In IAM terms, a directory is a hierarchical collection of attributes tuned for extremely fast searches and high throughput (on the order of 100,000 searches per second). Harvard's LDAP directory (LDAP stands for Lightweight Directory Access Protocol) acts as the official University attribute authority: a hub from which applications obtain contact and profile data, which they can then use to authorize users of an application, populate forms, or perform a variety of other actions.
The University LDAP contains profile data about HUID holders and, to a much lesser extent, about XID holders. Data on XID holders is limited to name, email, login, and expiration date. Data on HUID holders extends to multiple variations on name, all other core indicative and contact data, privacy data, and job and/or student status information. More than 100 attributes are available. Current uses of LDAP include:
- Authorizing application users (e.g. an intranet)
- Enriching applications with data (pre-populated forms that reduce data entry for users)
- Obtaining data for administrative use (e.g. the Library's billing system)
- Custom online directories (redisplaying contact data while honoring each person's privacy settings)
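An added example, not code from Harvard IAM or from this page: a small Python authorization helper of the kind the first use above calls for. It builds the user lookup filter with RFC 4515 escaping so that a login such as `*` or `)(|(uid=*)` cannot widen the search (LDAP filter injection), and it denies access unless the lookup returns exactly one entry carrying an allowed value. The attribute names `uid` and `eduPersonAffiliation`, the sample entries, and the `fake_search` stand-in are assumptions for illustration; the page does not list Harvard's attribute names, and a real client would hand the same filter string to python-ldap or ldap3.

```python
"""LDAP-attribute authorization with a safely built search filter.

Added illustration, not Harvard IAM's own code. Hypothetical assumptions: the
application finds a person by the attribute "uid" and grants access when the
multi-valued attribute "eduPersonAffiliation" holds an allowed value. The
search is a stand-in over constructed entries so the example runs offline.
"""
import re
from typing import Callable

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before splicing it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(login: str, login_attr: str = "uid") -> str:
    """Filter intended to match exactly one person entry for the given login."""
    return f"(&(objectClass=person)({login_attr}={escape_filter_value(login)}))"


def naive_filter(login: str) -> str:
    """What NOT to do: the login goes into the filter unescaped."""
    return f"(&(objectClass=person)(uid={login}))"


# --- Constructed stand-in for the directory (hypothetical entries, not real data) ---
_FAKE_ENTRIES = [
    {"uid": "jdoe", "mail": "jdoe@example.org", "eduPersonAffiliation": ["staff"]},
    {"uid": "asmith", "mail": "asmith@example.org", "eduPersonAffiliation": ["student"]},
    {"uid": "xid-guest", "mail": "guest@example.org", "eduPersonAffiliation": []},
]
_UID_ASSERTION = re.compile(r"\(uid=([^()]*)\)")


def _unescape(value: str) -> str:
    """Turn RFC 4515 backslash-hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _assertion_to_regex(assertion: str) -> re.Pattern:
    """Mimic a server: a raw '*' is a wildcard, an escaped one is a literal."""
    parts = [re.escape(_unescape(p)) for p in assertion.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def fake_search(ldap_filter: str) -> list[dict]:
    """Evaluate only the (uid=...) assertion of the filter against the fake entries."""
    m = _UID_ASSERTION.search(ldap_filter)
    if not m:
        return []
    pattern = _assertion_to_regex(m.group(1))
    return [e for e in _FAKE_ENTRIES if pattern.match(e["uid"])]


def authorize(login: str, allowed: set[str],
              search: Callable[[str], list[dict]] = fake_search) -> bool:
    """Deny unless exactly one entry matches and it carries an allowed affiliation."""
    entries = search(build_lookup_filter(login))
    if len(entries) != 1:  # zero hits: unknown user; several hits: ambiguous, never authorize
        return False
    return bool(set(entries[0].get("eduPersonAffiliation", [])) & allowed)


if __name__ == "__main__":
    print(authorize("jdoe", {"staff"}))           # True
    print(authorize("asmith", {"staff"}))         # False: affiliation not allowed
    print(authorize("*", {"staff"}))              # False: '*' is escaped, nothing is named '*'
    print(len(fake_search(naive_filter("*"))))    # 3: the unescaped '*' matches every entry
```

The "exactly one entry" rule matters because a directory lookup that returns several entries for one login, or none at all, is not a basis for granting access; the unescaped variant shows how a single `*` turns a lookup into an enumeration of every person in the subtree.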
Requesting Access to LDAP
- Contact firstname.lastname@example.org to start the conversation about gaining access to University LDAP.
- The IAM product team will discuss your project-specific requirements with you and help determine which data should be made available to your application. A summary of the available attribute data can be found here, to make it easier to discuss your request.
- Access is granted first to a test instance, for development and testing, before anything is rolled out to production. Access is granted per machine, by IP address, so the addresses of the hosts that will query the directory are part of the request.
- Please allow a minimum of one month for administrative review of your application.
Report LDAP Bugs
If you're already an LDAP user and are having trouble using the directory, report any issues with LDAP data to the helpdesk first, at email@example.com or 617.496.2001, not to Directory Services. This ensures your trouble ticket is routed to the appropriate group for a faster response.
If you have general questions about LDAP that do not require opening a support ticket, please email firstname.lastname@example.org.
Maintaining the University LDAP Directory
Updates to University LDAP are made by custom code that extracts data from the ID (HUID) and XID systems. Only XID data is loaded incrementally, on a continuous basis; HUID data is reloaded in full once a day. For the daily reload, the master LDAP instance breaks replication with the two replica instances that actually answer production queries. The master database is backed up, dropped, and then rebuilt from the current data in the HUID system. Once the reload of the master completes, each replica is dropped and rebuilt in turn using standard replication, so one replica is always serving and production LDAP stays online throughout. While the new ID-system data is being replicated to the replicas, XID incremental updates are paused, so each day there is a window during which new or changed XID accounts do not yet appear in LDAP.
Normally, the daily data update is available by 8 a.m. and reflects the previous day's data entry into PeopleSoft and the SIS system, or data entry via MIDAS. Applications that authorize users from LDAP attributes should therefore expect a change made in a source system to take until the next morning to show up in the directory.
Additional Note on Loading LDAP
Please be aware that the daily load can be suspended at the discretion of the Directory Services product manager or the associate director of ITIS. This may be necessary when the HUID or XID system is unavailable, or when there is some other issue with the source data.
Please note that, aside from the first item in this list, all materials require you to log in with your HUID and password before viewing or downloading.