This talk will present a real-world implementation of a privileged identity and access management system (IAM/PAM) based on OpenLDAP, used together with OATH-LDAP for secure two-factor authentication. Æ-DIR and OATH-LDAP are both free software projects. The main goal of Æ-DIR is to follow the delegation, need-to-know and least-privilege principles as strictly as possible. The visibility of users, groups, sudoers, etc. is limited by OpenLDAP's ACLs. All systems and services, with no exception(!), have to authenticate individually before they are authorized to access Æ-DIR. In particular, the consistent delegation makes it possible to almost completely abandon slow approval workflows, which fits the need for agile system management processes nicely. Furthermore, OATH-LDAP is presented: a two-factor authentication system which uses the OpenLDAP server directly as its backend. It is built into Æ-DIR but can also be used separately. A highly secure enrollment process (no QR code displayed!) for two-factor HOTP authentication with YubiKey tokens is shown. Finally, the architecture of an SSH gateway is explained which uses the very same access control data to authorize SSH connections passing through the gateway.
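As an added illustration of the HOTP check such a directory-backed backend must perform for every token (example code written here, not code from the OATH-LDAP or Æ-DIR projects), the following implements RFC 4226 HOTP with a counter look-ahead window and replay protection; `TokenRecord` and `verify_hotp` are hypothetical names standing in for whatever per-token state the backend stores.

```python
# Added example, not OATH-LDAP project code: RFC 4226 HOTP generation and
# verification with a counter look-ahead window (the "resync" window a
# hardware token such as a YubiKey needs when button presses are lost).
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Hypothetical per-token state a backend keeps: the shared secret and
    the next counter value it is willing to accept."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6):
        self.secret = secret
        self.counter = counter  # next expected counter value
        self.digits = digits


def verify_hotp(token: TokenRecord, otp: str, window: int = 10) -> bool:
    """Accept otp only if it matches a counter in
    [token.counter, token.counter + window).  On success the stored counter
    is moved past the matched value, so a captured OTP can never be replayed
    and any OTP for an older counter is rejected."""
    if len(otp) != token.digits or not otp.isdigit():
        return False
    for candidate in range(token.counter, token.counter + window):
        expected = hotp(token.secret, candidate, token.digits)
        if hmac.compare_digest(expected, otp):
            token.counter = candidate + 1
            return True
    return False
```

The counter update must be written back to the directory atomically before the login is reported as successful; otherwise two concurrent attempts could both succeed with the same OTP.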