Next steps / to-do list

In no particular order...

Done

  1. Multi-factor authc
  2. Hardening
    1. AppArmor
    2. systemd

Multi-factor authc

Hardening

AppArmor

If you set the ansible variable apparmor_enabled: True, AppArmor profiles and abstractions are installed that confine all components in enforce mode.
Only supported on Debian Stretch and openSUSE/SLE.

systemd

Use the various systemd security configuration options when starting services via systemd units. See the ansible variable aedir_systemd_hardening for the global settings.

Open

  1. WebSSO
  2. X.509 PKI
  3. ansible
  4. Logging
  5. Monitoring
  6. PXE/DHCP/TFTP integration
  7. Network Access Control (NAC)
  8. RADIUS
  9. PAM/NSS caching daemon
  10. DNS
  11. User Interface
  12. Command-line tool
  13. Browser integration/security
  14. Python 3.x
  15. Compliance checks

WebSSO

Possible IdP implementations for SAML 2.0, OAuth 2.0 and OpenID Connect:

Project name (license, programming language) and notes:

pysaml2 and oic / pyop (Apache License 2.0, Python)
  • no ready-to-use web application
  • much work needed to implement the missing pieces
  • highest flexibility

ipsilon (GPLv3, Python)
  • many dependencies, especially on FreeIPA/sssd modules
  • hard to install
  • bad documentation
  • seems unmaintained

keycloak (Apache License 2.0, Java)
  • runs within WildFly
  • easy to install for a test deployment
  • complex hardening needed

X.509 PKI

ansible

Logging

Monitoring

PXE/DHCP/TFTP integration

Network Access Control (NAC)

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

PAM/NSS caching daemon

Improve performance
  An Æ-DIR-specific caching daemon knows the data and can therefore search more efficiently without local configuration (see notes about smart clients).

Automation / recovery on error (PAM)
  A special system user for aeHost with the host password is allowed to set the system password in the local configuration.

Location-specific replicas
  Read the DC locations from attribute aeLocation of the aeHost entry to determine "near" consumer replicas to access.

Monitoring
  Integrated monitoring (alarming and performance).

Maps
  group
    • The group map could be extended with generic groups based on rights groups attributes with well-known gidNumber.
    • Add virtual groups for the gidNumber set in aeUser entries.
  aliases
    • For simple mail forwarding the aliases map should be supported with generic aliases based on rights groups attributes.
  hosts
    • Do hosts lookup similar to the ideas for DNS.
  ethers
    • The ethers map could be virtually provided for hosts within the same local network (collision domain), similar to the ideas for Network Access Control.
Implementation details

DNS

User Interface

Command-line tool

Browser integration/security

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module (license) and notes:

ldap3 (LGPLv3)
  • supports Python 2.7 and 3.4+

bonsai (MIT)
  • only Python 3.4+

ldap0 (Python-style license)
  • needs work to support Python 3

Compliance checks

Prepare compliance statements: