[OpenID] LDAP-to-OpenID gateway?

Troy Benjegerdes hozer at hozed.org
Mon Feb 26 21:02:38 UTC 2007


What I would really like is a drop-in php/perl/whatever set of scripts
to make an OpenID server that uses Apache authorization to verify the
identity of the user.

This would allow a completely transparent single-sign-on system for
those of us using Kerberos and mod_auth_kerb on apache, and it could
also be used to backend to an LDAP database with the apache LDAP auth
modules.

(For example, my desktop linux box uses kerberos to authenticate me to
log in.. I then have kerberos tickets. If I go to my local openid server
website, firefox knows how to delegate the kerberos credentials to the
apache on the openid server.. what is missing is the little bit of glue
to make a simple openid server using apache auth.)

On Mon, Feb 26, 2007 at 10:32:06AM -0500, Brendan O'Connor wrote:
> What we did (here at Johns Hopkins) is make the account creation step 
> verify against our LDAP directory the existence of an account before 
> allowing the creation to go through; that's about a six-line addition to 
> the PIP code in heraldry, but the code we did wasn't added to heraldry.
> 
> This met our needs, but you might want to do the (also very small) 
> checks for existence on login, too, if your users have a time when 
> they'd become deactivated, or additional changes depending on need. The 
> Ruby LDAP stuff is pretty easy to use, but if you'd like our code 
> (written by the Systems head of the local ACM chapter), let me know and 
> I'll send it offlist.
> 
> ---Brendan O'Connor
> 
> John Fink wrote:
> > Hey folks,
> > 
> > Just had my "Aha!" moment with OpenID yesterday night, and since then my 
> > mind has been racing.  Is there anything like a LDAP-to-OpenID gateway?  
> > That is, something locally runnable that hooks into an LDAP server and 
> > generates accounts (and perhaps OpenID URIs too!) based on information 
> > from LDAP?  I've searched this list, and it seems like someone at Johns 
> > Hopkins has done this, but I'm not sure how or if those instructions 
> > were rolled into Heraldry or what.
> > 
> > jf
> > 
> > -- 
> > http://libgrunt.blogspot.com -- library culture and technology.
> > 
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general

-- 
--------------------------------------------------------------------------
Troy Benjegerdes                'da hozer'                hozer at hozed.org  

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Shultz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Shultz
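The "little bit of glue" Troy describes, and the per-login existence check Brendan mentions, as an added example (not code from the thread, from Heraldry, or from any OpenID library). It assumes Apache has already authenticated the request (mod_auth_kerb or mod_authnz_ldap, `Require valid-user`) so that REMOTE_USER is populated, and it only decides which OpenID identity, if any, the provider may assert for that user. The realm EXAMPLE.ORG, the identity prefix https://openid.example.org/id/, and the in-memory stand-in for the LDAP directory are assumptions for the example. The security point it adds: Apache proving "this is a valid user" is not the same as proving "this user owns the identity the relying party asked about", so the script must still compare the two.

```python
"""Glue between Apache authentication and an OpenID provider's identity decision.

Added example, not code from the original thread, from Heraldry, or from any
OpenID library.  Assumed (hypothetical) Apache configuration in front of it:

    <Location "/openid/server">
        AuthType Kerberos
        KrbAuthRealms EXAMPLE.ORG
        Require valid-user
    </Location>

With that in place, the CGI/WSGI environment carries REMOTE_USER and the
script never sees a password or a ticket.
"""
from urllib.parse import quote

KRB_REALM = "EXAMPLE.ORG"                        # assumed: the only realm we trust
IDENTITY_BASE = "https://openid.example.org/id/"  # assumed: identity URL prefix
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed stand-in for the LDAP directory: uid -> account still active?
# In a real deployment this would be an LDAP search, as in Brendan's note.
DIRECTORY = {"troy": True, "alice": True, "bob": False}


def local_user_from_remote_user(remote_user):
    """Map Apache's REMOTE_USER to a bare local username, or None.

    mod_auth_kerb commonly sets REMOTE_USER to the full principal
    (user@REALM); an LDAP auth module sets it to the attribute it was told
    to use.  A principal from a foreign realm must not be mapped onto a
    local identity, so the realm is checked rather than silently dropped.
    """
    if not remote_user:
        return None
    if "@" in remote_user:
        user, realm = remote_user.rsplit("@", 1)
        if realm.upper() != KRB_REALM:
            return None
    else:
        user = remote_user
    # Only allow characters that cannot change the meaning of the URL path.
    if not user or not all(c.isalnum() or c in "._-" for c in user):
        return None
    return user.lower()


def account_is_active(user, directory=DIRECTORY):
    """Existence/deactivation check done on every login, not only at signup."""
    return directory.get(user, False)


def identity_url(user):
    """The OpenID identifier this provider asserts for a local user."""
    return IDENTITY_BASE + quote(user, safe="")


def decide_assertion(environ, query, directory=DIRECTORY):
    """Return the identity URL to assert positively, or None for a negative
    response.  `environ` is the environment Apache populates; `query` is the
    parsed checkid_setup / checkid_immediate request from the relying party.
    """
    user = local_user_from_remote_user(environ.get("REMOTE_USER"))
    if user is None or not account_is_active(user, directory):
        return None
    mine = identity_url(user)
    claimed = query.get("openid.identity")
    if claimed in (None, IDENTIFIER_SELECT):
        # OpenID 2.0: the relying party lets the provider pick the identity.
        return mine
    # A user authenticated as X must never obtain an assertion for Y, even
    # though Apache has already proved that X is a valid user.
    return mine if claimed == mine else None


if __name__ == "__main__":
    # Constructed requests standing in for what Apache and an RP would send.
    env = {"REMOTE_USER": "troy@EXAMPLE.ORG"}
    print(decide_assertion(env, {"openid.identity": IDENTIFIER_SELECT}))
    print(decide_assertion(env, {"openid.identity": identity_url("alice")}))
```

Signing the positive response, association handling and the rest of the protocol are left to whatever OpenID server library sits behind this; the function above is only the identity decision that the Apache-authenticated request feeds into.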
