Some notes concerning the UIUC LDAP server (test)

The production test LDAP (Lightweight Directory Access Protocol) server that CCSO is operating is found at ldaptest.uiuc.edu (currently hijo.cso.uiuc.edu), responding at the standard LDAP port of 389. Netscape's Directory Server v3.1 is the server software being used.

This LDAP directory now has a complete list of all the active people from the UIUC PH files. (Active means not having a value in the left_uiuc field.) It also contains all the 'unit phone' (unit information from the front of the campus phone book) and 'other phone' (Registered Organizations and other such groups) records that have at least a phone number or email address filled in.

The LDAP directory was created from a PH extract as of Wednesday, May 27. Each morning at 4:30 am, the LDAP directory is updated by processing changes based on a diff between daily PH extracts. Thus the LDAP directory should generally not be more than 24 hours 'out-of-date' with the information in PH.

Besides name, email, and URL information, the directory also contains the department, title, phone, and address fields (just the 'primary' 'phone' and 'address' fields). The 'nickname' field has been used to create some alternate name values in LDAP that will hopefully provide functionality similar to PH's (LDAP does not have a pre-defined nickname field that is automatically consulted in name searches). The 'callsign' field has been brought over as a field called 'NetIDprevious'.

Note: The server is currently configured to limit entries returned to 50. And the primary suffix/search base for the LDAP server has currently been set to:

o=University of Illinois at Urbana-Champaign
but the LDAP server has been set up to automatically refer (re-direct) any query made to it to the above suffix/search base. So if the client you are using for LDAP knows how to handle referrals (and both Communicator and Outlook do), it doesn't matter what you specify for the search base -- you can leave it blank. I don't know yet if Eudora handles this referral correctly.
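For readers who want to see what a referral actually carries: an LDAPv3 server returns referrals as LDAP URLs in the RFC 2255 format (the same form used for the Mac Eudora 'directory services' host further down in these notes). The following Python is an added illustration, not part of these notes or of Netscape's server software. It parses such a URL into host, port, search base, attributes, scope and filter, and shows the one check a referral-following client should make before chasing a referral: that the referred-to host is one it already trusts, since otherwise the user's search goes to whatever server the referral names. The example port 3890, the rogue host name and the 'trusted hosts' list are constructed values; bracketed IPv6 hosts are not handled.

```python
from urllib.parse import unquote

DEFAULT_PORT = 389  # the standard LDAP port mentioned at the top of these notes


def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL into its components.

    Grammar (RFC 2255): ldap://host:port/dn?attributes?scope?filter?extensions
    Everything after the host is optional; a missing scope means 'base' and a
    missing filter means '(objectClass=*)', as the RFC specifies. Percent-
    encoded characters (e.g. %20 for a space) are decoded. Bracketed IPv6
    hosts are deliberately not handled in this illustration.
    """
    scheme, sep, rest = url.partition("://")
    if sep != "://" or scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL: %r" % url)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    port = int(port) if port else DEFAULT_PORT
    fields = path.split("?", 4)
    fields += [""] * (5 - len(fields))  # pad the optional trailing parts
    dn, attrs, scope, filt, exts = fields
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope in LDAP URL: %r" % scope)
    return {
        "host": host,
        "port": port,
        "dn": unquote(dn),
        "attributes": [a for a in unquote(attrs).split(",") if a],
        "scope": scope,
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in unquote(exts).split(",") if e],
    }


def is_acceptable_referral(url, trusted_hosts):
    """Decide whether a client should chase a referral it was handed.

    A referral is just an LDAP URL the server chooses; following it blindly
    sends the user's search (and, if the client re-binds, the user's
    credentials) to whatever host the URL names. A cautious client therefore
    only follows referrals to hosts it already trusts. The trusted list is a
    constructed example value.
    """
    try:
        parts = parse_ldap_url(url)
    except ValueError:
        return False
    return parts["host"].lower() in {h.lower() for h in trusted_hosts}


if __name__ == "__main__":
    # The URL form used for Mac Eudora's 'directory services' host in these notes.
    print(parse_ldap_url("ldap://ldaptest.uiuc.edu/o=University of Illinois at Urbana-Champaign"))
    # A constructed rogue referral that a client should decline to follow.
    print(is_acceptable_referral("ldap://rogue.example.net/o=Somewhere", ["ldaptest.uiuc.edu"]))
```

The parser treats the parts after the host strictly positionally, as the RFC does, so a URL that omits the attribute list but gives a scope still needs its empty `?` separator (for example `ldap://host/dn??sub?(sn=Grady)`).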

LDAP-capable clients and the ldap queries they generate

The various LDAP-capable clients (such as Communicator, Eudora, and Outlook [98|Express]) vary greatly in the actual ldap query they generate when the user searches for a name. These variations in the query often result in a different set of 'hits' being returned for the same search, depending on which client is being used. In many cases, despite the variations, the user will still likely find the person they were looking for. But this won't always be the case, particularly with Win Eudora, which generates such an open-ended query that the search limits imposed on the server will often cause only a partial result to be returned to the user.

The LDAP-capable clients vary in how they present the results of the search. Both Outlook [98|Express] and Communicator do this fairly well. Eudora's presentation could use some improvement.

The LDAP-capable clients also vary in how well they handle error messages returned from the LDAP server. These error messages are usually due to the search being ended prematurely because one of the configurable search limits imposed on the server has been reached. Currently, only Outlook [98|Express] seems to report a correct message back to the user.

How to configure your LDAP-capable client to search the UIUC LDAP server

Communicator 4.x and LDAP

To configure a Communicator 4.x browser to look up people in the UIUC LDAP directory, do the following:
  1. From the pull-down menus choose:
    Edit -- Preferences

  2. In the Preferences window, choose:
    Mail & Groups -- Directory

  3. In the Directory frame, click on the 'New..' button

  4. In the Directory Server Property box that pops up, fill in the following:
    Description: whatever you want (e.g. UIUC LDAP server)
    LDAP Server: ldaptest.uiuc.edu
    Search Root: o=University of Illinois at Urbana-Champaign. Or you can leave it blank, per the note above.
    Port Number: 389 (this is the default)
    Maximum Number of Hits: whatever (server is configured to not return more than 50 anyway)
  5. Click OK in the Directory Server Property box, and then in the Preferences window. Before clicking on OK in the Preferences window, you might want to re-order your Directory choices by using the arrow keys or dragging, depending on platform.

You can now access the LDAP server by going into the Address Book feature (can be accessed from the Communicator pull-down list). Type a name into the search box, and choose the UIUC LDAP server, and then search. You can also get more complex search options by clicking on the Directory icon in the menu bar of the Address Book window.

One can also highly customize the LDAP settings for Communicator by directly editing the prefs.js file (at least on Win32). Netscape has a technical article about how to do this entitled CUSTOMIZING LDAP SETTINGS FOR COMMUNICATOR.

Outlook Express and LDAP (Outlook 98 is similar)

To configure Outlook Express to look up people in the UIUC LDAP directory, do the following:
  1. From the pull-down menus choose:
    Tools -- Accounts

  2. In the Internet Accounts window, click on:
    Add > -- Directory Service

  3. Then the Internet Connection Wizard steps in. For each choice box, fill in the following:
    Internet directory (LDAP server): ldaptest.uiuc.edu
    Check EMAIL Addresses: your choice
    Friendly Name: pick one (e.g. UIUC LDAP server)
  4. Click FINISH in the Congratulations box

  5. Now you need to edit the 'Properties' of this new entry. Highlight the friendly name you chose in the Internet Accounts box, and click on the Properties button.

  6. In the Properties box, click on the Advanced tab.

  7. Under the Advanced tab, set the value of the Search base field to:
    o=University of Illinois at Urbana-Champaign.
    Or you can leave it blank, per the note above.

  8. DO NOT choose the Use simple search filter option (or you'll find that most of your searches will fail). I'll add a section to these notes later on that outlines the LDAP queries being formulated by these various products, and that will explain why choosing this option causes problems.

  9. Click OK in the Properties box. In the Internet Accounts window, you might want to use the Set Order.. button to order your choices.

  10. Close the Internet Accounts window

You can now access the LDAP server by using the Find People or Address Book icons. If you go into the Address Book, click on the Find icon. Type a name into the name box (or email address into E-mail box), and choose the UIUC LDAP server, and then click on Find now.

Win Eudora and LDAP

To configure Eudora to look up people in the UIUC LDAP directory, do the following:
  1. Open up directory services (control-y)

  2. In the protocols window, select "LDAP" and click on new database. That will bring up a tabbed window with settings for your new server.

  3. Under the network tab, enter ldaptest.uiuc.edu where it asks for the server address. Leave the default port alone. Enter a descriptive name (e.g. UIUC LDAP server) where it says to enter a descriptive name.

  4. Under the search options tab, enter in the field labeled Search base:
    o=University of Illinois at Urbana-Champaign.
    Or you may be able to leave it blank, per the note above.

  5. Click OK in the protocols window, and things are configured.

Mac Eudora (4.x) and LDAP

Unlike some of the other LDAP-capable clients, Mac Eudora makes it relatively easy to modify the format of the actual ldap query it generates. The default query as configured in Mac Eudora uses a field name (gn) that is not defined in LDAP. By following the instructions below, you can modify the query Mac Eudora creates so that it works best with the UIUC LDAP server.

(Note these instructions come from Stan Kerr, and derive from the efforts of Mark Notarus and Stan Kerr.)

To configure Eudora to look up people in the UIUC LDAP directory, do the following:

  1. Moved 'Eudora LDAP Library' to the Extensions folder. (It had been in the Eudora folder.) The version I have for this file is 1.0.

  2. Got a more current version of the Eudora plugin 'Esoteric Settings 4.0' from Mark. I had an 'Esoteric Settings 4.0' dated Oct/97, and he had one dated this Spring. Apparently '4.0' doesn't mean much. Most likely the latest versions of Mac Eudora have this plugin, but I don't know for sure. The plugin lives in the Eudora folder itself, not in a subfolder.

  3. In Special->Settings, under Hosts, I set the 'directory services' host to:
    ldap://ldaptest.uiuc.edu/o=University of Illinois at Urbana-Champaign
    (Or you may be able to leave off the /o=University of Illinois at Urbana-Champaign part, per the note above.)

  4. After rebooting the system and restarting Eudora, I went to Special->Settings, selected LDAP, and edited the 'word-wise search filter template' to be:

    (|(cn=*^0*)(sn=*^0*))
(Note Stan also said: "After having made all these changes, I still seemed to be getting no response, so I twiddled some more, and retyped the directory services host URL, and boom! it started working. So I'm not absolutely 100% certain there isn't something more going on, but for the moment it's working.")

Some references on LDAP:

Lightweight Directory Access Protocol (University of Michigan)
An Internet Approach to Directories (a Netscape 'white paper')
University of Michigan's LDAP directory (web interface)

RFC2256 -- A Summary of the X.500(96) User Schema for use with LDAPv3
RFC2255 -- The LDAP URL Format
RFC2254 -- The String Representation of LDAP Search Filters
RFC2251 -- Lightweight Directory Access Protocol


m-grady@uiuc.edu