
LDAP Attributes used at the University of Chicago

This article explains the use of LDAP attributes at the University of Chicago.

LDAP is probably the most important service provisioned during the account claims process. Data from LDAP is used to control everything from access to the wireless network and library databases to logging into departmental-level services. This document explains which attributes in LDAP are populated at CNet claiming time and how our services use those attributes. LDAP attributes are updated both at CNet claiming time and at 10:00 a.m. Monday through Friday based on data in the MCDB.

Common Attributes

The 'Common Attributes' are attributes which are always present on any user object in LDAP.

| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| DN | Distinguished Name: the unique identifier of the person in LDAP | uid=davel,ou=people,dc=uchicago,dc=edu | Identifies a record |
| objectClass | This multi-valued attribute defines which 'classes' an account object belongs to, and therefore which attributes an entry is allowed to have | top, person, organizationalPerson, inetOrgPerson, eduPerson, ucPerson, ucObject | Some clients use it to see whether an entry is a person or a non-person object. Since we only have people objects, it is better to look for other, more specific attributes |
| givenName | The person's first name | David | Useful if you need a person's official first name |
| ucMiddleName | The person's middle name | Benjamin | Useful if you need a person's official middle name |
| sn | The person's last name | Langenberg | Useful if you need a person's official last name |
| cn | The person's full name | David Benjamin Langenberg | Useful if you need a person's official full name |
| displayName | The person's preferred way of showing their name | Dave Langenberg | Set by the user or a directory reviewer; this is what you should use when displaying the user's information to a human |
| eduPersonNickname | The person's preferred first name | Dave | Set by the user or a directory reviewer. Students set this in my.uchicago.edu; staff and faculty set it in directory.uchicago.edu |
| chicagoID | The person's Chicago ID | 80246515R | Useful for looking up individuals by ChicagoID to get the CNetID or other information and tie the individual back to your local database |
| uid | The person's CNetID | davel | Useful for looking up users by CNetID |
| ou | A combination of what a person is studying, where they work, and what their appointment is | Pediatrics | Can be used for authorization or for informational purposes |
| eduPersonAffiliation (see Using LDAP Affiliations for Authorization) | This multi-valued attribute contains all current affiliations a person has with the university | alum, student, former_student, lab_student, lab_school, new student, graham_student, postdoc, staff, faculty, academic, affiliate, emeritus, temporary, hospital, medical_associate | This attribute is used to control access to things like library resources, wireless networking, etc. |
| eduPersonPrimaryAffiliation | Single-valued: a person's primary affiliation, chosen according to a pre-arranged hierarchy (see Attribute Uses) | staff | This should ONLY be used for display purposes. The value is assigned solely from a pre-arranged hierarchy of affiliation values and does NOT reflect the true primary affiliation of an individual |

Attributes Related to Email Routing

The following attributes are related to routing a person's email throughout the @uchicago.edu email system. Please note that the email routing system is complex and the data here is for informational purposes only. IT Services reserves the right to modify how it uses these attributes, and what data is stored in them, at any time without warning. Most of these attributes are private and not viewable by the public. They are only applied to people who claim via cnet.uchicago.edu.

| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| mail | The person's email address | davel@uchicago.edu | Used by client applications to display the main email address. Used by Mirapoint to translate an email addressed to a person's alias to that person's real mail address |
| mailLocalAddress | Multi-valued: all routable mail addresses for a person | davel@uchicago.edu, davel@midway.uchicago.edu, david@uchicago.edu | This attribute holds all the "aliases" for a person |
| mailRoutingAddress | Where a person's mail should be delivered | davel@gmail.com | |
| mailHost | Which mailstore the person's cMail was stored on | m4500-00.uchicago.edu | DEPRECATED: used by Mirapoint to determine where a person's mail should be held. It is the next hop for a person's mail after the mail leaves the individual's miQuarantineHost. The exception is a mailing list object, whose value will be either listhost.uchicago.edu or lists.uchicago.edu |
| miQuarantineHost | Which junkmail host a person's mail is on | mailgateway.uchicago.edu | DEPRECATED: used by Mirapoint to determine where to route someone's junkmail, and which quarantine the user is on |

Attributes Related to Unix Login Services

The following attributes are used by Unix machines to authenticate users. They are only applied to CNetID holders who claim via cnet.uchicago.edu.

| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| gecos | The person's full name | David Benjamin Langenberg | The person's full name as shown on the Unix workstation |
| uidNumber | The person's user ID number | 15298 | The UID which should be applied to any files created by the user |
| gidNumber | The person's group ID number | 15298 | The default group ID which should be applied to any files created by the user |
| loginShell | The person's shell | /opt/bin/tcsh (the default) | The shell which should be spawned when the user logs in |
| homeDirectory | Where the person's home directory lives | /nfs/harper/hc0/davel | Where the person's home directory resides |

Attributes Related to Job and Study

The following attributes are related to a person's job and/or field of study. The ou attribute listed above holds the concatenation of these attributes, except for ucStudentId and ucExecLevel. They are applied and updated daily at 10:00 a.m.

| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| ucDepartment | The department in which a staff member works or is paid by (presently out of date) | Voice & Data Networking | Can be used for authorization |
| ucExecLevel | The account executive level from which a staff member is paid (presently out of date) | Information Technology Services | Authorization at the "division" level. Also useful for report generation |
| ucAppointment | A person's academic appointment(s), if they have one or more. The format is Title$Department; clients should translate the $ as a new line (presently out of date) | Professor$Sociology, Senior Research Associate$Computation Institute | Can be used for authorization |
| title | Displayed by LDAP clients. It used to be user-settable for staff but is now only maintained for faculty. It has the same value as ucAppointment (presently out of date) | Professor$Sociology, Senior Research Associate$Computation Institute | Should only be used for display purposes |
| ucCurriculum | The program of study for a student. Undergraduates always have "College:" prepended to their program of study | College: Common Year | Can be used for authorization |
| ucStudentId | The person's student ID number | 10123456 | Useful for tying students into your local database |

Attributes Related to Phone and Addresses

These are all the attributes which have been used to store phone and address data. The data for students is synced daily with the MCDB at 10:00 a.m.

WARNING: Please pay special attention to attributes in this area. Some are not being actively maintained. If your application needs data that these fields would contain please write to idm@uchicago.edu for information on other ways of receiving the necessary data.

| Attribute Name | Example | Is data current | Attribute Uses |
|---|---|---|---|
| homePostalAddress | 123 Any St$Chicago IL$60637 | Yes, for students only | Where the student lives |
| homePhone | +1 773 702 1234 | Yes, for students only | How to reach the student |
| telephoneNumber | +1 773 702 1234 | Yes, for staff only | What to display for a person's main number(s) |
| postalAddress | 123 Any St$Chicago IL$60637 | No | Where you should send correspondence by post |
| mobile | +1 773 702 1234 | No | If you are trying to call a person's cell phone |
| ucOfficeTelephoneNumber | +1 773 702 1234 | No | A person's office line |
| ucOfficePostalAddress | 123 Any St$Chicago IL$60637 | No | Where to send office correspondence |
| facsimileTelephoneNumber | +1 773 702 1234 | No | Where to send faxes to the person |

Miscellaneous Attributes

These attributes are used mostly for authorization or metadata purposes by IdM and IT Services. Most are private, though if you can make a strong enough case to read them, IdM can give you a special 'Agent DN' to use in your application.

| Attribute Name | Attribute Definition | Example | Attribute Uses |
|---|---|---|---|
| ucPriv | Multi-valued strings | nsit.closure, nsit.network.nowireless, nsit.directory.ferpa | This attribute holds various flags for services, mainly deny or allow flags. It is used in the closure process for the day 10 lockout, and also to lock people out of individual services to which they may otherwise be entitled |
| ucIsMemberOf | Multi-valued strings | uc:applications:confluence:ITS:Everyone | This attribute is populated by Grouper, is public, and can be used by applications to see whether a person belongs to certain groups, thus granting access to resources |
| ucReasonLocked | Single-valued: why a particular flag in ucPriv is set | due to closure | This attribute is not very well maintained, but it can provide clues as to why certain values are set in ucPriv |
| ucRevisions | Multi-valued history of changes on the user's entry | 20070209193735Z: (AMSXML) cn=manager,dc=uchicago,dc=edu - Changed name from David Bb Langenberg | Used mainly by LDAP administrators to determine when changes occurred. It is updated mainly by IdM programs and occasionally gets missed during updates by hand |
| ucAlternateUID | Single-valued: old method for mail aliases | david | This is how old ph aliases are stored in LDAP, and how IT Services used to store mail aliases before we moved to everybody getting 6 aliases. This attribute is no longer maintained |
| ucUseKerberos | Single-valued entry, generally with a 1 if present | 1 | Used by the LDAP server to determine whether it needs to pass BIND requests for the user to UCHAD |
| ucUserPasswordModifyTimestamp | A date string in GMT; the format is YYYYMMDDHHMMSS with a trailing Z, as in the example | 20080227173458Z | When the user's password was last changed |
| ucBirthDate | String form of the individual's birthdate. The format is YYYYMMDD | 19690101 | Finding out the individual's birthdate |
| userPassword | Salted SHA-1 hash stored as a base64 string | NOT PROVIDED | IdM will not allow anybody to read this attribute. It is only listed here for completeness. If you need to check a person's password you MUST attempt a BIND operation as that user |
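As an added example (written for this page, not code from the article or from IT Services), here is how an application might interpret an entry using the attributes described above: authorizing from eduPersonAffiliation, ucIsMemberOf and ucPriv (Common and Miscellaneous Attributes), expanding the "$" line-break convention of ucAppointment and the postal address attributes (Job and Study), and reading ucUserPasswordModifyTimestamp. The sample entry is constructed from the tables' example values; the set of affiliations that qualify for wireless, and treating nsit.closure as a deny flag, are assumptions.

```python
from datetime import datetime, timezone
# Constructed sample entry modelled on the example values in the tables above;
# values are lists of strings, the shape python-ldap and ldap3 both return.
ENTRY = {
    "uid": ["davel"],
    "eduPersonAffiliation": ["staff", "alum"],
    "eduPersonPrimaryAffiliation": ["staff"],
    "ucIsMemberOf": ["uc:applications:confluence:ITS:Everyone"],
    "ucPriv": ["nsit.network.nowireless"],
    "ucAppointment": ["Professor$Sociology"],
    "ucUserPasswordModifyTimestamp": ["20080227173458Z"],
}

# nsit.network.nowireless is the deny flag the article lists; treating
# nsit.closure (the day 10 lockout) as a deny is an assumption made here,
# as is the set of affiliations that qualify for wireless.
WIRELESS_DENY_FLAGS = {"nsit.network.nowireless", "nsit.closure"}
WIRELESS_AFFILIATIONS = {"student", "staff", "faculty", "academic", "postdoc"}

def values(entry, attr):
    """All values of an attribute; a missing attribute yields an empty list."""
    return list(entry.get(attr, []))

def dollar_to_lines(value):
    """ucAppointment and the postal attributes use '$' as a line break."""
    return value.split("$")

def allow_wireless(entry):
    """Decide from the multi-valued eduPersonAffiliation, never from the
    display-only eduPersonPrimaryAffiliation; a ucPriv deny flag then wins
    even when an affiliation would otherwise grant access."""
    if not set(values(entry, "eduPersonAffiliation")) & WIRELESS_AFFILIATIONS:
        return False
    return not (set(values(entry, "ucPriv")) & WIRELESS_DENY_FLAGS)

def in_group(entry, group):
    """Grouper membership, as published in the public ucIsMemberOf attribute."""
    return group in values(entry, "ucIsMemberOf")

def password_age_days(entry, now_stamp):
    """Days since the last password change. Both stamps use the GMT
    YYYYMMDDHHMMSSZ form of ucUserPasswordModifyTimestamp; None if absent."""
    stamps = values(entry, "ucUserPasswordModifyTimestamp")
    if not stamps:
        return None
    fmt = "%Y%m%d%H%M%SZ"
    changed = datetime.strptime(stamps[0], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_stamp, fmt).replace(tzinfo=timezone.utc)
    return (now - changed).days
```

Note that the entry is authorized for wireless by affiliation but denied by the nsit.network.nowireless flag, which is why the deny check comes last and overrides.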




Keywords: authentication authorization cnet cnetid
Doc ID: 16178
Owner: Dave L.
Group: University of Chicago
Created: 2010-12-08 19:00 CDT
Updated: 2016-11-21 08:24 CDT
Sites: University of Chicago, University of Chicago - Sandbox