Introduction
Access Control
Data Elements
Application Programming Interface
Using LDAP to Authenticate Users
Using LDAP to restrict access to Webpages
Using LDAP with Linux and PAM
LDAP Servers
Virtual LDAP
SSL/TLS Access to LDAP
Example Searches
Further Information
Introduction
Information Technologies operates a general purpose LDAP directory implementation to provide UNIX-style directory services on campus.
The LDAP service consists of two distinct LDAP directories -- a "master" directory and a "public" directory.
The "master" directory contains three main trees:
- "people", containing one entry per issued UCID (about 600,000 entries)
- "uidauthent", containing one entry per valid IT user account (about 35,000 entries)
- "eid", containing one entry per valid myUofC Portal id
The master directory is password protected and is primarily used to control access to various computer applications, such as email, BlackBoard, secure Web sites, etc.
The "public" directory contains a subset of the information in the "master" directory, and is primarily used for the Campus Email Directory.
This service is implemented using OpenLDAP on a Linux server farm. It is designed to be very robust and available 24 x 7.
Data in the directory is obtained automatically from a variety of sources, including the Student Information System, the Human Resources Information System, the TeleWeb online phone book, the IT User Registration System, and from the individuals listed.
IT also provides Active Directory services for the Microsoft world.
For more information about Identity and Access Management at the University of Calgary, see here.
Access Control
All users of the master directory must authenticate themselves.
Anyone with an IT account can authenticate using their IT username and password. Generally speaking, authenticating to the directory gives you the ability to see your own data, but nobody else's.
Some users are granted wider access as required by their jobs. There are also application credentials, which allow authorized applications to see the necessary data.
Read-only access to the public directory is available without authentication.
Data Elements
Master/People
The "people" tree of the "master" directory contains one entry per issued UCID, and includes the following data elements:
- uid (a unique, apparently random, identifier)
- ucid
- sn (surname)
- officialName (official given name)
- givenname (preferred given name)
- cn (common name, i.e. givenname + sn)
- roomNumber
- telephoneNumber
- facsimileTelephoneNumber
- departmentNumber (department number according to HR)
- department (department or faculty name according to TeleWeb or SIS)
- labeledURI (URL of homepage)
- mail (preferred e-mail address)
- publish (indicates whether to publish in the public directory)
- course (all courses currently registered in)
- userclass (e.g., Academic Staff, Support Staff, Student)
- owner (distinguished names of IT user accounts owned by this person)
- ID Card barcode
The distinguished name of each entry is "uid=hashedUCID,ou=people,o=ucalgary.ca". The "hashedUCID" is a one-way hash of the entry's ucid field.
There are exact key indexes defined for ucid, sn, and owner.
For a list of defined userclasses, click here.
Master/Uidauthent
The "uidauthent" tree of the "master" directory contains one entry per IT account, and includes the following data elements:
- uid (the IT username)
- cn (a copy of the account's GECOS field)
- owner (distinguished name of the "people" entry for the account owner)
- mailLocalAddress (actual e-mail address and any aliases)
- status (primary, secondary, locked, etc.)
- userPassword (not retrievable; used only for 'bind' operations)
- other /etc/passwd information
The distinguished name of each entry is "uid=username,ou=uidauthent,o=ucalgary.ca".
There are exact key indexes defined for uid, owner, and mailLocalAddress.
Master/eID
The "eID" tree of the "master" directory contains one entry per MyUofC Portal identity, and includes the following data elements:
- uid (the eID, e.g. Jack.B.Nimble)
- givenname (the user's preferred given name)
- surname (the user's preferred surname)
- owner (distinguished name of the "people" entry for the account owner)
- mail (preferred e-mail address)
- userPassword (not retrievable; used only for 'bind' operations)
The distinguished name of each entry is like "uid=jack.b.nimble,ou=eid,o=ucalgary.ca".
There are exact key indexes defined for uid, owner, and surname.
Public
The "public" directory is derived from the master directory, and contains one entry per person who is marked as world publishable. The following data elements are included:
- sn (surname)
- givenname (preferred given name)
- cn (common name, i.e. givenname + sn)
- telephoneNumber
- facsimileTelephoneNumber
- roomNumber
- department (department or faculty name according to TeleWeb or SIS)
- labeledURI (URL of homepage)
- mail (preferred e-mail address)
- userclass (staff, student)
The public directory has substring indexes on all fields, for efficient searching.
The distinguished name of each entry in the public directory is "uid=hasheducid,ou=people,o=ucalgary.ca", so to search this directory use a search base "o=ucalgary.ca" and a scope of "subtree", or a search base of "ou=people,o=ucalgary.ca" with a scope of "one".
Application Programming Interface
LDAP is a very widely supported protocol. API's are available for almost all common application development environments:
- Unix shell via ldapsearch
- Java via JNDI
- Microsoft via ADSI
- Perl via Net::LDAP
- PHP
- C++
The usual sequence of events is that you authenticate yourself first (using the "bind" call), and then perform one or more searches. A search returns zero or more entries.
There is a limit of 100 entries returned per search.
Using LDAP to Authenticate Users
A common use for LDAP is to authenticate users, not to LDAP itself, but to some other application.
You cannot retrieve the user's password from LDAP but you can verify that a supplied password is correct. This is done by attempting to bind to LDAP with the supplied credentials and observing the return code.
Note that you cannot bind to a "people" entry. You must bind to an "eid" or "uidauthent" entry by providing the distinguished name (which contains the associated username) and the password.
WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.
Using LDAP to restrict access to webpages
LDAP can be used in .htaccess files to restrict access to web pages. Use the following configuration:
AuthName "University of Calgary eID or Username"
AuthType Basic
AuthLDAPURL "ldap://virtual.ldap.ucalgary.ca:389/ou=it,o=ucalgary.ca?uid?sub"
<Limit GET POST>
require user jack.b.nimble
require user horace.wombat
# etc.
</Limit>
Virtual LDAP is used in the above example, which allows users to authenticate with either their eID or IT username (and associated password).
Using LDAP with Linux and PAM
LDAP can be used to authenticate users on a Linux machine, in effect replacing the /etc/passwd file. For more information, see here.
LDAP Servers
Access to the master directory is via the URL:
ldaps://misc.ldap.ucalgary.ca
This is actually a "slave" server, of which there are several. You should always specify a secondary server in case the primary server is unavailable. Normally this would be:
ldaps://failover.ldap.ucalgary.ca
Access to the public directory is via the URL:
ldap://directory.ucalgary.ca
There is no failover machine for the public directory.
Virtual LDAP
Virtual LDAP is an authentication/authorization service which implements the LDAP protocol. It supports multiple identifiers and arbitrary back-end identity services. Some example uses:
- services that can authenticate using both IT usernames and eIDs
- web services that want to authenticate using SSO (Single Signon) tokens
- services that require the use of SecurID
- services that require personal information for making authorization decisions
Access to Virtual LDAP is via the URL:
ldap://virtual.ldap.ucalgary.ca
There are multiple Virtual LDAP servers behind a load balancing switch so it is not necessary to specify a failover machine.
The distinguished name for Virtual LDAP entries is "uid=...,ou=it,o=ucalgary.ca"
Typically Virtual LDAP is tailored to meet specific requirements. For more information, contact the IT Support Centre.
SSL/TLS Access to LDAP
An SSL/TLS connection should be used so that passwords are encrypted when travelling over the network. An SSL/TLS connection is required if you want to connect to LDAP from an off-campus network.
The CA certificate for the LDAP server is here. What you do with this certificate depends on the client software being used. For more information, see the OpenLDAP SSL/TLS FAQ.
SSL/TLS access to the public directory and Virtual LDAP is not presently available.
Example Searches
1. Here is an unencrypted Linux ldapsearch that an authorized user (jbnimble) could run to look up the information for a particular UCID:
ldapsearch -h misc.ldap.ucalgary.ca -x -D uid=jbnimble,ou=uidauthent,o=ucalgary.ca -W -b ou=people,o=ucalgary.ca "(ucid=12345678)"
2. Here is an example anonymous LDAP search against the public directory for somebody whose full name includes the strings "jack" and "nimble":
ldapsearch -h public.ldap.ucalgary.ca -x -b o=ucalgary.ca -s sub "(cn=*jack*nimble*)"
3. Here is an unencrypted Linux ldapsearch that user "jbnimble" could run to obtain his own information. He is binding using his IT username and password, and then searching for a "people" entry that is owned by the credential he just bound as:
ldapsearch -h misc.ldap.ucalgary.ca -x -D uid=jbnimble,ou=uidauthent,o=ucalgary.ca -W -b ou=people,o=ucalgary.ca "(owner=uid=jbnimble,ou=uidauthent,o=ucalgary.ca)"
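The bind-then-search sequence from "Using LDAP to Authenticate Users" and from example 3 above, written as an added example (not code from the page or from Information Technologies). It assumes the ldap3 Python library; the host names, DNs and the "owner" filter are the ones given on this page. The blank-password check is the one the WARNING above calls for, and the DN and filter escaping are standard RFC 4514/4515 practice that the page does not discuss.

```python
"""Authenticate an IT account against the master directory over LDAPS
and fetch the owner's "people" entry.  Added example; assumes ldap3."""
from typing import Optional

PRIMARY = "misc.ldap.ucalgary.ca"       # "slave" server named on the page
FAILOVER = "failover.ldap.ucalgary.ca"  # secondary server named on the page
UIDAUTHENT_BASE = "ou=uidauthent,o=ucalgary.ca"
PEOPLE_BASE = "ou=people,o=ucalgary.ca"


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514), so a username
    containing ',' or '=' cannot alter the DN we bind as."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def account_dn(username: str) -> str:
    return f"uid={escape_dn_value(username)},{UIDAUTHENT_BASE}"


def owner_filter(dn: str) -> str:
    # Same filter as example 3 on the page: (owner=<DN we bound as>)
    return f"(owner={escape_filter_value(dn)})"


def authenticate(username: str, password: str) -> Optional[dict]:
    """Return the person's attributes if the credentials are valid, else None."""
    # A blank password must be rejected here: the server would treat the
    # bind as anonymous and report success even though a DN was supplied.
    if not username or not password:
        return None
    from ldap3 import ALL_ATTRIBUTES, FIRST, Connection, Server, ServerPool  # assumed
    pool = ServerPool([Server(PRIMARY, port=636, use_ssl=True),
                       Server(FAILOVER, port=636, use_ssl=True)], FIRST)
    conn = Connection(pool, user=account_dn(username), password=password)
    if not conn.bind():          # wrong password -> bind fails
        return None
    conn.search(PEOPLE_BASE, owner_filter(account_dn(username)),
                attributes=ALL_ATTRIBUTES)
    entry = conn.entries[0].entry_attributes_as_dict if conn.entries else {}
    conn.unbind()
    return entry
```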
Further Information
For more information, please contact the Information Technologies Support Centre at itsupport@ucalgary.ca.