Æ-DIR: Yet another LDAP user and systems management
This talk will present a concept and real-world implementation of a user and authorization management system purely based on OpenLDAP mainly used to control administrative access to Unixoid servers. The main goal of Æ-DIR (besides challenging Unicode handling in various software with its name) is to follow the need-to-know principle as much as possible. The visibility of user, group, sudoers, etc. is limited mainly by OpenLDAP’s set-based ACLs. All systems and services, no exception(!), have to individually authenticate to be authorized to access Æ-DIR.
The talk will give some additional information about the secured base configuration of OpenLDAP, tools developed and some experiences made when migrating/attaching 7000+ servers to this user management.
Furthermore the architecture of a SSH gateway is shown which uses the very same access control data to authorize SSH connections passing through the gateway.
Finally the talk will outline some additional to-dos, and rough ideas how to further develop this system.
Michael Ströder works since 16 years as a consultant for LDAP based directory services and identity/access management. His main interest is building highly secure infrastructures.