Next steps / to-do list

In no particular order...

1. WebSSO
2. X.509 PKI
3. DevOps tooling
4. Logging
5. PXE/DHCP/TFTP integration
6. Network Access Control (NAC)
7. RADIUS
8. DNS
9. User Interface
10. ModSecurity
11. Command-line tool
12. Browser integration/security
13. Python 3.x
14. Compliance checks

WebSSO

Custom IdP implementation supporting SAML 2.0, OAuth 2.0, Open ID Connect checking login relationship of user and service based on aeSrvGroup - aeLoginGroups.

Python modules to be used: pysaml2, oic, pyop

X.509 PKI

• Issue server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins
• see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR
• direct ansible integration for server cert enrollment
• X.509 cert enrollment for aeUser with multi-factor authc
• use X.509 certs as SSH authorized keys instead of attribute sshPublicKey
• remote CA keys (e.g. based on pyeleven and PyKCS11)
• Are there ready-to-use PKI backend solutions in Python?
• serverPKI
• certidude

DevOps tooling

• Scripts for local slapd-ldap instance used as admin proxy for bulk operations from ansible plays, dynamic ansible inventory based on Æ-DIR entries or similar.
• proper keyring support for tools (inspired by Mirko's password_from_keyring-py)

ansible

• Automated authentication configuration (set userPassword) for aeHost and aeService
• Dynamic inventory module for accessing attributes in Æ-DIR entries

Logging

• Log performance data as Graylog Extended Log Format (GELF)
• The web applications should use Python's logging module and file ae-logging.conf
• Add cee_syslog_handler in file ae-logging.conf

PXE/DHCP/TFTP integration

• Extend one of the following Python demon implementations to look up correct boot config in Æ-DIR:
  • ptftpd (GPLv3)
  • PyPXE (MIT License)
• make use of aeNwDevice

Network Access Control (NAC)

• IEEE 802.1X
• libvirt network filters
• make use of aeNwDevice

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

• FreeRADIUS: has many features, basic LDAP authc out-of-the-box
• BSDRadius: needs own module
• thin implementation based on pyrad

DNS

• use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
  • aeHost (A and PTR)
  • aeNwDevice (A and PTR)
  • aeZone (SOA)
• use remote backend (preferrably with DNSSEC) via pdns-remotebackend-python

User Interface

• specific web application for administrative use-cases
• Python / flask / WTForms…
• Simple reporting use-cases (expired objects etc.).
• Graph reporting of data structures in a zone.

ModSecurity

Define a ruleset for ModSecurity.

Command-line tool

• Consolidate various command-line tools into one tool with sub-commands within Python module package aedir.
• Implement following use-cases:
  • Add aeHost entries
  • Set password (replace ae-passwd.py)

Browser integration/security

• Make use of Subresource Integrity either with ansible-generated hashes or on-the-fly-generation in the web app(s):
  • Subresource Integrity - W3C Recommendation
  • Using Subresource Integrity | Mozilla Developer Network (MDN)
  • Browser support (caniuse.com)

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module	License	Notes
ldap3	LGPLv3	supports Python 2.7 and 3.4+
bonsai	MIT	only Python 3.4+
ldap0	Python-style	needs work to support Python 3

Compliance checks

Prepare compliance statements:

• CIS benchmarks
• BSI Grundschutz