LDAP Standards Policy

Policy Information

LDAP Service

LDAP service for Vanderbilt is available to all application owners who have been granted permission to use it. The requirements listed below are mandatory for continued use of the LDAP system and must be adhered to in all cases. If there is a question or concern about any of the policies listed below, please contact the Vanderbilt IT/Active Directory Team at eaids@vanderbilt.edu.

For ELDAP, GLDAP and VLDAP

  • All clients need to be registered to use the service. To register, please go to the registration web page.
  • All communication to LDAP will be conducted via port 636/TCP using SSL (LDAPS).
  • All BINDs are simple BINDs
  • LDAP clients should be version 3 compliant
  • Anonymous connections are not allowed
  • All clients must reside on the Vanderbilt network (no exceptions). For clients off campus that need access to authentication and user attribute information, please refer to Federated Services (SAML) instead.
  • Access to user information is allowed only through resource accounts; all other accounts are not allowed to view other users’ data. Submit requests via the registration web page.
  • Access to HR, SR, Card, and Pager attribute values requires additional elevated access that is granted upon request to Vanderbilt IT/IDIS via ticket. Please send the reason for the elevated request along with the name of the application, the name of the user requesting, and the resource account that requires access. Your request will be forwarded to the appropriate owner of the attribute data for their approval.
  • LDAP clients are never allowed to modify
  • The LDAP service uses publicly trusted GeoTrust SSL server certificates.
  • LDAP traffic is monitored for performance and availability. In cases where there are unusual amounts of traffic or malformed requests, VUIT/Directory Services reserves the right to exclude the client. Every attempt will be made to contact the client’s service owners before any action is taken. Exclusion will only be initiated if client traffic threatens or is degrading the LDAP service to an unacceptable level. In the case of normal high levels of traffic, VUIT/Directory Services has the capacity to scale up without restricting clients. If you anticipate heavy usage, check with Vanderbilt IT before you deploy your client. Excessive use is defined as a large number of LDAP operations over an extended time during which performance is drastically impacted; this could take the form of either a denial-of-service (DoS) attack or a misconfigured client.

For ULDAP

  • All clients need to be registered to use the service. To register, please go to the registration web page.
  • All communication to LDAP will be conducted via port 636/TCP using SSL (LDAPS).
  • All BINDs are simple BINDs
  • LDAP clients should be version 3 compliant
  • Anonymous connections are not allowed
  • All clients must reside on the Vanderbilt network (no exceptions). For clients off campus that need access to authentication and user attribute information, please refer to Federated Services (SAML) instead.
  • Access to user information is allowed only through resource accounts; all other accounts are not allowed to view other users’ data. Submit requests via the registration web page.
  • Departments that use the service are allowed to modify certain areas of LDAP, as agreed upon by both Vanderbilt VUIT and the internal department.
  • The LDAP service uses publicly trusted GeoTrust SSL server certificates.
  • LDAP traffic is monitored for performance and availability. In cases where there are unusual amounts of traffic or malformed requests, VUIT/Directory Services reserves the right to exclude the client. Every attempt will be made to contact the client’s service owners before any action is taken. Exclusion will only be initiated if client traffic threatens or is degrading the LDAP service to an unacceptable level. In the case of normal high levels of traffic, VUIT/Directory Services has the capacity to scale up without restricting clients. If you anticipate heavy usage, check with Vanderbilt IT before you deploy your client. Excessive use is defined as a large number of LDAP operations over an extended time during which performance is drastically impacted; this could take the form of either a denial-of-service (DoS) attack or a misconfigured client.