If access to a service should be limited to a particular population, LDAP contains both public and private fields (LDAP attributes) that can be used to identify that population. Public LDAP attributes can be read with an anonymous LDAP bind; private attributes require a privileged LDAP bind (an LDAP account and password).
LDAP is divided into several containers called Organizational Units (OUs). Active employees, students, and affiliates, as well as those who are expired but are still within their grace period, are in the People OU. There is also a PreSIR People OU for admitted students, an ADVCON People OU for alumni and members of the Advancement Constituents, and an Expired People OU for those with no active affiliation. Anonymous LDAP binds have access only to the People OU. Anyone needing access to other OUs must request a privileged LDAP bind.
Below are some of the LDAP attributes more commonly used for authorization purposes.
berkeleyEduTestIDFlag: true if the record is a test record.
berkeleyEduAffiliations: a multivalued attribute listing which affiliations a person has and whether any of those affiliations have expired.
departmentNumber: the department code listed in HCM as the home department under Contact Information.
berkeleyEduEmpApptType: whether an employee is staff, faculty, or a student employee.
berkeleyEduEmpTitleCode: used to select a particular job category.
berkeleyEduStuCollegeCode: groups students by college.
berkeleyEduStuMajorCode: groups students by major.
berkeleyEduStuUGCode: whether a student is a graduate (G) or an undergraduate (U).
berkeleyEduStuRegStatCode: a student's registration status.
When searching LDAP, restricting the search to avoid unnecessary data will speed things up. The search base for many searches will be ou=people,dc=berkeley,dc=edu. If the search needs to search within all of the OUs, the search base should be at a higher level, namely dc=berkeley,dc=edu, but this will be a longer search.
The search scope determines how many levels down from the search base into the data the search should go. If the search base is ou=people,dc=berkeley,dc=edu, the search scope can usually be one. If the search base includes more than one sub OU, the search scope will usually need to be sub, and again the search will take longer.
An example of an anonymous search for information about a person by uid:
ldapsearch -H ldaps://ldap.berkeley.edu -x -s sub -b "ou=people,dc=berkeley,dc=edu" "(&(objectclass=person)(uid=3807))"
Below are some example LDAP search filter expressions. There is often more than one way to get the same search result.
Description and LDAP filter expression:

All active employees:
(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(berkeleyEduAffiliations=EMPLOYEE-TYPE-*)(!(berkeleyEduAffiliations=EMPLOYEE-STATUS-EXPIRED)))

All active employees in a specific department (here JICCS):
(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(employeeNumber=*)(departmentNumber=JICCS)(!(berkeleyEduEmpExpDate=*)))

All students in a major, whether they are active or in their grace period (here major code 080):
(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(berkeleyEduStuMajorCode=080))
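The search-base, scope and filter rules above, plus the three example filters, can be built programmatically. The following Python is an added example written for this page; it is not code from the Berkeley LDAP service. It assumes the Python standard library only, and the helper names (escape_filter_value, search_scope_for, ldapsearch_command) are this example's own. The security-relevant addition is RFC 4515 escaping: when a uid, department code or major code comes from a web form and is pasted into a filter unescaped, a value such as `*)(uid=*` changes the meaning of the filter and can widen the population the service authorizes, so every caller-supplied value is escaped before it is placed in a filter.

```python
import shlex

# Values taken from the page
LDAP_URI = "ldaps://ldap.berkeley.edu"
PEOPLE_BASE = "ou=people,dc=berkeley,dc=edu"
ROOT_BASE = "dc=berkeley,dc=edu"

# Every example on the page excludes test records
NOT_TEST = "(!(berkeleyEduTestIDFlag=true))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters '\\', '*', '(' and ')' and NUL are replaced by a
    backslash and their two-digit hex code, so a caller-supplied value
    can never add or close filter components.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def person_by_uid(uid: str) -> str:
    # Same shape as the page's anonymous search example
    return f"(&(objectclass=person)(uid={escape_filter_value(uid)}))"


def active_employees() -> str:
    # No caller input here, so nothing needs escaping
    return ("(&(objectclass=person)" + NOT_TEST
            + "(berkeleyEduAffiliations=EMPLOYEE-TYPE-*)"
            + "(!(berkeleyEduAffiliations=EMPLOYEE-STATUS-EXPIRED)))")


def active_employees_in_department(dept_code: str) -> str:
    return ("(&(objectclass=person)" + NOT_TEST + "(employeeNumber=*)"
            + f"(departmentNumber={escape_filter_value(dept_code)})"
            + "(!(berkeleyEduEmpExpDate=*)))")


def students_in_major(major_code: str) -> str:
    return ("(&(objectclass=person)" + NOT_TEST
            + f"(berkeleyEduStuMajorCode={escape_filter_value(major_code)}))")


def search_scope_for(base: str) -> str:
    """Apply the page's rule of thumb (an assumption of this example):
    a single OU base can usually use scope 'one'; a base that spans
    several OUs (such as the directory root) needs 'sub'."""
    return "one" if base.lower().startswith("ou=") else "sub"


def ldapsearch_command(filter_expr: str, base: str = PEOPLE_BASE,
                       attrs: tuple = ()) -> str:
    """Assemble an anonymous (-x) ldapsearch command line.

    shlex.quote keeps the filter's parentheses and '&' from being
    interpreted by the shell if the string is ever pasted into one."""
    parts = ["ldapsearch", "-H", LDAP_URI, "-x", "-s", search_scope_for(base),
             "-b", base, filter_expr, *attrs]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Constructed sample inputs, including one that attempts filter injection
    for uid in ("3807", "*)(uid=*"):
        print(ldapsearch_command(person_by_uid(uid), attrs=("uid", "cn")))
    print(ldapsearch_command(active_employees_in_department("JICCS")))
    print(ldapsearch_command(students_in_major("080"), base=ROOT_BASE))
```

The command for the injected uid shows `(uid=\2a\29\28uid=\2a)`, which matches only a uid containing those literal characters instead of every person in the OU; the department and major helpers reproduce the page's filters when given `JICCS` and `080`.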