
LDAP Directory Service


Overview

The University of Hawaii's central LDAP Directory Service is provided primarily for use by the University of Hawaii (UH) System. It contains information about the people affiliated with the UH System. Information about students is subject to federal laws (FERPA) and may not be publicly visible if they have elected to keep their directory information private.

This directory is intended solely to provide contact information for individual members of the University community. Information obtained from this directory may not be used for the purpose of bulk communication (spam, unsolicited commercial email, etc.) of any kind to students, faculty and/or staff. This includes solicitations of any kind or informational announcements using paper, email, or phone calls. Violations may be addressed under all applicable policies, codes of conduct or law.

This document is intended to provide basic information about using this service. Questions may be directed to the ITS IAM group.

Topics

Connecting to the Directory Service

To use the directory service, you need to tell your directory-enabled application (such as an email program or address book) which host to contact to get the information. You may also need to tell it which service port to use if the service uses something other than the standard LDAP service port of 389. Typically, the information about people (assuming you want to look up someone's email address or office telephone number) is contained in the People portion of the directory subtree.

The information you will need is summarized as follows:

Configuration item    Value for UH Directory Service
host                  ldap.hawaii.edu
port                  389 (standard LDAP service port; STARTTLS only)
search base           ou=People, dc=hawaii, dc=edu

These configuration items tell your directory-enabled application which host to contact and what part of the directory to look in. Your directory-enabled client program may not need the search base information.

What is an LDAP Directory?

LDAP stands for Lightweight Directory Access Protocol. It is an Internet standard for accessing and querying information in a CCITT Recommendation X.500 (International Standards Organization standard) directory service. It was conceived as a way to tap into existing X.500 directory services and evolved into a standard way of accessing directory-type information. An LDAP directory primarily provides a lookup service. The information in it can be just about anything within reason. Note that an LDAP directory is not structured the same way as a relational database. While meant for lookups, the information is not organized as it would be in a relational database, where many ad hoc queries might be run against data spread across multiple tables. Rather, the information in an LDAP directory is structured in a “flat” way, where each entry is a single record or container of data about that entry. Each piece of data is called an attribute (data field). Some attributes can hold only one value, while others may hold many values. Thus, a single entry could have multiple values in some attributes or fields.

What is the LDAP Directory Service good for?

We currently have white pages (telephone number and office location) information in the directory. There are additional pieces of information that make the directory service useful for other things such as user authentication and access control. A person's affiliation with the university is available in an attribute and says whether they are a student, staff member, or faculty member. Finer-grained access control or authorization is possible depending on the data that is available in the directory. However, there are many dimensions and obstacles to finer-grained access control. For more information, please contact the ITS IAM group.

Can I authenticate users to my Web site?

Only UH Web sites may authenticate UH users using LDAP. Knowledge of LDAP programming in whatever language you use to build your site (PHP, Perl, Java, ASP, etc.) is required.

An easier way to authenticate users to your Web site is to use the Web Login Service. It eliminates the need to know how to do any LDAP programming. Please see the Web Login Service documentation for details.
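The two operations described above, a white-pages lookup against the People subtree and a Web-site login that verifies a password by binding as the user's entry, as an added example that is not part of the Ask Us article or of any ITS code. The host, port and search base are the values from the table above; the attribute names (uid, cn, mail, telephoneNumber, userPassword), the ldap3 library used for the live connection, and the sample entries are assumptions or constructed data so that the lookup and login logic can be exercised offline. Two points a practitioner would want are built in: user-supplied values are escaped before they go into a search filter, and an empty password is refused before any bind is attempted, because a simple bind with a DN and an empty password is an unauthenticated bind that a server may accept without verifying anything.

```python
"""Added example, not the UH article's code: look up a person under
ou=People and verify a password by binding as that entry.  Attribute
names, the ldap3 dependency and the sample entries are assumptions."""
import re
import ssl

LDAP_HOST = "ldap.hawaii.edu"               # from the article
LDAP_PORT = 389                             # standard port; the article pairs it with STARTTLS
SEARCH_BASE = "ou=People,dc=hawaii,dc=edu"  # article's search base, spaces removed

# RFC 4515 escaping: a user-supplied value must never change the filter's shape.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def person_filter(uid):
    """Filter matching exactly one uid, even if uid contains '*', '(' or ')'."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)


def lookup(directory, uid):
    """Return (dn, attributes) for uid, or None unless exactly one entry matches.
    Attribute values are lists because LDAP attributes may be multi-valued."""
    hits = directory.search(SEARCH_BASE, person_filter(uid), ["cn", "mail", "telephoneNumber"])
    return hits[0] if len(hits) == 1 else None


def authenticate(directory, uid, password):
    """Web-site login: find the entry for uid, then bind as it with the password.
    Empty passwords are rejected first: RFC 4513 treats a bind with a DN and an
    empty password as an unauthenticated bind, which can succeed without proof."""
    if not password:
        return False
    hit = lookup(directory, uid)
    if hit is None:
        return False
    return directory.bind(hit[0], password)


class FakeDirectory:
    """Constructed offline stand-in for the live server; it understands only
    the filter shape that person_filter() produces."""
    _PATTERN = re.compile(r"^\(&\(objectClass=person\)\(uid=([^()]*)\)\)$")

    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: [values]}}

    def search(self, base, filt, attributes):
        m = self._PATTERN.match(filt)
        if not m:
            return []  # a malformed filter would be a protocol error on a real server
        wanted = _unescape(m.group(1))
        return [(dn, {a: e.get(a, []) for a in attributes})
                for dn, e in self.entries.items()
                if dn.endswith(base) and wanted in e.get("uid", [])]

    def bind(self, dn, password):
        # Models the protocol rule authenticate() guards against: an empty
        # password is an unauthenticated bind, which the server may accept.
        if password == "":
            return True
        return password in self.entries.get(dn, {}).get("userPassword", [])


class Ldap3Directory:
    """Adapter for the real service (assumes the ldap3 package is installed).
    STARTTLS is negotiated on port 389, with certificate validation, before
    any search or bind so credentials never cross the network in the clear."""

    def __init__(self, host=LDAP_HOST, port=LDAP_PORT):
        import ldap3  # imported here so the offline parts of this file need no dependency
        self._ldap3 = ldap3
        self.server = ldap3.Server(host, port=port, get_info=ldap3.NONE,
                                   tls=ldap3.Tls(validate=ssl.CERT_REQUIRED))

    def _connect(self, user=None, password=None):
        conn = self._ldap3.Connection(self.server, user=user, password=password,
                                      auto_bind=False, raise_exceptions=False)
        conn.open()
        conn.start_tls()
        return conn

    def search(self, base, filt, attributes):
        conn = self._connect()
        conn.bind()  # anonymous bind is enough for the white-pages lookup
        conn.search(base, filt, attributes=attributes)
        hits = [(r["dn"], dict(r["attributes"]))
                for r in conn.response if r.get("type") == "searchResEntry"]
        conn.unbind()
        return hits

    def bind(self, dn, password):
        conn = self._connect(dn, password)
        ok = conn.bind()
        conn.unbind()
        return ok


# Constructed sample entry; telephoneNumber shows a multi-valued attribute.
SAMPLE_PEOPLE = {
    "uid=jdoe,ou=People,dc=hawaii,dc=edu": {
        "uid": ["jdoe"], "cn": ["Jane Doe"], "mail": ["jdoe@hawaii.edu"],
        "telephoneNumber": ["808-555-0100", "808-555-0101"],
        "userPassword": ["correct-horse"],
    },
}

if __name__ == "__main__":
    d = FakeDirectory(SAMPLE_PEOPLE)
    print(lookup(d, "jdoe"))
    print(authenticate(d, "jdoe", "correct-horse"), authenticate(d, "jdoe", ""))
```

Swapping `FakeDirectory(SAMPLE_PEOPLE)` for `Ldap3Directory()` points the same `lookup()` and `authenticate()` calls at the live service; nothing in the calling code changes. With `get_info=ldap3.NONE` the server schema is not fetched, so values in `conn.response` arrive as lists regardless of whether the attribute is single-valued, which matches what `FakeDirectory` returns.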

Additional Resources