shibboleth-dev - Re: [Shib-Dev] LDAP StoredID DataConnector?
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] LDAP StoredID DataConnector?
- Date: Mon, 04 Apr 2011 19:14:06 -0400
- Organization: Itumi, LLC
Etan, from JHU, mentioned wanting something like this (and filed a
feature request for it, I think), but to the best of my knowledge no one
has done such an implementation.
If I were deploying the IdP at a place with a good enterprise directory
set up I'd probably store the persistent ID there. I've also found it a
hell of a lot easier to make LDAP systems resilient than RDBMSes.
On 4/4/11 5:26 PM, Tom Poage wrote:
> Greetings,
>
> I've lightly entertained the idea of LDAP as a (persistent) StoredID
> repository, and am wondering if there have already been (a number of)
> requests for such a feature, if it's already implemented somewhere,
> whether it's been ruled out as unfeasible, etc.
>
> I'm thinking that stored name IDs are read much more often than written,
> so if an institution has gone to the effort of building out a solid LDAP
> service, one's IdP deployment could be overall less complicated/more
> reliable with fewer data stores (I currently do not run a relational
> backing store on my IdP).
>
> First glance looking at Java files implementing StoredID for an RDBMS,
> it seems the task would not be too arduous. First cut schema might look
> like (DSEE):
>
>> attributeTypes: ( <OID> NAME 'localEntity' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( <OID> NAME 'peerEntity' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( <OID> NAME 'principalName' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.15 )
>> attributeTypes: ( <OID> NAME 'localId' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.15 )
>> attributeTypes: ( <OID> NAME 'persistentId' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.15 )
>> attributeTypes: ( <OID> NAME 'peerProvidedId' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.15 )
>> attributeTypes: ( <OID> NAME 'creationDate' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.24 )
>> attributeTypes: ( <OID> NAME 'deactivationDate' SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.24 )
>>
>> objectClasses: ( <OID> NAME 'shibpid' SUP top
>> MUST ( localEntity $ peerEntity $ principalName $ localId $
>> persistentId $ creationDate )
>> MAY ( peerProvidedId $ deactivationDate ) )
>
> .15 == Directory String (e.g. 'uid')
> .24 == Generalized Time
> .26 == IA5 String (e.g. 'labeledURI')
>
> If one of the attrs contains a UUID, I don't know if it makes sense to
> define it as octets or whether a (UTF-8) directory string suffices.
>
> Thanks.
> Tom.
>
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
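As an added example (not code from this thread or from the Shibboleth project), the write and read paths for the shibpid objectClass proposed above in Python: building an LDIF record with a UUID persistentId stored as a Directory String, and the lookup filter for the active record, with filter values escaped per RFC 4515 so a principal's identifier cannot alter the filter's structure. The entity IDs, base DN and UUID choice are assumptions.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample entity IDs and base DN (not from the original thread).
LOCAL_ENTITY = "https://idp.example.edu/idp/shibboleth"
PEER_ENTITY = "https://sp.example.org/shibboleth"
BASE_DN = "ou=pids,dc=example,dc=edu"


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that a
    principal name or entity ID cannot change the filter's structure."""
    specials = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def generalized_time(ts: datetime) -> str:
    """Format a timestamp as LDAP Generalized Time (syntax .24)."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def lookup_filter(local_entity: str, peer_entity: str, local_id: str) -> str:
    """Read path: the active shibpid record for this user/peer pair.
    A record is active when the optional deactivationDate is absent."""
    return ("(&(objectClass=shibpid)(localEntity=%s)(peerEntity=%s)(localId=%s)"
            "(!(deactivationDate=*)))" % (escape_filter_value(local_entity),
                                          escape_filter_value(peer_entity),
                                          escape_filter_value(local_id)))


def new_stored_id_entry(local_entity, peer_entity, principal_name, local_id,
                        now=None, base_dn=BASE_DN):
    """Write path: build (dn, attrs) for a new record. persistentId is a
    random UUID kept as a Directory String (an assumed choice)."""
    pid = str(uuid.uuid4())
    attrs = {
        "objectClass": "shibpid",
        "localEntity": local_entity,
        "peerEntity": peer_entity,
        "principalName": principal_name,
        "localId": local_id,
        "persistentId": pid,
        "creationDate": generalized_time(now or datetime.now(timezone.utc)),
    }
    # A UUID is only hex digits and hyphens, so the RDN needs no RFC 4514 escaping.
    return "persistentId=%s,%s" % (pid, base_dn), attrs


def to_ldif(dn: str, attrs: dict) -> str:
    """Render the entry as LDIF suitable for ldapadd."""
    return "\n".join(["dn: " + dn] + ["%s: %s" % kv for kv in attrs.items()]) + "\n"
```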