Instructional & Research Information Systems
LDAP (Lightweight Directory Access Protocol) service
We experienced a failure of EECS LDAP authentication, from about 5:50pm to 10:30pm, due to routine patches changing some file permissions for saslauthd. The issue has been corrected, and LDAP authentication is working again.
The problem may have been most noticeable when attempting to login to various EECS web forms (e.g. system registration or user account request forms).
At this time, the department LDAP server ldap.eecs.berkeley.edu (aka ldap.cs.berkeley.edu) accepts implicit SSLv3 and TLS 1.0, 1.1 and 1.2 connections on port 636, and allow STARTTLS negotiation for the same protocols on port 389.
Beginning Tuesday, February 19th 2019 at 8am, our LDAP servers will no longer accept SSLv3 or TLSv1.0 connections. All clients must use TLS v1.1 or v1.2.
Please send any questions or problem reports to help@eecs.berkeley.edu.
[Read more…] about LDAP SSL/TLS changes
Resolved as of 2017-12-20 14:07:00
The LDAP servers behind the load balancer for ldap.eecs.berkeley.edu will be upgraded tonight between 6pm and 8pm. Beginning at 6pm a final backup will be made of the data on the old servers, loaded into the new servers, and then the old servers will be retired. No service interruption is expected as the load balancer will be used to route requests to the right machines during the transition.
This is a change in both operating system and OpenLDAP software version. We have been testing the new servers for several months and do not expect any problems, but please inform help@eecs if you have any issues after the upgrade.
One enhancement is the addition of the memberOf overlay. This puts a new attribute (memberOf) in each person’s record to reflect LDAP groups they are members of, and is needed for some authorization situations.
Unix groups and automount maps are now also published in LDAP. Documentation is being prepared which will describe how to configure sssd on Unix/Linux machines to use these new OUs in LDAP instead of NIS.
[Read more…] about LDAP upgrade tonight, 6pm
Due to a fire threatening our transformers, PG&E has advised campus we will be losing power.
IRIS is taking proactive steps to shut down as much equipment safely before we totally lose power.
See https://www.nixle.us/9HHZX for the warning from UCPD.
[Read more…] about Campus losing power, IRIS services shutting down
Resolved as of 2017-01-20 12:10:00
We are upgrading our [LDAP infrastructure](https://iris.eecs.berkeley.edu/news/10933-department-ldap-upgrade-thu-jan) to replace an old server with a new machine. This server is a backup node which should take over the role of the LDAP server if the primary server fails. In order to ensure the new server is performing as expected, we will be simulating a failure of the primary node at 10pm on Wednesday, June 17th. The backup node should take over within 5 seconds. If all goes as planned, we will then bring the primary back up and call it a successful test.
During this testing, there will be brief (~5 second) interruptions in LDAP service. This will occur at least twice but possibly more if the first test is unsuccessful. During those brief intervals, anyone whose timing is especially good might notice trouble logging into any application that uses LDAP.
All testing will be over by 10:30pm at the latest, but probably much sooner.
[Read more…] about LDAP High-Availability Testing Wednesday 10pm
We are currently seeing slowness in services that use LDAP authentication. This affects any services that prompt for LDAP login, such as our network registration forms, our Jabber server, and any EECS LDAP-authenticated websites.
[Read more…] about Slowness for services that use LDAP authentication
We’re getting reports of trouble authenticating to various EECS resources (EECS-Secure, LDAP). Staff are investigating.
[Read more…] about Authentication Trouble
On Tuesday, April 1, 2014 IRIS will begin restricting access to the EECS LDAP directory server (`ldap.eecs.berkeley.edu`) from off-campus IP addresses. This will primarily affect people who use email programs such as Thunderbird, Outlook or Apple Mail that are configured to auto-complete email addresses from our directory. This will not affect people using the bMail web interface.
At this time, anonymous queries are allowed against the EECS LDAP directory, but searches are restricted to no more than 100 results. Unfortunately this configuration still allows an anonymous query to retrieve some details about a specific person, such as their email address, phone number or advisor. To mitigate this, after April 1 only authenticated queries will be allowed when coming from an off-campus IP address. For the purposes of this change, “off-campus” means an IP not in the any of the following ranges:
Those who need continued anonymous access to the directory from off-campus can use the [campus VPN](http://ist.berkeley.edu/node/591), which will give their off-campus machine a campus IP address. Those who need to run queries that return unlimited results can bind to the directory using their EECS credentials, or an “application” account can be created if needed.
We expect this change will affect a small number of people, but if you have any concerns or questions please contact the IRIS helpdesk at help@eecs.berkeley.edu.
[Read more…] about Changes to EECS LDAP Access from off-campus