To developers and the technical community,
On October 4, 2016, the CalNet team will retire the legacy LDAP Sync Code and hand control of LDAP provisioning to the Berkeley Person Registry. This step modernizes campus identity data management and will affect the services described below. Please take note.
Sync Code Retirement - why it’s a big deal!
The CalNet Sync Code has been at the heart of CalNet systems for the past decade: it’s the code that connects to source systems (such as HCM, CS and CADS) and provisions and syncs identity data to LDAP. When it is retired on October 4, 2016, the Berkeley Person Registry (BPR), CalNet’s recently deployed identity registry database, will take over this function. BPR will pull data from multiple source systems to create canonical person records and distribute them to downstream systems such as LDAP and Active Directory.
How does this affect LDAP?
The Sync Code has been provisioning (creating accounts) directly in Berkeley’s LDAP server, which has been heavily modified to act as a primary data store for all identity information. When the Sync Code is retired, the campus will be able to rely on a modern relational database as its primary data store for identity information. As a result, the complexity of the current LDAP schema will no longer be necessary. Our LDAP will be streamlined to a more standard deployment that will be provisioned from BPR.
The OU structure of LDAP will be retained along with about 50 attributes on the main LDAP record. This represents over 90% of Berkeley LDAP use cases. Approximately 100 attributes, as well as the Job Appointment, Affiliate and Term sub-records, will be deprecated. Affiliates and names will also be handled differently. For more information, including the list of retained and deprecated attributes, see https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization.
What happens to deprecated attributes?
As of October 4, 2016, deprecated attributes will no longer be updated. Applications may still access these attributes but the data will quickly become stale. It is strongly recommended that any application using deprecated attributes immediately adjust their systems. These attributes will be removed after the cutover, at a date to be determined.
How about name attributes?
All name attributes will be single-valued: cn (common name), sn (surname), displayName, and givenName. BPR scripts will use logic to prioritize the CalCentral preferred name for students and the directory name (if set) or the HCM name for employees.
Students needing to change how their name appears in LDAP may do so via CalCentral (https://calcentral.berkeley.edu/). Employees may do so via the directory update application (https://calnet-p2.calnet.berkeley.edu/directory/update/index.pl).
How does this affect CalNet Deputy tools?
The legacy tool to Issue Initial Token will be abated, since it relies on the Sync Code. Employees, affiliates and students can now use CalNet Account Manager to claim their new CalNet accounts. For more information, see https://calnetweb.berkeley.edu/calnet-me/info-new-users/activate-calnet-id.
The legacy tool called UAS (https://calnet.berkeley.edu/uas/ ) will also be abated, since it relies on many of the LDAP attributes that are being deprecated. CalNet Deputies can use the CalNet Admin Tool (https://docs.google.com/document/d/1xF6ZMyTIElMBIksebQJwzGZtLrd6uzcV0WvRUf9l8ao/edit) instead to look up a person’s identity record.
The legacy tool to Issue a Reset Token will continue to work. Find out more about deputy tools at: https://calnetweb.berkeley.edu/calnet-deputies/deputy-toolbox.
Where can I get help?
If you experience trouble with your application on October 4, send a full bug report to email@example.com detailing the issue. Please make the subject line of your email “Sync Code Bug,” so that we can prioritize it.
We will be holding a Sync Code War Room in a Google Hangout from 9am - 5pm on Tuesday, October 4 and Wednesday, October 5.
Feel free to contact us at firstname.lastname@example.org.