The core UH LDAP server is ldap1.its.hawaii.edu and is based on the uhEduPerson schema.
The current LDAP will be retired
The current LDAP server will be retired January 21, 2014. New services should utilize our Next Generation LDAP (see below).
Next Generation LDAP
The next generation of our LDAP service is now in Production. Please see below for details:
Our core UH LDAP service currently has data in three branches:
- ou=people,dc=hawaii,dc=edu
  - All people who have received a UH Number, meaning anyone who was, is or will shortly be a student, faculty member, staff member or guest at UH.
  - See also UH Role Assignments, Role Transitions and Systems of Record
  - The UH Online Directory relies on this branch for providing contact information for people.
- ou=misc,dc=hawaii,dc=edu
  - Departmental/group UH Usernames
  - Visiting individuals who have been granted the ability to access the Internet from our campus(es).
- ou=dept_listings,dc=hawaii,dc=edu
  - Department listings, primarily used for printing the University Phone Directory.
Accessing LDAP
host | port | comments
---|---|---
ldap1.its.hawaii.edu | 389 | cleartext LDAP; data goes over the wire unencrypted, so do not provide any password when you connect on this port
ldap1.its.hawaii.edu | 636 | LDAPS (encrypted); always use this port when providing a password
- Connecting to LDAP is referred to as binding.
- You can bind to LDAP anonymously (without using any credentials).
  - This only gets you public information for faculty and staff. No students.
  - This is the only time you should connect in cleartext to port 389.
- You can bind to LDAP using a special DN.
  - You must request a special DN if you wish to access students or other non-public information.
  - Always bind using secure LDAP over port 636.
UNIX LDAP commands (e.g. ldapsearch) may not print an error message if you provide an incorrect special DN or password. They continue working as if you had bound anonymously, which is misleading: you may think you are using your special DN when in fact you can only get at public information (e.g. you cannot search for students). Confirm which identity the server actually bound you as (for example with ldapwhoami, which prints the bound DN or "anonymous") before trusting the results.
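The following is an added example (not code from UH ITS) that applies the rules above from the client side: it builds OpenLDAP `ldapsearch` and `ldapwhoami` command lines that refuse to send credentials over cleartext port 389, and it interprets `ldapwhoami` output so that a bind which silently fell back to anonymous is detected rather than trusted. The special DN `cn=myapp,dc=hawaii,dc=edu` and the sample `ldapwhoami` outputs are constructed placeholders; a real special DN is issued by ITS.

```python
"""Bind hygiene for the UH LDAP service (ldap1.its.hawaii.edu).

Added example, not code from UH ITS: it builds OpenLDAP client command lines
(ldapsearch, ldapwhoami) and interprets ldapwhoami output. The special DN and
the sample ldapwhoami outputs are constructed placeholders.
"""
from typing import List, Optional

HOST = "ldap1.its.hawaii.edu"
PEOPLE_BASE = "ou=people,dc=hawaii,dc=edu"
SPECIAL_DN = "cn=myapp,dc=hawaii,dc=edu"  # placeholder; the real DN is issued by ITS


def ldap_url(secure: bool) -> str:
    """LDAPS on 636 for anything involving credentials, cleartext 389 otherwise."""
    return f"ldaps://{HOST}:636" if secure else f"ldap://{HOST}:389"


def credentials_allowed(url: str) -> bool:
    """A password may only travel over an ldaps:// URL (port 636)."""
    return url.startswith("ldaps://")


def search_argv(ldap_filter: str, attrs: List[str],
                bind_dn: Optional[str] = None,
                secure: Optional[bool] = None) -> List[str]:
    """Build an ldapsearch argv.

    Anonymous searches default to cleartext 389 (public faculty/staff data only).
    Any search that binds with a DN is forced onto LDAPS, and the password is
    taken interactively with -W so it never appears in argv or shell history.
    """
    if secure is None:
        secure = bind_dn is not None
    url = ldap_url(secure)
    if bind_dn is not None and not credentials_allowed(url):
        raise ValueError(f"refusing to send credentials over {url}")
    argv = ["ldapsearch", "-x", "-LLL", "-H", url, "-b", PEOPLE_BASE]
    if bind_dn is not None:
        argv += ["-D", bind_dn, "-W"]
    return argv + [ldap_filter] + attrs


def whoami_argv(bind_dn: str) -> List[str]:
    """ldapwhoami over LDAPS: asks the server which identity it actually bound us as."""
    return ["ldapwhoami", "-x", "-H", ldap_url(True), "-D", bind_dn, "-W"]


def bound_identity(whoami_output: str) -> Optional[str]:
    """Parse ldapwhoami output: 'dn:<DN>' (or 'u:<user>') when authenticated,
    'anonymous' when the bind silently fell back to anonymous (returns None)."""
    lines = whoami_output.strip().splitlines()
    line = lines[0].strip() if lines else ""
    for prefix in ("dn:", "u:"):
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def verify_bind(expected_dn: str, whoami_output: str) -> bool:
    """True only if the server confirms we are bound as the special DN we asked for.
    DNs are compared case-insensitively with whitespace around components removed."""
    ident = bound_identity(whoami_output)
    if ident is None:
        return False

    def norm(dn: str) -> str:
        return ",".join(part.strip() for part in dn.lower().split(","))

    return norm(ident) == norm(expected_dn)


# Constructed ldapwhoami outputs for the two outcomes described on this page.
SAMPLE_WHOAMI_OK = "dn:cn=myapp,dc=hawaii,dc=edu\n"
SAMPLE_WHOAMI_ANON = "anonymous\n"

if __name__ == "__main__":
    print(" ".join(search_argv("(uid=jdoe)", ["cn", "mail"])))
    print(" ".join(search_argv("(uid=jdoe)", ["cn", "mail"], bind_dn=SPECIAL_DN)))
    print(" ".join(whoami_argv(SPECIAL_DN)))
    print("bound as special DN:", verify_bind(SPECIAL_DN, SAMPLE_WHOAMI_OK))
    print("bound as special DN:", verify_bind(SPECIAL_DN, SAMPLE_WHOAMI_ANON))
```

Run `ldapwhoami` with the same DN and password you intend to use for `ldapsearch`; if `bound_identity` returns `None`, the credentials were not accepted and any search results you obtain are the anonymous (public-only) view, whatever the absence of an error message suggests.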
Using LDAP to verify a UH username and password
- See LDAP Authentication
- If you wish to limit use of your app to certain roles and/or campuses, you should retrieve the affiliations of the person associated with the authenticated username, and allow only those matching your criteria to pass through.
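The affiliation check described above, as an added example that is not UH ITS code. It assumes (an assumption, not something this page states) that affiliations come back as multi-valued strings of the form `role@CAMPUS`, such as `student@UH_MANOA`, in an attribute named `uhOrgAffiliation`; the real uhEduPerson attribute name and value format must be taken from the schema documentation. The sample entries are constructed. The check fails closed when the attribute is absent, which is also what you get when a bind silently fell back to anonymous and non-public attributes were withheld.

```python
"""Affiliation gating after the username/password has been verified against LDAP.

Added example, not UH ITS code. Assumptions, labelled: affiliations are
multi-valued strings of the form role@CAMPUS (e.g. "student@UH_MANOA") held in
the attribute named by AFFILIATION_ATTR; check the uhEduPerson schema
documentation for the real attribute name and value format. Sample entries
below are constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple

AFFILIATION_ATTR = "uhOrgAffiliation"  # assumed attribute name

Entry = Dict[str, List[str]]  # an LDAP entry as attribute -> list of values


def parse_affiliation(value: str) -> Tuple[str, str]:
    """'staff@UH_HILO' -> ('staff', 'UH_HILO'); a value with no campus part gets ''."""
    role, _, campus = value.partition("@")
    return role.strip().lower(), campus.strip().upper()


def matching_affiliations(entry: Entry, allowed_roles: Iterable[str],
                          allowed_campuses: Optional[Iterable[str]] = None
                          ) -> List[Tuple[str, str]]:
    """Affiliations of the entry that satisfy the role and (optionally) campus criteria.

    A missing attribute yields [] so the caller fails closed. Role and campus
    comparisons are case-insensitive.
    """
    roles = {r.lower() for r in allowed_roles}
    campuses = None
    if allowed_campuses is not None:
        campuses = {c.upper() for c in allowed_campuses}
    matches = []
    for value in entry.get(AFFILIATION_ATTR, []):
        role, campus = parse_affiliation(value)
        if role in roles and (campuses is None or campus in campuses):
            matches.append((role, campus))
    return matches


def authorize(entry: Entry, allowed_roles: Iterable[str],
              allowed_campuses: Optional[Iterable[str]] = None) -> bool:
    """Allow the authenticated person through only if at least one affiliation matches."""
    return bool(matching_affiliations(entry, allowed_roles, allowed_campuses))


# Constructed sample entries (attribute -> values), as returned by a search.
FACULTY_MANOA = {"uid": ["jdoe"], AFFILIATION_ATTR: ["faculty@UH_MANOA", "staff@UH_MANOA"]}
STUDENT_HILO = {"uid": ["astudent"], AFFILIATION_ATTR: ["student@UH_HILO"]}
ANON_VIEW = {"uid": ["astudent"]}  # affiliation withheld: what an anonymous bind sees

if __name__ == "__main__":
    print(authorize(FACULTY_MANOA, ["faculty"], ["UH_MANOA"]))  # True
    print(authorize(STUDENT_HILO, ["faculty", "staff"]))         # False
    print(authorize(ANON_VIEW, ["student"]))                     # False, fails closed
```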
You should also look into CAS (Web Login Service) as an alternative to using LDAP for authentication.