Lightweight Directory Access Protocol (LDAP) is an important authentication service which is provisioned during the account claims process. Data from LDAP is used to control everything from access to the wireless network and library databases to logging into departmentally-managed services. The following tables explain which attributes in LDAP are populated at CNetID claiming time as well as some uses by our services of these attributes. LDAP attributes are updated both at CNetID claiming time and around 10:00 a.m. every day based on data in the MCDB.
The Common Attributes are attributes which are always present on any user object in LDAP.
| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| DN | Distinguished Name: the unique identifier of the person in LDAP. | uid=johndoe,ou=people,dc=uchicago,dc=edu | Identifies a record. |
| objectClass | This multi-valued attribute defines which 'classes' an account object belongs to and therefore which attributes the entry is allowed to have. | top, person, organizationalPerson, inetOrgPerson, eduPerson, ucPerson, ucObject | Generally used by some clients to see whether the entry is a person or a non-person object. Since we only have person objects, it is better to look for other, more specific attributes. |
| givenName | The person's first name. | John | Useful if you need a person's official first name. |
| ucMiddleName | The person's middle name. | Jacob | Useful if you need a person's official middle name. |
| sn | The person's last name. | Doe | Useful if you need a person's official last name. |
| cn | The person's full name. | John Jacob Doe | Useful if you need a person's official full name. |
| displayName | The person's preferred method of showing their name. | Johnny Doe | Set by the user or directory reviewer; this is what you should use when displaying the user's information to a human. |
| eduPersonNickname | The person's preferred first name. | Johnny | Set by the user or directory reviewer. Students set this in my.uchicago.edu. Staff and Faculty set this in directory.uchicago.edu. |
| chicagoID | The person's Chicago ID. | 80246515R | Useful for looking up individuals by ChicagoID to get the CNetID or other information and tie the individual back to your local database. |
| uid | The person's CNetID. | johndoe | Useful for looking up users by CNetID. |
| ou | A combination of what a person is studying, where they work, and the specifics of their appointment. | Pediatrics | Can be used for authorization or just for informational purposes. |
| eduPersonAffiliation | This multi-valued attribute contains all current affiliations a person has with the university. | alum, student, former_student, lab_student, lab_school, new student, graham_student, postdoc, staff, faculty, academic, affiliate, emeritus, temporary, hospital, medical_associate | This attribute is used to control access to things like library resources, wireless networking, etc. |
| eduPersonPrimaryAffiliation | Single-valued; a person's primary affiliation, chosen by a pre-arranged hierarchy (see Attribute Uses). | staff | This should ONLY be used for display purposes. The assignment of this value is based solely on a pre-arranged hierarchy of affiliation values and does NOT reflect the true primary affiliation of an individual. |
The following attributes are related to routing a person's email throughout the @uchicago.edu email domain. Please note that the email routing system is complex and the data here is for informational purposes only. IT Services reserves the right to modify how it uses data and what data is stored in the attributes listed here at any time without warning. Most of these attributes are private and not viewable by the public. These attributes are only applied to people who claim a CNetID.
| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| | The person's email address. | johndoe@uchicago.edu | Used by client applications to display the main email address. Used by Mirapoint to translate an email addressed to a person's alias to that person's real mail address. |
| mailLocalAddress | Multi-valued; all routable mail addresses for a person. | johndoe@uchicago.edu, johndoe@midway.uchicago.edu, johndoe@uchicago.edu | This attribute holds all the "aliases" for a person. |
| mailRoutingAddress | Where a person's mail should be delivered. | johnnyjdoe@gmail.com | |
The following attributes are used by Unix machines to authenticate users. They are only applied to CNetID holders who claim via cnet.uchicago.edu.
| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| gecos | The person's full name. | John Jacob Doe | What a person's full name is on the Unix workstation. |
| uidNumber | The person's user id number. | 15298 | The UID which should be applied to any files created by the user. |
| gidNumber | The person's group id number. | 15298 | The default Group ID which should be applied to any files created by the user. |
| loginShell | The person's shell. | /opt/bin/tcsh (the default) | The shell which should spawn when the user logs in. |
| homeDirectory | Where the person's home directory lives. | /nfs/harper/hc0/johndoe | Where the person's home directory resides. |
The following attributes are related to a person's job and/or field of study. The OU attribute listed above holds the concatenation of these attributes except for ucStudentId and ucExecLevel. They are applied/updated daily at 10:00 a.m.
| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| ucDepartment | The department in which a staff member works / by which they are paid. | Voice & Data Networking | Can be used for authorization. |
| ucExecLevel | The account executive level from which a staff member is paid. | Information Technology Services | Authorization at the "division" level. Also useful for report generation. |
| ucAppointment | A person's academic appointment (if they have one or more). The format is Title$Department; clients should translate the $ to mean a new line. | Professor$Sociology, Senior Research Associate$Computation Institute | Can be used for authorization. |
| title | This is displayed by LDAP clients. It used to be user-settable for staff, but is now only maintained for Faculty. It holds the same value as ucAppointment. | Professor$Sociology, Senior Research Associate$Computation Institute | Should only be used for display purposes. |
| ucCurriculum | The program of study for a student. Undergrads always have "College:" prepended to their program of study. | College: Common Year | Can be used for authorization. |
| ucStudentId | The person's student ID number. | 10123456 | Useful for tying students into your local database. |
These are all the attributes which have been used to store phone and address data. The data for students is synced daily with the MCDB at 10:00 a.m.
WARNING: Please pay special attention to attributes in this area. Some are not being actively maintained. If your application needs data that these fields would contain, please write to Identity & Access Management (IAM) at idm@uchicago.edu for information on other ways of receiving the necessary data.
| Attribute Name | Example | Is data current | Attribute Uses |
|---|---|---|---|
| homePostalAddress | 123 Any St$Chicago IL$60637 | | Where the student lives. |
| homePhone | +1 773 702 1234 | | How to reach the student. |
| telephoneNumber | +1 773 702 1234 | | What to display for a person's main number(s). NOTE: this is dependent upon the individual or Directory Reviewer adding and keeping this information up to date in the Directory. |
| postalAddress | 123 Any St$Chicago IL$60637 | | Where you should send correspondence by post. |
| mobile | +1 773 702 1234 | | If you're trying to call a person's cell. |
| ucOfficeTelephoneNumber | +1 773 702 1234 | | A person's office line. |
| ucOfficePostalAddress | 123 Any St$Chicago IL$60637 | | Where to send office correspondence. |
| facsimileTelephoneNumber | +1 773 702 1234 | | Where to send faxes to the person. |
These attributes are used mostly for authorization or metadata purposes by IAM and IT Services. Most are private, although if you can make a strong enough case to read them, IAM can give you a special Agent DN to use in your application.
| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| ucPriv | Multi-valued strings. | nsit.closure, nsit.network.nowireless, nsit.directory.ferpa | This attribute holds various flags for services, mainly deny or allow flags. Used in the closure process for the day 10 lockout. Also used to lock people out of individual services to which they may otherwise be entitled. |
| ucIsMemberOf | Multi-valued strings. | uc:applications:confluence:ITS:Everyone | This attribute is populated by Grouper, is public, and can be used by applications to see if a person belongs to certain groups, thus granting access to resources. |
| ucReasonLocked | Single-valued; the reason a particular flag in ucPriv is set. | Due to closure | This attribute is not very well maintained, but it can be used to provide clues for why certain values are set in ucPriv. |
| ucRevisions | Multi-valued history of changes on the user's entry. | 20070209193735Z: (AMSXML) cn=manager,dc=uchicago,dc=edu - Changed name from Jon Doe | Used mainly by LDAP Administrators to determine when some changes occurred. This is updated mainly by IdM programs and occasionally gets missed during updates by hand. |
| ucAlternateUID | Single-valued; the old method for storing mail aliases. | John | This is how old ph-aliases are stored in LDAP, as well as how IT Services used to store mail aliases before we moved to giving everybody 6 aliases. This attribute is no longer maintained. |
| ucUseKerberos | Single-valued entry, generally with a value of 1 if present. | 1 | This is used by the LDAP server to determine whether it needs to pass BIND requests for the user to UCHAD. |
| ucUserPasswordModifyTimestamp | String of a date in GMT; the format is YYYYMMDDHHMMSS. | 20080227173458Z | When the user's password was last changed. |
| ucBirthDate | String form of the individual's birthdate. The format is YYYYMMDD. | 19690101 | Finding out the individual's birthdate. |
| userPassword | Salted SHA-1 hash stored as a base64 string. | NOT PROVIDED | IAM will not allow anybody to read this attribute. It is only listed here for completeness. If you need to check a person's password you MUST attempt a BIND operation as that user. |
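As an added example (not code from IT Services or this page), the helper below shows how an application can make an access decision from the attributes documented above: ucPriv deny flags are checked first so a lockout wins, entitlement comes from the multi-valued eduPersonAffiliation (never the display-only eduPersonPrimaryAffiliation), and optional group membership comes from ucIsMemberOf. The sample entry, the service names and the choice of which ucPriv flags count as denials for a given service are constructed for illustration; password verification is deliberately absent because it must be done with a BIND as the user.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample entry, flattened the way an LDAP search result usually is:
# attribute name -> list of string values. Values are illustrative only.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["johndoe"],
    "eduPersonAffiliation": ["staff", "alum"],
    "eduPersonPrimaryAffiliation": ["staff"],
    "ucIsMemberOf": ["uc:applications:confluence:ITS:Everyone"],
    "ucPriv": ["nsit.network.nowireless"],
}


def values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    """All values of a (possibly multi-valued) attribute; empty list if absent."""
    return list(entry.get(attr, []))


def has_affiliation(entry: Dict[str, List[str]], allowed: set) -> bool:
    """Entitlement is decided on eduPersonAffiliation, which lists every current
    affiliation. eduPersonPrimaryAffiliation is display-only and is never consulted."""
    return bool(set(values(entry, "eduPersonAffiliation")) & allowed)


def is_member_of(entry: Dict[str, List[str]], group: str) -> bool:
    """Group check against the Grouper-populated ucIsMemberOf attribute."""
    return group in values(entry, "ucIsMemberOf")


def authorize(entry: Dict[str, List[str]], service: str, allowed_affiliations: set,
              required_group: Optional[str] = None,
              deny_flags: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny flags in ucPriv are evaluated first, so a
    lockout (e.g. nsit.closure) overrides an otherwise valid entitlement."""
    for flag in deny_flags:
        if flag in values(entry, "ucPriv"):
            return False, f"{service}: locked out by ucPriv flag {flag}"
    if not has_affiliation(entry, allowed_affiliations):
        return False, f"{service}: no qualifying eduPersonAffiliation"
    if required_group and not is_member_of(entry, required_group):
        return False, f"{service}: not a member of {required_group}"
    return True, f"{service}: allowed"


if __name__ == "__main__":
    # Hypothetical policy: wireless is open to staff/faculty/students unless a
    # closure or no-wireless flag is set; Confluence additionally needs a group.
    print(authorize(SAMPLE_ENTRY, "wireless", {"staff", "faculty", "student"},
                    deny_flags=("nsit.closure", "nsit.network.nowireless")))
    print(authorize(SAMPLE_ENTRY, "confluence", {"staff", "faculty", "student"},
                    required_group="uc:applications:confluence:ITS:Everyone",
                    deny_flags=("nsit.closure",)))
```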