Next steps / to-do list

  1. Done
    1. Multi-factor authc
    2. Hardening
      1. AppArmor
      2. systemd
    3. Custom PAM/NSS caching daemon
  2. Open
    1. WebSSO
    2. X.509 PKI
    3. DevOps tooling
    4. Logging
    5. Monitoring
    6. PXE/DHCP/TFTP integration
    7. Network Access Control (NAC)
    8. RADIUS
    9. PAM/NSS caching daemon
    10. DNS
    11. User Interface
    12. Command-line tool
    13. Browser integration/security
    14. Python 3.x
    15. Compliance checks

Done

Multi-factor authc

Hardening

AppArmor

If you set the Ansible variable apparmor_enabled: True, AppArmor profiles and abstractions are installed to confine all components in enforce mode.
This is only supported on Debian Stretch and openSUSE/SLE.

systemd

Various systemd security configuration options are used when starting services via systemd units. See the Ansible variable aedir_systemd_hardening for the global settings.

See also:

aehostd -- custom PAM/NSS daemon

aehostd is now ready for QA tests.

Some details still to be improved:

  Location-specific replicas:
    read the DC locations from attribute aeLocation of the aeHost entry to determine which "near" consumer replicas to access
  Monitoring:
    integrated monitoring (alarming and performance)

Open

In no particular order...

WebSSO

Possible IdP implementations for SAML 2.0, OAuth 2.0 and OpenID Connect:

Project name | License | Programming language | Notes

pysaml2 and oic / pyop | Apache License 2.0 | Python
  • no ready-to-use web application
  • much work to implement the missing pieces
  • highest flexibility

ipsilon | GPLv3 | Python
  • many dependencies, especially on FreeIPA/sssd modules
  • hard to install
  • poor documentation
  • seems unmaintained

keycloak | Apache License 2.0 | Java
  • runs within WildFly
  • easy to install as a test deployment
  • complex hardening needed

X.509 PKI

DevOps tooling

Ansible

Logging

Monitoring

PXE/DHCP/TFTP integration

Network Access Control (NAC)

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

DNS

User Interface

Command-line tool

Browser integration/security

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module | License | Notes

ldap3 | LGPLv3
  • supports Python 2.7 and 3.4+

bonsai | MIT
  • Python 3.4+ only

ldap0 | Python-style
  • needs work to support Python 3

Compliance checks

Prepare compliance statements: