
LDAP Attributes used at the University of Chicago

This article explains the use of LDAP attributes at the University of Chicago.

LDAP is probably the most important service provisioned during the account claims process. Data from LDAP is used to control everything from access to the wireless network and library databases to logging into departmental-level services. This document attempts to explain which attributes in LDAP are populated at CNet claiming time, as well as how our services use some of those attributes. LDAP attributes are updated both at CNet claiming time and at 10:00 a.m. Monday - Friday based on data in the MCDB.

Common Attributes

The 'Common Attributes' are attributes which are always present on any user object in LDAP.

Attribute Name

Attribute Definition


Attribute Uses


Distinguished Name - The unique identifier of the person in LDAP


Identifies a record


This multi-valued attribute defines which 'classes' an account object belongs to. It also defines which attributes an entry is allowed to have.

top, person, organizationalPerson, inetOrgPerson, eduPerson, ucPerson, ucObject

Generally used by some clients to see if the entry is either a person or a non-person object. Since we only have people objects, it's better to look for other specific attributes.


The person's first name


Useful if you need a person's official first name


The person's middle name


Useful if you need a person's official middle name


The person's last name


Useful if you need a person's official last name


The person's full name

David Benjamin Langenberg

Useful if you need a person's official full name

displayName

The person's preferred method of showing their name

Dave Langenberg

Set by the user or directory reviewer, this is what you should use when displaying the user's information to a human.


eduPersonNickname

The person's preferred first name

Dave

Set by user or directory reviewer. Students set this in Staff/Faculty set this in


The person's Chicago ID


Useful for looking up individuals by ChicagoID to get CNetID or other information and tie the individual back to your local database


The person's CNetID


Useful for looking up users by CNetID


A combination of what a person's studying, where they work, and what their appointment is


Can be used for authorization or just informational purposes

(see Using LDAP Affiliations for Authorization )

This multi-valued attribute will contain all current affiliations a person has with the university

alum, student, former_student, lab_student, lab_school, new student, graham_student, postdoc, staff, faculty, academic, affiliate, emeritus, temporary, hospital, medical_associate

This attribute is used to control access to things like library resources, wireless networking, etc.


Single-valued. What a person's primary affiliation is, based on a pre-arranged hierarchy (see Attribute Uses)


This should ONLY be used for display purposes. The assignment of this value is based solely on a pre-arranged hierarchy of affiliation values and does NOT reflect the true primary affiliation of an individual.

Attributes Related to Email Routing

The following attributes are related to routing a person's email throughout the email ( System. Please note that the email routing system is complex and the data here is for informational purposes only. IT Services reserves the right to modify how it uses and what data is stored in the attributes listed here at any time without warning. Most of these attributes are private and not viewable by the public. These attributes are only applied to folks who claim via

Attribute Name

Attribute Definition


Attribute Uses


The person's email address

Used by client applications to display the main email address. Used by mirapoint to translate an email addressed to a person's alias to that person's real mail address.


multi-valued - all routable mail addresses for a person,,

This attribute is what holds all the "aliases" for a person


where a person's mail should be delivered to


which mailstore the person's cMail was stored on

DEPRECATED: used by mirapoint to determine where a person's mail should be held. It's the next hop for a person's mail after the mail leaves the individual's miQuarantineHost. The exception is if the object is a mailing list in which case it will be either or


which junkmail host a person's mail is on

DEPRECATED: used by mirapoint to determine where to route someone's junkmail. Also which quarantine the user is on.

Attributes Related to Unix Login Services

The following attributes are used by Unix machines to authenticate users. They are only applied to CNetID holders who claim via

Attribute Name

Attribute Definition


Attribute Uses


The person's full name

David Benjamin Langenberg

What a person's full name is on the Unix workstation


The person's user id number


The UID which should be applied to any files created by the user


The person's group id number


The default Group ID which should be applied to any files created by the user


The person's shell

/opt/bin/tcsh (the default)

The shell which should spawn when the user logs in


Where the person's home directory lives


where the person's home directory resides

Attributes Related to Job and Study

The following attributes are related to a person's job and/or field of study. The OU attribute listed above holds the concatenation of these attributes except for ucStudentId and ucExecLevel. They are applied/updated daily at 10:00 a.m.

Attribute Name

Attribute Definition


Attribute Uses


The department in which a staff member works/is paid by. Presently Out Of Date.

Voice & Data Networking

can be used for authorization

ucExecLevel

The account executive level from which a staff member is paid. Presently Out Of Date.

Information Technology Services

authorization at the "division" level. Also useful for report generation.


A person's academic appointment (if they have one or more). Format is Title$Department. Clients should translate the $ to mean new-line. Presently Out Of Date.

Professor$Sociology, Senior Research Associate$Computation Institute

can be used for authorization


This is displayed by LDAP clients. It used to be user-settable for staff, but now is only maintained for Faculty. It's the same value as ucAppointment. Presently Out Of Date.

Professor$Sociology, Senior Research Associate$Computation Institute

should only be used for display purposes


The program of study for a student. Undergrads always have College: prepended to their program of study

College: Common Year

can be used for authorization


The person's student ID number


useful for tying students into your local database

Attributes Related to Phone and Addresses

These are all the attributes which have been used to store phone and address data. The data for students is sync'd daily with the MCDB at 10:00 AM.

WARNING: Please pay special attention to attributes in this area. Some are not being actively maintained. If your application needs data that these fields would contain please write to for information on other ways of receiving the necessary data.

Attribute Name


Is data current

Attribute Uses


123 Any St$Chicago IL$60637

Check icon for students only

Where the student lives


+1 773 702 1234

Check icon for students only

How to reach the student


+1 773 702 1234

Check icon for staff only

what to display for a person's main number(s).


123 Any St$Chicago IL$60637

Error icon

where you should send correspondence by post


+1 773 702 1234

Error icon

if you're trying to call a person's cell


+1 773 702 1234

Error icon

A person's office line


123 Any St$Chicago IL$60637

Error icon

where to send office correspondence


+1 773 702 1234

Error icon

Where to send faxes to the person

Miscellaneous Attributes

These attributes are used mostly for authorization or meta-data purposes by IdM and IT Services. Most are private, though if you can make a strong enough case to read them, IdM can give you a special 'Agent DN' to use in your application.

Attribute Name

Attribute Definition


Attribute Uses


Multi-valued strings


This attribute holds various flags for services, mainly deny or allow flags. Used in the closure process for the day 10 lockout. Also used to lock folks out of individual services which they may be otherwise entitled to.


Multi-valued strings


This attribute is populated by Grouper, is public, and can be used by applications to see if a person belongs to certain groups, thus granting access to resources


single-value why a particular flag in ucPriv is set

due to closure

This attribute is not very well maintained, but it can be used to provide clues for why certain values are set in ucPriv


multi-valued history of changes on the user's entry

20070209193735Z: (AMSXML) cn=manager,dc=uchicago,dc=edu - Changed name from David Bb Langenberg

Used mainly by LDAP Administrators to determine when some changes occurred. This is updated mainly by IdM programs and occasionally gets missed during updates by hand


single-valued old method for mail aliases


This is how old ph-aliases are stored in LDAP, as well as how IT Services used to store mail aliases before we moved to giving everybody 6 aliases. This attribute is no longer maintained.


single-valued entry generally with a 1 if present


This is used by the LDAP server to determine if it needs to pass BIND requests for the user to UCHAD.


String of a date in GMT. Format is YYYYMMDDHHMMSS


When the user's password was last changed

ucBirthDate

String form of the individual's birthdate. Format is YYYYMMDD

19690101

Finding out the individual's birthdate.


Salted SHA-1 hash stored as a base64-encoded string


IdM will not allow anybody to read this attribute. It's only listed here for completeness. If you need to check a person's password you MUST attempt a BIND operation as that user.
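As an added example (not code from IT Services), here is one way an application could turn the multi-valued affiliation attribute and the ucPriv deny flags described above into an access decision, while ignoring the display-only primary affiliation. The attribute names eduPersonAffiliation and eduPersonPrimaryAffiliation are assumed from the standard eduPerson schema; the flag string deny_wireless and the sample entries are constructed.

```python
# Added example. Affiliation attribute names are assumed from the standard
# eduPerson schema; the deny flag string and all entries are constructed.
AFFILIATION_ATTR = "eduPersonAffiliation"
PRIV_ATTR = "ucPriv"  # named on the page; its flag syntax is not documented there


def _values(entry, attr):
    """Return one attribute's values as a set of lower-cased strings.

    LDAP attribute names are case-insensitive, and client libraries differ:
    some return bytes, some str, some a bare value instead of a list.
    """
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            if isinstance(vals, (str, bytes)):
                vals = [vals]
            return {(v.decode("utf-8") if isinstance(v, bytes) else v).strip().lower()
                    for v in vals}
    return set()


def is_authorized(entry, allowed_affiliations, deny_flags=()):
    """Grant access only if a current affiliation is allowed and no deny flag is set.

    The single-valued primary affiliation is never consulted: the page says it
    is derived from a fixed hierarchy and is for display only.
    """
    affiliations = _values(entry, AFFILIATION_ATTR)
    if not affiliations:  # attribute absent or not readable: fail closed
        return False
    if _values(entry, PRIV_ATTR) & {f.lower() for f in deny_flags}:
        return False  # a service deny flag overrides any entitlement
    return bool(affiliations & {a.lower() for a in allowed_affiliations})


# Constructed entries, shaped like the attribute dict of an LDAP search result.
STAFF_AND_ALUM = {"eduPersonAffiliation": ["staff", "alum"],
                  "eduPersonPrimaryAffiliation": ["staff"]}
LOCKED_STUDENT = {"edupersonaffiliation": [b"student"], "ucPriv": [b"deny_wireless"]}
PRIMARY_ONLY = {"eduPersonPrimaryAffiliation": ["staff"]}

if __name__ == "__main__":
    for name, e in [("staff+alum", STAFF_AND_ALUM), ("locked", LOCKED_STUDENT),
                    ("primary-only", PRIMARY_ONLY)]:
        print(name, is_authorized(e, {"staff", "student"}, {"deny_wireless"}))
```

An entry that carries only the primary affiliation is refused, so a directory read that omits the multi-valued attribute cannot silently grant access.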

Keywords: authentication, authorization, cnet, cnetid
Doc ID: 16178
Owner: Dave L.
Group: University of Chicago
Created: 2010-12-08 19:00 CDT
Updated: 2017-05-22 09:41 CDT
Sites: University of Chicago, University of Chicago - Sandbox