Changes to anonymous LDAP binds 10/1/2018

LDAP anonymous binds are changing on October 1, 2018

The Access Control Instruction (ACI) for the anonymous bind account will be changing starting on October 1, 2018. Currently the ACI permits anonymous access to many attributes [1], but starting October 1, 2018, access to the berkeleyEduAffiliations attribute will be removed. Following further review by various campus security and functional units, additional access restrictions are likely at a later date. These changes are already live at ldap-test.

What does this mean for you?

- If you are currently getting berkeleyEduAffiliations data via an anonymous search, your search will fail.
- If you're using an anonymous search, now would be a good time to register a bind account.
- If your regular bind password is incorrect and you are unknowingly using an anonymous bind, be on the lookout for failures.

If your application experiences trouble reaching LDAP after October 1, contact calnet-admin@berkeley.edu with a thorough description of your problem.
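
One way to check your own search definitions against the points above, as an added example that is not CalNet code: it classifies each simple bind as RFC 4513 section 5.1 does and flags non-authenticated searches that touch berkeleyEduAffiliations. The dict layout, sample names, DNs and values are constructed for illustration.

```python
import re

# Attribute the notice says anonymous sessions lose (LDAP names are case-insensitive).
REMOVED = "berkeleyeduaffiliations"
# Attribute description at the start of each filter item, e.g. "(uid=" or "(cn~=".
FILTER_ATTR = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9;-]*)\s*(?:[~<>]?=|:)")

def bind_kind(bind_dn, password):
    """Classify a simple bind as RFC 4513 section 5.1 does."""
    if password:
        # A password without a DN is not a defined simple bind.
        return "authenticated" if bind_dn else "misconfigured"
    # Empty password: anonymous (no DN) or "unauthenticated" (DN given).
    # Both leave the session in the anonymous authorization state.
    return "unauthenticated" if bind_dn else "anonymous"

def audit(search):
    """Return findings for one search definition (hypothetical dict layout)."""
    kind = bind_kind(search.get("bind_dn"), search.get("password"))
    if kind == "authenticated":
        return []
    findings = [f"bind is {kind}"]
    in_filter = {a.lower() for a in FILTER_ATTR.findall(search.get("filter", ""))}
    wanted = {a.lower() for a in search.get("attrs", [])}
    if REMOVED in in_filter:
        findings.append("filter uses berkeleyEduAffiliations")
    if REMOVED in wanted:
        findings.append("requests berkeleyEduAffiliations")
    elif not wanted or "*" in wanted:
        findings.append("all-attribute request (berkeleyEduAffiliations not returned anonymously)")
    return findings

# Constructed sample configurations, not taken from any real application.
SAMPLES = {
    "roster": {"bind_dn": "", "password": "",
               "filter": "(&(ou=people)(berkeleyEduAffiliations=EXAMPLE-VALUE))",
               "attrs": ["uid", "displayName"]},
    "badge": {"bind_dn": "uid=example-app,dc=example,dc=edu", "password": "",
              "filter": "(uid=1234)", "attrs": []},
    "portal": {"bind_dn": "uid=example-app,dc=example,dc=edu", "password": "s3cret",
               "filter": "(uid=1234)", "attrs": ["berkeleyEduAffiliations"]},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit(cfg) or "ok")
```

A non-empty but incorrect password cannot be caught this way: after a failed bind the session is anonymous (RFC 4511 section 4.2.1), so the application has to check the bind result and stop instead of searching on that connection.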

[1]
(targetattr="uid ||
objectclass || cn || sn || departmentNumber || displayName ||
facsimileTelephoneNumber || givenName || l || labeledURI || mobile || o ||
ou || pager || physicalDeliveryOfficeName || postOfficeBox || postalAddress ||
postalCode || registeredAddress || roomNumber || st || street ||
berkeleyEduIMScreenName || berkeleyEduIMProtocol || telephoneNumber || title ||
berkeleyEduMiddleName || berkeleyEduFirstName || berkeleyEduLastName ||
berkeleyEduNameSalutation || berkeleyEduNameHonorifics ||
berkeleyEduNameGenerational || berkeleyEduAffiliations ||
berkeleyEduPrimaryDeptUnit || berkeleyEduPrimaryDeptUnitHierarchyString ||
berkeleyEduDeptUnitHierarchyString || berkeleyEduUnitCalNetDeptName ||
berkeleyEduUnitHRDeptName || berkeleyEduModDate || berkeleyEduExpDate ||
berkeleyEduMaxExpDate || berkeleyEduTestIDFlag || eduPersonAffiliation ||
eduPersonNickname || eduPersonOrgDN || eduPersonOrgUnitDN ||
eduPersonPrimaryAffiliation || eduPersonPrincipalName ||
eduPersonEntitlement || eduPersonPrimaryOrgUnitDN ||
eduPersonScopedAffiliation || eduPersonTargetedID || modifyTimestamp ||
modifiersName ")

To apply for a privileged bind, see: https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/resources-developers/applying-directory-access

CMR: CHG0031961