Opened 7 years ago

Last modified 5 months ago

#1824 new task

Setup an OpenID provider using the LDAP database as input

Reported by: strk
Owned by: strk
Priority: normal
Milestone:
Component: SysAdmin
Keywords: userid, ldap, openid
Cc:

Description

This may simplify integration of the LDAP users with other services. Could be served by SimpleID and its LDAP plugin (PHP): https://github.com/simpleid/simpleid-ldap

Also, it might be good to plan for "OpenID Connect" (successor of OpenID), while still keeping the LDAP backend, for example via https://github.com/coreos/dex

Change History (10)

comment:1 by strk, 7 years ago

Debian packages exist for both simpleid and its ldap backend: https://packages.debian.org/search?keywords=simpleid

Where could I experiment installing one? Should it be on the "secure" VM (I don't think it needs to be)? Do we want to register an "id" subdomain?

comment:2 by strk, 18 months ago

For the record: id.osgeo.org is now a registered subdomain. The current way to set things up is using LXD containers, so simpleid/ldap should probably go in one of these.

comment:3 by robe, 18 months ago

If I had a clue what is involved I might volunteer to do it.

At any rate, it should probably go on osgeo9, which I'm focussing on putting shared services on.

osgeo8 would be for project specific services.

comment:4 by strk, 18 months ago

Should just need apache-php and https://github.com/simpleid/simpleid-ldap -- my own OpenID is using SimpleID but not with the LDAP backend, so I don't have more hints about LDAP. Oh, and I use Apache but if you know how to do that you may also opt for nginx.

comment:5 by robe, 18 months ago

Yah, I've done lots of PHP apps behind nginx. I'll take a stab at it on osgeo9. What DNS name would you want to opt for, since id.osgeo.org is taken?

Perhaps openid.osgeo.org ?

comment:6 by strk, 18 months ago

I would not really bother with another name. OpenID doesn't need a top-level name; it can be just id.osgeo.org/openid like we have id.osgeo.org/ldap (and in the future we might also have id.osgeo.org/oauth or something like that...).

comment:7 by robe, 18 months ago

Okay, so we just put it in the same container then. Works for me.

comment:8 by strk, 5 months ago

Recent use of OSGeo Gitea as auth provider for OSGeo Discourse showed the advantage of having an OpenID provider and the limitations of using a service which is not specifically focused on authentication (https://discourse.osgeo.org/t/psc-vote-lets-move-this-list-to-discourse/6528/22).

See also #1690 for a request to use this service for Trac login.

Last edited 5 months ago by strk

comment:9 by strk, 5 months ago

An OSGeo authentication provider could also more easily be usable by third parties, like for instance the mapstodon.space instance, see https://mapstodon.space/@jeremy/111714945533217839

Last edited 5 months ago by strk

comment:10 by robe, 5 months ago

Owner: changed from sac@… to strk