Æ-DIR: Yet another LDAP user and systems management

Michael Ströder



This talk will present a concept and real-world implementation of a user and authorization management system purely based on OpenLDAP mainly used to control administrative access to Unixoid servers. The main goal of Æ-DIR (besides challenging Unicode handling in various software with its name) is to follow the need-to-know principle as much as possible. The visibility of user, group, sudoers, etc. is limited mainly by OpenLDAP’s set-based ACLs. All systems and services, no exception(!), have to individually authenticate to be authorized to access Æ-DIR.

The talk will give some additional information about the secured base configuration of OpenLDAP, tools developed and some experiences made when migrating/attaching 7000+ servers to this user management.

Furthermore the architecture of a SSH gateway is shown which uses the very same access control data to authorize SSH connections passing through the gateway.

Finally the talk will outline some additional to-dos, and rough ideas how to further develop this system.


Michael Ströder works since 16 years as a consultant for LDAP based directory services and identity/access management. His main interest is building highly secure infrastructures.

He’s also the author of the LDAP client web application web2ldap (see http://www.web2ldap.de) and maintainer of the Python LDAP module (see http://www.python-ldap.org).


AE-DIR: Paranoid user management with OpenLDAP – slides


Æ-DIR home page

Michael Ströder

Michael Ströder