Next steps / to-do list
- Monitoring
- DevOps tooling
- User Interface
- WebSSO
- PKI
- PXE/DHCP/TFTP integration
- Network Access Control (NAC)
- RADIUS
- DNS
- Command-line tool
- Compliance checks
Monitoring
Done:
- Implemented Prometheus exporter in web2ldap 1.5.45+.
- Implemented Prometheus metrics for slapd (interim solution in slapdcheck 3.5.0+).
- Implemented simple Prometheus metrics for the multi-process web apps and CRON jobs with small mtail programs. mtail has to be installed (see also ansible-mtail).
Open:
- Implement Grafana dashboards.
DevOps tooling
- Scripts for local slapd-ldap instance used as admin proxy for bulk operations from local tools.
ansible
Done:
- Automated authentication configuration (add entry, set userPassword) for aeHost and aeService with an ansible module.
Open:
- Dynamic inventory plugin for accessing attributes in Æ-DIR entries
User Interface
- Specific web application for administrative use-cases.
- Simple reporting use-cases (expired objects etc.).
- Graph reporting of data structures in a zone.
WebSSO
Custom IdP implementation supporting SAML 2.0, OAuth 2.0 and OpenID Connect, checking the login relationship between user and service based on aeSrvGroup - aeLoginGroups.
Python modules to be used: pysaml2, oic, pyop
PKI
EKCA
Tight integration of EKCA for issuing short-term OpenSSH user certificates.
X.509
- Issue server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins (see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR)
- direct ansible integration for server cert enrollment
- X.509 cert enrollment for aeUser with multi-factor authc
- remote CA keys (e.g. based on pyeleven and PyKCS11)
PXE/DHCP/TFTP integration
- Extend one of the following Python daemon implementations to look up the correct boot config in Æ-DIR:
- make use of aeNwDevice
Network Access Control (NAC)
- IEEE 802.1X
- libvirt network filters
- make use of aeNwDevice
RADIUS
Support for RADIUS with dynamic RADIUS client configuration (see also NAC).
- FreeRADIUS: has many features, basic LDAP authc out-of-the-box
- BSDRadius: needs own module
- thin implementation based on pyrad
DNS
- Use PowerDNS to serve attributes as DNS RRs to augment the regular DNS service:
- aeHost (A and PTR)
- aeNwDevice (A and PTR)
- aeZone (SOA)
- use remote backend (preferably with DNSSEC) via pdns-remotebackend-python
Command-line tool
- Implement sub-commands in ae-dir-tool.
- Use Typer with type hints.
- Idempotent add/modify for aeHost entries.
Compliance checks
Prepare compliance statements: