OpenLDAP schema upgrade
These instructions describe how to upgrade the LDAP schema of a Connect2id server 2.x or 3.x installation to Connect2id server 4.x when an OpenLDAP directory backend is used.
1. The schema changes
Description of the schema changes:
- Adds a new optional string attribute authzActor for authorisation records. It is used to specify an authorised actor in impersonation and delegation cases and is intended to be used as part of the record's RDN (key), in addition to the standard authzSubject and authzClientID parameters.
- Adds a new optional string attribute oauthClientData for client registration records. It can be used to store additional client data that doesn't fit into the standard OAuth and OpenID Connect client registration parameters.
Note that existing directory records are compatible with the new schema. The schema changes simply facilitate some new features introduced in Connect2id server 4.x. Therefore, no migration of existing data is needed.
The LDAP schemas for the Connect2id server are made available in a dedicated Git repo. They are versioned separately from the server:
- Connect2id server 2.x: LDAP schema version 1.0
- Connect2id server 3.x: LDAP schema version 1.4
- Connect2id server 4.x: LDAP schema version 1.5
2. The on-line configuration in OpenLDAP
OpenLDAP uses on-line configuration (OLC) to
enable schema changes with zero downtime. This is facilitated by storing the
configuration in a special directory tree at the cn=config
root, which may be
viewed and modified with a regular LDAP client / browser.
3. Accessing the schema
Access to the cn=config directory tree requires administrator permissions and can be obtained in two ways:
- From the command line on the OpenLDAP host, from a superuser account (e.g. via sudo). The commands below bind over the local ldapi:/// socket with SASL EXTERNAL, which authenticates the calling OS user by its uid and gid. This works because the stock Debian / Ubuntu cn=config ACL grants the root user's identity (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) manage rights; if your installation has tightened that ACL, bind as the config database's olcRootDN instead.
- Remotely from an LDAP client, with the admin DN and password credentials that are typically set up by the administrator when the OpenLDAP directory is created. Make that connection over ldaps:// or with StartTLS: the root DN password must not travel in clear text, and the records kept in this directory include client secrets, registration access tokens and OAuth tokens.
If you're using a generic LDAP client, such as Apache Directory Studio, the connection must be authenticated with the root DN and password, and cn=config must be given as the base DN (otherwise the client will browse the default data tree).
4. Locate the authorisation records schema
Before we can update the authorisation records schema we must find out its DN (record address) under the cn=schema,cn=config directory branch. The schema names are prefixed by a number in braces, such as {1}, which fixes the order in which the OpenLDAP server loads them (a schema that references attributes defined in another schema must be loaded after it). The number is assigned by the server and can differ between installations, which is why the DN must be looked up rather than copied from this page.
- From the command line on the OpenLDAP host:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config '(cn=*oidcAuthz)' dn
- If you're using a remote LDAP connection, make a search request under the cn=schema,cn=config branch using the (cn=*oidcAuthz) filter.
Write down the search result, that is the DN of the OpenID Connect authorisation records schema, e.g.
cn={5}oidcAuthz,cn=schema,cn=config
5. Modify the authorisation records schema
Important: Try this first on a test or development LDAP directory, and take a backup of the cn=config database (e.g. with slapcat, database number 0) before touching a production server, so that the previous schema can be restored. Proceed with production when you're sure the upgrade works correctly and there are no issues with your particular OpenLDAP setup.
Step 1.
Apply the following LDIF file to upgrade the attribute definitions.
Remember to replace the dn: cn={5}oidcAuthz... with the actual DN of the authorisation schema that you recorded above! Note that in LDIF a definition spanning several lines is continued on lines that start with a space; keep that leading whitespace when you save the file, otherwise ldapmodify will reject it.
dn: cn={5}oidcAuthz,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.1 NAME 'authzAccessToken'
DESC 'OAuth 2.0 access token'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.2 NAME 'authzAccessTokenLifetime'
DESC 'OAuth 2.0 access token lifetime, in seconds'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.3 NAME 'authzAccessTokenEncoding'
DESC 'OAuth 2.0 access token encoding'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.23 NAME 'authzAccessTokenEncrypt'
DESC 'OAuth 2.0 access token encrypt flag'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.4 NAME 'authzRefreshToken'
DESC 'OAuth 2.0 refresh token'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.5 NAME ('authzRefreshTokenSecret' 'authzRefreshTokenSalt')
DESC 'OAuth 2.0 refresh token salt'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.6 NAME 'authzIssueRefreshToken'
DESC 'OAuth 2.0 issue refresh token switch'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.24 NAME 'authzRefreshTokenLifetime'
DESC 'OAuth 2.0 refresh token lifetime, in seconds'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.25 NAME 'authzRefreshTokenIssueDate'
DESC 'Refresh token issue date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.7 NAME 'authzIssuer'
DESC 'Authorization issuer'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.8 NAME 'authzIssueDate'
DESC 'Authorization issue date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.9 NAME 'authzUpdateDate'
DESC 'Authorization update date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.10 NAME 'authzSubject'
DESC 'Authorization subject'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.11 NAME 'authzClientID'
DESC 'Authorized client'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.12 NAME 'authzAudience'
DESC 'Authorized audience'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.13 NAME 'authzScopeValue'
DESC 'Authorized scope value'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.14 NAME 'authzSavedScopeValue'
DESC 'Saved scope value from a previous authorisation'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.26 NAME 'authzActor'
DESC 'Authorized actor in impersonation and delegation cases'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.15 NAME 'authzData'
DESC 'Auxiliary authorization data, as JSON object'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.16 NAME 'authzLastAccessDate'
DESC 'Authorization last access date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.17 NAME 'oidcIDToken'
DESC 'OpenID Connect ID token'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.18 NAME 'oidcClaimName'
DESC 'Consented OpenID Connect claim name, with optional language tag'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.19 NAME 'oidcSavedClaimName'
DESC 'Saved consented OpenID Connect claim name from a previous authorisation, with optional language tag'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.20 NAME 'oidcClaimsLocales'
DESC 'OpenID Connect claims locales, space separated, by order of preference'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.21 NAME 'oidcPresetUserInfoClaims'
DESC 'Preset OpenID Connect UserInfo claims, as JSON object'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.22 NAME 'oidcSessionID'
DESC 'Subject session identifier (SID)'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
To apply the LDIF file from the command line on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-schema-attributes-update.ldif
The OpenLDAP directory will automatically assign new {xxxx} prefixes to the attributes. Note that replace substitutes the complete olcAttributeTypes value list, not just the new authzActor entry: any attribute type absent from the LDIF is no longer part of the schema entry's value list, so the file must always carry the full set of definitions. It is worth comparing it against the live entry before applying.
Step 2.
Apply the following LDIF file to upgrade the object class definitions.
Remember to replace the dn: cn={5}oidcAuthz...
with the actual DN of the
authorisation schema that you recorded above!
dn: cn={5}oidcAuthz,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.40805.2.2.1 NAME 'oauth2Authz'
DESC 'OAuth 2.0 authorization'
SUP top
STRUCTURAL
MUST (
authzSubject $
authzClientID )
MAY ( description $
authzAccessToken $
authzAccessTokenLifetime $
authzAccessTokenEncoding $
authzAccessTokenEncrypt $
authzRefreshToken $
authzRefreshTokenSecret $
authzIssueRefreshToken $
authzRefreshTokenLifetime $
authzRefreshTokenIssueDate $
authzIssuer $
authzIssueDate $
authzUpdateDate $
authzAudience $
authzScopeValue $
authzSavedScopeValue $
authzActor $
authzData $
authzLastAccessDate )
X-ORIGIN 'OAuth 2.0' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.2.2.2 NAME 'oauth2AuthzAux'
DESC 'OAuth 2.0 authorization'
SUP top
AUXILIARY
MUST (
authzSubject $
authzClientID )
MAY ( description $
authzAccessToken $
authzAccessTokenLifetime $
authzAccessTokenEncoding $
authzAccessTokenEncrypt $
authzRefreshToken $
authzRefreshTokenSecret $
authzIssueRefreshToken $
authzRefreshTokenLifetime $
authzRefreshTokenIssueDate $
authzIssuer $
authzIssueDate $
authzUpdateDate $
authzAudience $
authzScopeValue $
authzSavedScopeValue $
authzActor $
authzData $
authzLastAccessDate )
X-ORIGIN 'OAuth 2.0' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.2.2.3 NAME 'oidcAuthz'
DESC 'OAuth 2.0 authorization'
SUP oauth2Authz
STRUCTURAL
MAY ( oidcIDToken $
oidcClaimName $
oidcSavedClaimName $
oidcClaimsLocales $
oidcPresetUserInfoClaims $
oidcSessionID )
X-ORIGIN 'OAuth 2.0' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.2.2.4 NAME 'oidcAuthzAux'
DESC 'OAuth 2.0 authorization'
SUP oauth2AuthzAux
AUXILIARY
MAY ( oidcIDToken $
oidcClaimName $
oidcSavedClaimName $
oidcClaimsLocales $
oidcPresetUserInfoClaims $
oidcSessionID )
X-ORIGIN 'OAuth 2.0' )
To apply the LDIF file from the command line on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-schema-classes-update.ldif
6. Locate the client registrations schema
The other schema that needs to be updated is for the OAuth / OpenID Connect
client registrations. The procedure for that is the same as for the
authorisation records schema. We first need find out its DN (record address) on
the cn=schema, cn=config
directory branch. The schema names are prefixed by
a number, such as {1}
, to indicate their precedence when the OpenLDAP server
loads them (in case they have dependent attributes).
- From the command line on the OpenLDAP host:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config '(cn=*oidcClient)' dn
- If you're using a remote LDAP connection, make a search request under the cn=schema,cn=config branch using the (cn=*oidcClient) filter.
Write down the search result, that is the DN of the OpenID Connect client registrations schema, e.g.
cn={4}oidcClient,cn=schema,cn=config
7. Modify the client registrations schema
Important: Try this first on a test or development LDAP directory. Proceed with production when you’re sure the upgrade works correctly and there are no issues with your particular OpenLDAP setup.
Step 1.
Apply the following LDIF file to upgrade the attribute definitions.
Remember to replace the dn: cn={4}oidcClient... with the actual DN of the client registrations schema that you recorded above!
dn: cn={4}oidcClient,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.1 NAME 'oauthClientID'
DESC 'Client identifier'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.2 NAME 'oauthClientIDIssueTime'
DESC 'Client identifier issue date/time'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.3 NAME 'oauthClientSecret'
DESC 'Client secret'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.4 NAME 'oauthClientSecretExp'
DESC 'Client secret expiration date/time'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.5 NAME 'oauthClientRegistrationAccessToken'
DESC 'Client registration access token'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.6 NAME 'oauthClientRegistrationURI'
DESC 'Client registration URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.100 NAME 'oauthRedirectURI'
DESC 'Redirection URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.101 NAME 'oauthClientName'
DESC 'Client name'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.102 NAME 'oauthClientURI'
DESC 'Client URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.103 NAME 'oauthLogoURI'
DESC 'Logo URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.104 NAME 'oauthTermsOfServiceURI'
DESC 'Terms of service URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.105 NAME 'oauthPolicyURI'
DESC 'Policy URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.106 NAME 'oauthTokenEndpointAuthMethod'
DESC 'OAuth 2.0 Token endpoint authentication method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.107 NAME 'oauthTokenEndpointJWSAlg'
DESC 'OAuth 2.0 Token endpoint JWS algorithm for JWT client authentication'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'JWT Profile for OAuth 2.0 Client Authentication' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.108 NAME 'oauthScopeValue'
DESC 'OAuth 2.0 scope value'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.109 NAME 'oauthGrantType'
DESC 'OAuth 2.0 grant type'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.110 NAME 'oauthResponseType'
DESC 'OAuth 2.0 response type'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.111 NAME 'oauthJWKSetURI'
DESC 'JWK set URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.112 NAME 'oauthJWKSet'
DESC 'JWK set JSON'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.113 NAME 'oauthSoftwareID'
DESC 'Software identifier'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.114 NAME 'oauthSoftwareVersion'
DESC 'Software version'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.115 NAME 'oauthClientData'
DESC 'Miscellaneous client data'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Proprietary extension' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.200 NAME 'oidcAppType'
DESC 'Application type: web or native'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.201 NAME 'oidcSectorIdentifierURI'
DESC 'Sector identifier URI for calculating pairwise subject identifiers'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.202 NAME 'oidcSubjectType'
DESC 'Subject identifier type: public or pairwise'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.203 NAME 'oidcRequestJWSAlg'
DESC 'Request object JWS algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.204 NAME 'oidcRequestJWEAlg'
DESC 'Request object JWE algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.205 NAME 'oidcRequestJWEEnc'
DESC 'Request object JWE encryption method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.206 NAME 'oidcRequestURI'
DESC 'Request object URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.207 NAME 'oidcIDTokenJWSAlg'
DESC 'ID Token JWS algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.208 NAME 'oidcIDTokenJWEAlg'
DESC 'ID Token JWE algorithm'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.209 NAME 'oidcIDTokenJWEEnc'
DESC 'ID Token JWE encryption method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.210 NAME 'oidcUserInfoJWSAlg'
DESC 'UserInfo JWS algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.211 NAME 'oidcUserInfoJWEAlg'
DESC 'UserInfo JWE algorithm'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.212 NAME 'oidcUserInfoJWEEnc'
DESC 'UserInfo JWE encryption method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.213 NAME 'oidcDefaultMaxAge'
DESC 'Default max authentication age'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.214 NAME 'oidcRequireAuthTime'
DESC 'Require authentication time claim'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.215 NAME 'oidcDefaultACR'
DESC 'Default authentication context class reference'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.216 NAME 'oidcInitiateLoginURI'
DESC 'OP initiated login URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.217 NAME 'oidcPostLogoutRedirectURI'
DESC 'Post logout redirect URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
To apply the LDIF file from the command line on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f client-schema-attributes-update.ldif
The OpenLDAP directory will automatically assign new {xxxx} prefixes to the attributes. As with the authorisation schema, replace substitutes the complete olcAttributeTypes list, so the file must carry every existing client attribute type alongside the new oauthClientData.
Step 2.
Apply the following LDIF file to upgrade the object class definitions.
Remember to replace the dn: cn={4}oidcClient...
with the actual DN of the
client registrations schema that you recorded above!
dn: cn={4}oidcClient,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.1 NAME 'oauthClientIdentity'
DESC 'OAuth 2.0 client identity'
SUP top
STRUCTURAL
MUST oauthClientID
MAY ( description $
oauthClientIDIssueTime $
oauthClientSecret $
oauthClientSecretExp $
oauthClientRegistrationAccessToken $
oauthClientRegistrationURI )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.2 NAME 'oauthClientIdentityAux'
DESC 'OAuth 2.0 client identity'
SUP top
AUXILIARY
MUST oauthClientID
MAY ( description $
oauthClientIDIssueTime $
oauthClientSecret $
oauthClientSecretExp $
oauthClientRegistrationAccessToken $
oauthClientRegistrationURI )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.3 NAME 'oauthClientMetadata'
DESC 'OAuth 2.0 client metadata'
SUP oauthClientIdentity
STRUCTURAL
MAY ( mail $
oauthRedirectURI $
oauthClientName $
oauthClientURI $
oauthLogoURI $
oauthTermsOfServiceURI $
oauthPolicyURI $
oauthTokenEndpointAuthMethod $
oauthTokenEndpointJWSAlg $
oauthScopeValue $
oauthGrantType $
oauthResponseType $
oauthJWKSetURI $
oauthJWKSet $
oauthSoftwareID $
oauthSoftwareVersion $
oauthClientData )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.4 NAME 'oauthClientMetadataAux'
DESC 'OAuth 2.0 client metadata'
SUP oauthClientIdentityAux
AUXILIARY
MAY ( mail $
oauthRedirectURI $
oauthClientName $
oauthClientURI $
oauthLogoURI $
oauthTermsOfServiceURI $
oauthPolicyURI $
oauthTokenEndpointAuthMethod $
oauthTokenEndpointJWSAlg $
oauthScopeValue $
oauthGrantType $
oauthResponseType $
oauthJWKSetURI $
oauthJWKSet $
oauthSoftwareID $
oauthSoftwareVersion $
oauthClientData )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.5 NAME 'oidcRelyingParty'
DESC 'OpenID Connect 1.0 Relying Party (RP)'
SUP oauthClientMetadata
STRUCTURAL
MAY ( oidcAppType $
oidcSectorIdentifierURI $
oidcSubjectType $
oidcRequestJWSAlg $
oidcRequestJWEAlg $
oidcRequestJWEEnc $
oidcRequestURI $
oidcIDTokenJWSAlg $
oidcIDTokenJWEAlg $
oidcIDTokenJWEEnc $
oidcUserInfoJWSAlg $
oidcUserInfoJWEAlg $
oidcUserInfoJWEEnc $
oidcDefaultMaxAge $
oidcRequireAuthTime $
oidcDefaultACR $
oidcInitiateLoginURI $
oidcPostLogoutRedirectURI )
X-ORIGIN 'OpenID Connect 1.0' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.6 NAME 'oidcRelyingPartyAux'
DESC 'OpenID Connect 1.0 Relying Party (RP)'
SUP oauthClientMetadataAux
AUXILIARY
MAY ( oidcAppType $
oidcSectorIdentifierURI $
oidcSubjectType $
oidcRequestJWSAlg $
oidcRequestJWEAlg $
oidcRequestJWEEnc $
oidcRequestURI $
oidcIDTokenJWSAlg $
oidcIDTokenJWEAlg $
oidcIDTokenJWEEnc $
oidcUserInfoJWSAlg $
oidcUserInfoJWEAlg $
oidcUserInfoJWEEnc $
oidcDefaultMaxAge $
oidcRequireAuthTime $
oidcDefaultACR $
oidcInitiateLoginURI $
oidcPostLogoutRedirectURI )
X-ORIGIN 'OpenID Connect 1.0' )
To apply the LDIF file from the command line on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f client-schema-classes-update.ldif
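The DN lookup, the placeholder replacement and the replace pitfall described in sections 4 to 7 can be scripted. The following Python 3 script is an added example for this page, not Connect2id's code: it finds the schema entry (oidcAuthz or oidcClient), refuses to apply an update LDIF that omits a definition the live entry already has, rewrites the dn: line to the discovered DN, applies the file with ldapmodify over ldapi:/// and reads the entry back. It assumes the OpenLDAP client tools and the root-to-cn=config SASL EXTERNAL mapping from section 3, and must run with sudo. The two LDIF constants at the bottom are constructed for an offline demonstration and are not server output.

```python
#!/usr/bin/env python3
"""Pre-flight check and applier for one of this page's schema update LDIFs.
Added example, not Connect2id code. Assumes the OpenLDAP client tools and the
root -> cn=config SASL EXTERNAL mapping described above; run it with sudo."""
import re
import subprocess
import sys

LDAPI = ["-Q", "-Y", "EXTERNAL", "-H", "ldapi:///"]
NAME_RE = re.compile(r"NAME\s+\(?\s*'([^']+)'")  # primary NAME of a definition

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space); drop blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines

def definition_names(ldif_text, attr):
    """Primary NAMEs of every `attr:` (olcAttributeTypes / olcObjectClasses)
    definition; the {n} prefix OpenLDAP shows on read-back is ignored."""
    names = set()
    for line in unfold_ldif(ldif_text):
        key, _, value = line.partition(":")
        if key.strip() == attr:
            match = NAME_RE.search(re.sub(r"^\s*\{\d+\}", "", value.strip()))
            if match:
                names.add(match.group(1))
    return names

def replaced_attribute(update_ldif):
    """Attribute named on the update's `replace:` line, or None."""
    for line in unfold_ldif(update_ldif):
        if line.startswith("replace:"):
            return line.split(":", 1)[1].strip()
    return None

def missing_definitions(current_ldif, update_ldif, attr):
    """Definitions the live entry has but the update omits: `replace` swaps
    the whole value list, so these would vanish from the schema entry."""
    return definition_names(current_ldif, attr) - definition_names(update_ldif, attr)

def retarget_dn(update_ldif, real_dn):
    """Rewrite the placeholder `dn:` line (cn={5}oidcAuthz,...) to the real DN."""
    out, done = [], False
    for line in update_ldif.splitlines():
        if not done and line.startswith("dn:"):
            line, done = "dn: " + real_dn, True
        out.append(line)
    return "\n".join(out) + "\n"

def ldapsearch(*args):
    return subprocess.run(["ldapsearch", "-LLL", *LDAPI, *args],
                          check=True, capture_output=True, text=True).stdout

def main(cn_suffix, ldif_path):
    """cn_suffix: 'oidcAuthz' or 'oidcClient'; ldif_path: an update file above."""
    found = ldapsearch("-b", "cn=schema,cn=config", f"(cn=*{cn_suffix})", "dn")
    dns = [l.split(":", 1)[1].strip() for l in unfold_ldif(found) if l.startswith("dn:")]
    if len(dns) != 1:
        sys.exit(f"expected exactly one schema entry matching *{cn_suffix}, got {dns}")
    with open(ldif_path) as fh:
        update = fh.read()
    attr = replaced_attribute(update) or sys.exit("update LDIF has no 'replace:' line")
    dropped = missing_definitions(ldapsearch("-b", dns[0], "-s", "base", attr), update, attr)
    if dropped:
        sys.exit(f"refusing to apply: {attr} would lose {sorted(dropped)}")
    subprocess.run(["ldapmodify", *LDAPI], input=retarget_dn(update, dns[0]),
                   check=True, text=True)
    # Read the entry back: every definition from the update must now be there.
    gap = definition_names(update, attr) - definition_names(
        ldapsearch("-b", dns[0], "-s", "base", attr), attr)
    print(dns[0], "updated" if not gap else f"STILL MISSING {sorted(gap)}")

# Constructed samples (not real server output) so the checks can run offline.
# Live entry as ldapsearch prints it: {n} prefixes, values folded at 76 columns.
SAMPLE_CURRENT = """\
dn: cn={5}oidcAuthz,cn=schema,cn=config
olcAttributeTypes: {0}( 1.3.6.1.4.1.40805.2.1.10 NAME 'authzSubject' SYNTAX 1.
 3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.40805.2.1.5 NAME ( 'authzRefreshTokenSecret
 ' 'authzRefreshTokenSalt' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""
# An update in the page's style that forgot to carry authzRefreshTokenSecret.
SAMPLE_UPDATE = """\
dn: cn={5}oidcAuthz,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.10 NAME 'authzSubject'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.2.1.26 NAME 'authzActor'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])
```

Run it once per update file, e.g. sudo python3 schema_update.py oidcAuthz authz-schema-attributes-update.ldif, after taking a cn=config backup with slapcat. Against the constructed samples, missing_definitions reports authzRefreshTokenSecret as the definition the sample update would drop, which is exactly the case a hand-edited LDIF with a forgotten attribute type produces on a live server.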
That’s it!
8. Assistance
If you need assistance with the above, just email Connect2id support. We’ll be delighted to help you out.