Next steps / to-do list

1. WebSSO
2. Monitoring
3. User Interface
4. PKI
5. Network Access Control (NAC)
6. RADIUS
7. DNS
8. Command-line tool

See also:

• Æ-DIR repositories with issue trackers
• How to contribute?

WebSSO

Custom OpenID Connect Provider (OP) checking login relationship of user and service based on aeSrvGroup - aeLoginGroups.

Python modules to evaluate:

• Identity Python module oidc-op, see also Example based on Flask
• Authlib, see also Example of OpenID Connect 1.0 Provider

Monitoring

• Implement Æ-DIR data metrics exporter:
  • Number of zones, users, groups, hosts etc. labeled by aeStatus
  • Inbound references to a zone labeled per referencing zone.
  • Extract data from exported LDIF data.
• Implement grafana dash-boards for
  • slapdcheck
  • Æ-DIR data metrics exporter

User Interface

• specific web application for administrative use-cases
• Simple reporting use-cases (expired objects etc.).
• Graph reporting of data structures in a zone.

X.509 PKI

• Issue X.509 server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins (see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR)
• direct ansible integration for server cert enrollment
• X.509 cert enrollment for aeUser with multi-factor authc
• remote CA keys (e.g. based on pyeleven and PyKCS11)

Network Access Control (NAC)

• IEEE 802.1X
• libvirt network filters
• make use of aeNwDevice

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

• FreeRADIUS: many features, LDAP authc and authz out-of-the-box
• Custom implementation based on pyrad

DNS

• use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
  • aeHost (A and PTR)
  • aeNwDevice (A and PTR)
  • aeZone (SOA)
• use remote backend (preferably with DNSSEC) via pdns-remotebackend-python

Command-line tool

• Implement sub-commands in ae-dir-tool.
• • Use Typer with type hints.
  • Idempotent add/modify for aeHost entries.