LDAP

Enterprise LDAP Service

ITS supports an enterprise LDAP service that software applications can use to authenticate users with their VUnetID and ePassword. This directory service is a highly available redundant service integrated with the centralized identity management service. LDAP service points and nodes are located in several areas to support both campus and medical center applications.

Applications that use standard Microsoft processes, such as the DC Locator service, to automatically find appropriate and available domain controllers, and that adhere to modern Microsoft security protocols such as Kerberos, should consider using the Enterprise Active Directory Service instead.

There are several components to Vanderbilt’s enterprise LDAP service that applications can leverage:

ePassword LDAP

The ePassword LDAP service supports all VUnetID accounts that are currently affiliated with Vanderbilt. This includes all current students, faculty, staff and others with an active VUnetID. Applications that use this LDAP service can verify a user’s VUnetID and ePassword and then read additional attributes about the authenticated user. Using these additional attributes from the LDAP directory lets the application offer a richer experience for the end user. The attributes include directory information about the authenticated user, such as name, email address, contact information and other key identifiers.

Once an individual is no longer affiliated with Vanderbilt, their ePassword access is revoked. Depending on the type of account, this can happen immediately, or after a set period of time.

VUnetID for Life

The VUnetID for Life LDAP service supports all VUnetID accounts created since May of 2009. If your VUnetID was active at that time, your account was automatically created within this service. All future VUnetID accounts will also be added automatically to this service. VUnetID for Life is a special directory service that continues to support an individual’s VUnetID and ePassword even after they are no longer an active student, faculty or staff member. This allows users to continue to authenticate and verify their identity with applications that choose to leverage this service.

In addition to supporting authentication, account information is available to authorized resource IDs and can be used to make high-level authorization decisions. Information such as employment and student status is available, along with other unique keys that link this account to other systems for matching.

UNIX LDAP access

ITS now offers UNIX administrators, and those relying on centralized accounts in UNIX/Linux environments, the ability to integrate with ePassword LDAP accounts. UNIX LDAP allows each organization to host its own individual, separate and secure environment for managing users, hosts and services while still relying on the account maintenance provided by ePassword LDAP. Each interested organization must submit its request for UNIX LDAP access to ITS Partner, where it will be evaluated for integration. ITS reserves the right to be authoritative for certain user attributes (uid, password, first and last name) and expects that all other attribute, host or service information will be maintained by the requesting party. Please send all questions or inquiries to eaids@vanderbilt.edu.

Guest LDAP

A Guest LDAP infrastructure was created for applications that need to grant user access without complete, verifiable identity information. Guest LDAP holds accounts that are created when a request for access is initiated without the need to create an ePassword account. Guest LDAP is also integrated with other authentication sources such as Facebook, Windows Live and Google, allowing a more diverse set of authentication mechanisms. Guest LDAP is not meant to replace or supersede ePassword LDAP; instead it gives application owners a source of accounts that may be temporary (such as vendor accounts) or that serve users on their way to ePassword accounts. Access to Guest LDAP is determined on a case-by-case basis.

For more information about using any of these enterprise services, please fill out a request to use VUnetID authentication.