An LDAP interface to the Enterprise Directory is provided by ED-LDAP.

ED-LDAP is a pool of LDAPv3 compliant LDAP servers that are used by Virginia Tech applications for:

  1. Public directory or whitepages lookups
  2. Authentication
  3. Authorization
  4. Retrieving other information about users and other entries (groups, entitlements, etc.) as needed

ED-LDAP contains:

  1. People
  2. Addresses
  3. ED Services
  4. ED Groups
  5. Entitlements
  6. VT Organizations

The information returned by ED-LDAP is dependent on how you bind.

ED-LDAP supports:

  1. Anonymous Binds
  2. Simple Binds
  3. SASL EXTERNAL Binds

The view returned when binding anonymously is known as ED-Lite.

The view returned when simple binding as a person is known as ED-Auth.

The view returned when binding using SASL EXTERNAL is known as ED-ID.

ED-Lite

Binding to ED-LDAP anonymously results in the view we refer to as ED-Lite.

ED-Lite contains public directory information that is world readable. It is the source of all the information shown in People Search.

ED-Lite is available at:

  • ldap://directory.vt.edu
  • ldaps://directory.vt.edu

Example

$ ldapsearch -h directory.vt.edu -Z -x -b ou=People,dc=vt,dc=edu uupid=dhawes
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vt,dc=edu> with scope subtree
# filter: uupid=dhawes
# requesting: ALL
#

# 1152120, People, vt.edu
dn: uid=1152120,ou=People,dc=vt,dc=edu
objectClass: virginiaTechPerson
uupid: dhawes
uid: 1152120
cn: David H Hawes
sn: Hawes
givenName: David
middleName: H
displayName: David H Hawes
departmentNumber: 066103
authId: dhawes
mailStop: 0479
postalAddress: SETI-Middleware$1700 Pratt Dr.$Blacksburg, VA 24061
title: Application Developer
instantMessagingID: Google:dhawes@vt.edu
instantMessagingID: Virginia Tech:dhawes@im.vt.edu
suppressDisplay: FALSE
telephoneNumber: 5402313862
passwordState: ACTIVE
labeledURI: Homepage:https://www.middleware.vt.edu/doku.php?id=middleware:dhaw
 es
mail: dhawes@vt.edu
suppressedAttribute: localPostalAddress
department: Middleware & Identity Apps

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Suppression Rules

Some data can be suppressed in ED-Lite depending on a user’s affiliations and preferences. The rules are listed below.

Affiliations

The following affiliations roll up to the VT-ACTIVE-MEMBER affiliation, on which overall suppression is based:

  • VT-EMPLOYEE-PREHIRE
  • VT-EMPLOYEE-NON-STATE
  • VT-EMPLOYEE-TEMPORARY
  • VT-EMPLOYEE-VOLUNTEER
  • VT-EMPLOYEE-STATE
  • VT-EMPLOYEE-WAGE
  • VT-STUDENT-ENROLLED
  • VT-STAFF
  • VT-FACULTY
  • VT-EMPLOYEE

The following affiliations do not roll up to the VT-ACTIVE-MEMBER affiliation:

  • VT-EMPLOYEE-FORMER
  • VT-EMPLOYEE-LEAVE
  • VT-EMPLOYEE-RETIREE
  • VT-STUDENT-WAGE
  • VT-STUDENT-FUTURE
  • VT-STUDENT-RECENT
  • All Alumni affiliations
  • All VCOM affiliations

Rules

The following rules for displaying information in ED-Lite are evaluated in order, and evaluation stops at the first rule that applies. That is, if rule 1 is met, the information is displayed for that individual and rule checking stops; you only go to rule 2 if rule 1 doesn’t apply.

  1. If any of the affiliations present is VT-EMPLOYEE-STATE, then display the Employee attributes taking into account the suppressedAttribute attribute for addresses and phones.
  2. If at this point, any affiliation present is VT-EMPLOYEE-PREHIRE, then do not display any information about this person.
  3. If at this point, any affiliation present is VT-STUDENT-ENROLLED or VT-STUDENT-FUTURE and the Confidential flag is NO, then display the Student-Not Confidential attributes taking into account the suppressedAttribute attribute for addresses and phones.
  4. If at this point, any affiliation present is VT-STUDENT-ENROLLED or VT-STUDENT-FUTURE and the Confidential flag is YES, then do not display any information about this person.
  5. If at this point, any affiliation present is VT-EMPLOYEE-WAGE or VT-EMPLOYEE-NON-STATE, then display the Others attributes.
  6. If at this point, any affiliation present is VT-STUDENT-RECENT and the Confidential flag is NO, then display the Student-Not Confidential attributes taking into account the suppressedAttribute attribute for addresses and phones.
  7. If at this point, any affiliation present is VT-STUDENT-RECENT and the Confidential flag is YES, then do not display any information about this person.
  8. At this point, display the Others attributes.

Suppression Matrix

Attribute                                  | Employee | Student (Not Confidential) | Others
-------------------------------------------|----------|----------------------------|-------
Common Name                                | OK       | OK                         | OK
Home department for an employee            | OK       | X                          | OK
Display Name                               | OK       | OK                         | OK
First Name                                 | OK       | OK                         | OK
Instant messaging Ids                      | *        | *                          | *
Webpage(s) associated with person          | *        | *                          | *
Local phone (MA or DM in Banner)           | OK       | OK                         | X
Local postal address (MA or DM in Banner)  | OK       | OK                         | X
Preferred email address                    | OK       | OK                         | OK
Mail code for employees                    | OK       | X                          | OK
Major                                      | X        | OK                         | X
Middle name                                | OK       | OK                         | OK
Last name                                  | OK       | OK                         | OK
Postal Address (OF in Banner)              | OK       | X                          | OK
Office phone number (OF in Banner)         | OK       | X                          | OK
Working title                              | OK       | X                          | OK
UID                                        | OK       | OK                         | OK
PID                                        | OK       | OK                         | OK

* indicates that individual users choose in MY VT whether or not they want to make this information available via ED-Lite.
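The rule chain and the matrix above, worked through in Python as an added example (this is not ED-LDAP's own code). Attribute names are taken from the ldapsearch output earlier on the page; `localPhone` and `major` are assumed names for the "Local phone" and "Major" rows, which the page does not show as LDAP attributes.

```python
# Added example, not ED-LDAP's own code: evaluate the ED-Lite suppression rules
# for one person. Attribute names follow the ldapsearch output on this page;
# 'localPhone' and 'major' are ASSUMED names for the 'Local phone' and 'Major' rows.

# One set per matrix column: every row marked OK for that column.
EMPLOYEE = {"cn", "department", "displayName", "givenName", "localPhone",
            "localPostalAddress", "mail", "mailStop", "middleName", "sn",
            "postalAddress", "telephoneNumber", "title", "uid", "uupid"}
STUDENT = {"cn", "displayName", "givenName", "localPhone", "localPostalAddress",
           "mail", "major", "middleName", "sn", "uid", "uupid"}
OTHERS = {"cn", "department", "displayName", "givenName", "mail", "mailStop",
          "middleName", "sn", "postalAddress", "telephoneNumber", "title",
          "uid", "uupid"}
OPT_IN = {"instantMessagingID", "labeledURI"}  # '*' rows: released only if the user opted in via MY VT
ADDRESS_PHONE = {"localPhone", "localPostalAddress", "postalAddress", "telephoneNumber"}  # suppressedAttribute rows
STUDENT_AFFS = {"VT-STUDENT-ENROLLED", "VT-STUDENT-FUTURE"}


def ed_lite_view(affiliations, confidential=False, suppressed=(), opted_in=()):
    """Attributes ED-Lite releases for this person; an empty set means the entry is hidden.
    Rules are tried in order and the first match decides; rules 1, 3 and 6 also honour suppressedAttribute."""
    affs = set(affiliations)
    honour_suppressed = True
    if "VT-EMPLOYEE-STATE" in affs:                              # rule 1
        base = EMPLOYEE
    elif "VT-EMPLOYEE-PREHIRE" in affs:                          # rule 2
        return set()
    elif affs & STUDENT_AFFS:                                    # rules 3 and 4
        if confidential:
            return set()
        base = STUDENT
    elif affs & {"VT-EMPLOYEE-WAGE", "VT-EMPLOYEE-NON-STATE"}:   # rule 5
        base, honour_suppressed = OTHERS, False
    elif "VT-STUDENT-RECENT" in affs:                            # rules 6 and 7
        if confidential:
            return set()
        base = STUDENT
    else:                                                        # rule 8
        base, honour_suppressed = OTHERS, False
    view = base | (OPT_IN & set(opted_in))
    if honour_suppressed:
        view -= ADDRESS_PHONE & set(suppressed)
    return view


# The entry from the ED-Lite ldapsearch example above: a state employee who
# suppressed localPostalAddress and opted in to both '*' rows.
DHAWES = ed_lite_view(["VT-EMPLOYEE-STATE"], suppressed=["localPostalAddress"],
                      opted_in=["instantMessagingID", "labeledURI"])
```

Note that a confidential student who is also a state employee is still fully visible, because rule 1 matches first and evaluation stops there.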

ED-Auth

Binding to ED-LDAP with a simple bind using TLS is commonly referred to as ED-Auth.

ED-Auth is used primarily to authenticate users by PID and password. It can also be used for authorization using VT affiliations and ED group membership.

Binding to ED-Auth is typically done by searching for the PID, called uupid in ED-LDAP, and then binding with the returned DN and user supplied password.

As a bound user, applications can check affiliations or group membership for authorization.

ED-Auth is available at:

  • ldap://authn.directory.vt.edu
  • ldaps://authn.directory.vt.edu

Example

$ ldapsearch -h authn.directory.vt.edu -Z -x -b ou=People,dc=vt,dc=edu uupid=dhawes 1.1
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vt,dc=edu> with scope subtree
# filter: uupid=dhawes
# requesting: 1.1 
#

# 1152120, People, vt.edu
dn: uid=1152120,ou=People,dc=vt,dc=edu

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapsearch -h authn.directory.vt.edu -Z -x -b ou=People,dc=vt,dc=edu -D uid=1152120,ou=People,dc=vt,dc=edu -W uupid=dhawes 1.1
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vt,dc=edu> with scope subtree
# filter: uupid=dhawes
# requesting: 1.1 
#

# 1152120, People, vt.edu
dn: uid=1152120,ou=People,dc=vt,dc=edu

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapcompare -h authn.directory.vt.edu -Z -x -D uid=1152120,ou=People,dc=vt,dc=edu -W uid=1152120,ou=People,dc=vt,dc=edu virginiaTechAffiliation:VT-ACTIVE-MEMBER
Enter LDAP Password: 
TRUE

Confidentiality Required

You must use TLS when using ED-Auth. Failure to do so will result in LDAP error 13, confidentiality required.

Always use TLS.

ED-Auth IP Restrictions

ED-Auth will only authenticate users for clients that are in specified ranges of IP addresses or that use TLS client authentication with a valid ED Service certificate.

Allowed IP Addresses

IP (CIDR)          | Netmask                                 | Start IP                                | End IP
-------------------|-----------------------------------------|-----------------------------------------|----------------------------------------
198.82.0.0/16      | 255.255.0.0                             | 198.82.0.0                              | 198.82.255.255
128.173.0.0/16     | 255.255.0.0                             | 128.173.0.0                             | 128.173.255.255
38.68.224.0/20     | 255.255.240.0                           | 38.68.224.0                             | 38.68.239.255
38.68.240.0/24     | 255.255.255.0                           | 38.68.240.0                             | 38.68.240.255
38.68.241.0/24     | 255.255.255.0                           | 38.68.241.0                             | 38.68.241.255
38.68.251.0/24     | 255.255.255.0                           | 38.68.251.0                             | 38.68.251.255
38.68.252.0/24     | 255.255.255.0                           | 38.68.252.0                             | 38.68.252.255
38.68.254.0/24     | 255.255.255.0                           | 38.68.254.0                             | 38.68.254.255
172.16.0.0/12      | 255.240.0.0                             | 172.16.0.0                              | 172.31.255.255
2001:468:c80::/48  | FFFF:FFFF:FFFF:0000:0000:0000:0000:0000 | 2001:0468:0C80:0000:0000:0000:0000:0000 | 2001:0468:0C80:FFFF:FFFF:FFFF:FFFF:FFFF
2607:b400::/40     | FFFF:FFFF:FF00:0000:0000:0000:0000:0000 | 2607:B400:0000:0000:0000:0000:0000:0000 | 2607:B400:00FF:FFFF:FFFF:FFFF:FFFF:FFFF
2607:b400:800::/48 | FFFF:FFFF:FFFF:0000:0000:0000:0000:0000 | 2607:B400:0800:0000:0000:0000:0000:0000 | 2607:B400:0800:FFFF:FFFF:FFFF:FFFF:FFFF
2002:80ad::/32     | FFFF:FFFF:0000:0000:0000:0000:0000:0000 | 2002:80AD:0000:0000:0000:0000:0000:0000 | 2002:80AD:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
2002:c652::/32     | FFFF:FFFF:0000:0000:0000:0000:0000:0000 | 2002:C652:0000:0000:0000:0000:0000:0000 | 2002:C652:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

TLS Client Auth

In addition to the list of allowed IP addresses, clients that perform TLS client authentication with a certificate for an active ED Service will also be allowed to authenticate users.

Client Errors

Clients that are not in the allowed IP ranges and do not perform TLS client auth with an active ED Service will see LDAP error 49, invalid credentials. If you encounter this error and the user can log in to other VT services (e.g. https://auth.vt.edu), check that your client IP is in the allowed range (or that your ED service is active and you are doing TLS client auth).
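A small check for the error-49 case above, added here as an example rather than anything shipped with ED-LDAP: it tests a client address against the Allowed IP Addresses table, re-derives the table's Netmask/Start/End columns from each CIDR so a row can be sanity-checked, and shows that the two 2002::/16 rows are the 6to4 (RFC 3056) images of the 128.173.0.0/16 and 198.82.0.0/16 rows.

```python
# Added example (not part of ED-LDAP): check a client address against the
# Allowed IP Addresses table above when ED-Auth answers LDAP error 49.
import ipaddress

# The CIDR column of the table, in table order.
ALLOWED_CIDRS = (
    "198.82.0.0/16", "128.173.0.0/16", "38.68.224.0/20", "38.68.240.0/24",
    "38.68.241.0/24", "38.68.251.0/24", "38.68.252.0/24", "38.68.254.0/24",
    "172.16.0.0/12", "2001:468:c80::/48", "2607:b400::/40",
    "2607:b400:800::/48", "2002:80ad::/32", "2002:c652::/32",
)
ALLOWED = [ipaddress.ip_network(c) for c in ALLOWED_CIDRS]


def allowed_range(client_ip):
    """Return the table CIDR that contains client_ip, or None when no range matches
    (the client then needs TLS client auth with an active ED Service instead)."""
    addr = ipaddress.ip_address(client_ip)
    for net in ALLOWED:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def table_row(cidr):
    """Derive the Netmask, Start IP and End IP columns from a CIDR in the table's
    notation (IPv6 fully expanded, upper case), e.g. to verify a row by hand."""
    net = ipaddress.ip_network(cidr)
    return (net.netmask.exploded.upper(),
            net.network_address.exploded.upper(),
            net.broadcast_address.exploded.upper())


def embedded_ipv4(v6):
    """For a 2002::/16 (6to4, RFC 3056) address, the IPv4 address it embeds;
    None for any other IPv6 address."""
    v4 = ipaddress.ip_address(v6).sixtofour
    return str(v4) if v4 is not None else None
```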

UUPID Suppression

Users are able to suppress their uupid attribute in ED-Auth, which can cause issues if an application expects the attribute to always be available.

To allow the lookup of a single uupid but prevent the enumeration of them all, exact searches will always return the uupid. Wildcard searches will never return the uupid.

Suppose you are looking for pid1234. The filter:

uupid=pid1234

will return the entry with the uupid attribute since it is an exact search.

If you use the filter with a wildcard:

uupid=pid1234*

the entry will be returned, but will not contain the uupid attribute.

ED-ID

Binding to ED-LDAP with a SASL EXTERNAL bind results in the view we refer to as ED-ID.

ED-ID is used to look up information about users that is typically not public.

This information can be used by applications for:

  1. Making business decisions
  2. Showing additional data about people
  3. Authorizing users

Access to ED-ID requires an ED service, which is associated with a certificate issued by the VT Middleware CA. The ED service certificate is used to perform TLS client authentication to ED-LDAP, which then allows us to bind using SASL EXTERNAL.

Entries in ED-ID include:

  1. People
  2. Addresses
  3. Groups
  4. Entitlements
  5. Organizations

The attributes available for view by ED services must be approved during the registration process. In this way, specialized views can be created for each ED service.


ED-ID is available at:

  • ldap://id.directory.vt.edu
  • ldaps://id.directory.vt.edu

Example

# Both commands bind with SASL EXTERNAL over TLS, so the OpenLDAP client needs the
# ED service certificate and key configured (TLS_CERT / TLS_KEY in ldap.conf or ~/.ldaprc).
# search by uupid
ldapsearch -h id.directory.vt.edu -Z -Y EXTERNAL -b ou=People,dc=vt,dc=edu uupid=vtpid
# view your ED service
ldapsearch -h id.directory.vt.edu -Z -Y EXTERNAL -b ou=Services,dc=vt,dc=edu uusid=*

Types of Entries

ED-LDAP contains the following types of entries:
