Authentication Services

DOCUMENTATION
Documentation status matrix: directories across the top, documentation types down the side. Status values recorded in the cells: Ready for review, In progress, TBD, n/a.

Directories (columns):
- ED
- AD
- SSOP/ED->AD (bind to ED, authN to AD)
- Shib
- ADFS
- EZ Proxy (including IP)
- Onetime Token (ClinFac, COI)
- Multi-factor
- Guest*
- Certs

Documentation types (rows), with the documents recorded for each:
- General Description: User – SSOPgenU; Technical – SSOPgenT; EZ-gen; Tokengen
- Examples – sample code, apps using service, etc.: ED-ex, SSOP-ex, EZ-ex
- Federation
- Benefits/recommendations: SSOP-rec
- Prerequisites/requirements (i.e., only internal, InfoSec preapproval, web services, etc.): AD-req (“None from an application standpoint. For accounts:”), EZ-req, SSOP-req
- Procedures to connect/bind (will include description of using web services, linux server local admins, etc. to connect to the authN service): ED-bind, AD-bind, SSOPbind (also use ED link), EZ-bind
- Support/technical contact info: ESS – Elena Ryazanova; ESS – Dave O’Connor; ESS – Elena and Dave
- Privacy Considerations
- Policies/standards/regulations: AD-pol; “Follows ED rules”
- Directory Schema
- Use cases

*Guest would be the enhanced “front door” approach that allows for the creation of guest/temporary accounts on the fly.
We could consider making URL redirector a category under which would fall EZProxy and early student email (though EZProxy is also a federated solution).
DIRECTORY DESCRIPTIONS
ED
Enterprise Directory (ED) is a directory that uses the Lightweight Directory Access Protocol (LDAP) and follows the X.500 model. Note: LDAP is also the application protocol used for accessing AD over TCP/IP. ED uses a standards-based LDAP v3 implementation.
The ED directory is a set of entries, each consisting of attributes grouped together into objectclasses. Each attribute has a name and one or more values, and each entry has a unique identifier, its distinguished name (DN). DN consists of TRUNK plus…. is another unique identifier specific to Tufts that is used with user accounts (accounts for staff, faculty, students and affiliates).
Data in ED is populated by ATAMS and WhitePages. ATAMS is a MySQL database made up of a collection of Perl scripts and a set of tables. One key aspect of the ATAMS scripts is the generation of UTLNs. ATAMS is fed by data from the Person Registry (PR) database and from the TuftsTools application. PR is a database populated by systems of record including HR, SIS, Medical School and eReg (see descriptions below). TuftsTools is an administrative tool mainly for looking up user information (UTLN, password information), setting UTLNs and emails (for incoming students), setting AD passwords and activating SSOP. Some attributes in ED that represent personal information are updatable directly by end users via the WhitePages. These include phone number, preferred name, alternate email address, etc. Another important setting that is updatable in WhitePages is whether the user’s information is hidden (talk about how they can hide themselves from the GAL in Outlook).
AD
Active Directory (AD) is Microsoft’s directory service used for centralized network administration. AD is comprised of a collection of objects and attributes used to provide LDAP(*)-based authentication with Kerberos-based authorization. Objects (user accounts, groups, computer accounts, etc.) are organized into organizational units (OUs), an abstraction that gives administrators the ability to build a hierarchy of the objects in the domain. Objects are made up of attributes, also called properties. The set of attributes available depends upon the object class; i.e., user objects have a different set of attributes than printer objects. Some examples of the user object class attributes used by Tufts are: username (aka UTLN), password, locked-out status, etc.
Domain controllers (DCs) are the servers which run AD and are used to authenticate and authorize users and computers in the Windows network. DCs follow a multi-master replication model: changes applied to any one domain controller are replicated out to all other domain controllers.
A host of attributes in AD are fed from the Enterprise Directory, which is considered the authoritative source for such attributes (see schema page <insert link to ED/AD schema>). Other attributes are fed by TuftsTools (i.e., email address, password) or manually by support persons.
All Tufts associates – faculty, staff and students – have user objects in AD. In fact, with the roll-out of SSOP (Simplified Sign-On Process) in 2011, all login passwords are ultimately checked against your AD password.
*LDAP = Lightweight Directory Access Protocol
Shibboleth
The Shibboleth software implements widely-used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework.
- Single Sign-on – you log on to one resource via Shibboleth, and when you access another resource that also uses Shibboleth, you are automatically signed in. No need to re-enter your credentials, since Shibboleth retains the information for up to 8 hours.
- Federation – can accept logon requests from resources at other institutions. For instance, an individual with Columbia credentials could log on to a Tufts resource that has been “shibbolized.” Tufts is now part of the InCommon consortium, which provides a trust framework amongst hundreds of institutions, mainly universities.
The three parts of Shibboleth are the service provider (SP), identity provider (IdP) and the discovery service (DS). The SP hosts the resource you would access. The IdP authenticates the user and provides the requested attributes the SP requires to determine if the user can access the resource. The DS helps the user to determine where they are from, and thus to which IdP they should submit their credentials for authentication. All of this information, and the details behind the trust between the providers, is stored in metadata.
Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application.
Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. A user authenticates with his or her organizational credentials. The organization (IdP) may pass the minimal identity information necessary to the SP to enable an authorization decision. There is the possibility to provide additional information, e.g., if you need to authN only students.
Glossary
- ATAMS
- Person Registry
- eReg - a registration system used by Frontline Support Providers throughout the University to grant affiliates access to Tufts electronic services.
- SIS
- Authentication: (single and multifactor) is a mechanism that an electronic system uses to identify and validate the identity of users with the required degree of confidence that the user is who he or she purports to be. Authentication is accomplished through the use of one or more “factors,” which correspond to things that the user knows (like a password), something that they possess (like a security token), or something they are (like a fingerprint). Authentication should not be confused with authorization, which is the process of granting individuals access to system resources based on their identity [NIST SP 800-103].
- Authorization
- TuftsTools
- WhitePages
- Trumpeter Tools
- Exchange
EXAMPLES
ED
A list of the applications/services that bind directly to Enterprise Directory:
- AcadIntegrity
- Adobe Connect Pro
- BusinessObjects
- CALT
- cardinal
- cfengine
- DARS
- DCA Deposit Form
- DCA Submission Agreement Builder
- DistinctionAwards
- EmailSynch
- HSDB
- ibis
- Illiad
- IMP
- ingo
- IPAM
- JESMS queue check
- Medical School Authentication Service
- MedicatOSH
- Med-OASIS
- messaging multiplexor
- Microsoft Download Utility
- PAM-auth
- pelican
- PeopleSoft Financials
- PeopleSoft SIS
- Picasso
- presidential mass mailing
- Proofpoint
- RemedySearch
- RT
- ServiceNow
- Spark
- Splunk
- sun messaging server
- sympa
- T2Flex
- TOLSS
- Travel Expense
- trunk
- trustees boardroom
- UITConfluence
- UIT-DMCA
- UIT-RC
- UITSCDownload
- ULTS
- Webcenter
- WebPAC
- Whitepages
- xythos
All the previously listed applications use a privileged application object, allowing them to see eligible accounts, including hidden accounts of future students, faculty, staff and students who have elected FERPA privacy.
It is possible to bind to ED anonymously, though doing so will prevent you from authenticating hidden users.
AD – no master list in ESS, need more apps
The following applications/services bind directly to Active Directory:
- Qualtrics
- Atomic Learning
Currently there are no production systems using Shibboleth. We are completing a proof of concept using a “shibbolized” version of WhitePages
in a test environment (https://whitepages.tufts.edu/SSO/).
BENEFITS AND RECOMMENDATIONS
There are many factors that can help you determine which authentication service is best for your application/service: learning the distinction between the services offered (reading the descriptions, reviewing the directories’ schemas, etc.); getting recommendations from your vendor (for off-campus solutions) or Tufts colleagues; considering what you need to get from the directory in the form of attributes, etc.; and how your environment is set up – e.g., for more Windows/Microsoft-centric spaces perhaps AD is preferable.
A few questions to ask are:
1. What does the service owner prefer?
2. What does your application prefer?
3. What do you need from your federation/identity source?
ED
Enterprise Directory offers:
- Attributes – some with multiple values
- Delineation of University affiliate type – i.e., staff, faculty, students, affiliates
- APIs specifically for web applications
AD
Active Directory offers:
- Windows/Microsoft-centric connections and support
- Security group authorization – can provide
Shibboleth
Shibboleth offers:
- Federated authentication with other InCommon members
- Single sign-on
PREREQUISITES/REQUIREMENTS
ED
In order to perform a bind to ED, you must consult with Information Security to be sure that it’s appropriate for you to gain access to the
directory. Depending upon what information your application requires, additional authorization may be required.
AD
In addition to what’s listed here, there’s also…?
Is there any other vetting we do for such requests – i.e., have to have a UIT “sponsor” or have to have their supervisor/manager approve the
request?
Any requirements for internal vs. external binds? – VPN, etc.?
What about firewall requirements?
Shibboleth
Still being determined.
PRIVACY CONSIDERATIONS
Irrespective of the method of authentication you choose, it is important to understand the rights that are afforded to students under the Family Educational Rights and Privacy Act (FERPA). Please see the following notification:
http://uss.tufts.edu/studentaffairs/publicationsandwebsites/FERPA.pdf.
Note: authentication itself does not necessarily provide the application/service with any directory information for the authenticated user –
especially those who have elected to hide their information. If your application/service requires additional attributes (email, SIS ID, etc.), then
that must be stated explicitly in the request. Additional authorization to release those attributes to your application/service may be required
prior to implementation.
“Each educational agency or institution must assess its own policies and systems to determine appropriate identity authentication measures
based on its own combination of technology, the sensitivity of the data, and applicable data security policies.“
(http://www2.ed.gov/policy/gen/guid/ptac/pdf/authentication.pdf)
ED
If a student, staff or faculty has elected to hide their personal information – via FERPA privacy or WhitePages – and you are not using a privileged
account to bind to ED, then those students will not be able to authenticate to your application/service. The same situation would apply to future
students/staff/faculty – as they too are hidden in the directory until they become active.
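The behaviour described here and in the ED examples section (hidden entries are invisible to an anonymous bind but visible to a privileged application bind, so a hidden user cannot be authenticated through an anonymous search-then-bind) modelled as an added example. This is not ED's software and not code from this document: the in-memory ModelDirectory, the sample entries under dc=example,dc=edu, the application account cn=webapp, the passwords and the "hidden" flag are all constructed here. The filter escaping follows RFC 4515, the standard precaution whenever a user-supplied uid is placed in a search filter.

```python
import hashlib
import hmac
import os
import re


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def _hash_pw(secret, salt=None):
    """Constructed password storage for the model: salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


def _check_pw(stored, candidate):
    salt, digest = stored
    return hmac.compare_digest(digest, _hash_pw(candidate, salt)[1])


# Only equality filters on uid are modelled; the value may carry \XX escapes.
_UID_FILTER = re.compile(r"^\(uid=((?:[^()*\\]|\\[0-9a-fA-F]{2})*)\)$")


class ModelDirectory:
    """Constructed stand-in for ED. 'hidden' marks entries that a privacy
    election (or future-affiliate status) keeps out of unprivileged results."""

    def __init__(self, people, privileged_apps):
        self.people = people                    # user DN -> attributes
        self.privileged_apps = privileged_apps  # app DN -> stored password

    def bind(self, dn, password):
        """Simple bind. dn=None is an anonymous bind and always succeeds."""
        if dn is None:
            return True
        stored = self.people.get(dn, {}).get("userPassword") or self.privileged_apps.get(dn)
        return stored is not None and isinstance(password, str) and _check_pw(stored, password)

    def search(self, bound_as, ldap_filter):
        """Return the DN matching a (uid=...) filter, or None. Hidden entries are
        returned only when the searching connection is bound as a privileged app."""
        m = _UID_FILTER.match(ldap_filter)
        if m is None:
            raise ValueError("malformed or unsupported filter: %r" % ldap_filter)
        wanted = m.group(1)
        privileged = bound_as in self.privileged_apps
        for dn, attrs in self.people.items():
            if escape_filter_value(attrs["uid"]) == wanted and (privileged or not attrs["hidden"]):
                return dn
        return None


def authenticate(directory, app_dn, app_password, uid, password):
    """Search-then-bind: bind as the application (anonymously if app_dn is None),
    find the user's DN by uid, then bind as that DN with the user's password."""
    if not directory.bind(app_dn, app_password):
        return "service_bind_failed"
    user_dn = directory.search(app_dn, "(uid=%s)" % escape_filter_value(uid))
    if user_dn is None:
        return "not_found"  # no such uid, or the entry is hidden from this bind
    return "ok" if directory.bind(user_dn, password) else "bad_password"


# Constructed sample data (not real ED entries or credentials).
PEOPLE = {
    "uid=lraymo02,ou=People,dc=example,dc=edu": {
        "uid": "lraymo02", "hidden": False, "userPassword": _hash_pw("correct horse")},
    "uid=fstud99,ou=People,dc=example,dc=edu": {
        "uid": "fstud99", "hidden": True, "userPassword": _hash_pw("battery staple")},
}
APP_DN = "cn=webapp,ou=Apps,dc=example,dc=edu"
ED_MODEL = ModelDirectory(PEOPLE, {APP_DN: _hash_pw("app-secret")})

if __name__ == "__main__":
    print(authenticate(ED_MODEL, None, None, "fstud99", "battery staple"))        # not_found
    print(authenticate(ED_MODEL, APP_DN, "app-secret", "fstud99", "battery staple"))  # ok
```

The hidden user fstud99 gets "not_found" from the anonymous flow even with the right password, which is exactly the symptom the text warns about; the same call bound as the privileged application succeeds. Escaping the uid before it goes into the filter keeps a value such as "*)(uid=*" from changing the filter's meaning.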
AD
Active Directory does not handle hidden accounts the same way that ED does. If your application/service must comply with privacy rules and
regulations, it is advised that you bind to ED for authentication.
If a user has decided to hide themselves, their Exchange account will also be hidden; the effect is that they will no longer be listed in the global address list in Outlook.
Shibboleth
Because Shibboleth-authenticated applications bind to ED using a privileged account, you should refer to the ED section regarding privacy.
DIRECTORY SCHEMA
ED
Attribute | Value | Source | Notes
cn | Lee Raymond | SOR |
departmentNumber | C800001 | SOR |
displayName | Lee Raymond | SOR |
dn | tuftsedutrunk=355C0E89A432CD014DC8ACB88C808546, ou=People, dc=tufts, dc=ed | PR |
eduPersonAffiliation | employee member staff | PR |
eduPersonOrgDN | dc=tufts, dc=edu | ED (ATAMS) |
eduPersonOrgUnitDN | ou=People, dc=tufts, dc=edu | ED (ATAMS) |
eduPersonPrimaryAffiliation | staff | PR |
facsimileTelephoneNumber | (508) 631-3772 | WP |
gidNumber | 29331 | ? |
givenName | Lee | SOR |
homeDirectory | /home/lraymo02 | ATAMS |
initials | LER | ATAMS |
labeledUri | https://tuftstools.tufts.edu | WP |
loginShell | /bin/tcsh | ATAMS |
mail | Lee.Raymond@tufts.edu | ATAMS |
mailAllowedServiceAccess | | ATAMS | ?
mailAutoReplyMode | | ATAMS | ?
mailAutoReplySubject | | ATAMS | ?
mailAutoReplyText | | ATAMS | ?
mailDeliveryOption | | ATAMS | ?
mailEquivalentAddress | | ATAMS | ?
mailForwardingAddress | | ATAMS | ?
mailHost | | ATAMS | ?
mailMessageStore | | ATAMS | ?
mailQuota | | ATAMS | ?
mailSieveRuleSource | | ATAMS | ?
Attribute | Value
mailUserStatus |
mobile | (914)290-3062
o | Central Administration (Employee)
objectClass | top person organizationalPerson inetOrgPerson eduPerson tuftsEduPerson tuftsEduMailAlias posixAccount shadowAccount commeetingmakerauxiliaryinfo commeetingmakerpersonauxiliary
ou | Univ Information Technology
pager | (508) 631-3772
physicalDeliveryOfficeName | Administration-169 Holland St
sn | Raymond
telephoneNumber | (617) 627-3649
title | Manager of Enterprise Services
tuftsEduAcademicUnit | School of Arts, Sciences, and Engineering
tuftsEduAcademicUnitCode | AS
tuftsEduAdminGroup | O
tuftsEduAdminPrivilege | write/eligible_adm /write/firstlast_last /trumpeter_grant/all /trumpeter_admin/utln_report /trumpeter_admin/s /trumpeter_admin/q /trumpeter_admin/p /trumpeter_admin/n /trumpeter_admin/m /trumpeter_admin/l /trumpeter_admin/k /trumpeter_admin/j /trumpeter_a
tuftsEduAlternateTelephoneNumber | (508) 631-3772
tuftsEduAtamsEligibility | eligible
tuftsEduAtamsEligibilityDate | 20-May-08
tuftsEduAtamsID | 101050
tuftsEduAuthenticationToken |
tuftsEduCalendarCreatorsAtamsID | 532575
Sources (in page order): ATAMS, WP, PR, ?, ATAMS, ?, ?, PR, WP, HR, HR, WP or SIS for students, SOR, PR, SIS, PR, ?, WP, ATAMS, ATAMS, ATAMS, ATAMS, ATAMS
Notes: This is converted by PR from information in the SOR; This is derived by PR from information in the SOR; This is converted by PR from information in the SOR
Attribute | Value | Source | Notes
tuftsEduClassYear | 15 | SIS |
tuftsEduClinicalDepartment | Medicine | Med |
tuftsEduClinicalDivision | Clinical Faculty | PR |
tuftsEduClinicalTitle | Associate Clinical Professor | Med |
tuftsEduClinicalWorkGroup | Carney Hospital | Med |
tuftsEduCollege | COLLEGE OF LIBERAL ARTS | PR | There's a lookup table in PR that converts sis_college to college name
tuftsEduCollegeCode | LA | SIS |
tuftsEduDisplay | | WP |
tuftsEduDisplayFacsimileTelephoneNumber | | wp |
tuftsEduDisplayLabeledURI | | WP |
tuftsEduDisplayMail | | WP |
tuftsEduDisplayMobile | | WP |
tuftsEduDisplayNameLF | Raymond, Lee | PR |
tuftsEduDisplayTelephoneNumber | Y | WP |
tuftsEduDisplayTuftsEduAlternateTelephoneNumber | Y | WP |
tuftsEduDormitory | T | SIS | ? There's only one person with this populated
tuftsEduDormitoryAddress | HOUSTON HALL ROOM 125 | SIS | ? There's only one person with this populated
tuftsEduDormitoryCampus | MEDFORD/SOMERVILLE | SIS | ? There's only one person with this populated
tuftsEduEmplID | 1026896 | HR |
tuftsEduEmployeeDepartment | Univ Information Technology | PR |
tuftsEduEmployeeDivision | Central Administration | PR | There's a lookup table in PR that converts div letter into a div name
tuftsEduEmployeeStatus | permanent | HR | There's a lookup table in PR that converts this value from multiple HR values
tuftsEduEmployeeTitle | Manager of Enterprise Services | HR |
tuftsEduEmployeeWorkGroup | 1 | WP |
tuftsEduKrbPassword | | TuftsTools |
tuftsEduLegalDegree | M.D. | Med |
The sample lists the value Y for three of the five flags tuftsEduDisplay through tuftsEduDisplayMobile.
Attribute | Value | Source
tuftsEduLegalName | Raymond, Lee E | SOR
tuftsEduMailAlias | lraymo02@tufts.edu Lee.Raymond@tufts.edu | ATAMS
tuftsEduMailForwardingAddress | lraymo02@exchange.tufts.edu | ATAMS
tuftsEduMailForwardingAddressTarget | exchange.tufts.edu | ATAMS
tuftsEduMajor | UNDECIDED | SIS
tuftsEduPhysicalDeliveryCampus | Medford/Somerville | PR
tuftsEduPreferredDegree | M.D. | SOR
tuftsEduPreferredName | Raymond, Lee | WP
tuftsEduProofpointPolicy | default | ATAMS
tuftsEduProofpointUserType | 0 | ATAMS
tuftsEduSisId | 991193987 | SIS
tuftsEduSISPrivacy | | SIS
tuftsEduStatus | permanent | ?
tuftsEduStudentDivision | School of Arts, Sciences, and Engineering - College o | PR
tuftsEduTrumpeterMailhost | | Trumpeter
tuftsEduTRUNK | 355C0E89A432CD014DC8ACB88C808546 | PR
tuftsEduUnpublished | | ATAMS
tuftsEduWhitePagesAdminGroupAdmin | | WP
uid | lraymo02 | ATAMS
uidNumber | 29331 | ATAMS
userPassword | |
vacationEndDate | |
Notes: There's a lookup table in PR; Is this the WP field?; Can change first name in WP, last name is from HR; This is derived by PR from information in the SOR; ?
AD
Attribute | Value
whenCreated | 5/20/2008 14:24
mobile | 5086313772
l | Medford/Somerville
objectClass | {top, person, organizationalPerson, user}
mail | Lee.Raymond@tufts.edu
objectGUID | 8D3023068483CC40AB5B3CADDDFD5B42
objectSid | 010500000000000515000000F538B8512103F17DD561152069220100
whenChanged | 1/20/2012 13:54
edsvaNamingContextDN |
City | Medford/Somerville
Company | Tufts
Email | Lee.Raymond@tufts.edu
Fax, HomePhone | 508-631-3772 (one value listed for the two attributes)
FirstName | Lee
LastName | Raymond
LogonName | lraymo02
Manager | CN=Regan\, Theresa,OU=Users,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu
MobilePhone | 5086313772
Office | Administration-169 Holland St
Pager |
PhoneNumber | (617) 627-3649
PostalCode |
PostOfficeBox |
PrimaryGroupId | 513
(The Source, Source value and Notes columns of this table are empty for every row.)
StateOrProvince | Ma
StreetAddress | Administration-169 Holland St
WebPage | http://uit.tufts.edu
HomeDirectory | \\TITAN\Home-TCCS$\lraymo02
HomeDrive | P:
ProfilePath, LogonScript | Central\tccs\CTL_D_TCCS_ICS (one value listed for the two attributes)
UserPrincipalName | lraymo02@tufts.ad.tufts.edu
TsProfilePath |
TsHomeDirectory |
TsHomeDrive |
TsAllowLogon |
TsRemoteControl |
TsMaxDisconnectionTime |
TsMaxConnectionTime |
TsMaxIdleTime |
TsReconnectionAction |
TsBrokenConnectionAction |
TsConnectClientDrives |
TsConnectPrinterDrives |
TsDefaultToMainPrinter |
TsWorkDirectory |
TsInitialProgram |
PasswordLastSet | 12/22/2011 10:08
PasswordAge | 29.04:40:21.5726638
PasswordExpires | 6/19/2012 10:08
LastLogonTimestamp | 1/19/2012 9:51
LastLogon | 1/20/2012 14:09
LastLogoff |
AccountIsDisabled | FALSE
AccountIsLockedOut | FALSE
PasswordNeverExpires | FALSE
UserMustChangePassword | FALSE
AccountIsExpired | FALSE
PasswordIsExpired | FALSE
AccountExpirationStatus | Never
PasswordStatus | Expires at: Tuesday, June 19, 2012
DeprovisionStatus |
NTAccountName | TUFTS\lraymo02
SamAccountName | lraymo02
Security | Quest.ActiveRoles.ArsPowerShellSnapIn.UI.SecurityDescriptor
Domain | TUFTS\
LastKnownParent |
MemberOf | {CN=As_Web_Uit,OU=WebAccessGroups,OU=ITS,OU=ASE,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=UIT_ContactEI,OU=Users,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=LANDesk FieldSupportRole,OU=Service Accounts,OU=UITSC,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=UIT_Exch2010_UM_Admin,OU=Admin Accounts,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu...}
NestedMemberOf | {CN=AS_Web,OU=WebAccessGroups,OU=ITS,OU=ASE,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=UIT_Exch2010_Mailbox_Admin,OU=Admin Accounts,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=UITSC UM Mailbox Admin,OU=Microsoft Exchange Security Groups,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=UITSC Recipient Management,OU=Microsoft Exchange Security Groups,DC=tufts,DC=ad,DC=tufts,DC=edu...}
AllMemberOf | {CN=As_Web_Uit,OU=WebAccessGroups,OU=ITS,OU=ASE,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=AS_Web,OU=WebAccessGroups,OU=ITS,OU=ASE,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=UIT_ContactEI,OU=Users,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu, CN=LANDesk FieldSupport Role,OU=Service Accounts,OU=UITSC,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu...}
Keywords | {}
ProxyAddresses | {EUM:73649;phonecontext=Medford Dial Plan.tufts.ad.tufts.edu, X400:C=us;A= ;P=Tufts;O=Exchange;S=Raymond;G=Lee;I=E;, smtp:lraymo02@trumpeterstore.tufts.edu, smtp:lraymo02@exchange.tufts.edu...}
PrimarySMTPAddress | Lee.Raymond@tufts.edu
PrimarySMTPAddressPrefix | Lee.Raymond
PrimarySMTPAddressSuffix | tufts.edu
PrimaryX400Address | C=us;A= ;P=Tufts;O=Exchange;S=Raymond;G=Lee;I=E;
PrimaryMSMailAddress |
PrimaryCCMailAddress |
PrimaryMacMailAddress |
PrimaryLotusNotesAddress |
PrimaryGroupWiseAddress |
EmailAddressPolicyEnabled | TRUE
Path | LDAP://TABVMDC1.tufts.ad.tufts.edu/CN=Raymond\, Lee,OU=Users,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu
DN | CN=Raymond\, Lee,OU=Users,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu
CanonicalName | tufts.ad.tufts.edu/Central/UIT/Users/Raymond, Lee
CreationDate | 5/20/2008 14:24
ModificationDate | 1/20/2012 13:54
ParentContainer | tufts.ad.tufts.edu/Central/UIT/Users
ParentContainerDN | OU=Users,OU=UIT,OU=Central,DC=tufts,DC=ad,DC=tufts,DC=edu
Name | Raymond, Lee
ClassName | user
Type | user
Guid | 0623308d-8384-40cc-ab5b3cadddfd5b42
Sid | S-1-5-21-1371027701-2112946977538272213-74345
OperationID |
OperationStatus | Unknown
Cache | Quest.ActiveRoles.ArsPowerShellSnapIn.BusinessLogic.ObjectCache
Connection | Quest.ActiveRoles.ArsPowerShellSnapIn.Data.ArsADConnection
DirectoryEntry | System.DirectoryServices.DirectoryEntry
AD attribute | Source | Source attribute | Sample value | Notes
tuftsEduTrunk | Populator | tuftsEduTrunk | 6A9FDF52DACE46EE0155B70AF4C5FDE3 |
userAccountControl | Populator | tuftsEduAtamsEligibility (=ineligible, locked, locked_adm) | 512 | note: this will either disable AD object or not
accountExpires | Populator - ATAMS | tuftsEduAtamsEligibility (=ineligible, locked, locked_adm) | 9.22337E+18 | note: this will either expire AD object or not
streetAddress | Populator - LDAP | physicalDeliveryOfficeName | Administration-169 Holland St | not sure if I have this right
l | Populator - LDAP | tuftsEduPhysicalDeliveryCampus | Medford/Somerville | not sure if I have this right
postalAddress | Populator - LDAP | tuftsEduPhysicalDeliveryCampus | Medford/Somerville |
c | Populator | | US | I think this is just putting the value of "US" into the country abbreviation attribute "c" in AD if the attribute is NULL or isn't "US"
co | Populator | | United States | I think this is just putting the value of "United States" into the country attribute "co" in AD if that value is NULL or isn't United States
st | Populator | | Ma | I think this is just putting the value of "Ma" into the state attribute "st" in AD if that value is NULL or isn't Ma
physicalDeliveryOfficeName | Populator - LDAP | physicalDeliveryOfficeName | Administration-169 Holland St |
department | Populator - LDAP | dept | Univ Information Technology |
displayName | Populator - LDAP | tuftsEduDisplayNameLF | Raymond, Lee | It is grabbing this information from ATAMS (e.identity_trunk), not ED.
initials | Populator - ATAMS | identity_middlename | E | This is getting the initial from ATAMS
givenname | Populator - ATAMS | identity_firstname | Lee | This is getting the information from ATAMS
sn | Populator - LDAP | sn | Raymond |
title | Populator - LDAP | tuftsEduEmployeeTitle | Manager of Enterprise Services |
description | Populator - LDAP | tuftsEduEmployeeTitle | Project Manager |
wwwHomePage | Populator - LDAP | labeledUri | https://tuftstools.tufts.edu | Based off of whether the tuftsEduDisplayLabeledURI = Y
facsimileTelephoneNumber | Populator - LDAP | facsimileTelephoneNumber | | Based off of whether the tuftsEduDisplayFacsimileTelephoneNumber = Y
telephoneNumber | Populator - LDAP | phone | (617) 627-3649 | Based off of whether the tuftsEduDisplayTelephoneNumber = Y
otherTelephone | Populator - LDAP | phone | | Based off of whether the tuftsEduDisplayTuftsEduAlternateTelephoneNumber = Y
tuftsEduAcademicUnit | Populator - LDAP | tuftsEduAcademicUnit | |
msExchHideFromAddressLists | Populator - LDAP | | | Set to true if tuftsEduDisplay is blank, tuftsEduUnpublished has a value, tuftsEduAtamsEligibility = ineligible, locked or locked_adm
showInAddressBook | Populator - ATAMS | | global_address_list, all_users_address_list | ?
homeMDB | Populator | | | This is which mailbox database to put you.
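The derivation rules in the populator notes above, written out as an added example. This is not the populator's own code: the function name, the dict layouts, the constant names and the sample ED entries are constructed here, and the ED source for telephoneNumber and otherTelephone is an assumption, since the notes list it only as "phone". The userAccountControl bit values are Microsoft's (512 = normal account, 2 = account disabled); everything else comes from the rules on the page.

```python
ACCOUNTDISABLE = 0x0002   # Microsoft userAccountControl bit: account disabled
NORMAL_ACCOUNT = 0x0200   # 512, the value shown for the sample AD object above
INELIGIBLE = {"ineligible", "locked", "locked_adm"}

# ED display flag -> (AD attribute it gates, ED attribute the value is copied from).
# The ED source for the two phone attributes is an assumption: the notes say only "phone".
DISPLAY_GATED = {
    "tuftsEduDisplayLabeledURI": ("wwwHomePage", "labeledUri"),
    "tuftsEduDisplayFacsimileTelephoneNumber": ("facsimileTelephoneNumber", "facsimileTelephoneNumber"),
    "tuftsEduDisplayTelephoneNumber": ("telephoneNumber", "telephoneNumber"),
    "tuftsEduDisplayTuftsEduAlternateTelephoneNumber": ("otherTelephone", "tuftsEduAlternateTelephoneNumber"),
}
# Values forced into AD when the current AD value is blank or differs.
FORCED = {"c": "US", "co": "United States", "st": "Ma"}
# Straight copies from ED.
COPIED = {"displayName": "tuftsEduDisplayNameLF", "sn": "sn", "title": "tuftsEduEmployeeTitle"}


def derive_ad_attributes(ed, current_ad=None):
    """Derive AD attribute values from one ED entry (dict of attribute -> string;
    a missing key means the attribute is blank). current_ad holds the AD object's
    existing values, which the c/co/st defaulting rule compares against."""
    current_ad = current_ad or {}
    eligibility = ed.get("tuftsEduAtamsEligibility", "")
    ad = {}

    # userAccountControl: the object is disabled when ATAMS eligibility is
    # ineligible, locked or locked_adm; otherwise it is a normal enabled account.
    uac = NORMAL_ACCOUNT
    if eligibility in INELIGIBLE:
        uac |= ACCOUNTDISABLE
    ad["userAccountControl"] = uac

    # c / co / st: write the fixed value if AD holds nothing or something else.
    for attr, wanted in FORCED.items():
        current = current_ad.get(attr)
        ad[attr] = wanted if not current or current != wanted else current

    for ad_attr, ed_attr in COPIED.items():
        if ed.get(ed_attr):
            ad[ad_attr] = ed[ed_attr]

    # Contact details reach AD only when the matching ED display flag is Y.
    for flag, (ad_attr, ed_attr) in DISPLAY_GATED.items():
        if ed.get(flag) == "Y" and ed.get(ed_attr):
            ad[ad_attr] = ed[ed_attr]

    # msExchHideFromAddressLists: hidden from the GAL when tuftsEduDisplay is blank,
    # tuftsEduUnpublished has a value, or the account is ineligible/locked.
    ad["msExchHideFromAddressLists"] = (
        not ed.get("tuftsEduDisplay")
        or bool(ed.get("tuftsEduUnpublished"))
        or eligibility in INELIGIBLE
    )
    return ad


# Constructed sample ED entries (values modelled on the schema sample above).
VISIBLE_STAFF = {
    "tuftsEduAtamsEligibility": "eligible", "tuftsEduDisplay": "Y",
    "tuftsEduDisplayNameLF": "Raymond, Lee", "sn": "Raymond",
    "tuftsEduEmployeeTitle": "Manager of Enterprise Services",
    "tuftsEduDisplayLabeledURI": "Y", "labeledUri": "https://tuftstools.tufts.edu",
    "tuftsEduDisplayTelephoneNumber": "Y", "telephoneNumber": "(617) 627-3649",
    "tuftsEduDisplayFacsimileTelephoneNumber": "N", "facsimileTelephoneNumber": "(508) 631-3772",
}
LOCKED_USER = {
    "tuftsEduAtamsEligibility": "locked_adm", "tuftsEduDisplay": "Y",
    "tuftsEduDisplayNameLF": "Doe, Jane", "sn": "Doe",
    "tuftsEduDisplayLabeledURI": "N", "labeledUri": "https://example.invalid/doe",
}
UNPUBLISHED_USER = {
    "tuftsEduAtamsEligibility": "eligible", "tuftsEduDisplay": "Y",
    "tuftsEduUnpublished": "Y", "sn": "Roe",
}

if __name__ == "__main__":
    for name, entry in [("visible", VISIBLE_STAFF), ("locked", LOCKED_USER), ("unpublished", UNPUBLISHED_USER)]:
        print(name, derive_ad_attributes(entry, {"st": "MA"}))
```

Running it shows the three outcomes the notes describe: the eligible staff entry gets an enabled object (512) with only the Y-flagged contact details released, the locked_adm entry is disabled (514) and hidden from the address lists, and an unpublished but eligible entry stays enabled yet hidden from the GAL.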