STROEDER.COM OSDC 2018-06-13- 1 -
Æ-DIR - Authorized Entities Directory
- The paranoid and agile IAM for DevOps -
Open Source Datacenter Conference 2018
Michael Ströder <michael@stroeder.com>

- Freelancer
- Topics of the last 20 years:
  - Identity & Access Management, Directory Services (LDAP)
  - Single Sign-On, Multi-Factor Authentication
  - PKI (X.509, SSH), Applied Crypto
- Open Source / Free Software: Æ-DIR, OATH-LDAP, web2ldap
Goals

- Principles:
  - Need-to-know
  - Least Privilege
  - Separation of Duties
- Delegated administration of manageable small areas
- Meaningful audit trails
- Compliance checks
Paradigms

- Explicit is better than implicit
- Secure authorization requires secure authentication
- Avoid all-mighty proxy roles and workflows
- Do not assume hierarchical structure
- A person is not a user account
- Multiple user accounts per person
- Persistent IDs (never re-used) for reliable audit trails
2-tier architecture

[Diagram; text recovered from the figure: an admin workstation (web browser, SSH client); the Æ-DIR provider (slapd with mdb backend, admin UI web2ldap, password self service, maintenance tools; reachable over LDAPS and LDAPI); the Æ-DIR consumer (slapd with mdb, fed from the provider by syncrepl over LDAPS; maintenance tools; custom tool); a Unixoid server (sudo-ldap, sssd); a DB server (postgresql, pgadmin); a web server (Apache httpd). Protocols labelled on the edges: LDAPS, LDAPI, SSH, HTTPS.]
Directory Information Tree (DIT)

ou=ae-dir                          aeRoot
├── cn=ae                          aeZone
├── cn=example                     aeZone
│   ├── cn=example-zone-admins     aeGroup
│   ├── cn=example-grp-1           aeGroup
│   ├── cn=example-zone-auditors   aeGroup
│   ├── uid=foo1                   aeUser
│   ├── cn=example-sudo            aeSudoRule
│   └── cn=example-srvgrp          aeSrvGroup
│       ├── host=example-srv       aeHost
│       │   ├── cn=eth0            aeNwDevice
│       │   └── cn=bond0           aeNwDevice
│       └── uid=system_example1    aeService
├── cn=pub                         aeZone
│   ├── cn=ae-users                aeGroup
│   └── cn=sudo-defaults           aeSudoRule
└── cn=people                      aeZone
    ├── departmentNumber=d42       aeDept
    └── uniqueIdentifier=p23       aePerson
Full EER diagram

[Diagram; text recovered from the figure. Entity types: aeZone, aeSrvGroup, aeHost, aeNwDevice, aeService, aeUser, aePerson, aeContact, aeGroup, aeMailGroup, aeSudoRule, aeDept, aeLocation, pwdPolicy, oathHOTPToken, oathTOTPToken, oathHOTPParams. Relationship attributes as labelled: aeZoneAdmins, aeZoneAuditors, aePasswordAdmins (aeZone); aeProxyFor, aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups, aeVisibleSudoers (aeSrvGroup); aeVisibleGroups, aeDisplayNameGroups (aeMailGroup); member and memberOf (group membership); sudoUser (aeSudoRule); aeDept and aeLocation references; pwdPolicySubentry (pwdPolicy); aeAuthcToken (oathHOTPToken, oathTOTPToken); oathParams (oathHOTPParams). Containment ("child of"): aeHost below aeSrvGroup, aeNwDevice below aeHost.]
EER for access control

[Diagram; text recovered from the figure: aeHost is a child of aeSrvGroup or references one via aeSrvGroup; aeSrvGroup points to aeGroup entries through aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups and aeDisplayNameGroups, and to aeSudoRule entries through aeVisibleSudoers; member (aeGroup) and sudoUser (aeSudoRule) point to aeUser and aeService; aeUser belongs to an aePerson; aeZone names its aeZoneAdmins, aeZoneAuditors and aePasswordAdmins; aeProxyFor; aeService and aeNwDevice are child entries.]
Installation of the Æ-DIR server

- ansible role installs replicas and all services
- base configuration to be done separately
- site-specific ansible variables: read the comments!
  ansible/roles/ae-dir-server/defaults/main.yml
- Create site directory, see ansible/example/
- If things went wrong, the ansible role corrects it
Defense in Depth

- Secure defaults
- Self-contained (zone ae)
- Services separated, Unix domain sockets (peer credentials)
- systemd options for hardening (mount points etc.)
- Strict AppArmor profiles for all services (optional, targeted, and only for SUSE and Debian)
- 2-factor authc: yubikey based on OATH-LDAP
- Coming soon: rule set for mod_security
Customer scenario #1

- Æ-DIR is a separate IAM for privileged admin accounts
- 15000 hosts
- Person objects pulled from another LDAP server
- Separate accounts for ops and dev people
- Delegated administration of different stages
- Two-factor authc with yubikey
- SSH proxy
SSH proxy authz

[Diagram; the recoverable labels, in flow order:]
1. Admin workstation: ssh <legacy-uid>@<target>; a ProxyCommand for <target> is looked up in the local ssh config.
2. The ProxyCommand opens SSH <ae-dir-uid>@<gateway-host>.
3. SSH proxy (gateway host): sshd with nss_sss and pam_sss; sssd and sudo-ldap query the Æ-DIR consumer (slapd, mdb) over LDAPS; SSH key query by ae-uid. GW admins get a full shell; everyone else lands in a wrapper script (ForceCommand).
4. The wrapper asks ae_checkd for an authz check of <ae-uid@target> and then runs nc <target>:22.
5. Target system: ssh over the forwarded TCP connection (SSH tunnel).
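The "EER for access control" slide and the SSH proxy's "Authz Check <ae-uid@target>" box reduce to one question: may this aeUser log in to this aeHost, and which sudo rules apply? The following is an added example, not Æ-DIR project code: it answers that question over a constructed in-memory copy of the entry types and attributes named on the slides (no LDAP connection), and assumes that an aeHost may reference further aeSrvGroup entries through an aeSrvGroup attribute, which is how the slide's "(child of) or aeSrvGroup" edge is read here.

```python
"""Login and sudo authorization over the Æ-DIR access-control model.

Added example (not Æ-DIR project code). DIRECTORY is a constructed,
in-memory stand-in for the LDAP entries named on the slides; nothing is
contacted over the network. Anything not explicitly granted is denied.
"""

# Constructed sample entries: DN -> attributes, values as lists like in LDAP.
DIRECTORY = {
    "cn=example-grp-1,cn=example,ou=ae-dir": {
        "objectClass": ["aeGroup"], "cn": ["example-grp-1"],
        "member": ["uid=foo1,cn=example,ou=ae-dir"],
    },
    "cn=example-zone-admins,cn=example,ou=ae-dir": {
        "objectClass": ["aeGroup"], "cn": ["example-zone-admins"],
        "member": ["uid=bar2,cn=example,ou=ae-dir"],
    },
    "uid=foo1,cn=example,ou=ae-dir": {"objectClass": ["aeUser"], "uid": ["foo1"]},
    "uid=bar2,cn=example,ou=ae-dir": {"objectClass": ["aeUser"], "uid": ["bar2"]},
    "uid=baz3,cn=example,ou=ae-dir": {"objectClass": ["aeUser"], "uid": ["baz3"]},
    "cn=example-sudo,cn=example,ou=ae-dir": {
        "objectClass": ["aeSudoRule"], "sudoUser": ["%example-grp-1"],
    },
    "cn=example-srvgrp,cn=example,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=example-grp-1,cn=example,ou=ae-dir"],
        "aeVisibleSudoers": ["cn=example-sudo,cn=example,ou=ae-dir"],
    },
    "cn=example-srvgrp-2,cn=example,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=example-zone-admins,cn=example,ou=ae-dir"],
    },
    "host=example-srv,cn=example-srvgrp,cn=example,ou=ae-dir": {
        "objectClass": ["aeHost"], "host": ["example-srv"],
        # aeSrvGroup attribute: assumed reading of "(child of) or aeSrvGroup"
        "aeSrvGroup": ["cn=example-srvgrp-2,cn=example,ou=ae-dir"],
    },
}

def entry(dn, object_class):
    """Fetch an entry and insist on its object class: a dangling or
    wrongly typed reference is a data error, never a silent allow."""
    attrs = DIRECTORY.get(dn)
    if attrs is None or object_class not in attrs["objectClass"]:
        raise LookupError("no %s entry %s" % (object_class, dn))
    return attrs

def parent_dn(dn):
    """The parent of a DN is everything after its first RDN."""
    return dn.split(",", 1)[1]

def effective_srvgroups(host_dn):
    """aeSrvGroup DNs governing a host: its parent plus referenced ones."""
    host = entry(host_dn, "aeHost")
    result = []
    for dn in [parent_dn(host_dn)] + host.get("aeSrvGroup", []):
        entry(dn, "aeSrvGroup")
        if dn not in result:
            result.append(dn)
    return result

def login_groups(host_dn):
    """aeGroup DNs (aeLoginGroups) whose members may log in to the host."""
    groups = []
    for sg in effective_srvgroups(host_dn):
        for dn in entry(sg, "aeSrvGroup").get("aeLoginGroups", []):
            entry(dn, "aeGroup")
            if dn not in groups:
                groups.append(dn)
    return groups

def login_allowed(user_dn, host_dn):
    """True only if the user is a direct member of some login group."""
    entry(user_dn, "aeUser")
    return any(user_dn in entry(dn, "aeGroup").get("member", [])
               for dn in login_groups(host_dn))

def user_principals(user_dn):
    """sudoUser values matching this user: its uid plus %cn of its groups."""
    names = {entry(user_dn, "aeUser")["uid"][0]}
    for attrs in DIRECTORY.values():
        if "aeGroup" in attrs["objectClass"] and user_dn in attrs.get("member", []):
            names.add("%" + attrs["cn"][0])
    return names

def sudo_rules_for(user_dn, host_dn):
    """DNs of aeVisibleSudoers rules on the host whose sudoUser matches."""
    principals = user_principals(user_dn)
    rules = []
    for sg in effective_srvgroups(host_dn):
        for dn in entry(sg, "aeSrvGroup").get("aeVisibleSudoers", []):
            if principals & set(entry(dn, "aeSudoRule").get("sudoUser", [])):
                if dn not in rules:
                    rules.append(dn)
    return rules
```

With the sample data, foo1 (via the parent server group) and bar2 (via the referenced second server group) may log in to example-srv, baz3 may not, and only foo1 sees the example-sudo rule.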
Customer scenario #2

- Æ-DIR is the central IAM
- HR data pulled from NetSuite
- macOS integration (synced pw change with FileVault)
- “base accounts” get synced to AD/Exchange with pw
- separate DevOps accounts synced to Azure without pw
- Login to Azure portal via SAMLv2 IdP
- two-factor authc with yubikey
- Future: SAMLv2 login to Office 365
SOHO scenario

- Eat your own dog food!
- 7 W, libvirt/KVM
- postfix/dovecot
- Apache
- FreeRADIUS (WIFI)
- see client-examples/
- sshd & sssd or nslcd: roles/ae-dir-linux-client/

(Image: thomas-krenn.com)
2-tier architecture with OATH-LDAP

[Diagram; text recovered from the figure: OpenLDAP provider (slapd, mdb) with an OTP validator attached through back-sock as overlay (IPC, LDAPI) and an enrollment web app (HTTPS for the web browser, LDAPI to slapd) used by the enrollment client; OpenLDAP consumer (slapd, mdb) replicated by syncrepl (LDAPS), serving LDAP clients over LDAPS, with a bind proxy attached through back-sock as overlay (IPC, LDAPI) that forwards password/OTP binds to the provider over LDAPS.]
Conclusion

- Security by design is possible
- Yes, it’s painful sometimes
- Admins need help in the beginning
- Management backing helps (budget!)
- Don’t break former security promises later!
  → think twice or more before changing something
Links

- Docs: https://ae-dir.com
- Play with it! https://ae-dir.com/demo.html
- OATH-LDAP: https://oath-ldap.stroeder.com
Work in progress: aehostd

- Simple custom host daemon that knows the schema
- Even less client configuration
- Optimized searches for users and groups (saves CPU cycles)
- Virtual groups (primary GID, role groups)
- LDAP session tracking control for better logging
- hosts map
- sudoers files via cvtsudoers (sudo 1.8.23+)
- less code, fewer dependencies, mainly a stripped-down pynslcd(8)

More Related Content

What's hot

Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Open Identity Stack Roadmap
Open Identity Stack RoadmapOpen Identity Stack Roadmap
Open Identity Stack RoadmapForgeRock
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakNikhil Kathole
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleMayank Sharma
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Technical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSTechnical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSatSistemas
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2WSO2
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in PracticeForgeRock
 
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...marcuschristie
 

What's hot (20)

Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
Open Identity Stack Roadmap
Open Identity Stack RoadmapOpen Identity Stack Roadmap
Open Identity Stack Roadmap
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with Keycloak
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 Module
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Technical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSTechnical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWS
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
 

Similar to DevOps IAM with Æ-DIR

SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?Louis Göhl
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New BlackWSO2
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP  - Office 365 and Cloud Identity - What does it mean for me?SYDSP  - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?Scott Hoag
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Iwantha Lekamge
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity ManagementRadovan Semancik
 
CIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCloudIDSummit
 
OpenIDM: An Introduction
OpenIDM: An IntroductionOpenIDM: An Introduction
OpenIDM: An IntroductionForgeRock
 
Platform Deep Dive
Platform Deep DivePlatform Deep Dive
Platform Deep DiveConrad23
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 SecurityAmit Gatenyo
 
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !Identity Days
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365Scott Hoag
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 

Similar to DevOps IAM with Æ-DIR (20)

Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
Ad ds ws2008 r2
Ad ds ws2008 r2Ad ds ws2008 r2
Ad ds ws2008 r2
 
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
 
[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black
 
Bye bye Identity Server
Bye bye Identity ServerBye bye Identity Server
Bye bye Identity Server
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP  - Office 365 and Cloud Identity - What does it mean for me?SYDSP  - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity Management
 
CIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market Overview
 
OpenIDM: An Introduction
OpenIDM: An IntroductionOpenIDM: An Introduction
OpenIDM: An Introduction
 
Platform Deep Dive
Platform Deep DivePlatform Deep Dive
Platform Deep Dive
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 Security
 
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
 
Mojemoje
MojemojeMojemoje
Mojemoje
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 

Recently uploaded

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 

Recently uploaded (20)

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

DevOps IAM with Æ-DIR

  • 7. STROEDER.COM OSDC 2018-06-13, Full EER diagram (figure). Object classes shown: aeZone, aeSrvGroup, aeHost, aeNwDevice, aeService, aeUser, aePerson, aeContact, aeGroup, aeMailGroup, aeSudoRule, aeDept, aeLocation, aeAuthcToken (oathHOTPToken, oathTOTPToken), oathParams (oathHOTPParams), pwdPolicy. Relationship attributes shown: aeProxyFor, aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups, aeVisibleSudoers, aeZoneAdmins, aeZoneAuditors, aePasswordAdmins, member, memberOf, sudoUser, aeDept, aeLocation, aePerson, aeSrvGroup, pwdPolicySubentry. aeHost entries are children of aeSrvGroup; aeNwDevice entries are children of aeHost (as in the DIT slide).
  • 8. EER for access control (figure): the subset of the diagram that matters for authorization. aeHost is a child of an aeSrvGroup or references one via its aeSrvGroup attribute; aeSrvGroup carries aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups, aeVisibleSudoers and aeProxyFor; aeGroup carries member; aeSudoRule carries sudoUser; aeUser references its aePerson; aeService and aeNwDevice (child of aeHost) are the non-person principals; aeZone carries aeZoneAdmins, aeZoneAuditors and aePasswordAdmins.
  • 9. Installation Æ-DIR server
    - ansible role installs replicas and all services
    - base configuration has to be done separately
    - site-specific ansible variables: read the comments in ansible/roles/ae-dir-server/defaults/main.yml
    - create a site directory, see ansible/example/
    - if something went wrong, re-running the ansible role corrects it
  • 10. Defense in Depth
    - secure defaults
    - self-contained (zone ae)
    - services separated, Unix domain sockets (peer credentials)
    - systemd options for hardening (mount points etc.)
    - strict AppArmor profiles for all services (optional, targeted, and only for SUSE and Debian)
    - two-factor authc: YubiKey based on OATH-LDAP
    - coming soon: rule set for mod_security
  • 11. Customer scenario #1
    - Æ-DIR is a separate IAM for privileged admin accounts
    - 15000 hosts
    - person objects pulled from another LDAP server
    - separate accounts for ops and dev people
    - delegated administration of different stages
    - two-factor authc with YubiKey
    - SSH proxy
  • 12. SSH proxy authz (diagram)
    - admin workstation: `ssh <legacy-uid>@<target>`; a ProxyCommand looked up for <target> in the local SSH config instead opens `ssh <ae-dir-uid>@<gateway-host>`
    - SSH proxy (gateway host): sshd with nss_sss/pam_sss, sssd and sudo-ldap, all querying the Æ-DIR consumer (slapd/mdb) via LDAPS; the SSH public key is queried by ae-uid
    - the session runs a wrapper script via ForceCommand: it asks ae_checkd for an authz check of <ae-uid@target> and then runs `nc <target>:22`, so the workstation's SSH session is tunnelled over TCP to the target system's sshd; GW admins get a full shell on the gateway instead
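The following is an added example, not Æ-DIR project code and not ae_checkd: a simplified in-memory model of the access-control objects from the EER slides above, used to answer the question the gateway's ForceCommand wrapper has to settle before it runs `nc <target>:22`, namely whether the authenticated ae-uid may reach the target. Everything beyond the object class and attribute names on the slides is an assumption made for this example: aeStatus 0 meaning "active", the aeHost's service group being its parent entry or the DN in its aeSrvGroup attribute, aeSrvGroup.aeLoginGroups listing the aeGroups whose members may log in, and the wrapper receiving the target host name in SSH_ORIGINAL_COMMAND. The sample entries are constructed.

```python
"""Model of the Æ-DIR login authorization the SSH proxy wrapper relies on.
Added example; the policy details below are assumptions, see the lead-in."""
import re

# Constructed sample entries keyed by DN; attributes are multi-valued as in LDAP.
ZONE = "cn=example,ou=ae-dir"
DIRECTORY = {
    f"cn=example-grp-1,{ZONE}": {
        "objectClass": ["aeGroup"], "aeStatus": ["0"],
        "member": [f"uid=foo1,{ZONE}", f"uid=bar2,{ZONE}"],
    },
    f"uid=foo1,{ZONE}": {"objectClass": ["aeUser"], "uid": ["foo1"], "aeStatus": ["0"]},
    # bar2 is still a group member but deactivated (assumed aeStatus 1): must be denied
    f"uid=bar2,{ZONE}": {"objectClass": ["aeUser"], "uid": ["bar2"], "aeStatus": ["1"]},
    f"cn=example-srvgrp,{ZONE}": {
        "objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
        "aeLoginGroups": [f"cn=example-grp-1,{ZONE}"],
    },
    f"host=example-srv.example.com,cn=example-srvgrp,{ZONE}": {
        "objectClass": ["aeHost"], "host": ["example-srv.example.com"], "aeStatus": ["0"],
    },
    # a service group without aeLoginGroups grants login to nobody (explicit, not implicit)
    f"cn=other-srvgrp,{ZONE}": {"objectClass": ["aeSrvGroup"], "aeStatus": ["0"]},
    f"host=other-srv.example.com,cn=other-srvgrp,{ZONE}": {
        "objectClass": ["aeHost"], "host": ["other-srv.example.com"], "aeStatus": ["0"],
    },
}

# Strict host name syntax: the target ends up in nc's argv, so nothing else may pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def _active(entry, object_class):
    """True only for an existing entry of the given class with aeStatus 0 (assumed 'active')."""
    return (entry is not None and object_class in entry.get("objectClass", [])
            and entry.get("aeStatus") == ["0"])


def _find(object_class, attr, value):
    """Lookup by attribute value, as an LDAP search (&(objectClass=...)(attr=value)) would."""
    for dn, entry in DIRECTORY.items():
        if object_class in entry.get("objectClass", []) and value in entry.get(attr, []):
            return dn, entry
    return None, None


def srv_group_of(host_dn, host_entry):
    """aeHost is a child of its aeSrvGroup, or references one via its aeSrvGroup attribute."""
    candidates = host_entry.get("aeSrvGroup", []) + [host_dn.split(",", 1)[1]]
    for dn in candidates:
        entry = DIRECTORY.get(dn)
        if _active(entry, "aeSrvGroup"):
            return entry
    return None


def login_allowed(uid, hostname):
    """Explicit is better than implicit: True only for an active aeUser that is member of an
    active aeGroup listed in aeLoginGroups of the active aeSrvGroup of an active aeHost."""
    user_dn, user = _find("aeUser", "uid", uid)
    host_dn, host = _find("aeHost", "host", hostname)
    if not (_active(user, "aeUser") and _active(host, "aeHost")):
        return False
    srvgrp = srv_group_of(host_dn, host)
    if srvgrp is None:
        return False
    return any(
        _active(DIRECTORY.get(group_dn), "aeGroup")
        and user_dn in DIRECTORY[group_dn].get("member", [])
        for group_dn in srvgrp.get("aeLoginGroups", [])
    )


def authorize_proxy(ae_uid, ssh_original_command):
    """The ForceCommand wrapper's decision: (target, port) for `nc`, or None to refuse.
    The target is validated as a host name before the directory is even consulted."""
    target = ssh_original_command.strip().lower()
    if not HOSTNAME_RE.match(target):
        return None
    if not login_allowed(ae_uid, target):
        return None
    return target, 22


if __name__ == "__main__":
    # On the gateway the uid comes from the authenticated session and the target from
    # SSH_ORIGINAL_COMMAND; the values here are constructed for the demo.
    for uid, target in [("foo1", "example-srv.example.com"), ("bar2", "example-srv.example.com"),
                        ("foo1", "other-srv.example.com"), ("foo1", "example-srv.example.com; id")]:
        print(uid, target, "->", authorize_proxy(uid, target))
```

Two points the wrapper must get right are visible here: a group membership alone grants nothing (bar2 is a member but deactivated), and the target name is syntax-checked before it can reach a shell or nc's argument vector, so the authz check cannot be bypassed by smuggling options or a second command into SSH_ORIGINAL_COMMAND.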
  • 13. Customer scenario #2
    - Æ-DIR is the central IAM
    - HR data pulled from NetSuite
    - macOS integration (synced password change with FileVault)
    - "base accounts" get synced to AD/Exchange with password
    - separate DevOps accounts synced to Azure without password
    - login to the Azure portal via SAMLv2 IdP
    - two-factor authc with YubiKey
    - future: SAMLv2 login to Office 365
  • 14. SOHO scenario
    - Eat your own dog food!
    - 7 W, libvirt/KVM
    - postfix/dovecot
    - Apache
    - FreeRADIUS (WiFi)
    - see client-examples/
    - sshd & sssd or nslcd: roles/ae-dir-linux-client/
    - Image: thomas-krenn.com
  • 15. 2-tier architecture with OATH-LDAP (diagram)
    - OpenLDAP provider (slapd/mdb) replicates to the OpenLDAP consumer (slapd/mdb) via syncrepl over LDAPS
    - LDAP clients bind to the consumer over LDAPS; a bind proxy is attached there as back-sock overlay (IPC over LDAPI) and forwards the password/OTP bind over LDAPS to the provider
    - on the provider the OTP validator is attached the same way (back-sock overlay, IPC over LDAPI)
    - enrollment: web app reached by the browser over HTTPS, enrollment client talking to the provider over LDAPI
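The following is an added example and not OATH-LDAP's code: what the OTP validator behind the provider's back-sock overlay in the diagram above has to do for an OATH HOTP token. The bind password arrives as the static password with the 6-digit OTP appended; the validator splits it, checks the static password first, then searches a small counter look-ahead window (RFC 4226 section 7.4) and persists the advanced counter so the same OTP can never be accepted twice. The split rule, the window size, the attribute names on the token dict and the password hashing are assumptions for this example; the token secret is the RFC 4226 test key and the account data is constructed.

```python
"""HOTP bind validation as done behind a bind proxy. Added example; the
concatenation rule, window size and attribute names are assumptions."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6
LOOKAHEAD = 5   # counter values accepted: stored counter plus the next 4 (assumed window)


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_bind_password(bind_password: str, digits: int = OTP_DIGITS):
    """Return (static_password, otp) or None if no well-formed OTP is appended.
    isascii() matters: str.isdigit() alone also accepts non-ASCII digit characters."""
    if len(bind_password) <= digits:
        return None
    static_pw, otp = bind_password[:-digits], bind_password[-digits:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return static_pw, otp


def hash_password(password: str, salt: bytes) -> bytes:
    """Placeholder password hash for the example (a real directory stores e.g. {SSHA})."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_bind(account: dict, token: dict, bind_password: str) -> bool:
    """Validate a combined password/OTP bind; mutates token['oathHOTPCounter'] on success."""
    parts = split_bind_password(bind_password)
    if parts is None:
        return False
    static_pw, otp = parts
    # 1. static password first: a wrong password must not consume OTP counters,
    #    otherwise anyone could desynchronise the token without knowing the password
    if not hmac.compare_digest(hash_password(static_pw, account["salt"]), account["pwhash"]):
        return False
    # 2. OTP: try the stored counter and a few ahead (token pressed without a bind)
    counter = token["oathHOTPCounter"]
    for candidate in range(counter, counter + LOOKAHEAD):
        if hmac.compare_digest(hotp(token["oathSecret"], candidate), otp):
            # persist the counter past the used value: replay and older OTPs are now dead
            token["oathHOTPCounter"] = candidate + 1
            return True
    return False


# Constructed sample data. The secret is the RFC 4226 Appendix D test key.
SALT = b"constructed-salt"
ACCOUNT = {"uid": "foo1", "salt": SALT, "pwhash": hash_password("correct horse", SALT)}


def fresh_token() -> dict:
    """A newly enrolled HOTP token with its counter at 0."""
    return {"oathSecret": b"12345678901234567890", "oathHOTPCounter": 0}


def demo() -> list:
    """First bind with OTP for counter 2 succeeds, replaying the same OTP fails."""
    token = fresh_token()
    otp = hotp(token["oathSecret"], 2)
    return [check_bind(ACCOUNT, token, "correct horse" + otp),
            check_bind(ACCOUNT, token, "correct horse" + otp)]


if __name__ == "__main__":
    print(demo())
```

The counter update is the reason the validator lives on the provider in the diagram: it is a write, and replicas only receive it via syncrepl. Letting a consumer validate locally would let one OTP be replayed against every replica until replication catches up.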
  • 17. Conclusion
    - security by design is possible
    - yes, it is painful sometimes
    - admins need help in the beginning
    - backing of management helps (budget!)
    - don't break former security promises later! → think twice or more before changing something
  • 18. Links
    - Docs: https://ae-dir.com
    - Play with it! https://ae-dir.com/demo.html
    - OATH-LDAP: https://oath-ldap.stroeder.com
  • 19. :-/ ? … !
  • 20. Work in progress: aehostd
    - simple custom host daemon that knows the schema
    - even less client configuration
    - optimized search for users and groups (saves CPU cycles)
    - virtual groups (primary GID, role groups)
    - LDAP session tracking control for better logging
    - hosts map
    - sudoers files via cvtsudoers (sudo 1.8.23+)
    - less code, fewer dependencies, mainly a stripped-down pynslcd(8)