I am seeking examples of how others have modified LDAP schemas to support CardSpace and/or OpenID. Links to LDIFs or other documentation are greatly appreciated.

A: 

Without having done an LDAP-InfoCard-OpenID integration myself, I don't think that modifying the LDAP schema to incorporate the required information is that difficult.

For OpenID you have to store the OpenID, and for identifying InfoCard-authorized users you have to store the private personal identifier (PPID) of the respective InfoCard in your LDAP user object.

As an OpenID is merely a URI, the LDAP attribute can be of the same type as, for example, labeledURI (Directory String (1.3.6.1.4.1.1466.115.121.1.15), caseExactMatch (2.5.13.5)).

The InfoCard private personal identifier (PPID) is a base64-encoded byte array (the length is undefined, so you should require an appropriate maximum length; just a guess, but I think 48 characters will be enough, as the PPID is a SHA-256 hash of 32 bytes and base64 encoding requires about 1.3 times the storage space), so you could go with an IA5 String.

Stefan Gehrig
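A worked version of the schema change and the value checks the answer describes, added here as an example; it is not code from the question, the answer, or any product the thread mentions. The attribute and object-class names (openIDIdentifier, infoCardPPID, federatedIdentityUser) and the OID arc 1.3.6.1.4.1.99999.1 are placeholders, not registered identifiers, and the sample PPID is constructed by hashing a made-up string. The LDIF is in OpenLDAP's cn=config form and uses the syntaxes and matching rules the answer names. Two checks a practitioner would want are included: validate_ppid enforces the 48-character bound and confirms the value decodes to a 32-byte digest (base64 of 32 bytes is exactly 44 characters, so 48 leaves room), and normalize_openid applies the OpenID 2.0 URL normalization (add http:// when no scheme, lowercase scheme and host, empty path becomes /, fragment stripped) so that lookups with caseExactMatch compare the same canonical string the provider stored.

```python
"""Schema extension and value checks for storing an OpenID identifier and a
CardSpace/InfoCard PPID on an LDAP user object.

Added example, not code from the question or the answer. Attribute names,
the object class and the OID arc below are placeholders (assumption);
replace the arc with an OID under your own Private Enterprise Number.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

OID_ARC = "1.3.6.1.4.1.99999.1"  # placeholder arc, not a registered OID

# Syntax OIDs from RFC 4517; the first two are the ones named in the answer.
SYNTAX_DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
SYNTAX_IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
PPID_MAX_LEN = 48  # bound suggested in the answer; base64(32 bytes) is 44 chars

_BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def schema_ldif() -> str:
    """OpenLDAP cn=config LDIF adding both attributes plus an auxiliary
    object class, so existing inetOrgPerson entries can carry them."""
    return f"""dn: cn=federatedidentity,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: federatedidentity
olcAttributeTypes: ( {OID_ARC}.1.1 NAME 'openIDIdentifier'
 DESC 'Normalized OpenID identifier (URI)'
 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
 SYNTAX {SYNTAX_DIRECTORY_STRING} SINGLE-VALUE )
olcAttributeTypes: ( {OID_ARC}.1.2 NAME 'infoCardPPID'
 DESC 'InfoCard private personal identifier, base64 of a SHA-256 digest'
 EQUALITY caseExactIA5Match
 SYNTAX {SYNTAX_IA5_STRING}{{{PPID_MAX_LEN}}} )
olcObjectClasses: ( {OID_ARC}.2.1 NAME 'federatedIdentityUser'
 DESC 'Auxiliary class carrying OpenID and InfoCard identifiers'
 SUP top AUXILIARY
 MAY ( openIDIdentifier $ infoCardPPID ) )
"""


def normalize_openid(identifier: str) -> str:
    """OpenID 2.0 URL identifier normalization: default scheme http://,
    lowercase scheme and host, empty path -> '/', fragment removed."""
    s = identifier.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s.startswith(("=", "@", "+", "$", "!")):
        raise ValueError("XRI i-names are not handled by this example")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an OpenID URL identifier: {identifier!r}")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def validate_ppid(ppid: str) -> str:
    """Require canonical base64 (IA5-safe), within the schema's length bound,
    decoding to exactly the 32 bytes of a SHA-256 digest."""
    if len(ppid) > PPID_MAX_LEN or not _BASE64_RE.fullmatch(ppid):
        raise ValueError("PPID is not base64 within the length bound")
    raw = base64.b64decode(ppid, validate=True)  # raises ValueError on bad padding
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"PPID decodes to {len(raw)} bytes, expected 32")
    if base64.b64encode(raw).decode("ascii") != ppid:
        raise ValueError("PPID is not in canonical base64 form")
    return ppid


def is_valid_ppid(ppid: str) -> bool:
    """Boolean wrapper around validate_ppid for callers that just want a verdict."""
    try:
        validate_ppid(ppid)
        return True
    except ValueError:
        return False


def user_modify_ldif(user_dn: str, openid: str, ppid: str) -> str:
    """LDIF 'changetype: modify' record that attaches the auxiliary class and
    stores the validated, normalized identifiers on an existing user entry."""
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: federatedIdentityUser\n"
        "-\n"
        "replace: openIDIdentifier\n"
        f"openIDIdentifier: {normalize_openid(openid)}\n"
        "-\n"
        "add: infoCardPPID\n"
        f"infoCardPPID: {validate_ppid(ppid)}\n"
        "-\n"
    )


# Constructed sample PPID: SHA-256 of a made-up string, base64-encoded (44 chars).
SAMPLE_PPID = base64.b64encode(
    hashlib.sha256(b"constructed card id|constructed relying party").digest()
).decode("ascii")

if __name__ == "__main__":
    print(schema_ldif())
    print(user_modify_ldif("uid=alice,ou=people,dc=example,dc=com",
                           "Example.COM/alice#profile", SAMPLE_PPID))
```

Load the first record with ldapadd against cn=config and the second with ldapmodify; because openIDIdentifier is stored normalized, the provider must run the same normalize_openid on the identifier it receives before searching, otherwise caseExactMatch will miss entries that differ only in host case or a trailing slash.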