Note before syncing your group to LDAP: please be aware that when you sync a group to LDAP, everyone with a privileged bind can see group membership. If you prefer to keep your group membership confidential, do not sync to LDAP.
To sync your group to LDAP using the CalGroups application, do the following:
- Go to your CalGroups group page.
- On the top right, click on “More Actions”.
- Select “Edit Provisioning Info”.
- You will see “Sync to LDAP”.
  - Setting this to "yes" will add the group name to the berkeleyEduIsMemberOf attribute of the group members in LDAP*. Any changes to the local group will continue to be pushed to LDAP.
  - Setting this to "no" will remove the group name from the berkeleyEduIsMemberOf attribute of the members.
- By default, groups larger than 350 members will not be provisioned.
As of March 17, 2017, we will only sync to the berkeleyEduIsMemberOf attribute and will remove the actual LDAP groups from ou=campus groups. That part of the name, however, will still remain in the group paths listed in berkeleyEduIsMemberOf. Since we will be removing the actual groups, the virtual attribute, isMemberOf, will no longer be accurate and should not be used. Going forward, you should only use berkeleyEduIsMemberOf.
Requesting an LDAP Bind
If you need an LDAP bind for your CalGroups folder space, request one via Service Request in ServiceNow. Be sure to note that you are requesting a CalGroups LDAP bind. You will need to gather the following information to complete the request:
- Application Name
- Application Functional Owner/Department and Contact Information
- Application Technical Contact Information
- If data will be stored, indicate where (e.g., type of machine, physical location, hostname, database platforms)
Using your LDAP Bind to Access your CalGroups Info
Use the berkeleyEduIsMemberOf attribute in LDAP to determine a person's group membership.
If you want to determine who is in your group, you might use the filter:
'(berkeleyEduIsMemberOf=cn=edu:berkeley:org:myDept:some-group,ou=campus groups,dc=berkeley,dc=edu)'
If you want to find all the accounts that are in the all-staff group, you would use the filter:
'(berkeleyEduIsMemberOf=cn=edu:berkeley:official:employees:staff:all-staff,ou=campus groups,dc=berkeley,dc=edu)'
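If you want to check whether a particular account (here, uid=1234) is in the all-staff group, you would combine both conditions in one filter:
'(&(uid=1234)(berkeleyEduIsMemberOf=cn=edu:berkeley:official:employees:staff:all-staff,ou=campus groups,dc=berkeley,dc=edu))'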
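The following is an added example, not code from CalGroups or CalNet: it builds the filters shown above from untrusted input with RFC 4515 escaping, and checks returned berkeleyEduIsMemberOf values by exact match rather than substring. The function names, the allowed character set for group paths and the case-insensitive comparison are assumptions made for illustration.

```python
import re

GROUP_BASE = "ou=campus groups,dc=berkeley,dc=edu"  # suffix used in the page's filters
MEMBER_ATTR = "berkeleyEduIsMemberOf"

# Assumption: group paths are colon-separated segments of letters, digits, '_', '.', '-'.
_GROUP_PATH = re.compile(r"[A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+)*")

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_dn(group_path: str) -> str:
    """Turn a group path into the DN form stored in berkeleyEduIsMemberOf."""
    if not _GROUP_PATH.fullmatch(group_path):
        raise ValueError(f"unexpected group path: {group_path!r}")
    return f"cn={group_path},{GROUP_BASE}"


def members_filter(group_path: str) -> str:
    """Filter matching every account in the group."""
    return f"({MEMBER_ATTR}={escape_filter_value(group_dn(group_path))})"


def membership_filter(uid: str, group_path: str) -> str:
    """Filter matching one uid only if it is in the group."""
    return f"(&(uid={escape_filter_value(uid)}){members_filter(group_path)})"


def is_member(attr_values, group_path: str) -> bool:
    """Exact, case-insensitive match against the full DN (no substring matching)."""
    wanted = group_dn(group_path).lower()
    return any(v.strip().lower() == wanted for v in attr_values)


if __name__ == "__main__":
    staff = "edu:berkeley:official:employees:staff:all-staff"
    print(membership_filter("1234", staff))
    # Constructed hostile uid: the wildcard and parentheses are neutralised.
    print(membership_filter("*)(uid=*", staff))
```

Matching on the whole DN matters for authorization decisions: a substring test for `some-group` would also accept a value naming `not-some-group`.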
Support
Request a new CalGroups folder space, or change or delete an existing space via Service Request in ServiceNow.
If you have questions about CalGroups, including LDAP questions, contact: calnet-admin@berkeley.edu.