How can I use LDAP based WebIDs??

What?

Use of LDAP scheme (ldap:) URIs as bona fide WebIDs? that are verifiable using the WebID? protocol.

Why?

As a protocol, WebID? is about verifying Identity via de-referencable URIs for Agents (people, organizations, programs). Thus, bearing in mind the multi scheme essence of URIs, and the fact that many existing systems already leverage X.500 names as part of LDAP setups, its vital that WebID? usage extends naturally to these setups; especially, when introducing WebID? to organizations, unobtrusively.

How?

The steps that follow walk you through the process of generating an X.509 Certificate that has an ldap: URI value in the Subject Alternate Name (SAN) and then using this Certificate to verify Identity using the WebID? protocol.

Basic steps for setting up LDAP Server, generating and importing certificate with WebID? in the LDAP server

  1. Setup LDAP to Virtuoso instance binding via Conductor UI.
  2. As LDAP query works based on the attribute=value from profile, perform LDAP lookup test:
    1. Access the following URL: 

      https://mail.openlinksw.com/ldapinfo.php?dn=uid=john,ou=Accounts,o=OpenLink%20Software,c=US





    2. Post successful authentication should show the user details:



  3. Set up of an X.509 certificate issuer and HTTPS listener
  4. Generate certificate with LDAP based WebID? via ODS or another method, by placing LDAP: scheme URI in SAN of the Certificate to be generate, for ex: 

    ldap://mail.openlinksw.com/cn=John%20Smith%2Cou=Accounts%2Co=OpenLink%20Software%2Cc=US









  5. Convert from p12 to DER format: Suppose the certificate generated from the previous step is exported as p12 format . To convert it to DER format, one should perform the following commands: 

    openssl pkcs12 -in mykey.p12 -nokeys > mykey.pem

openssl x509 -in mykey.pem -outform DER > mykey.crt

  6. LDAP Setup:
    1. Start LDAP manager UI e.g. http://mail.openlinksw.com
    2. Post successful authentication click on Profile
    3. Update the "Country" and "Company" (Organization) fields if empty



    4. Go to security section as import X.509 Cert so that DN is now associated with a Public Key.



  7. The LDAP based WebId? is ready to be used.

Verification Tests

  1. Make sure the steps from above are performed.
  2. If you generated Cert. using ODS and enabled WebID? login, attempt a WebID? login:
    1. Access https://id.myopenlink.net/ods
    2. Select when prompted from your browser, the certificate generated from above.



    3. As result should be presented the ODS Log in form. Click the "WebID? Login"



    4. Post successful authentication should show ODS home page for the logged in user
  3. Access https://id.myopenlink.net/ods/webid_demo.html







  4. Click "Check"
  5. The verification result message should be shown:



Other Examples

cURL Examples

Example with No Certificate using the WebID? Testing Service endpoint at https://host/ods/webid_check.vsp 


$ curl -i -k   https://localhost:4433/ods/webid_check.vsp?callback=http://localhost:8894/myapp/
HTTP/1.1 302 Found
Server: Virtuoso/06.02.3129 (Win32) i686-generic-win-32  VDB
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Date: Tue, 24 May 2011 11:15:09 GMT
Accept-Ranges: bytes
Location: http://localhost:8894/myapp/?error=noCert&ts=2011-05-24T13%3A15%3A09%2B02%3A00&signature=rT1gooyUcPjWo3yhIdx7y8j05oM%3
Content-Length: 0



Example with Valid WebID? 


$ openssl pkcs12 -in mykey.p12 > mykey2.pem

$ curl -i -k --cert mykey2.pem  https://localhost:4433/ods/webid_check.vsp?callback=http://localhost:8894/myapp/
Enter PEM pass phrase:
HTTP/1.1 302 Found
Server: Virtuoso/06.02.3129 (Linux) x86_64-generic-linux-glibc25-64  VDB
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 May 2011 13:47:08 GMT
Accept-Ranges: bytes
Location: http://localhost:8894/myapp/?webid=http%3A%2F%2Flocalhost:8894%2Fdataspace%2Fperson%2Fdemo%23this&ts=201
00001-04%3A00&signature=7KYzL7vwpH2LtF4bZ%2FtAEWCC8gY%3D
Content-Length: 0

Related