups the servers, specifically: the management server groups the servers according to the filter attributes in the server entries. For example, servers may be grouped by the type of service they provide; servers providing different services face different user groups and therefore form different groups.
It should be further noted that, the management server determines whether the user logs in successfully according to the login request of the user, the user record item, and the server record item of the server, please refer to fig. 4, and includes the following operations:
when a user sends a login request to a server corresponding to the user, the login request comprises a password of the user, the management server is used for inquiring whether the LDAP directory database comprises the password in the login request, and if not, the user login fails; if the user is successfully authenticated, the object class or record item attribute of the user is matched with the filtering attribute of the server, if the matching is unsuccessful, the user login is failed, and if the matching is successful, the user login is successful.
For example, user 1 sends a login request to server 1, where the login request includes the password of user 1. The management server queries whether the LDAP directory database includes the password in the login request; if it does not, the management server has no operation authority over user 1, so user 1 cannot log in to server 1.
If the LDAP directory database does include the password of user 1, a further screening step is required: the object class or record item attributes of the user are matched against the filter attribute of the server. Each server, after grouping, corresponds to a server entry (server record item) in the LDAP directory database, and each server entry carries a Filter attribute; login control for different users is implemented through the syntax of this filter. For example, if server 1 authorizes only users whose entry has a gidNumber attribute with the value 1000 or 2000, the Filter attribute expression of server 1 may be written as follows:
Filter=(|(&(objectClass=posixAccount)(uid=$username)(|(gidNumber=1000)(gidNumber=2000))))
If the object class or record item attributes of user 1 include a gidNumber with the value 1000 or 2000, the match succeeds and user 1 can log in to server 1; if the match fails, user 1 cannot log in to server 1.
Therefore, when the management server judges whether the user can successfully log in the server, the management server firstly confirms whether the LDAP directory database comprises the password of the user so as to confirm whether the management server has the operation authority on the user; after the management server has the operation authority for the user, whether the Filter attribute of the server which the user requests to log in is matched with the object class or the record item attribute of the user is also judged, so that whether the server corresponds to the user is judged, and therefore the management server can be guaranteed to systematically manage the complex relationship between multiple users and multiple servers.
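As an added example (not the patent's own code), the LDIF-loaded entries and the two-stage login decision described above, modelled in Python: the directory is built from constructed LDIF, the server's Filter attribute (assumed here to be stored under an attribute named `filter`) is parsed and evaluated against the user's entry after the password check, and the username substituted for `$username` is escaped per RFC 4515 so it cannot alter the filter; the hashed password scheme is an assumption of this example, and the parser rejects unbalanced filters.

```python
import hashlib
import hmac
import re

def hash_password(pw: str) -> str:
    # Stand-in for a directory password scheme (real deployments use salted
    # schemes such as SSHA); an assumption, not the patent's storage format.
    return "{SHA256}" + hashlib.sha256(pw.encode()).hexdigest()

def parse_ldif(text: str) -> list:
    """Minimal LDIF: blank-line separated entries of 'attr: value' lines (base64
    values and line folding not handled); attribute names lower-cased as LDAP does."""
    entries, cur = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + ([cur] if cur else [])

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _parse(f: str, i: int):
    """Recursive descent over the filter subset the page uses: (&...), (|...) and
    (attr=value), with '*' meaning presence. Returns (node, next offset)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if i >= len(f) or f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")  # unbalanced filter
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, raw = f[i:end].partition("=")
    # undo RFC 4515 escapes (\2a etc.) unless this is a presence test
    value = raw if raw == "*" else re.sub(r"\\([0-9A-Fa-f]{2})",
                                           lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.strip().lower(), value), end + 1

def parse_filter(f: str):
    node, i = _parse(f, 0)
    if i != len(f):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def login(username: str, password: str, server: str, entries: list) -> str:
    """The page's two-stage decision. The returned reason is for the audit log;
    the client should only see 'login failed' so the failing stage is not leaked."""
    users = {e["uid"][0]: e for e in entries if "uid" in e}
    servers = {e["cn"][0]: e for e in entries if "filter" in e}
    user, srv = users.get(username), servers.get(server)
    if user is None or srv is None:
        return "unknown user or server"
    # Stage 1: does the directory hold this user's password?
    if not hmac.compare_digest(user["userpassword"][0], hash_password(password)):
        return "password mismatch"
    # Stage 2: does the server's filter, with $username filled in, match the user?
    flt = srv["filter"][0].replace("$username", escape_filter_value(username))
    return "ok" if matches(parse_filter(flt), user) else "filter mismatch"

# Constructed directory contents (not from the patent): two users and one server
# whose filter is the expression given on the page, assumed to be stored under
# an attribute named 'filter'.
LDIF = f"""dn: uid=user1,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user1
userPassword: {hash_password('user1-secret')}
gidNumber: 1000

dn: uid=user2,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user2
userPassword: {hash_password('user2-secret')}
gidNumber: 3000

dn: cn=server1,ou=servers,dc=example,dc=com
cn: server1
filter: (|(&(objectClass=posixAccount)(uid=$username)(|(gidNumber=1000)(gidNumber=2000))))
"""
DIRECTORY = parse_ldif(LDIF)
```

`login("user2", "user2-secret", "server1", DIRECTORY)` passes the password stage but fails the filter stage because user2's gidNumber is 3000, which is exactly the screening the page describes.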
In addition, in order to expand the operation authority of the management server to other users or delete some users from the management system, the LDAP directory database is also used for adding or deleting user entries and server entries.
In another aspect of the embodiments of the present invention, a management method for multiple LDAP-based servers is further provided, and fig. 4 is a schematic step diagram of the management method for multiple LDAP-based servers according to the embodiments of the present invention, as shown in fig. 4, the method includes:
S1: grouping the N users, wherein each user in each group corresponds to a user record item, and the user record item at least comprises a password, an object class and record item attributes.
S2: grouping the M servers, wherein each server in each group corresponds to one server record item, and the server record items at least comprise a filtering attribute.
The user record items and server record items of the users and servers are obtained respectively through the LDIF syntax of LDAP and output to the LDAP directory database for storage.
Grouping N users specifically includes: and grouping the users according to the passwords, the object classes or the record item attributes in the user record items.
Grouping M servers specifically includes: the servers are grouped according to the filter attributes in the server entries.
S3: judging whether the user logs in successfully according to the login request of the user, the user record item and the server record item of the server.
Wherein, step S3 may be more specifically:
a user sends a login request to a server corresponding to the user, wherein the login request comprises a password of the user;
inquiring whether the LDAP directory database storing the user record items and the server record items includes the password in the login request, if not, the user login fails; if the user is successfully authenticated, the object class or record item attribute of the user is matched with the filtering attribute of the server, if the matching is unsuccessful, the user login is failed, and if the matching is successful, the user login is successful.
In order to be able to extend the operating rights of the management server to other users or to delete certain users from the management system, the LDAP directory database is also used to add or delete user entries and server entries.
To sum up, the management system and method of the LDAP-based multi-server of the invention are based on the LDAP directory database, wherein the management server judges whether the user can successfully access the server according to the user record items and the server record items corresponding to the user and the server, thereby simplifying the complex relations between a large number of servers and users by combining the C/S mode of the LDAP, saving a large amount of maintenance manpower and simplifying the records of various user accounts.
Unless otherwise indicated, the numerical parameters set forth in the specification and attached claims are approximations that can vary depending upon the desired properties sought to be obtained by the present invention. In particular, all numbers expressing quantities of ingredients, reaction conditions, and so forth used in the specification and claims are to be understood as being modified in all instances by the term "about". Generally, the expression is meant to encompass variations of ± 10% in some embodiments, 5% in some embodiments, 1% in some embodiments, 0.5% in some embodiments by the specified amount.
Furthermore, "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. An LDAP-based multi-server management system comprising:
N users, wherein N is more than or equal to 1, used for sending login requests;
M servers, wherein M is more than or equal to 1, used for receiving login requests of the users corresponding to the servers;
the management server comprises an LDAP directory database, wherein the LDAP directory database is used for storing user record items of all users and server record items of all servers; the management server is used for grouping the users, each user in each group corresponds to a user record item, and the user record item at least comprises a password, an object class and record item attributes; grouping the servers, wherein each server in each group corresponds to a server record item, and the server record item at least comprises a filtering attribute; judging whether the user logs in successfully or not according to the login request, the user record item of the user and the server record item of the server;
the management server judges whether the user logs in successfully according to the login request, the user record item of the user and the server record item of the server, and specifically comprises the following steps:
when a user sends a login request to a server corresponding to the user, the login request comprises a password of the user, the management server is used for inquiring whether the LDAP directory database comprises the password in the login request, and if not, the user login fails; if the user is successfully authenticated, the object class or record item attribute of the user is matched with the filtering attribute of the server, if the matching is unsuccessful, the user login is failed, and if the matching is successful, the user login is successful.
2. The management system of claim 1, wherein said management server is further configured to obtain user entries and server entries for users and servers, respectively, via LDIF syntax of LDAP and output to said LDAP directory database.
3. The management system according to claim 1, wherein the management server groups the users, specifically: the management server groups the users according to the passwords, the object classes or the record item attributes in the user record items; and/or
The management server groups the servers, specifically: the management server groups the servers according to the filter attributes in the server entries.
4. The management system of claim 1, wherein said LDAP directory database is further operable to add or delete user entries and server entries.
5. An LDAP-based multi-server management method, comprising:
grouping N users, wherein each user of each group corresponds to a user record item, the user record item at least comprises a password, an object class and record item attributes, and N is more than or equal to 1;
grouping M servers, wherein each server in each group corresponds to a server record item, and the server record items at least comprise a filtering attribute, wherein M is more than or equal to 1;
judging whether the user successfully logs in or not according to the login request of the user, a user record item and a server record item of the server;
judging whether the user logs in successfully according to the login request of the user, the user record items and the server record items of the server, wherein the method comprises the following steps:
a user sends a login request to a server corresponding to the user, wherein the login request comprises a password of the user;
inquiring whether the LDAP directory database storing the user record items and the server record items includes the password in the login request, if not, the user login fails; if the user is successfully authenticated, the object class or record item attribute of the user is matched with the filtering attribute of the server, if the matching is unsuccessful, the user login is failed, and if the matching is successful, the user login is successful.
6. The management method of claim 5, further comprising: obtaining user record items and server record items of the users and the servers respectively through the LDIF syntax of LDAP, and outputting the user record items and the server record items to the LDAP directory database.
7. The management method according to claim 5, wherein grouping the N users specifically refers to: grouping users according to the passwords, the object classes or the record item attributes in the user record items; and/or
Grouping M servers specifically includes: the servers are grouped according to the filter attributes in the server entries.
8. The management method of claim 5, further comprising: adding or deleting user record items and server record items in the LDAP directory database.
Publications (2)

Publication Number Publication Date
CN109344596A CN109344596A (en) 2019-02-15
CN109344596B true CN109344596B (en) 2021-03-05