Information, Technology & Consulting

LDAP Directory Migration


On April 4, 2017 @ 6:00AM, the Redhat directory servers (a.k.a. DND LDAP) are going out-of-maintenance and will be decommissioned. Before they are decommissioned, all applications/services should be updated to use the new directory servers (Oracle Unified Directory) or Active Directory as appropriate.

The new directory servers have been configured to be as similar to the old directory servers as possible/appropriate to reduce the impact as applications are migrated.

Things to know about the new Directory Servers:

1. Hostname: The hostname that should be used to connect to the new directory servers is In many cases, an application will only need to change their hostname from (or to to migrate to the new directory. uses the F5 GTMs to provide load balancing and fault detection. Once the old Redhat LDAP servers have been decommissioned, and will be repointed to

2. Encryption: provides both non-TLS and TLS (not to be confused with startTLS) options for connecting to the directory. The standard LDAP ports are used. Non-TLS: 389; TLS: 636. We strongly recommend using TLS for all connections that authenticate (BIND) to the directory with user credentials.

3. Naming Context: In the new directory servers, there is a single naming context (dc=dartmouth,dc=edu) where all users are located. There will no longer be a dc=dartmouth,dc=org naming context. All users from the DND LDAP and the AND LDAP can be found under dc=dartmouth,dc=edu.

4. Users: All users found in Oracle Identity Manager (OIM) exist in the new directory servers and are automatically updated as changes are made to a user's record in OIM. Those users can be found under ou=Users,dc=dartmouth,dc=edu.

5. Groups: All roles (groups) found in Oracle Identity Manager (OIM) exist in the new directory servers and are automatically updated as changes are made in OIM.

6. Relative Distinguished Name (RDN): In the new directory servers, the RDN is the "uid" attribute. This means that the Distinguished Name (DN) for a user will look something like: uid=d99999z,ou=Users,dc=dartmouth,dc=edu

7. DND Protocol: The DND protocol is tightly coupled with the Redhat LDAP servers. As the Redhat LDAP servers are decommissioned, the DND protocol will also be decommissioned.

8. dndlookup CLI: Several users rely on a command-line utility called `dndlookup` to look up users and retrieve user attributes. This utility will no longer work once the DND protocol has been decommissioned. The IdM team has built a replacement utility ( to perform many of the same functions as dndlookup. This new utility makes use of a new RESTful lookup service. A KB article will be made available which documents ``.

9. DND Lookup RESTful Service: The IdM team has created a RESTful web service to serve as a generic lookup service. A KB article will be made available which documents the API. Here is an example lookup:

10. Attribute Mapping: There have been several attribute name changes for the custom Dartmouth attributes in the new directory servers. Here is a table of those attribute changes.

Redhat LDAP Attribute Name    OUD Attribute Name    Example Data
dndHinmanaddr                 dcHinmanaddr          HB 6028 A
dndMailaddr                   dcMailaddr            [email protected]

11. Other Attributes: Here is a list of other common attributes:

Attribute      Example Data
cn             Test5 K. Smith
displayName    Test5 K. Smith
mail           [email protected]
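As an added example (not code from this article or the IdM team), here is a small stdlib-only Python helper that applies the notes above to an application's existing LDAP settings: it flags credentialed binds that would go over the non-TLS port, rewrites the retired dc=dartmouth,dc=org base DN and the dnd* attribute names from the mapping table, and builds the uid lookup filter with RFC 4515 escaping so user-supplied input cannot change the filter's meaning. The hostname ldap.example.invalid is a placeholder; substitute the hostname given in the article.

```python
import re
from urllib.parse import urlparse

OLD_BASE = "dc=dartmouth,dc=org"          # naming context that no longer exists
NEW_BASE = "dc=dartmouth,dc=edu"          # single naming context in OUD
USERS_BASE = "ou=Users," + NEW_BASE       # where OIM users live
ATTR_MAP = {"dndHinmanaddr": "dcHinmanaddr", "dndMailaddr": "dcMailaddr"}
ATTR_RE = re.compile(r"\(([A-Za-z][\w;-]*)(?=[~<>]?=)")  # "(attr" before =, ~=, >=, <=


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def uid_filter(uid: str) -> str:
    """Build the lookup filter for the uid RDN, escaping untrusted input."""
    return "(uid=%s)" % escape_filter_value(uid)


def migrate_filter(old_filter: str) -> str:
    """Rename legacy dnd* attributes inside a search filter string."""
    return ATTR_RE.sub(lambda m: "(" + ATTR_MAP.get(m.group(1), m.group(1)), old_filter)


def migrate_base_dn(dn: str) -> str:
    """Rewrite a DN under the retired dc=dartmouth,dc=org context to dc=dartmouth,dc=edu."""
    if dn.lower().endswith(OLD_BASE):
        return dn[: -len(OLD_BASE)] + NEW_BASE
    return dn


def check_connection(url: str, binds_with_credentials: bool) -> list:
    """Return migration findings for an LDAP URL (scheme, port, base DN)."""
    parts = urlparse(url)
    findings = []
    uses_tls = parts.scheme == "ldaps"
    port = parts.port or (636 if uses_tls else 389)
    if binds_with_credentials and not uses_tls:
        findings.append("credentials bound over non-TLS port %d; use ldaps:// (636)" % port)
    base = parts.path.lstrip("/")
    if base.lower().endswith(OLD_BASE):
        findings.append("base DN %s is gone; use %s" % (base, migrate_base_dn(base)))
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy configuration as an application might still have it.
    print(check_connection("ldap://ldap.example.invalid:389/dc=dartmouth,dc=org", True))
    print(migrate_filter("(&(dndMailaddr=*@dartmouth.edu)(objectClass=person))"))
    print(uid_filter("d99999z"), "under", USERS_BASE)
```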
Last updated: Tuesday, March 21, 2017

If you have questions or need further information, contact your department's IT support office, or contact the IT Service Desk via email at [email protected], via phone at 603-646-2999 or walk in to see them in Baker/Berry 178J.
