Authorized Entities Directory
Æ-DIR is an acronym for Authorized Entities Directory (and a small Unicode challenge). It is an LDAP service based on OpenLDAP that implements privileged identity and access management (IAM/PIM/PAM).
News:
- OATH-LDAP talk at SLAC 2018, Berlin, 2018-05-08
- Æ-DIR talk at OSDC 2018, Berlin, 2018-06-12/13
- Æ-DIR & OATH-LDAP talk at KA-IT-SI, Karlsruhe, 2018-12-13
Objectives:
- Strictly follow need to know and least privilege principles
- Agile data maintenance through consistent delegation of small, manageable areas
- Provide meaningful audit trails
- Compliance
Design paradigms:
- Explicit is better than implicit
- Secure authorization requires secure authentication
- No anonymous access at all
- Individual authentication instead of shared credentials
- Avoid all-mighty proxy roles
- Rights assignment / permission granting always based on groups
- Do not assume hierarchical structure
- A person is not a user account
- Role separation with multiple user accounts per person
- Persistent IDs (never re-used) for reliable audit trails
- Only encrypted network traffic
- Well-defined semantics for all object classes and attributes (better no data than bad data)
For a longer introduction, see the various Æ-DIR conference presentations.