Call for Testing the New Cornell Enterprise Directory (LDAP) Environment
Identity Management is preparing to decommission the aging Enterprise Directory servers and replace them with a new cloud-based, vendor-hosted solution. A test environment is in place now, and we plan for the production environment to be available for a phased transition in about a month.
If you or your department uses a BindID to connect to the Enterprise Directory, we are requesting your assistance to test the new environment and ensure your application’s compatibility. Please reconfigure your test client applications using the following parameters and conduct LDAP searches as you normally would.
| Setting | Value |
|---|---|
| Test Environment Hostname | unified-test.directory.cornell.edu |
| Test Environment Connection Port | tcp/636 (LDAPS over TLS required) |
| Test Environment BindID Credentials | currently the same, no change necessary at this time |
There are several important changes in the new service, outlined below:
The service is cloud-based and has no internal (10-space) access.
- To access the service, your client application will need outbound internet connectivity.
- The Managed Servers environment, whether on-premises or in the cloud, has been pre-configured to allow outbound connectivity to the new Enterprise Directory environment.
- If your server resides on-premises outside of the Managed Servers environment, such as 10-space on a departmental network, Transproxy has been configured to provide NAT for this purpose.
- Networks protected by the Managed Firewall service that limit outbound connectivity can use the global address object in FortiManager called CU_GRP_Offsite_Directory_Services for the firewall policy configuration.
- Ultimately it is your responsibility to ensure that your application has outbound connectivity to the Enterprise Directory environment.
The service will only accept secure connections that utilize LDAPS on port tcp/636.
- Please ensure that your application supports simple authentication over TLS.
- Unencrypted LDAP connections over port tcp/389 are no longer supported.
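As an added example (not Identity Management's own tooling), the following standard-library Python script exercises exactly what the new service requires of a client: a TLS connection on tcp/636 with the server certificate and hostname verified against the system trust store, followed by an LDAP v3 simple bind with a BindID. The bind DN and password passed to `check_ldaps_bind` are placeholders you supply; the script assumes the vendor's certificate chains to a CA already trusted on the client host.

```python
import socket
import ssl
TEST_HOST = "unified-test.directory.cornell.edu"  # from the announcement
TEST_PORT = 636                                   # LDAPS; tcp/389 is not accepted

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value   # one BER tag-length-value element

def read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read the element at pos, returning (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_req = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind_req))  # msg_id kept below 128

def parse_bind_result(data: bytes) -> tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data, 0)
    _, _msg_id, pos = read_tlv(msg, 0)
    resp_tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x30 or resp_tag != 0x61:
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = read_tlv(resp, 0)        # ENUMERATED resultCode (0 = success, 49 = invalidCredentials)
    _, _matched, pos = read_tlv(resp, pos)  # matchedDN
    _, diag, _ = read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_ldaps_bind(bind_dn: str, password: str, host: str = TEST_HOST, port: int = TEST_PORT) -> tuple[int, str]:
    """Connect over TLS (chain and hostname verified by the default context), bind, then unbind."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_simple_bind(1, bind_dn, password))
        response = tls.recv(4096)           # assumes the whole BindResponse arrives in one read
        tls.sendall(tlv(0x30, tlv(0x02, b"\x02") + tlv(0x42, b"")))  # UnbindRequest [APPLICATION 2]
    return parse_bind_result(response)
```

A result code of 0 means the bind succeeded; 49 (invalidCredentials) means the TLS path and protocol work but the BindID or password was rejected, while a certificate verification error from `ssl` means the client's trust store does not cover the new service.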
Your current BindID and password will remain valid for the test environment.
- Password resets will be required for the production environment to adhere to modern password recommendations.
- We are working on a self-service process for password resets ahead of the production migration. More details to follow.
- The eduPersonNickname attribute will be restricted for FERPA-enabled students, as other name attributes already are.
If you encounter any issues during testing, please contact us at firstname.lastname@example.org and we will work with you to address them.