ACL stands for Access Control List. Various programs use ACLs to restrict access to data to certain users.
AcIS uses ACLs in OpenLDAP to allow certain Kerberized binds to access the affil and private data in the directory.
This term is used to mean a variety of different concepts:
| Most Common Form | Definition | Example |
|---|---|---|
| Affiliation | A person's role at the university | "She's a professor in the English department." |
| Affiliate | An institution associated with Columbia University but not part of the university proper | Harlem Hospital, Barnard College |
| Affiliate | Any source that provides AcIS with person data | The math department, Barnard College |
| Affiliation | An EduPerson-compliant set of relationship(s) with the university | One of Faculty, Student, Staff, Alum, Member, Employee, Affiliate |
| Affil | An authorization privilege which is published to an LDAP database in the ID System and which may be used by an application to control access. | CUstudent2, ISULPrintStudentExtended |
ahpl is the mechanism that makes unix
account data available to unix applications, including PINE and
the unix shell (bash in most cases). ahpl was written by
AcIS. ahpl replaces (and is based on) chpl, AcIS's previous program
that made unix account data available.
ahpl retrieves its data from the AcIS OpenLDAP version 2 servers.
Answering the question, "is this person
really who he/she claims to be?" In the ID System realm, this
translates to, "is the UNI entered by a given person actually controlled
by that person?"
The act of authentication makes no assertion about who the
user is beyond the string of characters that is his/her UNI. In
particular, it says nothing about what the person is allowed to do,
nor does it verify the nature of the person's affiliation with
Columbia University. It does not even indicate that the person is
affiliated with the university at all.
Answering the question, "is this person allowed to do what he/she
is trying to do?"
The searchable online listing of all people at the university. Incorporates whitepages and affils; that is to say, the directory includes address and phone information, and also authorization information.
The directory is implemented as an LDAP database, and the term LDAP is frequently misused where directory would be most appropriate. (As in the question, "did LDAP build today," where the speaker probably really wants to know if the directory was updated.)
A collection of feed entries, or a fixed-width formatted file containing feed entries.
For specific information on what a feed file looks like, see affiliate feed format specification.
Each feed entry corresponds to one set of data about a person, and generally contains a first and last name, a social security number, a date of birth, department and title information, and a building address and phone number.
A person's unique identifier; synonymous with UNI; UNI is preferred.
The system AcIS uses to provide authentication services to applications at the university.
An entry in the kerberos database. The identifier of a kerberos handle is a string of letters and numbers; in practice, this string corresponds either to a UNI or a username (or frequently both). Every kerberos handle has a password attached to it, and it is this handle-password combination that enables a user to authenticate.
Because of the almost one-to-one relationship between UNIs and kerberos handles, the terms are often confused.
Lightweight Directory Access Protocol; a standard method for communicating with a database. (The latest version of this protocol is version 3.)
AcIS has two types of data served via LDAP: the directory and unix account
data. lookup and mail clients use
LDAP to retrieve names; ahpl uses the
unix account data to provide information to unix programs.
AcIS uses the OpenLDAP "brand" of LDAP server to store, search, and deliver the data served via LDAP.
A unix program for searching for people in the directory. A web version is also available.
AcIS uses OpenLDAP software to serve directory and unix account data. OpenLDAP is an open-source project.
AcIS maintains servers running two different versions of OpenLDAP: version 2.1.30 (which serves LDAP protocol versions 2 and 3, and is used for unix account data), and version 1.2.12 (serves LDAP protocol version 2 only; used for directory data).
Data of the sort that is contained in a feed entry, including first and last name, social security number, date of birth, department and title information, and a building address and phone number.
The electronic id that is assigned to each person; the rule is that there is one UNI per real live person. (This rule is, unfortunately, not enforcible some of the time.)
Also sometimes called handle, and occasionally NUI.
An identity on a unix machine. Each unix account has one username and has an associated uid (number), homedirectory, shell, and gecos field (name).
On AcIS systems, a unix account enables a user to receive and store email on the AcIS system, to access email via IMAP and PINE, and to send email. Unix accounts can also be used to log into cunix.
In general, faculty, staff and students receive unix accounts, but alumni and people less closely affiliated with the university do not.
The data in a database which maps unix usernames to unix uids (numbers), homedirectories, shells, and gecos information (name). AcIS provides this information via LDAP. AcIS unix machines read this data via ahpl.
A username, or unix username is the string of letters and numbers that is the unique identifier for a unix account.
A person's unix username is most often the same as his UNI, but this is not a rule and it does not always hold. (For example, many AcIS employees have usernames that do not match their UNIs.)
The AcIS whitepages contains names, addresses, phone numbers, and related data, and is searchable via lookup. Whitepages data is a component of the directory.