FAQ

  1. General
  2. Installation
  3. Maintenance
  4. Client integration

General

  1. Why yet another LDAP-based user management system?

    All other similar products/projects focus on making data easily available everywhere and are therefore not suitable for really strict security/confidentiality requirements. Also, other systems do not have a distinct data model for the person / multi-user-account relationship.

  2. What's the official name of the project and why do I see those strange characters?

    The official name is Æ-DIR, to be distinguishable from any other project (and to challenge the Unicode capabilities of software). AE-DIR is the official pure-ASCII representation. Only capital letters are used in both representations.

  3. Æ-DIR seems complex. How to start with a simple setup for just a few systems?

    Æ-DIR is designed to scale down and up:
    You can install the system and start with one zone and a single host/service group for all your systems, pointing to a single user group. Later you can extend that to your growing needs by adding more host/service and user groups and by moving hosts/services.

Installation

  1. Can the Æ-DIR server run on name-your-favourite-OS-here?

    Æ-DIR is not limited to running on Linux. Provided you have packages for all the required software, it could be installed on various OS platforms. But note that tweaking the automated ansible installation to run on different platforms is a lot of work.

  2. Can I use another LDAP server software for Æ-DIR?

    No. Æ-DIR makes heavy use of OpenLDAP's access control. To the best of my knowledge, other LDAP server implementations do not provide similarly powerful access control. If you have a different opinion or a suggestion, please let me know.

  3. I prefer to install only packages shipped by my Linux (enterprise) distribution. Why are OpenLDAP packages from other repositories installed?

    Æ-DIR has a quite complex OpenLDAP configuration which requires recent bug-fix releases (see also the OpenLDAP FAQ-O-MATIC).

  4. Can I use another search base than ou=ae-dir?

    Yes. You can set the ansible variable aedir_suffix, which is used in all ansible tasks. Note that currently this is not well tested. Please provide feedback if you're using it.

Maintenance

  1. How to back up the data?

    On each Æ-DIR provider a CRON job exports the databases to LDIF files with the command-line tool slapcat (see also the OpenLDAP Admin Guide). How often this happens and where the files are stored can be configured with ansible vars.

  2. Is there an API for bulk operations?

    The official API for programming Æ-DIR is LDAPv3 (see RFC 4510). Access control rules and constraints in the OpenLDAP configuration prevent your client role from accessing or altering entries in an invalid way.
    One ready-to-use module is available for Python.

  3. I always get the error message insufficientAccess when I try to delete a user or a group. What's wrong?

    Nothing's wrong. It works as designed.
    User names, group names and numeric POSIX IDs must never be reused. This is enforced by unique constraints, and therefore deletion of user and group entries is prevented by ACLs. Set the status to "archived" (2) to make the entries invisible even to the zone admins.

  4. How to report a list of active users?

    1. In web2ldap you can export search results as CSV or Excel files (see the example of exporting with web2ldap).
    2. Additionally there are two ready-to-use command-line tools which simply output CSV to stdout but can only be used by the role Æ Admin.
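    A third option, which needs neither web2ldap nor the Æ Admin role, is to build the report from the slapcat LDIF backups described under "How to back up the data?". The script below is an added example and is not one of the Æ-DIR command-line tools: it parses an LDIF export offline and prints the active users as CSV. It assumes schema details the FAQ does not spell out (user entries have objectClass aeUser, the login name in uid and the status in aeStatus, with 0 = active, 1 = deactivated and 2 = archived); the embedded LDIF is a constructed sample, not real slapcat output.

```python
"""Report active users from a slapcat LDIF export.

Added example, not AE-DIR project code. Assumed schema: user entries have
objectClass aeUser, the login name in uid and the status in aeStatus
(0 = active, 1 = deactivated, 2 = archived). SAMPLE_LDIF is constructed.
"""
import base64
import csv
import io
import sys

ACTIVE, DEACTIVATED, ARCHIVED = "0", "1", "2"

# Constructed sample: three users (one archived), one group, one base64
# value and one folded continuation line, as real slapcat output produces.
SAMPLE_LDIF = """\
# slapcat output (constructed sample)
dn: uid=alice,cn=people,ou=ae-dir
objectClass: aeUser
uid: alice
aeStatus: 0
cn: Alice Example
mail: alice@example.org

dn: uid=bob,cn=people,ou=ae-dir
objectClass: aeUser
uid: bob
aeStatus: 2
cn: Bob Archived
mail: bob@example.org

dn: uid=carol,cn=people,ou=ae-dir
objectClass: aeUser
uid: carol
aeStatus: 0
cn:: Q2Fyb2wgw5ZzdGVycmVpY2g=
mail: carol@example
 .org

dn: cn=ae-admins,cn=groups,ou=ae-dir
objectClass: aeGroup
cn: ae-admins
member: uid=alice,cn=people,ou=ae-dir
"""


def parse_ldif(text):
    """Parse LDIF content records (RFC 2849) into a list of {attr: [values]}.

    Attribute names are lower-cased (LDAP compares them case-insensitively).
    URL-referenced values ("attr:< file:///...") are rejected, not fetched,
    so a crafted export cannot make this tool read local files.
    """
    # Unfold: a line starting with one space continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith("<"):
            raise ValueError(f"URL-referenced value not allowed: {line!r}")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):
            value = value[1:]
        current.setdefault(name.lower(), []).append(value)
    return entries


def active_users(entries, status=ACTIVE):
    """Select aeUser entries with the given aeStatus as report rows."""
    rows = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "aeuser" not in classes or entry.get("aestatus", [""])[0] != status:
            continue
        rows.append({"uid": entry["uid"][0], "cn": entry.get("cn", [""])[0],
                     "mail": entry.get("mail", [""])[0], "dn": entry["dn"][0]})
    return sorted(rows, key=lambda row: row["uid"])


def to_csv(rows):
    """Render rows as CSV text; DNs contain commas, so csv quotes them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["uid", "cn", "mail", "dn"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python report_active.py <path-to-slapcat-export.ldif>
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else SAMPLE_LDIF)
    sys.stdout.write(to_csv(active_users(parse_ldif(text))))
```

    Two things to keep in mind when reporting from backups: the result reflects the state at export time, not the live directory, and a slapcat export contains every attribute of every entry, including userPassword hashes, so the LDIF files themselves need the same access restrictions as the directory.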

Client integration

  1. Any client example configurations available?

    Yes. Check out the directory client-examples/.

  2. Why do the client examples not use group authorization (e.g. memberOf filter)?

    The goal is to keep client configuration dumb. This makes it possible to change access rights in the directory (solely by changing the entities' relationships) without touching the client configuration.

  3. Is the netgroup map supported by Æ-DIR?

    Short answer: No!
    Long answer:
    Æ-DIR is designed to replace netgroups completely by leveraging host/service groups referencing user groups as login groups (via attribute aeLoginGroups).

  4. Are nested groups supported by Æ-DIR?

    No, because of bad performance. Furthermore, you will lose oversight of nested groups sooner or later. Try to understand and leverage the power of host/service groups referencing user groups, which serves the same purpose in most practical cases.
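    The three answers above (dumb client configuration, no netgroups, no nested groups) describe one resolution rule: a host/service group names user groups in aeLoginGroups, and the active members of those groups may log in. The resolver below is an added example, not Æ-DIR code; it assumes a data model the FAQ only hints at (host/service group entries with objectClass aeSrvGroup, user groups with objectClass aeGroup listing user DNs in member, users with aeStatus where 0 means active; all three assumed names), and DIRECTORY is a constructed snapshot. A group DN placed inside member is reported and not followed, which is exactly the nesting the FAQ refuses, and with_member shows that granting access is a data change only.

```python
"""Resolve who may log in to a host/service group, AE-DIR style.

Added example, not AE-DIR project code. Assumed data model (the FAQ only
names aeLoginGroups): aeSrvGroup entries reference user groups via
aeLoginGroups, aeGroup entries list users via member, aeUser entries carry
aeStatus where "0" means active. DIRECTORY is a constructed snapshot.
"""
import copy

ACTIVE = "0"

DIRECTORY = {
    # host/service groups
    "cn=web-servers,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=web-admins,cn=zone1,ou=ae-dir",
                          "cn=auditors,cn=zone1,ou=ae-dir"],
    },
    "cn=db-servers,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=dba,cn=zone1,ou=ae-dir"],
    },
    # user groups
    "cn=web-admins,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeGroup"],
        "member": ["uid=alice,cn=people,ou=ae-dir",
                   "uid=bob,cn=people,ou=ae-dir"],
    },
    "cn=auditors,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeGroup"],
        "member": ["uid=carol,cn=people,ou=ae-dir",
                   "cn=dba,cn=zone1,ou=ae-dir"],     # a group as member: not followed
    },
    "cn=dba,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeGroup"],
        "member": ["uid=dave,cn=people,ou=ae-dir"],
    },
    # users (bob is deactivated)
    "uid=alice,cn=people,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["0"]},
    "uid=bob,cn=people,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["1"]},
    "uid=carol,cn=people,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["0"]},
    "uid=dave,cn=people,ou=ae-dir": {"objectClass": ["aeUser"], "aeStatus": ["0"]},
}


def login_users(directory, srv_group_dn):
    """Resolve one host/service group to (active user DNs, {dn: why skipped}).

    Only one level is walked: srv group -> user group -> user. Anything else
    found in member is reported so an auditor sees it, never expanded.
    """
    srv = directory.get(srv_group_dn)
    if srv is None or "aeSrvGroup" not in srv.get("objectClass", []):
        raise KeyError(f"{srv_group_dn} is not a host/service group")
    allowed, skipped = set(), {}
    for group_dn in srv.get("aeLoginGroups", []):
        group = directory.get(group_dn)
        if group is None or "aeGroup" not in group.get("objectClass", []):
            skipped[group_dn] = "aeLoginGroups value is not an existing user group"
            continue
        for member_dn in group.get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                skipped[member_dn] = "unknown entry"
            elif "aeUser" not in entry.get("objectClass", []):
                skipped[member_dn] = "not a user (nested groups are not followed)"
            elif entry.get("aeStatus", [""])[0] != ACTIVE:
                skipped[member_dn] = "user not active"
            else:
                allowed.add(member_dn)
    return allowed, skipped


def may_login(directory, user_dn, srv_group_dn):
    """The question a client asks the directory instead of a netgroup lookup."""
    return user_dn in login_users(directory, srv_group_dn)[0]


def with_member(directory, group_dn, user_dn):
    """Copy of the directory with user_dn added to a user group.

    Granting access is purely a data change; no client configuration moves.
    """
    changed = copy.deepcopy(directory)
    changed[group_dn].setdefault("member", []).append(user_dn)
    return changed


def access_report(directory):
    """{host/service group DN: sorted active user DNs} for every service group."""
    return {dn: sorted(login_users(directory, dn)[0])
            for dn, attrs in directory.items()
            if "aeSrvGroup" in attrs.get("objectClass", [])}


if __name__ == "__main__":
    for srv, users in access_report(DIRECTORY).items():
        print(srv, "->", ", ".join(users) or "(nobody)")
```

    Because nesting is never expanded, the cost of answering "may this user log in here?" stays at two lookups per login group regardless of how the groups are arranged, and every entry that was silently dropped is visible in the skipped map, which is the oversight the FAQ says nested groups lose.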

  5. I'm too lazy to add groups etc. Can I directly assign rights to a user account?

    No! You must always add host/service groups and grant the rights on them to user groups. Think about it for a few minutes. It makes sense!