IAM in Service Catalog
The UW Groups Directory Service provides high-availability LDAP access to group data in the Groups Service including institutional groups.
The Groups Directory's LDAP service is described in the following table:
Service: UW Groups Directory Service
Port: 389 (standard LDAP port)
Authentication: All binds require authentication.
Containers: ou=Courses, updated nightly from SDB
            ou=Groups, updated variously
Any LDAP client that supports one of the required authentication methods can be used to retrieve data from the Groups Directory.
See also: LDAP Client Guidelines.
As an institutional resource the UW Groups Directory is subject to UW policies regarding information access, use, and protection. Access to the Groups Directory is provided to UW applications in support of business and academic functions, not directly to end-users. Registration of client applications is required. A request for access must include information about the client application to ensure that access policies are appropriately applied. Access to UW Course enrollment data requires an additional approval from the Office of Student Academic Data Management.
For client authentication the Groups Directory uses SSL client certificates issued by the UW Services CA. At run time, access is controlled based on the DNS name in the client certificate. A client application will need to have a UW-issued certificate (and corresponding private key) available to it. The DNS name in this certificate is included in the registration request.
In many simple cases a registration can be done (and a certificate obtained) using the DNS name of the host system on which the application is running. Where the host system supports many applications, or applications are managed separately from the host system, it is preferable to use a DNS name that represents the application itself. In particular, if a client application runs on a replicated cluster, registration should be done once using the DNS name of the application rather than separately for each cluster host; the certificate and private key can then be copied to each cluster member. See Managing DNS Names For Infrastructure Services Access.
The ou=Courses container includes a subcontainer holding an entry for each UW Course offering of the current quarter.
Note the format of the subcontainer name is ou=QQQYYYY, where QQQ is the quarter code and YYYY the four-digit year of the current quarter (e.g. ou=AUT2007).
Each course entry carries the following attributes:
year: Year (e.g. "2007")
quarter: Quarter ("WIN", "SPR", "SUM" or "AUT")
curric: Curriculum Code (e.g. "CSE")
crsNo: Course Number (e.g. "142")
sln: Course Section Schedule Line Number (e.g. "11973")
sectID: Course Section ID (e.g "A", "AA", "AB")
displayName: Course Title (e.g. "COMPUTER PRGRMNG I")
Note: A course entry may have multiple instructors. Teaching assistants are represented as instructors according to the instructor data in the SDB.
Note: Students without UW NetIDs are not listed in the course memberships.
Note: Additional student attributes are added to an entry's memberships to represent prior UW NetIDs and additional UW NetIDs that a person can authenticate with via UW Kerberos. These additions are quite rare.
Note: Course entry memberships are reconciled nightly from SDB. Updated memberships are available around 4:30am.
Note: Course entry memberships are maintained in accordance with the Registrar's Office practices for adding and dropping students: namely, additions after the third week of a quarter and drops after the end of a quarter, while being exceptional and rare, will be apparent in the memberships.
Note: Access to UW Course enrollment data requires approval from the Office of Student Academic Data Management (see Access & Registration above).
Note: The UW Time Schedule can be used as cross reference for course entry attributes.
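The following is an added example, not code from the UW Groups Directory documentation. It shows how a client should assemble an ou=Courses search: build the ou=QQQYYYY container name from a validated quarter code and year, and escape every user-supplied value (curric, crsNo, sectID) per RFC 4515 before it goes into the search filter, so that input such as "142)(sln=*" cannot widen the query into an LDAP injection. The base DN passed in is an assumption (the page does not state the directory's suffix); the example uses a constructed one.

```python
"""Course-container and search-filter construction for the ou=Courses
subtree.  Added example, not UW code.  The base DN is an assumption:
the page does not give the directory suffix, so the caller supplies it."""

QUARTERS = ("WIN", "SPR", "SUM", "AUT")

# RFC 4515 escaping for values inside a search filter.  Any other
# character is passed through unchanged.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally by the server."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def course_container(quarter: str, year: int, courses_base: str) -> str:
    """Return the ou=QQQYYYY container DN, e.g. ou=AUT2007,<courses_base>.

    The quarter code is validated against the four codes the directory
    uses rather than interpolated blindly, so a bad value fails here
    instead of producing a search against a non-existent container."""
    code = quarter.upper()
    if code not in QUARTERS:
        raise ValueError(f"unknown quarter code: {quarter!r}")
    if not 1900 <= year <= 2999:
        raise ValueError(f"implausible year: {year!r}")
    return f"ou={code}{year},{courses_base}"


def course_section_filter(curric: str, crs_no: str, sect_id: str) -> str:
    """Filter selecting one section, with every value escaped."""
    return "(&(curric=%s)(crsNo=%s)(sectID=%s))" % (
        escape_filter_value(curric),
        escape_filter_value(crs_no),
        escape_filter_value(sect_id),
    )


def course_sln_filter(sln: str) -> str:
    """Filter selecting a section by its Schedule Line Number."""
    return "(sln=%s)" % escape_filter_value(sln)


if __name__ == "__main__":
    # Constructed base DN; the real suffix is not given on this page.
    base = course_container("AUT", 2007, "ou=Courses,dc=example,dc=edu")
    print(base)
    print(course_section_filter("CSE", "142", "A"))
    # Hostile course number: without escaping this would turn the filter
    # into (&(curric=CSE)(crsNo=142)(sln=*)(sectID=A)) and match far more.
    print(course_section_filter("CSE", "142)(sln=*", "A"))
```

The resulting container DN is used as the search base (one level down from ou=Courses) and the filter is handed unchanged to whatever LDAP client the application uses; the escaping is what keeps a curriculum or course number taken from a web form from rewriting the query.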
A successful search of the ou=Groups container by group name (cn) returns an entry such as this:
cn: group name
description: group description
memberGroup: cn=group cn
Note: A group may have multiple owners.
Note: A group may contain one or more subgroups (i.e. groups can be nested). Subgroups are identified by the memberGroup attribute. Clients that do not already know a group is flat (i.e. contains no subgroups) should search the group's immediate membership and all subgroup memberships, recursively, to determine whether a given individual is a member of the group.
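The recursive membership check described in the note above, as an added example that is not part of the UW documentation. The directory here is a constructed in-memory stand-in for ou=Groups so the code runs offline; against the real service the lookup function would perform an LDAP search by cn. The attribute name "member" for individual members is an assumption, since the page names only memberGroup. Beyond what the note states, the walk keeps a visited set and a depth cap, so a membership graph that nests cyclically or very deeply terminates instead of looping or exhausting the client.

```python
"""Recursive group-membership resolution over memberGroup.  Added example,
not UW code.  Assumptions: individual members live in an attribute named
`member` (the page only names memberGroup), and the sample directory below
is constructed for the example."""
from typing import Callable, Dict, List, Optional, Set

Entry = Dict[str, List[str]]
Lookup = Callable[[str], Optional[Entry]]

# Constructed sample directory: cn -> attributes.  memberGroup values use
# the "cn=<group cn>" form shown on the page.  uw_cse nests uw_all back
# into itself (a cycle), and uw_math references a group that does not
# exist, to exercise both failure modes.
SAMPLE_GROUPS: Dict[str, Entry] = {
    "uw_all": {"member": ["alice"], "memberGroup": ["cn=uw_cse", "cn=uw_math"]},
    "uw_cse": {"member": ["bob"], "memberGroup": ["cn=uw_cse_ta", "cn=uw_all"]},
    "uw_cse_ta": {"member": ["carol"], "memberGroup": []},
    "uw_math": {"member": ["dave"], "memberGroup": ["cn=uw_missing"]},
}


def sample_lookup(cn: str) -> Optional[Entry]:
    """Stand-in for an LDAP search of ou=Groups by cn."""
    return SAMPLE_GROUPS.get(cn)


def _cn_from_member_group(value: str) -> str:
    """memberGroup is 'cn=<group cn>'; refuse anything else rather than guess."""
    prefix = "cn="
    if not value.lower().startswith(prefix):
        raise ValueError(f"unexpected memberGroup value: {value!r}")
    return value[len(prefix):]


def flatten_members(cn: str, lookup: Lookup, max_depth: int = 32) -> Set[str]:
    """All individual members of cn, including members of nested subgroups.

    A visited set makes cyclic nesting terminate; max_depth bounds the
    walk so a hostile or runaway graph raises instead of being silently
    truncated (an authorization check should fail closed).  A memberGroup
    that points at a non-existent group is skipped, which also errs on
    the side of denying membership."""
    members: Set[str] = set()
    seen: Set[str] = set()
    stack = [(cn, 0)]
    while stack:
        group, depth = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        entry = lookup(group)
        if entry is None:
            continue
        members.update(entry.get("member", []))
        subgroups = entry.get("memberGroup", [])
        if subgroups and depth >= max_depth:
            raise ValueError(f"group nesting deeper than {max_depth} at {group!r}")
        for ref in subgroups:
            stack.append((_cn_from_member_group(ref), depth + 1))
    return members


def is_member(netid: str, cn: str, lookup: Lookup) -> bool:
    """True if netid is in cn directly or through any nested subgroup."""
    return netid in flatten_members(cn, lookup)


if __name__ == "__main__":
    print(sorted(flatten_members("uw_all", sample_lookup)))
    print(is_member("carol", "uw_all", sample_lookup))
```

Clients that already know a group is flat can read its immediate membership alone; everything else should go through the recursive walk, and the depth cap is the knob to tune if legitimate groups are nested more deeply than expected.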