Why yet another LDAP-based user management system?
Other similar products and projects focus on making data easily available everywhere and are therefore not suitable for really strict security/confidentiality requirements. Also, other systems do not have a distinct data model for the person / multi-user-account relationship.
What's the official name of the project and why do I see those strange characters?
The official name is Æ-DIR to be distinguishable from any other project (and to challenge Unicode capabilities of software). AE-DIR is the official pure-ASCII representation.
Only capital letters are used in both representations when occurring in documentation.
Lower-cased letters are used for DNS names (e.g. ae-dir-p1.example.com) and the default search base ou=ae-dir.
Æ-DIR seems complex. How to start with a simple setup for my very few systems?
Æ-DIR is designed to scale down and up:
You can install the system and start with one zone and a single host/service group for all your systems pointing to a single user group. Later you can extend that to your growing needs by adding more host/service and user groups and by moving hosts/services.
Can Æ-DIR server run on name-your-favourite-OS-here?
Æ-DIR is not limited to running on Linux. Provided you have packages of all the required software it could be installed on various OS platforms. But note that tweaking the automated ansible installation to run on different platforms is a lot of work.
Can I use another LDAP server software for Æ-DIR?
No. Æ-DIR makes heavy use of OpenLDAP's access control. To the best of my knowledge other LDAP server implementations do not provide similarly powerful access control (except by implementing a custom server-side plugin). If you have a different opinion/suggestion please let me know.
I prefer to install only packages shipped by my Linux (enterprise) distribution. Why are OpenLDAP packages from different repositories installed?
Can I use another search base than ou=ae-dir?
Yes. You can set ansible variable aedir_suffix which is used in all ansible tasks. Note that currently this is not well tested. Please provide feedback if you're using it.
How to backup the data?
On each Æ-DIR provider a CRON job exports the databases to LDIF files with command-line tool slapcat(8) (see also OpenLDAP Admin Guide). How often this happens and where the files are stored can be configured with ansible vars.
Is there an API for bulk operations?
The official API for programming Æ-DIR is LDAPv3 (see RFC 4510). Access control rules and constraints in the OpenLDAP configuration prevent your client role from accessing/altering entries in an invalid way.
One ready-to-use module is available for Python.
I always get an error message insufficientAccess when I try to delete a user or a group. What's wrong?
Nothing's wrong. It works as designed.
User names, group names and numeric POSIX IDs must never be reused. This is enforced by unique constraints and therefore deletion of user and group entries is prevented by ACLs. Set the status to "archived" (2) to make the entries invisible even to the zone admins.
How to report list of active users?
Any client example configurations available?
Yes. Check out the directory client-examples/.
Why do the client examples not use group authorization (e.g. memberOf filter)?
The goal is to keep client configuration dumb. This makes it possible to change access rights (solely by changing entities' relationship) in the directory without touching the client configuration.
Is the netgroup map supported by Æ-DIR?
Are nested groups supported by Æ-DIR?
No, because of bad performance. Furthermore you will lose oversight over nested groups sooner or later. Try understanding/leveraging the power of host/service groups referencing user groups, which serves the same purpose in most practical cases.
I'm too lazy to add groups etc. Can I directly assign rights to a user account?
Can I setup a Æ-DIR test instance without having to issue TLS certs?
No! In production you must use TLS anyway. So you should use your test environment to get familiar with it right from the start.
Can I let admins impersonate as a user for testing some issues with the user's access rights?
No! That's bad practice regarding audit logs! The admin should add a test user for themselves with exactly the same group memberships and use that for testing.
When using two-factor authentication (2FA) is it possible to distinguish whether password or OTP input was wrong?
No! Both authentication factors are checked together as one operation which either succeeds or fails as a whole. Æ-DIR deliberately does not tell the user which authentication factor was wrong. This prevents the authentication factors from being attacked separately (an attacker who learns that the password was right only has to guess the OTP, and vice versa).
How to find the owner of an object (entry)?
Although widely used the term "owner" is pretty blurry in real-life.
In Æ-DIR each entry resides within a zone and zones are used for delegation. Therefore finding the respective zone admin(s) of the object's zone is a good approach to find the currently responsible "owner(s)".
How to find the privileged users?
"Privileged" is yet another blurry term which oversimplifies access control to a single security class.
Basically access rights (for regular client access) are granted to user groups. So the current group membership of an account defines whether it has to be considered privileged. Note that the result is not a simple yes/no decision. The privileges have always to be reviewed carefully within a particular service context.
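The relationship described in this answer and in the earlier ones on host/service groups referencing user groups and on archived accounts, as an added example that is not code from the Æ-DIR project: a report that resolves, for each host/service group, which active accounts may currently log in, and for each account, which services it reaches. The entries are constructed sample data; the attribute names (aeStatus, aeLoginGroups, member), the DNs and the value 0 for "active" are assumptions for this example, only "archived" = 2 is taken from the FAQ.

```python
# Constructed sample entries (assumption for this example, not data from a real Æ-DIR instance).
ACTIVE = 0      # assumed value for an active entry
ARCHIVED = 2    # "archived" (2) as stated in the FAQ

USERS = {
    "uid=alice,ou=ae-dir": {"aeStatus": ACTIVE},
    "uid=bob,ou=ae-dir": {"aeStatus": ACTIVE},
    "uid=carol,ou=ae-dir": {"aeStatus": ARCHIVED},  # left; entry is archived, never deleted
}

# User groups: flat member lists, no group-in-group nesting.
USER_GROUPS = {
    "cn=web-admins,ou=ae-dir": {"member": ["uid=alice,ou=ae-dir", "uid=carol,ou=ae-dir"]},
    "cn=db-admins,ou=ae-dir": {"member": ["uid=bob,ou=ae-dir"]},
    "cn=all-staff,ou=ae-dir": {"member": ["uid=alice,ou=ae-dir", "uid=bob,ou=ae-dir",
                                          "uid=carol,ou=ae-dir"]},
}

# Host/service groups reference user groups; that single reference is the grant.
SRV_GROUPS = {
    "cn=web-prod,ou=ae-dir": {"aeLoginGroups": ["cn=web-admins,ou=ae-dir"]},
    "cn=db-prod,ou=ae-dir": {"aeLoginGroups": ["cn=db-admins,ou=ae-dir"]},
    "cn=jump-hosts,ou=ae-dir": {"aeLoginGroups": ["cn=all-staff,ou=ae-dir"]},
}


def users_for_service(srv_dn: str) -> set[str]:
    """Active accounts allowed to log in to the hosts of one host/service group.

    Two flat hops only: service group -> user groups -> accounts. Archived
    accounts keep their entries (names and IDs are never reused) but drop
    out of every access report.
    """
    allowed = set()
    for grp_dn in SRV_GROUPS[srv_dn]["aeLoginGroups"]:
        for user_dn in USER_GROUPS[grp_dn]["member"]:
            if USERS[user_dn]["aeStatus"] == ACTIVE:
                allowed.add(user_dn)
    return allowed


def services_for_user(user_dn: str) -> set[str]:
    """Answer 'is this account privileged?' with the concrete services it reaches."""
    return {srv for srv in SRV_GROUPS if user_dn in users_for_service(srv)}


def grant(srv_dn: str, grp_dn: str) -> None:
    """Change access rights purely by changing the relationship in the directory;
    no client configuration is touched."""
    SRV_GROUPS[srv_dn]["aeLoginGroups"].append(grp_dn)


def access_report() -> dict[str, list[str]]:
    return {srv: sorted(users_for_service(srv)) for srv in SRV_GROUPS}


if __name__ == "__main__":
    for srv, users in access_report().items():
        print(srv, "->", ", ".join(users) or "(nobody)")
    for user in USERS:
        print(user, "reaches", sorted(services_for_user(user)))
```

Run against a live directory, the same two joins would be two LDAP searches (the service group's aeLoginGroups values, then the member values of those groups filtered by status); the point is that the answer is a per-service list, not a single privileged yes/no.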