Next steps / to-do list

1. Monitoring
2. DevOps tooling
3. User Interface
4. WebSSO
5. PKI
6. PXE/DHCP/TFTP integration
7. Network Access Control (NAC)
8. RADIUS
9. DNS
10. Command-line tool
11. Compliance checks

Monitoring

Done:

• Implemented Prometheus exporter in web2ldap 1.5.45+.
• Implemented Prometheus metrics for slapd (interims solution in slapdcheck 3.5.0+).
• Implemented simple Prometheus metrics for the multi-process web apps and CRON jobs with small mtail programs. mtail has to be installed (see also ansible-mtail).

Open:

• Implement grafana dash-boards.

DevOps tooling

• Scripts for local slapd-ldap instance used as admin proxy for bulk operations from local tools.

ansible

Done:

• Automated authentication configuration (add entry, set userPassword) for aeHost and aeService with an ansible module.

Open:

• Dynamic inventory plugin for accessing attributes in Æ-DIR entries

User Interface

• specific web application for administrative use-cases
• Simple reporting use-cases (expired objects etc.).
• Graph reporting of data structures in a zone.

WebSSO

Custom IdP implementation supporting SAML 2.0, OAuth 2.0, Open ID Connect checking login relationship of user and service based on aeSrvGroup - aeLoginGroups.

Python modules to be used: pysaml2, oic, pyop

PKI

Done:

• Tight integration of EKCA for issuing short-term OpenSSH user certificates.

X.509

• Issue X.509 server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins (see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR)
• direct ansible integration for server cert enrollment
• X.509 cert enrollment for aeUser with multi-factor authc
• remote CA keys (e.g. based on pyeleven and PyKCS11)

PXE/DHCP/TFTP integration

• Extend one of the following Python demon implementations to look up correct boot config in Æ-DIR:
  • ptftpd (GPLv3)
  • PyPXE (MIT License)
• make use of aeNwDevice

Network Access Control (NAC)

• IEEE 802.1X
• libvirt network filters
• make use of aeNwDevice

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

• FreeRADIUS: has many features, basic LDAP authc out-of-the-box
• BSDRadius: needs own module
• thin implementation based on pyrad

DNS

• use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
  • aeHost (A and PTR)
  • aeNwDevice (A and PTR)
  • aeZone (SOA)
• use remote backend (preferably with DNSSEC) via pdns-remotebackend-python

Command-line tool

• Implement sub-commands in ae-dir-tool.
• • Use Typer with type hints.
  • Idempotent add/modify for aeHost entries.

Compliance checks

Prepare compliance statements:

• CIS benchmarks
• BSI Grundschutz