This document is intended for IT Professionals seeking to understand how data
in GDS is mapped to UWWI.
| GDS | UWWI |
|---|---|
| `dn: serialNumber=<regid>,ou=groups,dc=washington,dc=edu`<br>where `<regid>` is the UW RegID. | `dn: cn=<blah>,OU=Standard,OU=GDS,OU=Groups,DC=netid,DC=washington,DC=edu`<br>where `<blah>` is described below under cn. |
| `objectClass: uwDepartmentGroup` | `objectClass: top; uwEntity; group;` |
| `serialNumber: <regid>` | No complement. AD uses the SID for uniqueness, and since the serialNumber has no value to users, serialNumber was dropped. |
| `uwRegID: <regid>` | `uwRegID: <regid>` |
| `cn: <group name>` | `cn: <group name>`<br>`samAccountName: <group name>`<br>where `<group name>` is the first value of the multi-valued GDS cn at the time the AD group is created. If the GDS cn is single-valued, the UWWI cn is updated; otherwise the UWWI cn is never updated. |
| `description: <group description>` | `description: <group description>` |
| `owner: uwNetID=<uwnetid>` | `managedBy: <Active Directory DN of <uwnetid>>`<br>where `<uwnetid>` is searched in UWWI and the DN of that object is the value of the managedBy attribute. If there is no such object, this value isn't populated. See uwContactPerson for important related content. |
| `member: uwNetID=<uwnetid>` | `member: <Active Directory DN of <uwnetid>>`<br>where `<uwnetid>` is searched in AD and the DN of that object is the value of the member attribute. If there is no such object, this value isn't populated. |
| `memberGroup: cn=<group cn>` | `member: <Active Directory DN of <group cn>>`<br>where `<group cn>` is searched in AD and the DN of that object is the value of the member attribute. If there is no such object, this value isn't populated. |
| `uwContactPerson: uwNetid=<uwnetid>` OR `cn=<group cn>` | `managedBy: <Active Directory DN of <uwnetid> or <group cn>>`<br>where `<uwnetid>` or `<group cn>` is searched in UWWI and the DN of that object is the value of the managedBy attribute. If there is no such object, this value isn't populated. If the GDS owner attribute is also set, the uwContactPerson value overrides the GDS owner info. |
| `uwEmailEnabled: uwexchange` | `oOFReplyToOriginator: TRUE`<br>`reportToOwner: TRUE`<br>`msExchRequireAuthToSendTo: TRUE`<br>`delivContLength: 61440`<br>`msExchRecipientDisplayType: 1073741833`<br>`mailNickname: <cn>`<br>`msExchVersion: <existing Exchange version>`<br>`msExchPoliciesIncluded: {B6B1B695-99F7-4455-B5B4-1231DD06C415},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}`<br>`internetEncoding: 0`<br>`legacyExchangeDN: /o=University of Washington/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=<cn>`<br>`extensionAttribute3: <blah>`<br>where `<existing Exchange version>` is the value of msExchVersion on `LDAP://CN=Address Lists Container,CN=University of Washington,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=netid,DC=washington,DC=edu`, where `<cn>` is the GDS cn, not the AD cn, and where `<blah>` is 1 if the attribute isn't already present with a value, and otherwise is not set.<br>uwEmailEnabled: uwexchange also controls whether the following GDS attributes are mapped to UWWI or ignored: uwPublishedEmail, uwAuthOrig, uwReportToOriginator. If `(!(uwEmailEnabled=uwexchange))`, those 3 GDS attributes are ignored, and some set of the attributes noted above may be cleared if they were previously populated. |
| `uwPublishedEmail: <email>` | `mail: <email>`<br>`proxyAddresses: SMTP:<email>`<br>`proxyAddresses: smtp:<cn>@exchange.washington.edu`<br>where `<cn>` is the GDS cn value and `<email>` must be RFC compliant and unique across all Exchange recipients. If `<email>` is not RFC compliant and unique, `<email>` is ignored and instead the following is set:<br>`mail: <cn>@exchange.washington.edu`<br>`proxyAddresses: SMTP:<cn>@exchange.washington.edu` |
| `uwAuthOrig: uwNetid=<uwnetid>` AND/OR `cn=<group cn>` OR `dc=none` | `authOrig: <Active Directory DN of <uwnetid>>`<br>`dlMemSubmitPerms: <Active Directory DN of <group cn>>`<br>where `<uwnetid>` or `<group cn>` is searched in UWWI and the DN of that object is the value used. User DNs go on the UWWI authOrig attribute; group DNs go on the UWWI dlMemSubmitPerms attribute. If `(uwAuthOrig=dc=none)`, neither of the above applies, and instead the following is set:<br>`authOrig: CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu`<br>This means that only the a_none account can send email to that Exchange distribution group, and by design the a_none UW NetID is not used by anyone. |
| `uwReportToOwner: <bit>`<br>where `<bit>` is {0,1} | `reportToOwner: <boolean conversion of <bit>>`<br>`reportToOriginator: <NOT boolean conversion of <bit>>`<br>So for reportToOwner: 1 -> TRUE, 0 -> FALSE. The opposite holds for reportToOriginator. |
| `displayName: <string>` | `displayName: <string>` |
| `uwReadAccess: uwNetid=<uwnetid>` AND/OR `cn=<group cn>` OR `dc=none`<br>Those values are hereafter collectively referred to as "targetValues". | `uwReadAccess: <Active Directory DN of <uwnetid>> or <Active Directory DN of <group cn>> or <Active Directory DN of the a_none uwnetid>`<br>`ntSecurityDescriptor: Allow targetValues Read All Properties`<br>where `<uwnetid>` or `<group cn>` is searched in UWWI and the DN of that object is the value used. If `(uwReadAccess=dc=none)`, the DN is:<br>`CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu`<br>This means that only the a_none account has access, and by design the a_none UW NetID is not used by anyone. |
| `uwViewAccess: uwNetid=<uwnetid>` AND/OR `cn=<group cn>` OR `dc=none`<br>Those values are hereafter collectively referred to as "targetValues". | `uwViewAccess: <Active Directory DN of <uwnetid>> or <Active Directory DN of <group cn>> or <Active Directory DN of the a_none uwnetid>`<br>`ntSecurityDescriptor: Allow targetValues Read All Properties`<br>`ntSecurityDescriptor: Deny targetValues Read Members`<br>where `<uwnetid>` or `<group cn>` is searched in UWWI and the DN of that object is the value used. If `(uwViewAccess=dc=none)`, the DN is:<br>`CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu`<br>This means that only the a_none account has access, and by design the a_none UW NetID is not used by anyone.<br>Note that ntSecurityDescriptor is the access control list (ACL) for the directory object, and that both ntSecurityDescriptor values noted above are applied for each target value. In the case where a single target is in both uwReadAccess and uwViewAccess, no ntSecurityDescriptor is applied for the uwViewAccess, as it would inhibit access, which is undesired behavior. |
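As an added illustration (not UW's own sync code), the following Python models the rules above for uwAuthOrig, uwReportToOwner and the uwReadAccess/uwViewAccess ACL handling, including the dc=none sentinel and the overlap rule; the UWWI_DIRECTORY lookup table and the uwNetIDs and DNs in it are constructed for the example.

```python
# Added example, not UW's own code: models the GDS -> UWWI rules for uwAuthOrig,
# uwReportToOwner and uwReadAccess/uwViewAccess described in the table above.
A_NONE_DN = "CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu"

# Constructed stand-in for the UWWI search: GDS reference -> AD DN (assumed values).
UWWI_DIRECTORY = {
    "uwNetID=jdoe": "CN=jdoe,OU=UW NetIDs,DC=netid,DC=washington,DC=edu",
    "cn=u_cse_staff": "CN=u_cse_staff,OU=Standard,OU=GDS,OU=Groups,DC=netid,DC=washington,DC=edu",
}

def resolve(ref):
    """DN of a GDS reference in UWWI, or None: an unresolvable value is simply not populated."""
    return UWWI_DIRECTORY.get(ref)

def map_auth_orig(values):
    """uwAuthOrig -> authOrig (user DNs) and dlMemSubmitPerms (group DNs); dc=none -> a_none only."""
    if "dc=none" in values:
        return {"authOrig": [A_NONE_DN], "dlMemSubmitPerms": []}
    out = {"authOrig": [], "dlMemSubmitPerms": []}
    for ref in values:
        dn = resolve(ref)
        if dn is not None:
            key = "authOrig" if ref.lower().startswith("uwnetid=") else "dlMemSubmitPerms"
            out[key].append(dn)
    return out

def map_report_to_owner(bit):
    """uwReportToOwner bit -> reportToOwner, with reportToOriginator as its negation."""
    to_owner = bit == "1"
    return {"reportToOwner": to_owner, "reportToOriginator": not to_owner}

def map_access(read_values, view_values):
    """ntSecurityDescriptor ACEs as (effect, trustee DN, right). A uwViewAccess target that is
    also in uwReadAccess gets no uwViewAccess ACEs, since the Deny would block its read access."""
    def target_dns(values):
        if "dc=none" in values:
            return [A_NONE_DN]
        return [dn for dn in (resolve(v) for v in values) if dn is not None]

    read_dns = target_dns(read_values)
    aces = [("Allow", dn, "Read All Properties") for dn in read_dns]
    for dn in target_dns(view_values):
        if dn in read_dns:
            continue
        aces.append(("Allow", dn, "Read All Properties"))
        aces.append(("Deny", dn, "Read Members"))
    return aces
```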
| GDS | UWWI |
|---|---|
| `dn: serialNumber=<regid>,ou=<QQQYYYY>,ou=Courses,dc=washington,dc=edu` | `dn: cn=<blah>,OU=Course,OU=GDS,OU=Groups,DC=netid,DC=washington,DC=edu`<br>where `<blah>` is the cn. |
| `cn: NONE` | `cn: <uwYear>+<uwQuarter>+"-"+<uwCurric>+<uwCrsNo>+<uwSectID>`<br>`samAccountName: <uwYear>+<uwQuarter>+"-"+<uwCurric>+<uwCrsNo>+<uwSectID>` |
| `objectClass: uwCourseOffering; uwEntity;` | `objectClass: top; uwCourseOffering; uwEntity; group;` |
| `serialNumber: <regid>` | No complement. AD uses the SID for uniqueness, and since the serialNumber has no value to users, serialNumber was dropped. |
| `uwRegID: <regid>` | `uwRegID: <regid>` |
| `year: <year>`<br>where `<year>` is the applicable 4-digit year, e.g. "2007". | `uwYear: <year>` |
| `quarter: <quarter>`<br>where `<quarter>` is one of {"WIN", "SPR", "SUM", "AUT"}. | `uwQuarter: <quarter>` |
| `curric: <curriculum code>`<br>e.g. "CSE" | `uwCurric: <curriculum code>` |
| `crsNo: <course number>`<br>e.g. "142" | `uwCrsNo: <course number>` |
| `sln: <course section schedule line number>`<br>e.g. "11973" | `uwSln: <course section schedule line number>` |
| `sectID: <course section ID>`<br>e.g. "A", "AA", "AB" | `uwSectID: <course section ID>` |
| `displayName: <course title>`<br>e.g. "COMPUTER PRGRMNG I" | `displayName: <course title>` |
| `student: uwNetID=<uwnetid>` | `member: <Active Directory DN of <uwnetid>>`<br>where `<uwnetid>` is searched in AD and the DN of that object is the value of the member attribute. If there is no such object, this value isn't populated. |
| `instructor: uwNetID=<uwnetid>` | `uwInstructor: <Active Directory DN of <uwnetid>>`<br>`member: <Active Directory DN of <uwnetid>>`<br>where `<uwnetid>` is searched in AD and the DN of that object is the value of the member and uwInstructor attributes. If there is no such object, this value isn't populated. |