Why yet another LDAP-based user management system?
All other similar products/projects focus on making data easily available everywhere and are therefore not suitable for really strict security/confidentiality requirements. Also, other systems do not have a distinct data model for the person / multi-user-account relationship.
What's the official name of the project and why do I see those strange characters?
The official name is Æ-DIR to be distinguishable from any other project (and to challenge Unicode capabilities of software). AE-DIR is the official pure-ASCII representation. Only capital letters are used in both representations.
Æ-DIR seems complex. How do I start with a simple setup for my very few systems?
Æ-DIR is designed to scale down and up:
You can install the system and start with one zone and a single host/service group for all your systems pointing to a single user group. Later you can extend that to your growing needs by adding more host/service and user groups and by moving hosts/services.
Can the Æ-DIR server run on name-your-favourite-OS-here?
Æ-DIR is not limited to running on Linux. Provided you have packages of all the required software, it could be installed on various OS platforms. But note that tweaking the automated ansible installation to run on different platforms is a lot of work.
Can I use another LDAP server software for Æ-DIR?
No. Æ-DIR makes heavy use of OpenLDAP's access control. To the best of my knowledge, other LDAP server implementations do not provide similarly powerful access control. If you have a different opinion or suggestion, please let me know.
I prefer to install only packages shipped by my Linux (enterprise) distribution. Why are OpenLDAP packages from different repositories installed?
Can I use a search base other than ou=ae-dir?
Yes. You can set the ansible variable aedir_suffix, which is used in all ansible tasks. Note that currently this is not well tested. Please provide feedback if you're using it.
How do I back up the data?
On each Æ-DIR provider a CRON job exports the databases to LDIF files with the command-line tool slapcat(8) (see also the OpenLDAP Admin Guide). How often this happens and where the files are stored can be configured with ansible vars.
Is there an API for bulk operations?
The official API for programming Æ-DIR is LDAPv3 (see RFC 4510). Access control rules and constraints in the OpenLDAP configuration prevent your client role from accessing or altering entries in an invalid way.
One ready-to-use module is available for Python.
I always get an error message insufficientAccess when I try to delete a user or a group. What's wrong?
Nothing's wrong. It works as designed.
User names, group names and numeric POSIX IDs must never be reused. This is enforced by unique constraints, and therefore deletion of user and group entries is prevented by ACLs. Set the status to "archived" (2) to make the entries invisible even for the zone admins.
How do I report a list of active users?
Any client example configurations available?
Yes. Check out the directory client-examples/.
Why do the client examples not use group authorization (e.g. memberOf filter)?
The goal is to keep client configuration dumb. This makes it possible to change access rights (solely by changing entities' relationship) in the directory without touching the client configuration.
Is the netgroup map supported by Æ-DIR?
Are nested groups supported by Æ-DIR?
No, because of bad performance. Furthermore, you will lose oversight over nested groups sooner or later. Try understanding/leveraging the power of host/service groups referencing user groups, which serves the same purpose in most practical cases.
I'm too lazy to add groups etc. Can I directly assign rights to a user account?
Can I set up an Æ-DIR test instance without having to issue TLS certs?
No! In production you must use TLS anyway, so you should use your test environment to get familiar with it right from the start.
Can I let admins impersonate a user for testing some issues with the user's access rights?
No! That's bad practice regarding audit logs! The admin should add a test user for themselves with the very same group memberships and use this for testing.
When using two-factor authentication (2FA), is it possible to distinguish whether the password or the OTP input was wrong?
No! Both authentication factors are checked at once, and the check as a whole either succeeds or fails. Æ-DIR deliberately does not tell the user which authentication factor was wrong. This avoids the authentication factors being attacked separately.
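The following is an added example illustrating the design point above; it is not Æ-DIR's own code and makes no claim about how Æ-DIR implements its OTP check. It assumes a constructed credential record (a PBKDF2 password hash and an RFC 6238 TOTP seed, both embedded inline for the demo), evaluates both factors unconditionally, and returns one generic failure message regardless of which factor was wrong.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed demo credential record. In a real deployment the salted
# password hash and the OTP seed live in the directory, not in code.
_SALT = b"constructed-demo-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
_OTP_SEED = b"12345678901234567890"  # the RFC 4226 / RFC 6238 SHA-1 test-vector key
_STEP = 30  # TOTP time step in seconds


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = _STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


def verify_password(candidate: str) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, _PASSWORD_HASH)


def verify_otp(candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps for clock drift.
    Every candidate step is compared; there is no early return on a match."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(_OTP_SEED, unix_time + drift * _STEP)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def authenticate(password: str, otp: str, unix_time: Optional[int] = None) -> Tuple[bool, str]:
    """Check both factors, then combine the results.

    Both checks always run (bitwise & instead of short-circuiting `and`), and
    every failure path returns the identical message, so neither the response
    nor the control flow reveals which factor was wrong.
    """
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = verify_password(password)
    otp_ok = verify_otp(otp, unix_time)
    if pw_ok & otp_ok:
        return True, "authentication succeeded"
    return False, "authentication failed"


if __name__ == "__main__":
    # Demo run at a fixed time so the expected OTP is reproducible.
    code = totp(_OTP_SEED, 59)
    for pw, o in (("correct horse", code), ("wrong", code), ("correct horse", "000000")):
        print(pw, o, "->", authenticate(pw, o, 59))
```

The audit-log side of the same rule is handled the same way: log a single "2FA failed" event for the account, not a per-factor verdict, so that the log cannot be used to confirm a guessed password on its own.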