LDAP

Last modified by Jukka Karvonen on 2025/01/29 13:57

The LDAP user directory service can be used to query and update user information in services. It is most often used to update a user's groups or to check for expired users.

It can also be used to log in to command line-based services, such as SSH, but it is no longer available for logging in to web services. With web services, you have to use SSO (SAML or OIDC).

Using the LDAP user directory

Services must be registered in the SP Registry in order to use LDAP.

Technical information

ldapauth.it.helsinki.fi is available from the University of Helsinki internal network and is used only for user authentication and basic information, such as user groups.

  • Services using it should still register in the SP Registry, but they can tick the "Does this service use the LDAPAuth proxy?" checkbox and leave the other technical information empty.

ldap.it.helsinki.fi can be used to query more information about users, but it is available only to registered services.

  • The old address, ldap2015.it.helsinki.fi, is still available.
  • User attributes available from LDAP are listed on the page User attributes.

Both services are available with StartTLS (port 389) and TLS (port 636). TLS uses a certificate signed by UH's public CA provider (currently Sectigo).

Example queries using ldapsearch

Query basic information and groups anonymously

ldapsearch -xZZH ldap://ldapauth.it.helsinki.fi:389 -b ou=people,dc=helsinki,dc=fi uid=lankka \* memberOf
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=helsinki,dc=fi> with scope subtree
# filter: uid=lankka
# requesting: * memberOf 
#

# lankka, people, helsinki.fi
dn: uid=lankka,ou=people,dc=helsinki,dc=fi
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: schacContactLocation
objectClass: schacLinkageIdentifiers
objectClass: schacPersonalCharacteristics
objectClass: funetEduPerson2
objectClass: hyEduPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: schacEntryMetadata
objectClass: inetLocalMailRecipient
memberOf: cn=grp-a02700-all,ou=groups,dc=helsinki,dc=fi
memberOf: cn=grp-idp-test,ou=groups,dc=helsinki,dc=fi
homeDirectory: /home/lankka
uid: lankka
sn: Ankka
gecos: Lupu Ankka lankka
cn: Lupu Ankka
givenName: Lupu
loginShell: /bin/bash
uidNumber: 1032815
gidNumber: 1032815

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

For an authenticated query, add the bind DN with "-D <service user DN>" and "-W" to prompt for the password.

Querying group object information and members anonymously

ldapsearch -xZZH ldap://ldapauth.it.helsinki.fi -b ou=groups,dc=helsinki,dc=fi cn=grp-idp-test
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=helsinki,dc=fi> with scope subtree
# filter: cn=grp-idp-test
# requesting: ALL
#

# grp-idp-test, groups, helsinki.fi
dn: cn=grp-idp-test,ou=groups,dc=helsinki,dc=fi
cn: grp-idp-test
uniqueMember: uid=foobaruserremove,ou=people,dc=helsinki,dc=fi
uniqueMember: uid=lankka,ou=people,dc=helsinki,dc=fi
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: hyPosixGroup
description: Idp:n testaamista varten
gidNumber: 4201710

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Obs. There is a placeholder user "foobaruserremove" in all groups for technical reasons.
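As an added example (not code from this page or from the University's own tooling), the following Python parses the LDIF that ldapsearch prints in the queries above, lists group members with the "foobaruserremove" placeholder dropped, and builds the uid filter with RFC 4515 escaping so that a login name taken from user input cannot change the meaning of the query. SAMPLE_LDIF is a constructed excerpt of the group query output shown above.

```python
import base64
import re
PLACEHOLDER_UID = "foobaruserremove"  # technical placeholder present in every group

# Constructed sample: the group entry from the ldapsearch output above.
SAMPLE_LDIF = """\
dn: cn=grp-idp-test,ou=groups,dc=helsinki,dc=fi
cn: grp-idp-test
uniqueMember: uid=foobaruserremove,ou=people,dc=helsinki,dc=fi
uniqueMember: uid=lankka,ou=people,dc=helsinki,dc=fi
gidNumber: 4201710

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Entries as attribute -> list of values. Handles '#' comments, folded lines and
    base64 ('::') values; blocks without a dn (the search-result block) are skipped."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # folded line continues the previous one
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name, []).append(value.strip())
    return entries

def group_member_uids(entry):
    """uid of each uniqueMember, with the technical placeholder dropped."""
    matches = (re.match(r"uid=([^,]+),", dn) for dn in entry.get("uniqueMember", []))
    return [m.group(1) for m in matches if m and m.group(1) != PLACEHOLDER_UID]

def user_filter(uid):
    """Build a (uid=...) filter from untrusted input, escaping per RFC 4515 so
    metacharacters cannot alter the filter."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        uid = uid.replace(ch, esc)
    return "(uid=%s)" % uid
```

The same parser works on the output of the people query above; memberOf values come back as a list under the "memberOf" key.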