Next steps / to-do list

  1. Done
    1. Multi-factor authc
    2. Hardening
      1. AppArmor
      2. systemd
    3. Custom PAM/NSS caching daemon
  2. Open
    1. WebSSO
    2. X.509 PKI
    3. DevOps tooling
    4. Logging
    5. PXE/DHCP/TFTP integration
    6. Network Access Control (NAC)
    7. RADIUS
    8. aehostd -- custom PAM/NSS daemon
    9. DNS
    10. User Interface
    11. ModSecurity
    12. Command-line tool
    13. Browser integration/security
    14. Python 3.x
    15. Compliance checks


Multi-factor authc


Hardening

AppArmor

If you set the ansible variable apparmor_enabled: True, AppArmor profiles and abstractions are installed to confine all components in enforce mode.
Only supported on Debian Stretch and openSUSE/SLE.

systemd

Various systemd security configuration options are used when starting services via systemd units. See the ansible variable aedir_systemd_hardening for the global settings.

Custom PAM/NSS caching daemon

See also:

aehostd -- custom PAM/NSS daemon

aehostd is now ready for QA tests.

Some details still to be improved:

  • Location-specific replicas: read the DC locations from attribute aeLocation of the aeHost entry to determine "near" consumer replicas to access
  • integrated monitoring (alarming and performance)


Open

In no particular order...


WebSSO

Custom IdP implementation supporting SAML 2.0, OAuth 2.0 and OpenID Connect, checking the login relationship between user and service based on aeSrvGroup and aeLoginGroups.

Python modules to be used: pysaml2, oic, pyop

X.509 PKI

DevOps tooling

Logging

PXE/DHCP/TFTP integration

Network Access Control (NAC)

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

aehostd -- custom PAM/NSS daemon

DNS

User Interface

ModSecurity

Define a ruleset for ModSecurity.

Command-line tool

Browser integration/security

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module   License        Notes
ldap3    LGPLv3         supports Python 2.7 and 3.4+
bonsai   MIT            only Python 3.4+
ldap0    Python-style   needs work to support Python 3

Compliance checks

Prepare compliance statements: