LDAP Simplification
Background
A simplified, more supportable LDAP was introduced on October 4, 2016.
At Berkeley, our LDAP server had been heavily modified to act as a primary data store for all identity information. As part of the Student Information System development effort, CalNet deployed a new Berkeley Person Registry (BPR). This is a database that sits between the authoritative systems of record and the LDAP servers. BRP replaces LDAP as the primary data store for identity information. As a result of these changes, the considerable complexity of the heavily modified LDAP schema was no longer necessary and was simplified to a more standard deployment.
What Changed
The three main changes to the LDAP structure were:
-
Job Appointment, Affiliate and Term Sub-Entries were deprecated.
-
Approximately 130 LDAP attributes were deprecated.
-
Affiliates and expirations are now handled differently.
What Stayed the Same?
The OU structure is remaining the same, for now. The practice of moving records between OUs will continue at this time. This will be revisited in the future.
Address Sub-Entries also remained the same. These are updated directly from the CalNet Directory update application. This will also be addressed in the future.
Changes to Affiliate IDs
LDAP has traditionally stored unique expiry dates for various affiliations. Those expiry dates indicated the date on which an affiliation would no longer be valid. Account expiration scripts would then use those dates to calculate the grace period for the account. This logic was actually duplicated by consumers trying to align with CalNet’s internal calculations. The affiliation specific expiry dates used to be stored in:
berkeleyEduStuExpDate
berkeleyEduEmpExpDate
berkeleyEduAffExpDate
These fields have been deprecated. Instead CalNet consistently populates the following field:
berkeleyEduExpDate
The value in berkeleyEduExpDate is the official date on which a record will be expired. This means that systems should assume that this person will no longer be able to log in on that date. (It is possible that an Alumni affiliation will cause this record to be moved to ou=advcon but unless you have access to advcon, this is functionally the same as the record being expired).
The grace period will have been calculated and reflected in this date. The presence of a value in this field means that all active affiliations have already expired and the account is in it’s grace period. If a system of record subsequently asserts this person again, the berkeleyEduExpDate will be nulled out.
Why did we change LDAP?
An LDAP schema is effectively a contract between the people who populate the data and the people who consume it. Historically, at Berkeley, it was not treated as such. In everyone’s effort to find the best solution for their applications, we collectively allowed a large and unwieldy LDAP schema to become the defacto contract. This was not a contract that the University could realistically maintain while meeting the increased demand for advanced Identity and Access services, and also being pressured to reduce costs. This new LDAP schema represents a contract that bIT can realistically support into the future, with the understanding that future modifications and renegotiations are always possible.
What if I have problems with the new LDAP?
If your code is dependent on deprecated attributes, you should immediately start engaging with api-central to find a new source for the data.
You can test your application by pointing a test version at test ldap instance:
nds-p6.calnet.berkeley.edu
Appendix A: The new LDAP schema
|
Attribute |
Description |
Single/Multi Value |
|
audio |
Standard LDAP attribute type |
|
|
berkeleyEduHCMID |
This is a unique identifier from HCM. Also known as the Emplid. If a person is a staff or faculty member, this value will also appear in the employeeNumber field. If they are just an HCM Affiliate, this will be the only place to find this value. |
Single |
|
berkeleyEduCadsAffID |
Affiliate ID from ADVCON |
Single |
|
berkeleyEduCalnetAffID |
Affiliate ID from CalNet |
Single |
|
berkeleyEduAffID (ucbaffid) |
Multi value list of Unique identifiers from system of record for affiliates (for backwards compatibility) |
Multi |
|
berkeleyEduAffTypes |
Multi value list of legacy user affiliation types |
Multi |
|
berkeleyEduAffiliations (ucbaffiliations) |
Multi value list of affiliations a person has |
Multi |
|
berkeleyEduBirthDay (ucbbday) |
Birth day |
Single |
|
berkeleyEduBirthMonth (ucbbmonth) |
Birth month |
Single |
|
berkeleyEduCalNetUIDConsolidationDate |
If a duplicate record was consolidated into this record, this was the date it happened |
Single |
|
berkeleyEduAlternateID |
bConnected Email address |
Single |
|
berkeleyEduCalNetIDUpdatedFlag |
Indicates the user has updated their CalNet ID |
Single |
|
berkeleyEduCalNetUIDOld |
If a duplicate record was consolidated into this record, this was the other UID |
Single |
|
berkeleyEduConfidentialFlag (ucbconfidentialflag) |
Flag set by students who don't want their data to show up in the directory |
Single |
|
berkeleyEduCSID |
Unique identifier from Campus Solutions (Emplid) |
Single |
|
berkeleyEduEmailRelFlag (ucbemailrelflag) |
Flag set to indicate that email address should not be displayed in the directory |
Single |
|
berkeleyEduEmpDeptUnitTitleCode |
The title code of the primary job |
Single |
|
berkeleyEduEmpTitleCode (ucbemptitlecode) |
Multi value list of all job codes |
Multi |
|
berkeleyEduExpDate |
The date on which an account will be expired. |
Single |
|
berkeleyEduFirstName |
First name as set by the user |
Single |
|
berkeleyEduIsMemberOf |
Multi value list of all the groups a user is member of |
Multi |
|
berkeleyEduKerberosPrincipalString (ucbkerberosprincipalstringberkeleyEduCalNetID) |
The user's CalNet ID |
Single |
|
berkeleyEduKerberosPrincipalStringOld |
If the user changed their CalNet ID, the old CalNet ID is captured here |
Single |
|
berkeleyEduLastName |
Last name as set by the user |
Single |
|
berkeleyEduOfficialEmail (ucbemail) |
Email address, set to bConnected account address when that is created but can be set by user to any @berkeley.edu email address owned by user. |
Single |
|
berkeleyEduPrimaryDeptUnit (ucbemphomedept) |
Unit code of the user's primary department. |
Single |
|
berkeleyEduSPAUsersGroup |
Applied only to a SPA account |
|
|
berkeleyEduStuID (ucbstuid) |
Student Number, 8 or 10 digits. Should be the same value as berkeleyEduCSID for students |
Single |
|
berkeleyEduTestIDFlag (ucbtestidflag) |
A flag set to indicate this is a CalNet Test ID |
Single |
|
c (countryName) |
Address country as set by user |
Single |
|
cn (commonName) |
Full name in "surname, givenName" format |
Single |
|
departmentNumber |
Multi value list of active department codes |
Multi |
|
description |
Standard LDAP attribute type |
Public |
|
displayName |
Calculated full name based on preferred names from various systems |
Single |
|
employeeNumber |
Employee number from HR should be the same as berkeleyEduHCMID for employees |
Single |
|
employeeType |
Staff or Faculty |
Single |
|
givenName |
first name |
Single |
|
mail (rfc822Mailbox) |
Email address as provided by the user |
Single |
|
ou (organizationalUnitName) |
ou for the record (part of the DN) |
Single |
|
postalAddress |
Built from pieces of the address as entered by the user |
Single |
|
postalCode |
Zip/Postal code as entered by the user |
Single |
|
roomNumber |
Room number in the address as entered by the user |
Single |
|
sn (surname) |
Last name |
Single |
|
st (stateOrProvinceName) |
State or Province from the address the user entered |
Single |
|
street (streetAddress) |
Street Address from the address the user entered |
Single |
|
telephoneNumber |
Phone number as entered by the user |
Single |
|
title |
Title as entered by the user |
Single |
|
UCnetID (ucbnetid) |
UCNetid is an identifier provided by UCOP |
Single |
|
uid (userid) |
Unique identifier assigned by CalNet and returned by CAS |
Single |
|
berkeleyEduMiddleName |
Middle Name as asserted by systems of record or set by the user |
Single |
|
berkeleyEduNameGenerational |
Generational component of name as set by user |
Single |
|
berkeleyEduNameHonorifics |
Honorific as set by user |
Single |
|
berkeleyEduNameSalutation |
Salutation as set by user |
Single |
|
berkeleyEduCalNetIDUpdatedDate |
Date a CalNet ID was created or changed |
Single |
|
berkeleyEduUnitHRDeptName |
HR Department Unit Name from HCM |
Single |
|
facsimileTelephoneNumber |
Fax number as entered by the user |
Single |
|
l (localityName) |
City or County as entered by the user |
Single |
|
labeledURI |
URL as entered by the user |
Single |
|
mobile (mobileTelephoneNumber) |
Mobile number as entered by the user |
Single |
|
o (organizationName) |
value: "University of California, Berkeley" |
Single |
|
eduPersonAssurance |
Kept for compliance with eduPerson schema |
|
|
eduPersonEntitlement |
Kept for compliance with eduPerson schema |
|
|
eduPersonPrincipalName |
Kept for compliance with eduPerson schema |
Appendix B: Deprecated Attributes
THE FOLLOWING ATTRIBUTES WILL NO LONGER BE SUPPORTED
| berkeleyEduAcaSenFlag |
| berkeleyEduAffApptBeginDate |
| berkeleyEduAffApptEndDate |
| berkeleyEduAffBirthMonthDay |
| berkeleyEduAffCreateDate |
| berkeleyEduAffFeePaidDate |
| berkeleyEduAffiliationsDetailed |
| berkeleyEduAffModDate |
| berkeleyEduAffName |
| berkeleyEduAffTerminationDate |
| berkeleyEduAffWorkStudyFlag |
| berkeleyEduAppStandardCalMailDeptAccountTicket |
| berkeleyEduAppStandardCalMailDisallowedBy |
| berkeleyEduAppStandardCalMailDisallowedDate |
| berkeleyEduAppStandardCalMailDisallowedFlag |
| berkeleyEduAppStandardCommuniteAddlMbox |
| berkeleyEduAppStandardCommuniteAdminFlag |
| berkeleyEduAppStandardCommuniteEmailAddress |
| berkeleyEduAppStandardCommuniteEmailHost |
| berkeleyEduAppStandardCommuniteEmailPassword |
| berkeleyEduAppStandardCommuniteEmailUserName |
| berkeleyEduAppStandardDeputyOptOutFlag |
| berkeleyEduAppStandardQuestPerms |
| berkeleyEduAppStandardWebDiskID |
| berkeleyEduAppStandardWmfGid |
| berkeleyEduAppStandardWmfHomeDir |
| berkeleyEduAssistant |
| berkeleyEduCalNetKey |
| berkeleyEduCalNetKeySalt |
| berkeleyEduCrisis* |
| berkeleyEduDeptUnitHierarchyString |
| berkeleyEduDeputyAdminTool |
| berkeleyEduDeputyAuthorizedBy |
| berkeleyEduDeputyClassDate |
| berkeleyEduDeputyComments |
| berkeleyEduDeputyDisabledDate |
| berkeleyEduDeputyDisabledFlag |
| berkeleyEduDeputyIPsAllowed |
| berkeleyEduDeputyPrincipal |
| berkeleyEduDeputyPrincipalProcUnit |
| berkeleyEduDeputyProcUnits |
| berkeleyEduDeputyType |
| berkeleyEduEmpApptBeginDate |
| berkeleyEduEmpApptEndDate |
| berkeleyEduEmpApptType |
| berkeleyEduEmpBirthMonthDay |
| berkeleyEduEmpCreateDate |
| berkeleyEduEmpCTOCode |
| berkeleyEduEmpExpDate |
| berkeleyEduEmpModDate |
| berkeleyEduEmpName |
| berkeleyEduEmpRelationsCode |
| berkeleyEduEmpTerminationDate |
| berkeleyEduEmpWorkStudyFlag |
| berkeleyEduExcludeFlag |
| berkeleyEduFacultyFlag |
| berkeleyEduIdentityVerifiedDate |
| berkeleyEduIMProtocol |
| berkeleyEduIMScreenName |
| berkeleyEduKerberosInstance |
| berkeleyEduKerberosPrimary |
| berkeleyEduKerberosRealm |
| berkeleyEduKerberosStatusCode |
| berkeleyEduMaidenName |
| berkeleyEduMaxExpDate |
| berkeleyEduModDate |
| berkeleyEduOnlineUpdateAllowedFlag |
| berkeleyEduPassphraseCompliant |
| berkeleyEduPersonAddressBuildingCode |
| berkeleyEduPersonAddressCountryCode |
| berkeleyEduPersonAddressDeptDN |
| berkeleyEduPersonAddressHRJobTitle |
| berkeleyEduPersonAddressLocationCode |
| berkeleyEduPersonAddressPublications |
| berkeleyEduPersonAddressReceiveMailFlag |
| berkeleyEduPersonAddressSortOrder |
| berkeleyEduPersonAddressType |
| berkeleyEduPersonAddressUnitCalNetDeptName |
| berkeleyEduPhoneBookOnlyFlag |
| berkeleyEduPhotoIDVerifiedDate |
| berkeleyEduPPSivrStatusFlag |
| berkeleyEduPrimaryDeptUnitHierarchyString |
| berkeleyEduSPAAdminGroup |
| berkeleyEduSPAApproverUID |
| berkeleyEduSPACollection |
| berkeleyEduSSN |
| berkeleyEduStuApprovedWithdrawEndDate |
| berkeleyEduStuBirthDate |
| berkeleyEduStuCollegeCode |
| berkeleyEduStuCollegeName |
| berkeleyEduStuCreateDate |
| berkeleyEduStuEduLevelCode |
| berkeleyEduStuEduLevelName |
| berkeleyEduStuEduRoleCode |
| berkeleyEduStuEduRoleName |
| berkeleyEduStuExpDate |
| berkeleyEduStuMajorCode |
| berkeleyEduStuMajorName |
| berkeleyEduStuModDate |
| berkeleyEduStuName |
| berkeleyEduStuRegStatCode |
| berkeleyEduStuRegStatName |
| berkeleyEduStuTermCode |
| berkeleyEduStuTermName |
| berkeleyEduStuTermStatus |
| berkeleyEduStuTermYear |
| berkeleyEduStuUGCode |
| berkeleyEduTokenIssuer |
| berkeleyEduUasEligFlag |
|
berkeleyEduUnitCalNetDeptName |
| businessCategory |
| carLicense |
| destinationIndicator |
| eduPersonAffiliation |
| eduPersonNickname |
| eduPersonOrgDN |
| eduPersonOrgUnitDN |
| eduPersonPrimaryAffiliation |
| eduPersonPrimaryOrgUnitDN |
| eduPersonScopedAffiliation |
| eduPersonTargetedID |
| homePhone |
| homePostalAddress |
| initials |
| internationaliSDNNumber |
| jpegPhoto |
| manager |
| pager |
| photo |
| physicalDeliveryOfficeName |
| postOfficeBox |
| preferredDeliveryMethod |
| preferredLanguage |
| registeredAddress |
| secretary |
| seeAlso |
| teletexTerminalIdentifier |
| telexNumber |
| UCTrustAssurance |
|
Person Term Subentry Attributes |
|
berkeleyEduStuChangeDate |
|
berkeleyEduStuCollegeCode |
|
berkeleyEduStuCollegeName |
|
berkeleyEduStuEduLevelCode |
|
berkeleyEduStuEduLevelName |
|
berkeleyEduStuEduRoleCode |
|
berkeleyEduStuEduRoleName |
|
berkeleyEduStuMajorCode |
|
berkeleyEduStuMajorName |
|
berkeleyEduStuRegStatCode |
|
berkeleyEduStuRegStatName |
|
berkeleyEduStuTermCode |
|
berkeleyEduStuTermName |
|
berkeleyEduStuTermStatus |
|
berkeleyEduStuTermYear |
|
berkeleyEduStuUGCode |
|
Person Job Appointment Subentry |
|
berkeleyEduPersonJobApptCTOCode |
|
berkeleyEduPersonJobApptDepartment |
|
berkeleyEduPersonJobApptEmpRecNumber |
|
berkeleyEduPersonJobApptPersPgmCode |
|
berkeleyEduPersonJobApptPrimaryFlag |
|
berkeleyEduPersonJobApptRelationsCode |
|
berkeleyEduPersonJobApptRepresentation |
|
berkeleyEduPersonJobApptTitleCode |
|
berkeleyEduPersonJobApptType |
|
berkeleyEduPersonJobApptWOS |
A Note about CAS Authorization
One of the most common reasons people have for binding to LDAP is to check whether an account should have access to a given service. This is one of the primary reasons that AdvCon, People and Guests are separate OUs.
CalNet will be providing enhanced functionality within the CAS single sign-on service that will allow service owners to specify certain populations who should be allowed access. This will mitigate the need for many online services to call LDAP at all as ineligible accounts will not be able to get past the CAS page. Part of this change will be a new default setting for all CAS-protected services that will automatically limit access to people with an employee, student, or other type of affiliation. This will prevent guests or alumni from accessing these services unless the service owners explicitly request access for them. Stay tuned for updates in the coming months.