Authorized Entities Directory

Admin UI (web2ldap) // Password self-service // OATH enrollment

Æ-DIR is an acronym for Authorized Entities Directory (and a small Unicode challenge), an LDAP service based on OpenLDAP

For a longer introduction you can check out various Æ-DIR conference presentations.

Project goals:

• Strictly follow need to know and least privilege principles
• Consequently delegate administration of manageable small areas
• Provide meaningful audit trails
• Compliance

Technical design paradigms:

• Explicit is better than implicit
• Secure authorization requires secure authentication
• No anonymous access at all
• Individual authentication instead of shared credentials
• Avoid all-mighty proxy roles
• Rights assignment / permission granting always based on groups
• Do not assume hierarchical structure
• A person is not an user account
• Role separation with multiple user accounts per person
• Persistent IDs (never re-used) for reliable audit trails
• Only encrypted network traffic
• Well-defined semantics for all object classes and attributes (better no data than bad data)