LDAP Simplification and Standardization

LDAP Simplification


Background 

A simplified, more supportable LDAP was introduced on October 4, 2016.

At Berkeley, our LDAP server had been heavily modified to act as a primary data store for all identity information. As part of the Student Information System development effort, CalNet deployed a new Berkeley Person Registry (BPR). This is a database that sits between the authoritative systems of record and the LDAP servers. BRP replaces LDAP as the primary data store for identity information.  As a result of these changes, the considerable complexity of the heavily modified LDAP schema was no longer necessary and was simplified to a more standard deployment. 


What Changed

The three main changes to the LDAP structure were:

  1. Job Appointment, Affiliate and Term Sub-Entries were deprecated.

  2. Approximately 130 LDAP attributes were deprecated.

    1. See Appendix B for list of deprecated attributes

  3. Affiliates and expirations are now handled differently.


What Stayed the Same?

The OU structure is remaining the same, for now.  The practice of moving records between OUs will continue at this time. This will be revisited in the future.

Address Sub-Entries also remained the same. These are updated directly from the CalNet Directory update application. This will also be addressed in the future.


Changes to Affiliate IDs

LDAP has traditionally stored unique expiry dates for various affiliations.  Those expiry dates indicated the date on which an affiliation would no longer be valid.  Account expiration scripts would then use those dates to calculate the grace period for the account. This logic was actually duplicated by consumers trying to align with CalNet’s internal calculations.  The affiliation specific expiry dates used to be stored in:

berkeleyEduStuExpDate

berkeleyEduEmpExpDate

berkeleyEduAffExpDate

 

These fields have been deprecated.  Instead CalNet consistently populates the following field:

berkeleyEduExpDate

 

The value in berkeleyEduExpDate is the official date on which a record will be expired. This means that systems should assume that this person will no longer be able to log in on that date. (It is possible that an Alumni affiliation will cause this record to be moved to ou=advcon but unless you have access to advcon, this is functionally the same as the record being expired).

The grace period will have been calculated and reflected in this date.  The presence of a value in this field means that all active affiliations have already expired and the account is in it’s grace period.  If a system of record subsequently asserts this person again, the berkeleyEduExpDate will be nulled out.


Why did we change LDAP?

An LDAP schema is effectively a contract between the people who populate the data and the people who consume it. Historically, at Berkeley, it was not treated as such. In everyone’s effort to find the best solution for their applications, we collectively allowed a large and unwieldy LDAP schema to become the defacto contract.  This was not a contract that the University could realistically maintain while meeting the increased demand for advanced Identity and Access services, and also being pressured to reduce costs.  This new LDAP schema represents a contract that IST can realistically support into the future, with the understanding that future modifications and renegotiations are always possible.


What if I have problems with the new LDAP?

If your code is dependent on deprecated attributes, you should immediately start engaging with api-central to find a new source for the data. 

You can test your application by pointing a test version at test ldap instance:

nds-p6.calnet.berkeley.edu


Appendix A: The new LDAP schema

 

Attribute

Description

Single/Multi Value

audio

Standard LDAP attribute type

berkeleyEduHCMID

This is unique identifier from HCM. Also known as the Emplid. If a person is a staff or faculty member, this value will also appear in the employeeNumber field. If they are just an HCM Affiliate, this is will be the only place to find this value.

Single

berkeleyEduCadsAffID

Affiliate ID from ADVCON

Single

berkeleyEduCalnetAffID

Affiliate ID from CalNet

Single

berkeleyEduAffID (ucbaffid)

Multi value list of Unique identifiers from system of record for affiliates (for backwards compatibility)

Multi

berkeleyEduAffiliations (ucbaffiliations)

Multi value list of affiliations a person has

Multi

berkeleyEduBirthDay (ucbbday)

Birth day

Single

berkeleyEduBirthMonth (ucbbmonth)

Birth month

Single

berkeleyEduBirthYear

Birth year (value is not generally populated)

Single

berkeleyEduCalNetUIDConsolidationDate

If a duplicate record was consolidated into this record, this was the date it happened

Single

berkeleyEduAlternateID

bConnected Email address

Single

berkeleyEduCalNetUIDOld

If a duplicate record was consolidated into this record, this was the other UID

Single

berkeleyEduConfidentialFlag (ucbconfidentialflag)

Flag set by students who don't want their data to show up in the directory

Single

berkeleyEduCSID

Unique identifier from Campus Solutions (Emplid)

Single

berkeleyEduEmailRelFlag (ucbemailrelflag)

Flag set to indicate that email address should not be displayed in the directory

Single

berkeleyEduEmpDeptUnitTitleCode

The title code of the primary job

Single

berkeleyEduEmpTitleCode (ucbemptitlecode)

Multi value list of all job codes

Multi

berkeleyEduExpDate

The date on which an account will be expired and no longer able to log in

Single

berkeleyEduFirstName

First name as set by the user

Single

berkeleyEduIsMemberOf

Multi value list of all the groups a user is member of

Mutli

berkeleyEduKerberosPrincipalString (ucbkerberosprincipalstringberkeleyEduCalNetID)

The user's CalNet ID

Single

berkeleyEduKerberosPrincipalStringOld

If the user changed their CalNet ID, the old CalNet ID is captured here

Single

berkeleyEduLastName

Last name as set by the user

Single

berkeleyEduOfficialEmail (ucbemail)

Email address, set to bConnected account address when that is created  but can be set by user to any @berkeley.edu email address owned by user.

Single

berkeleyEduPrimaryDeptUnit (ucbemphomedept)

Unit code of the user's primary department.

Single

berkeleyEduSPAUsersGroup

Applied only to a SPA account

berkeleyEduStuID (ucbstuid)

Student Number, 8 or 10 digits. Should be the same value as berkeleyEduCSID for students

Single

berkeleyEduTestIDFlag (ucbtestidflag)

A flag set to indicate this is a CalNet Test ID

Single

c (countryName)

Address country as set by user

Single

cn (commonName)

Full name in "surname, givenName" format

Single

departmentNumber

Multi value list of active department codes

Multi

description

Standard LDAP attribute type

Public

displayName

Calculated full name based on preferred names from various systems

Single

employeeNumber

Employee number from HR should be the same as berkeleyEduHCMID for employees

Single

employeeType

Staff or Faculty

Single

givenName

first name

Single

mail (rfc822Mailbox)

Email address as provided by the user

Single

ou (organizationalUnitName)

ou for the record (part of the DN)

Single

postalAddress

Built from pieces of the address as entered by the user

Single

postalCode

Zip/Postal code as entered by the user

Single

roomNumber

Room number in the address as entered by the user

Single

sn (surname)

Last name

Single

st (stateOrProvinceName)

State or Province from the address the user entered

Single

street (streetAddress)

Street Address from the address the user entered

Single

telephoneNumber

Phone number as entered by the user

Single

title

Title as entered by the user

Single

UCnetID (ucbnetid)

UCNetid is an identifier provided by UCOP

Single

uid (userid)

Unique identifier assigned by CalNet and returned by CAS

Single

berkeleyEduMiddleName

Middle Name as asserted by systems of record or set by the user

Single

berkeleyEduNameGenerational

Generational component of name as set by user

Single

berkeleyEduNameHonorifics

Honorific as set by user

Single

berkeleyEduNameSalutation

Salutation as set by user

Single

berkeleyEduCalNetIDUpdatedDate

Date a CalNet ID was created or changed

Single

berkeleyEduUnitHRDeptName

HR Department Unit Name from HCM

Single

facsimileTelephoneNumber

Fax number as entered by the user

Single

l (localityName)

City or County as entered by the user

Single

labeledURI

URL as entered by the user

Single

mobile (mobileTelephoneNumber)

Mobile number as entered by the user

Single

o (organizationName)

value: "University of California, Berkeley"

Single

eduPersonAssurance

Kept for compliance with eduPerson schema

eduPersonEntitlement

Kept for compliance with eduPerson schema

eduPersonPrincipalName

Kept for compliance with eduPerson schema

 


Appendix B: Deprecated Attributes

THE FOLLOWING ATTRIBUTES WILL NO LONGER BE SUPPORTED

berkeleyEduAcaSenFlag
berkeleyEduAffApptBeginDate
berkeleyEduAffApptEndDate
berkeleyEduAffBirthMonthDay
berkeleyEduAffCreateDate
berkeleyEduAffExpDate
berkeleyEduAffFeePaidDate
berkeleyEduAffiliationsDetailed
berkeleyEduAffModDate
berkeleyEduAffName
berkeleyEduAffTerminationDate
berkeleyEduAffTypes
berkeleyEduAffWorkStudyFlag
berkeleyEduAppStandardCalMailDeptAccountTicket
berkeleyEduAppStandardCalMailDisallowedBy
berkeleyEduAppStandardCalMailDisallowedDate
berkeleyEduAppStandardCalMailDisallowedFlag
berkeleyEduAppStandardCommuniteAddlMbox
berkeleyEduAppStandardCommuniteAdminFlag
berkeleyEduAppStandardCommuniteEmailAddress
berkeleyEduAppStandardCommuniteEmailHost
berkeleyEduAppStandardCommuniteEmailPassword
berkeleyEduAppStandardCommuniteEmailUserName
berkeleyEduAppStandardDeputyOptOutFlag
berkeleyEduAppStandardQuestPerms
berkeleyEduAppStandardWebDiskID
berkeleyEduAppStandardWmfGid
berkeleyEduAppStandardWmfHomeDir
berkeleyEduAssistant
berkeleyEduCalNetIDUpdatedFlag
berkeleyEduCalNetKey
berkeleyEduCalNetKeySalt
berkeleyEduCrisis*
berkeleyEduDeptUnitHierarchyString
berkeleyEduDeputyAdminTool
berkeleyEduDeputyAuthorizedBy
berkeleyEduDeputyClassDate
berkeleyEduDeputyComments
berkeleyEduDeputyDisabledDate
berkeleyEduDeputyDisabledFlag
berkeleyEduDeputyIPsAllowed
berkeleyEduDeputyPrincipal
berkeleyEduDeputyPrincipalProcUnit
berkeleyEduDeputyProcUnits
berkeleyEduDeputyType
berkeleyEduEmpApptBeginDate
berkeleyEduEmpApptEndDate
berkeleyEduEmpApptType
berkeleyEduEmpBirthMonthDay
berkeleyEduEmpCreateDate
berkeleyEduEmpCTOCode
berkeleyEduEmpExpDate
berkeleyEduEmpModDate
berkeleyEduEmpName
berkeleyEduEmpRelationsCode
berkeleyEduEmpTerminationDate
berkeleyEduEmpWorkStudyFlag
berkeleyEduExcludeFlag
berkeleyEduFacultyFlag
berkeleyEduIdentityVerifiedDate
berkeleyEduIMProtocol
berkeleyEduIMScreenName
berkeleyEduKerberosInstance
berkeleyEduKerberosPrimary
berkeleyEduKerberosRealm
berkeleyEduKerberosStatusCode
berkeleyEduMaidenName
berkeleyEduMaxExpDate
berkeleyEduModDate
berkeleyEduOnlineUpdateAllowedFlag
berkeleyEduPassphraseCompliant
berkeleyEduPersonAddressBuildingCode
berkeleyEduPersonAddressCountryCode
berkeleyEduPersonAddressDeptDN
berkeleyEduPersonAddressHRJobTitle
berkeleyEduPersonAddressLocationCode
berkeleyEduPersonAddressPublications
berkeleyEduPersonAddressReceiveMailFlag
berkeleyEduPersonAddressSortOrder
berkeleyEduPersonAddressType
berkeleyEduPersonAddressUnitCalNetDeptName
berkeleyEduPhoneBookOnlyFlag
berkeleyEduPhotoIDVerifiedDate
berkeleyEduPPSivrStatusFlag
berkeleyEduPrimaryDeptUnitHierarchyString
berkeleyEduSPAAdminGroup
berkeleyEduSPAApproverUID
berkeleyEduSPACollection
berkeleyEduSSN
berkeleyEduStuApprovedWithdrawEndDate
berkeleyEduStuBirthDate
berkeleyEduStuCollegeCode
berkeleyEduStuCollegeName
berkeleyEduStuCreateDate
berkeleyEduStuEduLevelCode
berkeleyEduStuEduLevelName
berkeleyEduStuEduRoleCode
berkeleyEduStuEduRoleName
berkeleyEduStuExpDate
berkeleyEduStuMajorCode
berkeleyEduStuMajorName
berkeleyEduStuModDate
berkeleyEduStuName
berkeleyEduStuRegStatCode
berkeleyEduStuRegStatName
berkeleyEduStuTermCode
berkeleyEduStuTermName
berkeleyEduStuTermStatus
berkeleyEduStuTermYear
berkeleyEduStuUGCode
berkeleyEduTokenIssuer
berkeleyEduUasEligFlag

berkeleyEduUnitCalNetDeptName

businessCategory
carLicense
destinationIndicator
eduPersonAffiliation
eduPersonNickname
eduPersonOrgDN
eduPersonOrgUnitDN
eduPersonPrimaryAffiliation
eduPersonPrimaryOrgUnitDN
eduPersonScopedAffiliation
eduPersonTargetedID
homePhone
homePostalAddress
initials
internationaliSDNNumber
jpegPhoto
manager
pager
photo
physicalDeliveryOfficeName
postOfficeBox
preferredDeliveryMethod
preferredLanguage
registeredAddress
secretary
seeAlso
teletexTerminalIdentifier
telexNumber
UCTrustAssurance

 

Person Term Subentry Attributes

berkeleyEduStuChangeDate

berkeleyEduStuCollegeCode

berkeleyEduStuCollegeName

berkeleyEduStuEduLevelCode

berkeleyEduStuEduLevelName

berkeleyEduStuEduRoleCode

berkeleyEduStuEduRoleName

berkeleyEduStuMajorCode

berkeleyEduStuMajorName

berkeleyEduStuRegStatCode

berkeleyEduStuRegStatName

berkeleyEduStuTermCode

berkeleyEduStuTermName

berkeleyEduStuTermStatus

berkeleyEduStuTermYear

berkeleyEduStuUGCode



Person Job Appointment Subentry

berkeleyEduPersonJobApptCTOCode

berkeleyEduPersonJobApptDepartment

berkeleyEduPersonJobApptEmpRecNumber

berkeleyEduPersonJobApptPersPgmCode

berkeleyEduPersonJobApptPrimaryFlag

berkeleyEduPersonJobApptRelationsCode

berkeleyEduPersonJobApptRepresentation

berkeleyEduPersonJobApptTitleCode

berkeleyEduPersonJobApptType

berkeleyEduPersonJobApptWOS


A Note about CAS Authorization 

One of the most common reasons people have for binding to LDAP is to check whether an account should have access to a given service.  This is one of the primary reasons that AdvCon, People and Guests are separate OUs.

CalNet will be providing enhanced functionality within the CAS single sign-on service that will allow service owners to specify certain populations who should be allowed access. This will mitigate the need for many online services to call LDAP at all as ineligible accounts will not be able to get past the CAS page. Part of this change will be a new default setting for all CAS-protected services that will automatically limit access to people with an employee, student or other type of affiliation. This will prevent guests or alumni from accessing these services unless the service owners explicitly request access for them. Stay tuned for updates in the coming months.