aehostd -- A custom NSS/PAM service for Æ-DIR
2019-11-05, 11:45–12:30, Main Conference Room

Click HERE to view the presentation slide deck.

This talk outlines why aehostd, a custom NSS/PAM service for Æ-DIR, was developed. Futhermore some implementation details and security aspects are explained followed by a demonstration of the host enrollment process.


In general the author hates to reinvent the wheel. But while Æ-DIR can be used with any NSS/PAM host client those are not ideal for an Æ-DIR deployment with ~15000 hosts. For various reasons a custom NSS/PAM service called aehostd was developed.

Some key aspects:
* Implemented in Python, uses front-end modules of nss-pam-ldapd
* Full enumeration of passwd and group maps
* Syncing of SSH authorized keys and sudoers files
* Supports host enrollment (initializing host password) via SSH pseudo login
* Can send search requests optimized for Æ-DIR's schema which saves lots of CPU power, network traffic and log space
* Provides virtual groups for Æ-DIR's role groups and user's individual primary GID
* Sends Session Tracking extended control (see draft-wahl-ldap-session)
* Client-side load-balancing with ordered and/or pooled LDAP URIs
* Refresh jitter for avoiding synced load peaks