Information, Technology & Consulting

LDAP Directory Migration

Details

On April 4, 2017 @ 6:00AM, the Redhat directory servers (a.k.a. DND LDAP, ldap.dartmouth.edu, ldap.dartmouth.org) are going out-of-maintenance and will be decommissioned. Before they are decommissioned, all applications/services should be updated to use the new directory servers (Oracle Unified Directory) or Active Directory as appropriate.

The new directory servers have been configured to be as similar to the old directory servers as possible/appropriate to reduce the impact as applications are migrated.

Things to know about the new Directory Servers:

1. Hostname: The hostname that should be used to connect to the new directory servers is oud.dartmouth.edu. In many cases, an application will only need to change its hostname from ldap.dartmouth.edu (or ldap.dartmouth.org) to oud.dartmouth.edu to migrate to the new directory. oud.dartmouth.edu uses the F5 GTMs to provide load balancing and fault detection. Once the old Redhat LDAP servers have been decommissioned, ldap.dartmouth.edu and ldap.dartmouth.org will be repointed to oud.dartmouth.edu; do not rely on that repointing as a migration strategy, since the naming context and attribute changes below still apply.

2. Encryption: oud.dartmouth.edu provides both non-TLS and TLS (LDAPS, not to be confused with StartTLS) options for connecting to the directory. The standard LDAP ports are used. Non-TLS: 389; TLS: 636. We strongly recommend using TLS for all connections that authenticate (BIND) to the directory with user credentials: a simple BIND over port 389 sends the password in cleartext. StartTLS on port 389 is not listed as an option here, so configure clients for ldaps:// on 636 rather than expecting a plaintext connection to be upgraded, and make sure the client validates the server certificate and hostname rather than disabling certificate checks to get the connection working.

3. Naming Context: In the new directory servers, there is a single naming context (dc=dartmouth,dc=edu) where all users are located. There will no longer be a dc=dartmouth,dc=org naming context. All users from the DND LDAP and the AND LDAP can be found in oud.dartmouth.edu under dc=dartmouth,dc=edu.

4. Users: All users found in Oracle Identity Manager (OIM) exist in the new directory servers and are automatically updated as changes are made to a user's record in OIM. Those users can be found under ou=Users,dc=dartmouth,dc=edu.

5. Groups: All roles (groups) found in Oracle Identity Manager (OIM) exist in the new directory servers and are automatically updated as changes are made in OIM.

6. Relative Distinguished Name (RDN): In the new directory servers, the RDN is the "uid" attribute. This means that the Distinguished Name (DN) for a user will look something like: uid=d99999z,ou=Users,dc=dartmouth,dc=edu

7. DND Protocol: The DND protocol is tightly coupled with the Redhat LDAP servers. As the Redhat LDAP servers are decommissioned, the DND protocol will also be decommissioned.

8. dndlookup CLI: A number of users rely on a command-line utility called `dndlookup` to look up users and retrieve user attributes. This utility will no longer work once the DND protocol has been decommissioned. The IdM team has built a replacement utility (dirlookup.py) to perform many of the same functions as dndlookup. This new utility makes use of a new RESTful lookup service. A KB article will be made available which documents `dirlookup.py`.

9. DND Lookup RESTful Service: The IdM team has created a RESTful web service to serve as a generic lookup service. A KB article will be made available which documents the API. Here is an example lookup:

https://api-lookup.dartmouth.edu/v1/lookup?netid=dz10015

10. Attribute Mapping: Several of the custom Dartmouth attributes have been renamed in the new directory servers (the dnd prefix becomes dc, and nickname becomes eduPersonNickname). Search filters, requested-attribute lists and attribute maps in applications must be updated accordingly. Here is a table of those attribute changes.

Redhat LDAP Attribute Name   OUD Attribute Name   Example Data
dndCampusResidency           dcCampusResidency    Y
dndUid                       dcDndUid             2390510
dndAdvanceid                 dcAdvanceID          0000099999
dndAffiliation               dcAffiliation        DART
dndDartid                    dcDartid             Z10015
dndDctsnum                   dcDctsnum            HDZ10015
dndNonpub                    dcNonpub             Y
dndDieboldnum                dcDieboldnum         10003418310
dndComments                  dcComments
dndDeptclass                 dcDeptclass          Dept
dndExpires                   dcExpires
dndHinmanaddr                dcHinmanaddr         HB 6028 A
dndMailaddr                  dcMailaddr           [email protected]
dndStuff                     dcStuff              (skype:Test5Smith123)
dndUrl                       dcUrl                www.123pageA.com
nickname                     eduPersonNickname    tsmith

11. Other Attributes: Here is a list of other common attributes:

Attribute                     Example Data
uid                           dz10015
givenName                     Test5
initials                      K
middleName                    K
sn                            Smith
cn                            Test5 K. Smith
displayName                   Test5 K. Smith
mail                          [email protected]
telephoneNumber               603-646-1234
eduPersonAffiliation          Student
eduPersonPrimaryAffiliation   Student
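The items above amount to a migration checklist: new hostname, LDAPS on 636, a single dc=dartmouth,dc=edu naming context, uid-based user DNs, and renamed custom attributes. The following script is an added example, not tooling from the IdM team, that applies those changes mechanically to the places they usually hide in application configuration: LDAP URLs, search filters, requested-attribute lists and base DNs. It also audits a legacy URL and reports what still needs to change. It is stdlib-only and makes no connection to oud.dartmouth.edu; the sample URLs and filters in the comments are constructed for illustration.

```python
"""Rewrite legacy Redhat/DND LDAP settings for the OUD directory (added example)."""
import re
from typing import Dict, Iterable, List

OLD_HOSTS = {"ldap.dartmouth.edu", "ldap.dartmouth.org"}
NEW_HOST = "oud.dartmouth.edu"
OLD_BASE = "dc=dartmouth,dc=org"
NEW_BASE = "dc=dartmouth,dc=edu"
USERS_OU = "ou=Users,dc=dartmouth,dc=edu"

# Attribute renames from the migration table. LDAP attribute names are
# case-insensitive, so lookups are keyed on the lower-cased old name.
ATTR_MAP: Dict[str, str] = {
    "dndcampusresidency": "dcCampusResidency",
    "dnduid": "dcDndUid",
    "dndadvanceid": "dcAdvanceID",
    "dndaffiliation": "dcAffiliation",
    "dnddartid": "dcDartid",
    "dnddctsnum": "dcDctsnum",
    "dndnonpub": "dcNonpub",
    "dnddieboldnum": "dcDieboldnum",
    "dndcomments": "dcComments",
    "dnddeptclass": "dcDeptclass",
    "dndexpires": "dcExpires",
    "dndhinmanaddr": "dcHinmanaddr",
    "dndmailaddr": "dcMailaddr",
    "dndstuff": "dcStuff",
    "dndurl": "dcUrl",
    "nickname": "eduPersonNickname",
}


def map_attr(name: str) -> str:
    """Return the OUD name for a legacy attribute, or the name unchanged."""
    return ATTR_MAP.get(name.lower(), name)


def rewrite_attrs(names: Iterable[str]) -> List[str]:
    return [map_attr(n) for n in names]


# In an RFC 4515 filter an attribute name appears only directly after "("
# and before the operator (=, ~=, >=, <=, :=). A literal "(" inside a value
# must be escaped as "\28", so this substitution never touches values.
_FILTER_ATTR = re.compile(r"\(([A-Za-z][A-Za-z0-9.-]*)(?=[=~<>:])")


def rewrite_filter(flt: str) -> str:
    """(&(dndDartid=Z10015)(dndAffiliation=DART)) -> (&(dcDartid=...)(dcAffiliation=...))"""
    return _FILTER_ATTR.sub(lambda m: "(" + map_attr(m.group(1)), flt)


def rewrite_base(dn: str) -> str:
    """Move a base DN from the retired dc=dartmouth,dc=org context (suffix match, case-insensitive)."""
    if dn.lower().endswith(OLD_BASE):
        return dn[: -len(OLD_BASE)] + NEW_BASE
    return dn


def _split_url(url: str):
    """Split an RFC 4516 LDAP URL into (scheme, host, [dn, attrs, scope, filter])."""
    scheme, rest = url.split("://", 1)
    hostport, _, tail = rest.partition("/")
    host = hostport.split(":", 1)[0].lower()
    return scheme.lower(), host, tail.split("?", 3)


def audit_url(url: str) -> List[str]:
    """List what in a configured LDAP URL still points at the old service."""
    scheme, host, parts = _split_url(url)
    findings = []
    if host in OLD_HOSTS:
        findings.append("legacy host %s" % host)
    if scheme != "ldaps":
        findings.append("plaintext scheme %s (BIND credentials would be sent in the clear)" % scheme)
    if parts[0].lower().endswith(OLD_BASE):
        findings.append("retired naming context " + OLD_BASE)
    if len(parts) > 1 and any(a.lower() in ATTR_MAP for a in parts[1].split(",") if a):
        findings.append("legacy attribute names in attribute list")
    if len(parts) > 3 and rewrite_filter(parts[3]) != parts[3]:
        findings.append("legacy attribute names in filter")
    return findings


def rewrite_url(url: str) -> str:
    """Rewrite a legacy URL to LDAPS on oud.dartmouth.edu with the new context and attribute names."""
    _, host, parts = _split_url(url)
    if host not in OLD_HOSTS:
        raise ValueError("not a legacy directory URL: " + url)
    parts[0] = rewrite_base(parts[0])
    if len(parts) > 1 and parts[1]:
        parts[1] = ",".join(rewrite_attrs(parts[1].split(",")))
    if len(parts) > 3:
        parts[3] = rewrite_filter(parts[3])
    return "ldaps://%s:636/%s" % (NEW_HOST, "?".join(parts))


# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_DN_ESCAPE = re.compile(r'([,+"\\<>;=#])')


def user_dn(uid: str) -> str:
    """Build the uid-based user DN, escaping the value so a crafted uid cannot alter the DN."""
    return "uid=%s,%s" % (_DN_ESCAPE.sub(r"\\\1", uid), USERS_OU)


if __name__ == "__main__":
    legacy = "ldap://ldap.dartmouth.org/dc=dartmouth,dc=org?dndDartid,nickname?sub?(dndUid=2390510)"
    for f in audit_url(legacy):
        print("FINDING:", f)
    print(rewrite_url(legacy))
    print(user_dn("d99999z"))
```

The rewrite always emits ldaps://oud.dartmouth.edu:636 regardless of the scheme it was given, because the only way to keep a plaintext bind after migration is to ask for it deliberately. Run audit_url over every directory URL you can find in configuration before the April 4 cut-off; anything that reports a finding will break or silently degrade when the old servers go away.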
Topic: Administrative Applications
Subtopic: Administrative Systems
Last updated: Tuesday, March 21, 2017

If you have questions or need further information, contact your department's IT support office, or contact the IT Service Desk via email at [email protected], via phone at 603-646-2999 or walk in to see them in Baker/Berry 178J.
