LDAP Directory Information

A guide to the LDAP Schema

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is the service used by campus applications and end-user applications such as e-mail clients to obtain information (e.g. names, e-mail addresses, phone numbers, etc.) from the campus directory.

UCI LDAP Information

Timeliness

A note on the timeliness of the data in UCI’s LDAP servers. The LDAP servers are populated from the Campus Directory approximately every two hours during business hours and less frequently outside of them.

URL

The LDAP URL is ldap://ldap.service.uci.edu

Base DN

“ou=University of California Irvine,o=University of California, c=US”

DN of a ucinetid

“uid=XXXXXXX,ou=University of California Irvine,o=University of California, c=US” where XXXXXXX = the ucinetid of the object.

Using TLS (Transport Layer Security)

The LDAP server supports TLS. LDAP over SSL (ldaps) is not supported. To use TLS, the client must connect to the LDAP server on the unencrypted port 389 and issue the StartTLS extended operation; the TLS session is then negotiated on that connection. Most LDAP clients support this. Some LDAP clients may require the server's CA certificate to be supplied before they will trust the connection.
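As an added example (not code from UCI or from the page), the following Python builds the DN and search filter for a ucinetid from the base DN given above and opens a connection the way the page requires: plain port 389, then StartTLS. The escaping helpers are plain Python implementing the standard RFC 4514 (DN) and RFC 4515 (filter) rules, so a ucinetid taken from user input cannot alter the DN or filter; the connection part assumes the third-party ldap3 library and a CA bundle path that you supply.

```python
"""Added example: safe DN/filter construction for a ucinetid and a StartTLS
connection to the campus LDAP server. Escaping is pure Python; the connection
helper assumes the third-party ldap3 library (imported lazily)."""

LDAP_HOST = "ldap.service.uci.edu"  # URL from the page, host part only
# Base DN exactly as the page gives it
BASE_DN = "ou=University of California Irvine,o=University of California, c=US"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    # A leading '#' or space, and a trailing space, must also be escaped.
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1] + "\\ "
    return s


# RFC 4515 section 3: these characters must be hex-escaped in filter values.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def ucinetid_dn(ucinetid: str) -> str:
    """DN of a ucinetid, per the page: uid=<ucinetid>,<base DN>."""
    return f"uid={escape_dn_value(ucinetid)},{BASE_DN}"


def ucinetid_filter(ucinetid: str) -> str:
    """Search filter that matches exactly one ucinetid, wildcards neutralised."""
    return f"(uid={escape_filter_value(ucinetid)})"


def connect_with_starttls(host: str = LDAP_HOST, ca_certs_file: str = None):
    """Connect on the plain port 389 and upgrade with StartTLS (ldaps is not
    offered). ca_certs_file is the CA bundle some clients need to validate the
    server certificate; assumed to be provided by the caller."""
    import ssl
    from ldap3 import ALL, Connection, Server, Tls  # third-party, assumed installed

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = Server(host, port=389, use_ssl=False, tls=tls, get_info=ALL)
    conn = Connection(server, auto_bind=False)
    conn.open()
    if not conn.start_tls():  # refuse to continue over cleartext
        raise RuntimeError(f"StartTLS failed: {conn.result}")
    conn.bind()  # anonymous bind: reaches the public zone only
    return conn


def lookup(conn, ucinetid: str, attributes=("cn", "telephoneNumber")):
    """Search the base DN for one ucinetid and return its attributes."""
    conn.search(BASE_DN, ucinetid_filter(ucinetid), attributes=list(attributes))
    return [entry.entry_attributes_as_dict for entry in conn.entries]


if __name__ == "__main__":
    # Offline demonstration of the escaping; the connection needs the real server.
    print(ucinetid_dn("panteater"))
    print(ucinetid_filter("pant*"))  # the '*' is escaped, so it is not a wildcard
```

The `lookup` call will only ever return public-zone attributes over an anonymous bind; a client holding approved private-zone credentials would bind with them after `start_tls()` succeeds, never before.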

Private Data

The data in UCI’s LDAP directory is separated into public and private zones. Unauthorized users cannot access private data, which holds information such as birthday and student ID. If you would like to apply for access to private information, email oit@uci.edu.

FERPA (Family Educational Rights and Privacy Act) Restricted Data

Access to Personally Identifiable Information requires the approval of the University Registrar and is subject to applicable UC policies.

To read more about your responsibilities under these policies, please consult the link above and the University Registrar’s Privacy web site.

If you have a legitimate educational interest and would like to apply for access to personally identifiable student information, email oit@uci.edu.

A Note on LDAP Aliases

A number of aliases for attributes have been incorporated into the schema for legacy support.

Many of the attributes that belong to the inetOrgPerson schema were renamed from their legacy PH names. This change was made so that LDAP is more compatible with frequently used applications such as Eudora, OS X Mail and Outlook. The aliases assigned to these attributes correspond to the attribute names in the pre-2005 LDAP schema.

If your application specifies attribute names to be returned, the alias system will understand the attribute you are requesting and return it; however, in the result it will be named by its primary name.

If, however, your query does not specify which attributes it wants returned, the attribute names returned will be the new official names. Aliased names can also be used in search filters.

For example, the PH field ‘phone’ is now stored in LDAP as ‘telephoneNumber’ in accordance with the inetOrgPerson schema, and ‘phone’ is now an alias for ‘telephoneNumber’. If the attribute ‘phone’ is requested, it will appear in the response under the name ‘telephoneNumber’. If a general query for all data is made without specifying attribute names, the attribute is likewise returned as ‘telephoneNumber’.

Note regarding case sensitivity

While LDAP attribute names are not case sensitive, many programming languages are. Any query made to the LDAP server is case insensitive. However, once an LDAP result is used inside a case-sensitive programming language, the language will treat attribute names as case sensitive. This is the case in PHP; PHP automatically lowercases all attribute names in a result hash to avoid confusion.
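The alias and case-sensitivity behaviour described in the two sections above, as an added Python example (not code from the page or from UCI): the alias table is the one the page lists plus the ‘phone’ example, requested names are resolved to their primary names regardless of case, and a result entry is canonicalised the way a client in a case-sensitive language must do it itself. The sample entry at the bottom is constructed.

```python
"""Added example: resolve legacy aliases to primary inetOrgPerson names
case-insensitively and canonicalise search results. Alias table from the
page's attribute table plus 'phone' -> 'telephoneNumber' from its text."""

# primary name -> legacy aliases, as listed on the page
ALIASES = {
    "cn": ("commonName",),
    "facsimileTelephoneNumber": ("fax",),
    "givenName": ("gn",),
    "sn": ("surname",),
    "st": ("stateOrProvinceName",),
    "street": ("streetAddress",),
    "uid": ("userid",),
    "telephoneNumber": ("phone",),  # legacy PH field name
}

# attributes on the page that have no alias
UNALIASED = {"departmentNumber", "displayName", "employeeNumber",
             "postalAddress", "postalCode", "title", "userClass"}

# lower-cased lookup table: every alias and primary name -> primary name
_LOOKUP = {name.lower(): name for name in UNALIASED | set(ALIASES)}
for _primary, _aliases in ALIASES.items():
    for _alias in _aliases:
        _LOOKUP[_alias.lower()] = _primary


def resolve(name: str) -> str:
    """Map a requested name (alias or primary, any case) to its primary name.
    Unknown names pass through unchanged so the server can reject them."""
    return _LOOKUP.get(name.lower(), name)


def requested_attributes(names) -> list:
    """Collapse a request list to the primary names the server will return,
    preserving order and dropping duplicates such as 'phone' + 'telephoneNumber'."""
    result = []
    for name in names:
        primary = resolve(name)
        if primary not in result:
            result.append(primary)
    return result


def canonical_entry(entry: dict) -> dict:
    """Rename the keys of a result entry to primary names.

    PHP lowercases keys for you; other languages do not, so a client that
    compares keys literally should normalise them like this first."""
    out = {}
    for key, values in entry.items():
        primary = resolve(key)
        bucket = out.setdefault(primary, [])
        for value in values:
            if value not in bucket:
                bucket.append(value)
    return out


# Constructed sample: keys as a server or library might return them
SAMPLE_ENTRY = {
    "TELEPHONENUMBER": ["555-0100"],
    "surname": ["Anteater"],
    "GN": ["Peter"],
    "departmentnumber": ["0000"],
}

if __name__ == "__main__":
    print(requested_attributes(["phone", "Phone", "telephoneNumber", "fax"]))
    print(canonical_entry(SAMPLE_ENTRY))
```

`resolve` leaves unknown names untouched on purpose: silently dropping or guessing an attribute would hide a misconfigured request, whereas the server's error makes it visible.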

Student Preferred Names

Students have the ability to specify a preferred name as an alternative to their legal name. A student’s preferred name is used as their directory name in all name-related fields. More information about Preferred Name may be found on the University Registrar’s web site at: http://www.reg.uci.edu/request/preferredname.html

Standard Attributes used in UCI’s Directory

UCI also uses a number of attributes from other schemas, most notably inetOrgPerson (and all of the schema it inherits) and eduPerson.

Attribute Name              Alias                 RFC    Indexed in Database?
--------------------------  --------------------  -----  --------------------
cn                          commonName            2256   indexed
departmentNumber                                  2798   indexed
displayName                                       2798
employeeNumber                                    2798   indexed
facsimileTelephoneNumber    fax                   2256
givenName                   gn                    2256   indexed
postalAddress                                     2256
postalCode                                        2256
sn                          surname               2256   indexed
st                          stateOrProvinceName   2256
street                      streetAddress         2256
telephoneNumber                                   2256   indexed
title                                             2256
uid                         userid                1274   indexed
userClass                                         1274   indexed