ED-Auth

ED-Auth is an LDAP directory built specifically for authentication and role-based authorization checks. Accounts in ED-Auth can have their passwords expired automatically, can be locked, and must meet stronger password requirements.

General Documents

ED-Auth Schema: The directory schema used for ED-Auth. Shows all the fields available in ED-Auth and whether each is required, multi-valued, or indexed. If you are using ED-Auth it is strongly suggested you read this.
Proposed ED-Auth Schema: Any updates to the schema that are under consideration will be found here. This document may be identical to the previous one if there are no proposed changes pending.
ED-Auth Usage Instructions: This document details how to connect to, and use, the ED-Auth system with Java, C/C++, WinLDAP C (Windows), Python, Perl, PHP, Apache modules, PAM LDAP, and pGina (Windows authentication).
Password Requirements: This document outlines all the current requirements for passwords as well as those being considered for future adoption.
Password State: This document describes what client applications should do when they encounter an account with an expired password state.
IP Restrictions: This document describes the IP restrictions for ED-Auth.

Tools

ED LDAP Library: A Java library used to make LDAP-based queries against ED-Lite. This library requires knowledge of the LDAP query language.
OpenLDAP C Library: A C library from the OpenLDAP project for accessing LDAP directories.
NET::LDAP Perl module: A Perl library for accessing LDAP directories.
python-ldap: A Python library for accessing LDAP directories.

FAQ

Q: What is ED-Auth?

A: ED-Auth is an LDAP directory used for user authentication and role based authorization. ED-Auth is used for PID/pass authentication and authorization based on a person's affiliation with Virginia Tech. TLS/SSL is required for ED-Auth access.

Q: How can I do PID/pass authentication?

A: Please see the ED-Auth Usage Instructions. The basic method is to search for the user by uupid and then bind as the returned DN with the user's password. Two checks belong in every implementation: escape the uupid before placing it in the search filter and require exactly one matching entry, and reject an empty password before attempting the bind, because an LDAP simple bind with an empty password is an unauthenticated (effectively anonymous) bind rather than a failed login.

Q: How can I authorize on affiliation?

A: The most straightforward way to authorize based on affiliation is to perform an LDAP compare operation for eduPersonAffiliation against the user's own entry, on a connection that has been bound as the user you are authorizing. Another way is to perform an LDAP search operation on the bound user's entry with a filter on the desired affiliation value. In either case the connection must be the one authenticated as that user, since only the bound user can read their own affiliations.

Q: Why can't I see any user information?

A: In ED-Auth, if you bind anonymously (without a DN or credentials), you can only see a person's DN, uupid, and objectclass. This is to keep confidential information confidential. To see a person's affiliations, you must bind as that user; in other words, only a bound user can see their own affiliations. Please note that the only real data held in ED-Auth is the uid, uupid, eduPersonAffiliation value(s), and userPassword (never readable). ED-Auth does not contain names, major, department, etc. See the ED-Auth Schema.

Q: Whose affiliations can I see?

A: See the previous answer. In short, a user is only allowed to see their own affiliations after they have been bound as themselves.

Q: How do I connect to ED-Auth?

A: See the ED-Auth Usage Instructions. Please note that you must connect to ED-Auth over an encrypted connection, that is, over ldaps (LDAP over SSL/TLS) or by upgrading a plain ldap connection with StartTLS. Configure your client to verify the server certificate; an encrypted connection to an unverified server still exposes the user's password to whoever answers.

Q: Is PID/pass authentication really binding as PID/pass?

A: Not exactly, but we use this term generically. What is really taking place is a search on a person's UUPID that returns a DN, and then a bind with that DN and the user's password.
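The search-then-bind flow described in the answers above (search by uupid, bind as the returned DN with the user's password, then an LDAP compare on eduPersonAffiliation over the bound connection), as an added example that is not part of this page or of the ED-Auth project. The Tools list names python-ldap for Python; so that this example runs offline, it talks instead to a small constructed in-memory stand-in that follows the FAQ's visibility rules (anonymous binds see only DN, uupid and objectclass; affiliations are readable only by the entry's own bound user). The base DN, the two accounts and their passwords are assumptions. The two checks a practitioner should not skip are included: the uupid is escaped before it goes into the filter, and an empty password is refused before binding.

```python
"""Search-then-bind PID/pass authentication against an ED-Auth-style directory.

Added example, not ED-Auth project code.  BASE_DN and the FakeEdAuth directory
are constructed so the flow can be exercised offline.
"""

# Assumption: the real base DN is given in the ED-Auth Usage Instructions.
BASE_DN = "ou=People,dc=vt,dc=edu"

# RFC 4515 filter escaping.  Without it a uupid of "*" becomes "(uupid=*)" and
# matches every entry; with it the asterisk is a literal and matches nothing.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uupid_filter(uupid):
    return "(uupid=%s)" % escape_filter(uupid)


class InvalidCredentials(Exception):
    pass


def authenticate(conn, uupid, password):
    """Return the user's DN after a successful search-then-bind, else raise.

    conn provides three LDAP operations: simple_bind(dn, pw) -> bool,
    search(base, filter, attrs) -> [(dn, attrs)], compare(dn, attr, value) -> bool.
    """
    if not password:
        # RFC 4513 5.1.2: a simple bind with an empty password is an
        # *unauthenticated* bind; servers may accept it, so never let it count.
        raise InvalidCredentials("empty password")
    conn.simple_bind(None, None)                  # anonymous search: DN/uupid only
    hits = conn.search(BASE_DN, uupid_filter(uupid), ["uupid"])
    if len(hits) != 1:
        raise InvalidCredentials("no unique entry for uupid %r" % uupid)
    dn = hits[0][0]
    if not conn.simple_bind(dn, password):        # the actual password check
        raise InvalidCredentials("bad password")
    return dn


def has_affiliation(conn, dn, affiliation):
    """LDAP compare on the bound user's own entry (only that user may read it)."""
    return conn.compare(dn, "eduPersonAffiliation", affiliation)


class FakeEdAuth:
    """In-memory stand-in for ED-Auth, constructed for this example."""

    def __init__(self, entries):
        self.entries = entries            # {dn: {attribute: [values]}}
        self.bound_as = None

    def simple_bind(self, dn, password):
        if dn is None:                    # anonymous bind
            self.bound_as = None
            return True
        entry = self.entries.get(dn)
        ok = entry is not None and password in entry["userPassword"]
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, filt, attrs):
        # Understands "(uupid=<value>)": a bare "*" is the LDAP wildcard, any
        # other value must equal the escaped uupid exactly.
        want = filt[len("(uupid="):-1]
        return [(dn, {"uupid": e["uupid"]}) for dn, e in self.entries.items()
                if dn.endswith(base) and (want == "*" or want == escape_filter(e["uupid"][0]))]

    def compare(self, dn, attr, value):
        if self.bound_as != dn:           # FAQ rule: only your own affiliations
            raise PermissionError("affiliations are visible only to the bound user")
        return value in self.entries[dn].get(attr, [])


def fresh_directory():
    """Two constructed accounts (clear-text passwords only because this is a stand-in)."""
    return FakeEdAuth({
        "uupid=jdoe," + BASE_DN: {"uupid": ["jdoe"], "objectclass": ["top", "person"],
                                  "userPassword": ["correct horse"],
                                  "eduPersonAffiliation": ["member", "student"]},
        "uupid=asmith," + BASE_DN: {"uupid": ["asmith"], "objectclass": ["top", "person"],
                                    "userPassword": ["battery staple"],
                                    "eduPersonAffiliation": ["member", "staff"]},
    })


def login_and_check(uupid, password, affiliation, conn=None):
    """Full flow: authenticate, then authorize on one affiliation value."""
    if conn is None:
        conn = fresh_directory()
    dn = authenticate(conn, uupid, password)
    return has_affiliation(conn, dn, affiliation)


if __name__ == "__main__":
    print(login_and_check("jdoe", "correct horse", "student"))   # True
    print(login_and_check("jdoe", "correct horse", "staff"))     # False
```

Against the real directory the three operations map directly onto python-ldap: ldap.initialize() on an ldaps:// URI with OPT_X_TLS_REQUIRE_CERT set to OPT_X_TLS_DEMAND (or start_tls_s() on a plain ldap:// URI), simple_bind_s(), search_s() with ldap.SCOPE_SUBTREE, and compare_s(); ldap.filter.escape_filter_chars() performs the same escaping as escape_filter() above. Reconnect or re-bind anonymously before reusing a connection for another user, since a connection stays bound as the last DN that authenticated on it.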

middleware/ed/edauth.txt · Last modified: 2015/06/01 12:02 (external edit)