Next steps / to-do list
- DevOps tooling
- User Interface
- PXE/DHCP/TFTP integration
- Network Access Control (NAC)
- Command-line tool
- Compliance checks
- Implemented Prometheus exporter in web2ldap 1.5.45+.
- Implemented Prometheus metrics for slapd (interim solution in slapdcheck 3.5.0+).
- Implemented simple Prometheus metrics for the multi-process web apps and CRON jobs with small mtail programs. mtail has to be installed (see also ansible-mtail).
- Implement Grafana dashboards.
- Scripts for local slapd-ldap instance used as admin proxy for bulk operations from local tools.
- Automated authentication configuration (add entry, set userPassword) for aeHost and aeService with an Ansible module.
- Dynamic inventory plugin for accessing attributes in Æ-DIR entries
- specific web application for administrative use-cases
- Simple reporting use-cases (expired objects etc.).
- Graph reporting of data structures in a zone.
Custom IdP implementation supporting SAML 2.0, OAuth 2.0 and OpenID Connect, checking the login relationship of user and service based on aeSrvGroup - aeLoginGroups.
- Issue X.509 server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins (see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR)
- direct Ansible integration for server cert enrollment
- X.509 cert enrollment for aeUser with multi-factor authc
- remote CA keys (e.g. based on pyeleven and PyKCS11)
- Extend one of the following Python daemon implementations to look up correct boot config in Æ-DIR:
- make use of aeNwDevice
Network Access Control (NAC)
Support for RADIUS with dynamic RADIUS client configuration (see also NAC).
- FreeRADIUS: has many features, basic LDAP authc out-of-the-box
- BSDRadius: needs own module
- thin implementation based on pyrad
- use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
- use remote backend (preferably with DNSSEC) via pdns-remotebackend-python
- Implement sub-commands in ae-dir-tool.
- Use Typer with type hints.
- Idempotent add/modify for aeHost entries.
Prepare compliance statements: