Next steps / to-do list

In no particular order...

Done

1. Multi-factor authc
2. Hardening
   1. AppArmor
   2. systemd

Multi-factor authc

• integrated OATH-LDAP
• based on slapd-sock listener

Hardening

AppArmor

If you set ansible variable apparmor_enabled: True then AppArmor profiles and abstractions are installed to confine all components to enforce mode.
Only supported on Debian Stretch and openSUSE/SLE.

systemd

Using various systemd security configuration options for starting services via systemd units. See ansible variable aedir_systemd_hardening for global settings.

See also:

• systemd.index — List all manpages from the systemd project
• systemd.exec(5)
• lwn.net: Using systemd for more secure services in Fedora
• Security focused systemd configuration

Open

1. WebSSO
2. X.509 PKI
3. ansible
4. Logging
5. Monitoring
6. PXE/DHCP/TFTP integration
7. Network Access Control (NAC)
8. RADIUS
9. PAM/NSS caching demon
10. DNS
11. User Interface
12. Command-line tool
13. Browser integration/security
14. Python 3.x
15. Compliance checks

WebSSO

Possible IdP implementations for SAML 2.0, OAuth 2.0, Open ID connect:

Project name	License	Programming Language	Notes
pysaml2 and oic / pyop	Apache License 2.0	Python	no ready-to-use web application much work to implement missing pieces highest flexibility
ipsilon	GPLv3	Python	many dependencies especially on FreeIPA/sssd modules hard to install bad documentation seems unmaintained
keycloak	Apache License 2.0	Java	runs within wildfly easy too install test deployment complex hardening needed

X.509 PKI

• Issue server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins
• see also LDAPcon 2017 talk: X.509 PKI RA schema for Æ-DIR
• direct ansible integration for server cert enrollment
• X.509 cert enrollment for aeUser with multi-factor authc
• use X.509 certs as SSH authorized keys instead of attribute sshPublicKey
• remote CA keys (e.g. based on pyeleven and PyKCS11)
• Are there ready-to-use PKI backend solutions in Python?
• serverPKI
• certidude

ansible

• Automated authentication configuration (set userPassword) for aeHost and aeService
• Dynamic inventory module for accessing attributes in Æ-DIR entries
• proper keyring support (inspired by Mirko's password_from_keyring-py)

Logging

• Log performance data as Graylog Extended Log Format (GELF)
• The web applications should use Python's logging module and file ae-logging.conf
• Add cee_syslog_handler in file ae-logging.conf

Monitoring

• monitor whether PAM/NSS client still has valid configuration

PXE/DHCP/TFTP integration

• Extend one of the following Python demon implementations to look up correct boot config in Æ-DIR:
  • ptftpd (GPLv3)
  • PyPXE (MIT License)
• make use of aeNwDevice

Network Access Control (NAC)

• IEEE 802.1X
• libvirt network filters
• make use of aeNwDevice

RADIUS

Support for RADIUS with dynamic RADIUS client configuration (see also NAC).

• FreeRADIUS: has many features, basic LDAP authc out-of-the-box
• BSDRadius: needs own module
• thin implementation based on pyrad

PAM/NSS caching demon

Improve Performance

Æ-DIR-specific caching demon knows the data and therefore can search more efficiently without local configuration (see notes about smart clients)

Automation / Recovery on error (PAM)

special system user for aeHost with host password allowed to set system password in local configuration

Location-specific replicas

read DC locations in attribute aeLocation of aeHost entry to determine "near" consumer replicas to access

Monitoring

integrated monitoring (alarming and performance)

Maps

group

• The group map could be extended with generic groups based on rights groups attributes with well-known gidNumber.
• Add virtual groups for the gidNumber set in aeUser entries.

aliases

For simple mail forwarding the aliases map should be supported with generic aliases based on rights groups attributes.

hosts

Do hosts lookup similar to ideas for DNS.

ethers

The ethers map could be virtually provided for hosts within the same local network (collision domain) similar to ideas for Network Access Control.

Implementation details

• use PAM/NSS frontend modules of nss-pam-ldapd
• eventually fix and extend Arthur's pynslcd(8)
• eventually use DiskCache for persistent caching
• Support using X.509 TLS client certs for SASL/EXTERNAL bind
• Look at off-line sync with nsscache / libnss-cache

DNS

• use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
  • aeHost (A and PTR)
  • aeNwDevice (A and PTR)
  • aeZone (SOA)
• use remote backend (preferrably with DNSSEC) via pdns-remotebackend-python

User Interface

• specific web application for administrative use-cases
• Python / flask / WTForms…
• Simple reporting use-cases (expired objects etc.).
• Graph reporting of data structures in a zone.

Command-line tool

• Consolidate various command-line tools into one tool with sub-commands within Python module package aedir.
• Implement following use-cases:
  • Add aeHost entries
  • Set password (replace ae-passwd.py)

Browser integration/security

• Make use of Subresource Integrity either with ansible-generated hashes or on-the-fly-generation in the web app(s):
  • Subresource Integrity - W3C Recommendation
  • Using Subresource Integrity | Mozilla Developer Network (MDN)
  • Browser support (caniuse.com)

Python 3.x

Possible LDAP modules with support for Python 3.x:

Module	License	Notes
ldap3	LGPLv3	supports Python 2.7 and 3.4+
bonsai	MIT	only Python 3.4+
ldap0	Python-style	needs work to support Python 3

Compliance checks

Prepare compliance statements:

• CIS benchmarks
• BSI Grundschutz