Next steps / to-do list

  1. Done
    1. Multi-factor authc
    2. Hardening
      1. AppArmor
      2. systemd
    3. Custom PAM/NSS caching daemon
  2. Open
    1. WebSSO
    2. X.509 PKI
    3. DevOps tooling
    4. Logging
    5. Monitoring
    6. PXE/DHCP/TFTP integration
    7. Network Access Control (NAC)
    8. RADIUS
    9. PAM/NSS caching daemon
    10. DNS
    11. User Interface
    12. Command-line tool
    13. Browser integration/security
    14. Python 3.x
    15. Compliance checks


Done

Multi-factor authc

Hardening

AppArmor

If you set the ansible variable apparmor_enabled: True, AppArmor profiles and abstractions are installed and all components are confined in enforce mode.
Only supported on Debian Stretch and openSUSE/SLE.

systemd

Various systemd security options are set in the systemd units used to start the services. See the ansible variable aedir_systemd_hardening for the global settings.

See also:
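The following unit is an added illustration of the kind of systemd hardening meant above; it is not the project's own unit file and does not reproduce the settings in aedir_systemd_hardening. The service name, user, paths and the assumption that the daemon is a plain Python process needing only outbound LDAP connections are made up for the example.

```ini
# Illustrative hardened unit for a Python daemon (example, not project code).
# Name, user and paths are assumptions.
[Unit]
Description=Example LDAP-backed caching daemon (illustrative)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=exampled
Group=exampled
ExecStart=/usr/bin/python3 /usr/lib/exampled/exampled.py
Restart=on-failure
UMask=0077

# Writable state only where the daemon really needs it; systemd creates
# and owns these directories, everything else is read-only.
RuntimeDirectory=exampled
CacheDirectory=exampled
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# No capabilities, no privilege escalation via setuid binaries, no new
# namespaces, no personality/realtime tricks.
CapabilityBoundingSet=
NoNewPrivileges=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
LockPersonality=yes
RestrictRealtime=yes

# Hide kernel knobs and other processes from the service.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible

# An LDAP client needs IP sockets (and a UNIX socket for its own clients);
# nothing else.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Seccomp: the generic service allow-list minus privileged/resource calls,
# native ABI only, and no writable+executable memory mappings.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
```

Two caveats when applying something like this: directives unknown to the installed systemd (Debian Stretch ships systemd 232, which predates e.g. ProtectKernelLogs, ProtectClock, ProtectHostname, RestrictSUIDSGID and ProtectProc) are logged as unknown and silently ignored, so check the effective exposure with `systemd-analyze security <unit>` on the target release; and MemoryDenyWriteExecute= together with a strict SystemCallFilter= can break Python extension modules that rely on ctypes/libffi or JIT-style code generation, so the daemon has to be exercised under realistic load before the unit is shipped.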

aehostd -- custom PAM/NSS daemon

aehostd is now ready for QA tests.

Some details still to be improved:

  • location-specific replicas: read the DC location(s) from the attribute aeLocation of the aeHost entry to determine the "near" consumer replicas to access
  • integrated monitoring (alarming and performance)
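One way the location-specific replica selection could work, as an added Python example that is not aehostd's own code: the daemon reads the aeLocation attribute of its aeHost entry and orders the configured consumer replicas so that those in the same location are tried first, falling back to the remaining ones. It assumes that aeLocation holds the DN(s) of aeLocation entries and that each replica is known to serve one such location; the LDIF entry, DNs and URIs are constructed sample data.

```python
"""Location-aware replica ordering for an aehostd-style caching daemon.

Added example, not aehostd's own code.  Assumptions: aeLocation holds the
DN(s) of aeLocation entries, and each replica is known to serve exactly one
such location.  The LDIF entry, DNs and URIs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Replica:
    uri: str        # LDAP URI of the consumer replica
    location: str   # DN of the aeLocation entry this replica serves (assumed)


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one plain LDIF entry (no base64 '::' values, no folded lines).

    Attribute types are lower-cased because LDAP attribute names are
    case-insensitive; values keep their case.
    """
    entry: Dict[str, List[str]] = {}
    for raw in ldif.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('#'):
            continue
        attr, sep, value = line.partition(':')
        if not sep:
            raise ValueError('malformed LDIF line: %r' % raw)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn: str) -> str:
    """Comparison key for DNs: lower-case, no whitespace around RDN separators."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def rank_replicas(host_entry: Dict[str, List[str]],
                  replicas: Sequence[Replica]) -> List[Replica]:
    """Order replicas so that those in one of the host's locations come first.

    The relative order inside the "near" and "far" groups is preserved, so the
    configured order still acts as a tie-breaker.  If the host has no
    aeLocation or nothing matches, every replica is "far" and the original
    order is returned: an unknown location must not leave the host without
    service.
    """
    near_keys = {normalize_dn(dn) for dn in host_entry.get('aelocation', [])}
    near = [r for r in replicas if normalize_dn(r.location) in near_keys]
    far = [r for r in replicas if normalize_dn(r.location) not in near_keys]
    return near + far


def ordered_uris(ldif: str, replicas: Sequence[Replica]) -> List[str]:
    """Convenience wrapper: aeHost LDIF text -> replica URIs, near first."""
    return [r.uri for r in rank_replicas(parse_ldif_entry(ldif), replicas)]


# Constructed sample data, not real directory entries.
SAMPLE_AEHOST_LDIF = """\
dn: host=web1.example.com,cn=ae-srvgroup-web,cn=ae,ou=ae-dir
objectClass: aeHost
host: web1.example.com
aeLocation: cn=dc-west,cn=ae,ou=ae-dir
"""

SAMPLE_REPLICAS = (
    Replica('ldaps://ae-dir-c1.example.com', 'cn=dc-east,cn=ae,ou=ae-dir'),
    Replica('ldaps://ae-dir-c2.example.com', 'CN=dc-west, cn=ae,ou=ae-dir'),
    Replica('ldaps://ae-dir-c3.example.com', 'cn=dc-west,cn=ae,ou=ae-dir'),
    Replica('ldaps://ae-dir-c4.example.com', 'cn=dc-east,cn=ae,ou=ae-dir'),
)

if __name__ == '__main__':
    for uri in ordered_uris(SAMPLE_AEHOST_LDIF, SAMPLE_REPLICAS):
        print(uri)
```

The ordering is deliberately a preference, not a filter: the far replicas stay in the list, so a daemon that iterates over it still fails over to another DC when every near consumer is down, which is exactly the case a caching PAM/NSS daemon must survive.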


Open

In no particular order...


WebSSO

Possible IdP implementations for SAML 2.0, OAuth 2.0 and OpenID Connect:

Project name            License             Language
pysaml2 and oic / pyop  Apache License 2.0  Python
  • no ready-to-use web application
  • much work to implement the missing pieces
  • highest flexibility
ipsilon                 GPLv3               Python
  • many dependencies, especially on FreeIPA/sssd modules
  • hard to install
  • bad documentation
  • seems unmaintained
keycloak                Apache License 2.0  Java
  • runs within WildFly
  • test deployment easy to install
  • complex hardening needed

X.509 PKI

DevOps tooling




PXE/DHCP/TFTP integration

Network Access Control (NAC)


RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).


User Interface

Command-line tool

Browser integration/security

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module  License       Notes
ldap3   LGPLv3        supports Python 2.7 and 3.4+
bonsai  MIT           Python 3.4+ only
ldap0   Python-style  needs work to support Python 3

Compliance checks

Prepare compliance statements: