4. Recommended Usage

This section gives recommendations on how to achieve particular goals using the Oak LDAP service, independently of any particular LDAP client software. To apply this advice using your OpenLDAP client software, please refer to Using LDAP Client Software With the Oak LDAP Service.

4.1. What it Means for a Person to Have an Oak LDAP Entry

You shouldn't infer anything from the mere existence of an Oak LDAP entry for a person. In particular, just because someone is in the Oak LDAP directory doesn't mean they're a member of the University (but see How to Authorise Based on Membership of the University), nor does it imply that they're entitled to use any University resources.

4.2. How to Look Up a Person by SSO Username

Perform an LDAP search with a base of ou=people,dc=oak,dc=ox,dc=ac,dc=uk and a filter of oakPrincipal=krbPrincipalName=<USERNAME>@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk.

4.3. How to Look Up a Person by oakPersonID

You should do an LDAP search with a base of ou=people,dc=oak,dc=ox,dc=ac,dc=uk and a filter of oakPersonID=<ID>.

You should not do an LDAP search with a base of oakPrimaryPersonID=<ID>,ou=people,dc=oak,dc=ox,dc=ac,dc=uk. This is because in some cases a person may have multiple oakPersonIDs. Only one of these will be present in the distinguished name of the person's entry as the oakPrimaryPersonID.

4.4. How to Look Up a Person by Their Card's Barcode

If the card reader you're using reads the whole barcode including the check digit, then perform an LDAP search with a base of ou=people,dc=oak,dc=ox,dc=ac,dc=uk and a filter of oakUniversityBarcodeFull=<BARCODE>. Otherwise, use the oakUniversityBarcode attribute instead.
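The three lookups in sections 4.2 to 4.4 all take a caller-supplied value (username, ID or barcode) and embed it in a search filter. The following is an added example, not part of the Oak documentation or its client software: it builds those filters with RFC 4515 filter escaping and, for the username, RFC 4514 DN escaping as well, because the username sits inside a DN-valued attribute before that DN goes into the filter. Only the base DN and attribute names from the text are used; the ldapsearch invocation follows OpenLDAP client syntax with an assumed server URL and no authentication options.

```python
"""Build the Oak LDAP lookups from sections 4.2 to 4.4 with proper escaping.

Added example, not Oak's own code. Base DN and attribute names are taken
from the text; the ldapsearch argv is illustrative OpenLDAP syntax.
"""

PEOPLE_BASE = "ou=people,dc=oak,dc=ox,dc=ac,dc=uk"
REALM_SUFFIX = "@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk"

# RFC 4515 filter escaping: left unescaped, these characters would let a
# caller-supplied value change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 DN escaping: the username becomes part of a krbPrincipalName RDN,
# so DN-special characters must be escaped before filter escaping is applied.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def username_filter(username: str) -> str:
    """Section 4.2: look up a person by SSO username via oakPrincipal."""
    principal = "krbPrincipalName=" + escape_dn_value(username) + REALM_SUFFIX
    return "(oakPrincipal=" + escape_filter_value(principal) + ")"


def person_id_filter(person_id: str) -> str:
    """Section 4.3: filter on oakPersonID; never use the oakPrimaryPersonID DN as the base."""
    return "(oakPersonID=" + escape_filter_value(person_id) + ")"


def barcode_filter(barcode: str, includes_check_digit: bool) -> str:
    """Section 4.4: full barcode (with check digit) vs. barcode without it."""
    attr = "oakUniversityBarcodeFull" if includes_check_digit else "oakUniversityBarcode"
    return "(" + attr + "=" + escape_filter_value(barcode) + ")"


def ldapsearch_argv(ldap_url: str, filter_: str, *attrs: str) -> list:
    """OpenLDAP ldapsearch argv for a search under the people tree.

    ldap_url is an assumption; bind/authentication options depend on the
    deployment and are omitted here.
    """
    return ["ldapsearch", "-H", ldap_url, "-b", PEOPLE_BASE, filter_, *attrs]


if __name__ == "__main__":
    # Constructed inputs, including one that would break an unescaped filter.
    print(username_filter("abcd1234"))
    print(username_filter("a*)(b"))
    print(person_id_filter("38463"))
    print(barcode_filter("0123456789", includes_check_digit=True))
    print(" ".join(ldapsearch_argv("ldap://ldap.example.invalid", person_id_filter("38463"), "displayName")))
```

The second constructed username shows why escaping matters: without it, `a*)(b` would close the oakPrincipal assertion and inject a second one into the filter.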

4.5. How to Authorise Based on Membership of the University

To query whether someone is a member of the University, perform an LDAP compare query to compare the eduPersonAffiliation attribute of the person's entry to the string member.

4.6. How to Authorise Based on Membership of a Particular Unit

Often, authorisation decisions will be taken on the basis of membership of a particular unit (college or department).

4.6.1. With a Query About the Person's Entry

Perform an LDAP compare query to compare the eduPersonOrgUnitDN attribute on the person's entry with the known distinguished name of the unit's entry. For example, to see whether person 38463 is a member of OUCS, one would perform an LDAP compare to ask whether the eduPersonOrgUnitDN attribute of oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk has a value of oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk.

4.6.2. With a Query About the Unit's Entry

Equally valid is to perform an LDAP compare query to compare the member attribute on the unit's entry with the known distinguished name of the person's entry. Using the same example as above, one would perform an LDAP compare to ask whether the member attribute of oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk has a value of oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk.

4.7. How to Authorise Based on ITSS Membership

4.7.1. Simple ITSS Status Check

Perform an LDAP compare query to compare the member attribute on the oakGN=ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk entry with the known distinguished name of the person's entry.

4.7.2. Check for ITSS Status at a Particular Unit

Check the oakGN=ITSS,oakUnitCode=<CODE>,ou=units,dc=oak,dc=ox,dc=ac,dc=uk group for the unit of interest.

4.8. Find all the Units for Which a Person is ITSS

Query the person's oakITSSFor attribute.
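Sections 4.5 to 4.8 all reduce to LDAP compare operations (plus one attribute read) against known DNs. The following added example, which is not Oak's own code, works those decisions through against a constructed in-memory directory so the logic can be checked without a server: it covers the membership check of 4.5, both directions of the unit check in 4.6, the central and per-unit ITSS checks of 4.7, and the oakITSSFor read of 4.8, and it includes a person who exists in the directory but is not a member, the situation section 4.1 warns about. The entries and the person ID 99001 are made up; ldap_compare() stands in for a real compare with a simplified DN match (case-insensitive, whitespace around commas ignored); the rule that unit codes are short lowercase tokens is an assumption drawn from the one code the text shows.

```python
"""Authorisation decisions from sections 4.5 to 4.8 against a constructed directory.

Added example, not Oak's own code. DNs and attribute names follow the text;
the entries are made up for illustration.
"""
import re

PEOPLE = "ou=people,dc=oak,dc=ox,dc=ac,dc=uk"
UNITS = "ou=units,dc=oak,dc=ox,dc=ac,dc=uk"
ITSS_CENTRAL = "oakGN=ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk"

PERSON_38463 = f"oakPrimaryPersonID=38463,{PEOPLE}"   # the person from the text
PERSON_99001 = f"oakPrimaryPersonID=99001,{PEOPLE}"   # constructed: present, but not a member
OUCS = f"oakUnitCode=oucs,{UNITS}"

# Constructed sample directory: DN -> {attribute: [values]}
DIRECTORY = {
    PERSON_38463: {
        "eduPersonAffiliation": ["member", "staff"],
        "eduPersonOrgUnitDN": [OUCS],
        "oakITSSFor": [OUCS],
    },
    PERSON_99001: {
        "eduPersonAffiliation": ["affiliate"],   # an entry exists, so section 4.1 applies
        "eduPersonOrgUnitDN": [],
    },
    OUCS: {"member": [PERSON_38463]},
    ITSS_CENTRAL: {"member": [PERSON_38463]},
    f"oakGN=ITSS,{OUCS}": {"member": [PERSON_38463]},
}

# Attributes whose values are DNs and therefore need DN matching rather than string equality.
DN_ATTRS = {"member", "eduPersonOrgUnitDN", "oakITSSFor"}


def _norm_dn(dn: str) -> str:
    """Simplified DN normalisation: case-insensitive, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


_INDEX = {_norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def ldap_compare(dn: str, attr: str, value: str) -> bool:
    """Stand-in for an LDAP compare: True iff entry `dn` holds `value` in `attr`.

    A real server answers noSuchObject for a missing entry; treat that as
    "not authorised" rather than as an error the caller might ignore.
    """
    entry = _INDEX.get(_norm_dn(dn))
    if entry is None:
        return False
    norm = _norm_dn if attr in DN_ATTRS else str.lower
    return norm(value) in {norm(v) for v in entry.get(attr, [])}


def is_university_member(person_dn: str) -> bool:
    """Section 4.5: eduPersonAffiliation contains "member"."""
    return ldap_compare(person_dn, "eduPersonAffiliation", "member")


def is_unit_member_via_person(person_dn: str, unit_dn: str) -> bool:
    """Section 4.6.1: compare eduPersonOrgUnitDN on the person's entry."""
    return ldap_compare(person_dn, "eduPersonOrgUnitDN", unit_dn)


def is_unit_member_via_unit(person_dn: str, unit_dn: str) -> bool:
    """Section 4.6.2: compare member on the unit's entry."""
    return ldap_compare(unit_dn, "member", person_dn)


def is_itss(person_dn: str) -> bool:
    """Section 4.7.1: member of the central ITSS group."""
    return ldap_compare(ITSS_CENTRAL, "member", person_dn)


_UNIT_CODE = re.compile(r"^[a-z0-9]+$")   # assumption: unit codes look like "oucs"


def is_itss_for_unit(person_dn: str, unit_code: str) -> bool:
    """Section 4.7.2: member of the unit's own ITSS group.

    The unit code is interpolated into a DN, so reject anything outside the
    assumed alphabet instead of building a DN from it.
    """
    if not _UNIT_CODE.match(unit_code):
        raise ValueError(f"unexpected unit code: {unit_code!r}")
    return ldap_compare(f"oakGN=ITSS,oakUnitCode={unit_code},{UNITS}", "member", person_dn)


def itss_units(person_dn: str) -> list:
    """Section 4.8: read the person's oakITSSFor attribute."""
    return list(_INDEX.get(_norm_dn(person_dn), {}).get("oakITSSFor", []))


def ldapcompare_argv(ldap_url: str, dn: str, attr: str, value: str) -> list:
    """OpenLDAP ldapcompare argv for the same question (assumed URL; auth options omitted)."""
    return ["ldapcompare", "-H", ldap_url, dn, f"{attr}:{value}"]


if __name__ == "__main__":
    for who in (PERSON_38463, PERSON_99001):
        print(who, "member:", is_university_member(who),
              "OUCS:", is_unit_member_via_person(who, OUCS), is_unit_member_via_unit(who, OUCS),
              "ITSS:", is_itss(who), "ITSS for:", itss_units(who))
    print(" ".join(ldapcompare_argv("ldap://ldap.example.invalid", OUCS, "member", PERSON_38463)))
```

For person 38463 the two unit checks of 4.6.1 and 4.6.2 agree, as the text says they should; for the constructed person 99001 every authorisation question answers no even though the entry exists, which is exactly the distinction section 4.1 draws.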

4.9. How to Display Someone's Name

Some applications need to display a person's name, for example in a welcome message. The correct attribute to use for this is displayName.

4.10. How to Keep Persistent References to a Person in Your Application

You should use the oakPrimaryPersonID and oakPersonID attributes for this (bearing in mind how to look up a person by ID). None of the other unique attributes are guaranteed to be present on every person entry.

You should not treat the oakPrimaryPrincipal as a persistent reference to a person; principal names may be used to store persistent references to particular principals, but this is different from treating oakPrimaryPrincipal as a persistent reference to a person.
