Information Technologies Jeremy Mortis 1 hi LDAP The Online Directory

Information Technologies

Jeremy Mortis1hi

LDAP

The Online Directory


Jeremy Mortis2hi

LDAP

• What is it

• What do we use it for

• How is it loaded

• How to use it

• Current challenges

• Futures


Jeremy Mortis3hi

What is LDAP?

Our web-based directory of

students, faculty, and staff


Jeremy Mortis4hi

What is LDAP?

Lightweight

Directory

Access

Protocol


Jeremy Mortis5hi

What is LDAP?

• An object database

• An access protocol

• Based on X.500/DAP

• Optimized for searching

• High availability


Jeremy Mortis6hi

LDAP Usage at U of C

• Campus E-mail directory

• Authentication & authorization> Web> Calendar> News


Jeremy Mortis7hi

Example Uses

Directory search• www.ucalgary.ca/directory• Netscape Address Book

Restricting web content• https://www.ucalgary.ca/it/SMG/minutes


Jeremy Mortis8hi

LDAP Structure

o=ucalgary.ca

ou=People

uid=twhite

directory.ucalgary.ca

cn=Administrators


Jeremy Mortis9hi

Objectclass: uofcpersondn: uid=twhite,ou=People,o=ucalgary.ca

sn: White givennames: Terrance mail: [email protected] mail: [email protected] department: President’s Office

LDAP Objects


Jeremy Mortis10hi

Objectclass: groupofuniquenamesdn: cn=Administrators,o=ucalgary.ca

owner: uid=kozlowsk,ou=... uniquemember: uid=kozlowsk,ou=… uniquemember: uid=rogjohns,ou=… uniquemember: uid=admin,ou=...

LDAP Objects


Jeremy Mortis11hi

LDAP Objects

• Distinguished namee.g. uid=twhite,ou=people,o=ucalgary.ca

• Attributescan be inherited

• Valuescan occur multiple times


Jeremy Mortis12hi

Available Attributes

uid IT username

sn Surname from UCID system

officialname Given name from UCID system

givenname Preferred given name

cn Common name (givenname + sn)


Jeremy Mortis13hi


faculty (for students)

departmentnumber (e.g. U4705)

department Department Name

telephonenumber

facsimiletelephonenumber

roomnumber

mail E-mail address

labeleduri Web home page


Jeremy Mortis14hi


userclass UCID category type(s)

course Current courses (not published)

employeenumber UofC ID Number (restricted)

publish Public display flag

locked Active indicator

Other stuff could be added!


Jeremy Mortis15hi

Potential Attributes

• User Comments

• Alternate departments

• Departmental phone number

• Digital certificates

• Calendar preferences


Jeremy Mortis16hi

Sources of Data

AuthentUCID

SIS HR

UCIDAIX

AccountsPersonalUpdates

LDAPusername


Jeremy Mortis17hi

Why am I not listed?

• Must have a UCID

• Must have an IT Username

• Username must be connected to UCID

• Username must be primary

• Publish flag must be set

• Wait for update to happen


Jeremy Mortis18hi

Update Schedule

• Web update - every hour

• UCID updates - every hour

• AIX updates - daily

• HR/SIS data changes - weekly


Jeremy Mortis19hi

Historical Artifacts

• LDAP keyed by username; authent keyed by UCID

• Loaded all UCIDS w/data on Aug 1, 98

• Fake usernames if one didn’t exist

• Username required after that date

• Students not published after Aug 1,99


Jeremy Mortis20hi

.ucaccess

A facility for restricting access to web

pages by any combination of LDAP data

(e.g., IT meeting minutes)


Jeremy Mortis21hi

.ucaccess

Place rules in content directory:

[ldap]

uid:mortis

uid:rogjohns

uid:kozlowsk


Jeremy Mortis22hi

.ucaccess

[ldap]

course:*MATH211*

course:*MATH213*

Course data format: W2000MATH211L01B03T01


Jeremy Mortis23hi

.ucaccess

Attributes are ‘or’ed together:

[ldap]

department:UCS*

uid:fritsp

course:W2000*


Jeremy Mortis24hi

API’s

• Web access ldap://directory.ucalgary.ca

/o=ucalgary.ca??sub?cn=*morven*

• AIX command line ldapsearch -b o=ucalgary.ca cn=*morven*

• C, Perl, Java, etc.


Jeremy Mortis25hi

Binding

• Another name for ‘logging on’

• Interface to AIX cluster password

• Required for:* view access to UCID and courses* updating LDAP directly* viewing ‘locked’ entries


Jeremy Mortis26hi

Mainframe Calls

• DASAUTHSAIX password authentication

• DASMAILAE-mail address lookup


Jeremy Mortis27hi

Current Problems

• No Yellow Pages

• Stale phone numbers

• Single faculty & department

• No checking of e-mail addresses

• No departmental administration

• Update time lag


Jeremy Mortis28hi

Ideas for the Future

• End users update LDAP directly

• Interface with TeleWeb system

• Separate staff list

• Digital Certificates

• Calendar integration

• Hot failover


Jeremy Mortis29hi

Support

• Admin Help Desk

• Leigh Schroth (account problems)

• Roger Johnson (data loads)

• Don Kozlowski (LDAP itself)


Jeremy Mortis30hi

Coordination Committee

• Bob Revak (chair)

• Roger Johnson

• Don Kozlowski

• Jeremy Mortis

• Paul Starling


Jeremy Mortis31hi

More Information

LDAP in general

http://developer.netscape.com/docs/

.ucaccess

http://www.ucalgary.ca

/it/itf/general/web/web-02.html

Documents

Information Technologies Jeremy Mortis 1 hi LDAP The Online Directory