D-PHYS user authentication
What is LDAP
All D-PHYS accounts are centrally managed in ISG's LDAP servers. These servers authenticate users for all IT services that can be used with a D-PHYS account. User groups can be created to restrict access to certain services to specific users.
LDAP at D-PHYS
We run a 3-way cluster of replicating LDAP servers:
Since LDAP is a service of such central importance, a cluster of 3 redundant nodes lets us sleep better at night.
- connection URL (use all three to get maximum availability):
ldap(s)://ldap1.phys.ethz.ch, ldap(s)://ldap2.phys.ethz.ch, ldap(s)://ldap3.phys.ethz.ch
- only LDAP protocol v3 is supported
- DN is based on attribute
- uniqKey doesn't exist any more
- several other attributes are gone too, contact us for details
- encryption: A secured connection via TLS or Kerberos is enforced. (Minimum TLSv1.2)
- preferred method of connection: Use the StartTLS extended operation, which is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. Otherwise use ldaps:// (port 636, deprecated in OpenLDAP, but still possible).
The TLS certificates of the LDAP servers are issued/signed by QuoVadis Limited.
To establish a secure connection, one of these certificates has to be configured as a trusted certificate in your software/operating-system.
On a recent version of most software/operating-systems, the QuoVadis Root CA 2 should already be in the list of trusted certificate authorities. For example on Debian this certificate is at /etc/ssl/certs/QuoVadis_Root_CA_2.pem and included in
Restrict Access in Apache Webserver
To configure the Apache Webserver to authenticate using a D-PHYS Account, you need to modify your <Directory> block or <Location> block in the server configuration to look like the following:
    AuthType Basic
    AuthName "ETH D-PHYS Account"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch ldap3.phys.ethz.ch/ou=people,dc=phys,dc=ethz,dc=ch?uid?one?(&(objectClass=dphysUser)(!(blocked=yes)))" TLS
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # To restrict access to some user(s), add a line like this for each user
    # (replace `<username>` with the D-PHYS user name):
    Require ldap-user <username>

    # To restrict access to some group(s), add a line like this for each group
    # (replace `<groupname>` with the D-PHYS group name):
    Require ldap-group cn=<groupname>,ou=groups,dc=phys,dc=ethz,dc=ch

    # To grant access to all D-PHYS users, add the following line:
    Require valid-user
Apache webserver configuration
If you host your own Apache webserver, the following additional configuration in the server context is recommended. It has to be configured server-wide and will have an effect on all <Location> blocks in the configuration.
    LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
    LDAPVerifyServerCert On
    LDAPTrustedMode TLS
The OpenLDAP client configuration file (shown below) is required as well and will force its CA settings (TLS_REQCERT) over the settings configured in Apache (LDAPVerifyServerCert). This is undocumented, may be a bug and could change in the future, so setting both configurations to secure values is recommended.
To configure software on Linux that uses the OpenLDAP libraries, such as ldap-utils, the following configuration is required/recommended:
    URI ldap://ldap1.phys.ethz.ch ldap://ldap2.phys.ethz.ch ldap://ldap3.phys.ethz.ch
    BASE dc=phys,dc=ethz,dc=ch

    # TLS certificates (needed for GnuTLS)
    TLS_CACERT /etc/ssl/certs/ca-certificates.crt
    TLS_REQCERT demand
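One way to check that both the Apache directives and the OpenLDAP client configuration are set to secure values, as recommended in the Apache section above. This is an added example, not part of the original page or of ISG's tooling. The function names and the sample input are constructed for illustration, and the parser takes the last occurrence of each directive rather than tracking per-<Location> scope.

```python
import shlex

STRICT_REQCERT = {"demand", "hard"}           # ldap.conf levels that abort on a bad certificate
ENCRYPTED_MODES = {"ssl", "tls", "starttls"}  # mod_ldap connection modes that use TLS

def parse(text):
    """Map each lowercased directive name to the argument list of its last occurrence."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):  # skip comments and <Location> tags
            name, *args = shlex.split(line)
            seen[name.lower()] = args
    return seen

def audit_ldap_conf(text):
    conf, findings = parse(text), []
    level = (conf.get("tls_reqcert") or ["unset"])[0].lower()
    if level not in STRICT_REQCERT:
        findings.append(f"ldap.conf: TLS_REQCERT is {level}, expected demand")
    if not conf.get("tls_cacert"):
        findings.append("ldap.conf: TLS_CACERT is not set")
    return findings

def audit_apache(text):
    conf, findings = parse(text), []
    verify = (conf.get("ldapverifyservercert") or ["unset"])[0].lower()
    if verify != "on":
        findings.append(f"apache: LDAPVerifyServerCert is {verify}, expected On")
    if not conf.get("ldaptrustedglobalcert"):
        findings.append("apache: LDAPTrustedGlobalCert is not set")
    url = conf.get("authldapurl") or [""]
    # A mode given on AuthLDAPURL overrides the server-wide LDAPTrustedMode.
    mode = (url[1:] or conf.get("ldaptrustedmode") or ["none"])[0].lower()
    if mode not in ENCRYPTED_MODES and not url[0].lower().startswith("ldaps://"):
        findings.append(f"apache: connection mode is {mode}, expected TLS")
    return findings

def audit(apache_text, ldap_conf_text):
    """Report both layers; either one being weak leaves certificate checking unreliable."""
    return audit_apache(apache_text) + audit_ldap_conf(ldap_conf_text)

# Constructed sample input: Apache matches the page, ldap.conf has been weakened.
APACHE = '''LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
LDAPVerifyServerCert On
AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch/ou=people,dc=phys,dc=ethz,dc=ch?uid" TLS
'''
LDAP_CONF = "URI ldap://ldap1.phys.ethz.ch\nTLS_REQCERT never\n"
print("\n".join(audit(APACHE, LDAP_CONF)))
```

An unset directive is reported as a finding too, because the page recommends setting both configurations explicitly.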