Deploying the eduPerson Schema to Active Directory

If you work in higher education, there is a set of standards you need to implement so that students and faculty can collaborate on projects at other schools or use services specific to higher education. One of these is the eduPerson schema, which defines a set of widely used, education-specific attributes about a person and gives you a standard place to store them.

Most often, the eduPerson schema is coupled with your identity provider (IdP) or federation bridge to deliver attributes to service providers registered in a multilateral trust federation such as InCommon or eduGAIN. Some directly integrated Security Assertion Markup Language (SAML) applications rely on these attributes as well.

First, you need a place to store the attributes. If you run Active Directory (AD) in your environment, you already have such a place.

The eduPerson Schema

The eduPerson attributes are maintained by the Research and Education FEDerations group (REFEDS). REFEDS maintains both an LDIF file for OpenLDAP and an LDIF file for AD (most recently maintained by Ravenswood’s James Babb). The LDIF file contains definitions matching the standard published by REFEDS.

You will use the LDIF file to create the new attributes in AD. They are defined in their own auxiliary object class, eduPerson, and use an OID branch (1.3.6.1.4.1.5923.1.1.1) registered specifically for the eduPerson schema, so there is little risk of colliding with other schema extensions your institution has already deployed.

The LDIF file is available here: eduperson/eduPerson.adschema.ldf at master · REFEDS/eduperson (github.com)

To install the eduPerson schema, first download the LDIF file (eduPerson.adschema.ldf) and replace the placeholder “DC=X” with the distinguished name of your forest root domain (e.g., DC=ravenswoodtechnology,DC=com). The schema lives in the Configuration partition, so this must be the forest root domain even if your users live in a child domain. The ldifde command can do the substitution for you with the “-c” argument, or you can edit the file in a text editor of your choice if you prefer. Then run the command while logged on to the schema master domain controller as a member of Schema Admins (ldifde targets the local domain controller when no server is specified):

ldifde -i -f eduPerson.adschema.ldf -v -c "DC=X" "DC=ravenswoodtechnology,DC=com"

Or you can run the command from a different host and add the “-s” argument to specify the schema master domain controller:

ldifde -i -f eduPerson.adschema.ldf -v -c "DC=X" "DC=ravenswoodtechnology,DC=com" -s "dc-02.ravenswoodtechnology.com"

If you are unsure how to identify which domain controller is the Schema Master, we have a great blog post on FSMO roles with more information.

IMPORTANT: AD schema modifications are PERMANENT and replicate to every domain controller in the forest. Although an attribute can be marked defunct and the object class can be taken out of use, a schema object can never be deleted, so any attribute you create stays in your Active Directory forever. Make schema changes in a non-production environment first, such as a lab, before making them in production, and take a system state backup of the schema master before you import.
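The following script is an added example, not code from the original post or from the REFEDS project. It runs the install described above from a management host: it locates the schema master, checks that the caller is actually a Schema Admin before anything is parsed, detects whether eduPerson attributes are already present (in which case the upgrade procedure applies instead), imports the LDF with the same ldifde switches as above, forces a schema cache reload, and then verifies the result. The file path, the log location and the assumption that the RSAT ActiveDirectory module is installed are mine; adjust them for your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the REFEDS project or the original post).
# Assumes: RSAT ActiveDirectory module present, the LDF downloaded to $LdfPath, and
# the caller added to Schema Admins *before* logging on (so the group is in the token).
param(
    [string]$LdfPath = "C:\Temp\eduPerson.adschema.ldf",   # assumed download location
    [switch]$Apply                                          # without -Apply only the checks run
)

$forest     = Get-ADForest
$schemaFsmo = $forest.SchemaMaster                          # e.g. dc-02.ravenswoodtechnology.com
$rootDse    = Get-ADRootDSE -Server $schemaFsmo
$domainDn   = $rootDse.defaultNamingContext                 # forest root DN, e.g. DC=ravenswoodtechnology,DC=com
$schemaNc   = $rootDse.schemaNamingContext                  # CN=Schema,CN=Configuration,<forest root DN>

Write-Host "Schema master : $schemaFsmo"
Write-Host "Forest root DN: $domainDn"

# 1. Pre-check: Schema Admins lives in the forest root domain. ldifde would otherwise parse the
#    whole file and fail late with "Insufficient Rights".
$schemaAdmins = (Get-ADGroupMember -Identity "Schema Admins" -Server $forest.RootDomain -Recursive).SamAccountName
if ($schemaAdmins -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not a member of Schema Admins; aborting before touching the schema."
}

# 2. Pre-check: is any eduPerson attribute already defined? If so this is an upgrade, not an install.
$existing = @(Get-ADObject -Server $schemaFsmo -SearchBase $schemaNc `
              -Filter "lDAPDisplayName -like 'eduPerson*'" -Properties lDAPDisplayName, attributeID)
if ($existing.Count) {
    Write-Host "Found $($existing.Count) eduPerson schema object(s) already present; follow the upgrade procedure instead."
}

if (-not $Apply) { Write-Host "Dry run finished; re-run with -Apply to import."; return }

# 3. Import. -c rewrites every DC=X in the file to the forest root DN, -s targets the schema master,
#    -j writes ldif.log / ldif.err to the given folder, -k keeps going past "object already exists"
#    so a second run does not stop at the first attribute that is already there.
$logDir = Join-Path $env:TEMP "eduPerson-ldifde"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
& ldifde.exe -i -f $LdfPath -v -k -j $logDir -c "DC=X" $domainDn -s $schemaFsmo
if ($LASTEXITCODE -ne 0) {
    throw "ldifde returned $LASTEXITCODE; read $logDir\ldif.err before retrying."
}

# 4. Reload the schema cache on the schema master so the new definitions are usable now rather
#    than after the next automatic reload.
$rootDseAdsi = [ADSI]"LDAP://$schemaFsmo/RootDSE"
$rootDseAdsi.Put("schemaUpdateNow", 1)
$rootDseAdsi.SetInfo()

# 5. Post-check: the auxiliary class exists and carries attributes, and the user class can use it.
$cls = Get-ADObject -Server $schemaFsmo -SearchBase $schemaNc `
       -Filter "lDAPDisplayName -eq 'eduPerson'" -Properties mayContain, objectClassCategory
if (-not $cls) { throw "eduPerson object class was not created; inspect $logDir\ldif.err." }
Write-Host "eduPerson class present (category $($cls.objectClassCategory)) with $(@($cls.mayContain).Count) optional attributes:"
$cls.mayContain | Sort-Object

$userClass = Get-ADObject -Server $schemaFsmo -Identity "CN=User,$schemaNc" -Properties auxiliaryClass
if (@($userClass.auxiliaryClass) -contains 'eduPerson') {
    Write-Host "user class lists eduPerson as an auxiliary class; attributes can be set on user objects."
} else {
    Write-Warning "user class does not list eduPerson as an auxiliary class; attributes will not be writable on users until it is linked (statically in the schema or per object as a dynamic auxiliary class)."
}
```

Run it once without -Apply in the lab to see what it would target, then with -Apply. The last check matters because an attribute that exists in the schema but is not reachable from the user class is the most common reason a later Set-ADUser on an eduPerson attribute fails.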

Upgrading the Schema

Occasionally, REFEDS makes an update to the eduPerson schema that adds new attributes. For example, in August 2022, an attribute was added to hold a user’s display pronouns. You must occasionally update the schema in your directory to support any future additions to the schema.

To upgrade an existing eduPerson schema, first modify the object class definition to add only the new attribute. Replace the block of code in the section labeled “# Object classes” (line 282 as of July 2023) that creates the eduPerson object class with an example such as the following:

dn: CN=eduPerson,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: 1.3.6.1.4.1.5923.1.1.1.18
-


This example adds eduPersonDisplayPronouns to the object class only, without replacing the other attributes already present on the object class.

You do not need to remove or modify anything else in the LDIF file, such as taking out the attributes that were installed previously. The attribute entries use changetype: ntdsSchemaAdd, and ldifde treats an ntdsSchemaAdd entry whose object already exists as already done rather than as an error, so only the genuinely new attribute is created. Because the attribute entries come before the “# Object classes” section, the new attribute already exists by the time the mayContain modification runs, which is required: AD rejects a mayContain value that names an attribute the schema does not yet have.
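As an added example (not part of the original post or the REFEDS repository), the script below automates the step above for any future release rather than just the pronouns attribute: it parses the new LDF, compares the eduPerson attribute OIDs it defines against what the forest already has, and writes out the minimal “add: mayContain” modify block for the eduPerson object class. It assumes the LDF follows the usual AD schema LDF layout (entries separated by blank lines, each attribute entry carrying attributeID: and lDAPDisplayName: lines, long values folded onto lines that start with a space), assumes the RSAT ActiveDirectory module, and changes nothing in AD itself. The paths are mine.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the REFEDS project or the original post). Read-only against AD.
param(
    [string]$LdfPath = "C:\Temp\eduPerson.adschema.ldf",    # assumed location of the new release's LDF
    [string]$OutPath = "C:\Temp\eduPerson-upgrade.ldf"      # generated modify block goes here
)

$schemaFsmo = (Get-ADForest).SchemaMaster
$schemaNc   = (Get-ADRootDSE -Server $schemaFsmo).schemaNamingContext

# Minimal LDIF/LDF reader: one hashtable (attribute -> value or value[]) per entry.
function Read-LdfEntries {
    param([string]$Path)
    $entries = @(); $current = @{}; $lastName = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^#') { continue }                         # comment line
        if ($line -match '^\s*$') {                                 # blank line closes an entry
            if ($current.Count) { $entries += ,$current; $current = @{}; $lastName = $null }
            continue
        }
        if ($line -match '^ ' -and $lastName) {                     # folded continuation of previous value
            $v = $current[$lastName]
            if ($v -is [array]) { $v[-1] += $line.Substring(1) } else { $current[$lastName] = $v + $line.Substring(1) }
            continue
        }
        if ($line -match '^(?<name>[A-Za-z][\w;-]*):\s*(?<value>.*)$') {
            $name = $Matches.name; $value = $Matches.value.Trim()
            if ($current.ContainsKey($name)) { $current[$name] = @($current[$name]) + $value } else { $current[$name] = $value }
            $lastName = $name
        }
    }
    if ($current.Count) { $entries += ,$current }
    return $entries
}

# Attribute definitions in the file: entries whose attributeID is in the eduPerson branch.
$fileAttrs = @(Read-LdfEntries -Path $LdfPath | Where-Object { $_.attributeID -like '1.3.6.1.4.1.5923.1.1.1.*' })
if (-not $fileAttrs.Count) { throw "No eduPerson attribute definitions found in $LdfPath; is this the AD LDF?" }

# Attribute definitions the forest already has, keyed by OID (names can be renamed, OIDs cannot).
$inSchema  = Get-ADObject -Server $schemaFsmo -SearchBase $schemaNc `
             -Filter "lDAPDisplayName -like 'eduPerson*'" -Properties attributeID
$knownOids = @($inSchema | ForEach-Object { $_.attributeID })

$missing = @($fileAttrs | Where-Object { $knownOids -notcontains $_.attributeID })
if (-not $missing.Count) { Write-Host "The schema already contains every attribute defined in $LdfPath."; return }

# Emit only the linkage. The attribute objects themselves are still created by the ntdsSchemaAdd
# entries in the full LDF, which must be imported before this block so the OIDs resolve.
$ldf = @("dn: CN=eduPerson,CN=Schema,CN=Configuration,DC=X", "changetype: modify", "add: mayContain")
foreach ($a in $missing) {
    Write-Host ("Missing: {0} ({1})" -f $a.lDAPDisplayName, $a.attributeID)
    $ldf += "mayContain: $($a.attributeID)"
}
$ldf += "-"; $ldf += ""
Set-Content -Path $OutPath -Value $ldf -Encoding ASCII
Write-Host "Wrote $($missing.Count) mayContain addition(s) to $OutPath (still uses DC=X; import with ldifde -c as usual)."
```

Use the generated file in place of the hand-edited object class block: import the full LDF first (the existing attributes are skipped, the new ones are created), then import the generated block with the same ldifde command, and confirm with Get-ADObject that the class's mayContain now lists the new attribute.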

What’s Next?

Once you create the eduPerson schema, you need to start using it. The first step is to populate the attributes. You can accomplish this through various methods, from PowerShell scripts to elaborate identity governance and administration (IGA) tools.
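Here is an added example of the PowerShell route, which is not code from the original post: it populates the four core attributes on one user from values AD already holds, with the two checks that matter once the values reach a federation. eduPersonAffiliation is a controlled vocabulary, so the script rejects anything outside it, and eduPersonPrincipalName is the identifier most service providers key on, so the script refuses to hand an ePPN to a second object or to change an existing one in place (a design choice here, since quietly reassigning an ePPN is how one person ends up in another person's accounts at a service provider). The scope value, the sample affiliations and the assumption that the eduPerson auxiliary class is attached to the user class are mine.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Assumes the eduPerson attributes are present in the
# schema and reachable from the user class, and that $Scope is the scope registered with your federation.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string[]]$Affiliations = @('student'),                  # constructed sample input
    [string]$PrimaryAffiliation = 'student',
    [string]$Scope = 'ravenswoodtechnology.com',             # assumed federation scope
    [switch]$Apply
)

# Controlled vocabulary for eduPersonAffiliation from the eduPerson specification.
$vocabulary = 'faculty','student','staff','alum','member','affiliate','employee','library-walk-in'
$invalid = @(($Affiliations + $PrimaryAffiliation) | Where-Object { $vocabulary -notcontains $_ })
if ($invalid.Count) { throw "Not valid eduPersonAffiliation values: $($invalid -join ', ')" }

# faculty, staff, student and employee all carry the basic privileges that 'member' denotes;
# add it if the caller left it out so SPs that filter on member@scope still see this user.
$impliesMember = 'faculty','staff','student','employee'
if (($Affiliations | Where-Object { $impliesMember -contains $_ }) -and ($Affiliations -notcontains 'member')) {
    $Affiliations += 'member'
}
if ($Affiliations -notcontains $PrimaryAffiliation) { throw "Primary affiliation must be one of: $($Affiliations -join ', ')" }

$user = Get-ADUser -Identity $SamAccountName -Properties eduPersonPrincipalName, eduPersonAffiliation
$eppn = "$($user.SamAccountName)@$Scope".ToLowerInvariant()

# ePPN rules enforced here: unique across the directory, and never moved or changed once issued.
$holders = @(Get-ADUser -Filter "eduPersonPrincipalName -eq '$eppn'" |
             Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
if ($holders.Count) { throw "$eppn already belongs to $($holders[0].DistinguishedName); refusing to reassign it." }
if ($user.eduPersonPrincipalName -and $user.eduPersonPrincipalName -ne $eppn) {
    throw "$SamAccountName already holds ePPN $($user.eduPersonPrincipalName); changing it would orphan existing federated accounts."
}

$values = @{
    eduPersonPrincipalName      = $eppn
    eduPersonAffiliation        = [string[]]$Affiliations
    eduPersonPrimaryAffiliation = $PrimaryAffiliation
    eduPersonScopedAffiliation  = [string[]]($Affiliations | ForEach-Object { "$_@$Scope" })
}
foreach ($kv in $values.GetEnumerator()) { "{0,-28} {1}" -f $kv.Key, ($kv.Value -join '; ') }

if ($Apply) { Set-ADUser -Identity $user -Replace $values; Write-Host "Updated $SamAccountName." }
else        { Write-Host "Dry run; re-run with -Apply to write the attributes." }
```

The same shape scales to a bulk job: feed it from your student information or HR system, keep the vocabulary and ePPN checks, and treat a thrown ePPN conflict as something to investigate rather than override.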

On the delivery side, you may want to use a tool such as ADFSToolkit, which lets Active Directory Federation Services (ADFS) consume multilateral federation metadata aggregates such as InCommon or eduGAIN. Your new eduPerson schema can also serve as the data store for a Shibboleth IdP, or hold data that is eventually fed to a commercially supported federation bridge product. You can even sync most of the attributes to Entra ID (Azure AD) as custom attributes, stored as directory extensions in an app registration, and use them in single sign-on claims, among other features.

This is where Ravenswood Technology Group can help. Our architectural and implementation expertise in higher education, identity and access management (IAM), and Microsoft technologies can help guide your college or university from the design stage all the way through implementation. Whether you need to overhaul your IAM infrastructure, simply replace portions of it, or just need help deploying the schema, our experts are here for you. Contact us today!
