The document discusses Æ-DIR, an open source identity and access management solution for DevOps. It describes Æ-DIR's two-tier architecture and defense-in-depth approach, including strict access controls, delegation of administration, and optional two-factor authentication. Several customer usage scenarios are provided, such as using Æ-DIR as a centralized IAM or for privileged admin accounts, integrating with other directories and applications, and a self-hosted SOHO deployment.
DevOps IAM with Æ-DIR
1. STROEDER.COM OSDC 2018-06-13- 1 -
Æ-DIR - Authorized Entities Directory
- The paranoid and agile IAM for DevOps -
Open Source Datacenter Conference 2018
Michael Ströder <michael@stroeder.com>
Freelancer
Topics of the last 20 years
Identity & Access Management, Directory Services (LDAP)
Single Sign-On, Multi-Factor Authentication
PKI (X.509, SSH), Applied Crypto
Open Source / Free Software:
Æ-DIR, OATH-LDAP, web2ldap
Goals
Principles
Need-to-know
Least Privilege
Separation of Duties
Delegated administration of manageable small areas
Meaningful audit trails
Compliance checks
Paradigms
Explicit is better than implicit
Secure authorization requires secure authentication
Avoid all-mighty proxy roles and workflows
Do not assume hierarchical structure
A person is not a user account
Multiple user accounts per person
Persistent IDs (never re-used) for reliable audit trails
2-tier architecture
Components in the slide's architecture diagram (reconstructed from the flattened figure text):

Æ-DIR provider (writable tier): slapd with back-mdb; admin UI (web2ldap) and password self service, reached from the admin workstation's web browser over HTTPS and talking to slapd over LDAPI; maintenance tools over LDAPI
Æ-DIR consumer (read-only replica tier): slapd with back-mdb, replicated from the provider via syncrepl over LDAPS; maintenance tools over LDAPI
Clients of the consumer, all over LDAPS: Unixoid server (sudo-ldap, sssd), DB server (postgresql, pgadmin), web server (Apache httpd), custom tool
Admin workstation: web browser (HTTPS to the provider's UIs), SSH client (SSH to the Unixoid server)
EER for access control
Entity types and relations in the slide's entity-relationship diagram (reconstructed from the flattened figure text; arrows are DN-valued reference attributes):

aeZone → aeGroup via aeZoneAdmins, aeZoneAuditors, aePasswordAdmins (who may administer, audit and reset passwords within the zone)
aeSrvGroup → aeGroup via aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups
aeSrvGroup → aeSudoRule via aeVisibleSudoers
aeHost: child of an aeSrvGroup, or references one via its aeSrvGroup attribute
aeService, aeNwDevice: children of an aeSrvGroup
aeService → aeService via aeProxyFor
aeGroup → aeUser via member
aeSudoRule → aeGroup via sudoUser
aeUser → aePerson via aePerson (a person is not a user account)
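To make the relations above concrete, here is an added example (not code from the Æ-DIR project) that resolves "which user accounts may log in to which host" from a small constructed set of entries: aeHost → governing aeSrvGroup (parent or aeSrvGroup attribute) → aeLoginGroups → aeGroup member → aeUser. The object class and attribute names follow the diagram; the DN layout, the `host=` RDN and all entry contents are assumptions made for illustration.

```python
"""Resolve host login permissions from Æ-DIR-style entries (added example).

Not code from Æ-DIR. The entries below are constructed; only the object class
and attribute names come from the EER diagram.
"""

# Constructed sample directory: DN -> attributes (each value a list), the shape
# python-ldap returns for a search result (values shown already decoded).
Z = "cn=zone1,ou=ae-dir"
ENTRIES = {
    f"uid=alice-1,{Z}": {"objectClass": ["aeUser"], "aePerson": [f"cn=alice,{Z}"]},
    f"uid=bob-1,{Z}": {"objectClass": ["aeUser"], "aePerson": [f"cn=bob,{Z}"]},
    f"uid=carol-1,{Z}": {"objectClass": ["aeUser"], "aePerson": [f"cn=carol,{Z}"]},
    f"cn=web-login,{Z}": {"objectClass": ["aeGroup"],
                          "member": [f"uid=alice-1,{Z}", f"uid=bob-1,{Z}"]},
    f"cn=db-login,{Z}": {"objectClass": ["aeGroup"], "member": [f"uid=carol-1,{Z}"]},
    f"cn=web-servers,{Z}": {"objectClass": ["aeSrvGroup"],
                            "aeLoginGroups": [f"cn=web-login,{Z}"]},
    f"cn=db-servers,{Z}": {"objectClass": ["aeSrvGroup"],
                           "aeLoginGroups": [f"cn=db-login,{Z}"]},
    # an aeHost is a child of its aeSrvGroup ...
    f"host=web1.example.com,cn=web-servers,{Z}": {"objectClass": ["aeHost"]},
    # ... and may additionally reference another aeSrvGroup via attribute aeSrvGroup
    f"host=dbweb.example.com,cn=web-servers,{Z}": {
        "objectClass": ["aeHost"], "aeSrvGroup": [f"cn=db-servers,{Z}"]},
}


def parent_dn(dn):
    """Parent of a DN (sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[1]


def has_class(dn, object_class):
    """True if the entry exists and carries the given object class."""
    return object_class in ENTRIES.get(dn, {}).get("objectClass", [])


def srv_groups_of_host(host_dn):
    """aeSrvGroup entries governing a host: its parent plus explicit aeSrvGroup refs."""
    if not has_class(host_dn, "aeHost"):
        raise KeyError(f"{host_dn} is not an aeHost entry")
    groups = []
    parent = parent_dn(host_dn)
    if has_class(parent, "aeSrvGroup"):
        groups.append(parent)
    for ref in ENTRIES[host_dn].get("aeSrvGroup", []):
        if has_class(ref, "aeSrvGroup") and ref not in groups:
            groups.append(ref)
    return groups


def users_allowed_on_host(host_dn):
    """aeUser DNs allowed to log in: members of aeLoginGroups of every governing aeSrvGroup."""
    allowed = set()
    for srv_group in srv_groups_of_host(host_dn):
        for group_dn in ENTRIES[srv_group].get("aeLoginGroups", []):
            if not has_class(group_dn, "aeGroup"):
                continue  # dangling or wrong-typed reference: ignore, never widen access
            for member_dn in ENTRIES[group_dn].get("member", []):
                if has_class(member_dn, "aeUser"):  # explicit: only user accounts count
                    allowed.add(member_dn)
    return allowed


def may_login(user_dn, host_dn):
    """Decision for one (account, host) pair; unknown hosts raise, unknown users are denied."""
    return user_dn in users_allowed_on_host(host_dn)


def login_matrix():
    """Host DN -> sorted list of allowed aeUser DNs, e.g. for a compliance check."""
    return {dn: sorted(users_allowed_on_host(dn))
            for dn in ENTRIES if has_class(dn, "aeHost")}


if __name__ == "__main__":
    for host, users in login_matrix().items():
        print(host, "<-", users)
```

Note that every step is an explicit reference: nothing is inferred from the DN hierarchy except the parent aeSrvGroup, and a dangling reference narrows rather than widens the result, which is the behaviour you want from a least-privilege model.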
Installation Æ-DIR server
The ansible role installs replicas and all services
Base configuration has to be done separately
Site-specific ansible variables
Read the comments!
ansible/roles/ae-dir-server/defaults/main.yml
Create a site directory, see ansible/example/
If something went wrong, re-running the ansible role corrects it
Defense in Depth
Secure defaults
Self-contained (zone ae)
Services separated, Unix domain sockets (peer credentials)
systemd options for hardening (mount points etc.)
Strict AppArmor profiles for all services
(optional, targeted, and only for SUSE and Debian)
Two-factor authentication: YubiKey, based on OATH-LDAP
Coming soon: rule set for mod_security
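The "Unix domain sockets (peer credentials)" item deserves a concrete illustration. The following is an added example, not Æ-DIR code: a local service reads the kernel-supplied pid/uid/gid of the peer on an AF_UNIX connection (Linux SO_PEERCRED) and admits only allow-listed uids, instead of trusting any identity the client claims in its request. The socket path and the allow-list are constructed for the example.

```python
"""SO_PEERCRED check on a Unix domain socket (added example, not Æ-DIR code).

Linux-specific: SO_PEERCRED returns struct ucred {pid, uid, gid} for the peer
of a connected AF_UNIX socket. The allow-list and socket path are constructed.
"""
import os
import socket
import struct

UCRED = struct.Struct("3i")  # struct ucred { pid_t pid; uid_t uid; gid_t gid; }


def peer_credentials(sock):
    """(pid, uid, gid) of the process at the other end of a connected AF_UNIX socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def is_peer_allowed(sock, allowed_uids):
    """Deny by default: accept only if the kernel-reported peer uid is allow-listed."""
    _pid, uid, _gid = peer_credentials(sock)
    return uid in frozenset(allowed_uids)


def serve(path, allowed_uids, handle):
    """Listen on `path`; enforce the uid allow-list per connection, then call handle(conn)."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)  # file system permissions are the first gate ...
        srv.listen(8)
        while True:
            conn, _ = srv.accept()
            with conn:
                if not is_peer_allowed(conn, allowed_uids):  # ... peer credentials the second
                    continue  # close without answering; nothing to learn for the caller
                handle(conn)


def self_check():
    """Exercise the check on a socketpair: both ends belong to this very process."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid, uid, gid = peer_credentials(a)
        return {
            "pid_ok": pid == os.getpid(),
            "uid_ok": uid == os.getuid(),
            "gid_ok": gid == os.getgid(),
            "allowed": is_peer_allowed(b, {os.getuid()}),
            "denied": not is_peer_allowed(b, {os.getuid() + 1}),
        }
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print(self_check())
```

This is the same mechanism OpenLDAP uses for LDAPI: with SASL/EXTERNAL over a Unix domain socket, slapd maps the peer credentials to the authorization identity `gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth`, so ACLs and maintenance tools can be bound to local Unix identities without any password on the wire.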
Customer scenario #1
Æ-DIR is separate IAM for privileged admin accounts
15000 hosts
Person objects pulled from other LDAP server
Separate accounts for ops and dev people
Delegated administration of different stages
Two-factor authentication with YubiKey
SSH proxy
SSH proxy authz
Flow in the slide's diagram (reconstructed from the flattened figure text):

1. On the admin workstation: ssh <legacy-uid>@<target>. The ProxyCommand for <target> is looked up in the local SSH client config.
2. The ProxyCommand opens SSH <ae-dir-uid>@<gateway-host> to the SSH proxy.
3. The SSH proxy (sshd with sssd: nss_sss, pam_sss; sudo-ldap) queries the Æ-DIR consumer (slapd, mdb) over LDAPS by ae-uid for the user's SSH key.
4. ae_checkd performs the authz check for <ae-uid@target>.
5. A wrapper script configured as ForceCommand runs nc <target>:22; the result is a TCP tunnel through the gateway to ssh on the target system.
Only GW admins get a full shell on the gateway.
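As an added example (not the gateway script used in this scenario), here is a ForceCommand wrapper in the spirit of step 5: it takes the requested target, asks an authorization check whether this ae-uid may reach it, and only then execs netcat towards <target>:22 so the client's ssh can tunnel through. Two things are assumptions rather than facts from the slides: the client's ProxyCommand passes the target host name as the remote command (for instance `ProxyCommand ssh <ae-dir-uid>@<gateway-host> %h`), so it arrives in SSH_ORIGINAL_COMMAND; and the in-memory table below stands in for the ae_checkd lookup against Æ-DIR.

```python
"""ForceCommand wrapper for an SSH gateway (added example, not Æ-DIR's script).

Assumptions: the target host name arrives in SSH_ORIGINAL_COMMAND; AUTHZ_TABLE
is a constructed stand-in for the ae_checkd authorization lookup.
"""
import os
import pwd
import re
import sys

# RFC 1123 host name syntax and nothing else: no options, no ports, no shell
# metacharacters ever reach netcat's argv, and a leading '-' cannot become a flag.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed stand-in for ae_checkd: ae-uid -> target hosts this uid may reach.
AUTHZ_TABLE = {
    "alice-1": {"web1.example.com", "web2.example.com"},
    "carol-1": {"db1.example.com"},
}


def parse_target(original_command):
    """Return the target host from SSH_ORIGINAL_COMMAND, or None if it is malformed."""
    if not original_command:
        return None
    parts = original_command.split()
    if len(parts) != 1:  # exactly one token: the host name and nothing else
        return None
    target = parts[0].lower().rstrip(".")
    return target if HOSTNAME_RE.match(target) else None


def is_authorized(ae_uid, target, table=AUTHZ_TABLE):
    """Deny by default: only an explicit (ae-uid, target) grant allows the hop."""
    return target in table.get(ae_uid, frozenset())


def decide(ae_uid, original_command, table=AUTHZ_TABLE):
    """Return (argv, reason): argv to exec on success, or (None, why) on denial."""
    if not ae_uid:
        return None, "no user"
    target = parse_target(original_command)
    if target is None:
        return None, "malformed or missing target"
    if not is_authorized(ae_uid, target, table):
        return None, f"{ae_uid} is not authorized for {target}"
    return ["nc", target, "22"], "ok"


def main():
    import syslog
    # The session's identity as the gateway knows it, never something the client sent.
    ae_uid = pwd.getpwuid(os.getuid()).pw_name
    original = os.environ.get("SSH_ORIGINAL_COMMAND")
    argv, reason = decide(ae_uid, original)
    syslog.syslog(syslog.LOG_AUTH | syslog.LOG_INFO,
                  f"ssh-gw user={ae_uid} cmd={original!r} result={reason}")
    if argv is None:
        print("access denied", file=sys.stderr)
        sys.exit(1)
    os.execvp(argv[0], argv)  # no shell in between; argv is exactly three fixed tokens


if __name__ == "__main__":
    main()
```

The decision is logged to the auth facility before anything is executed, so every hop attempt (granted or denied) ends up in the audit trail, and the wrapper never hands the client-supplied string to a shell.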
Customer scenario #2
Æ-DIR is the central IAM
HR data pulled from NetSuite
macOS integration (synced password change with FileVault)
“base accounts” get synced to AD/Exchange with pw
separate DevOps accounts synced to Azure without pw
Login to Azure portal via SAMLv2 IdP
Two-factor authentication with YubiKey
Future: SAMLv2 login to Office 365
SOHO scenario
Eat your own dog food!
7 W, libvirt/KVM
postfix/dovecot
Apache
FreeRADIUS (WIFI)
see client-examples/
sshd & sssd or nslcd:
roles/ae-dir-linux-client/
Image: thomas-krenn.com
2-tier architecture with OATH-LDAP
Components in the slide's diagram (reconstructed from the flattened figure text):

OpenLDAP provider: slapd with back-mdb; back-sock as overlay, talking via IPC to the OTP validator; LDAPI
OpenLDAP consumer: slapd with back-mdb, replicated via syncrepl (LDAPS); back-sock as overlay, talking via IPC to a bind proxy, which forwards the password/OTP bind over LDAPS to the provider
LDAP client: binds to the consumer over LDAPS
Enrollment: web browser → enrollment web app over HTTPS; enrollment web app and enrollment client talk to the provider over LDAPI
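What the OTP validator behind the provider's back-sock overlay has to do can be shown in a few lines. The following is an added example, not OATH-LDAP code: it assumes the bind password is the static password immediately followed by a 6-digit OATH-HOTP value (the split convention is an assumption), keeps the user record in a dict instead of an LDAP entry, and stores the static password as PBKDF2 for the example. HOTP itself follows RFC 4226, and the constructed test user uses that RFC's reference secret.

```python
"""Password+HOTP bind validation (added example, not OATH-LDAP code).

Assumptions: bind password = static password || 6-digit HOTP; user records live
in a dict; the sample secret is the RFC 4226 reference key, the salt is fixed.
"""
import hashlib
import hmac
import struct

HOTP_DIGITS = 6
LOOKAHEAD = 10        # tolerated counter gap (token pressed without a login)
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_bind_password(bind_pw: str, digits: int = HOTP_DIGITS):
    """Split 'static || OTP'; None if too short or the OTP part is not numeric."""
    if len(bind_pw) <= digits or not bind_pw[-digits:].isdigit():
        return None
    return bind_pw[:-digits], bind_pw[-digits:]


def make_user(static_pw: str, hotp_secret: bytes, counter: int = 0) -> dict:
    """Constructed user record; a real store would use a random per-user salt."""
    salt = b"constructed-salt"
    return {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", static_pw.encode(), salt, PBKDF2_ROUNDS),
        "salt": salt,
        "secret": hotp_secret,
        "counter": counter,   # next counter value that is still acceptable
    }


def validate_bind(user: dict, bind_pw: str) -> bool:
    """True and counter advanced on success; False with the counter untouched otherwise."""
    parts = split_bind_password(bind_pw)
    if parts is None:
        return False
    static_pw, otp = parts
    pw_hash = hashlib.pbkdf2_hmac("sha256", static_pw.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    # Both factors are always evaluated; the OTP search is not skipped on a bad password.
    matched = None
    for c in range(user["counter"], user["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(user["secret"], c), otp):
            matched = c
            break
    if not pw_ok or matched is None:
        return False
    # The counter only ever moves forward: a captured OTP (or any older one) is dead.
    user["counter"] = matched + 1
    return True


if __name__ == "__main__":
    u = make_user("s3cret", b"12345678901234567890")
    print(validate_bind(u, "s3cret" + hotp(u["secret"], 0)), u["counter"])
```

The counter update is the reason the validator sits on the provider and the consumer's bind proxy forwards the bind over LDAPS, as the diagram shows: the counter must be written in exactly one place, otherwise two replicas could each accept the same OTP once.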
Conclusion
Security by design is possible
Yes, it’s painful sometimes
Admins need help in the beginning
Backing of management helps (budget!)
Don’t break former security promises later!
→ think twice or more before changing something
Links
Docs:
https://ae-dir.com
Play with it!
https://ae-dir.com/demo.html
OATH-LDAP:
https://oath-ldap.stroeder.com
Work in progress: aehostd
Simple custom host daemon that knows the Æ-DIR schema
Even less client configuration
Optimized searches for users and groups (saves CPU cycles)
Virtual groups (primary GID, role groups)
LDAP session tracking control for better logging
hosts map
sudoers files via cvtsudoers (sudo 1.8.23+)
Less code, fewer dependencies; mainly a stripped-down pynslcd(8)