Best Practices

Intended Audience: System architects, developers and system administrators

  1. Names and identifiers
    1. User names
      1. Personal accounts
      2. Tool/service accounts
    2. Host entries
    3. User group names
    4. Service group names
  2. Security considerations
    1. Using tool/service accounts (aeService)
  3. Æ-DIR setup
    1. Networking
    2. Host names

Names and identifiers

User identifiers

The user name of an account is stored in attribute uid and the POSIX-UID is stored in attribute uidNumber.

Recommendations for user names and POSIX-UIDs:

Personal accounts

Recommendations for user names (attribute uid) in aeUser entries:

Tool/service accounts

Recommendations for user names (attribute uid) in aeService entries:


Host entries

Recommendations for host names in aeHost entries:

User group names

General recommendations for user group names (attribute cn) and POSIX-GID (attribute gidNumber) in aeGroup entries:

More on group names:


Service group names

Recommendations for service group names (attribute cn) aeSrvGroup entries:


Security considerations

Using tool/service accounts (aeService)

Some general recommendations if you really cannot avoid using tool/service accounts acting as clients:

Æ-DIR setup

In general Æ-DIR's access control does not care about DNS names or network configuration at all. But it's a good idea to have separate DNS domains and network configuration.



Host names

Hostnames should not match any wild-card certificate you are using!

Besides general recommendations some more:

If you have fine-grained access control for delegated sub domains in your DNS server then it's a good idea to use separate sub domains (forward and reverse) and strictly delegate control to Æ-DIR system admins (members of group ae-sys-admins). Sub-domains also avoid accidentally matching wild-card certificates issued to your domains.

Example sub-domain:

Examples: for a provider with openldap_server_id=1 for a consumer