Æ-DIR: Yet another LDAP user and systems management

Michael Ströder

stroeder.com

Abstract

This talk will present a concept and a real-world implementation of a user and authorization management system based purely on OpenLDAP, used mainly to control administrative access to Unix-like servers. The main goal of Æ-DIR (besides challenging the Unicode handling of various software with its name) is to follow the need-to-know principle as closely as possible. The visibility of users, groups, sudoers entries, etc. is restricted mainly by OpenLDAP's set-based ACLs. All systems and services, without exception(!), have to authenticate individually before they are authorized to access Æ-DIR.
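As an added illustration of the set-based ACL idea described above (this is example configuration written for this page, not Æ-DIR's own ACLs, which are considerably more elaborate): a cn=config fragment for OpenLDAP in which group entries are readable only by their own members, user entries only by the user itself and by an administrators group, and sudo-ldap roles only by the host they name. The suffix ou=ae-dir, the container names, the group cn=ae-admins, and the attribute lists are assumptions made for the example; the by set= patterns follow the syntax documented in slapd.access(5).

```ldif
# Hypothetical OpenLDAP cn=config fragment (added example, not Æ-DIR's real ACLs).
# Assumed suffix: ou=ae-dir with containers ou=people, ou=groups, ou=sudoers, ou=hosts.
# Assumed: every user, host and service has its own entry and binds with it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords are write-only for the owner and usable by anyone only for authentication.
olcAccess: {0}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
# A group is visible only to its own members: the set of DNs in the target
# entry's member attribute ("this/member") intersected with the bound DN ("user")
# must be non-empty for the rule to match.
olcAccess: {1}to dn.children="ou=groups,ou=ae-dir" attrs=entry,cn,member
  by set="this/member & user" read
  by * none
# A user entry is visible to the user itself and to members of the (assumed)
# admins group; the attribute list is illustrative.
olcAccess: {2}to dn.children="ou=people,ou=ae-dir"
  attrs=entry,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,sshPublicKey
  by self read
  by set="[cn=ae-admins,ou=groups,ou=ae-dir]/member & user" read
  by * none
# sudo-ldap roles: a host, bound with its own identity, sees only the roles whose
# sudoHost lists its own cn. This assumes host entries carry the FQDN in cn and
# that set intersection compares the attribute values as plain strings.
olcAccess: {3}to dn.children="ou=sudoers,ou=ae-dir"
  by set="user/cn & this/sudoHost" read
  by set="[cn=ae-admins,ou=groups,ou=ae-dir]/member & user" write
  by * none
# Everything else is denied, for anonymous binds as well: a system or service
# that has not authenticated sees nothing. The first matching "to" clause wins,
# so this catch-all must stay last.
olcAccess: {4}to *
  by * none
```

Note the consequence for sudo-ldap: a host can no longer rely on a role with sudoHost: ALL being visible, because such a role does not name the host and therefore falls through to by * none. That is the intended need-to-know effect, but it has to be accounted for when migrating existing sudoers data. Before relying on rules like these, verify them from a test client bound as a real host entry (for example with ldapsearch -x -D "cn=host.example.com,ou=hosts,ou=ae-dir" ...) rather than as an administrator, since an administrator's view says nothing about what a host can see.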

The talk will also cover the hardened base configuration of OpenLDAP, the tools developed for Æ-DIR, and some experiences gained when migrating/attaching 7000+ servers to this user management.

Furthermore, the architecture of an SSH gateway is shown which uses the very same access control data to authorize SSH connections passing through the gateway.

Finally, the talk will outline some additional to-dos and rough ideas on how to develop this system further.

Biography

Michael Ströder has been working for 16 years as a consultant for LDAP-based directory services and identity/access management. His main interest is building highly secure infrastructures.

He is also the author of the LDAP client web application web2ldap (see http://www.web2ldap.de) and maintainer of the Python LDAP module python-ldap (see http://www.python-ldap.org).

Presentation

AE-DIR: Paranoid user management with OpenLDAP – slides

Software

Æ-DIR home page
