D-PHYS user authentication¶
What is LDAP¶
All D-PHYS accounts are centrally managed in ISG's LDAP servers. These servers are used to authenticate all IT services that can be used with a D-PHYS account. User groups can be created to limit access on certain services to specific users.
LDAP at D-PHYS¶
We run a 3-way cluster of replicating LDAP servers:
ldap{1,2,3}.phys.ethz.ch
Since LDAP is a service of such central importance, a cluster of 3 redundant nodes lets us sleep better at night.
Technical details¶
- connection URL (use all three to get maximum availability):
ldap(s)://ldap1.phys.ethz.ch, ldap(s)://ldap2.phys.ethz.ch, ldap(s)://ldap3.phys.ethz.ch
- only LDAP protocol v3 is supported
- baseDN:
ou=people,dc=phys,dc=ethz,dc=ch
- DN is based on attribute
uid
, attributeuniqKey
doesn't exist any more - several other attributes are gone too, contact us for details
- ports:
389
->ldap://
+StartTLS
,636
->ldaps://
(TLS) - encryption: A secured connection via TLS or Kerberos is enforced. (Minimum TLSv1.2)
- preferred method of connection: Use
ldap://
(port389
) usingStartTLS
extended operation, which is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. Otherwise useldaps://
(port636
, deprecated in OpenLDAP, but still possible).
TLS Certificate¶
The TLS certificates of the LDAP servers are issued/signed by DigiCert Inc
Restrict Access in Apache Webserver¶
To configure the Apache Webserver to authenticate using a D-PHYS Account, you need to modify your .htaccess
file, <Directory>
block or <Location>
block in the server configuration to look like the following:
AuthType Basic
AuthName "ETH D-PHYS Account"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch ldap3.phys.ethz.ch/ou=people,dc=phys,dc=ethz,dc=ch?uid?one?(&(objectClass=dphysUser)(!(blocked=yes)))" TLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
# To restrict access to some user(s), add a line like this for each user
# (replace `<username>` with the D-PHYS user name):
Require ldap-user <username>
# To restrict access to some group(s), add a line like this for each group
# (replace `<groupname>` with the D-PHYS group name):
Require ldap-group cn=<groupname>,ou=groups,dc=phys,dc=ethz,dc=ch
# To grant access to all D-PHYS users, add the following line:
Require valid-user
Apache webserver configuration¶
If you host your own Apache webserver, additionally the following configuration in the server-context is recommended. This has to be configured server wide and will have an effect on all <VirtualHost>
, <Directory>
and <Location>
blocks in the configuration.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
LDAPVerifyServerCert On
LDAPTrustedMode TLS
The configuration file under ldap is required as well and will force it's CA settings (TLS_CACERT
, TLS_REQCERT
) over the settings configured in apache2
(LDAPTrustedGlobalCert
, LDAPVerifyServerCert
). This is undocumented, may be a bug and could change in the future. So setting both configurations to secure values is recommended.
Linux configuration¶
To configure software on Linux, which is using the OpenLDAP libraries libldap
, like apache2
or ldap-utils
, the following configuration is required/recommended:
Contents of /etc/ldap/ldap.conf
:
URI ldap://ldap1.phys.ethz.ch ldap://ldap2.phys.ethz.ch ldap://ldap3.phys.ethz.ch
BASE dc=phys,dc=ethz,dc=ch
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand