STROEDER.COM, OSDC, 2018-06-13
Æ-DIR - Authorized Entities Directory
- The paranoid and agile IAM for DevOps -
Open Source Datacenter Conference 2018
Michael Ströder <michael@stroeder.com>

Freelancer

Topics of the last 20 years

Identity & Access Management, Directory Services (LDAP)

Single Sign-On, Multi-Factor Authentication

PKI (X.509, SSH), Applied Crypto

Open Source / Free Software:
Æ-DIR, OATH-LDAP, web2ldap
Goals

Principles

Need-to-know

Least Privilege

Separation of Duties

Delegated administration of manageable small areas

Meaningful audit trails

Compliance checks
Paradigms

Explicit is better than implicit

Secure authorization requires secure authentication

Avoid almighty proxy roles and workflows

Do not assume hierarchical structure

A person is not a user account

Multiple user accounts per person

Persistent IDs (never re-used) for reliable audit trails
2-tier architecture
(diagram; components and connections recoverable from its labels)

Tier 1, Æ-DIR provider: slapd with mdb backend. The admin UI (web2ldap), the password self service and the maintenance tools talk to it over LDAPI; the admin workstation reaches the admin UI and the password self service with a web browser over HTTPS, and the provider also over LDAPS.

Tier 2, Æ-DIR consumer: slapd/mdb replica, fed from the provider by syncrepl over LDAPS; maintenance tools over LDAPI, custom tools over LDAPS.

Clients of the consumer, all over LDAPS: Unixoid servers (sudo-ldap, sssd; logged into from the admin workstation's SSH client over SSH), DB server (postgresql) and web server (Apache httpd, with pgadmin).
Directory Information Tree (DIT)
(tree as drawn on the slide; object class in parentheses; aeHost entries sit below their aeSrvGroup, aeNwDevice entries below their aeHost)

ou=ae-dir                        (aeRoot)
  cn=ae                          (aeZone)
  cn=example                     (aeZone)
    cn=example-zone-admins       (aeGroup)
    cn=example-grp-1             (aeGroup)
    cn=example-zone-auditors     (aeGroup)
    uid=foo1                     (aeUser)
    cn=example-sudo              (aeSudoRule)
    cn=example-srvgrp            (aeSrvGroup)
      host=example-srv           (aeHost)
        cn=eth0                  (aeNwDevice)
        cn=bond0                 (aeNwDevice)
    uid=system_example1          (aeService)
  cn=pub                         (aeZone)
    cn=ae-users                  (aeGroup)
    cn=sudo-defaults             (aeSudoRule)
  cn=people                      (aeZone)
    departmentNumber=d42         (aeDept)
    uniqueIdentifier=p23         (aePerson)
Full EER diagram
(diagram; entity types and the reference attributes connecting them, as far as the labels survive)

aeSrvGroup: aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups and aeDisplayNameGroups refer to aeGroup entries; aeVisibleSudoers refers to aeSudoRule entries; aeProxyFor refers to other aeSrvGroup entries; aeLocation refers to an aeLocation entry.
aeHost: child of aeSrvGroup; aeLocation; memberOf; pwdPolicySubentry refers to a pwdPolicy entry.
aeNwDevice: child of aeHost.
aeGroup: member refers to aeUser and aeService entries (memberOf on those entries is the back-reference).
aeSudoRule: sudoUser.
aeUser: aePerson refers to the person's aePerson entry; memberOf; pwdPolicySubentry; aeAuthcToken refers to oathHOTPToken/oathTOTPToken entries, whose oathHOTPParams/oathParams refer to the OATH parameter entries.
aeService: memberOf; pwdPolicySubentry.
aePerson: aeDept, aeLocation.
aeMailGroup: member; aeContact: memberOf.
aeZone: aeZoneAdmins, aeZoneAuditors and aePasswordAdmins refer to aeGroup entries.
EER for access control
(diagram; the subset of the model that decides access on a host, as far as the labels survive)

aeHost is a child of aeSrvGroup; aeNwDevice entries are children of aeHost. The aeSrvGroup refers with aeLoginGroups, aeSetupGroups, aeLogStoreGroups, aeVisibleGroups and aeDisplayNameGroups to aeGroup entries, with aeVisibleSudoers to aeSudoRule entries and with aeProxyFor to other aeSrvGroup entries. An aeGroup lists aeUser and aeService entries in member; an aeSudoRule names them in sudoUser; each aeUser refers to its aePerson. The aeZone refers with aeZoneAdmins, aeZoneAuditors and aePasswordAdmins to the aeGroup entries allowed to administer, audit or reset passwords in that zone.
Installation Æ-DIR server

ansible role installs replicas and all services

base configuration to be done separately

site-specific ansible variables

Read the comments!
ansible/roles/ae-dir-server/defaults/main.yml

Create site directory, see ansible/example/

If things went wrong, the ansible role corrects them
Defense in Depth

Secure defaults

Self-contained (zone ae)

Services separated; Unix domain sockets (peer credentials)

systemd options for hardening (mount points etc.)

Strict AppArmor profiles for all services
(optional, targeted, and only for SUSE and Debian)

2-factor authc: YubiKey based on OATH-LDAP

Coming soon: rule set for mod_security
Customer scenario #1

Æ-DIR is a separate IAM for privileged admin accounts

15000 hosts

Person objects pulled from other LDAP server

Separate accounts for ops and dev people

Delegated administration of different stages

Two-factor authc with YubiKey

SSH proxy
SSH proxy authz
(diagram; flow recoverable from its labels)

1. Admin workstation: ssh <legacy-uid>@<target>. The ProxyCommand for <target> is looked up in the local SSH config and becomes ssh <ae-dir-uid>@<gateway-host>.
2. SSH proxy (gateway host): sshd authenticates the Æ-DIR uid via nss_sss/pam_sss (sssd, plus sudo-ldap for sudo) against an Æ-DIR consumer (slapd/mdb) over LDAPS; the SSH key is queried by ae-uid. GW admins get a full shell; everybody else gets a wrapper script as ForceCommand.
3. The wrapper asks ae_checkd for an authz check of <ae-uid@target>. Only if that succeeds does it run nc <target>:22, which hands the workstation a TCP connection (the SSH tunnel) over which its ssh speaks end-to-end SSH with the target system.
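The following is an added example, not code from Æ-DIR, serving both the "EER for access control" slide and the SSH proxy flow above. It models a slice of the cn=example zone in memory, resolves which users may log in on a host (aeLoginGroups), which are visible (aeVisibleGroups) and which sudo rules apply (aeVisibleSudoers), follows aeProxyFor the way an SSH gateway needs it, and then makes the ForceCommand decision for <ae-uid@target>. Object class and attribute names are Æ-DIR schema names; the entries, the hostname pattern, the proxy semantics (rights on a proxied server group also count on the proxy's hosts) and the rule that only aeStatus 0 is active are assumptions of this example, not a description of Æ-DIR's actual resolution code.

```python
"""Host authz from Æ-DIR-style entries + the SSH gateway's ForceCommand decision.

Added example, not code from Æ-DIR.  Schema names are real; the entries are
constructed, and the resolution rules are a simplification for this example.
"""
import re
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]
ZONE = "cn=example,ou=ae-dir"


def dn(rdn: str, parent: str = ZONE) -> str:
    return f"{rdn},{parent}"


# Constructed slice of the cn=example zone from the DIT slide, plus an SSH
# gateway server group (cn=example-gw, assumed) that proxies for it.
ENTRIES: Dict[str, Entry] = {
    ZONE: {"objectClass": ["aeZone"], "aeStatus": ["0"]},
    dn("cn=example-grp-1"): {"objectClass": ["aeGroup"], "aeStatus": ["0"],
                             "member": [dn("uid=foo1"), dn("uid=foo2")]},
    dn("cn=example-zone-auditors"): {"objectClass": ["aeGroup"], "aeStatus": ["0"],
                                     "member": [dn("uid=foo3")]},
    dn("uid=foo1"): {"objectClass": ["aeUser"], "uid": ["foo1"], "aeStatus": ["0"]},
    dn("uid=foo2"): {"objectClass": ["aeUser"], "uid": ["foo2"], "aeStatus": ["1"]},  # deactivated
    dn("uid=foo3"): {"objectClass": ["aeUser"], "uid": ["foo3"], "aeStatus": ["0"]},
    dn("cn=example-sudo"): {"objectClass": ["aeSudoRule"], "aeStatus": ["0"],
                            "sudoUser": ["%example-grp-1"]},
    dn("cn=example-srvgrp"): {
        "objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
        "aeLoginGroups": [dn("cn=example-grp-1")],
        "aeVisibleGroups": [dn("cn=example-grp-1"), dn("cn=example-zone-auditors")],
        "aeVisibleSudoers": [dn("cn=example-sudo")]},
    dn("host=example-srv", dn("cn=example-srvgrp")): {
        "objectClass": ["aeHost"], "aeStatus": ["0"], "host": ["example-srv"]},
    dn("cn=example-gw"): {"objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
                          "aeProxyFor": [dn("cn=example-srvgrp")]},
    dn("host=example-gw1", dn("cn=example-gw")): {
        "objectClass": ["aeHost"], "aeStatus": ["0"], "host": ["example-gw1"]},
}


def is_active(entry_dn: str) -> bool:
    """aeStatus 0 is active; anything else, or an unknown DN, grants nothing."""
    entry = ENTRIES.get(entry_dn)
    return entry is not None and entry.get("aeStatus") == ["0"]


def host_dn(hostname: str) -> Optional[str]:
    for edn, entry in ENTRIES.items():
        if "aeHost" in entry["objectClass"] and entry.get("host") == [hostname]:
            return edn
    return None


def srvgroups_for_host(hdn: Optional[str]) -> List[str]:
    """The aeSrvGroup the host lives under plus, transitively, every aeSrvGroup
    it is a proxy for (assumed semantics: proxied rights apply on the proxy)."""
    if hdn is None or not is_active(hdn):
        return []
    todo, seen = [hdn.split(",", 1)[1]], []   # parent DN = the host's aeSrvGroup
    while todo:
        sg = todo.pop()
        if sg in seen or not is_active(sg):
            continue
        seen.append(sg)
        todo.extend(ENTRIES[sg].get("aeProxyFor", []))
    return seen


def _uids_via(attr: str, hostname: str) -> Set[str]:
    """Users reachable through <attr> (aeGroup DNs) of the host's server
    groups; inactive groups and inactive members are dropped."""
    uids: Set[str] = set()
    for sg in srvgroups_for_host(host_dn(hostname)):
        for grp in ENTRIES[sg].get(attr, []):
            if is_active(grp):
                uids.update(ENTRIES[m]["uid"][0]
                            for m in ENTRIES[grp].get("member", []) if is_active(m))
    return uids


def login_users(hostname: str) -> Set[str]:
    return _uids_via("aeLoginGroups", hostname)


def visible_users(hostname: str) -> Set[str]:
    return _uids_via("aeVisibleGroups", hostname)


def sudo_rules(hostname: str) -> Set[str]:
    return {rule for sg in srvgroups_for_host(host_dn(hostname))
            for rule in ENTRIES[sg].get("aeVisibleSudoers", []) if is_active(rule)}


# Unqualified hostnames only (assumption); extend the pattern for FQDNs.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def proxy_command(gateway: str, ae_uid: str, target: str) -> Optional[List[str]]:
    """ForceCommand decision on the gateway: the user must be allowed to log in
    on the gateway AND on the target, and the target must be a plain hostname.
    Returns argv for the tunnel (never a shell string, so a crafted target
    cannot inject), or None to refuse."""
    if not HOSTNAME_RE.match(target):
        return None
    if ae_uid not in login_users(gateway) or ae_uid not in login_users(target):
        return None
    return ["nc", target, "22"]
```

Two details carry the slides' principles: an unknown or non-zero aeStatus yields nothing rather than defaulting to access (explicit beats implicit), and the wrapper returns an argv list so the target name taken from the client can never reach a shell.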
Customer scenario #2

Æ-DIR is the central IAM

HR data pulled from NetSuite

macOS integration (password change synced with FileVault)

"base accounts" get synced to AD/Exchange with password

separate DevOps accounts synced to Azure without password

Login to Azure portal via SAMLv2 IdP

two-factor authc with YubiKey

Future: SAMLv2 login to Office 365
SOHO scenario

Eat your own dog food!

7 W box, libvirt/KVM

postfix/dovecot

Apache

FreeRADIUS (WIFI)

see client-examples/

sshd & sssd or nslcd:
roles/ae-dir-linux-client/
Image: thomas-krenn.com
2-tier architecture with OATH-LDAP
(diagram; components and connections recoverable from its labels)

OpenLDAP provider: slapd/mdb with back-sock as overlay, talking over IPC to the OTP validator. Enrollment runs against the provider: the enrollment web app (reached from a web browser over HTTPS) and the enrollment client both use LDAPI.

OpenLDAP consumer: slapd/mdb replicated from the provider by syncrepl (LDAPS), likewise with back-sock as overlay, talking over IPC to a bind proxy. An LDAP client binds to the consumer over LDAPS; the bind proxy forwards the password/OTP bind to the provider over LDAPS, where the OTP validator checks it.
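What the OTP validator behind that bind has to get right, as an added example that is not OATH-LDAP's own code: HOTP/TOTP per RFC 4226/6238, a look-ahead window for skipped token presses, and a counter that only moves forward so a captured OTP cannot be replayed. Assumptions of this example: the bind password is the static password immediately followed by the OTP digits, counters are stored per token, and the static password is kept as a PBKDF2 hash (chosen for the example only; the real validator's storage format is not described on the slides).

```python
"""OTP validator for a password+OTP bind.  Added example, not OATH-LDAP code.

Assumed split: bind password = static password || OTP digits.  HOTP/TOTP per
RFC 4226/6238 (HMAC-SHA1); PBKDF2 is only the example's password store.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class HOTPToken:
    secret: bytes
    counter: int = 0      # next counter value that may be accepted
    window: int = 5       # look-ahead for token presses that never reached us
    digits: int = 6


@dataclass
class User:
    pw_salt: bytes
    pw_hash: bytes
    token: HOTPToken


def make_user(password: str, secret: bytes) -> User:
    salt = b"constructed-salt"   # fixed only to keep the example deterministic
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(salt, pw_hash, HOTPToken(secret))


def check_hotp(token: HOTPToken, otp: str) -> Optional[int]:
    """Counter inside [counter, counter+window] that produces <otp>, else None.
    Values below token.counter are never tried: that is the replay protection."""
    for c in range(token.counter, token.counter + token.window + 1):
        if hmac.compare_digest(hotp(token.secret, c, token.digits), otp):
            return c
    return None


def validate_bind(user: User, bind_password: str) -> bool:
    """Split password||OTP, verify both, and advance the counter only on success."""
    digits = user.token.digits
    if len(bind_password) <= digits:
        return False
    static, otp = bind_password[:-digits], bind_password[-digits:]
    if not otp.isdigit():
        return False
    calc = hashlib.pbkdf2_hmac("sha256", static.encode(), user.pw_salt, PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(calc, user.pw_hash)   # always computed, both checked
    matched = check_hotp(user.token, otp)
    if not (pw_ok and matched is not None):
        return False
    user.token.counter = matched + 1   # burn the used value and any skipped ones
    return True
```

Both factors are always evaluated before the decision so a failure does not reveal which one was wrong, and the counter update is the one piece of state the validator must persist atomically on the provider: if it were lost or rolled back (for example by serving the check from a stale replica), every OTP in the window would become reusable.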
Conclusion

Security by design is possible

Yes, it’s painful sometimes

Admins need help in the beginning

Management backing helps (budget!)

Don’t break former security promises later!
→ think twice or more before changing something
Links

Docs:
https://ae-dir.com

Play with it!
https://ae-dir.com/demo.html

OATH-LDAP:
https://oath-ldap.stroeder.com
Work in progress: aehostd

Simple custom host daemon that knows the schema

Even less client configuration

Optimized search for users and groups (saves CPU cycles)

Virtual groups (primary GID, role groups)

LDAP session tracking control for better logging

hosts map

sudoers files via cvtsudoers (sudo 1.8.23+)

less code, fewer dependencies, mainly a stripped-down pynslcd(8)

Weitere ähnliche Inhalte

Was ist angesagt?

Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Open Identity Stack Roadmap
Open Identity Stack RoadmapOpen Identity Stack Roadmap
Open Identity Stack RoadmapForgeRock
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakNikhil Kathole
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleMayank Sharma
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Technical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSTechnical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSatSistemas
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2WSO2
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in PracticeForgeRock
 
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...marcuschristie
 

Was ist angesagt? (20)

Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
Open Identity Stack Roadmap
Open Identity Stack RoadmapOpen Identity Stack Roadmap
Open Identity Stack Roadmap
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with Keycloak
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 Module
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Technical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSTechnical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWS
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2Dependency Visualization with WSO2 Governance Registry 5.2
Dependency Visualization with WSO2 Governance Registry 5.2
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Scienc...
 

Ähnlich wie DevOps IAM with Æ-DIR

SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?Louis Göhl
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New BlackWSO2
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP  - Office 365 and Cloud Identity - What does it mean for me?SYDSP  - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?Scott Hoag
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Iwantha Lekamge
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity ManagementRadovan Semancik
 
CIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCloudIDSummit
 
OpenIDM: An Introduction
OpenIDM: An IntroductionOpenIDM: An Introduction
OpenIDM: An IntroductionForgeRock
 
Platform Deep Dive
Platform Deep DivePlatform Deep Dive
Platform Deep DiveConrad23
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 SecurityAmit Gatenyo
 
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !Identity Days
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365Scott Hoag
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 

Ähnlich wie DevOps IAM with Æ-DIR (20)

Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
Ad ds ws2008 r2
Ad ds ws2008 r2Ad ds ws2008 r2
Ad ds ws2008 r2
 
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
 
[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black
 
Bye bye Identity Server
Bye bye Identity ServerBye bye Identity Server
Bye bye Identity Server
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP  - Office 365 and Cloud Identity - What does it mean for me?SYDSP  - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity Management
 
CIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market OverviewCIS13: Next Generation Privileged Identity Management: A Market Overview
CIS13: Next Generation Privileged Identity Management: A Market Overview
 
OpenIDM: An Introduction
OpenIDM: An IntroductionOpenIDM: An Introduction
OpenIDM: An Introduction
 
Platform Deep Dive
Platform Deep DivePlatform Deep Dive
Platform Deep Dive
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 Security
 
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
Appliquez le modèle Zero Trust pour le Hardening de votre Azure AD !
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
 
Mojemoje
MojemojeMojemoje
Mojemoje
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 

Kürzlich hochgeladen

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 

Kürzlich hochgeladen (20)

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 

DevOps IAM with Æ-DIR

  • 1. STROEDER.COM OSDC 2018-06-13
    Æ-DIR - Authorized Entities Directory
    The paranoid and agile IAM for DevOps
    Open Source Datacenter Conference 2018
  • 2. Michael Ströder <michael@stroeder.com>
    Freelancer
    Topics of the last 20 years:
    Identity & Access Management, Directory Services (LDAP)
    Single Sign-On, Multi-Factor Authentication
    PKI (X.509, SSH), Applied Crypto
    Open Source / Free Software: Æ-DIR, OATH-LDAP, web2ldap
  • 3. Goals
    Principles:
    Need-to-know
    Least Privilege
    Separation of Duties
    Delegated administration of manageable small areas
    Meaningful audit trails
    Compliance checks
  • 4. Paradigms
    Explicit is better than implicit
    Secure authorization requires secure authentication
    Avoid all-mighty proxy roles and workflows
    Do not assume a hierarchical structure
    A person is not a user account
    Multiple user accounts per person
    Persistent IDs (never re-used) for reliable audit trails
  • 5. 2-tier architecture [architecture diagram; components shown: admin workstation (web browser, SSH client, maintenance tools); Æ-DIR provider (slapd/mdb, admin UI web2ldap, password self service; reached via LDAPS/LDAPI and HTTPS); Æ-DIR consumer (slapd/mdb, replicated from the provider via LDAPS syncrepl; queried via LDAPS by a custom tool and by the servers); Unixoid server (sudo-ldap, sssd, reached via SSH); DB server (postgresql, pgadmin); web server (Apache httpd); maintenance tools on each server use LDAPI locally]
  • 6. Directory Information Tree (DIT) [tree diagram rendered as an indented list]
    ou=ae-dir (aeRoot)
      cn=ae (aeZone)
      cn=example (aeZone)
        cn=example-zone-admins (aeGroup)
        cn=example-zone-auditors (aeGroup)
        cn=example-grp-1 (aeGroup)
        uid=foo1 (aeUser)
        cn=example-sudo (aeSudoRule)
        cn=example-srvgrp (aeSrvGroup)
          host=example-srv (aeHost)
            cn=eth0 (aeNwDevice)
            cn=bond0 (aeNwDevice)
          uid=system_example1 (aeService)
      cn=pub (aeZone)
        cn=ae-users (aeGroup)
        cn=sudo-defaults (aeSudoRule)
      cn=people (aeZone)
        departmentNumber=d42 (aeDept)
        uniqueIdentifier=p23 (aePerson)
  • 7. Full EER diagram [entity-relationship diagram; entities: aeZone, aeSrvGroup, aeHost, aeNwDevice, aeService, aeUser, aePerson, aeContact, aeGroup, aeMailGroup, aeSudoRule, aeDept, aeLocation, aeAuthcToken (oathHOTPToken, oathTOTPToken), pwdPolicy; relationship attributes: aeProxyFor, aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups, aeVisibleSudoers, member, memberOf, sudoUser, pwdPolicySubentry, aeZoneAdmins, aeZoneAuditors, aePasswordAdmins, aeDept, aeLocation, oathParams/oathHOTPParams; "child of" relations: aeHost is a child of aeSrvGroup, aeNwDevice is a child of aeHost, aeService is a child of aeSrvGroup]
  • 8. EER for access control [subset of the EER diagram; entities: aeZone (aeZoneAdmins, aeZoneAuditors, aePasswordAdmins), aeSrvGroup, aeHost (child of aeSrvGroup), aeNwDevice (child of aeHost), aeService (aeProxyFor), aeGroup (member), aeSudoRule (sudoUser), aeUser, aePerson; aeSrvGroup refers to aeGroup via aeSetupGroups, aeLogStoreGroups, aeLoginGroups, aeVisibleGroups, aeDisplayNameGroups, and to aeSudoRule via aeVisibleSudoers]
  • 9. Installation Æ-DIR server
    Ansible role installs replicas and all services
    Base configuration has to be done separately
    Site-specific Ansible variables
    Read the comments! ansible/roles/ae-dir-server/defaults/main.yml
    Create a site directory, see ansible/example/
    If things went wrong, the Ansible role corrects it
  • 10. Defense in Depth
    Secure defaults
    Self-contained (zone ae)
    Services separated, Unix domain sockets (peer credentials)
    systemd options for hardening (mount points etc.)
    Strict AppArmor profiles for all services (optional, targeted, and only for SUSE and Debian)
    2-factor authc: YubiKey based on OATH-LDAP
    Coming soon: rule set for mod_security
  • 11. Customer scenario #1
    Æ-DIR is a separate IAM for privileged admin accounts
    15000 hosts
    Person objects pulled from another LDAP server
    Separate accounts for ops and dev people
    Delegated administration of different stages
    Two-factor authc with YubiKey
    SSH proxy
  • 12. SSH proxy authz [flow diagram; steps as labelled on the slide]
    Admin workstation: ssh <legacy-uid>@<target>; the ProxyCommand for <target> is looked up in the local config
    Admin workstation → SSH proxy: SSH <ae-dir-uid>@<gateway-host>
    SSH proxy: sshd with nss_sss/pam_sss, sssd and sudo-ldap, talking LDAPS to the Æ-DIR consumer (slapd/mdb); SSH key query by ae-uid
    Wrapper script (ForceCommand): authz check of <ae-uid@target> via ae_checkd; full shell only for GW admins
    On success: nc <target>:22, i.e. a TCP tunnel through the SSH session to ssh on the target system
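As an added illustration (not Æ-DIR project code) of the access-control model on the "EER for access control" slide, which is also the question the authz check on the SSH proxy slide has to answer (may <ae-uid> log in to <target>?): the aeHost's aeSrvGroup is its parent entry, aeLoginGroups names the aeGroup entries whose members may log in, and aeVisibleSudoers names the aeSudoRule entries visible on that host. The mini-directory, its DNs and the function names are constructed for this example; real Æ-DIR answers this with LDAP searches in its own tooling (ae_checkd, aehostd), not with a dict walk.

```python
# Added example (not Æ-DIR code): evaluate "may user log in to host?" and
# "which sudo rules does the host see?" over a constructed mini-directory
# whose layout and attribute names follow the DIT and EER slides.

DIRECTORY = {  # constructed: DN -> attributes
    "uid=foo1,cn=example,ou=ae-dir": {"objectClass": ["aeUser"]},
    "uid=bar2,cn=example,ou=ae-dir": {"objectClass": ["aeUser"]},
    "cn=example-grp-1,cn=example,ou=ae-dir": {
        "objectClass": ["aeGroup"],
        "member": ["uid=foo1,cn=example,ou=ae-dir"],
    },
    "cn=example-sudo,cn=example,ou=ae-dir": {
        "objectClass": ["aeSudoRule"],
        "sudoUser": ["%example-grp-1"],
    },
    "cn=example-srvgrp,cn=example,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"],
        "aeLoginGroups": ["cn=example-grp-1,cn=example,ou=ae-dir"],
        "aeVisibleSudoers": ["cn=example-sudo,cn=example,ou=ae-dir"],
    },
    "host=example-srv,cn=example-srvgrp,cn=example,ou=ae-dir": {
        "objectClass": ["aeHost"],
    },
    # a host whose aeSrvGroup entry is missing: nothing may be derived for it
    "host=other-srv,cn=other-srvgrp,cn=example,ou=ae-dir": {"objectClass": ["aeHost"]},
}

def parent_dn(dn):
    """Drop the first RDN (naive split; real DNs need escaping-aware parsing)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def srv_group(directory, host_dn):
    """The aeSrvGroup of an aeHost is its parent entry; {} if absent or wrong class."""
    entry = directory.get(parent_dn(host_dn), {})
    return entry if "aeSrvGroup" in entry.get("objectClass", []) else {}

def may_login(directory, user_dn, host_dn):
    """Explicit is better than implicit: True only via membership in a login group."""
    return any(
        user_dn in directory.get(group_dn, {}).get("member", [])
        for group_dn in srv_group(directory, host_dn).get("aeLoginGroups", [])
    )

def visible_sudo_rules(directory, host_dn):
    """DNs of the aeSudoRule entries the host's aeSrvGroup makes visible."""
    return [
        dn for dn in srv_group(directory, host_dn).get("aeVisibleSudoers", [])
        if "aeSudoRule" in directory.get(dn, {}).get("objectClass", [])
    ]
```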
  • 13. Customer scenario #2
    Æ-DIR is the central IAM
    HR data pulled from NetSuite
    macOS integration (synced password change with FileVault)
    "Base accounts" get synced to AD/Exchange with password
    Separate DevOps accounts synced to Azure without password
    Login to Azure portal via SAMLv2 IdP
    Two-factor authc with YubiKey
    Future: SAMLv2 login to Office 365
  • 14. SOHO scenario
    Eat your own dog food!
    7 W, libvirt/KVM
    postfix/dovecot
    Apache
    FreeRADIUS (WiFi)
    See client-examples/
    sshd & sssd or nslcd: roles/ae-dir-linux-client/
    Image: thomas-krenn.com
  • 15. 2-tier architecture with OATH-LDAP [architecture diagram; components shown: OpenLDAP provider (slapd/mdb) with OTP validator attached via LDAPI/back-sock as overlay (IPC); OpenLDAP consumer (slapd/mdb, replicated via syncrepl over LDAPS) with bind proxy attached via LDAPI/back-sock as overlay (IPC), which forwards the password/OTP bind over LDAPS to the provider; LDAP client binding to the consumer over LDAPS; enrollment web app (HTTPS from web browser, LDAPI to slapd) and enrollment client]
  • 16.
  • 17. Conclusion
    Security by design is possible
    Yes, it's painful sometimes
    Admins need help in the beginning
    Backing of management helps (budget!)
    Don't break former security promises later! → think twice or more before changing something
  • 18. Links
    Docs: https://ae-dir.com
    Play with it! https://ae-dir.com/demo.html
    OATH-LDAP: https://oath-ldap.stroeder.com
  • 19. :-/ ? … !
  • 20. Work in progress: aehostd
    Simple custom host daemon that knows the schema
    Even less client configuration
    Optimized search for users and groups (saves CPU cycles)
    Virtual groups (primary GID, role groups)
    LDAP session tracking control for better logging
    hosts map
    sudoers files via cvtsudoers (sudo 1.8.23+)
    Less code, fewer dependencies, mainly a stripped-down pynslcd(8)