D-PHYS user authentication

What is LDAP

All D-PHYS accounts are centrally managed in ISG's LDAP servers. These servers are used to authenticate all IT services that can be used with a D-PHYS account. User groups can be created to limit access on certain services to specific users.

LDAP at D-PHYS

We currently run two generations of LDAP servers:

  • the 'old' system ldap.phys.ethz.ch
  • the 'new' LDAP cluster ldap{1,2,3}.phys.ethz.ch

The 'old' server has its origins in the early 1990s when D-PHYS accounts were first established. It is the current data master and most services use it to look up user information. However, since its design dates back almost 25 years, the data schema no longer conforms to today's LDAP standards, which creates all sorts of issues for us.

In early 2017 we started developing a new setup based on 3 replicating LDAP servers. Since it is a service of such central importance, a cluster of 3 redundant nodes lets us sleep better at night. We not only replicated the user data, but also changed the data schema to modern standards. Furthermore, we prepared the system to allow for exciting new features like Kerberos in the future. The new system is fully in sync with the old one and we have already started porting services to use the new instead of the old servers. Once all LDAP clients have been moved, the old system will be turned off.

Technical details

'old' system

  • connection URL: ldap(s)://ldap.phys.ethz.ch
  • LDAP protocols v2 and v3 are supported
  • baseDN: ou1=People,ou=Physik Departement,o=ethz,c=ch
  • DN is based on attribute uniqKey

'new' system

  • connection URL (use all three to get maximum availability): ldap(s)://ldap1.phys.ethz.ch, ldap(s)://ldap2.phys.ethz.ch, ldap(s)://ldap3.phys.ethz.ch
  • only LDAP protocol v3 is supported
  • baseDN: ou=people,dc=phys,dc=ethz,dc=ch
  • DN is based on attribute uid, attribute uniqKey doesn't exist any more
  • several other attributes are gone too, contact us for details
  • ports: 389 -> ldap:// + StartTLS, 636 -> ldaps:// (TLS)
  • encryption: a secured connection via TLS or Kerberos is enforced (minimum TLSv1.2)
  • preferred method of connection: use ldap:// (port 389) with the StartTLS extended operation, which is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. Otherwise use ldaps:// (port 636; deprecated in OpenLDAP, but still possible).

TLS Certificate

The TLS certificates of the new LDAP servers are issued/signed by QuoVadis Limited.

To establish a secure connection, one of these certificates has to be configured as a trusted certificate in your software/operating-system.

On a recent version of most software/operating-systems, the QuoVadis Root CA 2 should already be in the list of trusted certificate authorities. For example on Debian this certificate is at /etc/ssl/certs/QuoVadis_Root_CA_2.pem and included in /etc/ssl/certs/ca-certificates.crt.
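As an added example (not code from the original page or from ISG), the preferred connection path described above, written against the Python standard library only: it hand-encodes the LDAPv3 StartTLS ExtendedRequest, refuses to continue unless the server answers resultCode 0, and only then upgrades the socket with a TLS context that enforces the documented policy (TLS 1.2 minimum, server certificate verified against the system CA bundle, which on a recent system carries QuoVadis Root CA 2). The host names and port are from the page; the connection timeout and the optional cafile parameter are assumptions.

```python
import socket
import ssl

# Hosts and port from the page; the three cluster members are tried in turn for availability.
LDAP_HOSTS = ("ldap1.phys.ethz.ch", "ldap2.phys.ethz.ch", "ldap3.phys.ethz.ch")
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511 / RFC 4513)

def ber_tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value; short-form length is enough for the <128-byte contents used here."""
    return bytes([tag, len(value)]) + value

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { [0] requestName = StartTLS OID } }."""
    msg_id = ber_tlv(0x02, bytes([message_id]))            # INTEGER
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # [APPLICATION 23] { [0] OID }
    return ber_tlv(0x30, msg_id + ext_req)                 # SEQUENCE

def result_code(response: bytes) -> int:
    """resultCode of the server's ExtendedResponse; only 0 (success) allows the TLS upgrade."""
    if len(response) < 10 or response[0] != 0x30 or response[1] & 0x80:
        raise ValueError("unexpected or long-form LDAPMessage")
    pos = 4 + response[3]                     # skip the messageID INTEGER (tag, len, value)
    if response[pos] != 0x78:                 # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    if response[pos + 2:pos + 4] != b"\x0a\x01":   # resultCode is a one-byte ENUMERATED
        raise ValueError("malformed resultCode")
    return response[pos + 4]

def tls_context(cafile=None) -> ssl.SSLContext:
    """Server certificate verified (CERT_REQUIRED + hostname check) plus the documented TLS 1.2 floor."""
    ctx = ssl.create_default_context(cafile=cafile)   # None: system CA bundle incl. QuoVadis Root CA 2
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def starttls_connect(host: str, cafile=None) -> ssl.SSLSocket:
    """Plain TCP, StartTLS exchange, TLS upgrade; bind and search then continue over the result."""
    sock = socket.create_connection((host, 389), timeout=10)   # timeout is an assumption
    sock.sendall(starttls_request())
    code = result_code(sock.recv(4096))
    if code != 0:
        sock.close()
        raise ConnectionError(f"{host} refused StartTLS (resultCode {code})")
    return tls_context(cafile).wrap_socket(sock, server_hostname=host)

if __name__ == "__main__":
    for host in LDAP_HOSTS:                   # fall through the cluster until one member answers
        try:
            with starttls_connect(host) as tls:
                print(host, tls.version(), tls.getpeercert()["subject"])
            break
        except (OSError, ValueError) as exc:
            print(host, "failed:", exc)
```

The returned socket carries no LDAP state yet; a real client sends its BindRequest over it, so credentials never cross the wire before the certificate check has passed.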

Restrict Access in Apache Webserver

To configure the Apache Webserver to authenticate using a D-PHYS Account, you need to modify your .htaccess file, <Directory> block or <Location> block in the server configuration to look like the following:

AuthType Basic
AuthName "ETH D-PHYS Account"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch ldap3.phys.ethz.ch/dc=phys,dc=ethz,dc=ch?uid?sub" TLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

# To restrict access to some user(s), add a line like this for each user
# (replace `<username>` with the D-PHYS user name):
Require ldap-user <username>

# To restrict access to some group(s), add a line like this for each group
# (replace `<groupname>` with the D-PHYS group name):
Require ldap-group cn=<groupname>,ou=groups,dc=phys,dc=ethz,dc=ch

# To grant access to all D-PHYS users, add the following line:
Require valid-user

Apache webserver configuration

If you host your own Apache webserver, the following configuration in the server context is additionally recommended. It has to be configured server-wide and affects all <VirtualHost>, <Directory> and <Location> blocks in the configuration.

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
LDAPVerifyServerCert On
LDAPTrustedMode TLS

The OpenLDAP client configuration file /etc/ldap/ldap.conf (see "Linux configuration" below) is required as well, and its CA settings (TLS_CACERT, TLS_REQCERT) take precedence over the ones configured in apache2 (LDAPTrustedGlobalCert, LDAPVerifyServerCert). This behaviour is undocumented, may be a bug and could change in the future, so setting both configurations to secure values is recommended.

Linux configuration

To configure software on Linux that uses the OpenLDAP client library libldap, such as apache2 or ldap-utils, the following configuration is required/recommended:

Contents of /etc/ldap/ldap.conf:

URI ldap://ldap1.phys.ethz.ch ldap://ldap2.phys.ethz.ch ldap://ldap3.phys.ethz.ch
BASE dc=phys,dc=ethz,dc=ch
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand