UW Groups Directory Service

Summary

The UW Groups Directory Service provides high-availability access to a consistent source of group-related data, including UW Groups data as well as UW Course group data.

LDAP Server Description

The Groups Directory's LDAP service is described in the following table:

Client Technologies

Any LDAP client that supports one of the required authentication methods can be used to retrieve data from the Groups Directory.
See also: LDAP Client Guidelines.

Access & Registration

As an institutional resource, the UW Groups Directory is subject to UW policies regarding information access, use, and protection. Access to the Groups Directory is provided to UW applications in support of business and academic functions, not directly to end-users. Registration of client applications is required. A request for access must include information about the client application to ensure that access policies are appropriately applied. Access to UW Course enrollment data requires an additional approval from the Office of Student Academic Data Management.

For client authentication, the Groups Directory uses SSL client certificates issued by the UW Services CA. At run time, access is controlled based on the DNS name in the client certificate. A client application will need to have a UW-issued certificate (and corresponding private key) available to it. The DNS name in this certificate is included in the registration request.

In many simple cases, a registration can be done (and a certificate obtained) using the DNS name of the host system on which the application is running. In cases where the host system is supporting many applications, or applications are managed separately from the host system, it is preferable to use a DNS name that represents the application itself. In particular, if a client application is running on a replicated cluster, registration should be done once using the DNS name of the application rather than separately for each cluster host system (the certificate and private key can be copied to each of the cluster members). See Managing DNS Names For Infrastructure Services Access.

UW Course Data

The ou=Courses container includes a subcontainer for entries representing each UW Course offering for the current quarter. Note the format of the subcontainer is ou=QQQYYYY, corresponding with the current quarter and year.

dn: serialNumber=regid,ou=QQQYYYY,ou=Courses,dc=washington,dc=edu
objectClass: uwCourseOffering
objectClass: uwEntity
serialNumber: regid
uwRegID: regid
year: Year (e.g. "2007")
quarter: Quarter ("WIN", "SPR", "SUM" or "AUT")
curric: Curriculum Code (e.g. "CSE")
crsNo: Course Number (e.g. "142")
sln: Course Section Schedule Line Number (e.g. "11973")
sectID: Course Section ID (e.g. "A", "AA", "AB")
displayName: Course Title (e.g. "COMPUTER PRGRMNG I")
student: uwNetID=netid
student: uwNetID=netid
student: uwNetID=netid
student: uwNetID=netid
instructor: uwNetID=netid
instructor: uwNetID=netid

Note: A course entry may have multiple instructors. Teaching assistants are represented as instructors according to the instructor data in the SDB.

Note: Students without UW NetIDs are not listed in the course memberships.

Note: Additional student attributes are added to an entry's memberships to represent prior UW NetIDs and additional UW NetIDs that a person can authenticate with via UW Kerberos. These additions are quite rare.

Note: Course entry memberships are reconciled nightly from SDB. Updated memberships are available around 4:30am.

Note: Course entry memberships are maintained in accordance with the Registrar's Office practices for adding and dropping students: namely, additions after the third week of a quarter and drops after the end of a quarter, while being exceptional and rare, will be apparent in the memberships.

Note: Access to UW Course enrollment data requires approval from the Office of Student Academic Data Management. (See Access & Registration above.)

Note: The UW Time Schedule can be used as a cross reference for course entry attributes.

UW Groups Data

A successful search of the ou=Groups container by group name (cn) returns an entry such as this:

dn: serialNumber=regid,ou=groups,dc=washington,dc=edu
objectClass: uwDepartmentGroup
serialNumber: regid
uwRegID: regid
cn: group name
description: group description
owner: uwNetID=uwnetid
member: uwNetID=uwnetid
member: uwNetID=uwnetid
member: uwNetID=uwnetid
memberGroup: cn=group cn

Note: A group may have multiple owners.

Note: A group may contain one or more subgroups (i.e. groups can be nested). Subgroups are identified by the memberGroup attribute. Clients that don't already know that a group is flat (i.e. contains no subgroups) should search the group's immediate membership and all subgroup memberships, recursively, to determine membership of a given individual in the group.
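
The recursive membership check described in the last note, written out as an added example (it is not UW's client code). It assumes a hypothetical `fetch(cn)` callable standing in for the LDAP search of ou=Groups by cn; the function names, the `max_groups` limit, the case-insensitive whole-value comparison, and the sample groups and NetIDs are all constructed for illustration.

```python
from typing import Callable, Dict, List, Optional

# Attribute name -> values, shaped like the ou=Groups entry on this page.
Entry = Dict[str, List[str]]

# Constructed sample data: group names and NetIDs are made up.
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    "u_example_staff": {"member": ["uwNetID=alice"],
                        "memberGroup": ["cn=u_example_admins", "cn=u_example_interns"]},
    # Nests its own parent, so the group graph contains a cycle.
    "u_example_admins": {"member": ["uwNetID=bob"],
                         "memberGroup": ["cn=u_example_staff"]},
    # References a subgroup that does not exist (dangling reference).
    "u_example_interns": {"member": ["uwNetID=carol"],
                          "memberGroup": ["cn=u_example_gone"]},
}

def sample_fetch(cn: str) -> Optional[Entry]:
    """Hypothetical stand-in for an LDAP search of ou=Groups by cn."""
    return SAMPLE_DIRECTORY.get(cn)

def is_member(netid: str, group_cn: str,
              fetch: Callable[[str], Optional[Entry]] = sample_fetch,
              max_groups: int = 100) -> bool:
    """True if netid is in group_cn directly or through any nested subgroup."""
    # Assumption: values are compared whole and case-insensitively.
    wanted = f"uwnetid={netid}".lower()
    seen = set()            # groups already expanded; breaks cycles
    pending = [group_cn]    # groups still to expand
    while pending:
        cn = pending.pop()
        if cn.lower() in seen:
            continue
        seen.add(cn.lower())
        if len(seen) > max_groups:
            # Fail closed instead of walking an unbounded nesting graph.
            raise RuntimeError("subgroup expansion exceeded max_groups")
        entry = fetch(cn)
        if entry is None:
            continue        # a missing subgroup grants nothing
        if any(m.strip().lower() == wanted for m in entry.get("member", [])):
            return True
        for ref in entry.get("memberGroup", []):
            name, _, value = ref.partition("=")
            if name.strip().lower() == "cn" and value.strip():
                pending.append(value.strip())
    return False
```

The `seen` set is what keeps a group that nests its own ancestor from looping forever, and comparing the whole `uwNetID=...` value (not a prefix or substring) keeps one NetID from matching another that merely starts the same way.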