Next steps / to-do list
Done
Multi-factor authc
- integrated OATH-LDAP
- based on slapd-sock listener
Open
Group maintenance
- Drop slapo-memberOf and use slapo-dynlist instead with reverted group management (see OpenLDAP ITS#8613 for rationale).
- Make memberOf writeable (ACLs, UI, etc.) for responsible zone admins.
WebSSO
Possible IdP implementations for SAML 2.0, OAuth 2.0, Open ID connect:
| Project name | License | Programming Language |
Notes |
|---|---|---|---|
| pysaml2 and oic | Apache License 2.0 | Python |
|
| ipsilon | GPLv3 | Python |
|
| keycloak | Apache License 2.0 | Java |
|
| Shibboleth | Duo? | Java | |
| CAS | Apache License 2.0 | Java |
X.509 PKI
- Issue server certs to aeHost, aeNwDevice, aeService or aeSrvGroup based on authorization of role Setup Admins
- Enrollment based on Automatic Certificate Management Environment (ACME)
- direct ansible integration for server cert enrollment
- X.509 cert enrollment for aeUser with multi-factor authc
- use X.509 certs as SSH authorized keys instead of attribute sshPublicKey
- remote CA keys (e.g. based on pyeleven)
ansible
- Automated authentication configuration (set userPassword) for aeHost and aeService
- Dynamic inventory module for accessing attributes in Æ-DIR entries
- proper keyring support (inspired by Mirko's password_from_keyring-py)
Logging
- Log performance data as Graylog Extended Log Format (GELF)
- The web applications should use Python's logging module and file ae-logging.conf
- Add cee_syslog_handler in file ae-logging.conf
Monitoring
- monitor whether PAM/NSS client still has valid configuration
AppArmor
Automatically install correct profiles to run AppArmor in mandatory mode.
PXE/DHCP/TFTP integration
- Extend one of the following Python demon implementations to look up correct boot config in Æ-DIR:
- make use of aeNwDevice
Network Access Control
- IEEE 802.1X
- libvirt network filters
- make use of aeNwDevice
FreeRADIUS
FreeRADIUS integration:- dynamic RADIUS client configuration (with shared secrets)
- TACACS+
PAM/NSS caching demon
- Improve Performance
- Æ-DIR-specific caching demon knows the data and therefore can search more efficiently without local configuration (see notes about smart clients)
- Automation / Recovery on error (PAM)
- special system user for aeHost with host password allowed to set system password in local configuration
- Location-specific replicas
- read DC locations in attribute aeLocation of aeHost entry to determine "near" consumer replicas to access
- Monitoring
- integrated monitoring (alarming and performance)
- Maps
-
- group
-
- The group map could be extended with generic groups based on rights groups attributes with well-known gidNumber.
- Add virtual groups for the gidNumber set in aeUser entries.
- aliases
- For simple mail forwarding the aliases map should be supported with generic aliases based on rights groups attributes.
- hosts
- Do hosts lookup similar to ideas for DNS.
- ethers
- The ethers map could be virtually provided for hosts within the same local network (collision domain) similar to ideas for Network Access Control.
- Implementation details
-
- use PAM/NSS frontend modules of nss-pam-ldapd
- eventually fix and extend Arthur's pynslcd(8)
- eventually use DiskCache for persistent caching
- Support using X.509 TLS client certs for SASL/EXTERNAL bind
- Look at off-line sync with nsscache / libnss-cache
DNS
-
use PowerDNS to serve attributes as DNS RRs to augment regular DNS service:
- aeHost (A and PTR)
- aeNwDevice (A and PTR)
- aeZone (SOA)
- use remote backend (preferrably with DNSSEC) via pdns-remotebackend-python
User Interface
- specific web application for administrative use-cases
- Python / flask / WTForms…
Browser integration/security
- Make use of Subresource Integrity either with ansible-generated hashes or on-the-fly-generation in the web app(s):
Compliance checks
Prepare compliance statements:
Reporting
- Web apps for simple reporting use-cases (expired objects etc.).
- Graph reporting of data structures in a zone.