Next steps / to-do list
See also:
WebSSO
Custom OpenID Connect Provider (OP) checking the login relationship between user and service based on aeSrvGroup and aeLoginGroups.
Python modules to evaluate:
- Identity Python module oidc-op, see also Example based on Flask
- Authlib, see also Example of OpenID Connect 1.0 Provider
Monitoring
- Implement Æ-DIR data metrics exporter:
  - Number of zones, users, groups, hosts etc. labeled by aeStatus
  - Inbound references to a zone labeled per referencing zone.
  - Extract data from exported LDIF data.
- Implement Grafana dashboards for:
  - slapdcheck
  - Æ-DIR data metrics exporter
User Interface
- Specific web application for administrative use-cases.
- Simple reporting use-cases (expired objects etc.).
- Graph reporting of data structures in a zone.
X.509 PKI
- Issue X.509 server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins (see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR)
- direct ansible integration for server cert enrollment
- X.509 cert enrollment for aeUser with multi-factor authc
- remote CA keys (e.g. based on pyeleven and PyKCS11)
Network Access Control (NAC)
- IEEE 802.1X
- libvirt network filters
- make use of aeNwDevice
RADIUS
Support for RADIUS with dynamic RADIUS client configuration (see also NAC).
- FreeRADIUS: many features, LDAP authc and authz out-of-the-box
- Custom implementation based on pyrad
DNS
- Use PowerDNS to serve attributes as DNS RRs to augment the regular DNS service:
  - aeHost (A and PTR)
  - aeNwDevice (A and PTR)
  - aeZone (SOA)
  - Use remote backend (preferably with DNSSEC) via pdns-remotebackend-python
Command-line tool
- Implement sub-commands in ae-dir-tool:
  - Use Typer with type hints.
  - Idempotent add/modify for aeHost entries.