Infrastructure Division of Information Technology

Directory Services Attribute

Higher Ed NetID (eduPersonPrincipalName)

Attribute details

LDAP eduPersonPrincipalName attribute properties, usage and population rules
Definition: The "NetID" (account login identifier) for inter-institutional authentication.

This can be thought of as the account login scoped to the Identity Provider. For everyone in the directory, it is ''.

This value is also the Kerberos principal for the account holder.

This is a human-friendly identifier selected by the account holder. NetIDs are revocable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder).

Due to these characteristics, a Service Provider wishing to link a Texas A&M NetID account holder to an internal account should use a persistent identifier such as eduPersonUniqueId instead of eduPersonPrincipalName.
Attribute Name: 'eduPersonPrincipalName'
URN: urn:oid:
Multiple Values: Single-valued
Format: Directory String
The values consist of a left and right component separated by an "@" sign. The left component is the entry's tamuEduPersonNetID value. The right component identifies the domain or scope. For all entries in the Texas A&M NetID Identity Management System this is "".
Search Syntax: EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
Controlled Vocabulary: not applicable
Source: If NetID has not been activated, this attribute is not present, i.e. contains no value.
If NetID has been activated, the attribute value is

Directory-specific details

LDAP eduPersonPrincipalName attribute properties that are dependent on directory branch or object class configuration
  Enterprise Directory
People Branch
Directory URL:
Object Class: eduPerson
Required: no
Indexing: Presence (pres): Improves searches for entries that contain the indexed attribute.
Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value.
Access: Access to Enterprise Directory restricted.
Usage: Federated applications
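
The definition above advises Service Providers to link accounts on a persistent identifier rather than on eduPersonPrincipalName. The following is an added example, not code from this page or from the directory's maintainers, that simulates both linking choices when a NetID is changed and later reassigned. The AccountStore class, the assertion dictionaries and the example.edu scope are constructed for illustration.

```python
# Added example: SP-side account linking. All values are constructed;
# "example.edu" stands in for the scope, which the page does not show.

class AccountStore:
    """Maps one federated identifier attribute to a local account record."""

    def __init__(self, key_attr):
        self.key_attr = key_attr      # attribute used as the link key
        self.accounts = {}            # key value -> local account record
        self._next_id = 1

    def login(self, assertion):
        key = assertion.get(self.key_attr)
        if not key:
            # ePPN is absent until the NetID is activated; never link on an empty key.
            raise ValueError(f"assertion lacks {self.key_attr}")
        # The page lists caseIgnoreMatch for ePPN; using it for other keys is an assumption.
        key = key.casefold()
        acct = self.accounts.get(key)
        if acct is None:
            acct = {"id": self._next_id, "data": []}
            self._next_id += 1
            self.accounts[key] = acct
        # ePPN is stored only as a display label, refreshed on every login.
        acct["eppn"] = assertion.get("eduPersonPrincipalName")
        return acct

# Constructed assertions: Alice releases "jsmith"; later Bob claims it.
ALICE = {"eduPersonPrincipalName": "jsmith@example.edu",
         "eduPersonUniqueId": "a1b2c3@example.edu"}
ALICE_RENAMED = {"eduPersonPrincipalName": "alice.s@example.edu",
                 "eduPersonUniqueId": "a1b2c3@example.edu"}
BOB = {"eduPersonPrincipalName": "JSmith@example.edu",
       "eduPersonUniqueId": "d4e5f6@example.edu"}

def simulate(key_attr):
    """Replay the rename and reassignment against a store keyed on key_attr."""
    store = AccountStore(key_attr)
    first = store.login(ALICE)
    first["data"].append("alice-private-record")
    renamed = store.login(ALICE_RENAMED)
    bob = store.login(BOB)
    return {"alice_keeps_account": renamed["id"] == first["id"],
            "bob_sees_alice_data": "alice-private-record" in bob["data"]}

if __name__ == "__main__":
    for attr in ("eduPersonPrincipalName", "eduPersonUniqueId"):
        print(attr, simulate(attr))
```

Keyed on eduPersonPrincipalName, the rename orphans the original account and the reassigned NetID inherits its data; keyed on eduPersonUniqueId, neither happens.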