internal
Stanford Windows Infrastructure - Directory
Directory services are a way to store and retrieve data about objects; users, groups, computers, buildings, etc. This page provides a brief description about Directory services provided by the Stanford Windows Infrastructure.
Accessing the Directory Service
Active Directory implements a standard LDAP interface for all directory queries. Common LDAP standards are defined in RFCs 2251-2256 (Updated by 3377), 2289, and 2830Two sets of ports are implemented - The standard port numbers are used
for the normal directory of objects in a single domain and another set are used for the
Global Catalog, a special directory containing a limited view of all objects in
an Active Directory forest.
| Protocol: | Port: | Description: |
|---|---|---|
| LDAP | 389 (TCP/UDP) | Lightweight Directory Access Protocol (LDAP) |
| LDAP/SSL | 636 (TCP) | LDAP over Secure Sockets Layer (SSL) |
| LDAP | 3268 (TCP) | Global Catalog |
| LDAP/SSL | 3269 (TCP) | Global catalog over SSL. |
Active Directory LDAP services can be located by using DNS SRV records in the domain or forest that you are interested in. For example a SRV lookup for _gc._tcp.win.stanford.edu will return a current list of servers that are supporting the Global Catalog service. _ldap._tcp.win.stanford.edu will return a list of servers supporting the standard LDAP service.
Features:
- Supports LDAP version 2 and LDAP version 3 clients.
- Supports SASL binding by GSSAPI, GSS-SPNEGO, and DIGEST (See Authentication)
- Supports LDAP v3 controls (Microsoft Technical Reference: Extended Controls)
For Windows Infrastructure client Windows machines, access is available in the Search function when you choose to search for "Printers, computers, or people"
The Global Catalog is utilized by Outlook in the form of the "Global Address List" or GAL (See Exchange)
Microsoft provides a COM/Scripting interface wrapper around LDAP called
"Active Directory Services Interface" or ADSI
Microsoft Technical Reference: ADSI
Schema
A Directory schema determines the structure of the data that the directory contains. At the most basic level, "Classes" of objects are defined that contain a number of "Attributes" which contain data.
Schema changes affect the entire infrastructure and are only performed after rigorous testing to ensure that the changes will not cause problems to existing or future applications. Schema additions cannot be removed once added. Schema objects no longer used are marked as "defunct". The process for testing and approving new schema is documented elsewhere in this site.
Current Stanford Windows Infrastructure Schema:
The base Active Directory schema for Windows Server 2003 is documented here:
Microsoft Technical Reference: Active Directory Schema
A number of attributes have been added to store data peculiar to Stanford University:
| LDAP name | Attribute ID | Attribute Syntax | Single/Multi Value | Note |
|---|---|---|---|---|
| suDisplayAffiliation | 1.3.6.1.4.1.299.11.1.9 | Directory String (Values) | Multi | Contains display affiliations. |
| suUnivID | 1.3.6.1.4.1.299.11.1.18 | Directory String | Single | University ID |
| suPrivilegeGroup | 1.3.6.1.4.1.299.11.1.19 | Directory String | Multi | Stores Registry group memberships. |
| suPrimaryOrganizationID | 1.3.6.1.4.1.299.11.1.602 | Directory String | Single | Organization ID code corresponding to user's primary affiliation. |
| suVisibEmail | 1.3.6.1.4.1.299.11.1.900 | Directory String | Single | Determines visibility of e-mail attributes. |
| suVisibHomeaddress | 1.3.6.1.4.1.299.11.1.901 | Directory String | Single | Determines visibility of home address. This attribute is not used or updated. |
| suVisibHomepage | 1.3.6.1.4.1.299.11.1.902 | Directory String | Single | Determines visibility of home web page. This attribute is not used or updated. |
| suVisibHomephone | 1.3.6.1.4.1.299.11.1.903 | Directory String | Single | Determines visibility of home web page. This attribute is not used or updated. |
| suVisibIdentity | 1.3.6.1.4.1.299.11.1.904 | Directory String | Single | Determines visibility of user's identity |
| suVisibFacsimileTelephoneNumber | 1.3.6.1.4.1.299.11.1.905 | Directory String | Single | Determines visibility of FAX numbers. This attribute is not used or updated. |
| suVisibMobilephone | 1.3.6.1.4.1.299.11.1.906 | Directory String | Single | Determines visibility of mobile phone number. This attribute is not used or updated. |
| suVisibPageremail | 1.3.6.1.4.1.299.11.1.907 | Directory String | Single | Determines visibility of email to send page. This attribute is not used or updated. |
| suVisibPagerphone | 1.3.6.1.4.1.299.11.1.908 | Directory String | Single | Determines visibility of phone number to send page. This attribute is not used or updated. |
| suVisibProfile | 1.3.6.1.4.1.299.11.1.909 | Directory String | Single | Determines visibility of profile information. This attribute is not used or updated. |
| suVisibSunetid | 1.3.6.1.4.1.299.11.1.910 | Directory String | Single | Determines visibility of user's SUNet ID. |
| suVisibAffiliation1 | 1.3.6.1.4.1.299.11.1.911 | Directory String | Single | Determines visibility of 1rst affiliation. |
| suVisibAffilAddress1 | 1.3.6.1.4.1.299.11.1.914 | Directory String | Single | Determines visibility of 1rst affiliation address. This attribute is not used or updated. |
| suVisibAffilPhone1 | 1.3.6.1.4.1.299.11.1.917 | Directory String | Single | Determines visibility of 1rst affiliation phone. This attribute is not used or updated. |
| suVisibAffilFax1 | 1.3.6.1.4.1.299.11.1.920 | Directory String | Single | Determines visibility of 1rst affiliation fax number. This attribute is not used or updated. |
| suVisibAffilFax4 | 1.3.6.1.4.1.299.11.1.923 | Directory String | Single | Determines visibility of 4th affiliation fax number. This attribute is not used or updated. |
| suVisibTelephoneNumber | 1.3.6.1.4.1.299.11.1.925 | Directory String | Single | Determines visibility of preferred telephone number. |
| suVisibMailaddress | 1.3.6.1.4.1.299.11.1.929 | Directory String | Single | Determines visibility of mail address. This attribute is not used or updated. |
| suVisibAffilMailCode | 1.3.6.1.4.1.299.11.1.941 | Directory String | Single | Determines visibility of mail code. This attribute is not used or updated. |
| suVisibStreet | 1.3.6.1.4.1.299.11.1.942 | Directory String | Single | Determines visibility of street address. |
For more information about these attributes see Attributes in the People Tree
| LDAP name | Class ID | Class type | mayContain | Note |
|---|---|---|---|---|
| SU-Person-Aux | 1.3.6.1.4.1.299.11.3.100 | Auxiliary | suDisplayAffiliation suPrimaryOrganizationID suPrivilegeGroup suUnivId suVisibEmail suVisibAffilFax1 suVisibAffilFax4 suVisibAffilPhone1 suVisibAffilAddress1 suVisibAffiliation1 suVisibFacsimileTelephoneNumber suVisibSunetid suVisibProfile suVisibPagerphone suVisibPageremail suVisibMobilephone suVisibMailaddress suVisibMailCode suVisibIdentity suVisibHomephone suVisibHomepage suVisibHomeaddress suVisibTelephoneNumber suVisibStreet | Auxiliary class for User class |
WinHarvester
Data in the Stanford Windows Infrastructure is maintained by a process called "WinHarvester" which is an implementation of a Registry event harvester
Currently the following attributes of user objects are controlled by WinHarvester:
| Attribute | Notes |
|---|---|
| altSecurityIdentities | This attribute holds the
mapping for Kerberos version 5 realm trust Value is determined by UID Registry attribute. |
| cn | Value is determined by UID Registry attribute. |
| co | Driven by Registry data for primary affiliation. |
| displayName | Last name first value is used - this was chosen because it was
agreed that that order worked better for a majority of applications
using directory data. Value is determined by suDisplayNameLF Registry attribute. |
| givenName | |
| l | Driven by Registry data for primary affiliation and street address. |
| ou | |
| postalCode | Driven by Registry data for primary affiliation and street address. |
| physicalDeliveryOffice Name | Driven by Registry data for primary affiliation and street address. |
| sAMAccountName | Value is determined by UID Registry attribute. |
| sn | Value is determined by suDisplayNameLF Registry attribute. |
| st | Driven by Registry data for primary affiliation and street address. |
| suDisplayAffiliation | |
| suPrivilegeGroup | Workgroup Manager Group memberships (See Authorization) |
| suPrimaryOrganizationID | |
| suUnivID | |
| suVisibAffiliation1 | |
| suVisibEmail | |
| suVisibIdentity | |
| suVisibSunetid | |
| suVisibTelephoneNumber | |
| suVisibStreet | |
| telephoneNumber | |
| userAccountControl | Enable/Disable account. Value is determined by suKerberosStatus Registry attribute. |
| userPrincipalName | Value is determined by UID Registry attribute. |
Visibility
Data visibility is controlled on all attributes using Access Control Entries (ACEs).- For all of the suVisib* attributes, the corresponding attributes' visibilities are set according to the value selected in Stanford.You. Mappings are listed at Attributes in the People Tree.
- For Exchange, some attributes are opened up to allow the Outlook client to find an Exchange Server.
- Every user can read the data on their own object
More Information
Stanford Registry ServiceMicrosoft Technical Reference: Directory Services
