Next steps / to-do list

Done

Multi-factor authc

Open

Group maintenance

WebSSO

Possible IdP implementations for SAML 2.0, OAuth 2.0 and OpenID Connect:

Project name     License             Language  Notes
pysaml2 and oic  Apache License 2.0  Python    • no ready-to-use web application
                                               • much work to implement missing pieces
                                               • highest flexibility
ipsilon          GPLv3               Python    • many dependencies, especially on FreeIPA/sssd modules
                                               • hard to install
                                               • bad documentation
                                               • seems unmaintained
keycloak         Apache License 2.0  Java      • runs within WildFly
                                               • complex to install
                                               • more hardening efforts needed
Shibboleth       Duo?                Java
CAS              Apache License 2.0  Java

X.509 PKI

ansible

Logging

Monitoring

AppArmor

Automatically install correct profiles to run AppArmor in mandatory mode.

PXE/DHCP/TFTP integration

Network Access Control

FreeRADIUS

FreeRADIUS integration:

PAM/NSS caching daemon

Improve Performance
An Æ-DIR-specific caching daemon knows the data and can therefore search more efficiently without local configuration (see notes about smart clients).
Automation / Recovery on error (PAM)
A special system user for the aeHost entry (authenticating with the host password) is allowed to set the system password in the local configuration.
Location-specific replicas
Read the DC locations from the attribute aeLocation of the aeHost entry to determine "near" consumer replicas to access.
Monitoring
integrated monitoring (alarming and performance)
Maps
group
  • The group map could be extended with generic groups based on rights groups attributes with well-known gidNumber.
  • Add virtual groups for the gidNumber set in aeUser entries.
aliases
For simple mail forwarding the aliases map should be supported with generic aliases based on rights groups attributes.
hosts
Do hosts lookups similar to the ideas for DNS.
ethers
The ethers map could be virtually provided for hosts within the same local network (collision domain) similar to ideas for Network Access Control.
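As an added example (not Æ-DIR project code) of the two group-map ideas above, the following Python builds the NSS group map a caching daemon could answer getgrgid() from: group entries that carry a gidNumber are taken as they are, and a virtual group is synthesised for each primary gidNumber that appears only in aeUser entries. The attribute names (uid, gidNumber, cn, memberUid) and the sample entries are assumptions constructed for the example.

```python
from collections import OrderedDict

# Constructed sample entries; the exact Æ-DIR schema is an assumption here.
AE_USERS = [
    {"uid": "alice", "uidNumber": 10001, "gidNumber": 10001},
    {"uid": "bob",   "uidNumber": 10002, "gidNumber": 10002},
    {"uid": "carol", "uidNumber": 10003, "gidNumber": 20000},
    {"uid": "dave",  "uidNumber": 10004, "gidNumber": 10002},
]
# One rights group that already provides a well-known gidNumber.
AE_GROUPS = [
    {"cn": "ae-sudo-admins", "gidNumber": 20000, "memberUid": ["carol"]},
]


def build_group_map(users, groups):
    """Return an ordered dict gidNumber -> (name, [memberUid, ...]).

    Real group entries win.  A virtual group is synthesised only for a
    gidNumber no group entry provides: the first user owning that gid
    names the group, further users sharing the gid are listed as members.
    """
    gmap = OrderedDict()
    for grp in groups:
        gmap[grp["gidNumber"]] = (grp["cn"], list(grp.get("memberUid", [])))
    names = {name for name, _ in gmap.values()}
    virtual = set()
    for user in users:
        gid, uid = user["gidNumber"], user["uid"]
        if gid in gmap:
            if gid in virtual:
                gmap[gid][1].append(uid)  # shares a user-private gid
            continue
        # Refuse a virtual group whose name would shadow a real group.
        if uid in names:
            raise ValueError(f"virtual group {uid!r} would shadow a real group")
        gmap[gid] = (uid, [])
        virtual.add(gid)
        names.add(uid)
    return gmap


def group_line(gmap, gid):
    """Render one entry in group(5) format, or None if the gid is unknown."""
    if gid not in gmap:
        return None
    name, members = gmap[gid]
    return f"{name}:x:{gid}:{','.join(members)}"
```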
Implementation details

DNS

User Interface

Browser integration/security

Compliance checks

Prepare compliance statements:

Reporting