Graduation Design (Thesis)

The Design and Application of Directory Services and Identity Management Systems in Electric Power Enterprises

Author:
Degree programme applied for:
Degree category applied for:
Supervisor (title):
Date of submission:

Abstract

At the start of the 21st century, human society entered the new economic era that followed the industrial age. In this era, reducing the complexity and cost of managing users and their access to application systems, preventing unauthorized use of enterprise information, and improving agility so that systems can respond to constantly changing business requirements have become major factors limiting enterprise growth.

State Grid Corporation of China launched the "SG186" project during the 11th Five-Year Plan period. With that project as background, and based on a survey of the systems currently running in power enterprises, this thesis proposes a directory service built around an identity directory, an enterprise resource directory and an authentication directory, which stores, manages and presents user identity information in a centralized and unified way. On this foundation an identity management product is used to integrate both existing systems and systems about to enter operation, giving the whole enterprise efficient user lifecycle management that needs no manual maintenance. To ensure that the system runs stably and efficiently, the key factors that affect overall system performance were also performance-tested and analyzed, and the expected results were obtained.
Keywords: directory service; identity management; user lifecycle

Contents (33 pages in total)

1 Introduction 1
1.1 Purpose and significance of the design 1
1.2 Technical background 1
1.2.1 Technical overview 1
1.2.2 Differences between directory services and database systems 2
1.2.3 Application history and current state 3
1.3 Project background 4
1.4 Design method 5
1.5 Structure of the thesis 5
1.6 Definition of terms 5
2 Overall framework design 6
2.1 Directory service 6
2.1.1 Components of the directory service 6
2.1.2 Headquarters directory 6
2.1.3 Regional and provincial company directories 7
2.2 Identity management 7
2.2.1 Centralized management of identity information 7
2.2.2 Identity synchronization 8
3 Logical design 8
3.1 Directory service 8
3.1.1 Logical architecture 8
3.1.2 Directory tree structure design 9
3.1.3 Directory schema design 11
3.1.4 Directory naming and coding design 13
3.1.5 Directory synchronization design 14
3.2 Identity management 16
3.2.1 Logical architecture 16
3.2.2 Identity lifecycle management 16
3.2.3 Identity synchronization 19
4 Physical design 21
4.1 Physical architecture 21
4.2 High-availability design 22
4.2.1 Directory service 22
4.2.2 Identity management 22
4.3 System monitoring design 23
4.3.1 Directory service 24
4.3.2 Identity management 24
4.4 Backup and recovery design 23
4.4.1 Directory service 24
4.4.2 Identity management 24
4.5 Security design 24
4.5.1 Directory service 25
4.5.2 Identity management 25
4.6 Hierarchical delegation of directory authority 25
4.6.1 Delegation mechanism 26
4.6.2 Elements of authorization 26
4.6.3 Authorization methods 26
4.7 Operating system tuning 27
4.7.1 Disabling background processes 27
4.7.2 Disabling the GUI 27
4.7.3 Processor subsystem tuning 27
4.7.4 Memory subsystem tuning 27
4.7.5 File system tuning 28
4.7.6 Network subsystem tuning 28
5 Performance testing 28
5.1 Directory system tests 28
5.1.1 Data initialization 28
5.1.2 Query performance 28
5.1.3 Load balancing 28
5.2 Identity management system tests 29
5.2.1 User identity synchronization 29
5.2.2 High availability 29
Conclusion 29
References 29
Acknowledgements 31
Declaration 32

Page 1 of 33

1 Introduction

1.1 Purpose and significance of the design

Every company needs to protect its IT infrastructure in order to prevent information theft, comply with regulations and keep the information of customers, partners and employees confidential. This means securing and protecting company assets economically, without missing new business opportunities or reducing productivity. Reality does not always cooperate, however; consider the following situations.

Scenario one: In most enterprises today, identity information is kept in several repositories spread across many IT systems, for example the human-resources system, the e-mail system and the finance system. When the information about a person has to change, IT staff can only update it in each system by hand, which is expensive, time-consuming and error-prone, and leaves the systems exposed to attack. For example, when a new employee reports for work, manual provisioning of application accounts may delay the accounts needed for the job for a long time, so that the employee cannot work normally; this damages morale and wastes the enterprise's resources. A centralized way of managing users and their access is therefore needed to guarantee both security and timeliness.

Scenario two: According to a joint report by the U.S. Secret Service and the Computer Emergency Response Team (CERT), more than half of all illicit access to corporate networks is the work of disgruntled former employees. Provisioning users with access to resources is tedious and time-consuming, and for most companies the manual process noticeably reduces productivity. Worse, the manual process of revoking access when employees leave becomes the single largest security risk. An automated, workflow-driven account provisioning process that enforces a consistent security policy across the enterprise is therefore needed.

Scenario three: If employees must remember a large number of passwords to reach their daily applications and services, data security is endangered and productivity falls. Equally, a company cannot operate efficiently if it relies on the IT department to reset every forgotten password by hand. Employees should therefore manage their own passwords, and single sign-on should replace the use of many separate passwords.

Given these situations, a complete and well-founded solution is needed for the problems that arise as enterprise informatization develops, and directory services and identity management systems were created precisely to solve them. Through the design and application of a directory service and an identity management system we obtain a complete solution that reduces the complexity and cost of managing users and their access to systems, prevents unauthorized use of enterprise information, and lets systems adapt to constantly changing business requirements.

1.2 Technical background

1.2.1 Technical overview

Directory services are the main supporting technology on which a unified identity management system relies; they provide cross-platform storage and management of identity information and support for authentication. Concretely, a directory service records a large volume of enterprise resource information in a defined format, manages the various resources centrally, records each one as an object, and explicitly sets each object's "identity" and "location".
To some extent a directory is an object-based database conforming to international standard protocols: it supports many object types, integrates well on every platform, and reads data quickly even with large data volumes. Objects are stored hierarchically in the directory's inverted-tree data structure, which makes it easy to build a structure and hierarchy consistent with the enterprise's organization. A directory service provides authentication and authorization mechanisms: administrators need only define management policies and rules so that particular users can reach only particular, authorized application systems. Functionally, a directory service keeps its data consistent through replication.

Identity management uses a central data store to synchronize, transform and distribute information between applications, databases and directories. When data in one system changes, the synchronization engine detects the change according to defined business rules and propagates it to the other connected systems, so that the data is shared. Identity management chiefly covers management of the user identity lifecycle, cross-region information synchronization and user authentication, and the definition of access control and data encryption at different security levels. Lifecycle management controls the whole cycle of creating, changing and deactivating user account information. Identity synchronization automatically synchronizes the data of connected systems while ensuring the data's security, performance and fault tolerance. For each application system an authoritative data source is designated, and through the synchronization mechanism the most complete and accurate central identity store across the whole grid is formed.

1.2.2 Differences between directory services and database systems

Just as the database management systems (DBMS) of Sybase, Oracle, Informix or Microsoft process queries and updates against relational databases, a directory service processes queries and updates against a directory tree. In other words, a directory is also a kind of database, but not a relational one. The differences are compared below from several angles.

(1) Protocol standardization

The LDAP protocol on which directory services are based is a cross-platform standard, so applications need not care what kind of server the directory runs on. Directory services enjoy broad industry acceptance precisely because LDAP is an Internet standard; vendors are happy to add LDAP support to their products because they need not consider what is on the other end (client or server). The directory may be any open-source or commercial product, and the same protocol, client libraries and query commands are used to interact with it.

By contrast, a software vendor that wants to integrate DBMS support into a product usually has to customize it for each database server separately.

Unlike many commercial relational databases, a directory service generally does not require payment for every client connection or licence agreement.

(2) Distribution

A directory service can replicate some or all of its data by "push" or "pull", for example pushing data to a remote office so that the data is held safely in more than one place. Replication is built into the directory service and is easy to configure. Getting the same replication features from a DBMS usually means paying the vendor extra, and it is also hard to manage.

(3) High read-to-write ratio

Most directory services are specifically optimized for read-intensive operation, so reading data from a directory can be an order of magnitude faster than reading it from a relational database optimized for OLTP. For the same reason, most directory services are not suited to storing data that changes frequently.

(4) Hierarchical data

A directory stores data in a tree-shaped hierarchy. Anyone familiar with the top-down DNS tree or a Unix file-system directory tree will grasp the directory tree easily. Just like a DNS host name, an entry's distinguished name (DN) is used to fetch a single entry and to trace the path back up to the top of the tree.

(5) Static data

Directory data is semi-structured data (metadata describing entities) in which irregular hierarchical entries are allowed, and it is largely static; a database holds regular, transactional data.

(6) Fixed yet extensible schema

In a directory the schema defines not only the types of information objects stored but also the relationships between them, giving the directory a complete structural definition; an object class inherits the attributes of its superior class. In a database, extending the schema once the tables are defined is troublesome and can only be done table by table, whereas in a directory the attributes of an individual object can easily be extended as needed.

(7) Security and access control

A directory service provides sophisticated, multi-level access control, or ACLs (access control lists), to govern read and write permission on data as required. For example, a facilities administrator may be allowed to change an employee's work location and office number but not the other fields of the record. ACLs can control access according to who is accessing, what data is accessed, where the data is located and other criteria. Because the directory server enforces all of this, the client application need not implement the security checks itself.
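The hierarchical naming of 1.2.2 (4) and the attribute-level access control of 1.2.2 (7) are easier to see on a small working model. The Python below is an added example written for this page, not code from the thesis or from any of the directory products it names: it parses distinguished names with RFC 4514 escaping, walks an entry's superiors back to the root, and evaluates constructed rules that, as in the text, let a facilities administrator change an employee's location (l) and office number (roomNumber) and nothing else. The suffix dc=sgcc,dc=com, the group names, the rule format and the memberships are all assumptions made for the example, and a real server applies per-attribute matching rules when comparing DN values, which this model does not.

```python
"""Added example for this page (not thesis or vendor code): RFC 4514 DN parsing,
walking an entry's superiors to the root, and attribute-level access rules.
DNs, groups, rule format and memberships are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

SPECIALS = ',+"\\<>;=# '  # characters a backslash may escape (RFC 4514, sec. 3)
Pairs = List[Tuple[str, str]]

def parse_dn(dn: str) -> Pairs:
    """(attribute-type, value) pairs, leaf RDN first. Escapes are honoured, so
    "cn=Li\\, Lei,ou=Users" is two RDNs where dn.split(",") would give three and
    mis-scope the entry; \\XX hex escapes are gathered as UTF-8 bytes. Types are
    lower-cased; values are left as-is (a real server would apply each
    attribute's matching rule). Multi-valued RDNs (cn=a+sn=b) are rejected."""
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of DN")
            if dn[i + 1] in SPECIALS:
                buf += dn[i + 1].encode("utf-8")
                i += 2
            else:
                buf.append(int(dn[i + 1:i + 3], 16))
                i += 3
            continue
        if ch == ",":
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported")
        else:
            buf += ch.encode("utf-8")
        i += 1
    rdns.append(buf.decode("utf-8"))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)  # the value may itself contain '='
        pairs.append((attr.strip().lower(), value))
    return pairs

def ancestors(dn: str) -> List[tuple]:
    """The entry itself, then each superior up to the root: the walk back to the
    top of the tree of section 1.2.2 (4). Parsed tuples are compared, never raw text."""
    pairs = parse_dn(dn)
    return [tuple(pairs[i:]) for i in range(len(pairs))]

def is_within(entry_dn: str, scope_dn: str) -> bool:
    """True if entry_dn is scope_dn itself or lies anywhere beneath it."""
    return tuple(parse_dn(scope_dn)) in ancestors(entry_dn)

@dataclass(frozen=True)
class Rule:
    """Members of `group` may exercise `rights` on `attrs` for entries at or below
    `scope`: who, which data, and where it lives (section 1.2.2 (7))."""
    group: str
    scope: str
    attrs: FrozenSet[str]   # lower-cased attribute types, or {"*"} for any
    rights: FrozenSet[str]  # subset of {"read", "write"}

def decide(rules, memberships, subject_dn, entry_dn, attr, right) -> bool:
    """Default deny: grant only if a rule for one of the subject's groups covers the
    entry's subtree, the attribute and the requested right."""
    groups = memberships.get(tuple(parse_dn(subject_dn)), set())
    return any(r.group in groups and right in r.rights and is_within(entry_dn, r.scope)
               and ("*" in r.attrs or attr.lower() in r.attrs) for r in rules)

# Constructed policy mirroring 1.2.2 (7): facilities admins may change location (l)
# and roomNumber of user entries and nothing else; all staff may read everything.
BASE = "dc=sgcc,dc=com"
FACILITIES = "cn=Facilities Admins,ou=Groups," + BASE
STAFF = "cn=All Staff,ou=Groups," + BASE
RULES = [
    Rule(FACILITIES, "ou=Users," + BASE, frozenset({"l", "roomnumber"}), frozenset({"read", "write"})),
    Rule(STAFF, BASE, frozenset({"*"}), frozenset({"read"})),
]
MEMBERSHIPS = {  # parsed subject DN -> group DNs (constructed)
    tuple(parse_dn("uid=zhang,ou=Users," + BASE)): {FACILITIES, STAFF},
    tuple(parse_dn("uid=wang,ou=Users," + BASE)): {STAFF},
}

def demo() -> dict:
    target = "cn=Li\\, Lei,ou=Users," + BASE  # comma in the value; still under ou=Users
    zhang, wang = "uid=zhang,ou=Users," + BASE, "uid=wang,ou=Users," + BASE
    return {
        "zhang_write_room": decide(RULES, MEMBERSHIPS, zhang, target, "roomNumber", "write"),
        "zhang_write_pwd": decide(RULES, MEMBERSHIPS, zhang, target, "userPassword", "write"),
        "zhang_write_group": decide(RULES, MEMBERSHIPS, zhang, STAFF, "l", "write"),
        "wang_read_l": decide(RULES, MEMBERSHIPS, wang, target, "l", "read"),
        "wang_write_l": decide(RULES, MEMBERSHIPS, wang, target, "l", "write"),
    }
```

Calling demo() grants zhang a write to roomNumber on the "Li, Lei" entry, refuses the write to userPassword and any write outside ou=Users, and gives wang read-only access. The point worth keeping from the model is that scope decisions are made on parsed DNs: a naive split on commas would turn the escaped comma in cn=Li\, Lei into an extra level and place the entry under the wrong parent. The directory server does this parsing itself, as the text says; the same care is needed in any application code that derives policy from DN strings it receives.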
1.2.3 Application history and current state

With the growth of the IT industry and the demands of real applications, a directory access protocol named X.500 appeared. Defined jointly by the ITU-T (then CCITT) and ISO (the International Organization for Standardization), it offered a way to build an electronic directory of an organization's members so that anyone in the world with Internet access could reach that directory as part of a global directory. Unfortunately X.500 is very complex, which made developing servers and clients that follow it very difficult.

To remedy these shortcomings, the University of Michigan developed LDAP (Lightweight Directory Access Protocol). It is based on the X.500 standard but drops the parts that are hard to implement and of little practical value. The current version of LDAP is v3; LDAP has become the standard for directory access, and its core specifications are defined in RFCs (RFC 4510 through 4519 for LDAPv3).

Directory services and identity management have been in use abroad for nearly 20 years, with many well-known products including Netscape Directory Server (later acquired by Red Hat and now named Red Hat Directory Server), Sun ONE (Sun Java System Directory Server), Novell eDirectory
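Section 1.2.1 above describes the synchronization engine detecting changes in an authoritative source and propagating them to connected systems according to business rules, and scenario two in 1.1 makes the point that revoking leavers' access is the step most often missed when it is done by hand. The Python below is an added example for this page, not the thesis's design or any vendor's engine: it treats a constructed HR table as the authoritative source, computes the create/modify/disable delta against a target application's account table, orders revocations first, and leaves accounts that HR never owned for human review. Record layouts, the "e" + employee-number uid scheme, the rules and the sample rows are all constructed.

```python
"""Added example for this page (not the thesis's design nor a vendor's engine): one
reconciliation pass of the identity synchronization described in section 1.2.1,
with HR as the authoritative source and a target application's account table as the
connected system. Record layouts, uid scheme, rules and sample rows are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class HrRecord:            # authoritative source row
    emp_id: str
    name: str
    dept: str
    status: str            # "active" or "left"

@dataclass
class Account:             # connected-system row
    uid: str
    emp_id: Optional[str]  # link to HR; None means HR never owned this account
    name: str
    dept: str
    enabled: bool

@dataclass(frozen=True)
class Change:
    op: str                # "disable" | "modify" | "create" | "review"
    uid: str
    emp_id: Optional[str]
    detail: str

# Revocations first: an interrupted run must never leave a leaver enabled while
# joiners have already been provisioned.
ORDER = {"disable": 0, "modify": 1, "create": 2, "review": 3}

def reconcile(hr: Dict[str, HrRecord], accounts: Dict[str, Account]) -> List[Change]:
    """Pure delta computation; nothing is applied. Constructed rules: active in HR
    and no account -> create; active and attributes differ -> modify (also re-enables
    a rehire); left in HR, or owner missing from HR, while still enabled -> disable
    (never delete, so the audit trail survives); no HR owner -> review."""
    by_emp = {a.emp_id: a for a in accounts.values() if a.emp_id is not None}
    changes: List[Change] = []
    for rec in hr.values():
        acct = by_emp.get(rec.emp_id)
        if rec.status != "active":
            if acct is not None and acct.enabled:
                changes.append(Change("disable", acct.uid, rec.emp_id, f"HR status {rec.status}"))
        elif acct is None:   # "e" + employee number is the constructed uid scheme
            changes.append(Change("create", "e" + rec.emp_id, rec.emp_id, f"{rec.name}/{rec.dept}"))
        else:
            diffs = [f"{f}:{getattr(acct, f)}->{getattr(rec, f)}"
                     for f in ("name", "dept") if getattr(acct, f) != getattr(rec, f)]
            if not acct.enabled:
                diffs.append("enabled:False->True")
            if diffs:
                changes.append(Change("modify", acct.uid, rec.emp_id, ";".join(diffs)))
    for acct in accounts.values():
        if acct.emp_id is None:
            changes.append(Change("review", acct.uid, None, "no authoritative owner"))
        elif acct.emp_id not in hr and acct.enabled:
            changes.append(Change("disable", acct.uid, acct.emp_id, "owner missing from HR"))
    return sorted(changes, key=lambda c: ORDER[c.op])  # stable sort keeps source order per op

def apply_changes(changes: List[Change], hr: Dict[str, HrRecord],
                  accounts: Dict[str, Account]) -> Dict[str, Account]:
    """Propagate the change set into the target table; 'review' items are left for a human."""
    for c in changes:
        if c.op == "create":
            rec = hr[c.emp_id]
            accounts[c.uid] = Account(c.uid, rec.emp_id, rec.name, rec.dept, True)
        elif c.op == "modify":
            rec, acct = hr[c.emp_id], accounts[c.uid]
            acct.name, acct.dept, acct.enabled = rec.name, rec.dept, True
        elif c.op == "disable":
            accounts[c.uid].enabled = False
    return accounts

# Constructed sample data.
HR = {r.emp_id: r for r in [
    HrRecord("1001", "Zhang San", "Dispatch", "active"),   # unchanged
    HrRecord("1002", "Li Si", "Finance", "active"),        # moved from Accounting
    HrRecord("1003", "Wang Wu", "IT", "left"),             # leaver, still enabled in the app
    HrRecord("1005", "Zhao Liu", "Metering", "active"),    # joiner, no account yet
]}
ACCOUNTS = {a.uid: a for a in [
    Account("e1001", "1001", "Zhang San", "Dispatch", True),
    Account("e1002", "1002", "Li Si", "Accounting", True),
    Account("e1003", "1003", "Wang Wu", "IT", True),
    Account("e1004", "1004", "Ghost User", "IT", True),         # owner no longer in HR
    Account("svc_backup", None, "Backup Service", "IT", True),  # never owned by HR
]}

def demo():
    """One sync pass on a copy of the sample table; returns (ops, table, second-pass ops)."""
    table = {k: Account(**vars(v)) for k, v in ACCOUNTS.items()}
    first = reconcile(HR, table)
    apply_changes(first, HR, table)
    second = reconcile(HR, table)   # idempotent: only the review item remains
    return [(c.op, c.uid) for c in first], table, [(c.op, c.uid) for c in second]
```

The first pass disables e1003 (left) and e1004 (no longer in HR) before it modifies e1002 and creates e1005; svc_backup is reported for review and not touched because HR is not authoritative for it. Running reconcile again after apply_changes yields only that review item, which is the property a scheduled sync job needs: repeated runs converge on the authoritative state instead of generating new changes each time.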
