JP5463757B2 - Information processing apparatus, control method therefor, information processing system, and program - Google Patents

Description

  The present invention relates to an authentication method in a WEB conference system.

  Currently, there is a WEB conference system that can realize a WEB conference via a WEB browser.

  A user operates a client terminal equipped with a WEB camera, and accesses the WEB conference system, so that the user can hold a WEB conference while viewing each other's moving images with other users accessing the WEB conference system. .

  Since it is easy to hold meetings with users in remote locations, it is used in various situations such as regular meetings, working from home, and training.

  By the way, in order to make the WEB conference system available to users, the administrator must register as a user.

  However, the greater the number of registered users, the greater the burden of user registration, and the maintenance work becomes more difficult.

  Therefore, a method of performing user registration and user authentication in the WEB conference system using user information managed by the LDAP server is conceivable. However, when this method is used, a user not managed by the LDAP server (for example, temporary (A guest user) cannot use the WEB conference system.

  Patent Document 1 discloses a technique for providing a network conference system capable of authentication according to an actual conference form.

  JP 2003-167856 A

  However, the invention described in Patent Document 1 is a network conference in which a plurality of terminals are connected via a network and a conference is performed between a host on the organizer side that invites the conference and a terminal on the participant side that participates in the conference In system authentication, authentication information used to indicate to the participant terminal that the host is correct is generated on the organizer terminal side, and the authentication information is provided to the participant terminal to request participation in the conference. , Waits for the meeting participation request from the organizer terminal, the operator determines whether or not the meeting connection is possible based on the provided authentication information in response to the meeting participation request from the organizer terminal, It does not solve the problem that a user who performs connection processing and is not managed by the LDAP server cannot use the WEB conference system.

Therefore, the present invention solves the above-mentioned problem, and in a mechanism for performing authentication using an existing authentication server in which user information of general users is registered, authentication of guest users not managed by the authentication server is also possible. It is possible to provide a technique that enables a guest user to participate in an invited destination in the case of an access request from the guest user.

The present invention is an information processing apparatus that accepts access by a guest user who has been temporarily invited and access by a general user, and performs user authentication, in order to invite a guest user, In response to receiving user information at least by the guest user information receiving means, the guest user information receiving means for receiving user information including at least the guest user's mail address and password , the mail address as the user information If, further, the guest user information registration means for registering a password used for authentication of the guest user, in the storage means, based on the guest user information guest user information registered in the registration means, the information of the guest user Access including at least the password information included and the invitees to invite Notification means for notifying information to the email address of the guest user to be invited, access request according to the access information by the operation of the guest user from the client terminal, and access by the general user login screen by the operation of the general user An access request receiving unit that receives a request, and a determination unit that determines whether the access request received by the access request receiving unit is an access request based on a login screen of a general user or an access request according to the access information notified by the notification unit If the determination means determines that the access request is based on the login screen of the general user, the authentication server is requested to perform authentication processing using the user ID and password included in the access request. , Notified by the notification means by the determination means If it is determined that the access request conforms to the access information, the guest user information registration unit performs authentication processing according to the user information stored in the storage unit, using the password included in the access request. When a general user is authenticated by the authentication unit and the authentication unit, the general user included in the access request is an access destination to be accessed. On the other hand, when a guest user is authenticated, the access request is Login means for performing a login process in order to make a transition to the invitation destination to be included is included.

According to the present invention, in a mechanism for performing authentication using an existing authentication server in which user information of a general user is registered, it is possible to authenticate a guest user who is not managed by the authentication server, and from the guest user In the case of the access request, the guest user can participate in the invited destination .

It is a figure which shows the structure of the WEB conference system which concerns on this Embodiment. It is a block diagram which shows the hardware structural example of the information processing apparatus applicable to a WEB conference server. It is a figure which shows the component in a WEB conference system, and those relationship. It is a figure which shows the screen which reserves a conference room. It is a figure which shows the screen which participates in a meeting. It is a figure which shows the screen of a WEB meeting. It is a figure which shows the screen which inputs the guest user to invite. It is a figure which shows an example of the mail transmitted to a guest user. It is a figure which shows the screen which sets an LDAP server. It is a figure which shows the screen which performs LDAP setting. It is a figure which shows the user management table which manages the user information of a WEB conference system. It is a figure which shows the relationship of the table which manages the various information of a WEB conference system. It is a table which manages the information regarding the invited guest user when a guest user is invited to a WEB meeting. It is a flowchart which shows the whole flow of the authentication process until it uses a WEB conference system. It is a flowchart which shows the flow of a process when the client terminal 103 logs in from a login screen. It is a flowchart which shows the flow of a process when the client terminal 103 logs in from a login screen. It is a flowchart which shows the flow of a process when the client terminal 103 logs in from a guest login screen. It is a flowchart which shows the flow of a process when the client terminal 103 logs in from URL.

  DESCRIPTION OF EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a diagram showing a configuration of a WEB conference system (information processing system) according to the present embodiment.

  As shown in FIG. 1, a WEB conference server 101 (information processing apparatus) communicates with an LDAP server 102 and a client terminal 103 connected to a network 104 via a local area network (communication medium).

  The WEB conference server 101 is a server that realizes a WEB conference using a WEB browser. In order to provide an interface to the client terminal 103, the user can perform a WEB conference by operating the client terminal 103 and accessing the WEB conference server 101.

  The LDAP server 102 is a server that provides a directory service that can be connected by the LDAP protocol. In this embodiment, the LDAP server 102 is a server that centrally manages personal information such as employee name, affiliation, email address, telephone number, and password. . Note that LDAP is an abbreviation for “Lightweight Directory Access Protocol” and refers to a protocol for accessing a directory database in a TCP / IP network such as the Internet.

  The client terminal 103 is a personal computer operated by a user using the WEB conference system, and a WEB browser for accessing the WEB conference server 101 and a dedicated module are installed. Note that this dedicated module is an ActiveX component that is downloaded from the WEB conference server 101 via, for example, a WEB browser. Note that a WEB camera (not shown) is connected when transmitting a moving image of itself in a WEB conference, and a microphone (not shown) is connected when transmitting audio. Also, a speaker (not shown) is connected to view the other party's voice.

  Next, the hardware configuration of the WEB conference server 101 shown in FIG. 1 will be described with reference to FIG.

  FIG. 2 is a block diagram illustrating a hardware configuration example of an information processing apparatus applicable to the WEB conference server 101. Note that the block diagram of FIG. 2 can also be applied to the LDAP server 102 and the client terminal 103.

  As shown in FIG. 2, the WEB conference server 101 includes a CPU (Central Processing Unit) 201, a RAM (Random Access Memory) 203, a ROM (Read Only Memory) 202, an input controller 205, and a video controller 206 via a system bus 204. The memory controller 207, the communication I / F controller 208, and the like are connected.

  The CPU 201 comprehensively controls each device and controller connected to the system bus 204.

  Further, the ROM 202 or the external memory 211 will be described later, which is necessary for realizing the functions executed by each server or each PC, such as BIOS (Basic Input / Output System) and OS (Operating System) which are control programs of the CPU 201. Various programs are stored. Further, information necessary for carrying out the present invention is stored. The external memory may be a database.

  The RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for executing the processing from the ROM 202 or the external memory 211 to the RAM 203 and executing the loaded program.

  The input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown).

  The video controller 206 controls display on a display device such as the display 210. The display device may be a display device such as a liquid crystal display. These are used by the administrator as needed.

  The memory controller 207 is an external storage device (hard disk (HD)), flexible disk (FD), or PCMCIA (Personal Computer) that stores a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a Compact Flash (registered trademark) memory connected to a Memory Card International Association (Card Memory) card slot via an adapter.

  The communication I / F controller 208 is connected to and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP (Transmission Control Protocol / Internet Protocol) is possible.

  The CPU 201 can display on the display 210 by executing an outline font rasterization process on a display information area in the RAM 203, for example. Further, the CPU 201 enables a user instruction using a mouse cursor (not shown) on the display 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used when the above program is executed are also stored in the external memory 211, and a detailed description thereof will be described later.

  FIG. 3 is a diagram showing components in the WEB conference system and their relationship.

  All users and rooms (conference rooms) belong to a group (301, 303).

  FIG. 3 shows the structure of groups, users, and rooms in the WEB conference system.

  There are multiple types of users.

  The system administrator 302 is an administrator of the entire WEB conference system, and registers, changes, and deletes groups and group administrators, and performs various settings related to the WEB conference system.

  The group manager 304 is a manager in the WEB conference system, and registers, changes, and deletes general users and hearing users, rooms, and tags in the group.

  The general user 305 is a user who actually performs a conference within the group, and can reserve, change, and delete the conference room, and can participate in the reserved conference and participate in the free space. Note that the group manager can reserve a conference room and participate in a conference in the same manner as a general user.

  In addition, there are “guest users” who can participate only in meetings invited by e-mail, and “listening users” who listen to meetings held in groups.

  In order to hold a conference, it is necessary to register a room, and the room manager registers the room.

  The room is a room that participates by restricting participants on the date and time, a conference room 306 that needs to be reserved before the conference, and a room that can be freely joined regardless of the date and time and participants. There are two types of free space 307 in which a conference can be held at any time without making a conference reservation.

  The user uses “conference room” and “free space” depending on the content of the conference.

  Next, the flow until the user uses the WEB conference system will be described with reference to FIGS.

  FIG. 4 is a diagram showing a screen for reserving a conference room.

  The user logs in to the WEB conference server 101 from the user terminal 103 and then transitions from the top screen to the WEB conference room menu, and then selects the conference room reservation 401 to reserve the conference room.

  When reserving a conference room, input / selection is performed for each item of the conference room name 402, the conference title 403, the usage date 404, the usage time 405, the participant 406, the guest participant 407, and the conference recording 408. The conference room is reserved by pressing the “Reserve” button 409.

  FIG. 5 is a diagram showing a screen for participating in the conference.

  The user logs in to the WEB conference server 101 from the user terminal 103 and then transitions from the top screen to the WEB conference room menu, and then selects the conference participation 501 to participate in the conference.

  When joining a conference, the user joins the conference by pressing a “join” button 502.

  FIG. 6 shows a WEB conference screen.

  The user can hold a WEB conference while viewing the moving image of each participant and his own moving image (or the moving image of the group manager) via the WEB browser.

  By the way, a WEB conference is normally held by users managed by the WEB conference system, but in some cases, a user who is not managed by the WEB conference system may want to participate in the WEB conference.

  In such a case, a mechanism is required for a temporary user (referred to as a guest user in this embodiment) to participate in the WEB conference.

  Then, the method to invite a guest user to a WEB meeting is demonstrated next.

  There are two methods for inviting guest users. In the screen for reserving the conference room in FIG. 4, a method for selecting “Invite” in the item of guest participant 407, or in the screen for joining the conference in FIG. There is a method of pressing a button 503 for inviting a guest user.

  When it is selected to invite a guest user by the above two methods, the screen of FIG. 7 is displayed. In addition, when inviting from the screen of FIG. 4, an e-mail address and a password can be input from the screen shown in FIG.

  FIG. 7 is a diagram showing a screen for inputting a guest user to invite.

  A mail address of a user who wants to be invited as a guest to the WEB conference is input to the mail address 701. When inviting multiple emails, enter multiple email addresses.

  When a send button 703 is pressed, an e-mail indicating participation in the WEB conference is sent to the e-mail address input to the e-mail address 701.

  FIG. 8 is a diagram illustrating an example of mail transmitted to the guest user.

  In the body of the email, a conference room name 801, a conference title 802, a start time 803, an end time 804, a participant 805, and a URL 806 are described.

  The guest user who has received the e-mail can access the URL 806 to directly transition to the WEB conference screen shown in FIG. 6 and participate in the WEB conference.

  Note that authentication information for identifying a guest user participating in the WEB conference is added to the URL as a parameter. The WEB conference system authenticates the validity of the guest user by using this parameter. This authentication method will be described later in detail.

  Further, apart from the method in which the guest user directly participates in the WEB conference by accessing the URL, in the case of participating from the login screen, the password used when participating from the login screen is input to the password 702.

  The guest user who received the mail can log in to the WEB conference system by inputting the mail address and password from the dedicated login screen.

  The flow until the user uses the WEB conference system has been described above.

  Next, the flow of settings for performing authentication using user information managed by the LDAP server will be described with reference to FIGS. 9 and 10.

  FIG. 9 is a diagram showing a screen for setting an LDAP server.

  The LDAP server is set by the system administrator of the WEB conference system.

  The system administrator logs in to the WEB conference server 101 from the administrator terminal and then transitions from the top screen to the system management menu, and then selects the LDAP setting 901 to set the LDAP server.

  When a new LDAP server setting is to be performed, the “new registration” button 902 is pressed to input / select each item from the setting screen shown in FIG.

  FIG. 10 is a diagram illustrating a screen for performing LDAP setting.

  The system administrator inputs / selects the LDAP server URL 1002, connected user 1003, connected user mapping 1004, and user information mapping 1005.

  In the LDAP server URL 1002, an LDAP server protocol, host name, and port number are input. For example, it is specified in a format such as “ldap: // host name: port number” or “LDAPS // host name: port number”.

  An ID, an identification name pattern, and a password are input to the connected user 1003.

  In ID, an ID for connecting to the LDAP server is input. In the identification name pattern, the DN attribute value for the ID for connecting to the LDAP server is input. As the password, the password for the ID for connecting to the LDAP server is input.

  The user attribute mapping 1004 includes a search base, a search filter, a search scope, a user ID, a user name, a user name (reading), an e-mail address, a user classification, an effective period (start), an effective period (end), and a login possible time. Enter (start), login time (end), login day of the week, use of recording function, profile name, tag.

  In the search base, the DN attribute value of the node serving as a base point for searching for user entries is input. In the search filter, a conditional expression for specifying a user entry is input (the conditional expression conforms to RFC2254). In the search scope, a range from the search base to search for user entries is specified (a search base and a node below it, or a search node and all nodes below it). As the user ID, an attribute name corresponding to the user ID of the WEB conference system is input. As the user name, an attribute name corresponding to the user name of the WEB conference system is input. In the user name (reading), an attribute name corresponding to the user name (reading) of the WEB conference system is input. As the mail address, an attribute name corresponding to the mail address of the WEB conference system is input. In the user category, an attribute name corresponding to the user category of the WEB conference system is input. In the effective period (start), an attribute name corresponding to the effective period (start) of the WEB conference system is input. In the effective period (end), an attribute name corresponding to the effective period (end) of the WEB conference system is input. In the login possible time (start), an attribute name corresponding to the login possible time (start) of the WEB conference system is input. In the login possible time (end), an attribute name corresponding to the login possible time (end) of the WEB conference system is input. In the login possible day of the week, an attribute name corresponding to the login day of the WEB conference system is input. To use the recording function, an attribute name corresponding to the use of the recording function of the WEB conference system is input. In the profile name, an attribute name corresponding to the profile of the WEB conference system is input. In the tag, an attribute name corresponding to the tag of the WEB conference system is input.

  In the tag information mapping 1005, a search base, a search filter, a search scope, and a tag name are input when tag information mapping is used.

  In the search base, the DN attribute value of the node serving as a base point for searching for the group entry is input. In the search filter, a conditional expression for specifying the group entry is input. The search scope specifies the range from which the group entry is searched from the search base (the conditional expression conforms to RFC2254). As the tag name, an attribute name corresponding to the tag name of the WEB conference system is input.

  Finally, the system administrator inputs predetermined items and then presses a “register” button 1006 to end the registration process. Various input items are registered in an external storage device of the WEB conference server 101.

  By registering the LDAP server in this way, it becomes possible to perform user registration / authentication using the user information managed by the LDAP server in the WEB conference system. A specific method of using user registration / authentication will be described in detail later.

  Next, an example of various tables managed by the WEB conference server 101 using an external storage device will be described with reference to FIGS.

  FIG. 11 is a diagram showing a user management table for managing user information of the WEB conference system.

  Conventionally, a system administrator has to register user information for each user in order to allow a general user to use the WEB conference system.

  In the present embodiment, in order to reduce this registration burden, the user information managed by the LDAP management server is used to register user information in the user management table or update the user information. It was possible.

  The user ID 1101 is a user ID in the user's WEB conference system. The group ID 1102 is a group ID in this user's WEB conference system. A password 1103 is a password in the user's WEB conference system. The user name 1104 is a user name in the user's WEB conference system. A user type 1105 indicates the type of user (system administrator, group administrator, general user, etc.) in this user's WEB conference system. The effective date (start) 1106 indicates the effective date (start) of the user in the WEB conference system, and the effective date (end) 1107 indicates the effective date (end) of the user in the WEB conference system. That is, the period of 1106 and 1107 is the effective period of this user. A mail address 1108 is a mail address in the WEB conference system of this user. The login possible time (start) 1109 indicates the login possible time (start) of this user in the WEB conference system, and the login allowable time (end) 1110 indicates the login possible time (end) of this user in the WEB conference system. In other words, the times 1109 and 1110 are login times for this user. The registration date 1111 indicates the date registered in the user management table, and the update date 1112 indicates the date updated. The recording permission flag 1113 indicates whether recording permission is permitted in the user's WEB conference system. A profile name 1114 indicates a profile name of the user in the WEB conference system. The password update date 1115 indicates a date for updating the password in the user's WEB conference system. The sort key 1116 indicates a sort key in this user's WEB conference system.

  In the present embodiment, one guest record is prepared in advance in this user management table in order to use a guest user in the WEB conference system.

  FIG. 12 is a diagram showing a relationship between tables for managing various information of the WEB conference system.

  The group management table 121 and the LDAP management table 122 are related via the LDAP group table 123.

  The group management table 121 is a table for managing information regarding groups in the present embodiment shown in FIG. 3 in units of groups.

  The group ID 1201 is a group ID in this group's WEB conference system. The group name 1202 is a group name in this group's WEB conference system. The registration date 1203 indicates the date registered in the group management table, and the update date 1204 indicates the date updated. A profile name 1205 is a profile name in the WEB conference system of this group. The maximum number of users 1206 indicates the maximum number of users in this group's WEB conference system. The maximum number of rooms 1207 indicates the maximum number of rooms in this group's WEB conference system. The maximum room capacity 1208 indicates the maximum number of room capacity in the web conference system of this group. The maximum tag number 1209 indicates the maximum number of tags in the WEB conference system of this group. A sort key 1210 indicates a sort key in the web conference system of this group. The room use 1211 indicates whether or not “conference room” and “free space” can be used.

  The LDAP management table 122 is a table for managing various items input by the system administrator in FIG.

  Since the items 1212 to 1243 basically correspond to the items input by the system administrator in FIG. 10, description of each item is omitted here. In addition, explanations of unpublished parameters and unused parameters considering expansion are also omitted.

  By using the correspondence relationship of each item in the LDAP management table 122, it is possible to extract necessary information from the user information acquired from the LDAP server and register the user information in the user management table.

  The LDAP group table 123 is a table that associates the group management table 121 and the LDAP management table 122.

  The group ID 1244 in the LDAP group table and the group ID 1201 in the group management table have a correspondence relationship, and the LDAP ID 1245 in the LDAP group table and the LDAP ID 1212 in the group management table have a correspondence relationship.

  FIG. 13 is a table for managing information related to invited guest users when guest users are invited to a WEB conference.

  The conference room reservation ID 1301 indicates a reservation ID for specifying the invited conference room. The email address 1302 indicates the email address of the invited guest user. The guest type 1303 indicates the type of invited guest user (such as a guest participant or a hearing user).

  Next, the flow of authentication processing until the WEB conference system is used will be described using the flowcharts of FIGS.

  FIG. 14 is a flowchart showing the entire flow of authentication processing until the WEB conference system is used.

  The user operates the client terminal 103 to access the WEB conference server 101 via the WEB browser. In step S1401, the client terminal 103 accesses the WEB conference server 101 in response to an instruction from the user.

  Here, the access method has the following three patterns. There are three patterns: (1) a method of logging in from a login screen, (2) a method of logging in from a guest login screen, and (3) a method of directly accessing from a URL described in a notification mail.

  (1) In (2), the user inputs the user ID and password from the login screen, and the client terminal 103 transmits the input user ID and password to the WEB management server 101. In (3), the client terminal 101 directly accesses the URL. An example of the mail is as shown in FIG. 8, and parameters necessary for accessing the WEB conference server 101 are added to this URL.

  In step S1402, the WEB conference server 101 receives an access request from the user terminal 103 (access request reception).

  In step S1403, the WEB conference server 101 determines the form of access from the user terminal 103 (which of the above-described three patterns). Specifically, since the normal login screen and the guest login screen have different access destinations, it is possible to determine whether the access is from the normal login screen or the guest login screen depending on the access destination. . Further, when accessing directly from a URL, the determination can be made based on the URL. If it is determined that “Login from login screen”, the process proceeds to step S1404 (authentication process 1). If it is determined that “Login from guest login screen”, the process proceeds to step S1405 (authentication process 2). If it is determined that “Login from URL”, the process proceeds to step S1406 (authentication process 3).

  Step S1404 (authentication process 1) will be described in detail later with reference to FIGS. Step S1405 (authentication process 2) will be described later in detail with reference to FIG. Step S1406 (authentication process 3) will be described later in detail with reference to FIG.

  In steps S1404 to S1406, authentication is performed to determine whether the user who has received access in step S1402 is a valid user. If it is determined that the user is a valid user, the process advances to step S1407.

  In step S1407, the WEB conference server 101 determines whether the validity period of the currently authenticated user has expired. If it is not cut, the process proceeds to step S1408. If it is cut, the process proceeds to step S1413. This expiration date is determined using the effective date (start) 1106 and the effective date (end) 1107 of the user management table shown in FIG. 11 corresponding to the authenticated user.

  In step S1408, the WEB conference server 101 determines whether the currently authenticated user is able to log in. If it is login possible time, the process proceeds to step S1409, and if it is not login possible time, the process proceeds to step S1413. This login possible time is determined using the login possible time (start) 1109 and login possible time (end) 1110 of the user management table shown in FIG. 11 corresponding to the authenticated user.

  In step S1409, the WEB conference server 101 determines whether the currently authenticated user is a log-in day. If it is a login-enabled day, the process proceeds to step S1410. If it is not a login-enabled day, the process proceeds to step S1413. This login day of the week is determined using a login ID table (not shown) using a user ID corresponding to the authenticated user.

  In step S <b> 1410, the WEB conference server 101 determines whether the authenticated user is a user who is not subject to LDAP cooperation. If the user is not subject to LDAP cooperation, the process proceeds to step S1411. If the user is subject to LDAP cooperation, the process proceeds to step S1412. Whether the user is excluded from the LDAP cooperation is determined based on whether the authenticated user is a user managed by the LDAP management table shown in FIG. Here, the determination is made because the LDAP cooperation target user acquires user information including the password from the LDAP server 102, and the WEB conference server 101 does not change the password. This is because it is not necessary to check the expiration date of the password required for this function.

  In step S1411, the WEB conference server determines the validity of the password of the authenticated user. If it is determined that it is valid, the process proceeds to step S1412. If it is determined that it is not valid (invalid), the process proceeds to step S1413. The validity of the password is determined by using the password update date 1115 in the user management table shown in FIG. 11 corresponding to the authenticated user.

  In step S1412, the WEB conference server performs login processing. Specifically, the WEB conference server transmits data for displaying the screen shown in FIG. 6 after login to the client terminal 103. The client terminal 103 can participate in the WEB conference by receiving the screen data.

  On the other hand, in step S <b> 1413, the WEB conference server 101 transmits a login error screen or data for displaying a login screen to the client terminal 103.

  Next, the authentication process 1 in step S1404 will be described using FIG. 15 and FIG.

  FIG. 15 and FIG. 16 are flowcharts showing the flow of processing when the client terminal 103 logs in from the login screen.

  In step S1501, the WEB conference server 101 determines whether the access source user is a general user. If it is a general user, the process proceeds to step S1502, and if it is not a general user, the process proceeds to step S1524. Specifically, when the user ID of the access source user is a system administrator or group administrator in the user management table, it is determined that the user is not a general user. Accordingly, the process proceeds to step S1502 even in the case of a user ID that is not managed in the user management table.

  In step S1502, the WEB conference server 101 determines whether the user ID of the access source user is managed in the user management table. If not managed, the process proceeds to step S1503. If managed, the process proceeds to step S1504.

  In step S1503, the WEB conference server 101 determines whether there is a record in the LDAP management table. If there is a record, the process proceeds to step S1505. If there is no record, the process proceeds to step S1524. In this way, whether or not there is a record in the LDAP management table is determined to be an error if the corresponding user is not managed in step S1502, but if there is a record in the LDAP management table / LDAP group table. This is because the user corresponding to the currently accessed user ID may be a user managed by LDAP. Therefore, even for a user who has accessed the WEB conference server 101 for the first time, as long as there is a record in the LDAP management table, it is possible to perform LDAP authentication. It is possible to register predetermined items in the table.

  In step S1504, the WEB conference server 101 determines whether there is a record used by the own group in the LDAP management table. If there is no record, the process proceeds to step S1525. If there is a record, the process proceeds to step S1505. This is because LDAP authentication is performed only when there is a record.

  In step S1505, the WEB conference server 101 transmits the user ID and password acquired in step S1402 to the LDAP server 102 (performs an authentication request).

  In step S 1506, the LDAP server 102 receives the user ID and password transmitted from the WEB conference server 101.

  In step S1507, the LDAP server 102 performs user authentication processing using the received user ID and password.

  In step S1508, the LDAP server 102 transmits an authentication result to the WEB conference server 101.

  In step S 1509, the WEB conference server 101 receives the authentication result transmitted from the LDAP server 102.

  In step S1510, the WEB conference server 101 determines whether the received authentication result is successful. If the authentication is successful, the process proceeds to step S1511. If the authentication is unsuccessful, the process proceeds to step S1526.

  In step S1511, the WEB conference server 101 requests user information managed in the LDAP server 102 corresponding to the user ID that has been successfully authenticated.

  In step S <b> 1512, the LDAP server 102 receives a request for user information from the WEB conference server 101.

  In step S <b> 1513, the LDAP server 102 acquires user information corresponding to the requested user ID from a database (not shown) managed by the LDAP server 102 and transmits the user information to the WEB conference server 101.

  In step S <b> 1514, the WEB conference server 101 receives user information from the LDAP server 102. The user information received here is attribute information set by mapping user information on the LDAP registration screen shown in FIG. Therefore, attribute information that has not been set is not acquired.

  In step S1515, the WEB conference server 101 determines the validity of the user corresponding to the received user information. If valid, the process proceeds to step S1516, and if invalid, the process proceeds to step S1526. In this validity determination, the validity / invalidity is determined based on the result of the input value check of the acquired user information.

  In step S1516, the WEB conference server 101 registers each attribute information of the received user information in the user management table.

  In step S1517, the WEB conference server 101 deletes the user tag. As an example of the user tag, there is group information to which the user belongs. For example, when belonging to tags of group 1, group 2, and group 3, all user tags of group 1, group 2, and group 3 are deleted from the database. In this way, by deleting all tags so that they do not belong to any tag, the latest tag can be registered by subsequent tag registration processing.

  In step S1518, the WEB conference server 101 uses tag mapping and determines whether there is tag information. If tag mapping is used and there is tag information, the process proceeds to step S1519; otherwise, the process proceeds to step S1527. Here, whether to use tag mapping is acquired from the information on the LDAP registration screen (information in the LDAP management table) in FIG. 10, and the presence or absence of tag information is in the user information received in step S1514. Obtained from the information of the group to which the user belongs. Specifically, since information indicating which group the user belongs to is included in a part of the user information (user name, e-mail address, etc.), this is used. Therefore, if no group belongs to the group, there is no tag information.

  In step S <b> 1519, the WEB conference server 101 requests tag information from the LDAP server 102.

  In step S1520, the LDAP server 102 receives a tag information request from the WEB conference server 101.

  In step S1521, the LDAP server 102 specifies the requested tag information and transmits it to the WEB conference server 101.

  In step S1522, the WEB conference server 101 receives tag information from the LDAP server 102.

  In step S1523, the WEB conference server 101 registers in the user management table using the received tag information.

  In step S1527, the WEB conference server 101 temporarily stores the result of successful LDAP authentication, and proceeds to step S1601 in FIG. In step S1524, the WEB conference server 101 temporarily stores the result that there is no LDAP authentication (there is a user), and proceeds to step S1601 in FIG. In step S1525, the WEB conference server 101 temporarily stores the result that there is no LDAP authentication (being a user), and proceeds to step S1601 in FIG. In step S1526, the result of LDAP authentication failure is temporarily stored, and the process proceeds to step S1601 in FIG.

  In step S1601, the WEB conference server 101 determines whether the LDAP authentication is successful based on the temporarily stored result. If successful, the process proceeds to step S1407. If unsuccessful, the process proceeds to step S1602.

  In step S1602, the WEB conference server 101 determines whether the temporarily stored result is that there is no LDAP authentication (there is a user). If YES, the process proceeds to step S1603. If NO, the process proceeds to step S1605.

  In step S1603, the WEB conference server 101 performs an authentication process by the WEB conference server. In other words, authentication processing is performed using the user management table (password validity check). The authentication process by the WEB conference server is performed when the user is a system administrator or a group administrator, or when the user is a general user who does not perform LDAP authentication (a user without a record in the LDAP management table).

  In step S1604, the WEB conference server 101 determines whether the authentication process is successful. If successful, the process proceeds to step S1407, and if unsuccessful, the process proceeds to step S1605.

  In step S <b> 1605, the WEB conference server 101 transmits a login error screen or data for displaying a login screen to the client terminal 103.

  The authentication process 1 in step S1404 has been described above with reference to FIGS. 15 and 16.

  Next, the authentication process 2 in step S1405 will be described with reference to FIG.

  FIG. 17 is a flowchart showing the flow of processing when the client terminal 103 logs in from the guest login screen.

  In step S1701, the WEB conference server 101 determines whether the access source user is a user managed in the user management table. If there is a corresponding user, the process proceeds to step S1702, and if there is no corresponding user, the process proceeds to step S1704. In this embodiment, this determination is made based on whether a user ID corresponding to the received user ID exists in the user management table. In this embodiment, even if there is no corresponding record in the user management table, if there is one record for guest, it is determined that there is a corresponding user (in this case, it is a guest user). Can be determined.)

  In step S1702, the WEB conference server 101 performs an authentication process by the WEB conference server. Specifically, using the user ID received in S1402, the corresponding record is specified from the user management table, and the password is extracted from the record. Then, an authentication process is performed by comparing the extracted password with the password received in S1402 (password validity check). In the case of a guest user, the user ID received in S1402 is the guest user's own mail address, and the password is a password arbitrarily set by the administrator at the time of guest invitation shown in FIG. This password is notified to the guest user by being described in the guest invitation mail, or is notified by the system administrator by another method. The specific authentication procedure is as follows. First, using the mail address received in S1402, the corresponding record is specified from the guest invitation table shown in FIG. 13, and the password is extracted from the record. Then, an authentication process is performed by comparing the extracted password with the password received in S1402.

  In step S1703, the WEB conference server 101 determines whether the authentication process is successful. If successful, the process proceeds to step S1407, and if unsuccessful, the process proceeds to step S1704.

  In step S 1704, the WEB conference server 101 transmits a login error screen or data for displaying a login screen to the client terminal 103.

  The authentication process 2 in step S1405 has been described above using FIG.

  Next, the authentication process 3 in step S1406 will be described with reference to FIG.

  FIG. 18 is a flowchart showing a processing flow when the client terminal 103 logs in from a URL.

  In step S1801, the WEB conference server 101 determines whether the access source user is a user managed in the user management table. If there is a corresponding user, the process proceeds to step S1802, and if there is no corresponding user, the process proceeds to step S1806. In the present embodiment, this determination is performed by receiving the parameter added to the URL as request data and using the user ID included in the request data to determine whether the user ID is managed by the user management table. judge. Here, it is assumed that the request data includes (1) a user ID, (2) a conference room reservation ID, and (3) authentication data. In the case of a guest user, when there is one guest record in the user management table, it is determined that there is a corresponding user.

  In step S1802, the WEB conference server 101 determines whether the access source user is a guest user. If it is a guest user, the process proceeds to S1802, and if it is not a guest user, the process proceeds to S1804. Specifically, the determination is made based on whether the user ID of the access source user matches the user ID of the record prepared for the guest in the user management table.

  In step S1803, the WEB conference server 101 determines whether there is a record corresponding to the guest invitation table shown in FIG. If there is a record, the process proceeds to step S1804. If there is no record, the process proceeds to step S1806. Specifically, the determination is made based on whether a conference room reservation ID that matches the conference room reservation ID included in the request parameter exists in the guest invitation table.

  In step S1804, the WEB conference server 101 performs authentication with the authentication information. In the present embodiment, unique hashed authentication data is received as request data, and authentication processing is performed using that data. The specific procedure is as follows. First, a record that matches the user ID of the access source user is identified from the user management table, and a password is extracted from the record. Data obtained by hashing a character string obtained by combining the user ID and conference room reservation ID acquired as request data and the extracted password is compared with the authentication data acquired as request data. If they match, authentication is OK, and if they do not match, authentication NG.

  In step S1805, the WEB conference server 101 determines whether the authentication process is successful. If successful, the process proceeds to step S1407, and if unsuccessful, the process proceeds to step S1806.

  In step S1806, the WEB conference server 101 transmits a login error screen or data for displaying a login screen to the client terminal 103.

  The authentication process 3 in step S1406 has been described above with reference to FIG.

  As described above, according to the embodiment of the present invention, the general user is authenticated using the user information managed by the LDAP server, and the guest user is managed by the WEB conference system. By performing authentication using the WEB conference system, the WEB conference system can be used even by guests who are not managed by the LDAP server.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  Further, the program according to the present invention is a program that can execute the processing method of FIGS. 14 to 18, and the storage medium of the present invention stores a program that can execute the processing method of FIGS. . Note that the program in the present invention may be a program for each processing method of each apparatus shown in FIGS.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network by a communication program, the system or apparatus can enjoy the effects of the present invention.

101 WEB conference server 102 LDAP server 103 client terminal 104 network

Claims (10)

An information processing apparatus that accepts access by a guest user temporarily invited and access by a general user and authenticates the user,
In order to invite guest users, guest user information receiving means for receiving user information including at least the guest user's email address and password from the user of the invitation source,
Guest user information registration means for registering in the storage means, as the user information, the e-mail address and the password used for authentication of the guest user in response to receiving the user information by the guest user information receiving means When,
Based on said guest user information guest user information registered in the registration means, at least the password information included in the information of the guest user, the access information including the invite invitee, notifies the mail address of the invited guest user Notification means to
An access request accepting means for accepting an access request according to the access information by a guest user operation from a client terminal and an access request by a general user login screen by an ordinary user operation;
A determination unit that determines whether the access request received by the access request reception unit is an access request based on a login screen of a general user or an access request according to the access information notified by the notification unit;
When it is determined by the determination means that the access request is based on the login screen of the general user, the authentication server is requested to perform an authentication process using the user ID and password included in the access request. If the determination means determines that the access request is in accordance with the access information notified by the notification means, the guest user information registration means uses the password included in the access request to store the storage means. Authentication means for performing authentication processing in accordance with stored user information;
When the general user is authenticated by the authentication means, the general user included in the access request is an access destination to be accessed. On the other hand, when the guest user is authenticated, the invitation included in the access request In order to make a transition to the invitation destination, login means for login processing,
An information processing apparatus comprising: The storage means can further store at least user ID and password information corresponding to a general user as user information so as to be distinguishable from the user information of the guest user,
User information including at least the user ID and password of the general user registered in the authentication server when the authentication requested by the authentication unit is successful using a user ID and password that specify a general user. General user registration means that is acquired from the authentication server and stores at least the user ID and password of the user as user information of the user in the storage means so as to be distinguishable from the user information of the guest user;
Further comprising
The authentication means further includes a case where the determination means determines that the access request received by the access request reception means is an access request from a general user, and the user included in the access request is Using at least a user ID and password that can be specified, and authenticating as a general user when there is user information that can be identified as a general user corresponding to the user ID and the password in the storage means The information processing apparatus according to claim 1, wherein: The access information is a URL indicating the location within the server that executes the authentication process, and at least the guest user's e-mail address, password, and WEB meeting as an invitation destination are specified as parameters of the URL. Including information to
Wherein said user information storage means stores as the information of the guest user, the information identifying the invite WEB meeting the guest user, be possible to further include,
It said authentication means, access source user accepted by the access request receiving unit, when the information of the guest user, identifying at least the email address and password and WEB conference can identify the user from the parameters of those the URL Information is extracted, and authentication is performed using the extracted information, an email address and a password included in user information that is guest user information stored in the storage unit, and information specifying a WEB meeting. The information processing apparatus according to claim 1 or 2.   The guest user information mail address and password stored in the storage means are received by the guest user information receiving means, and the mail address is used as a user ID of the guest user. The information processing apparatus according to claim 1 to 3.   The information processing apparatus according to any one of claims 1 to 4, wherein the authentication server is an LDAP server. An information processing system capable of communicating with a client terminal and an information processing apparatus that accepts access by a guest user temporarily invited and access by a general user and performs user authentication,
In order to invite a guest user from the client terminal, guest user information receiving means for receiving user information including at least the email address of the guest user and a password from the user of the invitation source,
Guest user information registration means for registering in the storage means, as the user information, the e-mail address and the password used for authentication of the guest user in response to receiving the user information by the guest user information receiving means When,
Based on said guest user information guest user information registered in the registration means, at least the password information included in the information of the guest user, the access information including the invite invitee, notifies the mail address of the invited guest user Notification means to
An access request accepting means for accepting an access request according to the access information by an operation of a guest user from the client terminal, and an access request by a general user login screen by an operation of a general user;
A determination unit that determines whether the access request received by the access request reception unit is an access request based on a login screen of a general user or an access request according to the access information notified by the notification unit;
When it is determined by the determination means that the access request is based on the login screen of the general user, the authentication server is requested to perform an authentication process using the user ID and password included in the access request. If the determination means determines that the access request is in accordance with the access information notified by the notification means, the guest user information registration means uses the password included in the access request to store the storage means. Authentication means for performing authentication processing in accordance with stored user information;
When the general user is authenticated by the authentication means, the general user included in the access request is an access destination to be accessed. On the other hand, when the guest user is authenticated, the invitation included in the access request In order to make a transition to the invitation destination, login means for login processing,
An information processing system comprising: A control method for an information processing apparatus that accepts access by a guest user who is temporarily invited and access by a general user, and performs user authentication,
A guest user information receiving unit for receiving user information including at least an email address of the guest user and a password from the inviting user in order to invite the guest user;
When the guest user information registration means accepts the user information in the guest user information acceptance step, as the user information, the email address and the password used for authentication of the guest user are stored in the storage means. Guest user information registration step to be registered,
Notifying means, on the basis of the guest user information registration step guest user information registered in at least the password information included in the information of the guest user, the access information including the invite invitee, invite the guest user A notification step to notify the email address;
An access request accepting step for accepting an access request according to the access information by a guest user operation and an access request by a general user login screen by a general user operation from a client terminal;
A determination step for determining whether the access request received in the access request reception step is an access request based on a login screen of a general user or an access request according to the access information notified in the notification step;
If it is determined in the determination step that the authentication unit is an access request based on a login screen of a general user, the authentication unit requests the authentication server for authentication processing using the user ID and password included in the access request. On the other hand, if it is determined by the determination step that the access request is in accordance with the access information notified in the notification step, by using the password included in the access request, by the guest user information registration step, An authentication step of performing an authentication process according to the user information stored in the storage means;
When a general user is authenticated in the authentication step, the login means is an access destination to be accessed by the general user included in the access request, while when a guest user is authenticated, A login step for performing a login process in order to transition to the invitation destination to be included;
A method for controlling an information processing apparatus, comprising: A program that can be executed in an information processing apparatus that accepts access by a guest user temporarily invited and access by a general user and authenticates the user,
In order to invite a guest user, guest user information receiving means for receiving user information including at least the email address of the guest user and a password from the inviting user,
Guest user information registration means for registering in the storage means, as the user information, the e-mail address and the password used for authentication of the guest user in response to receiving the user information by the guest user information receiving means ,
Based on said guest user information guest user information registered in the registration means, at least the password information included in the information of the guest user, the access information including the invite invitee, notifies the mail address of the invited guest user Notification means,
An access request accepting unit that accepts an access request according to the access information by a guest user operation from a client terminal and an access request by a general user login screen by an ordinary user operation;
A determination unit that determines whether the access request received by the access request reception unit is an access request based on a login screen of a general user or an access request according to the access information notified by the notification unit;
When it is determined by the determination means that the access request is based on the login screen of the general user, the authentication server is requested to perform an authentication process using the user ID and password included in the access request. If the determination means determines that the access request is in accordance with the access information notified by the notification means, the guest user information registration means uses the password included in the access request to store the storage means. Authentication means for performing authentication processing in accordance with stored user information;
When the general user is authenticated by the authentication means, the general user included in the access request is an access destination to be accessed. On the other hand, when the guest user is authenticated, the invitation included in the access request Login means to log in to invite to the destination,
Program for causing the information processing apparatus to function. An information processing system control method capable of communicating with a client terminal, an access by a guest user temporarily invited, and an access by a general user and communicating with an information processing apparatus for authenticating the user,
A guest user information accepting step for accepting user information including at least an email address of the guest user and a password from the inviting user in order for the guest user information accepting means to invite the guest user from the client terminal; ,
When the guest user information registration accepts the user information in the guest user information acceptance step, the user information is registered in the storage means with the email address and the password used for authentication of the guest user. Guest user information registration step,
Notifying means, on the basis of the guest user information registration step guest user information registered in at least the password information included in the information of the guest user, the access information including the invite invitee, invite the guest user A notification step to notify the email address;
An access request accepting step for accepting an access request according to the access information by an operation of a guest user and an access request by a general user login screen by an operation of a general user from the client terminal;
A determination step for determining whether the access request received in the access request reception step is an access request based on a login screen of a general user or an access request according to the access information notified in the notification step;
If it is determined in the determination step that the authentication unit is an access request based on a login screen of a general user, the authentication unit requests the authentication server for authentication processing using the user ID and password included in the access request. On the other hand, if it is determined by the determination step that the access request is in accordance with the access information notified in the notification step, by using the password included in the access request, by the guest user information registration step, An authentication step of performing an authentication process according to the user information stored in the storage means;
When a general user is authenticated in the authentication step, the login means is an access destination to be accessed by the general user included in the access request, while when a guest user is authenticated, A login step for performing a login process in order to transition to the invitation destination to be included;
A method for controlling an information processing system comprising: A program that can be executed in an information processing system capable of communicating with a client terminal, an access by a guest user who is temporarily invited, and an access by a general user and capable of communicating with an information processing apparatus that performs user authentication,
In order to invite a guest user from the client terminal, guest user information receiving means for receiving user information including at least the email address and password of the guest user from the user of the invitation source,
Guest user information registration means for registering in the storage means, as the user information, the e-mail address and the password used for authentication of the guest user in response to receiving the user information by the guest user information receiving means ,
Based on said guest user information guest user information registered in the registration means, at least the password information included in the information of the guest user, the access information including the invite invitee, notifies the mail address of the invited guest user Notification means,
An access request receiving means for receiving an access request according to the access information by an operation of a guest user from the client terminal, and an access request by a general user login screen by an operation of a general user;
A determination unit that determines whether the access request received by the access request reception unit is an access request based on a login screen of a general user or an access request according to the access information notified by the notification unit;
When it is determined by the determination means that the access request is based on the login screen of the general user, the authentication server is requested to perform an authentication process using the user ID and password included in the access request. If the determination means determines that the access request is in accordance with the access information notified by the notification means, the guest user information registration means uses the password included in the access request to store the storage means. Authentication means for performing authentication processing in accordance with stored user information;
When the general user is authenticated by the authentication means, the general user included in the access request is an access destination to be accessed. On the other hand, when the guest user is authenticated, the invitation included in the access request Login means to log in to invite to the destination,
A program characterized by functioning as

Images