UCSB Identity hosts and maintains a directory farm, on campus and in the cloud. Many campus services authenticate directly against it. However, a new policy going forward is to use campus Single Sign-On (SSO) for all authentication and authorization, providing a layer that simplifies application deployment and improves security.

LDAP

The LDAP represents a consolidation of data for people at UCSB, and certain applications may require a data extract to update their data store.

Host: ldap.ucsb.edu
Port: 636

Directory Tree & Objectclasses

o=ucsb
  ou=people
    person
    organizationalPerson
    inetOrgPerson
    eduPerson
    ucEduPerson
    ucsbPerson
    dn: uid=netid,ou=people,o=ucsb
  ou=applications
    person
    inetOrgPerson
    dn: uid=netid,ou=applications,o=ucsb

LDIF Example

dn: uid=netidexample,ou=People,o=UCSB
objectClass: ucEduPerson
objectClass: eduPerson
objectClass: ucsbPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Ken Ldif
sn: Ldif
departmentNumber: STSP
displayName: Ldif, Ken
eduPersonPrincipalName: netidexample@ucsb.edu
eduPersonScopedAffiliation: employee@ucsb.edu
eduPersonScopedAffiliation: member@ucsb.edu
eduPersonScopedAffiliation: student@ucsb.edu
employeeNumber: 99999999
givenName: Ken
initials: J
mail: netidexample@umail.ucsb.edu
UCEmployeeID: 99999999
UCnetID: 8888888
ucsbAdmID: 77777777
ucsbAffiliation: employee
ucsbAffiliation: student
ucsbAffiliation: umail
ucsbCampusID: CEBB11EA-3E3A-11EB-905A-4316F7583846
ucsbCufn: Kenny
ucsbDisplayDept1: STSP
ucsbDOB: 01/01/1920
ucsbEmailBusiness1: netidexample@umail.ucsb.edu
ucsbEmailStudent: netidexample@umail.ucsb.edu
ucsbEmpStatus: A
ucsbEmpType: 4
ucsbHomeDepartment: STSP
ucsbMailCode: 3070
ucsbMiddleName: Jay
ucsbPPSID: 666666666
ucsbRelease: public
ucsbReleaseStudent: Y
ucsbReleaseStuEmail: N
ucsbStuPerm: 5555555
ucsbStuRegStat: R
ucsbStuType: U
ucsbTitle: STDT VOLUNTEER
ucsbTitleCode: 009920
UCTrustAssurance: bronze
UCTrustCampusIDShort: SB0000999999
uid: netidexample
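Applications that take a data extract from the directory usually end up parsing exactly this kind of LDIF record. The block below is an added example, not UCSB Identity's code: a small stdlib-only LDIF parser that handles multi-valued attributes such as `eduPersonScopedAffiliation` and `ucsbAffiliation`, a helper that keeps only affiliations scoped to `ucsb.edu`, an attribute allow-list for the extract, and a builder for the OpenLDAP `ldapsearch` command that would fetch the record over LDAPS on port 636. The sample record is the page's own LDIF example (shortened); the allow-list, the scope check and the assumption that a simple anonymous bind (`-x`) is permitted are assumptions of this example.

```python
"""Parse an LDIF record from ldap.ucsb.edu and derive what an application needs.

Added example, not UCSB Identity's code. Connection details come from the page;
the attribute allow-list and the scope check are this example's assumptions.
"""
import base64
from typing import Dict, List, Set

LDAP_HOST = "ldap.ucsb.edu"      # from the page
LDAP_PORT = 636                  # LDAPS, from the page
PEOPLE_BASE = "ou=people,o=ucsb"  # from the page's directory tree

# Shortened copy of the page's LDIF example.
SAMPLE_LDIF = """\
dn: uid=netidexample,ou=People,o=UCSB
objectClass: ucEduPerson
objectClass: eduPerson
objectClass: ucsbPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Ken Ldif
sn: Ldif
displayName: Ldif, Ken
eduPersonPrincipalName: netidexample@ucsb.edu
eduPersonScopedAffiliation: employee@ucsb.edu
eduPersonScopedAffiliation: member@ucsb.edu
eduPersonScopedAffiliation: student@ucsb.edu
givenName: Ken
mail: netidexample@umail.ucsb.edu
ucsbAffiliation: employee
ucsbAffiliation: student
ucsbAffiliation: umail
ucsbDOB: 01/01/1920
ucsbPPSID: 666666666
uid: netidexample
"""

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values


def parse_ldif(text: str) -> List[Entry]:
    """Parse an RFC 2849 subset: folded lines, '::' base64 values, multi-valued attributes."""
    # Unfold: a line beginning with one space continues the previous logical line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if not line.strip():            # blank line separates records
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # comment
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith("<"):        # ':<' URL-valued attributes are not supported here
            raise ValueError(f"URL values not supported: {line!r}")
        if rest.startswith(":"):        # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        # LDAP attribute names are case-insensitive; normalise for lookups.
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def affiliations(entry: Entry, scope: str = "ucsb.edu") -> Set[str]:
    """Affiliations asserted for `scope` only; values scoped elsewhere are ignored."""
    result: Set[str] = set()
    for value in entry.get("edupersonscopedaffiliation", []):
        name, _, value_scope = value.rpartition("@")
        if value_scope.lower() == scope.lower():
            result.add(name.lower())
    return result


# Assumed allow-list for a hypothetical consuming application: only the
# identifiers it needs, so ucsbDOB, ucsbPPSID and similar never reach its store.
EXTRACT_ATTRS = ("uid", "edupersonprincipalname", "displayname", "mail")


def extract(entry: Entry, allowed=EXTRACT_ATTRS) -> Dict[str, str]:
    """Single-valued projection of an entry onto the allowed attributes."""
    out: Dict[str, str] = {}
    for attr in allowed:
        values = entry.get(attr, [])
        if len(values) > 1:
            raise ValueError(f"{attr} is multi-valued; extract expects one value")
        if values:
            out[attr] = values[0]
    return out


def ldapsearch_argv(uid: str, attrs=EXTRACT_ATTRS) -> List[str]:
    """OpenLDAP ldapsearch command that fetches the same record over LDAPS (assumes '-x' is allowed)."""
    # Escape per RFC 4515 so a user-supplied netid cannot alter the filter.
    escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in uid)
    return ["ldapsearch", "-LLL", "-x",
            "-H", f"ldaps://{LDAP_HOST}:{LDAP_PORT}",
            "-b", PEOPLE_BASE,
            f"(uid={escaped})", *attrs]


if __name__ == "__main__":
    record = parse_ldif(SAMPLE_LDIF)[0]
    print(affiliations(record))
    print(extract(record))
    print(" ".join(ldapsearch_argv("netidexample")))
```

The scope check matters because `eduPersonScopedAffiliation` carries the asserting domain; an authorization rule should only honour `student@ucsb.edu`, not any value ending in `student`. The allow-list turns the "data extract" into the minimum set of attributes the application's data store actually needs.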

Active Directory

Netid.ucsb.edu: One-way trust is up-and-running!

  • Request a one-way trust to netid.ucsb.edu through UCSB ServiceNow>IT Service Catalog>Advanced Technical Services>Identity and Access.
  • Netid is ‘read-only’; UCSB Identity is the source of truth for all user objects.
  • Three successful trust relationships with netid.ucsb.edu include Life Science, College of Engineering and the Library.

What are the Process and Prerequisites?

Reasons to Join the One-Way Trust:

  • Departments can make use of Identity provisioned user accounts using a one-way trust with netid.ucsb.edu.
  • Less administrative overhead due to account provisioning means fewer headaches for administrators and fewer credentials for a user to remember and secure.

What’s next?

  • Over the next six months, the Campus Active Directory technical team will be creating three development environments (netid, Resource Domain, Azure Tenant) to develop additional features for the service, which may include: two-way trusts, single forests and delegated management. This will be Phase III.

Questions? 

About Campus Active Directory
With campus Active Directory, we will leverage campus Identity & Access Management (IAM) solution(s) to provide a compelling campus service, offering efficient and supportable campus Active Directory services through standardization, application of best practices, and the reduction of unnecessary duplication. This project focuses on the Active Directory lifecycle, management of resources, and service access management by analyzing the current directory services and support structure on campus. The project end-state is a future model that achieves cost savings through greater efficiency.