D-PHYS user authentication¶
What is LDAP¶
All D-PHYS accounts are centrally managed in ISG's LDAP servers. These servers are used to authenticate all IT services that can be used with a D-PHYS account. User groups can be created to limit access on certain services to specific users.
LDAP at D-PHYS¶
We run a 3-way cluster of replicating LDAP servers:
ldap{1,2,3}.phys.ethz.ch
Since LDAP is a service of such central importance, a cluster of 3 redundant nodes lets us sleep better at night.
Technical details¶
- connection URL (use all three to get maximum availability):
ldap(s)://ldap1.phys.ethz.ch, ldap(s)://ldap2.phys.ethz.ch, ldap(s)://ldap3.phys.ethz.ch
- only LDAP protocol v3 is supported
- baseDN:
ou=people,dc=phys,dc=ethz,dc=ch - DN is based on attribute
uid, attributeuniqKeydoesn't exist any more - several other attributes are gone too, contact us for details
- ports:
389->ldap://+StartTLS,636->ldaps://(TLS) - encryption: A secured connection via TLS or Kerberos is enforced. (Minimum TLSv1.2)
- preferred method of connection: Use
ldap://(port389) usingStartTLSextended operation, which is LDAPv3's standard mechanism for enabling TLS (SSL) data confidentiality protection. Otherwise useldaps://(port636, deprecated in OpenLDAP, but still possible).
TLS Certificate¶
The TLS certificates of the LDAP servers are issued/signed by DigiCert Inc
Restrict Access in Apache Webserver¶
To configure the Apache Webserver to authenticate using a D-PHYS Account, you need to modify your .htaccess file, <Directory> block or <Location> block in the server configuration to look like the following:
AuthType Basic
AuthName "ETH D-PHYS Account"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap1.phys.ethz.ch ldap2.phys.ethz.ch ldap3.phys.ethz.ch/ou=people,dc=phys,dc=ethz,dc=ch?uid?one?(&(objectClass=dphysUser)(!(blocked=yes)))" TLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
# To restrict access to some user(s), add a line like this for each user
# (replace `<username>` with the D-PHYS user name):
Require ldap-user <username>
# To restrict access to some group(s), add a line like this for each group
# (replace `<groupname>` with the D-PHYS group name):
Require ldap-group cn=<groupname>,ou=groups,dc=phys,dc=ethz,dc=ch
# To grant access to all D-PHYS users, add the following line:
Require valid-user
Apache webserver configuration¶
If you host your own Apache webserver, additionally the following configuration in the server-context is recommended. This has to be configured server wide and will have an effect on all <VirtualHost>, <Directory> and <Location> blocks in the configuration.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
LDAPVerifyServerCert On
LDAPTrustedMode TLS
The configuration file under ldap is required as well and will force it's CA settings (TLS_CACERT, TLS_REQCERT) over the settings configured in apache2 (LDAPTrustedGlobalCert, LDAPVerifyServerCert). This is undocumented, may be a bug and could change in the future. So setting both configurations to secure values is recommended.
Linux configuration¶
To configure software on Linux, which is using the OpenLDAP libraries libldap, like apache2 or ldap-utils, the following configuration is required/recommended:
Contents of /etc/ldap/ldap.conf:
URI ldap://ldap1.phys.ethz.ch ldap://ldap2.phys.ethz.ch ldap://ldap3.phys.ethz.ch
BASE dc=phys,dc=ethz,dc=ch
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand