CN113612865A - Method, device and equipment for managing cloud platform LDAP domain account and readable medium - Google Patents


Info

Publication number: CN113612865A
Authority: CN (China)
Prior art keywords: domain, account, ldap, cloud platform, ldap domain
Legal status: Pending
Application number: CN202110867156.XA
Other languages: Chinese (zh)
Inventor: 汪光跃
Current Assignee: Inspur Jinan data Technology Co ltd
Original Assignee: Inspur Jinan data Technology Co ltd
Application filed by Inspur Jinan data Technology Co ltd
Priority to CN202110867156.XA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4523 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using lightweight directory access protocol [LDAP]
    • H04L61/4552 Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method, a device, equipment and a readable medium for managing a cloud platform LDAP domain account, wherein the method comprises the following steps: integrating a keystone component in an account management system of a cloud platform, and connecting a configuration interface of the keystone component to an LDAP domain; establishing an LDAP domain account relation mapping table in the keystone component and recording the basic information of the LDAP domain accounts in a database of the cloud platform; in response to receiving an instruction of a user to log in to the cloud platform, querying whether the account name used for this login is recorded in the basic information of the LDAP (lightweight directory access protocol) domain accounts in the database of the cloud platform; and in response to the account name being recorded in the basic information of the LDAP domain accounts, associating the account name with the corresponding account in the LDAP domain according to the domain account relation mapping table, and verifying the password corresponding to the account name in the LDAP domain. With the scheme of the invention, an account created in the LDAP domain can log in to the cloud platform without the account being created again in the cloud platform, which simplifies the account management process of the cloud platform software and improves the user experience.

Description

Method, device and equipment for managing cloud platform LDAP domain account and readable medium
Technical Field
The present disclosure relates to the field of computers, and more particularly to a method, device, equipment and readable medium for cloud platform LDAP domain account management.
Background
Because the authentication mechanisms of the various cloud platform software products do not follow a uniform standard, and each product has an independent account management system, operation and maintenance personnel have to register accounts repeatedly and cannot change the passwords of all services at once, which increases operation and maintenance cost. For users, the same account cannot log in to several service systems, so several accounts and passwords have to be memorized; this is inconvenient and increases the use of weak passwords. LDAP provides a standard authentication mechanism, with the necessary authentication methods and security mechanisms, that allows applications running on most computer platforms to obtain information from an LDAP domain, and many software products use an LDAP domain as their account management system. Because LDAP domains are so widely used, the problem to be solved is to allow accounts from a third-party LDAP domain to log in to and operate the cloud platform software while the software's original account management system is retained.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method, an apparatus, a device, and a readable medium for managing an account in an LDAP domain of a cloud platform.
In view of the above object, an aspect of the embodiments of the present invention provides a method for cloud platform LDAP domain account management, comprising the following steps:
integrating a keystone component in an account management system of a cloud platform, and connecting a configuration interface of the keystone component to an LDAP domain;
establishing an LDAP domain account relation mapping table in the keystone component and recording the basic information of the LDAP domain accounts in a database of the cloud platform;
in response to receiving an instruction of a user to log in to the cloud platform, querying whether the account name used for this login is recorded in the basic information of the LDAP (lightweight directory access protocol) domain accounts in the database of the cloud platform;
and in response to the account name being recorded in the basic information of the LDAP domain accounts, associating the account name with the corresponding account in the LDAP domain according to the domain account relation mapping table, and verifying the password corresponding to the account name in the LDAP domain.
According to one embodiment of the invention, integrating a keystone component in an account management system of a cloud platform, and interfacing a keystone component configuration interface to an LDAP domain comprises:
establishing a specific domain in the keystone component, and establishing a specific domain configuration according to the ID of the specific domain and the information of the LDAP domain;
the keystone component detects the connectivity of the keystone component to the LDAP domain according to the configuration of the specific domain;
in response to detecting the keystone component to LDAP domain connectivity, a user ID is generated for each account in the LDAP domain using the sha256 hash algorithm.
According to one embodiment of the invention, the establishing of the LDAP domain account relation mapping table in the keystone component and the recording of the LDAP domain account basic information in the database of the cloud platform comprise:
creating an LDAP domain account relation mapping table according to the generated user ID, the ID of the specific domain and the address of the LDAP domain, wherein the domain account relation mapping table records, for each account, the correspondence through which the Keystone component is associated to that account in the LDAP domain.
According to one embodiment of the invention, the keystone component detecting connectivity to the LDAP domain according to the specific domain configuration comprises:
logging in to the LDAP domain in the background through the keystone component, using the LDAP domain address, the LDAP domain administrator account and the administrator password;
and in response to a successful login, judging that the keystone component is connected to the LDAP domain.
According to an embodiment of the present invention, further comprising:
and setting different login rights for the account ID recorded in the database of the cloud platform.
According to an embodiment of the present invention, further comprising:
detecting connectivity to the LDAP domain in the Keystone component once per threshold time interval;
in response to detecting connectivity, checking according to the domain account relation mapping table whether accounts have been added to or deleted from the LDAP domain;
and in response to detecting that accounts have been added to or deleted from the LDAP domain, changing the relation mapping table in the Keystone component, feeding the changed mapping table back to the database of the cloud platform, and adding or deleting the corresponding domain account information stored in the database.
According to an embodiment of the present invention, further comprising:
in response to receiving an instruction for deleting the LDAP domain, querying a stored domain id in a database of the cloud platform;
deleting the configuration of the specific domain and the account relation mapping table under the specific domain in the Keystone component according to the domain id;
and deleting the stored LDAP domain information and the account information synchronized in the domain in a database of the cloud platform according to the domain id.
In another aspect of the embodiments of the present invention, there is also provided an apparatus for cloud platform LDAP domain account management, the apparatus including:
the docking module, configured to integrate a keystone component in an account management system of the cloud platform and connect a keystone component configuration interface to the LDAP domain;
the creating module, configured to establish an LDAP domain account relation mapping table in the keystone component and record basic information of the LDAP domain accounts in a database of the cloud platform;
the query module, configured to respond to a received instruction of a user to log in to the cloud platform by querying whether the account name used for this login is recorded in the basic information of the LDAP domain accounts in the database of the cloud platform;
and the verification module, configured to respond to the account name being recorded in the basic information of the LDAP domain accounts by associating the account name with the corresponding account in the LDAP domain according to the domain account relation mapping table and verifying the password corresponding to the account name in the LDAP domain.
In another aspect of an embodiment of the present invention, there is also provided a computer apparatus including:
at least one processor; and
a memory storing computer instructions executable on the processor, the instructions when executed by the processor implementing the steps of any of the methods described above.
In another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium storing a computer program, which when executed by a processor implements the steps of any one of the above-mentioned methods.
The invention has the following beneficial technical effects. According to the method for managing the account of the LDAP domain of the cloud platform, a keystone component is integrated in the account management system of the cloud platform, and a configuration interface of the keystone component is connected to the LDAP domain; an LDAP domain account relation mapping table is established in the keystone component and the basic information of the LDAP domain accounts is recorded in a database of the cloud platform; in response to receiving an instruction of a user to log in to the cloud platform, it is queried whether the account name used for this login is recorded in the basic information of the LDAP (lightweight directory access protocol) domain accounts in the database of the cloud platform; and in response to the account name being recorded in the basic information of the LDAP domain accounts, the account name is associated with the corresponding account in the LDAP domain according to the domain account relation mapping table, and the password corresponding to the account name is verified in the LDAP domain.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a method of cloud platform LDAP domain account management according to one embodiment of the present invention;
FIG. 2 is a schematic diagram of an apparatus for cloud platform LDAP domain account management according to one embodiment of the present invention;
FIG. 3 is a schematic diagram of a computer device according to one embodiment of the present invention;
FIG. 4 is a schematic diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
In view of the above objects, a first aspect of embodiments of the present invention proposes an embodiment of a method of cloud platform LDAP domain account management. Fig. 1 shows a schematic flow diagram of the method.
As shown in fig. 1, the method may include the steps of:
S1, integrating a keystone component in the account management system of the cloud platform and interfacing the keystone component configuration interface to an LDAP (lightweight directory access protocol) domain.
Keystone (OpenStack Identity service) is the module in the OpenStack framework responsible for authentication, service rules and service tokens. A user's identity and authority must be verified when the user accesses a resource, and an authority check is also needed when a service executes an operation; both are handled by Keystone. An LDAP domain is added in the cloud platform software: the user enters the LDAP domain information, the domain information is stored in the database, and Keystone is entered to interface with the LDAP domain. A specific domain is created in the Keystone component, and a specific domain configuration is created according to the ID of that domain and the LDAP domain information, so that the specific domain corresponds to the LDAP domain. The Keystone component detects its connectivity to the LDAP domain according to the specific domain configuration, and if the domain is connected, a public ID (user ID) is generated for each account in the LDAP domain using the sha256 hash algorithm; the public ID is a global ID and is unique within the Keystone component.
S2, establishing an LDAP domain account relation mapping table in the keystone component and recording LDAP domain account basic information in the database of the cloud platform.
An LDAP domain account relation mapping table is created according to the public id, domain id and LDAP domain address generated above, wherein the mapping formula is as follows: (public_id, domain_id, LDAP_url) → LDAP_user. According to the domain account relation mapping table, each account in the LDAP domain can be associated from the Keystone component; the account in the LDAP domain may be an account registered by other software, and during login authentication the account is connected to the corresponding account in the LDAP domain according to the mapping table for password verification. The accounts are also synchronized into the cloud platform database, recording information such as domain id, public id and account name, and kept in one-to-one correspondence with the accounts in the mapping table created in the Keystone component.
S3, in response to receiving an instruction of the user to log in to the cloud platform, querying whether the account name used for this login is recorded in the basic information of the LDAP domain accounts in the database of the cloud platform.
S4, in response to the account name being recorded in the LDAP domain account basic information, associating the account name with the corresponding account in the LDAP domain according to the domain account relation mapping table and verifying the password corresponding to the account name in the LDAP domain.
On the cloud platform system login interface, the user selects the LDAP (lightweight directory access protocol) domain to log in with and enters an account and a password, and the account authentication process begins. The cloud platform database is queried first to check whether the account name exists among the LDAP domain accounts. If it does not, an "account or password error" is reported and login authentication for that account fails. If it does, the account in the LDAP domain is associated to the corresponding account in the Keystone component according to the created domain-account relation mapping table, and the password of the corresponding account is then verified in the LDAP domain. If the password is correct, the account's login authentication to the cloud platform succeeds; otherwise an "account or password error" is reported and the account's login authentication to the cloud platform fails.
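Steps S1 to S4 as one runnable model, added here as an example and not code from the patent or from OpenStack Keystone: the LDAP server is an in-memory stub, and `FakeLdapDomain`, `IdentityComponent`, `public_id` and `demo` are names chosen for this example. It follows the flow above in returning the same "account or password error" whether the account was never synchronised or the LDAP password is wrong, and refuses to map a domain whose stored administrator credentials fail the connectivity check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# One message for both "account not synchronised" and "wrong password", as in the flow above.
LOGIN_ERROR = "account or password error"


@dataclass
class FakeLdapDomain:
    """In-memory stand-in for an LDAP server (constructed data, not a real directory)."""
    url: str
    admin_dn: str
    admin_password: str
    users: dict  # account name -> password; acts as a simple-bind oracle

    def bind(self, name: str, password: str) -> bool:
        """Simulates an LDAP simple bind for the admin DN or for a user account."""
        if name == self.admin_dn:
            return hmac.compare_digest(self.admin_password, password)
        stored = self.users.get(name)
        return stored is not None and hmac.compare_digest(stored, password)

    def list_users(self) -> list:
        return sorted(self.users)


def public_id(domain_id: str, ldap_user: str) -> str:
    """S1: derive a globally unique user ID for an LDAP account with sha256. The
    concatenation order is this example's choice; what matters is that the same
    (domain, account) pair always yields the same Keystone-side ID."""
    return hashlib.sha256(f"{domain_id}{ldap_user}".encode("utf-8")).hexdigest()


@dataclass
class IdentityComponent:
    """Keystone-like component holding the specific-domain configuration, the mapping
    table (public_id, domain_id, LDAP_url) -> LDAP_user, and the cloud-platform DB rows."""
    domain_config: dict = field(default_factory=dict)  # domain_id -> {server, admin_dn, admin_password}
    mapping: dict = field(default_factory=dict)        # (public_id, domain_id, url) -> ldap_user
    cloud_db: dict = field(default_factory=dict)       # (domain_id, account_name) -> public_id

    def check_connectivity(self, domain_id: str) -> bool:
        """S1: background login with the stored url, administrator account and password."""
        cfg = self.domain_config[domain_id]
        return cfg["server"].bind(cfg["admin_dn"], cfg["admin_password"])

    def add_domain(self, domain_id: str, server: FakeLdapDomain,
                   admin_dn: str, admin_password: str) -> int:
        """S1 + S2: store the specific-domain config, check connectivity, then build the
        mapping table and record account basics in the cloud DB. Returns the number of
        accounts mapped; raises (and keeps no config) if the domain cannot be reached."""
        self.domain_config[domain_id] = {"server": server, "admin_dn": admin_dn,
                                         "admin_password": admin_password}
        if not self.check_connectivity(domain_id):
            del self.domain_config[domain_id]
            raise ConnectionError(f"LDAP domain {domain_id} not reachable at {server.url}")
        names = server.list_users()
        for name in names:
            pid = public_id(domain_id, name)
            self.mapping[(pid, domain_id, server.url)] = name
            self.cloud_db[(domain_id, name)] = pid
        return len(names)

    def login(self, domain_id: str, account_name: str, password: str) -> tuple:
        """S3 + S4: query the cloud DB first, then map to the LDAP account and verify the
        password in the LDAP domain. Returns (True, public_id) or (False, LOGIN_ERROR)."""
        pid = self.cloud_db.get((domain_id, account_name))
        if pid is None:
            return False, LOGIN_ERROR  # S3: account never synchronised from this domain
        server = self.domain_config[domain_id]["server"]
        ldap_user = self.mapping.get((pid, domain_id, server.url))
        if ldap_user is None or not server.bind(ldap_user, password):
            return False, LOGIN_ERROR  # S4: password rejected by the LDAP domain
        return True, pid


def demo() -> dict:
    """Runs the whole flow on constructed data and returns each outcome."""
    ks = IdentityComponent()
    admin = "cn=admin,dc=example,dc=test"
    good = FakeLdapDomain("ldap://ldap1.example.test:389", admin, "admin-secret",
                          {"alice": "alice-pw", "bob": "bob-pw"})
    results = {"mapped": ks.add_domain("dom-1", good, admin, "admin-secret")}
    results["alice_ok"] = ks.login("dom-1", "alice", "alice-pw")
    results["alice_bad_pw"] = ks.login("dom-1", "alice", "wrong")
    results["unknown_user"] = ks.login("dom-1", "mallory", "anything")
    # Stored admin password no longer matches the server: the domain must be rejected
    # before any of its accounts are mapped, so nobody from it can log in.
    stale = FakeLdapDomain("ldap://ldap2.example.test:389", admin, "rotated-secret",
                           {"carol": "carol-pw"})
    try:
        ks.add_domain("dom-2", stale, admin, "old-secret")
        results["stale_rejected"] = False
    except ConnectionError:
        results["stale_rejected"] = True
    results["carol_login"] = ks.login("dom-2", "carol", "carol-pw")
    return results
```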
By the technical scheme, the account created in the LDAP domain can log in the cloud platform without repeatedly creating the account in the cloud platform, so that the software account management process of the cloud platform is simplified, and the user experience is improved.
In a preferred embodiment of the present invention, integrating a keystone component in an account management system of a cloud platform and interfacing a keystone component configuration interface to an LDAP domain comprises:
establishing a specific domain in the keystone component, and establishing a specific domain configuration according to the ID of the specific domain and the information of the LDAP domain;
the keystone component detects the connectivity of the keystone component to the LDAP domain according to the configuration of the specific domain;
in response to detecting the keystone component to LDAP domain connectivity, a user ID is generated for each account in the LDAP domain using the sha256 hash algorithm.
In a preferred embodiment of the present invention, establishing the LDAP domain account relationship mapping table in the keystone component and recording the LDAP domain account basic information in the database of the cloud platform includes:
creating an LDAP domain account relation mapping table according to the generated user ID, the ID of the specific domain and the address of the LDAP domain, wherein the domain account relation mapping table records, for each account, the correspondence through which the Keystone component is associated to that account in the LDAP domain.
In a preferred embodiment of the present invention, the keystone component detecting connectivity to the LDAP domain according to the particular domain configuration comprises:
logging in to the LDAP domain in the background through the keystone component, using the LDAP domain address, the LDAP domain administrator account and the administrator password;
and in response to a successful login, judging that the keystone component is connected to the LDAP domain.
In a preferred embodiment of the present invention, the method further comprises:
setting different login rights for the account IDs recorded in the database of the cloud platform. At this point a domain account synchronized to the cloud platform database and the Keystone component does not yet have the right to log in to and operate the cloud platform, and must be authorized. Roles are allocated to the accounts in the cloud platform database, the same roles are allocated to the corresponding accounts in the Keystone component, and the roles of the same account are kept consistent across components.
In a preferred embodiment of the present invention, the method further comprises:
detecting connectivity to the LDAP domain in the Keystone component once per threshold time interval;
in response to detecting connectivity, checking according to the domain account relation mapping table whether accounts have been added to or deleted from the LDAP domain;
and in response to detecting that accounts have been added to or deleted from the LDAP domain, changing the relation mapping table in the Keystone component, feeding the changed mapping table back to the database of the cloud platform, and adding or deleting the corresponding domain account information stored in the database. In the Keystone component, the LDAP domain is logged in to every t seconds using the stored domain configuration information (url, LDAP domain administrator account and password); user list 1 of the LDAP domain is obtained, user list 2 of the LDAP domain stored in the local database is then queried, the two lists are compared, and users of the LDAP domain stored in the local database are added or deleted so as to stay consistent with the users in the LDAP domain. The comparison method is as follows. To find users deleted from the LDAP domain, traverse locally stored list 2 and, for each user, determine whether it exists in list 1; if it does not, delete the user from list 2. To find users newly added in the LDAP domain, traverse list 1 and, for each user, determine whether it exists in list 2; if it does not, add the user to list 2.
In a preferred embodiment of the present invention, the method further comprises:
in response to receiving an instruction for deleting the LDAP domain, querying a stored domain id in a database of the cloud platform;
deleting the configuration of the specific domain and the account relation mapping table under the specific domain in the Keystone component according to the domain id;
and deleting the stored LDAP domain information and the account information synchronized from that domain in the database of the cloud platform according to the domain id. After the LDAP domain is deleted, accounts in that domain can no longer log in to the cloud platform system.
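The periodic list-1 versus list-2 synchronization and the LDAP-domain deletion described in the two preceding embodiments, as an added example on in-memory state (not the patent's or Keystone's code): `SyncState`, `diff_users`, `sync_domain` and `delete_domain` are names chosen here, and the `reachable` flag stands for the outcome of the background administrator login. The example also shows why the connectivity check must gate the comparison: an unreachable domain is skipped rather than treated as a domain from which every account was deleted.

```python
import hashlib
from dataclasses import dataclass, field


def public_id(domain_id: str, ldap_user: str) -> str:
    """sha256-derived global user ID for an LDAP account (step S1 above)."""
    return hashlib.sha256(f"{domain_id}{ldap_user}".encode("utf-8")).hexdigest()


@dataclass
class SyncState:
    """Keystone-side specific-domain config and mapping table, plus the cloud-platform DB."""
    domains: dict = field(default_factory=dict)   # domain_id -> {"url": ...}
    mapping: dict = field(default_factory=dict)   # (public_id, domain_id, url) -> ldap_user
    cloud_db: dict = field(default_factory=dict)  # (domain_id, account_name) -> public_id


def diff_users(list1: list, list2: list) -> tuple:
    """Compare list 1 (accounts now in the LDAP domain) with list 2 (accounts stored
    locally). Traversing list 1 for names missing from list 2 gives the additions;
    traversing list 2 for names missing from list 1 gives the deletions. Set
    differences express exactly that. Returns (to_add, to_delete), both sorted."""
    in_ldap, in_local = set(list1), set(list2)
    return sorted(in_ldap - in_local), sorted(in_local - in_ldap)


def sync_domain(state: SyncState, domain_id: str, list1: list, reachable: bool) -> dict:
    """One tick of the every-t-seconds job. `reachable` is the outcome of the background
    admin login; when it is False nothing is touched, so an LDAP outage that yields an
    empty user list is never mistaken for 'every account was deleted'."""
    if not reachable:
        return {"added": [], "deleted": [], "skipped": True}
    url = state.domains[domain_id]["url"]
    list2 = [name for (d, name) in state.cloud_db if d == domain_id]
    to_add, to_delete = diff_users(list1, list2)
    for name in to_delete:  # remove the mapping row and the cloud-DB record together
        pid = state.cloud_db.pop((domain_id, name))
        state.mapping.pop((pid, domain_id, url), None)
    for name in to_add:     # new LDAP account: new public ID, mapping row and DB record
        pid = public_id(domain_id, name)
        state.mapping[(pid, domain_id, url)] = name
        state.cloud_db[(domain_id, name)] = pid
    return {"added": to_add, "deleted": to_delete, "skipped": False}


def delete_domain(state: SyncState, domain_id: str) -> int:
    """Delete an LDAP domain: drop its specific-domain config, every mapping row under
    it and every synchronised account, so no account from it can log in again.
    Other domains are left untouched. Returns the number of rows removed."""
    state.domains.pop(domain_id, None)
    mapping_keys = [k for k in state.mapping if k[1] == domain_id]
    db_keys = [k for k in state.cloud_db if k[0] == domain_id]
    for k in mapping_keys:
        del state.mapping[k]
    for k in db_keys:
        del state.cloud_db[k]
    return len(mapping_keys) + len(db_keys)


def demo() -> dict:
    """Constructed scenario: initial sync, a tick with one leaver and one joiner, an
    outage tick, then deletion of the first domain while a second one stays intact."""
    st = SyncState()
    st.domains["dom-1"] = {"url": "ldap://ldap1.example.test"}
    st.domains["dom-2"] = {"url": "ldap://ldap2.example.test"}
    first = sync_domain(st, "dom-1", ["alice", "bob"], reachable=True)
    sync_domain(st, "dom-2", ["carol"], reachable=True)
    second = sync_domain(st, "dom-1", ["alice", "dave"], reachable=True)  # bob left, dave joined
    outage = sync_domain(st, "dom-1", [], reachable=False)                # LDAP down: no change
    removed = delete_domain(st, "dom-1")
    return {"first": first, "second": second, "outage": outage,
            "removed": removed, "remaining": sorted(st.cloud_db)}
```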
According to the technical scheme, an account established in a third-party LDAP domain can log in to and authenticate against the cloud platform software without the account being established again in the cloud platform, which simplifies the account management process of the cloud platform software and improves the user experience. The method is based on the Keystone component of OpenStack, can be quickly integrated into cloud platform software that has an independent account management system, and achieves third-party account login authentication for the cloud platform. The method and system make the LDAP domains added to the cloud platform software extensible: several third-party LDAP domains can be added, the accounts in those domains are automatically synchronized to the cloud platform database, and the accounts of the cloud platform software and the accounts of the third-party LDAP domains remain mutually independent, so that account security across the software is ensured.
It should be noted that, as will be understood by those skilled in the art, all or part of the processes in the methods of the above embodiments may be implemented by instructing relevant hardware through a computer program, and the above programs may be stored in a computer-readable storage medium, and when executed, the programs may include the processes of the embodiments of the methods as described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. The embodiments of the computer program may achieve the same or similar effects as any of the above-described method embodiments.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
In view of the above object, a second aspect of the embodiments of the present invention proposes an apparatus for cloud platform LDAP domain account management, as shown in fig. 2, the apparatus 200 includes:
the docking module 201, configured to integrate a keystone component in an account management system of the cloud platform and connect a keystone component configuration interface to an LDAP domain;
the creating module 202, configured to establish an LDAP domain account relation mapping table in the keystone component and record basic information of the LDAP domain accounts in a database of the cloud platform;
the query module 203, configured to respond to a received instruction of a user to log in to the cloud platform by querying whether the account name used for this login is recorded in the basic information of the LDAP domain accounts in the database of the cloud platform;
and the verification module 204, configured to respond to the account name used for this login being recorded in the basic information of the LDAP domain accounts by associating that account name with the corresponding account in the LDAP domain according to the domain-account relation mapping table and verifying the password corresponding to that account name in the LDAP domain.
In view of the above object, a third aspect of the embodiments of the present invention provides a computer device. Fig. 3 is a schematic diagram of an embodiment of a computer device provided by the present invention. As shown in fig. 3, an embodiment of the present invention includes the following means: at least one processor S21; and a memory S22, the memory S22 storing computer instructions S23 executable on the processor, the instructions when executed by the processor implementing the method of:
integrating a keystone component in an account management system of a cloud platform, and connecting a configuration interface of the keystone component to an LDAP domain;
establishing an LDAP domain account relation mapping table in the keystone component and recording the basic information of the LDAP domain accounts in a database of the cloud platform;
in response to receiving an instruction of a user to log in to the cloud platform, querying whether the account name used for this login is recorded in the basic information of the LDAP (lightweight directory access protocol) domain accounts in the database of the cloud platform;
and in response to the account name being recorded in the basic information of the LDAP domain accounts, associating the account name with the corresponding account in the LDAP domain according to the domain account relation mapping table, and verifying the password corresponding to the account name in the LDAP domain.
In a preferred embodiment of the present invention, integrating a keystone component in an account management system of a cloud platform and interfacing a keystone component configuration interface to an LDAP domain comprises:
establishing a specific domain in the keystone component, and establishing a specific domain configuration according to the ID of the specific domain and the information of the LDAP domain;
the keystone component detects the connectivity of the keystone component to the LDAP domain according to the configuration of the specific domain;
in response to detecting the keystone component to LDAP domain connectivity, a user ID is generated for each account in the LDAP domain using the sha256 hash algorithm.
In a preferred embodiment of the present invention, establishing the LDAP domain account relationship mapping table in the keystone component and recording the LDAP domain account basic information in the database of the cloud platform includes:
creating an LDAP domain account relation mapping table according to the generated user ID, the ID of the specific domain and the address of the LDAP domain, wherein the domain account relation mapping table records, for each account, the correspondence through which the Keystone component is associated to that account in the LDAP domain.
In a preferred embodiment of the present invention, the keystone component detecting connectivity to the LDAP domain according to the particular domain configuration comprises:
logging in to the LDAP domain in the background through the keystone component, using the LDAP domain address, the LDAP domain administrator account and the administrator password;
and in response to a successful login, judging that the keystone component is connected to the LDAP domain.
In a preferred embodiment of the present invention, the method further comprises:
and setting different login rights for the account ID recorded in the database of the cloud platform.
In a preferred embodiment of the present invention, the method further comprises:
detecting connectivity to the LDAP domain in the Keystone component once per threshold time interval;
in response to detecting connectivity, checking according to the domain account relation mapping table whether accounts have been added to or deleted from the LDAP domain;
and in response to detecting that accounts have been added to or deleted from the LDAP domain, changing the relation mapping table in the Keystone component, feeding the changed mapping table back to the database of the cloud platform, and adding or deleting the corresponding domain account information stored in the database.
In a preferred embodiment of the present invention, the method further comprises:
in response to receiving an instruction for deleting the LDAP domain, querying a stored domain id in a database of the cloud platform;
deleting the configuration of the specific domain and the account relation mapping table under the specific domain in the Keystone component according to the domain id;
and deleting the stored LDAP domain information and the account information synchronized in the domain in a database of the cloud platform according to the domain id.
In view of the above object, a fourth aspect of the embodiments of the present invention proposes a computer-readable storage medium. FIG. 4 is a schematic diagram illustrating an embodiment of a computer-readable storage medium provided by the present invention. As shown in fig. 4, the computer-readable storage medium S31 stores a computer program S32 that, when executed by a processor, performs the following method:
integrating a keystone component in an account management system of a cloud platform, and interfacing the configuration interface of the keystone component to an LDAP domain;
establishing an LDAP domain account relation mapping table in the keystone component and recording the basic information of the LDAP domain account in the database of the cloud platform;
in response to receiving an instruction of a user for logging in to the cloud platform, querying whether the account name of this login is recorded in the basic information of the LDAP (lightweight directory access protocol) domain account in the database of the cloud platform;
and in response to the account name of this login being recorded in the basic information of the LDAP domain account, associating the account name of this login with the corresponding account in the LDAP domain according to the domain account relation mapping table, and verifying the password corresponding to the account name of this login in the LDAP domain.
In a preferred embodiment of the present invention, integrating a keystone component in an account management system of a cloud platform and interfacing the configuration interface of the keystone component to an LDAP domain comprises:
establishing a specific domain in the keystone component, and establishing a specific domain configuration according to the ID of the specific domain and the information of the LDAP domain;
the keystone component detecting its connectivity to the LDAP domain according to the specific domain configuration;
in response to detecting that the keystone component is connected to the LDAP domain, generating a user ID for each account in the LDAP domain using the sha256 hash algorithm.
In a preferred embodiment of the present invention, establishing the LDAP domain account relation mapping table in the keystone component and recording the basic information of the LDAP domain account in the database of the cloud platform includes:
creating the LDAP domain account relation mapping table from the generated user ID, the ID of the specific domain and the address of the LDAP domain, wherein the domain account relation mapping table records the correspondence of each account associated from the Keystone component to the LDAP domain.
In a preferred embodiment of the present invention, the keystone component detecting connectivity to the LDAP domain according to the specific domain configuration includes:
logging in to the LDAP domain through the keystone component in the background, using the LDAP domain address, the LDAP domain administrator account and the administrator password;
and in response to a normal login, determining that the keystone component is connected to the LDAP domain.
In a preferred embodiment of the present invention, the method further comprises:
setting different login rights for the account IDs recorded in the database of the cloud platform.
In a preferred embodiment of the present invention, the method further comprises:
detecting connectivity to the LDAP domain once every threshold time interval in the Keystone component;
in response to detecting connectivity, checking, according to the domain account relation mapping table, whether accounts in the LDAP domain have been added or deleted;
and in response to detecting that accounts in the LDAP domain have been added or deleted, changing the relation mapping table in the Keystone component, feeding the relation mapping table back to the database of the cloud platform, and adding or deleting the corresponding domain account information stored in the database.
In a preferred embodiment of the present invention, the method further comprises:
in response to receiving an instruction to delete the LDAP domain, querying the stored domain id in the database of the cloud platform;
deleting, according to the domain id, the configuration of the specific domain and the account relation mapping table under the specific domain in the Keystone component;
and deleting, according to the domain id, the stored LDAP domain information and the account information synchronized from that domain in the database of the cloud platform.
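The integration, login, periodic synchronization and domain-deletion steps described above, as an added in-memory model that is not the patent's or Keystone's own code: the LDAP domain is a constructed stub, and deriving the user ID as a sha256 hash of the domain ID together with the LDAP account name is an assumption modeled on Keystone's id generator, since the page does not give the exact hash input.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class FakeLdapDomain:
    """Constructed stand-in for the LDAP domain: its address plus uid -> password."""
    address: str
    accounts: dict = field(default_factory=dict)

    def bind(self, uid, password):
        # A successful simple bind is the page's "normal login" signal.
        stored = self.accounts.get(uid)
        return stored is not None and hmac.compare_digest(stored, password)

    def list_uids(self):
        return set(self.accounts)


@dataclass
class DomainConfig:
    """Keystone-side specific-domain configuration plus the account relation mapping table."""
    domain_id: str
    ldap: FakeLdapDomain
    admin_uid: str
    admin_password: str
    mapping: dict = field(default_factory=dict)  # user_id -> (domain_id, ldap_address, uid)


def generate_user_id(domain_id, uid):
    # One deterministic public ID per (domain, LDAP account). Hashing the domain ID
    # together with the account name is an assumption modeled on Keystone's sha256
    # id generator; the exact input format is not given on the page.
    return hashlib.sha256(f"{domain_id}\x00{uid}".encode("utf-8")).hexdigest()


def check_connectivity(cfg):
    """Background login with the administrator credentials from the domain config."""
    return cfg.ldap.bind(cfg.admin_uid, cfg.admin_password)


def sync_domain(cfg, platform_db):
    """Build or refresh the mapping table and the cloud DB's basic account info.

    Returns (added, deleted) uids, or None when the LDAP domain is unreachable;
    then nothing is touched, so a transient outage cannot empty the table.
    """
    if not check_connectivity(cfg):
        return None
    current = cfg.ldap.list_uids()
    known = {entry[2] for entry in cfg.mapping.values()}
    added, deleted = current - known, known - current
    for uid in added:
        cfg.mapping[generate_user_id(cfg.domain_id, uid)] = (cfg.domain_id, cfg.ldap.address, uid)
    for user_id in [k for k, v in cfg.mapping.items() if v[2] in deleted]:
        del cfg.mapping[user_id]
    # The platform DB keeps only basic info (account name -> user_id); passwords stay in LDAP.
    platform_db[cfg.domain_id] = {v[2]: k for k, v in cfg.mapping.items()}
    return added, deleted


def login(cfg, platform_db, account_name, password):
    """Login flow: the name must be recorded in the DB, then the password is verified in LDAP."""
    user_id = platform_db.get(cfg.domain_id, {}).get(account_name)
    if user_id is None or user_id not in cfg.mapping:
        return None  # not an LDAP domain account known to the platform
    _, _, uid = cfg.mapping[user_id]
    return user_id if cfg.ldap.bind(uid, password) else None


def delete_domain(cfg, platform_db):
    """Domain deletion: drop the mapping table and the synced DB records by domain id."""
    cfg.mapping.clear()
    platform_db.pop(cfg.domain_id, None)
```

Note that an account removed from LDAP stops being able to log in as soon as the next sync runs, while a password change in LDAP takes effect immediately because the platform never stores it.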
Furthermore, the methods disclosed according to embodiments of the present invention may also be implemented as a computer program executed by a processor, which may be stored in a computer-readable storage medium and which, when executed by a processor, performs the above-described functions defined in the methods disclosed in embodiments of the invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of the embodiments of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A method for managing an LDAP domain account of a cloud platform, characterized by comprising the following steps:
integrating a keystone component in an account management system of a cloud platform, and interfacing a configuration interface of the keystone component to an LDAP domain;
establishing an LDAP domain account relation mapping table in the keystone component and recording basic information of the LDAP domain account in a database of the cloud platform;
in response to receiving an instruction of a user for logging in to the cloud platform, querying whether the account name of this login is recorded in the basic information of the LDAP domain account in the database of the cloud platform;
and in response to the account name of this login being recorded in the basic information of the LDAP domain account, associating the account name of this login with the corresponding account in the LDAP domain according to the domain account relation mapping table, and verifying the password corresponding to the account name of this login in the LDAP domain.
2. The method of claim 1, wherein integrating a keystone component in an account management system of a cloud platform and interfacing the configuration interface of the keystone component to an LDAP domain comprises:
establishing a specific domain in the keystone component, and establishing a specific domain configuration according to the ID of the specific domain and the information of the LDAP domain;
the keystone component detecting connectivity of the keystone component to the LDAP domain according to the specific domain configuration;
in response to detecting connectivity of the keystone component to the LDAP domain, generating a user ID for each account in the LDAP domain using a sha256 hashing algorithm.
3. The method of claim 2, wherein establishing an LDAP domain account relation mapping table in the keystone component and recording the basic information of the LDAP domain account in a database of the cloud platform comprises:
creating the LDAP domain account relation mapping table from the generated user ID, the ID of the specific domain and the address of the LDAP domain, wherein the domain account relation mapping table records the correspondence of each account associated from the Keystone component to the LDAP domain.
4. The method of claim 2, wherein the keystone component detecting connectivity to the LDAP domain according to the specific domain configuration comprises:
logging in to the LDAP domain through the keystone component in the background, using the LDAP domain address, the LDAP domain administrator account and the administrator password;
and in response to a normal login, determining that the keystone component is connected to the LDAP domain.
5. The method of claim 1, further comprising:
setting different login rights for the account IDs recorded in the database of the cloud platform.
6. The method of claim 1, further comprising:
detecting connectivity to the LDAP domain once every threshold time interval in the Keystone component;
in response to detecting connectivity, checking, according to the relation mapping table, whether accounts in the LDAP domain have been added or deleted;
and in response to detecting that accounts in the LDAP domain have been added or deleted, changing the relation mapping table in the Keystone component, feeding the relation mapping table back to the database of the cloud platform, and simultaneously adding or deleting the corresponding domain account information stored in the database.
7. The method of claim 1, further comprising:
in response to receiving an instruction to delete the LDAP domain, querying the database of the cloud platform for the stored domain id;
deleting, according to the domain id, the configuration of the specific domain and the account relation mapping table under the specific domain in the Keystone component;
and deleting, according to the domain id, the stored LDAP domain information and the account information synchronized from that domain in the database of the cloud platform.
8. An apparatus for cloud platform LDAP domain account management, the apparatus comprising:
a docking module, configured to integrate a keystone component in an account management system of a cloud platform and to interface the configuration interface of the keystone component to an LDAP domain;
a creating module, configured to establish an LDAP domain account relation mapping table in the keystone component and to record basic information of the LDAP domain account in a database of the cloud platform;
a query module, configured to respond to a received instruction of a user for logging in to the cloud platform by querying whether the account name of this login is recorded in the basic information of the LDAP domain account in the database of the cloud platform;
and a verification module, configured to respond to the account name of this login being recorded in the basic information of the LDAP domain account by associating the account name of this login with the corresponding account in the LDAP domain according to the domain account relation mapping table and verifying the password corresponding to the account name of this login in the LDAP domain.
9. A computer device, comprising:
at least one processor; and
a memory storing computer instructions executable on the processor, the instructions when executed by the processor implementing the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202110867156.XA 2021-07-29 2021-07-29 Method, device and equipment for managing cloud platform LDAP domain account and readable medium Pending CN113612865A (en)


Publications (1)

Publication Number Publication Date
CN113612865A true CN113612865A (en) 2021-11-05

Family

ID=78306059


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172700A (en) * 2021-11-24 2022-03-11 中国人寿保险股份有限公司上海数据中心 Unified authentication system and method based on cloud platform and domain control server
CN116800546A (en) * 2023-08-24 2023-09-22 北京建筑大学 User switching method, system, terminal and storage medium




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211105