Friday August 2nd, 2013

LDAP Directory Information

A guide to the LDAP Schema

Summary: Information about the campus LDAP service, database schema, and usage notes.

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is the service used by campus applications and end-user applications such as e-mail clients to obtain information (e.g. names, e-mail addresses, phone numbers) from the campus directory.

UCI LDAP Information

Timeliness

A note on the timeliness of the data in UCI's LDAP servers: the servers are populated from the Campus Directory approximately every two hours during business hours and less frequently outside of them.

URL

The LDAP URL is ldap://ldap.service.uci.edu

Base DN

"ou=University of California Irvine,o=University of California, c=US"

DN of a ucinetid

"uid=XXXXXXX,ou=University of California Irvine,o=University of California, c=US" where XXXXXXX = the ucinetid of the object.

Using TLS (Transport Layer Security)

The LDAP server supports TLS. LDAP over SSL (ldaps) is not supported. To use TLS, the client must connect to the LDAP server on the unencrypted port 389 and issue the StartTLS command. Security will then be negotiated. Most LDAP clients support this. The certificate is self-signed and can be authenticated with the Certificate Authority cert found here: Certificate. Some LDAP clients may require the certificate.
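The exchange described above at the wire level, as an added example that is not UCI's code: the client sends a StartTLS extended request on port 389, checks the server's result code, and only then starts the TLS handshake, trusting only the campus CA file. The function names, the `ca_file` argument and the sample replies are assumptions constructed for illustration.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
# Constructed sample replies: resultCode 0 (success) and 2 (protocolError).
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("300c02010178070a010204000400")

def starttls_request(msg_id: int = 1) -> bytes:
    """BER-encode an LDAPMessage carrying a StartTLS ExtendedRequest (msg_id < 128)."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = bytes([0x77, len(name)]) + name                    # [APPLICATION 23]
    body = bytes([0x02, 0x01, msg_id]) + op                 # messageID, protocolOp
    return bytes([0x30, len(body)]) + body                  # LDAPMessage SEQUENCE

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def starttls_result(response: bytes) -> int:
    """Return the resultCode of an ExtendedResponse; 0 means TLS may start."""
    tag, msg, _ = read_tlv(response)          # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)                 # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)        # [APPLICATION 24] ExtendedResponse
    code_tag, code, _ = read_tlv(op)          # resultCode ENUMERATED
    if (tag, op_tag, code_tag) != (0x30, 0x78, 0x0A):
        raise ValueError("not an ExtendedResponse")
    return int.from_bytes(code, "big")

def connect_starttls(host: str, ca_file: str) -> ssl.SSLSocket:
    """Connect on 389, upgrade via StartTLS, trust only ca_file, never fall back."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and hostname
    sock = socket.create_connection((host, 389), timeout=10)
    try:
        sock.sendall(starttls_request())
        code = starttls_result(sock.recv(4096))  # short reply; a partial read fails closed
        if code != 0:
            raise ConnectionError(f"StartTLS refused, resultCode {code}")
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

In practice an LDAP library performs this exchange; the policy to carry over is the same: require StartTLS to succeed and the certificate to verify before any bind or search is sent.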

Private Data

The data in UCI's LDAP directory is separated into public and private zones. Unauthorized users cannot access private data, which holds information such as birthday and student ID. If you would like to apply for access to private information, email oit@uci.edu.

FERPA (Family Educational Rights and Privacy Act) Restricted Data

Access to Personally Identifiable Information requires the approval of the University Registrar and is subject to applicable UC policies.

To read more about your responsibilities under these policies, please consult the link above and the University Registrar's Privacy web site.

If you have a legitimate educational interest and would like to apply for access to personally identifiable student information, email oit@uci.edu.

A Note on LDAP Aliases

A number of aliases for attributes have been incorporated into the schema for legacy support.

Many of the names for attributes that belong in the inetOrgPerson schema were renamed from their legacy PH names. This change was made so that LDAP is more compatible with frequently used applications such as Eudora, OS/X Mail and Outlook. The aliases assigned to these attributes correspond to the attribute names in the pre-2005 LDAP schema.

If your application specifies attribute names to be returned, the alias system will understand the attributes you are requesting and return them; however, they will be named with their primary names in the returned result.

If, however, your query does not specify which attributes it wants returned, the attribute names returned will be their new official names. Aliased names can also be used in search filters.

For example, the PH field 'phone' is now stored in LDAP as 'telephoneNumber' in accordance with the iNetOrgPerson schema. 'phone' is also now an alias for 'telephoneNumber'. If the attribute 'phone' is requested, the attribute will show up in the response under the name 'telephoneNumber'. If a general query of all data occurs without specifying attribute names, the attribute will be returned as 'telephoneNumber'.

Note regarding case sensitivity

While LDAP is not case sensitive, many programming languages are. Any query made to the LDAP server will be case insensitive. However, once an LDAP result is used inside a case-sensitive programming language, the language will treat attribute names as case sensitive. This is the case in PHP. PHP will automatically lowercase all attribute names in a result hash to avoid confusion.
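An added example (not part of the original page) of handling both behaviours described above: a search filter may use an aliased name, but the result must be read by primary name, and the key case may differ from what the application asked for. The alias map is copied from this page's tables and its 'phone' example; the helper names and sample entries are constructed for illustration, and the filter-value escaping follows RFC 4515.

```python
# Alias -> primary attribute name, as listed on this page.
ALIASES = {
    "commonName": "cn", "fax": "facsimileTelephoneNumber", "gn": "givenName",
    "surname": "sn", "stateOrProvinceName": "st", "streetAddress": "street",
    "userid": "uid", "phone": "telephoneNumber",
}
_BY_LOWER = {alias.lower(): primary for alias, primary in ALIASES.items()}

def primary_name(attr: str) -> str:
    """Resolve an alias (in any case) to the primary name the server returns."""
    return _BY_LOWER.get(attr.lower(), attr)

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '*' becomes \2a
        else:
            out.append(ch)
    return "".join(out)

def equality_filter(attr: str, value: str) -> str:
    """Build (attr=value); attr may be an alias, value is always escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(value))

def get_values(entry: dict, requested: str) -> list:
    """Read an attribute from a result entry by alias or primary name, ignoring case."""
    want = primary_name(requested).lower()
    for name, values in entry.items():
        if name.lower() == want:
            return values
    return []

# Constructed sample entries: keyed as the server returns them, and as PHP keys them.
SERVER_ENTRY = {"uid": ["jdoe"], "telephoneNumber": ["+1 949 555 0100"]}
PHP_ENTRY = {name.lower(): values for name, values in SERVER_ENTRY.items()}
```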

Student Preferred Names

Students have the ability to specify a preferred name as an alternative to their legal name. A student's preferred name is used as their directory name in all name-related fields. More information about Preferred Name may be found on the University Registrar's web site at: http://www.reg.uci.edu/request/preferredname.html

Schema Information

Object Classes

| Name | OID | Notes |
| --- | --- | --- |
| uciperson | 2.16.840.1.113916.5.6.2.1 | used for PH type guest, student and person (staff/faculty) -- inherits from iNetOrgPerson and is supplemented by eduPerson |
| uciobject | 2.16.840.1.113916.5.6.2.2 | structural object, used for inheritance only |
| uciforward | 2.16.840.1.113916.5.6.2.3 | used for PH type forward or duplicate |
| ucimaillist | 2.16.840.1.113916.5.6.2.4 | used for PH type list |
| ucigroup | 2.16.840.1.113916.5.6.2.5 | used for PH type group |
| ucidepartment | 2.16.840.1.113916.5.6.2.6 | used for PH type dept |
| ucinetreg | 2.16.840.1.113916.5.6.2.7 | used for PH type netreg |

UCI Custom Attributes

| Name | OID | Data Type | Single or Multi Valued | Indexed in Database? |
| --- | --- | --- | --- | --- |
| activatedOn | 2.16.840.1.113916.5.6.1.15 | string | SINGLE-VALUE | |
| addDate | 2.16.840.1.113916.5.6.1.16 | string | SINGLE-VALUE | |
| callsign | 2.16.840.1.113916.5.6.1.22 | string | | |
| campusId | 2.16.840.1.113916.5.6.1.8 | string | SINGLE-VALUE | indexed |
| deleteDate | 2.16.840.1.113916.5.6.1.20 | string | SINGLE-VALUE | |
| department | 2.16.840.1.113916.5.6.1.2 | string | | indexed |
| deptPhone | 2.16.840.1.113916.5.6.1.21 | string | | |
| emailName | 2.16.840.1.113916.5.6.1.55 | string | SINGLE-VALUE | indexed |
| facultyLevel | 2.16.840.1.113916.5.6.1.57 | string | SINGLE-VALUE | |
| guestExpiration | 2.16.840.1.113916.5.6.1.25 | date and time | SINGLE-VALUE | |
| guestId | 2.16.840.1.113916.5.6.1.5 | string | SINGLE-VALUE | indexed |
| guestSponsor | 2.16.840.1.113916.5.6.1.27 | string | | |
| homePageUrl | 2.16.840.1.113916.5.6.1.12 | string | | |
| hours | 2.16.840.1.113916.5.6.1.30 | string | | |
| lastFirstName | 2.16.840.1.113916.5.6.1.31 | string | | indexed |
| lastRefresh | 2.16.840.1.113916.5.6.1.51 | date and time | SINGLE-VALUE | |
| lastReset | 2.16.840.1.113916.5.6.1.32 | date and time | SINGLE-VALUE | |
| levelOfAssurance | 2.16.840.1.113916.5.6.1.53 | string | SINGLE-VALUE | |
| lka | 2.16.840.1.113916.5.6.1.33 | string | | |
| mailAddress | 2.16.840.1.113916.5.6.1.34 | string | | |
| mailcode | 2.16.840.1.113916.5.6.1.10 | string | SINGLE-VALUE | |
| mailDeliveryPoint | 2.16.840.1.113916.5.6.1.6 | string | SINGLE-VALUE | |
| major | 2.16.840.1.113916.5.6.1.4 | string | | |
| methodOfIssuance | 2.16.840.1.113916.5.6.1.52 | string | SINGLE-VALUE | |
| nickName | 2.16.840.1.113916.5.6.1.50 | string | | |
| otherInfo | 2.16.840.1.113916.5.6.1.35 | string | | |
| payrollTitle | 2.16.840.1.113916.5.6.1.36 | string | | |
| pictureUrl | 2.16.840.1.113916.5.6.1.7 | string | | |
| project | 2.16.840.1.113916.5.6.1.38 | string | | |
| releasePersonal | 2.16.840.1.113916.5.6.1.13 | string | SINGLE-VALUE | indexed |
| searchName | 2.16.840.1.113916.5.6.1.42 | string | | indexed |
| studentId | 2.16.840.1.113916.5.6.1.3 | string | | indexed |
| studentLevel | 2.16.840.1.113916.5.6.1.45 | string | SINGLE-VALUE | |
| stuEmailRelease | 2.16.840.1.113916.5.6.1.14 | string | SINGLE-VALUE | indexed |
| suspect | 2.16.840.1.113916.5.6.1.54 | string | SINGLE-VALUE | |
| titleCode | 2.16.840.1.113916.5.6.1.56 | string | | |
| type | 2.16.840.1.113916.5.6.1.48 | string | SINGLE-VALUE | indexed |
| ucinetid | 2.16.840.1.113916.5.6.1.1 | string | SINGLE-VALUE | indexed |
| ucnetId | 2.16.840.1.113916.5.6.1.9 | string | SINGLE-VALUE | indexed |
| uciAffiliation | 2.16.840.1.113916.5.6.1.59 | string | | indexed |
uciAffiliation 2.16.840.1.113916.5.6.1.59 string indexed

Standard Attributes used in UCI's Directory

UCI also uses a number of attributes from other schemas, most notably iNetOrgPerson (and all of its inherited schema), and eduPerson.

| Attribute Name | Alias | RFC Spec. Number | Indexed in Database? |
| --- | --- | --- | --- |
| cn | commonName | 2256 | indexed |
| departmentNumber | | 2798 | indexed |
| displayName | | 2798 | |
| employeeNumber | | 2798 | indexed |
| facsimileTelephoneNumber | fax | 2256 | |
| givenName | gn | 2256 | indexed |
| postalAddress | | 2256 | |
| postalCode | | 2256 | |
| sn | surname | 2256 | indexed |
| st | stateOrProvinceName | 2256 | |
| street | streetAddress | 2256 | |
| telephoneNumber | | 2256 | indexed |
| title | | 2256 | |
| uid | userid | 1274 | indexed |
| userClass | | 1274 | indexed |