CN103220172B - A kind of apparatus and method based on LDAP user authority managements - Google Patents
A kind of apparatus and method based on LDAP user authority managements
- Publication number: CN103220172B (application CN201310120233.0A)
- Authority: CN (China)
- Legal status: Active
Abstract
The present invention provides an apparatus and method for LDAP-based user permission management, applied on the server of an application system that interacts with an LDAP server. The apparatus performs the following process: A, set the LDAP directory scope to be synchronized; B, synchronize the organizational units within that LDAP directory scope into the application system, and synchronize the users under each organizational unit into the application-system group corresponding to that organizational unit; C, authorize functions to the groups in the application system. This technical scheme effectively solves the problem of the heavy administrator workload of prior-art application systems and improves the user experience.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an apparatus and method for LDAP-based user permission management.
Background technology
LDAP (Lightweight Directory Access Protocol) is a protocol used to publish directory information to many different application resources. An LDAP directory is comparable to a telephone directory, and is similar to the network directories we use such as NIS (Network Information Service) and DNS (Domain Name Service). LDAP is a storage concept at a higher level of abstraction than a relational database; unlike a general-purpose database, LDAP is optimized for queries, and its read performance is far better than its write performance. An LDAP directory can store many types of data, for example e-mail addresses, mail routing information, human resource data, public keys, and contact lists.
At present, more and more enterprise application systems use LDAP as their user-management resource, integrating it with the application system itself so as to manage the authentication of LDAP users centrally and to grant different function permissions to different users, that is, to perform permission management.
The application system synchronizes the specified LDAP users from the LDAP server into the system according to a configuration policy, so as to manage the unified authentication of LDAP users. The configuration policy consists of two parts: a scope setting and a filter condition. The scope setting takes a form such as ou=sales, dc=test, dc=com, meaning that the organizational unit is restricted to sales; the filter condition takes a form such as (&(objectclass=*)(cn=zhao*)), meaning that only users whose surname is Zhao are synchronized. Users meeting the above conditions are imported from the LDAP server, and different function permissions are then set for different users. In practice, however, the number of levels under a single OU (Organization Unit, organizational unit) can be large, and the number of personnel involved can be enormous, possibly reaching hundreds of thousands or even millions, so granting function permissions to users one by one is a huge workload. The usual prior-art approach is to first create groups in the application system, then assign users to groups, placing users with identical permissions in the same group, and finally authorize the different groups. Whether permissions are granted per user or per group, the prior art suffers from a large system-maintenance workload, and when a user's permissions change, a corresponding permission adjustment must be made in the application system, making the system's maintenance task heavier.
The content of the invention
In view of this, the present invention provides an apparatus and method for LDAP-based user permission management, to remedy the deficiencies of the prior art.
Specifically, the apparatus is applied on the server of an application system that interacts with an LDAP server, and the apparatus includes:
a configuration module, for setting the LDAP directory scope to be synchronized;
a synchronization module, for synchronizing the organizational units within that LDAP directory scope into the application system, and synchronizing the users under each organizational unit into the application-system group corresponding to that organizational unit;
an authorization module, for authorizing functions to the groups in the application system after synchronization.
The method comprises the following steps:
A, setting the LDAP directory scope to be synchronized;
B, synchronizing the organizational units within that LDAP directory scope into the application system, and synchronizing the users under each organizational unit into the application-system group corresponding to that organizational unit;
C, authorizing functions to the groups in the application system.
As can be seen from the above technical scheme, by setting a synchronization policy the present invention synchronizes the users on the LDAP server into the application system and groups them automatically, greatly reducing the administrator's maintenance load.
Brief description of the drawings
Fig. 1 is a logic diagram of the apparatus in one embodiment of the present invention;
Fig. 2 is a flow diagram of the method in one embodiment of the present invention;
Fig. 3 is a schematic diagram of the LDAP organizational structure of a company in one embodiment of the present invention;
Fig. 4 is a schematic diagram of the LDAP personnel grouping formed from Fig. 3 when the application-system grouping level is 2, in one application scenario of the present invention;
Fig. 5 is a schematic diagram of the LDAP personnel grouping formed from Fig. 3 when the application-system grouping level is 1, in one application scenario of the present invention.
Specific embodiment
To address the problems in the prior art, the present invention provides an apparatus and method for LDAP-based user permission management, applied on the server of an application system that interacts with an LDAP server. Referring to Fig. 1 and Fig. 2, the apparatus includes a configuration module, a synchronization module and an authorization module. When the present invention is implemented, the apparatus performs the following process:
Step 101: the configuration module sets the LDAP directory scope to be synchronized.
On the LDAP server, the LDAP directory stores data in a tree-shaped hierarchical structure. Like a DNS host name, the distinguished name (DN) of an LDAP directory entry is used to read a single record; a DN can be understood as a node of the tree. The top of the LDAP directory tree is the root, that is, the Base DN, which is usually expressed using the company's domain name; below the root, data are logically separated by OUs.
When setting application-system permissions, the scope of users who may use the system must first be determined. In this step, the DN to be synchronized is set, that is, a node of the tree on the LDAP server is specified; the users below that node are synchronized into the application system in the subsequent steps, meaning that all users below that node can access the application system.
Step 102: the configuration module sets the grouping level used by the application system for permission management.
In this step, the grouping level is an operational parameter set by the administrator according to actual needs; in practice, the administrator may set it separately for a particular LDAP service, or set it uniformly for all LDAP services.
Step 103: the synchronization module synchronizes the OUs below the specified DN on the LDAP server into the application system; specifically, the users under each OU are synchronized into the application-system group corresponding to that OU.
In this step, when the application system has no group corresponding to an LDAP organizational unit that needs to be synchronized, the synchronization module further creates a new group corresponding to that LDAP organizational unit in the application system. The corresponding group may have the same name as the OU, or a preset group name; for example, the company name may be prefixed to the OU name as the situation requires.
The following explanation uses groups named identically to their OUs as an example. This step divides into two cases when executed. Referring to the LDAP organization chart of an IT company shown in Fig. 3, assume that the LDAP root is specified as the DN to be synchronized in step 101; then on the server the OUs market and software are at level 1, and the OUs sales, sells, test and research are at level 2.
In the first case, the configuration module sets the grouping level to 2 or more, so no OU on the server is at a level beyond the grouping level. In this step, the synchronization module synchronizes the OUs market, software, sales and so on into same-named groups in the application system; specifically, each OU is synchronized into its corresponding group in the application system, and the users below that OU are synchronized into the same-named application-system group. After synchronization completes, the LDAP personnel grouping shown in Fig. 4 is formed in the application system, where solid lines represent connections between groups and dotted lines represent connections between a group and its users.
In the second case, the configuration module sets the grouping level to 1. The OUs market and software on the server are at a level within the grouping level, so the synchronization module synchronizes them into same-named groups in the application system; the OUs sales, sells, test and research are at level 2, beyond the grouping level. In this embodiment of the present invention, the users of these organizational units are synchronized into the application-system group named after the parent organizational unit of each such organizational unit; specifically, the users Jack and Peter under sales and sells are synchronized into the market group, and the users John and Tom under test and research are synchronized into the software group. After synchronization completes, the LDAP personnel grouping shown in Fig. 5 is formed in the application system, where solid lines represent connections between groups and dotted lines represent connections between a group and its users.
Step 104: after synchronization completes, the authorization module authorizes functions to the groups in the application system.
In this step, the authorization module grants permissions according to the administrator's instructions. Referring to the two cases in step 103:
First, taking the LDAP personnel grouping shown in Fig. 4 as an example, different permissions can be set for users as needed. For example, Hellen, as the leader of the market department (market), is authorized to view and process sales and after-sales business in the application system; Jack, as an employee of the sales department (sales), can only view and process sales business; Peter, as an employee of the after-sales department (sells), can only view and process after-sales business; Bill, as the leader of the software department (software), is authorized to view and process all research and development business in the application system; John, as an employee of the test department (test), can only view and process test business; and Tom, as an employee of the research and development department (research), can only view and process development business.
Second, taking the LDAP personnel grouping shown in Fig. 5 as an example, the leader and employees of the market department are in one group and have identical permissions; likewise, the leader and employees of the software department are in one group and also have identical permissions. In practice, in some human-resources or financial software the permissions of leaders and employees are the same, in which case the administrator's work can be simplified by setting, in step 102, the grouping level used by the application system for permission management. It should be noted that step 102 is not a required step; in practical applications the level may also be left unset, and all OUs under the specified node on the server are simply synchronized; if some software does not distinguish the permissions of certain groups, the administrator just sets the same permissions for those groups. By providing step 102, the present invention gives the administrator flexible control over the management hierarchy: in large enterprises such as banks the personnel hierarchy is deep, and the system administrator, considered from the perspective of function permissions, may not need such fine classification, so the grouping level can be set to reduce the number of levels during synchronization and thereby reduce the system's maintenance load.
After the above settings are made, each user who logs in to the application system with their own account can only access the business they have been authorized to access, thus achieving the purpose of permission control.
Step 105: when the users under an organizational unit on the LDAP server change, step 103 is re-executed.
When company personnel join, leave or are promoted, the employee's permissions may change. For example, if Jack is promoted to leader of the market department, that is, Jack is moved under ou=market on the LDAP server, the administrator need not adjust Jack's corresponding permissions in the application system; it is only necessary to re-synchronize, and Jack is automatically placed into the market group in the application system. In this step, re-synchronization is configured as needed: it may be periodic synchronization or manually executed synchronization; specifically, synchronization may run periodically at a predetermined interval, or the administrator may execute synchronization after receiving notice of a personnel change.
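As an added example (not the patent's own code), the following Python models steps 103 to 105 on the Fig. 3 directory: the grouping level of step 102 decides whether sales, sells, test and research get their own groups (Fig. 4) or fold into market and software (Fig. 5), and a later directory move is absorbed by re-running the sync rather than by editing permissions. The tree, the same-name group scheme and the grant sets are assumptions constructed from the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class OU:
    """One organizational unit on the LDAP server: its direct users and child OUs."""
    name: str
    users: List[str] = field(default_factory=list)
    children: List["OU"] = field(default_factory=list)


def build_tree() -> OU:
    """Constructed directory modelled on Fig. 3: the root (sync DN) holds the
    level-1 OUs market and software, each with two level-2 OUs."""
    market = OU("market", ["Hellen"], [OU("sales", ["Jack"]), OU("sells", ["Peter"])])
    software = OU("software", ["Bill"], [OU("test", ["John"]), OU("research", ["Tom"])])
    return OU("dc=test,dc=com", children=[market, software])


def synchronize(sync_dn: OU, group_levels: Optional[int] = None) -> Dict[str, dict]:
    """Step 103. Walk every OU below the sync DN and create a same-named group
    for it; step 102's grouping level, if set, folds deeper OUs into the group
    of their nearest ancestor within the cap (None = no cap).
    Returns {group_name: {"parent": parent_group_or_None, "users": [...]}}."""
    if group_levels is not None and group_levels < 1:
        raise ValueError("grouping level must be at least 1")
    groups: Dict[str, dict] = {}

    def walk(ou: OU, level: int, ancestor: Optional[str]) -> None:
        if group_levels is None or level <= group_levels:
            # Within the cap: the OU gets (or already has) its own group.
            groups.setdefault(ou.name, {"parent": ancestor, "users": []})
            target = ou.name
        else:
            # Beyond the cap: users land in the ancestor's group (Fig. 5 case).
            target = ancestor
        groups[target]["users"].extend(ou.users)
        for child in ou.children:
            walk(child, level + 1, target)

    for top in sync_dn.children:
        walk(top, 1, None)
    return groups


def authorize(groups: Dict[str, dict], grants: Dict[str, set]) -> Dict[str, set]:
    """Step 104. The administrator grants functions per group; a user's
    effective permissions are exactly those of the group it landed in."""
    rights: Dict[str, set] = {}
    for name, group in groups.items():
        for user in group["users"]:
            rights[user] = set(grants.get(name, ()))
    return rights


def move_user(root: OU, user: str, dest_ou: str) -> None:
    """Directory-side change that triggers step 105 (e.g. Jack promoted and
    moved under ou=market); the application only has to re-run synchronize()."""
    dest: Optional[OU] = None
    stack = [root]
    while stack:
        ou = stack.pop()
        if user in ou.users:
            ou.users.remove(user)
        if ou.name == dest_ou:
            dest = ou
        stack.extend(ou.children)
    if dest is None:
        raise KeyError(f"no OU named {dest_ou}")
    dest.users.append(user)


if __name__ == "__main__":
    tree = build_tree()
    print(synchronize(tree, 2))  # Fig. 4: one group per OU
    print(synchronize(tree, 1))  # Fig. 5: market and software only
```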
As can be seen from the above description, the technical scheme provided by the present invention achieves automatic group management, makes it convenient for the administrator to authorize functions, and greatly reduces the workload of user permission management, while the administrator can flexibly control the permission-management hierarchy according to the needs of the application system. When users change, permissions need not be reset, easing the administrator's maintenance load. Because LDAP is widely used in large, medium and small enterprises, the present invention has wide applicability and can better improve the user experience.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.
Claims (8)
1. An apparatus for LDAP-based user permission management, applied on the server of an application system that interacts with an LDAP server, characterized in that the apparatus includes:
a configuration module, for setting the LDAP directory scope to be synchronized;
a synchronization module, for synchronizing the organizational units within that LDAP directory scope into the application system, and synchronizing the users under each organizational unit into the application-system group corresponding to that organizational unit;
an authorization module, for authorizing functions to the groups in the application system after synchronization.
2. The apparatus according to claim 1, characterized in that
the configuration module is further used to set the grouping level for application-system permission management;
the synchronization module is further used, when the level of an organizational unit is beyond the grouping level, to synchronize the users of that organizational unit into the application-system group corresponding to the parent organizational unit of that organizational unit.
3. The apparatus according to claim 1, characterized in that when the application system has no group corresponding to an LDAP organizational unit that needs to be synchronized, the synchronization module is further used to create a new group corresponding to that organizational unit.
4. The apparatus according to claim 1, characterized in that when the users under an organizational unit on the LDAP server change, the synchronization module re-executes synchronization.
5. A method for LDAP-based user permission management, applied on the server of an application system that interacts with an LDAP server, characterized in that the method comprises the following steps:
A, setting the LDAP directory scope to be synchronized;
B, synchronizing the organizational units within that LDAP directory scope into the application system, and synchronizing the users under each organizational unit into the application-system group corresponding to that organizational unit;
C, authorizing functions to the groups in the application system.
6. The method according to claim 5, characterized in that step B1 is further included before step B:
B1, setting the grouping level for application-system permission management;
and step B further includes, when the level of an organizational unit is beyond the grouping level, synchronizing the users of that organizational unit into the application-system group corresponding to the parent organizational unit of that organizational unit.
7. The method according to claim 5, characterized in that when the application system has no group corresponding to an LDAP organizational unit that needs to be synchronized, step B further includes creating a new group corresponding to that organizational unit.
8. The method according to claim 5, characterized in that the method further includes step D:
D, when the users under an organizational unit on the LDAP server change, re-executing step B.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310120233.0A CN103220172B (en) | 2013-04-08 | 2013-04-08 | A kind of apparatus and method based on LDAP user authority managements |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103220172A CN103220172A (en) | 2013-07-24 |
CN103220172B true CN103220172B (en) | 2017-06-30 |
Family
ID=48817657
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310120233.0A Active CN103220172B (en) | 2013-04-08 | 2013-04-08 | A kind of apparatus and method based on LDAP user authority managements |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103220172B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou science and Technology Development Zone, Zhejiang high tech park, No. six and road, No. 310; Applicant before: Huasan Communication Technology Co., Ltd. |
| GR01 | Patent grant | |