How often is the data refreshed in OIT LDAP?

People and KSAMS data in OIT LDAP are updated in near real time when they change at the source, except for KSAMS role name changes, which are applied the following morning.

People History and other information is updated every day before 10am.

How do I look up a person’s name in the OIT LDAP?

You may search for a person using their “uid” (UCINetID).

There are 3 groups of names related to people. Directory names can be updated via a request sent to Help Desk and can be used as “preferred names.”

Employee Legal (Payroll) Names

  • uciEmployeeGivenName (first name)
  • uciEmployeeMiddleName
  • uciEmployeeSN (last/family name)

Student Names

  • uciStudentGivenName (first name)
  • uciStudentMiddleName
  • uciStudentSN (last/family name)

Directory Names

  • givenName (first name)
  • middleName
  • sn (last/family name)
  • displayName (combined name)

How do I get an SSL certificate for LDAP?

You can use OpenSSL to retrieve the SSL certificate.

The following command returns the entire certificate chain, i.e. the SSL cert for OIT LDAP as well as the intermediate CA certs and the root CA cert:

openssl s_client -showcerts -connect ldap-auth.oit.uci.edu:636

Which LDAP instance should I use (Public vs Non-Public)?

You should choose which OIT LDAP instance to use depending on what data and attributes you need access to and whether you are able to use SSL connections.

OIT LDAP public attributes are described here.

How do I access the OIT LDAP from outside of campus?

LDAP can be made accessible by opening the firewall and adding the vendor servers' IP addresses to our LDAP access control list.

In order to make firewall and LDAP changes, the supervisor should submit a request with the following information:

  • Which application is it for?
  • What IP(s) need access?
  • What data is the application trying to access?
  • Who is responsible for the application and what is the contact information?

If an outside vendor wishes to use LDAP for authentication because they cannot use UCI’s single sign-on solution (WebAuth), the vendor will need to get an approval from the Identity and Access Management (IAM) and Security teams. A request should be submitted with the specific details and the reason why the application cannot use WebAuth or Shibboleth for authentication.

What version of Java/JRE is compatible with LDAP?

We recommend using Java 1.8 or higher.

Although we currently support Java 1.7, it is not compatible with TLSv1.2 or higher. Using TLSv1.2 or higher is more secure and, therefore, we will be retiring support for Java 1.7 in the near future.

How do I access LDAP with Apache Directory Studio?

This document will explain how to install and access the LDAP using Apache Directory Studio.

How do I retrieve KSAMS roles and their members?

If you need to retrieve a list of KSAMS roles, you may search for records with an “objectClass” of “groupOfNames” under the base DN “ou=kams,ou=groups,dc=uci,dc=edu”.

To retrieve members of a KSAMS role, read the “member” attribute for the specific KSAMS role.
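As an added example that is not part of the OIT FAQ: a small parser that turns the LDIF returned by the search above into a role-to-member map, keeping only groupOfNames entries. The LDIF is constructed, and the uid=...,ou=people layout of member DNs is an assumption the page does not state.

```python
import base64
import re

# Constructed sample of the LDIF that an ldapsearch with base
# ou=kams,ou=groups,dc=uci,dc=edu and filter (objectClass=groupOfNames)
# could return; role names and member DN layout are assumptions.
SAMPLE_LDIF = """\
dn: cn=example-role-1,ou=kams,ou=groups,dc=uci,dc=edu
objectClass: groupOfNames
cn: example-role-1
member: uid=alice,ou=people,dc=uci,dc=edu
member: uid=bob,ou=people,dc=uci,dc=edu

dn: cn=example-role-2,ou=kams,ou=groups,dc=uci,dc=edu
objectClass: groupOfNames
cn:: ZXhhbXBsZS1yb2xlLTI=
member: uid=carol,ou=people,
 dc=uci,dc=edu

dn: ou=not-a-role,ou=kams,ou=groups,dc=uci,dc=edu
objectClass: organizationalUnit
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds continuation lines
    (leading single space) and decodes base64 values marked with '::'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in re.sub(r"\n ", "", block).splitlines():
            m = ATTR_LINE.match(line)
            if not m:
                continue  # comments and anything malformed are skipped
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def ksams_roles(entries):
    """Map role cn -> sorted member DNs, keeping only groupOfNames entries."""
    roles = {}
    for e in entries:
        if "groupofnames" in [c.lower() for c in e.get("objectclass", [])]:
            roles[e["cn"][0]] = sorted(e.get("member", []))
    return roles
```

With real output saved from ldapsearch, pass the file contents to parse_ldif and then to ksams_roles.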