OIT LDAP Directory Information

What is LDAP?

LDAP– (Lightweight Directory Access Protocol) is the service available to campus applications and end-user applications such as e-mail clients to obtain information (e.g. Names, E-Mail Addresses, Phone Numbers, etc.) from the campus directory or to allow applications to delegate user authentication.

What Information is Available in LDAP?

The OIT LDAP contains public and non-public information about students, staff and faculty, group and services accounts, and email lists.  LDAP information is pulled from various sources within campus (e.g. HR, UCI Campus Phone Directory, Active Directory, etc.) and is updated in near real-time when data is changed at the source.

See OIT LDAP Attribute Information for details on all attributes available and their descriptions.

Public Data

The OIT Public LDAP server will provide public information for programmatic access by applications, such as email clients and vendor applications.  The OIT Public LDAP server does not require authentication to access.

Non-Public Data

The OIT Non-Public LDAP server will contain public information along with additional, non-public data fields for UCI employees, students, former students, former employees, and applicants.  To access the OIT Non-Public LDAP server, it will require authentication via a valid UCINetID account with appropriate entitlements.

Certain data fields pertaining to UCI Employees require an even greater level of authorization.

  • Staff or faculty employment data
  • Student data protected by FERPA (Family Educational Rights and Privacy Act)
    Access to Personally Identifiable Information requires the approval of the University Registrar and is subject to University of California Policies Applying to the Disclosure of Information from Student Records. To read more about your responsibilities under these policies, please consult the link above and the University Registrar’s Privacy page. If you have a legitimate business interest and would like to apply for access to personally identifiable student information, please open a ticket.
  • Staff or faulty VPN access information
  • Alumni email contact information
  • Group / Service / Third Party accounts
  • Email distribution lists and forwards
  • KSAMS roles and user-roles memberships

How Do I Access OIT LDAP?

OIT Public and Non-Public LDAP are available to any application hosted on campus. If your application is hosted outside of campus, please refer to the “How do I access the OIT LDAP from outside of campus?” section on the OIT LDAP FAQs page.

Public LDAP

ldaps://ldap.oit.uci.edu:636 (with SSL)

ldap://ldap.oit.uci.edu:389 (without SSL)

Non-Public LDAP

ldaps://ldap-auth.oit.uci.edu:636

ldaps://ldap-auth.oit.uci.edu:637 (with DUO Multi-Factor Authentication)

You must use a TLS/SSL connection to access the OIT Non-Public LDAP server.  We are not planning on supporting StartTLS at the moment.

If you already have a group UCInetID that your application uses, you can use that account to login or authenticate to OIT LDAP. Just be sure to request the relevant KSAMS role(s) in order to read the data that you need. Additionally, existing UCINetID accounts must adhere to the UCI Password Policy to authenticate successfully to OIT LDAP.

If you don’t already have a group UCInetID, you can create a UCInetID Service Account here. UCInetID Service Accounts are available at no charge, and do not include an email account. Once you have the UCInetID Service Account established, you will also need to request the relevant KSAMS role(s) in order to read the data you need.

If needed, please refer to this page for more information on how to request KSAMS access.

How Do I Perform a Search in OIT LDAP?

Base DN

“dc=uci,dc=edu”

DN of a UCINetID

“uid=XXXXXXX,ou=people,dc=uci,dc=edu” where XXXXXXX = the UCInetID of the object.

Case sensitivity

While LDAP is not case sensitive, many programming languages are. Any query being made to the LDAP server will be case insensitive. However, once an LDAP result is being used inside a case sensitive programming language, the language will treat attribute names as case sensitive. This is the case in PHP. PHP will automatically lowercase all attribute names in a result hash to avoid confusion.

LDAP Aliases

We no longer support LDAP aliases to map to the pre-2005 LDAP schema. A list of former attribute names and their current equivalents can be found using OIT LDAP Attribute Information. Please open a ticket if you need help updating your application to reflect the current attribute names.

LDAP Search Limits

The OIT Consolidated LDAP has a limit of 3000 result entries that a client may retrieve in a single operation.  If an LDAP client attempts to retrieve more results than the limit allowed in a single operation it will receive an error.  If your search needs to return more than 3000 entries, you must use paging as part of your search operation and retrieve all the desired data in batches.

LDAP Protocol Version

The OIT Consolidated LDAP supports protocol version 3 only.  Using an unsupported LDAP protocol version will result in a protocol error.

UCPATH Integration Testing

Public UCPath LDAP Test Environment

ldaps://ldap-stg.oit.uci.edu:636 (with SSL)
ldap://ldap-stg.oit.uci.edu:389 (without SSL)

Non-Public UCPath LDAP Test Environment

ldaps://ldap-auth-stg.oit.uci.edu:636
ldaps://ldap-auth-stg.oit.uci.edu:637 (with DUO Multi-Factor Authentication)

UCPath Changes to Expect

For changes to attributes or field values, refer to columns B and G in the OIT LDAP Attribute spreadsheet.

The “ou=People History” branch of OIT LDAP will not contain historical PPS data for any employees converted into UCPath, only UCPath values will be available. However, for terminated employees who were not converted into UCPath, their PeopleHistory record will retain the PPS values as of the employee’s separation.

Testing Cycles

There will be two iterations of integration testing this summer: D2 IT1 and D2 IT2.
The first iteration of testing (D2 IT1) will primarily focus on Tier 1 interfaces. There will be some staged transactional data also available for Tier-n but most staged data will be entered in D2 IT2.

Here are some key dates: (Please note that some of these dates may change.)

D2 IT1 – May 28th to June 28th

  • New converted data available in our UCI Operational Data Store (ODS) – May 29th
  • Release of ESBAT and OIT LDAP – June 5th

D2 IT2 – July 15th to Sept 6th

How Do I Get Support for OIT LDAP?

If you encounter issues or questions about using OIT LDAP, please open a ticket.  For critical issues, please indicate the impact to you or your application to ensure proper escalation.

Frequently Asked Questions

For more information, please visit our FAQ Page.

Scroll Up