LDAP (Lightweight Directory Access Protocol)

Private LDAP Information for UVA Developers

LDAP/Active Directory Attribute Changes (June 25, 2018)

As part of the rollout of the new Identity & Access Management System at UVA, some public and private LDAP and Eservices Active Directory (AD) changes will go into effect on Monday, June 25, 2018.

Requesting Access

In order to access the Private LDAP Directory information for use in applications and software at UVA, developers must:

  1. Download and complete the LDAP Access Form.
  2. Return the completed form via Messenger Mail to: Director, ITS-Infrastructure Support Services and Administration, P.O. Box 400324.
  3. If LDAP access is approved for your application, you will be emailed with information regarding the bind account and password you should use in your application.

Questions about this process may be addressed to ldapaccess@virginia.edu.

Connecting to the Private LDAP Server

To connect to the private LDAP server, you will need a bind account and password (which will be provided to you upon approval of your request for access). The following information will also be needed to connect to the server:

Description | Value
Name of Server | pitchfork.itc.virginia.edu
Insecure Port (non-encrypted) | 389
Secure Port (encrypted) | 636
Root LDAP Search Base | o=University of Virginia,c=US
People LDAP Search Base | ou=People,o=University of Virginia,c=US
Group LDAP Search Base | ou=Groups,o=University of Virginia,c=US

Secure Connections

While a secure, encrypted connection is not enforced at this time, it is highly recommended. At some point in the future this may become a requirement and, in general, it is a good idea to use an encrypted connection to provide additional protection for the bind password and the data that is pulled from the directory.

Configuring a Secure Connection

Configuring an encrypted connection will vary depending on the programming language you are using, but in general instead of using ldap://pitchfork.itc.virginia.edu:389 you would use ldaps://pitchfork.itc.virginia.edu:636.

Obtaining the Necessary Certificates

You will also need to load the appropriate root certificate into the certificate store being used by your program or platform. The root certificate can be downloaded from the Comodo website at https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=10&nav=0,1.
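The connection described in the sections above, as an added example that is not ITS's own code: it only ever builds the ldaps:// form of the server address, validates the server certificate against the downloaded root, and escapes the looked-up computing ID before placing it in the search filter so that a caller-supplied value cannot widen or alter the query. The Python ldap3 package, the bind DN, the bind password and the CA file path are assumptions supplied by the caller.

```python
"""Query the UVA private LDAP server (pitchfork) for one person over LDAPS.

Added example, not ITS code. The network call assumes the Python ldap3
package; bind DN, password and CA file path are caller-supplied placeholders.
"""
import ssl

HOST = "pitchfork.itc.virginia.edu"
SECURE_PORT = 636
PEOPLE_BASE = "ou=People,o=University of Virginia,c=US"
# Attributes from the table on this page that an application typically reads.
ATTRS = ["uid", "displayName", "mail", "uvaPersonIAMAffiliation", "isMemberOf"]


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value for use inside a search filter (RFC 4515),
    so an ID such as 'x)(uid=*' cannot widen the search or add filter terms."""
    out = []
    for ch in value:
        if ch in "\\*()" or not 0x20 <= ord(ch) <= 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def person_filter(computing_id: str) -> str:
    """Filter matching exactly one computing ID under the People search base."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(computing_id)}))"


def ldap_uri(host: str = HOST, port: int = SECURE_PORT) -> str:
    """Only ever produce an ldaps:// URI: refuse the non-encrypted port 389 so the
    bind password and directory data never cross the network in the clear."""
    if port != SECURE_PORT:
        raise ValueError(f"refusing non-LDAPS port {port}; use {SECURE_PORT}")
    return f"ldaps://{host}:{port}"


def search_person(computing_id, bind_dn, bind_password, ca_file):
    """Bind over TLS, validating the server certificate against ca_file (the root
    certificate from the Certificates section), and return the matching entry's
    attributes as a dict, or None if there is no match. Requires ldap3."""
    import ldap3  # imported lazily so the helpers above run without it
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(HOST, port=SECURE_PORT, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    conn.search(PEOPLE_BASE, person_filter(computing_id), attributes=ATTRS)
    entry = conn.entries[0].entry_attributes_as_dict if conn.entries else None
    conn.unbind()
    return entry
```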

Attributes

Please note: As part of the rollout of the new Identity & Access Management System at UVA, some private LDAP changes will go into effect on Monday, June 25, 2018. In the list of attributes below, these will be marked as "Modified", "Deprecated", or "New". Also, please see the Additional Attribute Notes below.

The list of attributes available on the private LDAP servers includes:

If there is an asterisk (*) before an attribute name, please see the Additional Attribute Notes below; the asterisk is not part of the attribute name. Value Type: m = multi-valued, s = single-valued. Status shows the June 25, 2018 change (New, Modified, Deprecated) where one applies.

Name | Status | Description | Value Type | Access | Reference | Steward
uvaPersonIAMAffiliation | New 6/25/2018 | Official IAM Role(s) held by user | m | y | uvaPerson |
* cn | Modified 6/25/2018 | Full name of the person | m | y | inetOrgPerson (RFC 2798) |
* displayName | Modified 6/25/2018 | Name to display to users | s | y | inetOrgPerson (RFC 2798) |
* sn | Modified 6/25/2018 | Last Name | s | y | inetOrgPerson (RFC 2798) |
* givenName | Modified 6/25/2018 | First Name | s | y | inetOrgPerson (RFC 2798) |
* initials | Modified 6/25/2018 | Initials | s | y | inetOrgPerson (RFC 2798) |
title | | Working Title | m | | inetOrgPerson (RFC 2798) |
uid | | UVA Computing ID | s | y | inetOrgPerson (RFC 2798) |
mail | | Registered email address | s | y | inetOrgPerson (RFC 2798) |
homePhone | Deprecated 6/25/2018 | Home phone number | | | inetOrgPerson (RFC 2798) |
telephoneNumber | | Office number as received from the HR source system(s) | m | y | inetOrgPerson (RFC 2798) |
facsimileTelephoneNumber | | Fax number as received from the HR source system(s) | m | y | inetOrgPerson (RFC 2798) |
labeledURI | Deprecated 6/25/2018 | Home Page | s | y | inetOrgPerson (RFC 2798) |
* description | | A form of affiliation (Legacy Attribute) | m | y | inetOrgPerson (RFC 2798) |
jpegPhoto | Deprecated 6/25/2018 | A photo provided by the individual | s | y | inetOrgPerson (RFC 2798) |
uidNumber | | UNIX UID | s | y | posixAccount (RFC 2307) |
gidNumber | | UNIX GID | s | y | posixAccount (RFC 2307) |
gecos | | UNIX Name | s | | posixAccount (RFC 2307) |
homeDirectory | | UNIX Home Directory | s | y | posixAccount (RFC 2307) |
loginShell | | UNIX Shell | s | y | posixAccount (RFC 2307) |
mailAlternateAddress | | Email aliases | m | y | mailRecipient |
preferredEmailAddress | | Email address | s | y | |
mailForwardingAddress | | Mail delivery address | m | y | |
CVPN3000-Access-Hours | | VPN controls | | r | Cisco proprietary |
cVPN3000-IPSec-Split-Tunneling-Policy | | Full or partial tunnel | s | r | Cisco proprietary |
isMemberOf | | My Group Membership | m | y | eduMember |
* uvaPersonUpdateTimestamp | | When we last saw an update from a system of record for this individual | m | y | uvaPerson |
uvaUniversityIDPhoto | | ID Card Photo | s | r | uvaPerson | BusinessOps
uvaUniversityIDPhotoThumb | | ID Card Photo thumbnail | s | r | uvaPerson | BusinessOps
uvaUniversityIDPhotoHash | | Used for processing | s | r | uvaPerson | BusinessOps
uvaLastCompQuiz | Deprecated 6/25/2018 | Last successful completion of the Security Awareness Training (Responsible Computing Quiz) | s | y | uvaPerson |
uvaRequiredTrainingCompleted | | Last successful completion of the Information Security Awareness Training (Responsible Computing Quiz) | m | y | uvaPerson |
uvaPayrollDepartment | | Department - payroll view | s | y | uvaPerson |
* uvaPayrollClassification | | Classification - payroll view | s | y | uvaPerson |
* uvaPayrollLastUpdate | | Last Oracle update | s | | uvaPerson |
* uvaRegistrarLastUpdate | | Last registrar update | s | | uvaPerson |
uvaRegistrarSchool | | School of the student | s | y | uvaPerson |
uvaDisplayDepartment | | Your department name | ? | y | uvaPerson |
uvaDisplayName | Modified 6/25/2018 | A full name string | s | | uvaPerson |
uvaAccounts | | Select accounts held by the individual | m | y | uvaPerson |
msnInstMessHandle | Deprecated 6/25/2018 | MSN IM Handle | s | | uvaPerson |
aolInstMessHandle | Deprecated 6/25/2018 | AIM IM Handle | s | | uvaPerson |
uvaDeliverableAddress | | All deliverable addresses a user has configured in AMS | m | y | uvaPerson |
uvaEmailAddresses | | All deliverable addresses and aliases a user has configured in AMS | m | y | uvaPerson |
uvaIkeyNumber | | Number of ikey (1 for first, 2 for second, etc.) | s | | uvaPerson |
uvaIsModeratorOf | | Sympa mailing lists this user moderates | m | y | uvaPerson |
uvaIsOwnerOf | | Groups this user owns/administers | m | y | uvaPerson |
uvaJvpnIkeyEnabled | | Is the person's ikey enabled for use on JointVPN | s | | uvaPerson |
uvaJvpnIpsecSplitTunnelingPolicy | | Indicates full or split tunnel for JointVPN users | s | | uvaPerson |
uvaUserDBFlag | Deprecated 6/25/2018 | Internal flags - e.g., no account | m | | uvaPerson |
uvaOracleDeptName | | Oracle Dept Name | s | y | uvaPerson |
uvaOracleOrgCode | | Oracle ORG Code | s | y | uvaPerson |
uvaExpirationDate | | Date on which the account will expire | s | | uvaPerson |
uvaCleanupDate | | When accounts have been cleaned up | s | | uvaPerson |
uvaExpirationStatus | | Record expiration status | s | y | uvaPerson |
uvaMember | | Would ITS issue any account | s | y | uvaPerson |
uvaRegistrarClassification | | Registrar classification | s | | uvaPerson |
MSNwirelessAccess | | Jefferson WLAN access control | s | | uvaPerson |
unixuid | | Person's UNIX UID | s | y | uvaPerson |
wirelessAccess | | Cavalier WLAN access control | s | | uvaPerson |
uvRestrict | | Don't display information on this person | s | y | uvaPerson |
uvaPersonTODO | | Used by NetBadge for its reminder service | m | | uvaPerson |
* eduPersonScopedAffiliation | Legacy Attribute | Relationship to university | m | y | eduPerson |
* eduPersonAffiliation | Legacy Attribute | Relationship to university | m | y | eduPerson |
* eduPersonPrimaryAffiliation | Legacy Attribute | Primary relationship to University | s | y | eduPerson |
eduPersonOrgUnitDN | | Department ORG | s | y | eduPerson |
eduPersonPrincipalName | | computingID@virginia.edu | s | y | eduPerson |
eduPersonNickName | Deprecated 6/25/2018 | Nickname | s | y | eduPerson |
eduPersonOrgDN | | University of Virginia | s | y | eduPerson |
uvaEmplIDs | | EMPL IDs from various systems of record | m | y | uvaPerson |
uvaPersonSupervisorSysid | | Supervisor EMPL ID from various systems of record | m | y | uvaPerson |
uvaAccessList | | JointVPN access list | m | y | uvaPerson |
pager | | User's pager number as received from the HR source system | | | |
mobile | | Cellular or other type of mobile phone number as received from the HR source system | | | |
PostalAddress | Deprecated 6/25/2018 | Replaced with physicalDeliveryOfficeName | | | |
generationQualifier | Modified 6/25/2018 | A field containing just the user's name suffix (e.g. Jr.) | | | |
uvaPersonMFADeadline | | Future date by which Duo device registration must be completed | s | y | uvaPerson |
uvaPersonMFARequired | | Set if Duo account has been activated and at least one device is registered | s | y | uvaPerson |

Additional Attribute Notes (June 25, 2018)

Name

cn, displayName, sn, givenName, initials, generationQualifier

The user now has the ability to modify the First, Middle, Last, and Suffix name values in Identity & Access Management. If the user has modified these values, they will appear in the appropriate field in this directory. If the user has not modified these values, they are representative of the values as sent from the source system for that record.

eduPersonNickName

The values set in this field will no longer be maintained, and will not be managed by the user. Please use the appropriate name field as indicated above.

eduPersonPrimaryAffiliation, eduPersonScopedAffiliation

Legacy primary user affiliation (legacy university role trumping logic) will continue to be maintained temporarily, with a deprecation date to be announced to ITS, LSPs, owners of bind accounts, the Focus Group, the Steering Committee, and others at a future date. Please use uvaPersonIAMAffiliation instead.

Role Information

description, uvaPersonUpdateTimestamp, uvaPayrollClassification, uvaPayrollLastUpdate, uvaRegistrarLastUpdate, eduPersonScopedAffiliation, eduPersonAffiliation, eduPersonPrimaryAffiliation

While these fields will continue to be available, they may not represent the true multiple affiliations that someone may possess. For the most accurate role information, please use the uvaPersonIAMAffiliation attribute.

  Page Updated: Thursday 2018-06-07 17:19:11 EDT