Using LDAP for Authorization

If access to a service should be limited to a particular population, LDAP contains both public and private fields (LDAP attributes) that can be used to identify that population.  Public LDAP attributes can be read with an anonymous LDAP bind (no account or password); private attributes require a privileged LDAP bind (a dedicated LDAP account and password).

LDAP is divided into several containers called Organizational Units (OUs).  Active employees, students, and affiliates, as well as those who are expired but are still within their grace period, are in the People OU.  There is also a PreSIR People OU for admitted students, an ADVCON People OU for alumni and members of the Advancement Constituents, and an Expired People OU for those with no active affiliation.  Anonymous LDAP binds have access only to the People OU.  Anyone needing access to other OUs must request a privileged LDAP bind.

Below are some of the LDAP attributes more commonly used for authorization purposes.

Public Attributes

berkeleyEduTestIDFlag: contains true if the record is a test record.  Filters used for authorization should exclude such records.

berkeleyEduAffiliations: a multivalued attribute that lists the affiliations a person has and whether any of those affiliations have expired.

departmentNumber: contains the department code listed in HCM as the home department under Contact Information.

Private Attributes

berkeleyEduEmpApptType: indicates whether an employee is staff, faculty, or a student employee.

berkeleyEduEmpTitleCode: the job title code, used to select a particular job category.

berkeleyEduStuCollegeCode: groups students by college.

berkeleyEduStuMajorCode: groups students by major.

berkeleyEduStuUGCode: indicates whether a student is a graduate (G) or undergraduate (U).

berkeleyEduStuRegStatCode: the student's registration status.

LDAP Searching

When searching LDAP, restricting the search to avoid unnecessary data will speed things up.  The search base for many searches will be ou=people,dc=berkeley,dc=edu.  If the search needs to cover all of the OUs, the search base should be at a higher level, namely dc=berkeley,dc=edu, but this will be a longer search.  Note that an anonymous bind still sees only the People OU regardless of the search base; entries in the other OUs are returned only to a privileged bind.

The search scope determines how many levels down from the search base into the data the search should go.  If the search base is ou=people,dc=berkeley,dc=edu, the search scope can usually be one.  If the search base includes more than one sub OU, the search scope will usually need to be sub, and again the search will take longer.

An example of an anonymous search for info about a person using the uid is below.  The -x option requests simple authentication, and with no -D bind DN this is an anonymous bind; -H gives the server URL (the host name is omitted here).

ldapsearch -H ldaps:// -x -s sub -b "ou=people,dc=berkeley,dc=edu" "(&(objectclass=person)(uid=3807))"

Below are some example LDAP search filter expressions.  There is often more than one way to get the same search result.  Attribute names in filters are case-insensitive; they are written here in their canonical casing.  Each filter excludes test records with (!(berkeleyEduTestIDFlag=true)); leaving that term out lets test identities through.

Search objective: All active employees
LDAP filter expression:
(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(berkeleyEduAffiliations=EMPLOYEE-TYPE-*)(!(berkeleyEduAffiliations=EMPLOYEE-STATUS-EXPIRED)))

Search objective: All active employees in a specific department
LDAP filter expression:
(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(employeeNumber=*)(departmentNumber=JICCS)(!(berkeleyEduEmpExpDate=*)))

Search objective: All students in a major (whether they are active or in their grace period)
LDAP filter expression:
(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(berkeleyEduStuMajorCode=080))
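The following Python is an added example, not code from the original page or from CalNet: it builds the uid lookup and the three table filters above with the caller-supplied value escaped per RFC 4515 (so a uid of "*" cannot become a match-everything filter), then evaluates those filters offline against a handful of constructed sample records so the authorization logic (test records out, expired employees out, wildcard and multivalued matching) can be checked before the filter is pointed at the directory.  The sample uids, employee numbers and the berkeleyEduEmpExpDate value are hypothetical; the attribute names and filter expressions are the page's own.

```python
"""Build the page's authorization filters safely and evaluate them offline
against constructed sample records.  Added example, not from the original
page; uids and values in PEOPLE are hypothetical."""
import re


def escape_filter_value(value):
    """Escape a caller-supplied value for use inside an LDAP filter (RFC 4515).
    Without this, a uid of '*' turns (uid=3807) into (uid=*) and matches
    every entry under the search base."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


# Filters from the page's table.  Only caller-supplied values are escaped;
# wildcards that belong to the filter itself stay as written.
ACTIVE_EMPLOYEES = ('(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))'
                    '(berkeleyEduAffiliations=EMPLOYEE-TYPE-*)'
                    '(!(berkeleyEduAffiliations=EMPLOYEE-STATUS-EXPIRED)))')


def person_by_uid(uid):
    return '(&(objectclass=person)(uid=%s))' % escape_filter_value(uid)


def active_employees_in_department(dept):
    return ('(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))(employeeNumber=*)'
            '(departmentNumber=%s)(!(berkeleyEduEmpExpDate=*)))' % escape_filter_value(dept))


def students_in_major(major):
    return ('(&(objectclass=person)(!(berkeleyEduTestIDFlag=true))'
            '(berkeleyEduStuMajorCode=%s))' % escape_filter_value(major))


def _unescape(s):
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def parse_filter(text):
    """Parse a filter string into ('&'|'|', [children]), ('!', [child]) or
    ('=', attr, parts), where parts are the literal pieces between wildcards."""
    def expect(i, ch):
        if i >= len(text) or text[i] != ch:
            raise ValueError('expected %r at offset %d' % (ch, i))
        return i + 1

    def parse(i):
        i = expect(i, '(')
        if text[i] in '&|':
            op, i, kids = text[i], i + 1, []
            while text[i] == '(':
                node, i = parse(i)
                kids.append(node)
            return (op, kids), expect(i, ')')
        if text[i] == '!':
            node, i = parse(i + 1)
            return ('!', [node]), expect(i, ')')
        j = text.index(')', i)          # an escaped ')' is \29, so the next raw ')' ends the item
        attr, _, value = text[i:j].partition('=')
        return ('=', attr.lower(), [_unescape(p) for p in value.split('*')]), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError('trailing data in filter')
    return node


def _matches(parts, value):
    """Case-insensitive match of one attribute value against a wildcard pattern."""
    v, parts = value.lower(), [p.lower() for p in parts]
    if len(parts) == 1:                 # no wildcard: exact match
        return v == parts[0]
    if not (v.startswith(parts[0]) and v.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(v) - len(parts[-1])
    for p in parts[1:-1]:               # middle pieces must appear in order
        idx = v.find(p, pos)
        if idx < 0 or idx + len(p) > end:
            return False
        pos = idx + len(p)
    return pos <= end


def evaluate(node, entry):
    """entry maps attribute name -> list of values (LDAP attributes are multivalued).
    An absent attribute never matches, so (!(attr=*)) selects entries lacking it."""
    if node[0] == '&':
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == '|':
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == '!':
        return not evaluate(node[1][0], entry)
    _, attr, parts = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return any(_matches(parts, v) for v in values)


def search(filter_text, entries):
    """Return the uids of the entries the filter selects, in input order."""
    tree = parse_filter(filter_text)
    return [e['uid'][0] for e in entries if evaluate(tree, e)]


# Constructed sample records: an active staff member, an expired one, a test
# record, and a student.  Values are hypothetical, not real directory data.
PEOPLE = [
    {'uid': ['3807'], 'objectClass': ['person'], 'employeeNumber': ['000001'],
     'departmentNumber': ['JICCS'], 'berkeleyEduAffiliations': ['EMPLOYEE-TYPE-STAFF']},
    {'uid': ['4101'], 'objectClass': ['person'], 'employeeNumber': ['000002'],
     'departmentNumber': ['JICCS'], 'berkeleyEduEmpExpDate': ['20240630'],
     'berkeleyEduAffiliations': ['EMPLOYEE-TYPE-STAFF', 'EMPLOYEE-STATUS-EXPIRED']},
    {'uid': ['5555'], 'objectClass': ['person'], 'berkeleyEduTestIDFlag': ['true'],
     'employeeNumber': ['000003'], 'departmentNumber': ['JICCS'],
     'berkeleyEduAffiliations': ['EMPLOYEE-TYPE-STAFF']},
    {'uid': ['6200'], 'objectClass': ['person'], 'berkeleyEduStuMajorCode': ['080']},
]

if __name__ == '__main__':
    print(search(ACTIVE_EMPLOYEES, PEOPLE))                         # ['3807']
    print(search(active_employees_in_department('JICCS'), PEOPLE))  # ['3807']
    print(search(students_in_major('080'), PEOPLE))                 # ['6200']
    print(search(person_by_uid('*'), PEOPLE))                       # [] : the '*' is escaped, so it is literal
```

The evaluator follows the usual server behaviour for the constructs these filters use: comparisons are case-insensitive, a filter item matches if any value of a multivalued attribute matches, and an attribute that is absent from the entry never matches, which is what makes (!(berkeleyEduEmpExpDate=*)) select current employees.  Run the real ldapsearch with the same filter string to confirm the directory agrees with the offline result.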