
Directory Services

UW Person Directory Service

Summary

The UW Person Directory Service provides standard, read-only LDAP access to a person's online UW identification, affiliations, and contact information.

Overview

The Person Directory contains person data obtained from institutional sources such as the Person Registry, HEPPS, SDB and Advance databases. Basic identification and affiliation data is available for all UW members and affiliates. Additional data is available for UW employees, students, and alumni. Data is searchable by official UW identifiers. Access requires registration and is restricted to authorized applications.

LDAP Server Description

The Person Directory is described in the following table:

Name: UW Person Directory Service
Hosts: eds.u.washington.edu (for production use)
Ports:
  • 389 (standard LDAP port)
  • 636 (LDAP over SSL port)
Protocol: LDAPv3
Bind: All binds require authentication. See: LDAP Authentication Methods
Base: dc=washington,dc=edu
Data: ou=People,dc=personregistry
Updates: All data is updated at least nightly
Timeouts: 10 minute idle timeout
Search: Results constrained to 500 matches
Search Keys: Search by common UW identifiers, e.g.
  • UW NetID, UW RegistryID, UID
  • Student System Key, Student ID Number
  • Employee ID
  • Advance ID Number
Attributes:
  • Person Attribute Sets (below)
  • Person Directory Attribute Reference
Schema:
  • UW Person Directory Schema (200807)
  • Person Directory Example Entry

LDAP Client Technologies

Any LDAP client that supports one of the required authentication methods can be used to retrieve data from the Person Directory.

See also: LDAP Client Guidelines.

Access

As an institutional resource the Person Directory is subject to UW policies regarding information access, use, and protection. Access to the Person Directory is provided to UW applications in support of business and academic functions, not directly to end-users. Registration of client applications is required. A request for access must include information about the client application to ensure that access policies are appropriately applied. This includes:

  • The application's function and its responsible parties.
  • The application's required attributes. As described below, attributes are organized into sets to simplify access management.
  • Provisions in the application to ensure that sensitive data is handled appropriately.

In addition, other information (such as client software type) is requested so our support team can better assist directory customers.

For client authentication the Person Directory uses SSL client certificates issued by the UW Services CA. At run time, access is controlled based on the DNS name in the client certificate. A client application will need to have a UW-issued certificate (and corresponding private key) available to it. The DNS name in this certificate is included in the registration request.

In many simple cases, a registration can be done (and a certificate obtained) using the DNS name of the host system on which the application is running. In cases where the host system is supporting many applications, or applications are managed separately from the host system, it is preferable to use a DNS name that represents the application itself. In particular, if a client application is running on a replicated cluster, registration should be done once using the DNS name of the application rather than separately for each cluster host system (the certificate and private key can be copied to each of the cluster members). See Managing DNS Names For Infrastructure Services Access.

Person Attribute Sets

Attribute sets are defined based on data source and sensitivity. Refer to the Person Directory Attribute Reference for a short description of individual attributes.

Each attribute set is listed with its attribute classes (attribute names):
Basic
  • Entry metadata (distinguishedName, objectClass, etc.)
  • RegistryID (uwRegID, serialNumber, uwPriorRegID)
  • UW NetID (uwNetID, uwPriorNetID)
  • Test (uwTest)
  • Name (sn, cn, uwPersonRegisteredName, uwPersonRegisteredSurname, uwPersonRegisteredFirstMiddle, displayName)
  • Affiliation (eduPersonAffiliation)
  • Basic Directory Listing Preference (uwWPPublish)
  • Unix User Identifier (UID) (uidNumber)
Student
  • Student ID Number (uwStudentID)
  • Student System Key (uwStudentSystemKey)
  • Student Name (uwSWPName)
  • Student Contact Data (uwSWPPhone, uwSWPEmail)
  • Student Directory Listing Preference (uwSWPPublish)
  • Student Class Code (uwSWPClass)
  • Student Departments (uwSWPDept1-3)
Employee
  • Employee ID (uwEmployeeID)
  • Employee Appointment Data (uwEmployeeHomeDepartment, uwEmployeeMailStop)
  • Employee Name (uwEWPName)
  • Employee Directory Listing Preference (uwEWPPublish)
  • Employee Campus Contact Data (uwEWPPhone1-2, uwEWPEmail1-2, uwEWPDept1-2, uwEWPTitle1-2, uwEWPAddr1-2, uwEWPName, uwEWPVoicemail, uwEWPTouchDial, uwEWPFacsimile)
Note: Employee Contact Data Limitations describes the source and quality of these attributes.
Alumni
  • Advance ID Number (uwDevelopmentID)
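
The following is an added example, not code from UW or this page: a client-side helper that builds an identifier lookup requesting only attributes from the sets an application registered for, with the search value escaped per RFC 4515 so user input cannot change the filter. The function names, the equality-filter form, and the omission of numbered attributes (such as uwSWPDept1-3) are assumptions; the directory itself still enforces access based on the client certificate.

```python
# Added example, not UW code. Attribute names are copied from the attribute-set
# list above (numbered attributes omitted); function names are assumptions.
ATTRIBUTE_SETS = {
    "Basic": ["uwRegID", "serialNumber", "uwPriorRegID", "uwNetID", "uwPriorNetID",
              "uwTest", "sn", "cn", "uwPersonRegisteredName",
              "uwPersonRegisteredSurname", "uwPersonRegisteredFirstMiddle",
              "displayName", "eduPersonAffiliation", "uwWPPublish", "uidNumber"],
    "Student": ["uwStudentID", "uwStudentSystemKey", "uwSWPName", "uwSWPPhone",
                "uwSWPEmail", "uwSWPPublish", "uwSWPClass"],
    "Employee": ["uwEmployeeID", "uwEmployeeHomeDepartment", "uwEmployeeMailStop",
                 "uwEWPName", "uwEWPPublish", "uwEWPVoicemail", "uwEWPTouchDial",
                 "uwEWPFacsimile"],
    "Alumni": ["uwDevelopmentID"],
}
# Attributes behind the official identifiers the page lists as search keys.
SEARCH_KEYS = {"uwNetID", "uwRegID", "uidNumber", "uwStudentSystemKey",
               "uwStudentID", "uwEmployeeID", "uwDevelopmentID"}
SEARCH_BASE = "dc=washington,dc=edu"  # base from the server description
MAX_MATCHES = 500                     # server constrains results to 500 matches

# RFC 4515 escapes for characters that carry meaning inside a filter.
_ESCAPES = str.maketrans({"\\": r"\5c", "*": r"\2a", "(": r"\28",
                          ")": r"\29", "\x00": r"\00"})


def escape_filter_value(value):
    """Return value with LDAP filter metacharacters escaped."""
    return value.translate(_ESCAPES)


def build_search(key_attr, value, registered_sets):
    """Build search parameters limited to the application's registered sets."""
    if key_attr not in SEARCH_KEYS:
        raise ValueError("not a supported search key: %r" % key_attr)
    if not value:
        raise ValueError("empty search value")
    attributes = []
    for name in registered_sets:
        if name not in ATTRIBUTE_SETS:
            raise ValueError("unknown attribute set: %r" % name)
        attributes.extend(ATTRIBUTE_SETS[name])
    return {"base": SEARCH_BASE,
            "filter": "(%s=%s)" % (key_attr, escape_filter_value(value)),
            "attributes": attributes,
            "size_limit": MAX_MATCHES}
```

The returned values map onto the base, filter, attribute list and size limit arguments that LDAP client libraries accept for a search.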

Contact Us

We welcome questions and discussion concerning the Person Directory and the nature of its data. Discussion helps clarify the ways the directory can be used and also helps define directions for future development. Please contact us at iam-support@washington.edu.