An out-of-the-box OpenID server built atop OpenDS and Java EE

I've been tinkering with public domain OpenIDs for the past few months and found the OpenID service, as it is described, to be useful indeed. I say "as described" since it is clearly not the end all be all Internet authentication service, however, it is interesting and worth exploring further. To that end, I've developed a light-weight, demo quality, OpenID provider. It's easily deployable atop any Java EE container and backed by the OpenDS directory server. Note: Credit goes to Paul Bryan (an OpenSSO contributor) for the initial OpenID protocol handler.

Why develop yet another OpenID provider? Unfortunately, I could not find a maintained, easily deployable, Java EE based provider that actually worked. In addition, as a directory guy, I believe people and identity centric data belong in the directory and not spread amongst n different databases. I'm currently at the O'Reilly Web 2.0 Expo and have been informally polling attendees on general identity management topics; e.g., where are your users stored?, what authentication protocols do you support?, and the like. Brandon, I was wrong - you are right, new applications are still emerging with their own, siloed "user tables" to stuff people and their passwords. Evidently, there is still much education to be done around directory. I trust that this proof-of-concept will assist in showing others the light on how simple it is to support the newest of the new protocols. Give it a try.

I'm running the demo atop Ubuntu, Java 6, Glassfish V2, and the latest OpenDS download. Ensure you obtain a build dated 4/21/2007 or later.
  1. Install OpenDS
  2. Drop in the OpenID schema file. In the case of OpenDS simply drop this file in $opends_home/config and restart OpenDS.
  3. Download the OpenID application (WAR) and deploy to your application server. Please note the fine print below.
  4. To get started register a new user by "claiming in ID" via the bundled user interface http://localhost:8080/opendsidp/. Copy the generated claim URL; e.g., http://yourhost/opendsidp/claims/username and go use it. For starters try using your claim at http://jyte.com.

The fine print:
Since this is demoware, I made many assumptions about the environment. Most of these assumptions are configurable though a few currently are not. Also, I've left a few features out. In particular, I've left manually accepting/rejecting trust roots for another day.

Please note the following: It is assumed the directory server is on the localhost, listening on port 1389, and may be read by the user cn="directory manager" with the password "password". The base DN is "dc=example,dc=com" and the people base DN is "ou=people,dc=example,dc=com". Additionally, it is required that all OpenID users must belong to the group "openidusers" and that group is located in ou=groups,dc=example,dc=com. The OpenID configuration and authentication tokens (user cookies) are stored in ou=openid, dc=example,dc=com. You do not need to create the groups or openid configuration buckets, they will be created on startup. If your ldap host, port, query user, based dn, or base people dn are different you are free to change the default values by editing the web.xml file located in the WEB-INF directory. The attributes that need changing should be obvious. Confused? Don't be, if you install OpenDS out-of-the-box and accept the default installation configuration you'll be good to go. Good luck!

Posted on: Apr 22, 2007

Posted by: treydrake

Category: OpenDS

Permanent link to this entry

Comments:

Hi there, Found what seems to be a bug (or problem with my setup): I get an error on startup which is preventing the OpenID server from running:
netscape.ldap.LDAPException: error result (65); Entry ou=openid,dc=example,dc=com violates the Directory Server schema configuration because it includes multiple conflicting structural objectclasses openidserverconfiguration and organizationalUnit
Any ideas? Am I running the wrong version of anything? I'm running on Tomcat 5.5.23, OpenDS 0.9. Thanks, Dan

Posted by Daniel on May 21, 2007 at 09:57 AM CDT #

Hi Dan, Odd. Try downloading the war again and re-deploy (I checked the code and rebuilt). If you have any further difficulties email me and I'll post the result. FYI: The OpenDS OpenID provider above will not be open sourced in its current form, rather the code will be merged into the new openid.dev.java.net project. Thanks, Trey

Posted by Trey Drake on May 21, 2007 at 01:32 PM CDT #

Oops! The ldif file should be dropped in $opends_home/config/schema. I'll file an OpenDS bug on the error message as the error you're getting certainly doesn't point you in the right direction (missing schema). Thanks, Trey

Posted by Trey Drake on May 23, 2007 at 07:08 PM CDT #

Hi Trey, I am getting following error during webapp start..not sure what I did wrong during setup. SEVERE: Servlet /opendsidp threw load() exception java.lang.ClassNotFoundException: javax.faces.webapp.FacesServlet I am running on OpenDS 0.9 and Apache Tomcat/6.0.13 Thanks -G.

Posted by Gulshan on July 02, 2007 at 10:11 AM CDT #

Looks like you're missing the JSF bits. I deployed on Glassfish w/o issue as JSF is included as part of Java EE 5. I encourage you to look at the OpenID provider developed within the OpenSSO project @ https://opensso.dev.java.net/public/extensions/openid/ Its production quality and can be wired up to OpenDS. Thanks, Trey

Posted by Trey Drake on July 03, 2007 at 10:29 AM CDT #

Thanks. Your instructions worked very well for me and I have the demo up and running on my old G5 Mac running OS X.4. I am running OpenDS on the same box.

Posted by Mark Rogers on October 09, 2007 at 01:35 PM CDT #

Hi Trey. I have installed your OpenId application and it runs. But when I use the generated claim URL, it seems that your application doesn't return back the user's attribute "mail". Is it right or have I some problem with my OpenDS or application server? I'm runnining OpenDS and Glassfish on windows XP.Thanks

Posted by Luca Milano on April 16, 2008 at 07:57 AM CDT #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog copyright 2009 by treydrake