The core UH LDAP server is ldap1.its.hawaii.edu and is based on the uhEduPerson schema.

The "legacy" LDAP (ldap1.its.hawaii.edu) will be retired

- The "legacy" schema will be migrated from the Sun LDAP server on Solaris to the open source 389DS server on Red Hat Enterprise Linux (January 25, 2014 at the earliest; stay tuned).
- The "legacy" schema will be fully retired no later than the end of calendar year 2014.

Next Generation LDAP

LDAP for Directory Services
LDAP for directory services is supported by special request and requires executive management approval. Contact the IAM team at <its-iam-help@lists.hawaii.edu> to inquire.
LDAP for Authentication

Warning: DEPRECATED, see the UH Login service instead.

- Using LDAP to verify a UH username and password
- Sample Code
Technical Overview

The core UH LDAP servers are virtually fronted with ldap.hawaii.edu and are based on the uhEduPerson schema. For email clients, see http://www.hawaii.edu/askus/823.
Accessing LDAP
LDAP Environments | host | port | comments |
---|---|---|---|
LDAP, Production | ldap.hawaii.edu | 636 for LDAPS, 389 if using startTLS | cleartext or anonymous binds are rejected, a Special DN is required |
LDAP, Test | ldap-test.its.hawaii.edu | 636 for LDAPS, 389 if using startTLS | cleartext or anonymous binds are rejected, a Special DN is required |
- Connecting to LDAP is referred to as binding.
- You cannot bind to LDAP anonymously; credentials are required.
- You must request a Special DN in order to bind, per UH Data Governance policies.
- Special DNs are only granted when CAS (the UH Web Login Service) will not suffice.
- Special DN requests are subject to E2.215 and may require Data Governance approval.
- If you use persistent connections to LDAP, your code should detect broken connections and re-establish them.
Our UH LDAP service features three branches.

By default a Special DN provides access to the "people" and "misc" branches.

ou=people,dc=hawaii,dc=edu
- All people who have received a UH Number, meaning anyone who was, is, or will shortly be a student, faculty, staff or guest at UH.
- See also UH Role Assignments, Role Transitions and Systems of Record.
- The UH Online Directory relies on this branch for providing contact information for people.

ou=misc,dc=hawaii,dc=edu
- Departmental/group UH Usernames.
- Visiting individuals who have been granted the ability to access the Internet from our campus(es).

ou=dept_listings,dc=hawaii,dc=edu
- Department listings, primarily used for printing or providing PDFs of the University Phone Directory.
Additional LDAP
LDAP Generation | host | port | comments |
---|---|---|---|
Next Generation | ldap.hawaii.edu | 389 | only for STARTTLS, clear binds are rejected, a Special DN is required |
Next Generation | ldap-test.hawaii.edu | 389 | only for STARTTLS, clear binds are rejected, a Special DN is required |
Legacy | ldap1.its.hawaii.edu | 389 | data goes over cleartext, do not provide any passwords when you connect |
Legacy | ldap1.its.hawaii.edu | 636 | LDAPS, encrypted, always use this when providing a password |
- Connecting to LDAP is referred to as binding.
- You can bind to the legacy LDAP (ldap1.its.hawaii.edu) anonymously (without using any credentials).
  - This only gets you public information for faculty and staff. No students.
  - This is the only time you should connect in cleartext to port 389.
- You must bind to our Next Generation LDAP using a Special DN.
- You must request a Special DN in order to bind, per UH Data Governance policies.

UNIX LDAP commands (e.g. ldapsearch) may not print an error message if you provide an incorrect Special DN or password. These commands will continue working as if you had bound anonymously, and this is misleading: you may think you are using your Special DN, but in reality you are only able to get at public information (e.g. you can't search for students).
Using LDAP to verify a UH username and password

- See LDAP Authentication.
- If you wish to limit use of your app to certain roles and/or campuses, you should retrieve the affiliations of the person associated with the authenticated username, and allow only those matching your criteria to pass through.
- You should also look into CAS (Web Login Service) as an alternative to using LDAP for authentication.
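As an added example (not the page's linked Sample Code and not ITS's own code), the verification flow above in Python with the ldap3 library: bind to production over LDAPS with a Special DN, look the person up in ou=people, verify the password with a second bind as that person, and enforce an affiliation allow list; the bind result code is checked explicitly because, as noted above, a quiet bind is not proof that the Special DN was accepted. It assumes the username attribute is `uid` and affiliations are in `eduPersonAffiliation`; confirm both in the Data Element Dictionary.

```python
import ssl

# From the page: the production LDAPS host/port and the "people" branch.
LDAP_HOST, LDAPS_PORT = "ldap.hawaii.edu", 636
PEOPLE_BASE = "ou=people,dc=hawaii,dc=edu"
# Assumed eduPerson-style attribute names; confirm them in the Data Element Dictionary.
USERNAME_ATTR, AFFILIATION_ATTR = "uid", "eduPersonAffiliation"


def bind_succeeded(result):
    # Only LDAP result code 0 counts. A bind that raises no error is not
    # proof of success (cf. the ldapsearch note above), so check the code.
    return isinstance(result, dict) and result.get("result") == 0


def has_allowed_affiliation(affiliations, allowed):
    # Case-insensitive: pass if any of the person's affiliations is on the allow list.
    return bool({a.lower() for a in affiliations} & {a.lower() for a in allowed})


def verify_uh_credentials(special_dn, special_pw, username, password, allowed):
    """Return (ok, reason); ok only if the password bind succeeds AND an allowed affiliation is present."""
    if not password:  # an empty password would be an unauthenticated bind, never a verified login
        return False, "empty password"
    from ldap3 import Connection, Server, Tls  # imported here so the helpers above run without ldap3
    from ldap3.utils.conv import escape_filter_chars
    server = Server(LDAP_HOST, port=LDAPS_PORT, use_ssl=True, tls=Tls(validate=ssl.CERT_REQUIRED))
    conn = Connection(server, user=special_dn, password=special_pw)  # 1. bind with the Special DN
    if not conn.bind() or not bind_succeeded(conn.result):
        return False, f"special DN bind failed: {conn.result}"
    try:
        # 2. Find the person's DN and affiliations; escape the username so it cannot alter the filter.
        conn.search(PEOPLE_BASE, f"({USERNAME_ATTR}={escape_filter_chars(username)})",
                    attributes=[AFFILIATION_ATTR])
        hits = [r for r in conn.response if r["type"] == "searchResEntry"]
        if len(hits) != 1:
            return False, "username not found (or not unique)"
        user_dn = hits[0]["dn"]
        vals = hits[0]["attributes"].get(AFFILIATION_ATTR, [])
        affiliations = vals if isinstance(vals, list) else [vals]
    finally:
        conn.unbind()
    user_conn = Connection(server, user=user_dn, password=password)  # 3. bind as the person to check the password
    ok = user_conn.bind() and bind_succeeded(user_conn.result)
    user_conn.unbind()
    if not ok:
        return False, "invalid username or password"
    if not has_allowed_affiliation(affiliations, allowed):  # 4. enforce role/campus criteria
        return False, f"affiliation not permitted: {affiliations}"
    return True, "ok"
```

Call `verify_uh_credentials(special_dn, special_pw, username, password, ["staff", "student"])` from a request handler; the person's affiliations are fetched with the Special DN before the password bind, so a wrong password never reveals anything about the account.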
Additional Information

Data Element Dictionary
This dictionary provides a detailed explanation of each of the LDAP attributes.

Technical Support
There is an active UH community of developers and a good chance that at least one of them has experience with your scenario. It is well worth joining this community's email list if you've not already done so. For details, visit the UH Applications Developers Forum page. Note that the ITS Identity and Access Management team also participates on this list.