OpenLDAP schema update
This is an instruction how to update the LDAP schema for a Connect2id server 6.x installation to Connect2id server 7.3 if the server data is persisted to an OpenLDAP directory.
1. The schema changes
Summary of the schema changes from v6.x to 7.3:
-
LDAP schema
oidc-session-schema-openldap.ldif:- Adds a new sessionRelyingParty attribute.
-
LDAP schema
oidc-client-schema-openldap.ldif:- Adds a new oidcFrontChannelLogoutURI attribute.
- Adds a new oidcFrontChannelLogoutSessionRequired attribute.
- Adds a new oidcBackChannelLogoutURI attribute.
- Adds a new oidcBackChannelLogoutSessionRequired attribute.
Existing data stored by Connect2id server 6.x in OpenLDAP is forward-compatible with Connect2id server 7.3 and can continue to be used as it is.
The LDAP schemas for the Connect2id server are made available in a dedicated Git repo. The versions map as follows:
- Connect2id server 2.x: LDAP schema version 1.0
- Connect2id server 3.x: LDAP schema version 1.4
- Connect2id server 4.x: LDAP schema version 1.5
- Connect2id server 5.x: LDAP schema version 1.5
- Connect2id server 6.x: LDAP schema version 1.8
- Connect2id server 7.3: LDAP schema version 1.9
2. The on-line configuration in OpenLDAP
OpenLDAP uses on-line configuration (OLC) to
enable schema changes with zero downtime. This is facilitated by storing the
configuration in a special directory tree at the cn=config root, which may be
viewed and modified with a regular LDAP client / browser.
3. Accessing the schema
Access to the cn=config directory tree requires administrator permissions and
can be facilitated in two ways:
-
From the command line on the OpenLDAP server host: from a superuser account (e.g. via
sudo). -
Remotely from an LDAP client by making a connection to the OpenLDAP server: with the admin DN and password credentials; these are typically set up by the administrator when the OpenLDAP directory is created.
If you’re using a generic LDAP client, such as Apache Directory
Studio, the connection must be
authenticated with the root DN and password, and the cn=config tree must
be specified (otherwise the client will connect to the default data tree).
4. Instructions
Important: Try this first on a test or development LDAP directory. Proceed with production when you’re sure the upgrade works correctly and there are no issues with your particular OpenLDAP setup.
Step 1: Locate the session schema
Before we can update the session schema we must find out its DN (location) on
the cn=schema, cn=config directory branch. The schema names are prefixed by
a number, such as {1}, to set their precedence when the OpenLDAP server loads
them (in case they have dependent attributes).
-
From the command line on the OpenLDAP host:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config '(cn=*oidcSession)' dn -
If you’re using a remote LDAP connection make a search request under the
cn=schema,cn=configbranch using the(cn=*oidcSession)filter.
Write down the search result, that is, the DN of the session schema, e.g.
cn={5}oidcSession,cn=schema,cn=config
Step 2. Update the session attributes schema
Apply the following LDIF file to update the session attributes schema.
Remember to replace the dn: cn={5}oidcSession... with the actual DN of the
session store schema that you recorded above!
dn: cn={5}oidcSession,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.1 NAME 'sessionKey'
DESC 'Session key'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.2 NAME 'sessionN'
DESC 'Session number'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.3 NAME 'sessionSubject'
DESC 'Session subject'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.4 NAME 'sessionAuthDate'
DESC 'Subject authentication date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.5 NAME 'sessionACR'
DESC 'Authentication Context Class Reference (ACR) for the session'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.6 NAME 'sessionAMR'
DESC 'Authentication Method Reference (AMR) for the session'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.7 NAME 'sessionCreationDate'
DESC 'Session creation date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.8 NAME 'sessionLastAccessDate'
DESC 'Session last access date'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.9 NAME 'sessionMaxLife'
DESC 'Session max life time, in minutes, unlimited if negative'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.10 NAME 'sessionAuthLife'
DESC 'Session authentication life time, in minutes, unlimited if negative'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.11 NAME 'sessionMaxIdle'
DESC 'Session max idle time, in minutes, unlimited if negative'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.12 NAME 'sessionClaims'
DESC 'Session claims, as JSON object'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.14 NAME 'sessionRelyingParty'
DESC 'Logged-in OpenID relying party'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.3.1.13 NAME 'sessionData'
DESC 'Auxiliary session data, as JSON object'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Connect2id Session Store' )
To apply the LDIF file from the command on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f session-schema-attributes-update.ldif
The OpenLDAP directory will automatically assign new {xxxx} prefixes to the
attributes.
Step 3. Update the session object classes schema
Apply the following LDIF file to update the session object classes schema.
Remember to replace the dn: cn={5}oidcSession... with the actual DN of the
session schema that you recorded above!
dn: cn={5}oidcSession,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.40805.3.2.1 NAME 'subjectSession'
DESC 'OpenID Connect subject session'
SUP top
STRUCTURAL
MUST ( sessionKey $
sessionSubject $
sessionAuthDate $
sessionCreationDate $
sessionLastAccessDate )
MAY ( description $
sessionACR $
sessionAMR $
sessionMaxLife $
sessionAuthLife $
sessionMaxIdle $
sessionClaims $
sessionRelyingParty $
sessionData )
X-ORIGIN 'Connect2id Session Store' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.3.2.2 NAME 'subjectIndex'
DESC 'OpenID Connect subject session index'
SUP top
STRUCTURAL
MUST ( sessionSubject $
sessionN $
sessionKey )
MAY ( description )
X-ORIGIN 'Connect2id Session Store' )
To apply the LDIF file from the command on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f session-schema-classes-update.ldif
Step 4: Locate the client schema
Before we can update the client schema we must find out its DN (location) on
the cn=schema, cn=config directory branch. The schema names are prefixed by
a number, such as {1}, to set their precedence when the OpenLDAP server loads
them (in case they have dependent attributes).
-
From the command line on the OpenLDAP host:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config '(cn=*oidcClient)' dn -
If you’re using a remote LDAP connection make a search request under the
cn=schema,cn=configbranch using the(cn=*oidcClient)filter.
Write down the search result, that is, the DN of the client schema, e.g.
cn={5}oidcSession,cn=schema,cn=config
Step 5. Update the client attributes schema
Apply the following LDIF file to update the client attributes schema.
Remember to replace the dn: cn={5}oidcClient... with the actual DN of the
client schema that you recorded above!
dn: cn={5}oidcClient,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.1 NAME 'oauthClientID'
DESC 'Client identifier'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.2 NAME 'oauthClientIDIssueTime'
DESC 'Client identifier issue date/time'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.3 NAME 'oauthClientSecret'
DESC 'Client secret'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.4 NAME 'oauthClientSecretExp'
DESC 'Client secret expiration date/time'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.5 NAME 'oauthClientRegistrationAccessToken'
DESC 'Client registration access token'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.6 NAME 'oauthClientRegistrationURI'
DESC 'Client registration URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.100 NAME 'oauthRedirectURI'
DESC 'Redirection URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.101 NAME 'oauthClientName'
DESC 'Client name'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.102 NAME 'oauthClientURI'
DESC 'Client URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.103 NAME 'oauthLogoURI'
DESC 'Logo URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.104 NAME 'oauthTermsOfServiceURI'
DESC 'Terms of service URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.105 NAME 'oauthPolicyURI'
DESC 'Policy URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.106 NAME 'oauthTokenEndpointAuthMethod'
DESC 'OAuth 2.0 Token endpoint authentication method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.107 NAME 'oauthTokenEndpointJWSAlg'
DESC 'OAuth 2.0 Token endpoint JWS algorithm for JWT client authentication'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'JWT Profile for OAuth 2.0 Client Authentication' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.108 NAME 'oauthScopeValue'
DESC 'OAuth 2.0 scope value'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.109 NAME 'oauthGrantType'
DESC 'OAuth 2.0 grant type'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.110 NAME 'oauthResponseType'
DESC 'OAuth 2.0 response type'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.111 NAME 'oauthJWKSetURI'
DESC 'JWK set URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.112 NAME 'oauthJWKSet'
DESC 'JWK set JSON'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.113 NAME 'oauthSoftwareID'
DESC 'Software identifier'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.114 NAME 'oauthSoftwareVersion'
DESC 'Software version'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.115 NAME 'oauthClientData'
DESC 'Miscellaneous client data'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'Proprietary extension' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.200 NAME 'oidcAppType'
DESC 'Application type: web or native'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.201 NAME 'oidcSectorIdentifierURI'
DESC 'Sector identifier URI for calculating pairwise subject identifiers'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.202 NAME 'oidcSubjectType'
DESC 'Subject identifier type: public or pairwise'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.203 NAME 'oidcRequestJWSAlg'
DESC 'Request object JWS algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.204 NAME 'oidcRequestJWEAlg'
DESC 'Request object JWE algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.205 NAME 'oidcRequestJWEEnc'
DESC 'Request object JWE encryption method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.206 NAME 'oidcRequestURI'
DESC 'Request object URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.207 NAME 'oidcIDTokenJWSAlg'
DESC 'ID Token JWS algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.208 NAME 'oidcIDTokenJWEAlg'
DESC 'ID Token JWE algorithm'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.209 NAME 'oidcIDTokenJWEEnc'
DESC 'ID Token JWE encryption method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.210 NAME 'oidcUserInfoJWSAlg'
DESC 'UserInfo JWS algorithm'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.211 NAME 'oidcUserInfoJWEAlg'
DESC 'UserInfo JWE algorithm'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.212 NAME 'oidcUserInfoJWEEnc'
DESC 'UserInfo JWE encryption method'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.213 NAME 'oidcDefaultMaxAge'
DESC 'Default max authentication age'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.214 NAME 'oidcRequireAuthTime'
DESC 'Require authentication time claim'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.215 NAME 'oidcDefaultACR'
DESC 'Default authentication context class reference'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.216 NAME 'oidcInitiateLoginURI'
DESC 'OP initiated login URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.217 NAME 'oidcPostLogoutRedirectURI'
DESC 'Post logout redirect URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.218 NAME 'oidcFrontChannelLogoutURI'
DESC 'Front-channel logout URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.219 NAME 'oidcFrontChannelLogoutSessionRequired'
DESC 'Front-channel logout session required flag'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.220 NAME 'oidcBackChannelLogoutURI'
DESC 'Back-channel logout URI'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.40805.1.1.221 NAME 'oidcBackChannelLogoutSessionRequired'
DESC 'Back-channel logout session required flag'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OpenID Connect 1.0' )
To apply the LDIF file from the command on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f client-schema-attributes-update.ldif
The OpenLDAP directory will automatically assign new {xxxx} prefixes to the
attributes.
Step 6. Update the client object classes schema
Apply the following LDIF file to update the client object classes schema.
Remember to replace the dn: cn={5}oidcClient... with the actual DN of the
session schema that you recorded above!
dn: cn={5}oidcSession,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.1 NAME 'oauthClientIdentity'
DESC 'OAuth 2.0 client identity'
SUP top
STRUCTURAL
MUST oauthClientID
MAY ( description $
oauthClientIDIssueTime $
oauthClientSecret $
oauthClientSecretExp $
oauthClientRegistrationAccessToken $
oauthClientRegistrationURI )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.2 NAME 'oauthClientIdentityAux'
DESC 'OAuth 2.0 client identity'
SUP top
AUXILIARY
MUST oauthClientID
MAY ( description $
oauthClientIDIssueTime $
oauthClientSecret $
oauthClientSecretExp $
oauthClientRegistrationAccessToken $
oauthClientRegistrationURI )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.3 NAME 'oauthClientMetadata'
DESC 'OAuth 2.0 client metadata'
SUP oauthClientIdentity
STRUCTURAL
MAY ( mail $
oauthRedirectURI $
oauthClientName $
oauthClientURI $
oauthLogoURI $
oauthTermsOfServiceURI $
oauthPolicyURI $
oauthTokenEndpointAuthMethod $
oauthTokenEndpointJWSAlg $
oauthScopeValue $
oauthGrantType $
oauthResponseType $
oauthJWKSetURI $
oauthJWKSet $
oauthSoftwareID $
oauthSoftwareVersion $
oauthClientData )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.4 NAME 'oauthClientMetadataAux'
DESC 'OAuth 2.0 client metadata'
SUP oauthClientIdentityAux
AUXILIARY
MAY ( mail $
oauthRedirectURI $
oauthClientName $
oauthClientURI $
oauthLogoURI $
oauthTermsOfServiceURI $
oauthPolicyURI $
oauthTokenEndpointAuthMethod $
oauthTokenEndpointJWSAlg $
oauthScopeValue $
oauthGrantType $
oauthResponseType $
oauthJWKSetURI $
oauthJWKSet $
oauthSoftwareID $
oauthSoftwareVersion $
oauthClientData )
X-ORIGIN 'OAuth 2.0 Dynamic Client Registration Protocol' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.5 NAME 'oidcRelyingParty'
DESC 'OpenID Connect 1.0 Relying Party (RP)'
SUP oauthClientMetadata
STRUCTURAL
MAY ( oidcAppType $
oidcSectorIdentifierURI $
oidcSubjectType $
oidcRequestJWSAlg $
oidcRequestJWEAlg $
oidcRequestJWEEnc $
oidcRequestURI $
oidcIDTokenJWSAlg $
oidcIDTokenJWEAlg $
oidcIDTokenJWEEnc $
oidcUserInfoJWSAlg $
oidcUserInfoJWEAlg $
oidcUserInfoJWEEnc $
oidcDefaultMaxAge $
oidcRequireAuthTime $
oidcDefaultACR $
oidcInitiateLoginURI $
oidcPostLogoutRedirectURI $
oidcFrontChannelLogoutURI $
oidcFrontChannelLogoutSessionRequired $
oidcBackChannelLogoutURI $
oidcBackChannelLogoutSessionRequired )
X-ORIGIN 'OpenID Connect 1.0' )
olcObjectClasses: ( 1.3.6.1.4.1.40805.1.2.6 NAME 'oidcRelyingPartyAux'
DESC 'OpenID Connect 1.0 Relying Party (RP)'
SUP oauthClientMetadataAux
AUXILIARY
MAY ( oidcAppType $
oidcSectorIdentifierURI $
oidcSubjectType $
oidcRequestJWSAlg $
oidcRequestJWEAlg $
oidcRequestJWEEnc $
oidcRequestURI $
oidcIDTokenJWSAlg $
oidcIDTokenJWEAlg $
oidcIDTokenJWEEnc $
oidcUserInfoJWSAlg $
oidcUserInfoJWEAlg $
oidcUserInfoJWEEnc $
oidcDefaultMaxAge $
oidcRequireAuthTime $
oidcDefaultACR $
oidcInitiateLoginURI $
oidcPostLogoutRedirectURI $
oidcFrontChannelLogoutURI $
oidcFrontChannelLogoutSessionRequired $
oidcBackChannelLogoutURI $
oidcBackChannelLogoutSessionRequired )
X-ORIGIN 'OpenID Connect 1.0' )
To apply the LDIF file from the command on the OpenLDAP host:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f session-schema-classes-update.ldif
Step 7. Validate the compliance of the schema after the updates
You can do that with the slapschema utility included with OpenLDAP:
sudo slapschema
5. Assistance
If you need assistance with the above, email Connect2id support.