An LDAP interface to the Enterprise Directory is provided by ED-LDAP.
ED-LDAP is a pool of LDAPv3 compliant LDAP servers that are used by Virginia Tech applications for:
- Public directory or whitepages lookups
- Retrieving other information about users and other entries (groups, entitlements, etc.) as needed
- ED Services
- ED Groups
- VT Organizations
The information returned by ED-LDAP is dependent on how you bind.
- Anonymous Binds
- Simple Binds
- SASL EXTERNAL Binds
The view returned when binding anonymously is known as ED-Lite.
The view returned when simple binding as a person is known as ED-Auth.
The view returned when binding using SASL EXTERNAL is known as ED-ID.
Binding to ED-LDAP anonymously results in the view we refer to as ED-Lite.
ED-Lite contains public directory information that is world readable. It is the source for all the information contained in People Search.
ED-Lite is available at:
```
$ ldapsearch -h directory.vt.edu -Z -x -b ou=People,dc=vt,dc=edu uupid=dhawes
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vt,dc=edu> with scope subtree
# filter: uupid=dhawes
# requesting: ALL
#

# 1152120, People, vt.edu
dn: uid=1152120,ou=People,dc=vt,dc=edu
objectClass: virginiaTechPerson
uupid: dhawes
uid: 1152120
cn: David H Hawes
sn: Hawes
givenName: David
middleName: H
displayName: David H Hawes
departmentNumber: 066103
authId: dhawes
mailStop: 0479
postalAddress: SETI-Middleware$1700 Pratt Dr.$Blacksburg, VA 24061
title: Application Developer
instantMessagingID: Google:email@example.com
instantMessagingID: Virginia Tech:firstname.lastname@example.org
suppressDisplay: FALSE
telephoneNumber: 5402313862
passwordState: ACTIVE
labeledURI: Homepage:https://www.middleware.vt.edu/doku.php?id=middleware:dhaw
 es
mail: email@example.com
suppressedAttribute: localPostalAddress
department: Middleware & Identity Apps

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Some data can be suppressed in ED-Lite depending on a user’s affiliations and preferences. The rules are listed below.
The following affiliations roll up to the VT-ACTIVE-MEMBER affiliation, on which overall suppression is based:
The following affiliations do not roll up to the VT-ACTIVE-MEMBER affiliation:
- All Alumni affiliations
- All VCOM affiliations
The following rules for displaying information in ED-Lite are evaluated in order, and the first rule that applies decides. That is, if rule 1 is met, the information is displayed for that individual and rule checking stops; you only go to rule 2 if rule 1 does not apply.
- If any of the affiliations present is VT-EMPLOYEE-STATE, then display the Employee attributes taking into account the suppressedAttribute attribute for addresses and phones.
- If at this point, any affiliation present is VT-EMPLOYEE-PREHIRE, then do not display any information about this person.
- If at this point, any affiliation present is VT-STUDENT-ENROLLED or VT-STUDENT-FUTURE and the Confidential flag is NO, then display the Student-Not Confidential attributes taking into account the suppressedAttribute attribute for addresses and phones.
- If at this point, any affiliation present is VT-STUDENT-ENROLLED or VT-STUDENT-FUTURE and the Confidential flag is YES, then do not display any information about this person.
- If at this point, any affiliation present is VT-EMPLOYEE-WAGE or VT-EMPLOYEE-NON-STATE, then display the Others attributes.
- If at this point, any affiliation present is VT-STUDENT-RECENT and the Confidential flag is NO, then display the Student-Not Confidential attributes taking into account the suppressedAttribute attribute for addresses and phones.
- If at this point, any affiliation present is VT-STUDENT-RECENT and the Confidential flag is YES, then do not display any information about this person.
- At this point, display the Others attributes.
| Attribute | Employee | Student (Not Confidential) | Others |
|---|---|---|---|
| Home department for an employee | OK | X | OK |
| Instant messaging IDs | * | * | * |
| Webpage(s) associated with person | * | * | * |
| Local phone (MA or DM in Banner) | OK | OK | X |
| Local postal address (MA or DM in Banner) | OK | OK | X |
| Preferred email address | OK | OK | OK |
| Mail code for employees | OK | X | OK |
| Postal address (OF in Banner) | OK | X | OK |
| Office phone number (OF in Banner) | OK | X | OK |

\* indicates that individual users choose in MY VT whether or not they want to make this information available via ED-Lite.
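The display rules and the attribute table above, written out as one decision function. This is an added example, not code from the ED-LDAP documentation or the ED service itself; the category names, the attribute keys, and the `opt_in` list that stands in for the MY VT choice behind "*" are assumptions, and suppressedAttribute is honoured for addresses and phones in every column.

```python
# Added example (not from the ED-LDAP documentation): ED-Lite display rules
# plus the attribute table as one decision function. Category names, attribute
# keys and the opt_in list (the MY VT choice behind "*") are assumptions.
EMPLOYEE, STUDENT_NC, OTHERS = "Employee", "Student-Not Confidential", "Others"

# Table columns: "OK" shown, "X" hidden, "*" shown only if the user opted in.
VISIBILITY = {
    "department":         {EMPLOYEE: "OK", STUDENT_NC: "X",  OTHERS: "OK"},
    "instantMessagingID": {EMPLOYEE: "*",  STUDENT_NC: "*",  OTHERS: "*"},
    "labeledURI":         {EMPLOYEE: "*",  STUDENT_NC: "*",  OTHERS: "*"},
    "localPhone":         {EMPLOYEE: "OK", STUDENT_NC: "OK", OTHERS: "X"},
    "localPostalAddress": {EMPLOYEE: "OK", STUDENT_NC: "OK", OTHERS: "X"},
    "mail":               {EMPLOYEE: "OK", STUDENT_NC: "OK", OTHERS: "OK"},
    "mailStop":           {EMPLOYEE: "OK", STUDENT_NC: "X",  OTHERS: "OK"},
    "postalAddress":      {EMPLOYEE: "OK", STUDENT_NC: "X",  OTHERS: "OK"},
    "telephoneNumber":    {EMPLOYEE: "OK", STUDENT_NC: "X",  OTHERS: "OK"},
}
# Address and phone attributes additionally honour the user's suppressedAttribute.
ADDRESS_OR_PHONE = {"localPhone", "localPostalAddress", "postalAddress", "telephoneNumber"}

def category(affiliations, confidential):
    """Walk the rules in order; the first one that applies decides. None = show nothing."""
    a = set(affiliations)
    if "VT-EMPLOYEE-STATE" in a:
        return EMPLOYEE
    if "VT-EMPLOYEE-PREHIRE" in a:
        return None
    if a & {"VT-STUDENT-ENROLLED", "VT-STUDENT-FUTURE"}:
        return None if confidential else STUDENT_NC
    if a & {"VT-EMPLOYEE-WAGE", "VT-EMPLOYEE-NON-STATE"}:
        return OTHERS
    if "VT-STUDENT-RECENT" in a:
        return None if confidential else STUDENT_NC
    return OTHERS

def ed_lite_view(entry, affiliations, confidential=False, opt_in=()):
    """Return the attributes of `entry` that an anonymous (ED-Lite) bind would see."""
    cat = category(affiliations, confidential)
    if cat is None:
        return {}
    suppressed = set(entry.get("suppressedAttribute", []))
    view = {}
    for attr, value in entry.items():
        flag = VISIBILITY.get(attr, {}).get(cat, "OK")  # attributes outside the table are not restricted by it
        if flag == "X" or (flag == "*" and attr not in opt_in):
            continue
        if attr in ADDRESS_OR_PHONE and attr in suppressed:
            continue
        view[attr] = value
    return view
```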
Binding to ED-LDAP with a simple bind using TLS is commonly referred to as ED-Auth.
ED-Auth is used primarily to authenticate users by PID and password. It can also be used for authorization using VT affiliations and ED group membership.
Binding to ED-Auth is typically done by searching for the PID, called uupid in ED-LDAP, and then binding with the returned DN and user supplied password.
As a bound user, applications can check affiliations or group membership for authorization.
ED-Auth is available at:
```
$ ldapsearch -h authn.directory.vt.edu -Z -x -b ou=People,dc=vt,dc=edu uupid=dhawes 1.1
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vt,dc=edu> with scope subtree
# filter: uupid=dhawes
# requesting: 1.1
#

# 1152120, People, vt.edu
dn: uid=1152120,ou=People,dc=vt,dc=edu

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapsearch -h authn.directory.vt.edu -Z -x -b ou=People,dc=vt,dc=edu -D uid=1152120,ou=People,dc=vt,dc=edu -W uupid=dhawes 1.1
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vt,dc=edu> with scope subtree
# filter: uupid=dhawes
# requesting: 1.1
#

# 1152120, People, vt.edu
dn: uid=1152120,ou=People,dc=vt,dc=edu

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapcompare -h authn.directory.vt.edu -Z -x -D uid=1152120,ou=People,dc=vt,dc=edu -W uid=1152120,ou=People,dc=vt,dc=edu virginiaTechAffiliation:VT-ACTIVE-MEMBER
Enter LDAP Password:
TRUE
```
You must use TLS when using ED-Auth. Failure to do so will result in LDAP error 13, confidentiality required.
Always use TLS.
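The ED-Auth flow just described (search for the uupid, bind as the returned DN, then check an affiliation with a compare) as an added example; it is not code from the ED-LDAP documentation or from Virginia Tech. The `search`, `bind` and `compare` callables are assumptions standing in for the ldapsearch, bind and ldapcompare calls over TLS, so the decision logic runs offline against the constructed in-memory directory at the bottom; the filter escaping is there because a user-typed PID must not be able to inject filter syntax or turn the exact search into a wildcard one.

```python
# Added example, not from the ED-LDAP documentation: the ED-Auth flow above
# (search for the uupid, bind as the returned DN, then authorise on an affiliation)
# with the directory calls injected so the logic runs offline. `search`, `bind`
# and `compare` stand in for ldapsearch/bind/ldapcompare over TLS and are assumptions.

BASE_DN = "ou=People,dc=vt,dc=edu"
_ESC = {ord(c): "\\%02x" % ord(c) for c in "\\*()\x00"}   # RFC 4515 filter escapes

def uupid_filter(uupid):
    """Exact-match filter; escaping stops a user-typed PID from injecting filter
    syntax or turning the exact search into a wildcard search."""
    return "(uupid=%s)" % uupid.translate(_ESC)

def authenticate(search, bind, compare, uupid, password, required="VT-ACTIVE-MEMBER"):
    """Return the user's DN when the password is correct and the affiliation check
    passes, else None. search(base, filter) -> list of DNs, bind(dn, pw) -> bool,
    compare(dn, attr, value) -> bool."""
    if not uupid or not password:   # an empty password would become an anonymous bind
        return None
    dns = search(BASE_DN, uupid_filter(uupid))
    if len(dns) != 1:               # no match or an ambiguous match: refuse
        return None
    if not bind(dns[0], password):  # this is where LDAP error 49 surfaces
        return None
    if not compare(dns[0], "virginiaTechAffiliation", required):
        return None
    return dns[0]

# Constructed in-memory directory (sample data, not real ED-LDAP entries).
_FAKE = {
    "uid=1152120,ou=People,dc=vt,dc=edu": {"uupid": "dhawes", "password": "s3cret",
        "virginiaTechAffiliation": ["VT-ACTIVE-MEMBER", "VT-EMPLOYEE-STATE"]},
    "uid=9999999,ou=People,dc=vt,dc=edu": {"uupid": "former1", "password": "pw",
        "virginiaTechAffiliation": []},   # nothing rolling up to VT-ACTIVE-MEMBER
}

def fake_search(base, flt):
    """Understands only exact uupid filters; an escaped '*' therefore matches nothing."""
    want = flt[len("(uupid="):-1]
    return [dn for dn, e in _FAKE.items() if dn.endswith(base) and e["uupid"] == want]

def fake_bind(dn, pw):
    return dn in _FAKE and _FAKE[dn]["password"] == pw

def fake_compare(dn, attr, value):
    return value in _FAKE.get(dn, {}).get(attr, [])

if __name__ == "__main__":
    print(authenticate(fake_search, fake_bind, fake_compare, "dhawes", "s3cret"))
```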
ED-Auth IP Restrictions
ED-Auth will only authenticate users for clients that are in specified ranges of IP addresses or that use TLS client authentication with a valid ED Service certificate.
Allowed IP Addresses
| IP (CIDR) | Netmask | Start IP | End IP |
|---|---|---|---|
TLS Client Auth
In addition to the list of allowed IP addresses, clients that perform TLS client authentication with a certificate for an active ED Service will also be allowed to authenticate users.
Clients that are neither in the allowed IP ranges nor performing TLS client auth with an active ED Service will see LDAP error 49, invalid credentials. If you encounter this error and the user can log in to valid VT services (e.g. https://auth.vt.edu), you should check that your client IP is in the allowed range (or that your ED-ID service is active and you are doing TLS client auth).
Users are able to suppress their uupid attribute in ED-Auth, which can cause issues if an application expects the attribute to always be available.
To allow the lookup of a single uupid but prevent the enumeration of them all, exact searches will always return the uupid. Wildcard searches will never return the uupid.
Suppose you are looking for pid1234. The filter:
will return the entry with the uupid attribute since it is an exact search.
If you use the filter with a wildcard:
the entry will be returned, but will not contain the uupid attribute.
Binding to ED-LDAP with a SASL EXTERNAL bind results in the view we refer to as ED-ID.
ED-ID is used to look up information about users that is typically not public.
This information can be used by applications for:
- Making business decisions
- Showing additional data about people
- Authorizing users
Access to ED-ID requires an ED service, which is associated with a certificate issued by the VT Middleware CA. The ED service certificate is used to perform TLS client authentication to ED-LDAP, which then allows us to bind using SASL EXTERNAL.
Entries in ED-ID include:
The attributes available for view by ED services must be approved during the registration process. In this way, specialized views can be created for each ED service.
ED-ID is available at:
```
# search by uupid
ldapsearch -h id.directory.vt.edu -Z -Y EXTERNAL -b ou=People,dc=vt,dc=edu uupid=vtpid

# view your ED service
ldapsearch -h id.directory.vt.edu -Z -Y EXTERNAL -b ou=Services,dc=vt,dc=edu uusid=*
```
Types of Entries
ED-LDAP contains the following types of entries: