Brussels / 3 & 4 February 2018


Æ-DIR -- Authorized Entities Directory

from paranoid user management to secure system management

This talk will introduce Æ-DIR, a paranoid identity and access management (IAM) system based on pure OpenLDAP. The talk will detail the data model used for delegated administration and its use e.g. for a strictly authorizing SSH proxy.

Furthermore it introduces OATH-LDAP, a OATH-based OTP authentication system with pure LDAP backend and the enrollment process used for secure initializing yubikey tokens.

The conclusion of the talk will highlight want else will be done with the data and role model in the near future.

Æ-DIR and OATH-LDAP are free software projects.

This talk will present a concept and real-world implementation of a privileged identity and access management system (IAM, PAM) purely based on OpenLDAP. The main goal of Æ-DIR (besides challenging Unicode handling in various software with its name) is to follow the delegation, need-to-know and least-privilege principles as strict as possible. The visibility of user, group, sudoers, etc. is limited by OpenLDAP’s set-based ACLs. All systems and services, no exception(!), have to individually authenticate to be authorized to access Æ-DIR.

The talk will give some additional information about the secured base configuration of OpenLDAP, tools developed and some experiences made when migrating/attaching 7000+ servers to this user management.

Furthermore the architecture of a SSH gateway is shown which uses the very same access control data to authorize SSH connections passing through the gateway.

Finally the talk will outline some additional to-dos, and rough ideas how to further develop this system.

OATH-LDAP defines a schema, a functional model and a LDAP-based enrollment for OATH-based authentication tokens. It is designed to be used with any LDAP server, but especially is ready-to-use integrated with Æ-DIR. It is actually used combined with a highly secure enrollment process (no QR code displayed!) for two-factor HOTP authentication with yubikey tokens.


Photo of Michael Ströder Michael Ströder