IRIS

Instructional & Research Information Systems


Changes to EECS LDAP Access from off-campus

April 1, 2014 by Rob McNicholas

On Tuesday, April 1, 2014, IRIS will begin restricting access to the EECS LDAP directory server (`ldap.eecs.berkeley.edu`) from off-campus IP addresses. This will primarily affect people who use email programs such as Thunderbird, Outlook or Apple Mail that are configured to auto-complete email addresses from our directory. This will not affect people using the bMail web interface.

At this time, anonymous queries are allowed against the EECS LDAP directory, but searches are restricted to no more than 100 results. Unfortunately this configuration still allows an anonymous query to retrieve some details about a specific person, such as their email address, phone number or advisor. To mitigate this, after April 1 only authenticated queries will be allowed when coming from an off-campus IP address. For the purposes of this change, “off-campus” means an IP not in any of the following ranges:

  • 128.32.0.0/16
  • 169.229.0.0/16
  • 136.152.0.0/16
  • 172.16.0.0/16
  • 10.16.0.0/16


Those who need continued anonymous access to the directory from off-campus can use the [campus VPN](http://ist.berkeley.edu/node/591), which will give their off-campus machine a campus IP address. Those who need to run queries that return unlimited results can bind to the directory using their EECS credentials, or an “application” account can be created if needed.

We expect this change will affect a small number of people, but if you have any concerns or questions please contact the IRIS helpdesk at help@eecs.berkeley.edu.

UPDATE

[2014-08-07 15:37:09 | Rob McNicholas]

Our initial plan to restrict LDAP access ran into some problems and has been rescheduled. We hope to revisit this issue in September, 2014.

Our use of haproxy prevents the OpenLDAP nodes from seeing the IP address of the clients, which prevents us from using OpenLDAP-based ACLs. We are upgrading the operating system and haproxy software on and deploying new haproxy nodes which we hope will allow us to work around this limitation.
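The access rule described in this announcement, and the way a proxy in front of the directory defeats it, can be modelled in a few lines. This is an added example, not IRIS configuration or code: the function names, the sample client address `203.0.113.7` and the proxy address `128.32.0.10` are constructed, and the proxy is assumed to sit inside a campus range.

```python
import ipaddress

# Ranges the announcement treats as on-campus.
CAMPUS_NETS = [ipaddress.ip_network(n) for n in (
    "128.32.0.0/16", "169.229.0.0/16", "136.152.0.0/16",
    "172.16.0.0/16", "10.16.0.0/16")]
ANON_RESULT_LIMIT = 100  # cap on anonymous searches stated in the announcement


def is_on_campus(addr):
    """True if addr falls inside one of the listed campus ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def decide(peer_addr, authenticated):
    """Return (allowed, size_limit) for one LDAP query.

    peer_addr is the address the directory server sees on the TCP
    connection; a size_limit of None means unlimited results.
    """
    if authenticated:
        return True, None               # bound with credentials
    if is_on_campus(peer_addr):
        return True, ANON_RESULT_LIMIT  # anonymous, campus address
    return False, 0                     # anonymous, off-campus: refused


def decide_behind_proxy(client_addr, proxy_addr, authenticated,
                        proxy_passes_client_ip):
    """Same policy, evaluated by a backend that sits behind a TCP proxy.

    Unless the proxy hands the original client address to the backend,
    the backend can only evaluate the proxy's own address.
    """
    seen = client_addr if proxy_passes_client_ip else proxy_addr
    return decide(seen, authenticated)


if __name__ == "__main__":
    # Constructed addresses: an off-campus client and a campus proxy node.
    for passes in (False, True):
        print(passes, decide_behind_proxy("203.0.113.7", "128.32.0.10",
                                          False, passes))
```

When the backend sees only the proxy's address, the off-campus anonymous query is evaluated as a campus one and allowed, which is why an address-based ACL on the directory nodes cannot enforce the restriction in that layout.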



Resolved as of 2014-08-07 15:31:00

Filed Under: Resolved Incidents Services: LDAP
