OpenID working with LDAP

Something I’ve been meaning to get round to for quite a while is setting up an openID server. I’ve finally done it! Even better, this server is linked into my ldap server which allows for consistent passwords for everything. Getting it working took quite a while. The openid-ldap software was fairly tricky to configure and the apache configuration was a nightmare for me of regular expressions, something that in all my geek years I’ve managed to stay away from in any depth. (I’ve learnt a fair bit through osmosis, but never sat down and looked at some regexp documentation). Read on for my instructions on setting this up.

Before we start

Before we begin, a few assumtions. This article assumes that you have:

  • A working permanent internet connection (DSL/Cable/Better)
  • An apache web server running and accessable from the internet over SSL, preferably with virtual hosting set up
  • A domain name that you want to tie your openid into and full control to add/change A/CNAME records
  • I did this on Debian, most distro’s should be similar but may use different directories
  • An LDAP server up and running (and working! – ie, tied into user logins, imap, etc)

Setup

My first step was to download the openid-ldap software and uncompress it into the root of your web server (eg. /var/www on Debian), then rename the directory to something easier to type.

cd /var/www
wget http://www.openid-ldap.org/releases/openid-ldap-0.8.7-noarc.tar.gz
tar xfzv openid-ldap-0.8.7-noarc.tar.gz
mv openid-ldap-0.8.7 openid
chmod a+r openid/ldap.php

You should be able to now access http://yourserver/openid to make sure it works. If you get any errors you’ll need to check your apache config. If everything is working then the next step is to get the ldap section working. In the openid directory open up the ldap.php and you will see a load of configuration parameters to edit. The important ones are:

$GLOBALS['ldap'] = array (
        # Connection settings
        'primary'               => 'yourldapserver',
        'fallback'              => 'yourbackupldapserver',
        'protocol'              => 3,
        'isad'                  => false, // are we connecting to Active Directory?
        'lookupcn'              => false, // should we extract CN after the search?
        'binddn'                => '',
        'password'              => '',
        'testdn'                => 'uid=%s,ou=People,dc=example,dc=net',
        'searchdn'              => 'ou=People,dc=example,dc=net',
        'filter'                => 'uid=%s',
        'nickname'              => 'uid',
        'email'                 => 'mail',
        'fullname'              => 'displayName',
        'country'               => 'c'
);

binddn and password shouldn’t be needed at all for most ldap servers to check if a user exists. If your server needs authentication, fill in these fields. You’ll also have to lock down the ldap.php file to restrict people seeing the plaintext password. testdn is the dn used to see if a uid exists. searchdn is the base under which to search for valid users.

To check that the ldap configuration is working, go to the url http://yourserver/openid/?user=at which you should see a welcome message. If not, go back and check your ldap configuration. There are some handy hints and tips in the openid-ldap README.

My next step was to set up some virtual hosting. This isn’t strictly nescessary, but it is the difference between an openid of http://www.example.net/openid/user and http://openid.example.net/user. Not much of a difference, but I wanted a challenge. For now, I will assume that we’ll just do a normal set up and I’ll leave the virtual hosting option up to the reader.

Because openid-ldap sends the username and password over basic authentication you should take it as a requirement to use your openid over SSL. I had a fun time getting this working along with the virtual hosting, but will leave this again up to the reader. There are countless helpful web pages out there to get ssl working on an apache web server.

Ok, once you have openid-ldap talking to your ldap server, SSL working, and possibly virtual hosting, it is time for the final bit of configuration. This part took me the longest to get working due to the mod_rewrite instructions that came with openid-ldap not working for me. For the openid to be kept simple and in the form url/user, rather than url/index.php?user=user, openid-ldap makes use of mod_rewrite in apache to (funnily enough) rewrite the url. To do this you need to edit the apache configuration for the directory under which openid sits to add:

RewriteEngine On

   RewriteCond %{REQUEST_URI}      !^/(.+)\.php(.*)$
   RewriteCond %{THE_REQUEST}      ^[A-Z][A-Z][A-Z]\ \/([A-Za-z0-9]+)\?(.*)\ HTTP/
   RewriteRule ^(.*)$        /openid/index.php?user=%1&%2

   RewriteCond %{REQUEST_URI}         !^/(.+)\.php(.*)$
   RewriteRule ^/([A-Za-z0-9]+)$  https://www.example.net/openid/index.php?user=$1

Restart apache and go to the url http://www.example.net/openid/. Hopefully you should see a welcome screen and a login button at the bottom. Click on the login button and a login box should appear. Type in your username and password, click ok, and you should be taken back to the login screen with a message that you are now logged in.

Thats it, you’ve got openid working. As mentioned, you can fine tune this to produce an easier url to type in, but this is a matter of preference. Hopefully someone may find this article useful. If you do, please drop me a mail or add a comment.

Thankyou.