Authorized Entities Directory

Admin UI (web2ldap) // Password self-service // OATH enrollment

Æ-DIR is an acronym for Authorized Entities Directory (and a small Unicode challenge), an LDAP service based on OpenLDAP which implements a Privileged Identity & Access Management (IAM/PIM/PAM)

News:

• OATH-LDAP talk at
  SLAC 2018, Berlin, 2018-05-08
• Æ-DIR talk at
  OSDC 2018, Berlin, 2018-06-12/13
• Æ-DIR & OATH-LDAP talk at
  KA-IT-SI, Karlsruhe, 2018-12-13

Objectives:

• Strictly follow need to know and least privilege principles
• Agile data maintenance by consequent delegation of manageable small areas
• Provide meaningful audit trails
• Compliance

Design paradigms:

• Explicit is better than implicit
• Secure authorization requires secure authentication
• No anonymous access at all
• Individual authentication instead of shared credentials
• Avoid all-mighty proxy roles
• Rights assignment / permission granting always based on groups
• Do not assume hierarchical structure
• A person is not an user account
• Role separation with multiple user accounts per person
• Persistent IDs (never re-used) for reliable audit trails
• Only encrypted network traffic
• Well-defined semantics for all object classes and attributes (better no data than bad data)

For a longer introduction you can check out various Æ-DIR conference presentations.