shibboleth-dev - [Shib-Dev] LDAP StoredID DataConnector?
- From: Tom Poage <>
- To:
- Subject: [Shib-Dev] LDAP StoredID DataConnector?
- Date: Mon, 04 Apr 2011 14:26:16 -0700
Greetings,
I've lightly entertained the idea of LDAP as a (persistent) StoredID
repository, and am wondering if there have already been (a number of)
requests for such a feature, if it's already implemented somewhere,
whether it's been ruled out as unfeasible, etc.
I'm thinking that stored name IDs are read much more often than written,
so if an institution has gone to the effort of building out a solid LDAP
service, one's IdP deployment could be overall less complicated/more
reliable with fewer data stores (I currently do not run a relational
backing store on my IdP).
At first glance, looking at the Java files implementing StoredID for an RDBMS,
it seems the task would not be too arduous. A first cut at a schema might look
like this (DSEE):
> attributeTypes: ( <OID> NAME 'localEntity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> attributeTypes: ( <OID> NAME 'peerEntity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> attributeTypes: ( <OID> NAME 'principalName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
> attributeTypes: ( <OID> NAME 'localId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
> attributeTypes: ( <OID> NAME 'persistentId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
> attributeTypes: ( <OID> NAME 'peerProvidedId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
> attributeTypes: ( <OID> NAME 'creationDate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
> attributeTypes: ( <OID> NAME 'deactivationDate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>
> objectClasses: ( <OID> NAME 'shibpid' SUP top
>   MUST ( localEntity $ peerEntity $ principalName $ localId $ persistentId $ creationDate )
>   MAY ( peerProvidedId $ deactivationDate ) )
.15 == Directory String (e.g. 'uid')
.24 == Generalized Time
.26 == IA5 String (e.g. 'labeledURI')
If one of the attrs contains a UUID, I don't know if it makes sense to
define it as octets or whether a (UTF-8) directory string suffices.
Thanks.
Tom.
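As an added illustration of the schema proposed above (example code, not Shibboleth's StoredID implementation or anything from the thread), the following models a `shibpid` record, checks it against the MUST/MAY and syntax rules of the sketch, emits LDIF, and resolves a persistent ID the way the read path would, skipping deactivated records. The RDN attribute, base DN and all sample values are constructed assumptions.

```python
"""Added example (not Shibboleth's own code): check 'shibpid' entries against the
schema sketched above, emit LDIF, and resolve an ID the way a StoredID read would."""
import re
# Syntax per attribute as in the post: .26 IA5 String, .15 Directory String, .24 Generalized Time
SYNTAX = {"localEntity": ".26", "peerEntity": ".26", "principalName": ".15", "localId": ".15",
          "persistentId": ".15", "peerProvidedId": ".15", "creationDate": ".24", "deactivationDate": ".24"}
MUST = {"localEntity", "peerEntity", "principalName", "localId", "persistentId", "creationDate"}
GENTIME = re.compile(r"^\d{14}(\.\d+)?Z$")  # LDAP Generalized Time, e.g. 20110404212616Z

def validate(entry):
    """Return the schema problems of one entry (an empty list means it is valid)."""
    problems = [f"missing MUST attribute {a}" for a in sorted(MUST - entry.keys())]
    for attr, value in entry.items():
        syntax = SYNTAX.get(attr)
        if syntax is None:
            problems.append(f"{attr} is not allowed by objectClass shibpid")
        elif not value:
            problems.append(f"{attr} is empty")
        elif syntax == ".26" and not value.isascii():
            problems.append(f"{attr} must be IA5 (ASCII only)")
        elif syntax == ".24" and not GENTIME.match(value):
            problems.append(f"{attr} is not a Generalized Time")
    return problems

def to_ldif(entry, base_dn="ou=shibpid,dc=example,dc=edu"):
    """Serialize a valid entry; the RDN attribute and base DN are assumptions."""
    problems = validate(entry)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"dn: persistentId={entry['persistentId']},{base_dn}", "objectClass: top",
             "objectClass: shibpid"] + [f"{a}: {entry[a]}" for a in SYNTAX if a in entry]
    return "\n".join(lines) + "\n"

def resolve(entries, local_entity, peer_entity, local_id):
    """Read path: the persistentId for (IdP, SP, localId), skipping deactivated records."""
    for e in entries:
        if (e["localEntity"], e["peerEntity"], e["localId"]) == (local_entity, peer_entity, local_id):
            if "deactivationDate" not in e:
                return e["persistentId"]
    return None

# Constructed records: one revoked ID and its active replacement for the same user and SP
SAMPLE_OLD = {"localEntity": "https://idp.example.edu/idp/shibboleth",
              "peerEntity": "https://sp.example.org/shibboleth", "principalName": "jdoe",
              "localId": "jdoe", "persistentId": "3f2c6a9e-0b1d-4d2f-9a8e-1c2d3e4f5a6b",
              "creationDate": "20100101000000Z", "deactivationDate": "20110301120000Z"}
SAMPLE_ACTIVE = {k: v for k, v in SAMPLE_OLD.items() if k != "deactivationDate"}
SAMPLE_ACTIVE.update(persistentId="7d0a1b2c-3e4f-4a5b-8c6d-7e8f9a0b1c2d", creationDate="20110301120000Z")
```

Searching by the (localEntity, peerEntity, localId) triple is what a deployment would index on in the directory, since that is the lookup every assertion requires.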
- [Shib-Dev] LDAP StoredID DataConnector?, Tom Poage, 04/04/2011
- Re: [Shib-Dev] LDAP StoredID DataConnector?, Chad La Joie, 04/04/2011