LDAP Authentication

LDAP authentication is available for applications hosted within campus only. This document explains the technical details of the LDAP authentication service.

NOTE: For security reasons, LDAP authentication will not be granted for web-based applications in general. Web-based applications shall use the web Single Sign On (SSO) protocols to authenticate users. Refer to the Authentication service for more information.

Getting Started

A request for the LDAP authentication service is required for each application. The requesting entity must meet certain conditions to get access to the LDAP service. Please send an email to cchelp@ust.hk with the information below to request access.

  • Email Subject: Request for LDAP authentication
  • Email Content:
    • 2 technical contacts
    • Department that owns the application
    • Brief description of the application
    • IP address(es) that require LDAP authentication

On approval, a service account will be issued to you. Configure this service account in the application to access the LDAP service and authenticate users.

Technical Details

LDAP Connection Properties

  • Host: openldap.ust.hk
  • Port: 389 for StartTLS, 636 for SSL
    (non-encrypted connections are not allowed; verify the server certificate against its CA certificate)
  • Base DN: dc=ust,dc=hk
  • Scope: subtree
  • Filter: uid=<username>

Attributes Available For Application

Please refer to Attributes for LDAP Applications for details.

Account Lockout Policy

A user account will be locked out (authentication refused) after 10 incorrect login attempts within 1 minute. After 2 minutes, the account is unlocked and login attempts may continue.