
Important Update

This project is now obsolete and has been replaced by https://bitbucket.org/connect2id/server-ldap-schemas/

2017-02-01

-----------------------------------------

OpenID Connect 1.0 Client LDAP schema

This git repo offers an LDAP schema for storing OpenID Connect Relying Party (RP) client registrations in a directory server.

An OpenID Connect Provider (OP) needs to keep a record for each registered RP client, keyed by its client_id and detailing the application type, name, logo and redirect URIs, as well as the JOSE/JWT crypto preferences for securing the protocol messages. The schema provided here allows that client registration data to be stored in an LDAP directory.

The LDAP attribute names and syntax defined in the schema comply with the following specifications:

Note that the schema may undergo changes as the OAuth 2.0 draft evolves towards final RFC status.

The schema is defined in the LDIF file oidc-schema.ldif and can be used under the Apache 2.0 licence terms. Connect2id developers have tested it with OpenDJ 2.4.6 directory server. Please use the repo ticket system to submit issues and suggestions for improvement.

Schema support for representing OP information is on the to-do list.

Licence

The LDAP schema is provided under the terms of the Apache 2.0 licence.

Adding OIDC schema to OpenDJ 2.4 and OpenDJ 2.6

A simple offline method to add the OIDC schema to an OpenDJ directory:

  1. Make sure the directory server is stopped. This can be checked with the bin/status utility. To stop it, run the bin/stop-ds script in the OpenDJ installation directory.
  2. Get the oidc-schema.ldif file and save it in the config/schema directory. OpenDJ reads the files in that directory in file-name order, so give the file a prefix number that sorts after all the standard schema definitions, e.g. 90-oidc.ldif.
  3. Start the directory server with bin/start-ds.
  4. You should now be able to create structural oidcRelyingParty objects in your directory. Each such object must contain an oidcClientID attribute, which holds the unique identifier of the RP. All other OIDC attributes are marked as optional in the schema, but your OP setup may require some of them.
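The four steps above as a script, added here as an example rather than taken from the repo. It assumes $OPENDJ_HOME is the OpenDJ installation directory; the file name 90-oidc.ldif, the ou=clients container and the use of oidcClientID as the RDN are assumptions of this example, not something the schema mandates. The prefix check matters because OpenDJ loads config/schema/*.ldif in file-name order and the OIDC object class must come after the standard definitions it builds on.

```shell
# Added example (not from the repo): scripted offline install of the OIDC
# schema into OpenDJ. Assumes $OPENDJ_HOME is the OpenDJ install directory;
# 90-oidc.ldif, ou=clients and the oidcClientID RDN are assumptions.

# Lists the schema files in the order OpenDJ loads them: config/schema/*.ldif
# sorted by file name, which is why the prefix number matters.
schema_load_order() {
    ls "$1" | grep '\.ldif$' | LC_ALL=C sort
}

# Succeeds only if NAME would sort after every file already in DIR, i.e. the
# OIDC definitions are loaded after the standard schema.
loads_last() {
    dir=$1
    name=$2
    last=$( { schema_load_order "$dir"; echo "$name"; } | LC_ALL=C sort | tail -n 1 )
    [ "$last" = "$name" ]
}

# Steps 1-3: stop the server, drop the schema file in place, start it again.
install_oidc_schema() {
    opendj=$1
    src=$2
    name=${3:-90-oidc.ldif}
    dir="$opendj/config/schema"
    if ! loads_last "$dir" "$name"; then
        echo "$name would not load after the existing schema files in $dir" >&2
        return 1
    fi
    "$opendj/bin/stop-ds"
    cp "$src" "$dir/$name"
    "$opendj/bin/start-ds"
}

# Step 4: LDIF for one RP entry. oidcClientID is the only mandatory attribute.
# The entry goes under an assumed ou=clients container with the client ID as
# RDN, so characters that are special in a DN are rejected rather than escaped.
client_ldif() {
    base=$1
    client_id=$2
    if [ -z "$client_id" ] || printf '%s' "$client_id" | grep -q '[,+"\\<>;=]'; then
        echo "client_id not usable as RDN: $client_id" >&2
        return 1
    fi
    printf 'dn: oidcClientID=%s,ou=clients,%s\n' "$client_id" "$base"
    printf 'objectClass: top\nobjectClass: oidcRelyingParty\n'
    printf 'oidcClientID: %s\n' "$client_id"
}

# Example run (constructed values; port, bind DN and password file are assumed):
#   install_oidc_schema "$OPENDJ_HOME" ./oidc-schema.ldif
#   client_ldif dc=wonderland,dc=net 1a2b3c | \
#       "$OPENDJ_HOME/bin/ldapmodify" -a -p 1389 -D "cn=Directory Manager" -j ./pw.txt
```

The ldapmodify call reads the bind password from a file with -j instead of passing it with -w, so the directory manager password does not end up in the process list or the shell history.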

Importing example OIDC client entries

The example-ldap-entry-tree.ldif file contains three example OIDC client entries. To import the LDIF you need a backend with the base DN dc=wonderland,dc=net.

(Screenshot of the imported entries: example-ldap-entry-screenshot.png)

In OpenDJ you can import the LDIF like this:

  1. Start the OpenDJ Control Panel
  2. Click on "Directory Data" -> "Import LDIF..."
  3. Point "File to import" to the location of example-ldap-entry-tree.ldif
  4. Make sure "Import Type" is "Append to existing data"
  5. Click on "OK" and you're done

Alternatively, if you have Apache Directory Studio you can import the LDIF like this:

  1. Menu "File" -> "Import..."
  2. Choose import source "LDAP browser" -> "LDIF into LDAP"
  3. Click on "Next"
  4. Under LDIF file select the location of example-ldap-entry-tree.ldif
  5. Click on "Finish" and you're done
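The same import from the command line, added here as an example and not part of the repo. It first checks that every dn: in the file sits at or under dc=wonderland,dc=net, since OpenDJ refuses an entry whose parent does not exist and it is easier to see that before the import than in its error output; it then runs either the offline import-ldif with append semantics (the counterpart of "Append to existing data") or an online ldapmodify. The backend ID userRoot, port 1389 and the bind DN are assumptions.

```shell
# Added example (not from the repo): pre-check and command-line import of
# example-ldap-entry-tree.ldif. userRoot, port 1389 and the bind DN are assumed.

# Lower-cases a DN and removes whitespace around commas so that
# "ou=Clients, DC=wonderland, DC=net" compares equal to the base DN.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Prints every dn: in FILE that is neither BASE nor underneath it.
# Base64-encoded DNs (dn::) are not decoded by this check.
dns_outside_base() {
    file=$1
    b=$(norm_dn "$2")
    grep -i '^dn:' "$file" | sed 's/^[dD][nN]:[[:space:]]*//' | while IFS= read -r dn; do
        dn=$(norm_dn "$dn")
        case $dn in
            "$b"|*",$b") ;;
            *) printf '%s\n' "$dn" ;;
        esac
    done
}

# Succeeds when the whole file can be imported under BASE.
ldif_fits_base() {
    [ -z "$(dns_outside_base "$1" "$2")" ]
}

# Offline import with "Append to existing data" semantics; the server must be
# stopped, as in the Control Panel flow.
import_example_tree_offline() {
    opendj=$1
    file=$2
    ldif_fits_base "$file" dc=wonderland,dc=net || return 1
    "$opendj/bin/import-ldif" -a -n userRoot -l "$file"
}

# Online alternative: add the entries over LDAP while the server runs. The
# bind password comes from a file (-j) so it stays out of ps and history.
import_example_tree_online() {
    opendj=$1
    file=$2
    pwfile=$3
    ldif_fits_base "$file" dc=wonderland,dc=net || return 1
    "$opendj/bin/ldapmodify" -a -p 1389 -D "cn=Directory Manager" -j "$pwfile" -f "$file"
}

# Example run (paths assumed):
#   import_example_tree_offline "$OPENDJ_HOME" ./example-ldap-entry-tree.ldif
```

If the check reports DNs outside the base, either add the missing base DN to the backend or adjust the file before importing; appending entries whose parent is absent fails partway through and leaves the tree half-populated.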
