Web Administration: Projects
Authenticated UF LDAP field specification
To comply with FERPA and various other statutes, the CIO has proposed updating the UF LDAP server. Under this proposal, a distinction will be made between queries made by the general public (i.e. anonymous requesters) and queries made by authenticated members of the UF community (e.g. faculty, staff, and students).
Vocabulary and terms of art used in this document
The most important way in which the UF Directory represents a relationship between a person and the University is the field “primary affiliation.” This is a very precise determination, and it is important that people using the university’s data systems understand the distinctions implied. As of October 2007, only eight primary affiliations exist in the UF Directory:
| Code | Primary affiliation |
|---|---|
| A | Alumni (1) |
| E | Employee |
| F | Faculty |
| L | Affiliate |
| M | Member |
| P | Pre-applicant (2) |
| S | Student |
| T | Staff |
Notes:
- Alumni are not permitted to publish their data in UF LDAP by administrative decision; their data is present, but not available to anonymous requesters.
- Pre-applicants are not permitted to be present in UF LDAP by administrative decision.
For the purposes of the access-control strictures discussed herein, “staff” and “employee” affiliations will be treated identically, and referred to in the collective as “staff”.
Similarly, “alumni”, “member”, “affiliate” and “pre-applicant” will all be referred to in the collective as “other”.
Some individuals have statutory barriers to their data being available, including police officers and students who have requested Buckley Amendment protection. These individuals are said to have “legislative protection” privacy enabled, meaning their records are protected.
UF LDAP field groups
To simplify discussion of the UF LDAP access-control strictures, the following field groups are defined. The purpose of these groups is to aid classification and access decisions.
| Field Group Name | Fields included | Notes |
|---|---|---|
| LDAP infrastructure fields | DN, objectClass, ou | These fields are a fundamental part of the LDAP infrastructure. |
| Administrative fields | uflEduUniversityId, uflEduPsDeptId, eduPersonOrgDN, departmentNumber, uflEduPrivacy | These fields are fundamental to any application wishing to make use of LDAP data, but are probably uninteresting to human readers for formatting reasons. |
| Basic person identification fields | displayName, cn, sn, givenName, eduPersonPrimaryAffiliation, eduPersonAffiliation, o, title, preferredLanguage | These fields represent the core of a person’s record: their name, affiliation with the university, the organization (if any) with which they are most closely associated, etc. |
| Official university contact information | telephoneNumber, street, postalAddress, registeredAddress, uflEduOfficeLocation | These fields hold the primary contact channel for official business between the University and the person in question. This denotation has some subtleties: it comprises, in UF Directory parlance, the “UF Business Mailing Address”, the “UF Business Physical Address”, and the “UF Business Telephone Number”. For staff and faculty, it is reasonable to presume that this reflects their office address (though this is only a presumption). For students, it is impossible to guess whether the address chosen for this use is the permanent home address, the local home address, or some office address. |
| Home contact information | homePhone, homePostalAddress | These fields hold the home contact data, which might have been extracted from the “Temporary home mailing address”, the “Local home mailing address”, or the “Permanent home mailing address”. There is a similar cascade of possible sources for the phone number. |
| Other contact information | facsimileTelephoneNumber | facsimileTelephoneNumber holds the UF Directory data from “Facsimile Telephone Number”. |
| Primary email | mail | mail holds the UF Directory data from “UF Business Email Address”. |
| POSIX account fields | uidNumber, gidNumber, homeDirectory, loginShell, gecos | These data are used by POSIX (Unix-like) systems to identify UF users. |
| Personal information | uflEduBirthDate, uflEduGender | Probably self-explanatory. |
| Emergency contact information | mobile; personal email; emergency contact address, phone, email and name | mobile holds the UF Directory data from “Cellular Telephone Number”; personal email is the UF Directory field of the same name; the remaining fields are the address, phone, name and email carrying the category “Emergency Contact” in the UF Directory. |
- As of May 2008, the uflEduAll* fields have been removed.
- As of May 2008, the uflEduUuid field has been removed.
Access Control Lists
Some of the field groups have simple access-control rules. Any time UF LDAP acknowledges the existence of a person and returns related data, it will permit access to the LDAP infrastructure, administrative, basic person identification, official university contact and POSIX account field groups. Conversely, UF LDAP will never give access to personal information (or other internal data) except to administrative applications.
UF LDAP will provide access to the ancillary information marked to be published, to authenticated users, but not to anonymous users.
UF LDAP will not provide emergency contact information. Note that as of October 2007, the my.ufl.edu > My Account > Update Emergency Contact form allows users to enter emergency data into the UF Directory with the publish flag set to “n”. Gatordex also allows users to enter some of this data and to set the value of the publish flag themselves. A separate project is under review to make the data entry points more consistent.
This leaves the categories of home contact data, other contact data, and primary email. The rules for these are laid out in the grid below, where each row is the requester’s affiliation and each column is the affiliation of the person whose record is requested (the target):
| Requester ↓ / Target → | Faculty, staff, or employee | Student | Other affiliations |
|---|---|---|---|
| Anonymous user | (M) Primary email, (E) Other contact data | No data | (M) Primary email, (E) Other contact data |
| Faculty, staff, or employee | (M) Primary email, (E) Other contact data, (E) Home contact data. | (M) Primary email, (E) Other contact data, (E) Home contact data. | (M) Primary email, (E) Other contact data, (E) Home contact data. |
| Student | (M) Primary email, (E) Other contact data, (E) Home contact data. | (E) Primary email, (E) Other contact data, (E) Home contact data. | (M) Primary email, (E) Other contact data, (E) Home contact data. |
| Other affiliations | (M) Primary email, (E) Other contact data, (E) Home contact data. | (E) Primary email, (E) Other contact data, (E) Home contact data. | (M) Primary email, (E) Other contact data, (E) Home contact data. |
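The rules above (always-visible groups, admin-only groups, the alumni and pre-applicant exclusions, legislative protection, and the requester/target grid) are easiest to check when written down as a single decision function that can be run against sample entries and compared with what the real directory returns. The following is an added example and not UF’s own code. The field groups, affiliation codes and grid come from this page; the sample entries are constructed, and two points the page leaves open are marked as assumptions in the code: the grid’s (M)/(E) markers are treated simply as “visible”, and legislative protection is passed as a flag (withholding the record from everyone except administrative applications) because the page does not say how it is encoded in the entry.

```python
"""Reference oracle for the UF LDAP field-visibility rules on this page.

Added example, not UF's code. Field groups, affiliation letters and the
requester/target grid come from the spec; anything marked ASSUMPTION is not.
"""
from typing import Dict, Optional, Set

# Field groups -> attribute names, as listed in the "UF LDAP field groups" table.
# The emergency-contact group keeps only `mobile`; the other members are UF
# Directory categories whose LDAP attribute names the page does not give.
FIELD_GROUPS: Dict[str, Set[str]] = {
    "infrastructure": {"dn", "objectClass", "ou"},
    "administrative": {"uflEduUniversityId", "uflEduPsDeptId", "eduPersonOrgDN",
                       "departmentNumber", "uflEduPrivacy"},
    "basic": {"displayName", "cn", "sn", "givenName", "eduPersonPrimaryAffiliation",
              "eduPersonAffiliation", "o", "title", "preferredLanguage"},
    "official_contact": {"telephoneNumber", "street", "postalAddress",
                         "registeredAddress", "uflEduOfficeLocation"},
    "home_contact": {"homePhone", "homePostalAddress"},
    "other_contact": {"facsimileTelephoneNumber"},
    "primary_email": {"mail"},
    "posix": {"uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos"},
    "personal": {"uflEduBirthDate", "uflEduGender"},
    "emergency": {"mobile"},
}

# Groups returned whenever the entry is acknowledged at all; the remaining
# groups "personal" and "emergency" go only to administrative applications.
ALWAYS_VISIBLE = {"infrastructure", "administrative", "basic", "official_contact", "posix"}

# Primary-affiliation codes collapsed into the classes the ACL reasons about:
# employee/staff -> "staff"; alumni/affiliate/member/pre-applicant -> "other".
AFFILIATION_CLASS = {"F": "staff", "E": "staff", "T": "staff", "S": "student",
                     "A": "other", "L": "other", "M": "other", "P": "other"}


def visible_groups(requester: str, target: str) -> Set[str]:
    """Groups among home contact, other contact and primary email per the grid.

    `requester` is "anonymous", "staff", "student" or "other"; `target` is
    "staff", "student" or "other". ASSUMPTION: the grid's (M)/(E) markers are
    not defined on the page, so both are treated simply as "visible".
    """
    if requester == "anonymous":
        return set() if target == "student" else {"primary_email", "other_contact"}
    return {"primary_email", "other_contact", "home_contact"}


def filter_entry(entry: Dict[str, object],
                 requester_affiliation: Optional[str] = None,
                 admin_app: bool = False,
                 legislatively_protected: bool = False) -> Optional[Dict[str, object]]:
    """Return the attributes the requester may see, or None if the record is withheld.

    requester_affiliation is the requester's primary-affiliation code, or None
    for an anonymous bind. ASSUMPTION: legislative protection is passed as a
    flag and hides the record from everyone except administrative applications.
    """
    aff = entry["eduPersonPrimaryAffiliation"]
    if aff == "P":
        return None                 # pre-applicants are not present in UF LDAP at all
    if admin_app:
        return dict(entry)          # administrative applications may read every field
    if legislatively_protected:
        return None
    requester = ("anonymous" if requester_affiliation is None
                 else AFFILIATION_CLASS[requester_affiliation])
    if requester == "anonymous" and aff == "A":
        return None                 # alumni data is withheld from anonymous requesters
    groups = ALWAYS_VISIBLE | visible_groups(requester, AFFILIATION_CLASS[aff])
    allowed = set().union(*(FIELD_GROUPS[g] for g in groups))
    return {k: v for k, v in entry.items() if k in allowed}


# Constructed sample entries (not real directory data).
STAFF = {"dn": "uid=jdoe,ou=People,dc=ufl,dc=edu", "cn": "Jane Doe",
         "eduPersonPrimaryAffiliation": "T", "mail": "jdoe@ufl.edu",
         "facsimileTelephoneNumber": "+1 352 555 0100", "homePhone": "+1 352 555 0199",
         "uflEduBirthDate": "1970-01-01", "mobile": "+1 352 555 0123"}
STUDENT = {"dn": "uid=astudent,ou=People,dc=ufl,dc=edu", "cn": "A. Student",
           "eduPersonPrimaryAffiliation": "S", "mail": "astudent@ufl.edu",
           "homePhone": "+1 352 555 0177"}
ALUM = {"dn": "uid=alum,ou=People,dc=ufl,dc=edu", "cn": "Old Gator",
        "eduPersonPrimaryAffiliation": "A", "mail": "alum@example.org"}

if __name__ == "__main__":
    print(sorted(filter_entry(STAFF)))        # anonymous: no homePhone, mobile, birth date
    print(sorted(filter_entry(STUDENT)))      # anonymous: cn, dn and affiliation only
    print(filter_entry(ALUM))                 # anonymous: record withheld (None)
    print(sorted(filter_entry(STAFF, "S")))   # student requester also sees homePhone
```

Running the oracle against a real search result (the same entry fetched once with an anonymous bind and once as an authenticated student) gives a direct way to confirm that the server’s ACLs match the grid.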