[OpenID] LDAP-to-OpenID gateway?

Troy Benjegerdes hozer at hozed.org
Fri Mar 16 04:14:59 UTC 2007


I see that there's a cardspace module for apache, but I can't figure out
where to get the parts that go from apache authorization to an OpenID
IdP.. 

On Mon, Feb 26, 2007 at 04:26:42PM -0500, Brendan O'Connor wrote:
> My understanding is that that functionality will be included as part of 
> the Apache-CardSpace integration; CardSpace would be handled by apache 
> itself, which would then pass the credentials to the OP.
> 
> Someone working on that, care to comment?
> 
> ---Brendan O'Connor
> 
> Troy Benjegerdes wrote:
> >What I would really like is a drop-in php/perl/whatever set of scripts
> >to make an OpenID server that uses Apache authorization to verify the
> >identity of the user.
> >
> >This would allow a completely transparent single-sign-on system for
> >those of us using Kerberos and mod_auth_kerb on apache, and it could
> >also be used to backend to an LDAP database with the apache LDAP auth
> >modules.
> >
> >(For example, my desktop linux box uses kerberos to authenticate me to
> >log in.. I then have kerberos tickets. If I go to my local openid server
> >website, firefox knows how to delegate the kerberos credentials to the
> >apache on the openid server.. what is missing is the little bit of glue
> >to make a simple openid server using apache auth.)
> >
> >On Mon, Feb 26, 2007 at 10:32:06AM -0500, Brendan O'Connor wrote:
> >>What we did (here at Johns Hopkins) is make the account creation step 
> >>verify against our LDAP directory the existence of an account before 
> >>allowing the creation to go through; that's about a six-line addition to 
> >>the PIP code in heraldry, but the code we did wasn't added to heraldry.
> >>
> >>This met our needs, but you might want to do the (also very small) 
> >>checks for existence on login, too, if your users have a time when 
> >>they'd become deactivated, or additional changes depending on need. The 
> >>Ruby LDAP stuff is pretty easy to use, but if you'd like our code 
> >>(written by the Systems head of the local ACM chapter), let me know and 
> >>I'll send it offlist.
> >>
> >>---Brendan O'Connor
> >>
> >>John Fink wrote:
> >>>Hey folks,
> >>>
> >>>Just had my "Aha!" moment with OpenID yesterday night, and since then my 
> >>>mind has been racing.  Is there anything like a LDAP-to-OpenID gateway?  
> >>>That is, something locally runnable that hooks into an LDAP server and 
> >>>generates accounts (and perhaps OpenID URIs too!) based on information 
> >>>from LDAP?  I've searched this list, and it seems like someone at Johns 
> >>>Hopkins has done this, but I'm not sure how or if those instructions 
> >>>were rolled into Heraldry or what.
> >>>
> >>>jf
> >>>
> >>>-- 
> >>>http://libgrunt.blogspot.com -- library culture and technology.
> >>>
> >>>
> >>>_______________________________________________
> >>>general mailing list
> >>>general at openid.net
> >>>http://openid.net/mailman/listinfo/general
> >

-- 
--------------------------------------------------------------------------
Troy Benjegerdes                'da hozer'                hozer at hozed.org  

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Schulz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Schulz
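The "little bit of glue" the thread keeps coming back to, as an added example that is not code from this thread, from Heraldry, or from the Johns Hopkins PIP change: Apache (mod_auth_kerb or mod_authnz_ldap) authenticates the user and sets REMOTE_USER, and the OpenID provider's account-creation and login paths then (a) trust only that variable, never a client-supplied header, (b) reject principals from a foreign Kerberos realm, (c) check the directory for existence and deactivation both when the account is created and on every login, and (d) let an authenticated user assert only their own identifier. The hostnames, the realm EXAMPLE.ORG, the Apache snippet in the docstring and the in-memory DIRECTORY are assumptions; a real deployment swaps lookup() for an LDAP search.

```python
"""Glue between Apache authentication and an OpenID provider's account logic.

Added example, not code from this thread, from Heraldry, or from the Johns
Hopkins PIP change.  It assumes the provider's login and account-creation
URLs sit behind an Apache <Location> protected by mod_auth_kerb (or
mod_authnz_ldap), roughly (assumed configuration):

    <Location /openid/login>
        AuthType Kerberos
        KrbAuthRealms EXAMPLE.ORG
        Krb5Keytab /etc/apache2/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>

so that Apache sets REMOTE_USER in the WSGI environ before this code runs.
The hostnames, realm and the in-memory DIRECTORY below are constructed
stand-ins; a real deployment replaces lookup() with an LDAP search.
"""
import re
from typing import Mapping, Optional

PROVIDER_BASE = "https://openid.example.org/id/"   # assumed identifier prefix
KERBEROS_REALM = "EXAMPLE.ORG"                      # assumed local realm
UID_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")    # uid becomes part of a URL

# Constructed stand-in for the LDAP directory (uid -> attributes).  With
# ldap3 this would be a search such as (&(objectClass=posixAccount)(uid=...)).
DIRECTORY = {
    "troy":  {"active": True},
    "alice": {"active": True},
    "bob":   {"active": False},   # deactivated: must not be able to log in
}


class AuthError(Exception):
    """Raised when Apache did not authenticate an acceptable local user."""


def lookup(uid: str) -> Optional[dict]:
    """Directory existence check; None means 'no such account'."""
    return DIRECTORY.get(uid)


def local_user(environ: Mapping[str, str]) -> str:
    """Return the local uid that Apache authenticated, or raise AuthError.

    Only REMOTE_USER, which Apache itself sets after Kerberos/LDAP auth, is
    trusted.  HTTP_X_REMOTE_USER-style headers are ignored: a client can forge
    those, and a proxy in front of Apache would have to strip them.
    """
    principal = environ.get("REMOTE_USER", "")
    if not principal:
        raise AuthError("request did not pass through Apache authentication")
    # mod_auth_kerb yields user@REALM; mod_authnz_ldap yields the bare uid.
    uid, _, realm = principal.partition("@")
    if realm and realm != KERBEROS_REALM:
        # A trusted foreign realm may contain a 'troy' too; do not let it
        # claim the local troy's identifier.
        raise AuthError(f"principal from untrusted realm: {realm}")
    if not UID_RE.match(uid):
        raise AuthError(f"uid not safe to embed in an identifier: {uid!r}")
    return uid


def identifier_for(uid: str) -> str:
    """The OpenID identifier the provider asserts for a local uid."""
    return PROVIDER_BASE + uid


def create_account(environ: Mapping[str, str]) -> str:
    """Account creation: only for users that exist and are active in LDAP."""
    uid = local_user(environ)
    entry = lookup(uid)
    if entry is None:
        raise AuthError(f"no directory entry for {uid}")
    if not entry["active"]:
        raise AuthError(f"directory entry for {uid} is deactivated")
    return identifier_for(uid)


def authorize_assertion(environ: Mapping[str, str], claimed_id: str) -> bool:
    """Login-time check before the provider signs a positive assertion.

    The authenticated user may assert only their own identifier, and must
    still exist and be active in the directory (re-checked on every login so
    deactivation in LDAP takes effect immediately, not only at creation).
    """
    try:
        uid = local_user(environ)
    except AuthError:
        return False
    entry = lookup(uid)
    if entry is None or not entry["active"]:
        return False
    return claimed_id == identifier_for(uid)
```

The identifier comparison in authorize_assertion is the part most often forgotten when bolting an OpenID provider onto an existing web-auth layer: being logged in as anyone is not the same as being the owner of the identifier the relying party asked about.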
