Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 63 Next »

The core UH LDAP servers are virtually fronted with ldap.hawaii.edu and are based on the uhEduPerson schema.

For email clients, see http://www.hawaii.edu/askus/823.

Table of Contents

Accessing LDAP

READ WELL: web apps shall not cache or log UH passwords. For security purposes special DNs will be disabled if necessary.

LDAP Environments

host

port

comments

(tick) LDAP, Productionldap.hawaii.edu636 for LDAPS, 389 if using startTLScleartext or anonymous binds are rejected, a Special DN is required
(tick) LDAP, Testldap-test.its.hawaii.edu636 for LDAPS, 389 if using startTLScleartext or anonymous binds are rejected, a Special DN is required
  • Connecting to LDAP is referred to as binding.
  • You cannot bind to LDAP anonymously, credentials are required.
    • You must request a special DN in order to bind per UH Data Governance policies.
    • Special DNs are only granted when CAS (the UH Web Login Service) will not suffice.
    • Special DN requests are subject to E2.215 and may require a Data Governance approval.

Our UH LDAP service features three branches

By default a Special DN provides access to the "people" and "misc" branches.

  • ou=people,dc=hawaii,dc=edu
    • All people who have received a UH Number, meaning anyone who was, is or will shortly be a student, faculty, staff or guest at UH.
    • See also UH Role Assignments and Transitions
    • The UH Online Directory relies on this branch for providing contact information for people.
  • ou=misc,dc=hawaii,dc=edu
    • Departmental/ Group UH Usernames
    • Visiting individuals who have have been granted the ability to access the Internet from our campus(es).
  • ou=dept_listings,dc=hawaii,dc=edu
    • Department listings, primarily used for printing or providing PDFs of the University Phone Directory.

Data Element Dictionary

This dictionary provides a detailed explanation of each of the LDAP attributes.

Using LDAP to verify a UH username and password

  • See LDAP Authentication
  • If you wish to limit use of your app to certain roles and/or campuses, you should retrieve the affiliations of the person associated with the authenticated username, and allow only those matching your criteria to pass through.

CAS recommended as an alternative to LDAP

Consider CAS (the UH Login Service) as the preferred and highly recommended alternative to using LDAP for authentication where feasible. Why use CAS?

Security

  • Passwords are hidden from the app; the app does not have to be responsible for handling passwords securely
  • CAS supports enhanced security with multi-factor authentication (MFA) via DUO

Convenience

  • No login for subsequent apps if SSO is allowed

Consistency

  • One official login page for all of UH

Sample Code

Technical Support

There is an active UH community of developers and a good chance that at least one of them has experience with your scenario.  It is well worth joining this community's email list if you've not already done so.  For details, visit UH Applications Developers Forum page.  Note that the ITS Identity and Access Management team also participates on this list.

  • No labels