1. Introduction

The Oak LDAP uses standard, widely-used LDAP schemas in conjunction with some Oxford-specific extensions. This document describes the attributes and object classes we are using, and states where in the directory information tree each type of entry is to be found. It also states the per-attribute release policy. Example values of most attributes are given, for illustration.

This document is intended as a reference. For examples of which parts of the schema to use to solve common problems, please see the Recommended Usage section of the main Oak LDAP document.

The most important types of entries are
  • person entries
  • kerberos principal entries
  • organisational unit (colleges, departments, and so on) entries
  • general group entries

1.1. Definition of schema terms

DN
This stands for "Distinguished Name". This is an LDAP (and X.500) term, and is a name for an entry that uniquely identifies it within the directory information tree. The DN of the root of the Oak LDAP tree is dc=oak,dc=ox,dc=ac,dc=uk.
DN reference
Many of the entries in the Oak LDAP tree are related to each other. For example, principals are owned by people, and people are in groups. A common element of the Oak schema design is that relationships between entries are expressed by having some attribute on one entry whose value is the DN of the other entry. This is referred to as a "DN reference" in the schema documentation.

1.2. Definition of release policy terms

Where applicable, this document also states attributes' release policies. These use the following terms:
all service providers
This means all service providers who have registered to become Oak data consumers (registering to become an Oak data consumer is different from the process of requesting creation of webauth principals).
associated service providers
A service provider is associated with a person if either of the following two conditions is met:
  • the service provider is registered as providing a service to a unit of which the person is a member
  • the service provider is registered as a university-wide provider

A service provider is associated with a unit if it's registered as providing a service to that unit, or it's registered as a university-wide provider.

everyone
"Everyone" means every authenticated principal. Anonymous LDAP binds will not be possible.
compare access
This means that the LDAP client is allowed to ask whether a particular attribute on a particular entry has a specific value, which the LDAP client must supply in the query. The LDAP client receives a yes / no answer.
search access
With search access to an attribute, the LDAP client is able to perform an LDAP search where the search filter involves that attribute. If a client has search access to an attribute, they also implicitly have compare access.
read access
This simply means that the LDAP client can read the value of the attribute. Read access also implies search and compare access.
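The vocabulary above (the three audiences and the three nested operation levels) is easy to misread, so here is the same policy written as a small access-decision model. This is an added example and not part of the Oak LDAP documentation or its software; the provider registrations, unit codes and the `PERSON_POLICIES` / `UNIT_POLICIES` tables are constructed from the release-policy bullets for a few attributes in this document, and every class and function name is this example's own.

```python
"""Added example (not from the Oak LDAP documentation): a model of the
release-policy terms. 'everyone' = any authenticated bind, 'all service
providers' = registered Oak data consumers, 'associated service providers'
= registered consumers serving one of the subject's units or registered
university-wide. read implies search, search implies compare."""
from dataclasses import dataclass

# Operation levels ordered so that a higher level implies the lower ones.
LEVELS = {"compare": 1, "search": 2, "read": 3}


@dataclass(frozen=True)
class ServiceProvider:
    name: str
    authenticated: bool = True             # bound with a principal; anonymous binds are not possible
    registered: bool = False               # registered as an Oak data consumer
    university_wide: bool = False          # registered as a university-wide provider
    units_served: frozenset = frozenset()  # oakUnitCode values it is registered to serve


# Constructed from the Release Policy bullets of the named attributes in this
# document. Keys are audiences, values are the highest operation permitted.
PERSON_POLICIES = {
    "cn": {"all": "read"},
    "mail": {"all": "search", "associated": "read"},
    "oakCardExpiry": {"associated": "read"},
    "dateOfBirth": {},  # no general release policy: nothing is granted here
}
UNIT_POLICIES = {
    "cn": {"everyone": "read"},
    "telephoneNumber": {"all": "read"},
}


def is_associated(sp: ServiceProvider, subject_units: frozenset) -> bool:
    """Association per section 1.2. For a person, subject_units holds the
    oakUnitCode of every unit the person is a member of; for a unit entry it
    is the single set {unit_code}. Both definitions reduce to this test."""
    return sp.university_wide or bool(sp.units_served & subject_units)


def granted_level(sp: ServiceProvider, policy: dict,
                  subject_units: frozenset = frozenset()) -> int:
    """Highest operation level the provider holds on an attribute (0 = none)."""
    if not sp.authenticated:
        return 0
    level = 0
    if "everyone" in policy:
        level = max(level, LEVELS[policy["everyone"]])
    if sp.registered and "all" in policy:
        level = max(level, LEVELS[policy["all"]])
    if sp.registered and "associated" in policy and is_associated(sp, subject_units):
        level = max(level, LEVELS[policy["associated"]])
    return level


def may(sp: ServiceProvider, policy: dict, op: str,
        subject_units: frozenset = frozenset()) -> bool:
    """True if op ('compare', 'search' or 'read') is permitted, counting implied levels."""
    return granted_level(sp, policy, subject_units) >= LEVELS[op]


def permitted_operations(sp: ServiceProvider, policy: dict,
                         subject_units: frozenset = frozenset()) -> set:
    """Every operation the provider may perform, including the implied ones."""
    lvl = granted_level(sp, policy, subject_units)
    return {op for op, l in LEVELS.items() if l <= lvl}


if __name__ == "__main__":
    # Constructed sample: a person in units oucs and law, queried by a
    # provider registered for law and one registered for chem only.
    person = frozenset({"oucs", "law"})
    law_app = ServiceProvider("law-app", registered=True, units_served=frozenset({"law"}))
    chem_app = ServiceProvider("chem-app", registered=True, units_served=frozenset({"chem"}))
    print("law-app on mail:", permitted_operations(law_app, PERSON_POLICIES["mail"], person))
    print("chem-app on mail:", permitted_operations(chem_app, PERSON_POLICIES["mail"], person))
```

The practical point the model makes visible: a provider that is not associated with a person still gets search (and therefore compare) on attributes such as `mail`, so it can confirm whether a given address belongs to someone even though it cannot read the address, and an attribute with no general policy yields nothing at all.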

1.3. See Also

  • LDAP schema file for locally-defined schema elements, in OpenLDAP-compatible format.

2. Person Entries at oakPrimaryPersonID=id,ou=people,dc=oak,dc=ox,dc=ac,dc=uk

Person entries have two object classes defined. Oxford-specific data is enabled via the oakPerson structural class. The standard eduPerson auxiliary class is mixed in. Note that oakPerson also inherits from the standard inetOrgPerson, thereby including a further range of standard person attribute types.

There is one entry here for each person represented in Oak.

2.1. Example Entry

dn: oakPrimaryPersonID=1234567890,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
cn: John Doe
dateOfBirth: 197107060000Z
displayName: John Doe
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonOrgDN: dc=ox,dc=ac,dc=uk
eduPersonOrgUnitDN: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
eduPersonOrgUnitDN: oakUnitCode=law,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
eduPersonPrimaryOrgUnitDN: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
givenName: Tom
mail: john.doe@oucs.ox.ac.uk
memberOf: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
o: University of Oxford
oakAlternativeMail: john.doe@oucs.ox.ac.uk
oakAlternativeMail: john.doe@law.ox.ac.uk
oakCardExpiry: 201102020000Z
oakITSSFor: oakGN=ITSS,oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
oakITSSFor: oakGN=ITSS,oakUnitCode=magd,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
oakOSSID: 2823413
oakOxfordSSOUsername: oucs0047
oakOxfordSSOUsername: tom
oakPersonID: 1234567890
oakPersonID: 9876543210
oakPrimaryPersonID: 1234567890
oakPrincipal: krbPrincipalName=oucs0047@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
oakPrincipal: krbPrincipalName=tom@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
oakStatus: staff
oakUniversityBarcode: 1234567
oakUniversityBarcodeCheckCharacter: -
oakUniversityBarcodeFull: 276962801-
oakUniversityCardID: 15021462
objectClass: eduPerson
objectClass: oakPerson
ou: Computing Services
ou: Faculty of Law
sn: Doe

2.2. cn Attribute Type

Common name.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

Please refer to the discussion of cn in the eduPerson specification for further discussion.

2.2.1. Example

cn: John Doe

2.2.2. Release Policy

  • all service providers can perform read operations

2.3. dateOfBirth Attribute Type

Date of birth.

2.3.1. Example

dateOfBirth: 197107060000Z

2.3.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.4
    NAME          'dateOfBirth'
    DESC          'Date of Birth'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    EQUALITY      generalizedTimeMatch
    ORDERING      generalizedTimeOrderingMatch
 )

2.3.3. Release Policy

  • This attribute doesn't have a general release policy defined
  • Access may only be granted to specific applications on a case by case basis

2.4. displayName Attribute Type

Friendly name to be used when displaying entries.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case sensitive.

Please refer to the discussion of displayName in the eduPerson specification for further discussion.

2.4.1. Example

displayName: John Doe

2.4.2. Release Policy

  • all service providers can perform read operations

2.5. eduPersonAffiliation Attribute Type

eduPersonAffiliation is a standard attribute type used by many Universities. Here, it is derived from our local status categories as follows:

OUCS status code / oakStatus value    eduPersonAffiliation values
cardholder                            affiliate
college                               member
dept                                  member
leaver                                none
pgoffer                               none
postgrad                              member, student
ret                                   member
senmem                                member
staff                                 member, staff, employee
ugoffer                               none
undergrad                             member, student
virtual                               affiliate
visitor                               member

Unfortunately, due to limited data, we are not currently able to populate all the values for eduPersonAffiliation that should be there. For example, many people with senmem or college status are also staff, but we don't yet have the data to add the staff value to the eduPersonAffiliation attribute for people where this is the case.

Please refer to the discussion of eduPersonAffiliation in the eduPerson specification for further discussion.

2.5.1. Example

eduPersonAffiliation: member
eduPersonAffiliation: staff

2.5.2. Release Policy

  • all service providers can perform read operations

2.6. eduPersonOrgDN Attribute Type

Please refer to the discussion of eduPersonOrgDN in the eduPerson specification for further discussion.

2.6.1. Example

eduPersonOrgDN: dc=ox,dc=ac,dc=uk

2.6.2. Release Policy

  • all service providers can perform read operations

2.7. eduPersonOrgUnitDN Attribute Type

Please refer to the discussion of eduPersonOrgUnitDN in the eduPerson specification for further discussion.

2.7.1. Example

eduPersonOrgUnitDN: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
eduPersonOrgUnitDN: oakUnitCode=law,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

2.7.2. Release Policy

  • all service providers can perform read operations

2.8. eduPersonPrimaryOrgUnitDN Attribute Type

Please refer to the discussion of eduPersonPrimaryOrgUnitDN in the eduPerson specification for further discussion.

2.8.1. Example

eduPersonPrimaryOrgUnitDN: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

2.8.2. Release Policy

  • all service providers can perform read operations

2.9. givenName Attribute Type

Although we provide good given name data for most people in the directory, in some cases this attribute contains a first name, followed by a space, followed by the initial of a middle name. This defect currently affects around 5% of person records. This is due to a limitation with current data sources, and may be corrected in future.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

Please refer to the discussion of givenName in the eduPerson specification for further discussion.

2.9.1. Example

givenName: Tom

2.9.2. Release Policy

  • all service providers can perform read operations

2.10. mail Attribute Type

This contains the person's preferred mail address. If there is a requirement to contact the person by email, this address should be used. Although the LDAP schema allows multiple values for this attribute, in Oak LDAP it will only ever contain at most a single value for each person. It is not unique. If two people self-register with IT Services with the same mail address, there will be two person records in Oak LDAP with the same mail attribute.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

Please refer to the discussion of mail in the eduPerson specification for further discussion.

2.10.1. Example

mail: john.doe@oucs.ox.ac.uk

2.10.2. Release Policy

  • all service providers can perform search operations
  • associated service providers can perform read operations

2.11. o Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

Please refer to the discussion of o in the eduPerson specification for further discussion.

2.11.1. Example

o: University of Oxford

2.11.2. Release Policy

  • all service providers can perform read operations

2.12. oakAlternativeMail Attribute Type

This multivalued attribute contains all email addresses for the person.

This attribute type's matching rule makes it case insensitive.

2.12.1. Example

oakAlternativeMail: john.doe@oucs.ox.ac.uk
oakAlternativeMail: john.doe@law.ox.ac.uk

2.12.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.10
    NAME          'oakAlternativeMail'
    DESC          'RFC822 Mailbox'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.26{256}
    EQUALITY      caseIgnoreIA5Match
    SUBSTR        caseIgnoreIA5SubstringsMatch
 )

2.12.3. Release Policy

  • all service providers can perform search operations
  • associated service providers can perform read operations

2.13. oakCardExpiry Attribute Type

Date of expiry of the person's University Card.

2.13.1. Example

oakCardExpiry: 201102020000Z

2.13.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.5
    NAME          'oakCardExpiry'
    DESC          'Card Expiry Date'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    EQUALITY      generalizedTimeMatch
    ORDERING      generalizedTimeOrderingMatch
 )

2.13.3. Release Policy

  • associated service providers can perform read operations

2.14. oakITSSFor Attribute Type

DN references to all Unit-scoped ITSS groups to which this person belongs.

Because this attribute type's matching rule is distinguishedNameMatch (its value is a distinguished name), some components of the value may be case sensitive and others case insensitive.

2.14.1. Example

oakITSSFor: oakGN=ITSS,oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
oakITSSFor: oakGN=ITSS,oakUnitCode=magd,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

2.14.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.19
    NAME          'oakITSSFor'
    DESC          'DN of Unit'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.12
    EQUALITY      distinguishedNameMatch
 )

2.14.3. Release Policy

  • all service providers can perform read operations

2.15. oakOSSID Attribute Type

This attribute type's matching rule makes it case sensitive.

2.15.1. Example

oakOSSID: 2823413

2.15.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.29
    NAME          'oakOSSID'
    DESC          'Unique identifier for people with a record in the Oxford Student System.'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
 )

2.15.3. Release Policy

  • all service providers can perform search operations
  • associated service providers can perform read operations

2.16. oakOxfordSSOUsername Attribute Type

This attribute contains the username(s) assigned to a person by IT Services Registration for account provisioning purposes.

This attribute type's matching rule makes it case sensitive.

2.16.1. Example

oakOxfordSSOUsername: oucs0047
oakOxfordSSOUsername: tom

2.16.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.47
    NAME          'oakOxfordSSOUsername'
    DESC          'Username for provisioning as managed by IT Services registration'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
    SUBSTR        caseExactSubstringsMatch
 )

2.16.3. Release Policy

  • all service providers can perform read operations

2.17. oakPersonID Attribute Type

This multivalued attribute holds all of a person's Oak IDs. When looking up a person by their Oak ID, service providers should use this attribute. A person might have more than one value of this attribute, for example, if the University has two records for the same person which they then merge. This attribute is unique in that no two person entries can have the same value of this attribute.

2.17.1. Example

oakPersonID: 1234567890
oakPersonID: 9876543210

2.17.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.25
    NAME          'oakPersonID'
    DESC          'Multivalued person identifier to handle merged records'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
 )

2.17.3. Release Policy

  • all service providers can perform read operations

2.18. oakPrimaryPersonID Attribute Type

This is an identifier for a person within Oak. It's used as the LDAP naming attribute on person entries. By design this avoids encoding any personal information in the distinguished name of a person's entry. Service providers who wish to look up a person by their Oak ID should not use this attribute; they should use the multivalued oakPersonID instead. This attribute is unique in that no two person entries can have the same value of this attribute.

2.18.1. Example

oakPrimaryPersonID: 1234567890

2.18.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.24
    NAME          'oakPrimaryPersonID'
    DESC          'Unique person identifier'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
 )

2.18.3. Release Policy

  • all service providers can perform read operations

2.19. oakPrincipal Attribute Type

This multivalued attribute contains DN references to all the Kerberos principals owned by this person. The presence of this attribute allows Service Providers to look up a person entry based on the principal name of a user who has authenticated to them via Oxford's single-sign-on system. Searches using this attribute are expected to be the predominant method by which person entries are looked up. This attribute is unique in that no two person entries can have the same value of this attribute.

Because this attribute type's matching rule is distinguishedNameMatch (its value is a distinguished name), some components of the value may be case sensitive and others case insensitive.
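Since this lookup is the predominant way a service provider maps an authenticated SSO user to a person entry, the filter that performs it is built from a value that arrives from outside the application. The following is an added example, not code from the Oak LDAP documentation or its software, showing how to assemble that filter without LDAP filter injection: the principal name is escaped once as an RDN value when the principal entry's DN is formed (RFC 4514) and once more as an assertion value when that DN is placed in the search filter (RFC 4515). The helper names, the `REALM_BASE` constant (taken from the DN layout shown in this section) and the realm check are this example's own.

```python
"""Added example (not from the Oak LDAP documentation): building the
oakPrincipal lookup filter safely from an externally supplied principal name."""

# Parent of principal entries, as shown in the example values of this section.
REALM_BASE = "cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk"


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN (RFC 4514 2.4):
    backslash, '"', '+', ',', ';', '<', '>' anywhere; ' ' or '#' at the start;
    ' ' at the end; NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\"+,;<>':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter
    (RFC 4515 section 3): '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def principal_dn(principal: str) -> str:
    """DN of the principal entry for a full principal name such as user@OX.AC.UK."""
    return "krbPrincipalName=%s,%s" % (escape_rdn_value(principal), REALM_BASE)


def person_lookup_filter(principal: str, realm: str = "OX.AC.UK") -> str:
    """Search filter that finds the person entry owning the given principal.
    Principals outside the expected realm, or with more than one '@', are
    rejected before any filter is built rather than searched for."""
    if principal.count("@") != 1 or not principal.endswith("@" + realm):
        raise ValueError("principal must be a single-component name in realm " + realm)
    return "(oakPrincipal=%s)" % escape_filter_value(principal_dn(principal))


if __name__ == "__main__":
    print(person_lookup_filter("oucs0047@OX.AC.UK"))
    # Constructed malformed input: the filter metacharacters come out escaped,
    # so the resulting filter still has exactly one assertion.
    print(person_lookup_filter("x*)(objectClass=*@OX.AC.UK"))
```

Search with `oakPrincipal` is case-handled by the server's distinguishedNameMatch, so the client should not try to normalise case itself; the only client-side work is the escaping above and the realm check, which also keeps a principal from another realm from ever reaching the directory.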

2.19.1. Example

oakPrincipal: krbPrincipalName=oucs0047@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
oakPrincipal: krbPrincipalName=tom@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk

2.19.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.2
    NAME          'oakPrincipal'
    DESC          'DN of principal entry owned by this person'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.12
    EQUALITY      distinguishedNameMatch
 )

2.19.3. Release Policy

  • all service providers can perform read operations

2.20. oakStatus Attribute Type

This is the status as recorded on the person's University Card. See Registration's explanatory page for details.

This attribute type's matching rule makes it case insensitive.

2.20.1. Example

oakStatus: staff

2.20.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.6
    NAME          'oakStatus'
    DESC          'Status'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseIgnoreMatch
    SUBSTR        caseIgnoreSubstringsMatch
 )

2.20.3. Release Policy

  • all service providers can perform read operations

2.21. oakUniversityBarcode Attribute Type

Barcode number on the person's University Card. Note that this doesn't include the checksum character. This attribute is unique in that no two person entries can have the same value of this attribute.

2.21.1. Example

oakUniversityBarcode: 1234567

2.21.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.7
    NAME          'oakUniversityBarcode'
    DESC          'University Barcode'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE
    EQUALITY      integerMatch
 )

2.21.3. Release Policy

  • all service providers can perform search operations
  • associated service providers can perform read operations

2.22. oakUniversityBarcodeCheckCharacter Attribute Type

Checksum character of the barcode on the person's University Card.

2.22.1. Example

oakUniversityBarcodeCheckCharacter: -

2.22.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.8
    NAME          'oakUniversityBarcodeCheckCharacter'
    DESC          'University Barcode Check Character'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.26{1}
    SINGLE-VALUE
    EQUALITY      caseIgnoreIA5Match
 )

2.22.3. Release Policy

  • associated service providers can perform read operations

2.23. oakUniversityBarcodeFull Attribute Type

Full barcode number on the person's University Card, including checksum character. This attribute is unique in that no two person entries can have the same value of this attribute.

2.23.1. Example

oakUniversityBarcodeFull: 276962801-

2.23.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.9
    NAME          'oakUniversityBarcodeFull'
    DESC          'University Barcode Including Check Character'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE
    EQUALITY      caseIgnoreIA5Match
 )

2.23.3. Release Policy

  • all service providers can perform search operations
  • associated service providers can perform read operations

2.24. oakUniversityCardID Attribute Type

This attribute type's matching rule makes it case sensitive.

2.24.1. Example

oakUniversityCardID: 15021462

2.24.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.34
    NAME          'oakUniversityCardID'
    DESC          'Unique identifier from the University Card database.'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
 )

2.24.3. Release Policy

  • all service providers can perform search operations
  • associated service providers can perform read operations

2.25. objectClass Attribute Type

Core LDAP attribute to state the type of the entry. All person entries have oakPerson and eduPerson set. Entries for people with additional attributes from Student Systems will also have oakOSSPerson set.

This standard attribute type is defined in the following places:

This attribute type's matching rule (see also RFC 4512 section 1.4) makes it case insensitive.

2.25.1. Example

objectClass: eduPerson
objectClass: oakPerson

2.25.2. Release Policy

  • all service providers can perform read operations

2.26. ou Attribute Type

Organisation unit with which this person is associated. Same data as eduPersonOrgUnitDN, but in a different format.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

Please refer to the discussion of ou in the eduPerson specification for further discussion.

2.26.1. Example

ou: Computing Services
ou: Faculty of Law

2.26.2. Release Policy

  • all service providers can perform read operations

2.27. sn Attribute Type

Surname.

This standard attribute type is defined in the following places:

Please refer to the discussion of sn in the eduPerson specification for further discussion.

2.27.1. Example

sn: Doe

2.27.2. Release Policy

  • all service providers can perform read operations

3. Unit Entries at oakUnitCode=code,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

Entries here represent organisational units. Many of these are organisational units of the University of Oxford, such as departments and colleges.

3.1. Example Entry

dn: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
cn: Computing Services
displayName: Computing Services
facsimileTelephoneNumber: +44 1865 273275
member: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=6075,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=21139,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=6423,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
oakDivision: acserv
oakSuperUnit: it
oakUnitCode: oucs
oakUnitStatus: department
oakUnitURI: http://www.oucs.ox.ac.uk/
objectClass: oakOrganizationalUnit
ou: Computing Services
postalAddress: 13 Banbury Road, Oxford, OX2 6NN
telephoneNumber: +44 1865 273200

3.2. cn Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

3.2.1. Example

cn: Computing Services

3.2.2. Release Policy

  • everyone can perform read operations

3.3. displayName Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case sensitive.

3.3.1. Example

displayName: Computing Services

3.3.2. Release Policy

  • everyone can perform read operations

3.4. facsimileTelephoneNumber Attribute Type

This standard attribute type is defined in the following places:

3.4.1. Example

facsimileTelephoneNumber: +44 1865 273275

3.4.2. Release Policy

  • all service providers can perform read operations

3.5. member Attribute Type

This standard attribute type is defined in the following places:

Because this attribute type's matching rule is distinguishedNameMatch (its value is a distinguished name), some components of the value may be case sensitive and others case insensitive.

3.5.1. Example

member: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=6075,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=21139,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=6423,ou=people,dc=oak,dc=ox,dc=ac,dc=uk

3.5.2. Release Policy

  • all service providers can perform read operations

3.6. oakDivision Attribute Type

This attribute type's matching rule makes it case insensitive.

3.6.1. Example

oakDivision: acserv

3.6.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.17
    NAME          'oakDivision'
    DESC          'Oxford Division'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    EQUALITY      caseIgnoreMatch
    SUBSTR        caseIgnoreSubstringsMatch
 )

3.6.3. Release Policy

  • everyone can perform read operations

3.7. oakSuperUnit Attribute Type

This attribute type's matching rule makes it case insensitive.

3.7.1. Example

oakSuperUnit: it

3.7.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.16
    NAME          'oakSuperUnit'
    DESC          'Oxford Super Unit'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    EQUALITY      caseIgnoreMatch
    SUBSTR        caseIgnoreSubstringsMatch
 )

3.7.3. Release Policy

  • everyone can perform read operations

3.8. oakUnitCode Attribute Type

This attribute type's matching rule makes it case sensitive.

3.8.1. Example

oakUnitCode: oucs

3.8.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.23
    NAME          'oakUnitCode'
    DESC          'Unit Code'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
 )

3.8.3. Release Policy

  • everyone can perform read operations

3.9. oakUnitStatus Attribute Type

Status of the Unit. The possible values, with their meanings, are:

college
the unit is a college of the collegiate University of Oxford
department
the unit is a department of the University of Oxford

If this attribute is not present, nothing from the above list is being asserted by Oak LDAP. New possible values may be added for this attribute in future.

3.9.1. Example

oakUnitStatus: department

3.9.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.51
    NAME          'oakUnitStatus'
    DESC          'Unit Status'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseIgnoreMatch
    SUBSTR        caseIgnoreSubstringsMatch
 )

3.9.3. Release Policy

  • everyone can perform read operations

3.10. oakUnitURI Attribute Type

This attribute type's matching rule makes it case sensitive.

3.10.1. Example

oakUnitURI: http://www.oucs.ox.ac.uk/

3.10.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.18
    NAME          'oakUnitURI'
    DESC          'Uniform Resource Identifier'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY      caseExactMatch
 )

3.10.3. Release Policy

  • everyone can perform read operations

3.11. objectClass Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule (see also RFC 4512 section 1.4) makes it case insensitive.

3.11.1. Example

objectClass: oakOrganizationalUnit

3.11.2. Release Policy

  • everyone can perform read operations

3.12. ou Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

3.12.1. Example

ou: Computing Services

3.12.2. Release Policy

  • everyone can perform read operations

3.13. postalAddress Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case insensitive.

3.13.1. Example

postalAddress: 13 Banbury Road, Oxford, OX2 6NN

3.13.2. Release Policy

  • all service providers can perform read operations

3.14. telephoneNumber Attribute Type

This standard attribute type is defined in the following places:

3.14.1. Example

telephoneNumber: +44 1865 273200

3.14.2. Release Policy

  • all service providers can perform read operations

4. Principal Entries at krbPrincipalName=princname,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk

4.1. Example Entry

dn: krbPrincipalName=oucs0047@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
displayName: oucs0047
krbPrincipalName: oucs0047@OX.AC.UK
oakPerson: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
objectClass: krbPrincipalAux
objectClass: oakPrincipal

4.2. displayName Attribute Type

This is the part of the principal name before the realm. This used to be called the Oxford Username.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case sensitive.

4.2.1. Example

displayName: oucs0047

4.2.2. Release Policy

4.3. krbPrincipalName Attribute Type

The full name of the principal, including the realm.

4.3.1. Example

krbPrincipalName: oucs0047@OX.AC.UK

4.3.2. Release Policy

4.4. oakPerson Attribute Type

DN reference to the Oak LDAP entry of the person who owns this principal.

4.4.1. Example

oakPerson: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
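The DN references described in section 1.1 come in pairs: oakPrincipal on the person (section 2.19) should be answered by oakPerson on the principal, and memberOf on the person by member on the unit (section 3.5). A consumer that caches or mirrors Oak data will want to check that the pairs agree. The following is an added example, not part of the Oak LDAP documentation or its software: a minimal LDIF reader plus a referential-integrity check over those pairs. The LDIF is constructed sample data that reuses the document's DN layout with invented identifiers and includes one deliberately dangling reference so the check has something to report; `parse_ldif`, `norm_dn` and `check_references` are names chosen for this example.

```python
"""Added example (not from the Oak LDAP documentation): check that the
person <-> principal and person <-> unit DN references in an LDIF export
point both ways."""
from collections import defaultdict

# Constructed sample export. The second oakPrincipal on the person has no
# matching principal entry, which the check below reports.
SAMPLE_LDIF = """\
dn: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
objectClass: oakPerson
objectClass: eduPerson
oakPrimaryPersonID: 38463
memberOf: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
oakPrincipal: krbPrincipalName=oucs0047@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
oakPrincipal: krbPrincipalName=tom@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk

dn: oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
objectClass: oakOrganizationalUnit
oakUnitCode: oucs
member: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk

dn: krbPrincipalName=oucs0047@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
objectClass: krbPrincipalAux
objectClass: oakPrincipal
krbPrincipalName: oucs0047@OX.AC.UK
oakPerson: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
"""


def norm_dn(dn: str) -> str:
    """Approximation of distinguishedNameMatch good enough for these DNs:
    case-fold and drop whitespace around the comma separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines start with one space. Base64 ('::') and URL
    ('<') values are not handled; they do not occur in this sample.
    Returns {normalised dn: {lower-cased attr: [values]}}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[norm_dn(value)] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def _targets(entry: dict, attr: str) -> set:
    return {norm_dn(v) for v in entry.get(attr, [])}


def check_references(entries: dict) -> list:
    """Return one finding per broken or one-way reference; [] means consistent."""
    findings = []
    for dn, e in entries.items():
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "oakperson" in classes:
            for pdn in e.get("oakprincipal", []):
                target = entries.get(norm_dn(pdn))
                if target is None:
                    findings.append("%s: oakPrincipal %s does not exist" % (dn, pdn))
                elif dn not in _targets(target, "oakperson"):
                    findings.append("%s: principal %s is not owned by this person" % (dn, pdn))
            for udn in e.get("memberof", []):
                unit = entries.get(norm_dn(udn))
                if unit is None:
                    findings.append("%s: memberOf %s does not exist" % (dn, udn))
                elif dn not in _targets(unit, "member"):
                    findings.append("%s: memberOf %s is not mirrored by member" % (dn, udn))
        if "oakprincipal" in classes:
            for person_dn in e.get("oakperson", []):
                owner = entries.get(norm_dn(person_dn))
                if owner is None or dn not in _targets(owner, "oakprincipal"):
                    findings.append("%s: oakPerson %s does not list this principal" % (dn, person_dn))
    return findings


if __name__ == "__main__":
    for finding in check_references(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Because oakPrincipal is documented as unique across person entries, a consumer can extend the same pass to flag any principal DN that appears on more than one person; that condition would mean two person records claim the same SSO identity.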

4.4.2. OpenLDAP-Compatible Attribute Type Declaration

This is a locally-defined attribute type. Its definition from the schema follows, in an OpenLDAP-Compatible format.

attributeType ( 1.3.6.1.4.1.11023.1.1.7.2.1.12
    NAME          'oakPerson'
    DESC          'DN of person who owns this principal'
    SYNTAX        1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE
    EQUALITY      distinguishedNameMatch
 )

4.4.3. Release Policy

4.5. objectClass Attribute Type

This standard attribute type is defined in the following places:

This attribute type's matching rule (see also RFC 4512 section 1.4) makes it case insensitive.

4.5.1. Example

objectClass: krbPrincipalAux
objectClass: oakPrincipal

4.5.2. Release Policy

5. Group Entries

A group represents any grouping of people. The exact meaning of a group depends on its position in the DIT.

5.1. displayName Attribute Type

A name for the group that an application can display when referring to the group.

This standard attribute type is defined in the following places:

This attribute type's matching rule makes it case sensitive.

5.1.1. Example

displayName: Primary ITSS

5.2. member Attribute Type

This multi-valued attribute holds DN references to all members of the group.

This standard attribute type is defined in the following places:

Because this attribute type's matching rule is distinguishedNameMatch (its value is a distinguished name), some components of the value may be case sensitive and others case insensitive.

5.2.1. Example

member: oakPrimaryPersonID=6075,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=6423,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
member: oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk

6. Group Entry at oakGN=ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk

This group contains all registered ITSS staff from across the University.

7. Group Entry at oakGN=Primary ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk

This group contains all registered Primary ITSS staff from across the University.

8. Change Log

Date        Description of Changes
2010-07-16  Add oakUnitStatus attribute and some discussion about organisational units.