Opened 7 years ago

Last modified 5 months ago

#1824 new task

Set up an OpenID provider using the LDAP database as input

Reported by: strk
Owned by: strk
Priority: normal
Milestone:
Component: SysAdmin
Keywords: userid, ldap, openid


This may simplify integration of the LDAP users with other services. Could be served by SimpleID and its LDAP plugin (PHP):

Also, it might be good to plan for "OpenID Connect" (successor of OpenID), while still keeping the LDAP backend, for example via

Change History (10)

comment:1 by strk, 7 years ago

Debian packages exist for both simpleid and its ldap backend:

Where could I experiment with installing one? Should it be on the "secure" VM (I don't think it needs to be)? Do we want to register an "id" subdomain?

comment:2 by strk, 18 months ago

For the record: is now a registered subdomain. The current way to set things up is using LXD containers, so simpleid/ldap should probably go in one of these

comment:3 by robe, 18 months ago

If I had a clue what is involved I might volunteer to do it.

At any rate, should probably go on osgeo9, which I'm focussing on putting shared services on.

osgeo8 would be for project specific services.

comment:4 by strk, 18 months ago

Should just need apache-php and -- my own OpenID is using SimpleID but not with the LDAP backend, so I don't have more hints about LDAP. Oh, and I use Apache but if you know how to do that you may also opt for nginx.

comment:5 by robe, 18 months ago

Yah, I've done lots of PHP apps behind nginx. I'll take a stab at it on osgeo9. What DNS name would you want to opt for since is taken.

Perhaps ?

comment:6 by strk, 18 months ago

I would not really bother with another name. OpenID doesn't need top-level, it can be just like we have (and in the future we might also have or something like that...

comment:7 by robe, 18 months ago

Okay, so we just put in same container then. Works for me.

comment:8 by strk, 5 months ago

Recent use of OSGeo Gitea as auth provider for OSGeo Discourse showed the advantage of having an OpenID provider and limitations of using a service which is not specifically focused on authentication ( )

See also #1690 for a request to use this service for trac login

Last edited 5 months ago by strk

comment:9 by strk, 5 months ago

An OSGeo authentication provider could also more easily be usable by third parties, like for instance the instance, see

Last edited 5 months ago by strk

comment:10 by robe, 5 months ago

Owner: changed from sac@… to strk