Lightweight Directory Access Protocol (LDAP)

Overview:

LDAP (Lightweight Directory Access Protocol) is an Internet standard protocol for storing and retrieving directory information, as well as performing authentication and authorization. See IETF RFCs 4510-4519 for the current specifications; it was originally defined in RFCs 2251 and 3377.

I’d like to use LDAP to perform authentication for my application

In general, this is no longer supported at CWRU except in rare circumstances and legacy applications. We are actively discouraging the use of logins to applications that are not going through login.case.edu. 

You should be using Single Sign-On (either SAML or CAS). If your application cannot use SSO, please request permission to use LDAP for authentication from Information Security. If this is a third-party application, you should also be actively encouraging them to use our SSO for authentication.

I need a Bind DN for my application for a non-authentication purpose

If you’re using SAML Single Sign-On, we release a common set of attributes per-user that should cover most use cases, and we also can do custom attribute release for your application with some limitations. You can contact the Authentication group for more information on that.

If that’s not possible or relevant to the task at hand (e.g. you’re doing some kind of ‘data harvesting’ procedure), we can create an LDAP Bind DN for your application’s search needs.

We will need the following information:

  • uid for the Bind DN (or we’ll make something up for you along the lines of the application name)

  • the list of attributes that you intend to read from user accounts (e.g. givenName, sn, mail, eduPersonEntitlement, etc.)

  • Number of accounts that you intend to search for at a time (e.g. 1, 10, 10000) and/or the search query you intend to use.

  • Some details about the application and what you intend to use it for.

  • Responsible party’s email address, so we can contact you in case of problems. Note that we do not provide Bind DNs to students. If this is needed for a project, a faculty/staff member should make the request on the student’s behalf.

Once the Bind DN is created, we will communicate the credentials to the responsible party via Box Note.

I would like to use LDAP with my mail client

Here are some general guidelines that should work with most email clients that can use LDAP:

  • Server/Hostname: ldap.case.edu
  • base DN: ou=People, o=cwru.edu, o=isp
  • Port: 389 (if using LDAP+TLS) or 636 (LDAPS)
  • Bind DN: uid={userid}, ou=People, o=cwru.edu, o=isp (where {userid} is replaced with your CWRU user id)

Using an anonymous bind can also work, but note that anonymous searches are limited in the number of results they can return compared to an authenticated bind. Unauthenticated binds (where you give a Bind DN, but no passphrase) are not allowed. Note that ports 389 and 636 may be blocked at various firewalls off-campus.
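The sketch below is an added example, not code from CWRU: it builds the Bind DN from the template above with RFC 4514 escaping of the user id, and refuses locally to attempt an unauthenticated bind (Bind DN with an empty passphrase). The function names are hypothetical, the base DN is written without the spaces after the commas on the assumption that the server treats both forms the same, and no LDAP library or network access is used.

```python
# Added example. HOST, ports and DN layout come from the page; function names are hypothetical.
HOST = "ldap.case.edu"
# The page's base DN, written without the spaces after the commas (assumed equivalent).
BASE_DN = "ou=People,o=cwru.edu,o=isp"


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(userid: str) -> str:
    """Fill the page's Bind DN template uid={userid},ou=People,o=cwru.edu,o=isp."""
    if not userid:
        raise ValueError("userid must not be empty")
    return f"uid={escape_rdn_value(userid)},{BASE_DN}"


def classify_bind(dn: str, password: str) -> str:
    """Name the simple-bind type using the terms from RFC 4513 section 5.1."""
    if not dn:
        if password:
            raise ValueError("passphrase supplied without a Bind DN")
        return "anonymous"
    return "authenticated" if password else "unauthenticated"


def connection_plan(userid: str = "", password: str = "", ldaps: bool = True) -> dict:
    """Return the settings to hand to an LDAP client, or raise before anything is sent."""
    dn = bind_dn(userid) if userid else ""
    kind = classify_bind(dn, password)
    if kind == "unauthenticated":
        # Bind DN with an empty passphrase: not allowed by this directory, so fail locally.
        raise ValueError("Bind DN given without a passphrase")
    port, tls = (636, "ldaps") if ldaps else (389, "starttls")
    return {"host": HOST, "port": port, "tls": tls,
            "bind": kind, "bind_dn": dn, "base_dn": BASE_DN}
```

Rejecting the empty passphrase before the bind is sent matters most in software that treats a successful bind as proof of identity, since some LDAP servers answer an unauthenticated bind with success.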

I need (an) LDAP Group(s) for my application.

We do not generally offer this as a service, as we don’t have an easy way to manage such groups that we can give access to at present. Submit a request using the LDAP Group Request link on the right describing your requirement. We will review and attempt to accommodate if it’s technically feasible. At some point in the future we may be able to allow this through our Grouper service.

If you’re using SAML Single Sign-On, you may find what you need to do authorization via the eduPersonEntitlement and eduPersonScopedAffiliation attributes.

My entry on the LDAP server has incorrect data.

You will need to contact the authoritative source(s) for your account (HCM, SIS, etc.). Once changed there, your account information should be updated on the LDAP servers within 24 hours. Note that first.last email addresses do not automatically change when names are changed, and you should open a ticket to get that updated.

I searched for so-and-so and they didn’t show up?

They may have selected to suppress their directory information via FERPA. 

Didn’t find what you needed?

Submit a support request using the Technical Support link on the right for more information.

 

 

Service Offerings (2)

LDAP Group Request
Request for adding or updating LDAP groups
LDAP Technical Support
Technical support requests for issues related to LDAP services