Access to the OpenLDAP directory service can be achieved in multiple ways.
You usually use command-line tools such as ldapsearch, the Stanford custom Perl module Stanford::Directory, or software development libraries such as the Java Naming and Directory Interface, the UnboundID LDAP SDK, OpenLDAP's C LDAP client libraries, or python-ldap.
All access depends on following our usage policy. Failure to abide by this policy can result in immediate loss of access to the directories.
To connect to an LDAP service, use one of the two LDAP service pools, both of which are hosted on Google Cloud Platform (GCP):
- ldap://ldap-prod.stanford.edu - for using Kerberos service principal authentication (default port 389)
- ldaps://ldap-simple.stanford.edu - for using service principal name with a password (a.k.a. simple-bind, default port 636)
For on-prem systems that have no direct internet access to port 389:
- ldap://ldap.stanford.edu
Note that we no longer have on-prem LDAP servers. ldap://ldap.stanford.edu is a proxy that sends all LDAP queries to the GCP cloud LDAP servers.
If your on-prem systems are behind a non-routable shadow net, or a firewall rule prevents your system from connecting to the cloud LDAP servers, consider working with networking so that your system can connect to ldap://ldap-prod.stanford.edu directly. This reduces dependencies on the campus load balancer and campus LDAP proxy, and cuts out two extra network hops. There is no on-prem proxy for simple-bind (port 636).
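The two bind methods above map to different ldapsearch invocations. The following is an added example, not Stanford's own code: it builds the argument list for each pool and refuses a simple bind over anything but ldaps://. The base DN, bind DN, password file path and search filter are placeholders chosen for illustration.

```python
import shlex
from urllib.parse import urlparse

# Endpoints as listed on this page.
KERBEROS_URI = "ldap://ldap-prod.stanford.edu"    # Kerberos (GSSAPI) bind, port 389
SIMPLE_URI = "ldaps://ldap-simple.stanford.edu"   # simple bind over TLS, port 636

# Placeholders (assumptions): substitute the values issued for your service.
BASE_DN = "dc=example,dc=org"
BIND_DN = "cn=my-service,dc=example,dc=org"


def ldapsearch_argv(method, ldap_filter, uri=None, password_file=None):
    """Return the ldapsearch argument list for method 'kerberos' or 'simple'."""
    if method == "kerberos":
        uri = uri or KERBEROS_URI
        # -Y GSSAPI authenticates from the Kerberos ticket cache; no password is sent.
        auth = ["-Y", "GSSAPI"]
    elif method == "simple":
        uri = uri or SIMPLE_URI
        # A simple bind transmits the password itself, so require TLS. This also
        # rejects the on-prem proxy, which has no simple-bind listener.
        if urlparse(uri).scheme != "ldaps":
            raise ValueError("simple bind is only allowed over ldaps://, got " + uri)
        if not password_file:
            raise ValueError("simple bind requires a password file")
        # -y reads the password from a file (whole contents, so no trailing
        # newline), keeping it out of the process list and shell history.
        auth = ["-x", "-D", BIND_DN, "-y", password_file]
    else:
        raise ValueError("unknown bind method: " + method)
    return ["ldapsearch", "-LLL", "-H", uri, *auth, "-b", BASE_DN, ldap_filter]


if __name__ == "__main__":
    # Constructed sample filter and password file path.
    print(shlex.join(ldapsearch_argv("kerberos", "(uid=jdoe)")))
    print(shlex.join(ldapsearch_argv("simple", "(uid=jdoe)",
                                     password_file="/path/to/password-file")))
```

Running the script prints the two commands without executing them. The Kerberos form expects a valid ticket in the credential cache before ldapsearch is run.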