This guide provides information for performing LDAP operations against the UMass Amherst Active Directory (AD) instance. The instance allows for credential binding and attribute lookup using a service account.
This service is different from the OpenLDAP service:
Many purchased applications have native AD support which should be used instead of manual configuration.
UMass IT supports the AD LDAP connector as a service for on-campus connections. Generally, client connections flow through the F5 load balancers and are forwarded to a set of AD controllers.
Clients should use: campus-uma.umass.edu
The traffic flows through the F5 load balancer.
The address above (the F5 load balancer) will not work with TLS. Instead, you must connect to the AD servers directly. Use one of the following hosts:
Note: AD servers are replaced over time, and you will need to change your configuration when the AD server you use is replaced.
The Domain Controllers sit behind the F5 VIP. For AD clients to function, the service needs to be open to all campus IPs. Off-campus access is blocked for both the DCs and the VIP (the VIP is actually in 19.18).
Depending on the client software, you also have to trust the AD root certificate to use TLS.
System accounts must be subsidiary accounts (SUBR). Service accounts do not require any special permissions to connect or read attributes.
LDAP Attribute | Active Directory Attribute | LDAP vs AD Data | Release Notes |
---|---|---|---|
departmentNumber | extensionAttribute12 | Note that the department number and name are different. | |
displayName | displayName | In LDAP this is always the full name from SPIRE (PS_UM_SAM_ACCTVW.NAME), which looks for the campus name and then the primary name, so it doesn't pick up people who only have a preferred name. In AD this is Fnpref+' '+Ln if Fnpref exists, and the full name otherwise. | Will always get the preferred name, and won't have access to the legal name. |
eduPersonAffiliation | msExchExtensionCustomAttribute1 | AD only has primary affiliation. | |
eduPersonPrimaryAffiliation | employeeType | Format and values are different between LDAP (example: Employee) and AD (example: PREM). | The value for this attribute is represented differently in AD than in LDAP. |
eduPersonPrimaryAffiliation | n/a - Needed? | Need another AD attribute, if possible, that has the value with the same kind of label that is in LDAP. (See AD employeeType above.) | |
UMAemployeeID | employeeID | ||
UMAmiddleName | initials | LDAP contains middle name, AD contains first initial of middle name. | This will just be the middle initial rather than the full middle name. |
givenName | givenName | In LDAP this is always PS_UM_SAM_PRF_NMVW.FIRST_NAME from SPIRE and blank otherwise, but in AD this is PS_UM_SAM_PRF_NMVW.FIRST_NAME if it is set and PS_UM_SAM_ACCTVW.FIRST_NAME otherwise. | This will always have a value whereas in LDAP it could have been blank. |
| | LDAP and AD are the same. | |
mailLocalAddress | proxyAddresses | Format and values are different between LDAP (separate lines) and AD (a list, which doesn't have all aliases). | Multiple addresses will be in a list rather than on separate lines. Also, not all aliases will be available. |
UMApreferredName | givenName | See entry for givenName | |
sn | sn | LDAP and AD are the same. | |
uid | SamAccountName | LDAP and AD are the same. | |
uid | n/a (uid proposed) | ||
UMAemailService | extensionAttribute14 | ||
UMAPrimaryAccount | extensionAttribute15 | LDAP and AD are the same. | |
UMAservices | msExchExtensionCustomAttribute2 | List type | |
UMAunionCode | | Scalar type | |
loginShell | n/a (loginShell proposed) | hardcoded to /bin/bash | |
homeDirectory | n/a (unixHomeDirectory proposed) | ||
eduPersonPrincipalName | SamAccountName | Same as uid | |
cn | cn | LDAP contains middle name, AD doesn't | |
gecos | n/a | ||
gidNumber | n/a | ||
objectClass | n/a | ||
radiusSimultaneousUse | extensionAttribute9 | ||
radiusServiceType | extensionAttribute8 | ||
uidNumber | uidNumber | UnixID, unique identifier | |
userPassword | n/a | ||
uMassEmplID | extensionAttribute13 | SPIRE HR ID number | |
uMassGuid | employeeNumber | SPIRE UITS OID ID | |
UMAagreement | n/a | ||
UMAdisabled | n/a | ||
UMAmacClassrmHome | n/a | ||
UMAacctType | n/a | ||
UMOLacct | n/a | ||
UMAstem | n/a |
Base DN: DC=campus,DC=ads,DC=umass,DC=edu
Support requests flow through ServiceNow. Please send an email to it@umass.edu for support requests, and indicate that the service is the AD LDAP connector.
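The connection rules above (TLS only works against a DC, not the F5 VIP) and the attribute mapping table are easy to get wrong in client code, so here is an added example, not code from the original page or from UMass IT, that encodes both: it picks the connection URL according to the TLS rule, builds an injection-safe search filter for a user lookup by uid, and translates an AD entry into the LDAP attribute names from the table. It performs no network I/O; the AD entry is a constructed sample in the shape an LDAP client library returns (attribute name to list of values), the DC hostname is a placeholder, and the mapping covers only rows of the table that name an AD attribute.

```python
"""Helpers for using the UMass AD LDAP connector in place of OpenLDAP.

Added example (not the page's or UMass IT's own code). Runs offline against a
constructed entry; the DC hostname below is a placeholder, not a real host.
"""
from __future__ import annotations

# Values taken from the page.
BASE_DN = "DC=campus,DC=ads,DC=umass,DC=edu"
F5_VIP = "campus-uma.umass.edu"


def ldap_url(tls: bool, dc_host: str | None = None) -> str:
    """Return the URL to connect to, enforcing the page's TLS rule.

    Plain LDAP goes through the F5 VIP; TLS is only possible against a DC
    directly, so a DC hostname is mandatory when tls=True.
    """
    if tls:
        if not dc_host:
            raise ValueError("TLS requires a direct DC host; the F5 VIP does not support TLS")
        return f"ldaps://{dc_host}"
    return f"ldap://{F5_VIP}"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a uid taken from user input such as '*' or 'a)(cn=*' would
    change the meaning of the filter instead of matching a literal account name.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(uid: str) -> str:
    """Filter for looking up one account by uid (sAMAccountName in AD)."""
    return f"(sAMAccountName={escape_filter_value(uid)})"


# AD attribute -> LDAP attribute, from the mapping table on the page. Rows
# marked n/a in AD (gecos, gidNumber, userPassword, ...) cannot be read from AD
# and are deliberately absent here.
AD_TO_LDAP = {
    "extensionAttribute12": "departmentNumber",
    "displayName": "displayName",
    "msExchExtensionCustomAttribute1": "eduPersonAffiliation",
    "employeeType": "eduPersonPrimaryAffiliation",
    "employeeID": "UMAemployeeID",
    "initials": "UMAmiddleName",
    "givenName": "givenName",
    "proxyAddresses": "mailLocalAddress",
    "sn": "sn",
    "sAMAccountName": "uid",
    "extensionAttribute14": "UMAemailService",
    "extensionAttribute15": "UMAPrimaryAccount",
    "msExchExtensionCustomAttribute2": "UMAservices",
    "cn": "cn",
    "extensionAttribute9": "radiusSimultaneousUse",
    "extensionAttribute8": "radiusServiceType",
    "uidNumber": "uidNumber",
    "extensionAttribute13": "uMassEmplID",
    "employeeNumber": "uMassGuid",
}
# LDAP attribute names are case-insensitive, so match on a lowercased key.
_AD_LOOKUP = {k.lower(): v for k, v in AD_TO_LDAP.items()}
# Attributes the table describes as lists in AD; everything else is scalar.
MULTI_VALUED = {"proxyaddresses", "msexchextensioncustomattribute2"}


def translate_entry(ad_entry: dict[str, list[str]]) -> dict[str, object]:
    """Rename AD attributes to their LDAP names and add the derived ones.

    Values are passed through unchanged: the page notes that employeeType
    (e.g. PREM) and proxyAddresses are formatted differently from LDAP, and it
    gives no complete value mapping, so no normalisation is attempted here.
    """
    ldap_entry: dict[str, object] = {}
    for ad_name, values in ad_entry.items():
        key = ad_name.lower()
        ldap_name = _AD_LOOKUP.get(key)
        if ldap_name is None:
            continue  # no LDAP counterpart in the table (e.g. memberOf)
        ldap_entry[ldap_name] = list(values) if key in MULTI_VALUED else (values[0] if values else "")
    # Derived attributes per the table: eduPersonPrincipalName is "same as uid",
    # UMApreferredName reuses givenName, loginShell is hardcoded to /bin/bash.
    if "uid" in ldap_entry:
        ldap_entry["eduPersonPrincipalName"] = ldap_entry["uid"]
    if "givenName" in ldap_entry:
        ldap_entry["UMApreferredName"] = ldap_entry["givenName"]
    ldap_entry["loginShell"] = "/bin/bash"
    return ldap_entry


# Constructed sample entry (not real data); AD stores proxyAddresses with a
# type prefix, and memberOf has no LDAP counterpart in the table.
SAMPLE_AD_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "initials": ["Q"],
    "employeeType": ["PREM"],
    "proxyAddresses": ["SMTP:jdoe@umass.edu", "smtp:jane.doe@umass.edu"],
    "extensionAttribute12": ["12345"],
    "uidNumber": ["100001"],
    "memberOf": ["CN=example-group,OU=Groups," + BASE_DN],
}

if __name__ == "__main__":
    print(ldap_url(tls=True, dc_host="DC_HOST_PLACEHOLDER"), BASE_DN, user_filter("jdoe"))
    print(translate_entry(SAMPLE_AD_ENTRY))
```

The filter escaping is the part worth keeping even if you use a different client library: a service account with read access to the whole base DN will happily return every account if an unescaped `*` reaches the filter, so always pass user-supplied values through an escaper (or your library's equivalent) before building the search.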