Look up a person by Oxford SSO / username
Perform an LDAP search with a base of ou=people,dc=oak,dc=ox,dc=ac,dc=uk and a filter of krbPrincipalName=<USERNAME>@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk.
Look up a person by oakPersonID
You should do an LDAP search with a base of ou=people,dc=oak,dc=ox,dc=ac,dc=uk and a filter of oakPersonID=<ID>.
You should not do an LDAP search with a base of oakPrimaryPersonID=<ID>,ou=people,dc=oak,dc=ox,dc=ac,dc=uk. This is because in some cases a person may have multiple oakPersonIDs, and only one of these is present in the distinguished name of the person's entry as the oakPrimaryPersonID; a base-DN lookup therefore misses the person whenever the ID you hold is not their primary one.
Look up a person by University Card barcode
If the card reader you're using reads the whole barcode including the check digit, then perform an LDAP search with a base of ou=people,dc=oak,dc=ox,dc=ac,dc=uk and a filter of oakUniversityBarcodeFull=<BARCODE>. Otherwise, use the oakUniversityBarcode attribute instead.
Authorise based on membership of the University
To query whether someone is a member of the University, perform an LDAP compare query to compare the eduPersonAffiliation attribute of the person's entry to the string member.
Authorise based on membership of a particular unit: via person
Perform an LDAP compare query to compare the eduPersonOrgUnitDN attribute on the person's entry with the known distinguished name of the unit's entry. For example, to see whether person 38463 is a member of IT Services, one would perform an LDAP compare to ask whether the eduPersonOrgUnitDN attribute of oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk has a value of oakUnitCode=itserv,ou=units,dc=oak,dc=ox,dc=ac,dc=uk.
Authorise based on membership of a particular unit: via unit
It is equally valid to perform an LDAP compare query to compare the member attribute on the unit's entry with the known distinguished name of the person's entry. Using the same example as above, one would perform an LDAP compare to ask whether the member attribute of oakUnitCode=itserv,ou=units,dc=oak,dc=ox,dc=ac,dc=uk has a value of oakPrimaryPersonID=38463,ou=people,dc=oak,dc=ox,dc=ac,dc=uk.
Authorise based on ITSS status
Perform an LDAP compare query to compare the member attribute on the oakGN=ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk entry with the known distinguished name of the person's entry.
Authorise based on ITSS status at a particular unit
Perform the same LDAP compare of the member attribute, but against the oakGN=ITSS,oakUnitCode=<CODE>,ou=units,dc=oak,dc=ox,dc=ac,dc=uk group for the unit of interest.
Find all units for which a person is ITSS
Query the person's oakITSSFor attribute.
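The lookup and authorisation recipes above all interpolate a caller-supplied value (a username, ID, barcode or unit code) into an LDAP filter or DN. The following is an added example, not code from the OAK documentation: it builds the search base/filter and the (dn, attribute, value) triple for each compare described above, escaping the value first (RFC 4515 for filters, RFC 4514 for DNs) so that a typed `*` or `,` cannot turn a lookup into a wildcard search or point the compare at a different entry. Function names are this example's own; sending the requests is left to whichever LDAP client library you use.

```python
# Added example, not from the OAK documentation. Builds the searches and
# compares described on this page with caller-supplied values escaped per
# RFC 4515 (filters) and RFC 4514 (DNs). Function names are this example's own.
PEOPLE_BASE = "ou=people,dc=oak,dc=ox,dc=ac,dc=uk"
UNITS_BASE = "ou=units,dc=oak,dc=ox,dc=ac,dc=uk"
REALM_DN = "cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk"
ITSS_GROUP_DN = "oakGN=ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk"

def escape_filter(value: str) -> str:
    """RFC 4515: *, (, ), \\, control and non-ASCII bytes become \\XX hex escapes."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and chr(b) not in "*()\\" else "\\%02x" % b
        for b in value.encode("utf-8")
    )

def escape_dn(value: str) -> str:
    """RFC 4514: escape a value before placing it in a DN component."""
    esc = "".join("\\" + c if c in '\\,+"<>;' else ("\\00" if c == "\x00" else c) for c in value)
    if esc[:1] in ("#", " "):  # a leading '#' or space must be escaped
        esc = "\\" + esc
    return esc[:-1] + "\\ " if esc.endswith(" ") else esc  # so must a trailing space

def search_by_sso(username):  # returns (base, filter)
    return PEOPLE_BASE, f"(krbPrincipalName={escape_filter(username)}@OX.AC.UK,{REALM_DN})"

def search_by_person_id(person_id):  # search on oakPersonID, never by DN
    return PEOPLE_BASE, f"(oakPersonID={escape_filter(person_id)})"

def search_by_barcode(barcode, includes_check_digit=True):
    attr = "oakUniversityBarcodeFull" if includes_check_digit else "oakUniversityBarcode"
    return PEOPLE_BASE, f"({attr}={escape_filter(barcode)})"

def person_dn(primary_person_id):
    return f"oakPrimaryPersonID={escape_dn(primary_person_id)},{PEOPLE_BASE}"

def unit_dn(unit_code):
    return f"oakUnitCode={escape_dn(unit_code)},{UNITS_BASE}"

def compare_member_of_university(primary_person_id):  # returns (dn, attr, value)
    return person_dn(primary_person_id), "eduPersonAffiliation", "member"

def compare_unit_member(primary_person_id, unit_code, via="person"):
    if via == "person":  # eduPersonOrgUnitDN on the person's entry
        return person_dn(primary_person_id), "eduPersonOrgUnitDN", unit_dn(unit_code)
    return unit_dn(unit_code), "member", person_dn(primary_person_id)  # via the unit

def compare_itss(primary_person_id, unit_code=None):  # central ITSS, or ITSS at a unit
    group = ITSS_GROUP_DN if unit_code is None else f"oakGN=ITSS,{unit_dn(unit_code)}"
    return group, "member", person_dn(primary_person_id)
```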
Display someone's name
Some applications need to display a person's name, for example in a welcome message. The correct attribute to use for this is displayName.
Keep persistent references to a person in your application
You should use oakPrimaryPersonID or oakPersonID for this. None of the other unique attributes are guaranteed to be present on every person entry.
You should not treat oakPrimaryPrincipal as a persistent reference to a person. A principal name may be stored as a persistent reference to that particular principal, but that is different from treating oakPrimaryPrincipal as a persistent reference to a person.