Q. How can an LDAP bind get a list of the groups it has access to?

A. A search example: ldapsearch -H ldaps://ldap.berkeley.edu -x -D "uid=ist-as-wa-ezsvn,ou=applications,dc=berkeley,dc=edu" -W -s sub -b "ou=campus groups,dc=berkeley,dc=edu" "(&(objectclass=*)(cn=edu:berkeley:app:calmessages*))" "dn"


  1. How do I ask to see expired affiliates and inactive employees/faculty?  Do I just request access to OU=expired people?
  2. Do I request separate access for OU=guests?
  3. Are expired guest accounts put into OU=expired people as well?
  4. Are objects in OU=expired people eventually deleted?
  5. Are objects in OU=people immediately moved upon expiration/termination?
  6. Is berkeleyEduAffExpDate the correct attribute to query for expired affiliates?
  7. Is berkeleyEduEmpTerminationDate the correct attribute to query for retired or otherwise former staff and faculty?
  8. Are the Oracle views pulling all Person object schema attributes and do they contain inactive/expired/terminated people?
  9. With our current privileged bind I see that people in affiliated orgs do not have any email attribute, is that normal and/or a voluntary attribute?
  10. The Oracle views are missing first name and last name, but have displayName.  I see that in LDAP the same accounts have a givenName and cn, so is that normal?


  1. Yes.  Ask for access to ou=expired people and the fields there that you need.
  2. Yes.  ou=guests is a separate ou.  If you request access you'll get access to all fields.
  3. I believe the guest accounts that expire are simply deleted after a period of time.
  4. No.  We don't delete records for non-guests unless there is a duplicate record, even after they expire.
  5. No.  Each type of affiliation has an associated grace period which varies from nothing for Temp Agency Staff to 9 months for students.  The record will move to ou=expired people if all affiliations have passed the grace period.  Note that those that have an affiliation as an Advancement Constituent will be moved to ou=advcon.  These are primarily alumni.
  6. The berkeleyEduAffExpDate in the ou=people main record gets set when all affiliate affiliations are expired.  If you need to know when a particular affiliation is expired, you'll need to check the berkeleyEduAffExpDate for the sub records, which have an objectclass of berkeleyEduPersonAffiliate.  If you need this you'll need to request access to the affiliate sub record.
  7. We use the berkeleyEduEmpExpDate to determine the grace period.  The termination date reflects the date the employment ended.  The berkeleyEduEmpExpDate is the day we were informed the job ended if later than the termination date.  
  8. If you are referring to the CalDAP Oracle DB, yes they pull all of the records.  I don't believe that they retain the expired data.
  9. mail is a voluntary attribute which people can add using the Directory Update app screens.  The berkeleyEduOfficialEmail is also voluntary for employees and affiliates.  It is required for students but the requirement is not enforced.
  10. berkeleyEduFirstName and berkeleyEduLastName are only filled in if someone goes into the Directory Update app and selects a preferred name.  This will be the name reflected in the displayName.  If a person doesn't select a preferred name, the displayName is updated with the employee name, the student name, or the affiliate name, in that order of preference.
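The group search in the first answer and the expiration-date lookup in answer 6 both come down to building a search filter and reading back the DNs that ldapsearch prints. The following is an added example, not code from this page or from CalNet: it rebuilds the page's (cn=edu:berkeley:app:calmessages*) filter with the variable part escaped per RFC 4515, so a caller-supplied prefix cannot turn a prefix match into a match-everything filter, and parses ldapsearch's LDIF output (RFC 2849 line folding and base64 "dn::" values) into a list of group names. The host, base DNs and attribute names are the page's; the sample output is constructed, and the GeneralizedTime syntax assumed for berkeleyEduAffExpDate is not stated on the page.

```python
# Added example (not from the CalNet page): safe filter construction for the
# group search and expired-affiliate queries, plus an LDIF DN parser for the
# output of ldapsearch.  The sample LDIF below is constructed.
import base64
from datetime import datetime, timezone

# Search base from the page's ldapsearch example (a space inside a DN value is legal).
GROUP_BASE = "ou=campus groups,dc=berkeley,dc=edu"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    A caller-controlled prefix such as 'x)(cn=*' would otherwise rewrite the
    filter and match every group in scope.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_filter(cn_prefix: str) -> str:
    """Same match as the page's (cn=edu:berkeley:app:calmessages*).

    Only the trailing '*' is a wildcard; a '*' inside cn_prefix is matched
    literally.  The page's (objectclass=*) term is dropped: it matches every
    entry and adds nothing to the result.
    """
    return "(cn=%s*)" % escape_filter_value(cn_prefix)


def generalized_time(dt: datetime) -> str:
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) in UTC, for date comparisons."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expired_affiliate_filter(as_of: datetime) -> str:
    """Entries whose berkeleyEduAffExpDate (answer 6) is already in the past.

    Assumption: the attribute uses GeneralizedTime syntax with an ordering
    matching rule, so '<=' is permitted.  Only entries with the attribute
    set match; an entry without an expiration date never does.
    """
    return "(berkeleyEduAffExpDate<=%s)" % generalized_time(as_of)


def parse_ldif_dns(ldif_text: str) -> list:
    """Return the DN of every entry in ldapsearch's LDIF output.

    Handles what a plain 'grep ^dn:' misses: a line beginning with one space
    continues the previous line, and 'dn:: ' carries a base64-encoded DN
    (ldapsearch uses that for values it will not print verbatim).
    """
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    dns = []
    for line in logical:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def group_cns(ldif_text: str) -> list:
    """The cn of each group entry sitting directly under GROUP_BASE."""
    suffix = "," + GROUP_BASE
    cns = []
    for dn in parse_ldif_dns(ldif_text):
        if not dn.lower().endswith(suffix):
            continue
        rdn = dn[: -len(suffix)]
        if rdn.lower().startswith("cn=") and "," not in rdn:  # skip nested entries
            cns.append(rdn[3:])
    return cns


# Constructed sample of what the page's ldapsearch command could print: the
# first DN is folded across two lines, the second is base64-encoded.
_SENDERS_DN = "cn=edu:berkeley:app:calmessages:senders," + GROUP_BASE
SAMPLE_LDIF = """\
# extended LDIF
# base <ou=campus groups,dc=berkeley,dc=edu> with scope subtree
# filter: (cn=edu:berkeley:app:calmessages*)
# requesting: dn

dn: cn=edu:berkeley:app:calmessages:admins,ou=campus groups,dc=berkeley,
 dc=edu

dn:: %s

# search result
search: 2
result: 0 Success
""" % base64.b64encode(_SENDERS_DN.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(group_filter("edu:berkeley:app:calmessages"))
    print(group_filter("x)(cn=*"))           # hostile prefix, rendered harmless
    print(expired_affiliate_filter(datetime.now(timezone.utc)))
    print(group_cns(SAMPLE_LDIF))
```

The filter functions produce strings you would pass to ldapsearch in place of the literal filter on the page; the parser is what you would run over its output, since requesting only "dn" (or the standard "1.1" no-attributes marker) leaves nothing else in the entries to read.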