D-PHYS user authentication
What is LDAP
All D-PHYS accounts are centrally managed in ISG's LDAP servers. Every IT service that can be used with a D-PHYS account authenticates its users against these servers. User groups can be created to limit access to certain services to specific users.
LDAP at D-PHYS
We currently run two generations of LDAP servers:
- the 'old' system
- the 'new' LDAP cluster
The 'old' server has its origins in the early 1990s, when D-PHYS accounts were first established. It is the current data master and most services use it to look up user information. However, since its design dates back almost 25 years, the data schema no longer conforms to today's LDAP standards, which creates all sorts of issues for us.
In early 2017 we started developing a new setup based on 3 replicating LDAP servers. Since it is a service of such central importance, a cluster of 3 redundant nodes lets us sleep better at night. We not only replicated the user data, but also changed the data schema to modern standards. Furthermore, we prepared the system to allow for exciting new features like Kerberos in the future. The new system is fully in sync with the old one and we have already started porting services to use the new instead of the old servers. Once all LDAP clients have been moved, the old system will be turned off.
The 'old' system:
- connection URL:
- LDAP protocols v2 and v3 are supported
- DN is based on attribute

The 'new' LDAP cluster:
- connection URL (use all three to get maximum availability): ldap(s)://ldap1.phys.ethz.ch, ldap(s)://ldap2.phys.ethz.ch, ldap(s)://ldap3.phys.ethz.ch
- only LDAP protocol v3 is supported
- DN is based on attribute
- uniqKey doesn't exist any more
- several other attributes are gone too, contact us for details
- encryption: a secured connection via TLS or Kerberos is enforced (minimum TLSv1.2)
- preferred method of connection: use the StartTLS extended operation, which is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. Otherwise use LDAPS (port 636, deprecated in OpenLDAP, but still possible).
The TLS certificates of the new LDAP servers are issued/signed by QuoVadis Limited. To establish a secure connection, one of these certificates has to be configured as a trusted certificate in your software/operating-system. On a recent version of most software/operating-systems, the QuoVadis Root CA 2 should already be in the list of trusted certificate authorities. For example, on Debian this certificate is at /etc/ssl/certs/QuoVadis_Root_CA_2.pem and included in
Restrict Access in Apache Webserver
To configure the Apache Webserver to authenticate using a D-PHYS account, modify your <Directory> or <Location> block in the server configuration to look like the following:

```apacheconf
AuthType Basic
AuthName "ETH D-PHYS Account"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch ldap3.phys.ethz.ch/dc=phys,dc=ethz,dc=ch?uid?sub" TLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
# To restrict access to some user(s), add a line like this for each user
# (replace `<username>` with the D-PHYS user name):
Require ldap-user <username>
# To restrict access to some group(s), add a line like this for each group
# (replace `<groupname>` with the D-PHYS group name):
Require ldap-group cn=<groupname>,ou=groups,dc=phys,dc=ethz,dc=ch
# To grant access to all D-PHYS users, add the following line:
Require valid-user
```

Note that Apache 2.4 combines several Require lines with a logical OR by default (RequireAny), so a Require valid-user line grants access to every D-PHYS user regardless of any ldap-user or ldap-group lines next to it; use only the Require lines you actually need.
Apache webserver configuration
If you host your own Apache webserver, the following configuration in the server context is additionally recommended. It has to be configured server-wide and affects all <Location> blocks in the configuration.

```apacheconf
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
LDAPVerifyServerCert On
LDAPTrustedMode TLS
```
The OpenLDAP client configuration described under ldap-utils below is required as well, and its CA settings (TLS_REQCERT) take precedence over the settings configured in Apache (LDAPVerifyServerCert). This is undocumented, may be a bug and could change in the future, so setting both configurations to secure values is recommended.
To configure software on Linux that uses the OpenLDAP libraries (e.g. ldap-utils), the following configuration in the OpenLDAP client configuration file (ldap.conf) is required/recommended:

```
URI ldap://ldap1.phys.ethz.ch ldap://ldap2.phys.ethz.ch ldap://ldap3.phys.ethz.ch
BASE dc=phys,dc=ethz,dc=ch
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
```
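Because both the Apache directives and the OpenLDAP client file must carry secure values, a quick check of both before deployment is useful. The following script is an added example, not D-PHYS or ISG code: it lints an ldap.conf text and an Apache mod_ldap/mod_authnz_ldap snippet for the settings this page requires (TLS_REQCERT demand, a CA bundle, LDAPVerifyServerCert On, StartTLS or LDAPS on every AuthLDAPURL, all three cluster hosts). The sample configs embedded in it are constructed for the demonstration.

```python
import re
# Constructed sample configs (not from a real host): one weak, one as the page recommends.
WEAK_LDAP_CONF = "URI ldap://ldap1.phys.ethz.ch\nBASE dc=phys,dc=ethz,dc=ch\nTLS_REQCERT never\n"
GOOD_LDAP_CONF = """URI ldap://ldap1.phys.ethz.ch ldap://ldap2.phys.ethz.ch ldap://ldap3.phys.ethz.ch
BASE dc=phys,dc=ethz,dc=ch
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""
WEAK_APACHE_CONF = 'AuthLDAPURL "ldap://ldap1.phys.ethz.ch/dc=phys,dc=ethz,dc=ch?uid?sub"\nLDAPVerifyServerCert Off\n'
GOOD_APACHE_CONF = """LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
LDAPVerifyServerCert On
LDAPTrustedMode TLS
AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch ldap3.phys.ethz.ch/dc=phys,dc=ethz,dc=ch?uid?sub" TLS
"""
_URL_RE = re.compile(r'^"?(ldaps?://[^"]*?)"?\s*(\w+)?$')  # [quoted] URL, then optional mode

def _directives(text):  # yields (key, value) for every non-empty, non-comment line
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            yield parts[0], parts[1].strip() if len(parts) > 1 else ""

def check_ldap_conf(text):
    """Findings for an OpenLDAP client config; an empty list means it matches the page."""
    conf = dict(_directives(text))
    findings = []
    if conf.get("TLS_REQCERT", "").lower() != "demand":
        findings.append("TLS_REQCERT is not 'demand': the server certificate is not verified")
    if "TLS_CACERT" not in conf:
        findings.append("TLS_CACERT is missing: no CA bundle to validate the QuoVadis-signed certificate")
    if len(conf.get("URI", "").split()) < 3:
        findings.append("fewer than three cluster URIs listed: availability is reduced")
    return findings

def check_apache_conf(text):
    """Findings for Apache mod_ldap/mod_authnz_ldap directives; an empty list means OK."""
    pairs = list(_directives(text))
    conf = dict(pairs)
    findings = []
    if conf.get("LDAPVerifyServerCert", "").lower() != "on":
        findings.append("LDAPVerifyServerCert is not explicitly On")
    if "LDAPTrustedGlobalCert" not in conf:
        findings.append("LDAPTrustedGlobalCert is missing: mod_ldap has no CA bundle to verify against")
    global_mode = conf.get("LDAPTrustedMode", "NONE").upper()  # used when the URL sets no mode
    for value in (v for k, v in pairs if k == "AuthLDAPURL"):
        m = _URL_RE.match(value)
        url, mode = (m.group(1), (m.group(2) or global_mode).upper()) if m else (value, "NONE")
        if not url.startswith("ldaps://") and mode not in ("TLS", "STARTTLS", "SSL"):
            findings.append(f"AuthLDAPURL {url!r} is plaintext: add TLS (StartTLS) or use ldaps://")
    return findings
```

Run the two check functions over your own files' contents; every returned string names one setting that falls short of the recommendations above.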