The core UH LDAP server is ldap1.its.hawaii.edu and is based on the uhEduPerson schema.
The current LDAP will be retired
The current LDAP server will be retired January 21, 2014. New services should utilize our Next Generation LDAP (see below).
Next Generation LDAP
The next generation of our LDAP service is now in Production. Please see below for details:
Our core UH LDAP service currently has data in three branches:
- ou=people,dc=hawaii,dc=edu
  - All people who have received a UH Number, meaning anyone who was, is or will shortly be a student, faculty, staff or guest at UH.
  - See also UH Role Assignments, Role Transitions and Systems of Record
  - The UH Online Directory relies on this branch for providing contact information for people.
- ou=misc,dc=hawaii,dc=edu
  - Departmental/Group UH Usernames
  - Visiting individuals who have been granted the ability to access the Internet from our campus(es).
- ou=dept_listings,dc=hawaii,dc=edu
  - Department listings, primarily used for printing the University Phone Directory.
Accessing LDAP
LDAP Generation | host | port | comments
---|---|---|---
Next Generation | ldap.hawaii.edu | 389 | only for STARTTLS, clear binds are rejected, a Special DN is required
Next Generation | ldap-test.hawaii.edu | 389 | only for STARTTLS, clear binds are rejected, a Special DN is required
Current | ldap1.its.hawaii.edu | 389 | data goes over cleartext, do not provide any passwords when you connect
Current | ldap1.its.hawaii.edu | 636 | LDAPS, encrypted, always use this when providing a password
- Connecting to LDAP is referred to as binding.
- You can bind to LDAP anonymously (without using any credentials).
  - This only gets you public information for faculty and staff. No students.
  - This is the only time you should connect in cleartext to port 389.
- You must bind to our Next Generation LDAP using a special DN
- You must request a special DN in order to bind per UH Data Governance policies.
UNIX LDAP commands (e.g. ldapsearch) may not print an error message if you provide an incorrect special DN or password. These commands continue working as if you had bound anonymously, which is misleading: you may think you are using your special DN, but in reality you can only get at public information (e.g. you can't search for students).
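The endpoint rules from the table and the silent anonymous-fallback pitfall above, as an added Python example that is not from ITS: it refuses to send a password over the cleartext port, uses STARTTLS or LDAPS as the table requires, and confirms after binding that the server really authenticated the special DN. It assumes the third-party ldap3 library and uses a constructed placeholder DN; the bind itself needs network access, while the two policy helpers run stand-alone.

```python
import ssl

# Endpoints listed on the ITS page; the generation label for each host comes from the page text.
ENDPOINTS = {
    ("ldap.hawaii.edu", 389): "starttls",        # Next Generation: STARTTLS only, special DN required
    ("ldap-test.hawaii.edu", 389): "starttls",   # Next Generation test instance
    ("ldap1.its.hawaii.edu", 389): "cleartext",  # current: anonymous public data only
    ("ldap1.its.hawaii.edu", 636): "ldaps",      # current: the only port to use with a password
}


def transport_for(host, port, has_password):
    """Return the transport for an endpoint, refusing to send a password in the clear."""
    mode = ENDPOINTS.get((host, port))
    if mode is None:
        raise ValueError(f"unknown UH LDAP endpoint {host}:{port}")
    if mode == "cleartext" and has_password:
        raise ValueError("port 389 on ldap1 is cleartext; use LDAPS on 636 when binding with a password")
    return mode


def bound_as_expected(whoami, expected_dn):
    """RFC 4532 'Who am I?' returns 'dn:<DN>' for an authenticated bind and an empty
    authzId for an anonymous one; this check catches the silent fallback to anonymous."""
    prefix, _, dn = (whoami or "").partition(":")
    return prefix.lower() == "dn" and dn.strip().lower() == expected_dn.strip().lower()


def bind_special_dn(host, port, bind_dn, password):
    """Open a connection using the safe transport and prove the bind used bind_dn."""
    from ldap3 import Connection, Server, Tls  # third-party library (assumed installed)

    mode = transport_for(host, port, password is not None)
    tls = Tls(validate=ssl.CERT_REQUIRED)        # verify the server certificate
    server = Server(host, port=port, use_ssl=(mode == "ldaps"), tls=tls)
    conn = Connection(server, user=bind_dn, password=password, auto_bind=False)
    conn.open()
    if mode == "starttls":
        conn.start_tls()                          # upgrade before any credentials are sent
    if not conn.bind():
        raise RuntimeError(f"bind rejected: {conn.result.get('description')}")
    if not bound_as_expected(conn.extend.standard.who_am_i(), bind_dn):
        conn.unbind()
        raise RuntimeError("server treated the bind as anonymous; check the special DN and password")
    return conn
```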
Using LDAP to verify a UH username and password
- See LDAP Authentication
- If you wish to limit use of your app to certain roles and/or campuses, you should retrieve the affiliations of the person associated with the authenticated username, and allow only those matching your criteria to pass through.
You should also look into CAS (Web Login Service) as an alternative to using LDAP for authentication.