Looking into running an OpenID server
Friday, May 1st, 2009One of the first things that struck me about the IT systems at my current gig is that there are a bunch of different, unsyncronized authentication systems. In other words, to add a new user, you go to a handful of different admin interfaces and type in the same username and password for that person.
Being a programmer, this kind of duplication smells bad to me, so I dug around for possible solutions. One of the systems happens to be Apple’s Open Directory, which speaks LDAP — seemed like the obvious integration point. However, it turned out that none of our other systems was predisposed to pulling in the auth info over LDAP. Since I only have a few dozen users to support, I filed the whole thing deep on my todo list and basically forgot about it.
Now, however, I’m starting to roll out new services, which are mostly web-based. Being loath to make the dup auth situation worse, I gave some more thought to this issue, and realized that OpenID might be a good solution. Off I went in search of an in-house OpenID server to store my user data. ( there is a tool for OpenID-enabling your LDAP server, but reading about implementing it makes my head hurt )
Surprisingly, there don’t seem to be a huge amount of people running their own organization-level OpenID providers. After digging around for a while, I ended up at a page on the openid.net wiki, which does list a number of projects that enable you to run your own OpenID provider. Most of them look a bit half-baked or abandoned, but two appear to be alive and potentially appropriate for my needs: clamshell and community-ID.
Next steps, then, are to install one or both & see how it goes.
