CN116668096A - LDAP-based unified identity verification method and system - Google Patents


Info

Publication number
CN116668096A
Authority
CN
China
Prior art keywords
authentication
server
ldap
request
verification
Prior art date
Legal status
Pending
Application number
CN202310554728.8A
Other languages
Chinese (zh)
Inventor
方进
Current Assignee
Fujia Newland Software Engineering Co ltd
Original Assignee
Fujia Newland Software Engineering Co ltd

Classifications

    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0209 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L9/40 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application provides an LDAP-based unified authentication method and system in the technical field of authentication, wherein the method comprises the following steps: step S10, configuring a reverse proxy of the web application on a reverse proxy server for forwarding a verification request of the web application to an authentication server; step S20, creating user data for authentication on an LDAP server; step S30, intercepting the verification request of the web application by the reverse proxy server, and forwarding the intercepted verification request to the authentication server; step S40, the authentication server forwards the authentication request to an LDAP server, and the LDAP server generates an authentication result after authenticating the request based on the user data; step S50, the LDAP server sends the verification result to the web application through the authentication server, the reverse proxy server and the network firewall in sequence; step S60, the web application performs a login operation based on the received verification result. The application has the advantage that the convenience and the safety of unified identity verification are greatly improved.

Description

LDAP-based unified identity verification method and system
Technical Field
The application relates to the technical field of authentication, in particular to an LDAP-based unified authentication method and system.
Background
With the development of the internet, more and more web applications have emerged to provide various services to users. However, this also presents a problem: the user must enter a user name and password in the web system of each web application in order to log in, which is not only inconvenient for the user but also increases the risk of the user's information being leaked. To solve this problem, the concept of unified authentication was proposed; its objective is that a user logs in to only one web system and is then logged in to the other web systems automatically, without entering a user name and password again.
Traditionally, there are several methods of achieving unified identity verification:
One is realized through session data sharing or session persistence. Although these methods can achieve unified identity verification, additional components or data storage layers must be maintained, which increases the complexity of the web system and does not cope well with large-scale concurrent access.
Another is to integrate multiple web systems using Single Sign-On (SSO), which lets a user who has logged in to one web system be logged in to the other web systems automatically. However, this approach also adds complexity to the web system: additional components and trust relationships must be maintained, the web system must be modified to some extent, different authentication clients must be developed for different authentication servers, and a security risk is introduced, because once the authentication server is breached, an attacker can obtain access rights to all web systems.
Therefore, how to provide an authentication method and system based on LDAP, to improve the convenience and safety of authentication, is a technical problem to be solved.
Disclosure of Invention
The application aims to solve the technical problem of providing an LDAP-based unified identity authentication method and system that improve the convenience and safety of unified authentication.
In a first aspect, the present application provides an LDAP-based unified authentication method, comprising the steps of:
step S10, configuring a reverse proxy of the web application on a reverse proxy server for forwarding a verification request of the web application to an authentication server;
step S20, creating user data for authentication on an LDAP server;
step S30, intercepting a verification request of the web application by the reverse proxy server, and forwarding the intercepted verification request to the authentication server;
step S40, the authentication server forwards the authentication request to an LDAP server, and the LDAP server generates an authentication result after carrying out authentication on the authentication request based on the user data;
step S50, the LDAP server sends the verification result to the web application through an authentication server, a reverse proxy server and a network firewall in sequence;
step S60, the web application executes login operation based on the received verification result.
Further, the step S20 specifically includes:
user data for authentication is created on an LDAP server and stored to a pre-created LDAP directory.
Further, the step S30 specifically includes:
the reverse proxy server intercepts a verification request of the web application through a network firewall, encrypts the intercepted verification request by using a preset key and forwards the encrypted verification request to the authentication server based on a security protocol; the verification request carries at least data to be verified and a request time.
Further, the step S40 specifically includes:
the authentication server stores URL, DN and password for connecting with the LDAP server in advance; the authentication server forwards the authentication request to an LDAP server based on the URL, the DN and the password, the LDAP server decrypts the authentication request by using a preset key, and an authentication result is generated after the authentication request is authenticated based on the user data.
Further, the step S50 specifically includes:
after the LDAP server encrypts the verification result with the preset key, it transmits the result over a security protocol to the web application through the authentication server, the reverse proxy server and the network firewall in sequence, records a log of the verification process, and monitors the log in real time based on a preset supervision rule.
In a second aspect, the present application provides an LDAP-based unified authentication system, comprising:
a reverse proxy server configuration module for configuring a reverse proxy of the web application on the reverse proxy server for forwarding a verification request of the web application to the authentication server;
an LDAP server configuration module for creating user data for authentication on the LDAP server;
the authentication request interception module is used for intercepting an authentication request of the web application by the reverse proxy server and forwarding the intercepted authentication request to the authentication server;
the authentication module is used for transmitting the authentication request to an LDAP server by the authentication server, and generating an authentication result after the authentication request is authenticated by the LDAP server based on the user data;
the authentication result sending module is used for sending the authentication result to the web application through the authentication server, the reverse proxy server and the network firewall in sequence by the LDAP server;
the login module is used for the web application to execute the login operation based on the received verification result.
Further, the LDAP server configuration module is specifically configured to:
user data for authentication is created on an LDAP server and stored to a pre-created LDAP directory.
Further, the verification request interception module is specifically configured to:
the reverse proxy server intercepts a verification request of the web application through a network firewall, encrypts the intercepted verification request by using a preset key and forwards the encrypted verification request to the authentication server based on a security protocol; the verification request carries at least data to be verified and a request time.
Further, the identity verification module is specifically configured to:
the authentication server stores URL, DN and password for connecting with the LDAP server in advance; the authentication server forwards the authentication request to an LDAP server based on the URL, the DN and the password, the LDAP server decrypts the authentication request by using a preset key, and an authentication result is generated after the authentication request is authenticated based on the user data.
Further, the verification result sending module is specifically configured to:
after the LDAP server encrypts the verification result with the preset key, it transmits the result over a security protocol to the web application through the authentication server, the reverse proxy server and the network firewall in sequence, records a log of the verification process, and monitors the log in real time based on a preset supervision rule.
The application has the advantages that:
The authentication request of the web application is intercepted by the reverse proxy server and forwarded to the authentication server; the authentication server forwards it to the LDAP server, which authenticates the request against the created user data and generates an authentication result; the result is sent back to the web application through the authentication server, the reverse proxy server and the network firewall in sequence, and the web application executes the login operation based on the received result. Because the authentication request is forwarded to the LDAP server through the reverse proxy server, the LDAP server lets a user switch seamlessly among a plurality of web applications without logging in to each one, and identity authentication is achieved without modifying the web applications, so the convenience of unified identity authentication is greatly improved. The network firewall protects the data transmitted between the web application and the reverse proxy server; data is transmitted among the reverse proxy server, the authentication server and the LDAP server over a security protocol and is encrypted in transit; logs of the verification process are recorded and monitored in real time based on preset supervision rules. Five security measures are thus adopted in total, so the security of unified identity verification is greatly improved.
Drawings
The application will be further described with reference to examples of embodiments with reference to the accompanying drawings.
FIG. 1 is a flow chart of an LDAP-based unified authentication method of the present application.
FIG. 2 is a schematic diagram of the structure of an LDAP-based unified authentication system of the present application.
Detailed Description
The technical scheme in the embodiment of the application has the following overall idea: the authentication request of the web application is forwarded to the LDAP server for authentication through the reverse proxy server; the LDAP server lets a user switch seamlessly among a plurality of web applications without logging in to each one, and the authentication is non-invasive, so the convenience of unified identity authentication is improved. The network firewall protects the transmitted data, the reverse proxy server, the authentication server and the LDAP server exchange data over a security protocol, the transmitted data is encrypted, and logs of the verification process are recorded and monitored in real time based on preset supervision rules, so the security of unified identity verification is improved.
Referring to fig. 1 to 2, a preferred embodiment of an LDAP-based authentication method according to the present application includes the following steps:
step S10, configuring a reverse proxy of the web application on a reverse proxy server (such as Nginx) for forwarding a verification request of the web application to an authentication server;
step S20, creating user data for authentication on an LDAP server;
An LDAP server is deployed on an independent server and all web applications are configured to use it for authentication, so user data is managed in one place. When a user logs in to one web application, the user's credentials are sent to the LDAP server for authentication; after authentication succeeds the user is granted access rights and does not need to log in again when switching to other web applications, which greatly improves the user experience and spares the user the trouble of switching among a plurality of systems. Compared with other authentication servers (such as OAuth 2), the LDAP server is lightweight and efficient, and can respond quickly to the user's authentication request.
step S30, intercepting a verification request of the web application by the reverse proxy server, and forwarding the intercepted verification request to the authentication server;
step S40, the authentication server forwards the authentication request to an LDAP server, and the LDAP server generates an authentication result after carrying out authentication on the authentication request based on the user data;
step S50, the LDAP server sends the verification result to the web application through an authentication server, a reverse proxy server and a network firewall in sequence;
step S60, the web application executes login operation based on the received verification result, namely single sign-on and unified user identity authentication are realized without modifying the web application.
In the aspect of user authentication design, based on the LDAP design thought, the application designs a more effective authentication architecture, so that the user management of a plurality of web applications is more efficient, and better single sign-on experience is achieved. In the aspect of network security design, based on the design thought of a reverse proxy server, a more effective identity verification architecture is designed, so that request interception and identity verification of web applications are more efficient, and the aim of realizing single sign-on under the condition of not modifying the web applications is fulfilled.
The step S20 specifically includes:
User data for authentication is created on an LDAP server and stored in a pre-created LDAP directory. The user data of all web applications and systems is unified in the LDAP directory, which simplifies user management and makes it easier for an administrator to manage and maintain the user data.
The LDAP provides an information service called directory service, can be regarded as a special database system, can effectively solve the problem of user accounts of a plurality of network services, defines a unified identity information database, an identity authentication mechanism and an interface, realizes unified management of resources and information, and ensures consistency and integrity of the user data.
The step S30 specifically includes:
the reverse proxy server intercepts a verification request of the web application through a network firewall, encrypts the intercepted verification request by using a preset key and forwards the encrypted verification request to the authentication server based on a security protocol; the verification request carries at least data to be verified and a request time.
The reverse proxy server intercepts the verification request of the web application and performs identity verification, and then forwards the verified verification request to the web application, so that single sign-on can be realized without modifying the web application; and the reverse proxy server is deployed behind the network firewall and used as a front end to control and protect the access to the back end server on the private network, so that the back end server can be effectively protected from attack, and the security of the system is improved.
The step S40 specifically includes:
the authentication server stores URL, DN and password for connecting with the LDAP server in advance; the authentication server forwards the authentication request to an LDAP server based on the URL, the DN and the password, the LDAP server decrypts the authentication request by using a preset key, and an authentication result is generated after the authentication request is authenticated based on the user data.
The step S50 specifically includes:
After the LDAP server encrypts the verification result with the preset key, it transmits the result over a security protocol to the web application through the authentication server, the reverse proxy server and the network firewall in sequence, records a log of the verification process, and monitors the log in real time based on a preset supervision rule.
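Step S50's real-time monitoring of the verification log against a preset supervision rule, written out as an added example (not code from the patent). The log format, the field names and the threshold rule are assumptions; the log lines are constructed so the detection logic runs offline.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List

# Constructed log lines in the assumed format the authentication server writes
# for every verification request: timestamp, result, uid, source address.
SAMPLE_LOG = """\
2023-05-17T10:00:01Z result=ok   user=kibanauser src=10.0.0.5
2023-05-17T10:01:10Z result=fail user=admin      src=203.0.113.9
2023-05-17T10:01:12Z result=fail user=admin      src=203.0.113.9
2023-05-17T10:01:15Z result=fail user=admin      src=203.0.113.9
2023-05-17T10:01:19Z result=fail user=admin      src=203.0.113.9
2023-05-17T10:01:24Z result=fail user=admin      src=203.0.113.9
2023-05-17T10:01:30Z result=ok   user=admin      src=203.0.113.9
2023-05-17T10:20:00Z result=fail user=kibanauser src=10.0.0.5
"""


@dataclass(frozen=True)
class Rule:
    """Assumed preset supervision rule: max_failures failed verifications for one
    uid inside window_seconds raises a WARNING; a success that follows such a
    burst raises a CRITICAL alert (the burst may have guessed the password)."""
    max_failures: int = 5
    window_seconds: int = 60


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one verification log line into an Event (UTC timestamps)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kv["result"] == "ok", kv["user"], kv["src"])


def supervise(lines: Iterable[str], rule: Rule = Rule()) -> List[str]:
    """Stream log lines through a per-user sliding window of failure timestamps
    and return the alerts the rule produces, in log order."""
    alerts: List[str] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_open: Dict[str, bool] = defaultdict(bool)
    span = timedelta(seconds=rule.window_seconds)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        q = failures[ev.user]
        while q and ev.ts - q[0] > span:          # age out failures older than the window
            q.popleft()
        if ev.ok:
            if burst_open[ev.user]:               # success right after a burst of failures
                alerts.append(f"{ev.ts.isoformat()} CRITICAL success for {ev.user} from "
                              f"{ev.src} after {len(q)} failures within {rule.window_seconds}s")
                burst_open[ev.user] = False
                q.clear()
            continue                              # failures stay counted until they age out
        q.append(ev.ts)
        if len(q) >= rule.max_failures and not burst_open[ev.user]:
            burst_open[ev.user] = True            # alert once per burst, not per failure
            alerts.append(f"{ev.ts.isoformat()} WARNING {len(q)} failures for {ev.user} "
                          f"from {ev.src} within {rule.window_seconds}s")
    return alerts
```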
The application discloses a preferred embodiment of an LDAP-based identity unified verification system, which comprises the following modules:
a reverse proxy server configuration module for configuring a reverse proxy of the web application on a reverse proxy server (e.g., Nginx) for forwarding a validation request of the web application to an authentication server;
an LDAP server configuration module for creating user data for authentication on the LDAP server;
An LDAP server is deployed on an independent server and all web applications are configured to use it for authentication, so user data is managed in one place. When a user logs in to one web application, the user's credentials are sent to the LDAP server for authentication; after authentication succeeds the user is granted access rights and does not need to log in again when switching to other web applications, which greatly improves the user experience and spares the user the trouble of switching among a plurality of systems. Compared with other authentication servers (such as OAuth 2), the LDAP server is lightweight and efficient, and can respond quickly to the user's authentication request.
The authentication request interception module is used for intercepting an authentication request of the web application by the reverse proxy server and forwarding the intercepted authentication request to the authentication server;
the authentication module is used for transmitting the authentication request to an LDAP server by the authentication server, and generating an authentication result after the authentication request is authenticated by the LDAP server based on the user data;
the authentication result sending module is used for sending the authentication result to the web application through the authentication server, the reverse proxy server and the network firewall in sequence by the LDAP server;
the login module is used for the web application to execute the login operation based on the received verification result, namely, single sign-on and unified user identity authentication are realized without modifying the web application.
In the aspect of user authentication design, based on the LDAP design thought, the application designs a more effective authentication architecture, so that the user management of a plurality of web applications is more efficient, and better single sign-on experience is achieved. In the aspect of network security design, based on the design thought of a reverse proxy server, a more effective identity verification architecture is designed, so that request interception and identity verification of web applications are more efficient, and the aim of realizing single sign-on under the condition of not modifying the web applications is fulfilled.
The LDAP server configuration module is specifically used for:
User data for authentication is created on an LDAP server and stored in a pre-created LDAP directory. The user data of all web applications and systems is unified in the LDAP directory, which simplifies user management and makes it easier for an administrator to manage and maintain the user data.
The LDAP provides an information service called directory service, can be regarded as a special database system, can effectively solve the problem of user accounts of a plurality of network services, defines a unified identity information database, an identity authentication mechanism and an interface, realizes unified management of resources and information, and ensures consistency and integrity of the user data.
The verification request interception module is specifically configured to:
the reverse proxy server intercepts a verification request of the web application through a network firewall, encrypts the intercepted verification request by using a preset key and forwards the encrypted verification request to the authentication server based on a security protocol; the verification request carries at least data to be verified and a request time.
The reverse proxy server intercepts the verification request of the web application and performs identity verification, and then forwards the verified verification request to the web application, so that single sign-on can be realized without modifying the web application; and the reverse proxy server is deployed behind the network firewall and used as a front end to control and protect the access to the back end server on the private network, so that the back end server can be effectively protected from attack, and the security of the system is improved.
The identity verification module is specifically used for:
the authentication server stores URL, DN and password for connecting with the LDAP server in advance; the authentication server forwards the authentication request to an LDAP server based on the URL, the DN and the password, the LDAP server decrypts the authentication request by using a preset key, and an authentication result is generated after the authentication request is authenticated based on the user data.
The verification result sending module is specifically configured to:
After the LDAP server encrypts the verification result with the preset key, it transmits the result over a security protocol to the web application through the authentication server, the reverse proxy server and the network firewall in sequence, records a log of the verification process, and monitors the log in real time based on a preset supervision rule.
To facilitate an understanding of the application, the following examples are provided for further explanation:
1. Setting up Nginx, and configuring the reverse proxy and identity verification:
1. Configuring a reverse proxy on Nginx: in the Nginx configuration file, a new server block is added that forwards requests for Kibana to the Kibana server. For example:
2. Configuring authentication on Nginx: in the Nginx configuration file, the ngx_http_auth_request_module module is used to implement LDAP authentication. For example:
Using Nginx's ngx_http_auth_request_module for LDAP authentication provides more flexibility: before the request is processed, a subrequest is sent to an external authentication server. The module sends the authentication request to an LDAP-enabled authentication server, such as authldap, which is responsible for receiving authentication requests from Nginx and communicating with the LDAP server over the LDAP protocol to verify the identity of the user; the authentication flow can therefore be configured as required to meet the needs of different applications.
2. Building an LDAP server:
creating a new user on the LDAP server for use in Kibana authentication, for example:
```
dn: uid=kibanauser,ou=people,dc=yourdomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: kibanauser
cn: Kibana User
sn: User
givenName: Kibana
mail: kibanauser@yourdomain.com
userPassword: {CLEARTEXT}password
```
3. application configuration:
In Kibana's configuration file, elasticsearch.username and elasticsearch.password are set to empty so that Kibana is authenticated and authorized through Nginx. Specifically, the following needs to be added to the kibana.yml file:
```
elasticsearch.username:""
elasticsearch.password:""
```
4. Building and configuring the LDAP-enabled authentication server:
The authentication server is responsible for receiving authentication requests from Nginx and communicating with the LDAP server over the LDAP protocol to verify the identity of the user. It can be implemented by writing Python code, or an OAuth2 authorization server can be installed.
If the security requirement on the system is not high, an ldap_server block can be configured directly in Nginx; the authentication server is then skipped and authentication is performed directly against the LDAP server. The ldap_server configuration in Nginx is as follows:
Configure the auth-ldap module. An ldap_server block, which holds the related information of the LDAP server, needs to be added to the Nginx configuration file. For example:
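The LDAP-enabled authentication server of item 4, written in Python as an added example (not code from the patent or from any Nginx module): it answers the ngx_http_auth_request_module subrequest with 200 or 401 after checking Basic credentials against the patent's kibanauser LDIF entry. The LDAP server is replaced by an in-memory directory parsed from constructed LDIF so the block runs offline; BASE_DN, the uid pattern and the X-Auth-User header are assumptions, and the added {SSHA} entry shows the hashed storage a deployment should use in place of {CLEARTEXT}.

```python
import base64
import hashlib
import os
import re
import secrets
from typing import Dict, Optional, Tuple

BASE_DN = "ou=people,dc=yourdomain,dc=com"      # the people OU from the patent's LDIF
UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")    # assumed uid policy: no DN/filter metacharacters

# Constructed LDIF mirroring the patent's kibanauser entry ({CLEARTEXT} scheme).
SAMPLE_LDIF = """\
dn: uid=kibanauser,ou=people,dc=yourdomain,dc=com
objectClass: inetOrgPerson
uid: kibanauser
userPassword: {CLEARTEXT}password
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Parse minimal LDIF into {dn: {attr: value}}; 'attr:: b64' values are decoded."""
    directory: Dict[str, Dict[str, str]] = {}
    entry: Dict[str, str] = {}
    for line in text.splitlines() + [""]:
        if not line.strip():                      # a blank line terminates an entry
            if "dn" in entry:
                directory[entry["dn"]] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry[attr.strip()] = value               # repeated attributes: last value wins
    return directory


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA} value: SHA-1 over password+salt, salt appended."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate against a userPassword value.
    Supports {CLEARTEXT} (the patent's LDIF) and {SSHA}; unknown schemes are rejected."""
    if stored.startswith("{CLEARTEXT}"):
        return secrets.compare_digest(stored[len("{CLEARTEXT}"):].encode(), candidate.encode())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return secrets.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    return False


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (user, password) from a Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:                            # covers binascii.Error and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def handle_auth_request(headers: Dict[str, str], directory: Dict[str, Dict[str, str]]) -> Tuple[int, Dict[str, str]]:
    """Answer an auth_request subrequest: 200 lets Nginx proxy the original request
    on to Kibana, 401 makes Nginx return the Basic challenge to the browser instead."""
    challenge = {"WWW-Authenticate": 'Basic realm="Kibana"'}
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    if not UID_RE.fullmatch(user):                # against a real directory this keeps the
        return 401, challenge                     # bind DN / search filter client-proof
    entry = directory.get(f"uid={user},{BASE_DN}")
    # Unknown user and wrong password get the same answer (no user enumeration).
    if entry is None or not verify_password(entry.get("userPassword", ""), password):
        return 401, challenge
    return 200, {"X-Auth-User": user}             # exported upstream via auth_request_set


def build_sample_directory() -> Dict[str, Dict[str, str]]:
    """Constructed directory: the patent's entry plus one with a hashed password."""
    salt = bytes.fromhex("01020304")              # fixed salt so the example is reproducible
    hashed = ("dn: uid=auditor,ou=people,dc=yourdomain,dc=com\n"
              "objectClass: inetOrgPerson\nuid: auditor\n"
              "userPassword: " + ssha_hash("s3cret!", salt) + "\n")
    return parse_ldif(SAMPLE_LDIF + "\n" + hashed)
```

In Nginx the endpoint is wired with `auth_request` on the Kibana location and a separate location that proxies the subrequest to this server.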
In summary, the application has the advantages that:
The authentication request of the web application is intercepted by the reverse proxy server and forwarded to the authentication server; the authentication server forwards it to the LDAP server, which authenticates the request against the created user data and generates an authentication result; the result is sent back to the web application through the authentication server, the reverse proxy server and the network firewall in sequence, and the web application executes the login operation based on the received result. Because the authentication request is forwarded to the LDAP server through the reverse proxy server, the LDAP server lets a user switch seamlessly among a plurality of web applications without logging in to each one, and identity authentication is achieved without modifying the web applications, so the convenience of unified identity authentication is greatly improved. The network firewall protects the data transmitted between the web application and the reverse proxy server; data is transmitted among the reverse proxy server, the authentication server and the LDAP server over a security protocol and is encrypted in transit; logs of the verification process are recorded and monitored in real time based on preset supervision rules. Five security measures are thus adopted in total, so the security of unified identity verification is greatly improved.
While specific embodiments of the application have been described above, it will be appreciated by those skilled in the art that the specific embodiments described are illustrative only and not intended to limit the scope of the application, and that equivalent modifications and variations of the application in light of the spirit of the application will be covered by the claims of the present application.

Claims (10)

1. An LDAP-based unified identity authentication method is characterized in that: the method comprises the following steps:
step S10, configuring a reverse proxy of the web application on a reverse proxy server for forwarding a verification request of the web application to an authentication server;
step S20, creating user data for authentication on an LDAP server;
step S30, intercepting a verification request of the web application by the reverse proxy server, and forwarding the intercepted verification request to the authentication server;
step S40, the authentication server forwards the authentication request to an LDAP server, and the LDAP server generates an authentication result after carrying out authentication on the authentication request based on the user data;
step S50, the LDAP server sends the verification result to the web application through an authentication server, a reverse proxy server and a network firewall in sequence;
step S60, the web application executes login operation based on the received verification result.
2. An LDAP-based unified authentication method as set forth in claim 1, wherein: the step S20 specifically includes:
user data for authentication is created on an LDAP server and stored to a pre-created LDAP directory.
3. An LDAP-based unified authentication method as set forth in claim 1, wherein: the step S30 specifically includes:
the reverse proxy server intercepts a verification request of the web application through a network firewall, encrypts the intercepted verification request by using a preset key and forwards the encrypted verification request to the authentication server based on a security protocol; the verification request carries at least data to be verified and a request time.
4. An LDAP-based unified authentication method as set forth in claim 1, wherein: the step S40 specifically includes:
the authentication server stores in advance the URL, DN and password used to connect to the LDAP server; the authentication server forwards the authentication request to the LDAP server based on the URL, the DN and the password, the LDAP server decrypts the authentication request using a preset key, and an authentication result is generated after the authentication request is authenticated based on the user data.
5. An LDAP-based unified authentication method as set forth in claim 1, wherein: the step S50 specifically includes:
after the verification result is encrypted by the LDAP server using a preset key, the LDAP server transmits the verification result to the web application in sequence through the authentication server, the reverse proxy server and the network firewall based on a security protocol, records a log of the verification process, and monitors the log in real time based on a preset supervision rule.
6. An LDAP-based unified identity verification system is characterized in that: the system comprises the following modules:
a reverse proxy server configuration module for configuring a reverse proxy of the web application on the reverse proxy server for forwarding a verification request of the web application to the authentication server;
an LDAP server configuration module for creating user data for authentication on the LDAP server;
the authentication request interception module is used for intercepting an authentication request of the web application by the reverse proxy server and forwarding the intercepted authentication request to the authentication server;
the authentication module is used for transmitting the authentication request to an LDAP server by the authentication server, and generating an authentication result after the authentication request is authenticated by the LDAP server based on the user data;
the authentication result sending module is used for sending the authentication result to the web application through the authentication server, the reverse proxy server and the network firewall in sequence by the LDAP server;
and the login module is used for the web application to execute login operation based on the received verification result.
7. An LDAP-based unified authentication system as set forth in claim 6, wherein: the LDAP server configuration module is specifically used for:
user data for authentication is created on an LDAP server and stored to a pre-created LDAP directory.
8. An LDAP-based unified authentication system as set forth in claim 6, wherein: the verification request interception module is specifically configured to:
the reverse proxy server intercepts a verification request of the web application through a network firewall, encrypts the intercepted verification request by using a preset key and forwards the encrypted verification request to the authentication server based on a security protocol; the verification request carries at least data to be verified and a request time.
9. An LDAP-based unified authentication system as set forth in claim 6, wherein: the identity verification module is specifically used for:
the authentication server stores in advance the URL, DN and password used to connect to the LDAP server; the authentication server forwards the authentication request to the LDAP server based on the URL, the DN and the password, the LDAP server decrypts the authentication request using a preset key, and an authentication result is generated after the authentication request is authenticated based on the user data.
10. An LDAP-based unified authentication system as set forth in claim 6, wherein: the verification result sending module is specifically configured to:
after the verification result is encrypted by the LDAP server using a preset key, the LDAP server transmits the verification result to the web application in sequence through the authentication server, the reverse proxy server and the network firewall based on a security protocol, records a log of the verification process, and monitors the log in real time based on a preset supervision rule.
CN202310554728.8A 2023-05-17 2023-05-17 LDAP-based unified identity verification method and system Pending CN116668096A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310554728.8A CN116668096A (en) 2023-05-17 2023-05-17 LDAP-based unified identity verification method and system

Publications (1)

Publication Number Publication Date
CN116668096A true CN116668096A (en) 2023-08-29

Family

ID=87719862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310554728.8A Pending CN116668096A (en) 2023-05-17 2023-05-17 LDAP-based unified identity verification method and system

Country Status (1)

Country Link
CN (1) CN116668096A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination