
@kylehg
Created October 11, 2012 23:10
Using Penn's LDAP, courtesy Robert Mead

Robert:

This is the result of a lot of blood-sweat-tears digestion of this: http://www.upenn.edu/computing/help/doc/email/directory.html

To query Penn Directory via command-line LDAP (the LDAPTLS_CACERT environment variable is necessary on Eniac because the ldap.conf file doesn't set TLS_CACERT; if you're doing this on your own machine, you can fix that):

LDAPTLS_CACERT=/etc/ssl/ca-bundle.pem ldapsearch -h directory.upenn.edu -Z -b ou=People,dc=upenn,dc=edu <FILTER> [object]

For authenticated view (gets you emails) (will prompt for your PennKey password):

LDAPTLS_CACERT=/etc/ssl/ca-bundle.pem ldapsearch -h directory.upenn.edu -Z -x -W -D uid=<YOUR_PENNKEY>,ou=PennPeople,dc=upenn,dc=edu -b ou=PennPeople,dc=upenn,dc=edu <FILTER> [object]

For authenticated view (no password, only if you have a Kerberos TGT, so probably only on Eniac unless you've installed Kerberos):

LDAPTLS_CACERT=/etc/ssl/ca-bundle.pem ldapsearch -h directory.upenn.edu -Z -b ou=PennPeople,dc=upenn,dc=edu <FILTER> [object]

Objects are things like displayName ("human" form), mail (email), givenName (first name), sn (surname=last name), title (major), postalAddress, postalCode, uid (pennkey). Some or all of those are private or entirely unavailable, depending on the user's settings. You can filter by any of these to, say, find the PennKey of someone by name, or vice versa, or find someone's email address by name (or vice versa). You can filter with expressions like: object='value' or object='partial' or object~='likeValue' (probably the most useful ones, but there are others).

All this is possible using native language LDAP bindings as well, for webapps/etc. If you're doing anything programmatic, the LDAP server seems pretty slow, so consider caching heavily things that won't change (which is most of it). Be responsible, especially with the "private" info, to restrict it to PennKey-authenticated users.


The trick is that ou=People is public info, but ou=PennPeople is authenticated (but requires the DN, or Kerberos). This helps if you're using the link for email setup. Also, I wrote a little shell script to abstract away a lot of it: ~robmead/bin/pdquery. Example: "pdquery uid=robmead mail". By default it uses Kerberos (so you should type kinit first), but you can set it up to use simple auth or none (note: neither is tested, but if they don't work it'll be easy to fix).
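To illustrate the programmatic-use and caching advice in the message above, here is an added Python example (not Robert's pdquery script and not part of the gist): it escapes user-supplied values per RFC 4515 before assembling the three filter shapes listed, and fronts a raw query function with a TTL cache keyed on the base DN, so results fetched from the authenticated ou=PennPeople tree are never handed to anonymous callers. The query function, the Directory class and the ATTRS tuple are hypothetical; the base DNs are the ones from the commands.

```python
import time
from typing import Callable, Dict, Tuple

# Base DNs taken from the ldapsearch commands in the message.
BASE_PUBLIC = "ou=People,dc=upenn,dc=edu"        # anonymous view, no mail attribute
BASE_AUTH = "ou=PennPeople,dc=upenn,dc=edu"      # PennKey/Kerberos-authenticated view
ATTRS = ("displayName", "mail", "givenName", "sn", "title",   # hypothetical allow-list
         "postalAddress", "postalCode", "uid")

# RFC 4515 escaping: a value typed by a web user must not be able to close the
# filter or add operators of its own (e.g. "x)(uid=*"), so these five characters
# are replaced by their hex escapes before the filter is assembled.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(attr: str, value: str, mode: str = "exact") -> str:
    """The three filter shapes the message lists: exact (=), prefix (=value*), approx (~=)."""
    if attr not in ATTRS:
        raise ValueError(f"unknown directory attribute: {attr!r}")
    v = escape_filter_value(value)
    if mode == "exact":
        return f"({attr}={v})"
    if mode == "prefix":
        return f"({attr}={v}*)"
    if mode == "approx":
        return f"({attr}~={v})"
    raise ValueError(f"unknown mode: {mode!r}")

class Directory:
    """TTL cache in front of a raw query function query(base_dn, filter) -> {dn: {attr: values}}
    (hypothetical; plug in python-ldap, ldap3 or a subprocess running ldapsearch)."""

    def __init__(self, query: Callable[[str, str], dict], ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic):
        self._query, self._ttl, self._clock = query, ttl_seconds, clock
        self._cache: Dict[Tuple[str, str], Tuple[float, dict]] = {}
        self.backend_calls = 0   # counts real round trips to the (slow) server

    def lookup(self, attr: str, value: str, authenticated: bool = False, mode: str = "exact"):
        # The base DN is part of the cache key, so entries fetched from the
        # authenticated tree (which carry mail) are never served to anonymous callers.
        key = (BASE_AUTH if authenticated else BASE_PUBLIC, build_filter(attr, value, mode))
        hit = self._cache.get(key)
        if hit is not None and self._clock() - hit[0] < self._ttl:
            return hit[1]
        self.backend_calls += 1
        result = self._query(*key)
        self._cache[key] = (self._clock(), result)
        return result
```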
