- D I R - - A u t h o r i z e d E n t i t i e - - PowerPoint PPT Presentation

SLIDE 1

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1
• F

O S D E M ’ 1 8

• I

d e n t i t y a n d A c c e s s M a n a g e m e n t d e v r

• m

Æ- D I R

• A

u t h

• r

i z e d E n t i t i e s D i r e c t

• r

y

f r

• m

p a r a n

• i

d u s e r m a n a g e m e n t t

• s

e c u r e s y s t e m m a n a g e m e n t

SLIDE 2

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 2
• P

e r s

• n

a l i n f

• 

M i c h a e l S t r ö d e r < m i c h a e l @s t r

• e

d e r . c

• m

> , s e l f

• e

m p l

• y

e d



I A M , P K I , e t c .



F r e e s

• f

t w a r e



Æ- D I R



O A T H

• L

D A P



w e b 2 l d a p



f

• r

m e r l y p y t h

• n
• l

d a p

SLIDE 3

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 3
• O

b j e c t i v e s



S t r i c t l y f

• l

l

• w

p r i n c i p l e s :



N e e d

• t
• k

n

• w



L e a s t P r i v i l e g e



S e p a r a t i

• n
• f

D u t i e s



A g i l e d a t a m a i n t e n a n c e b y c

• n

s e q u e n t d e l e g a t i

• n
• f

m a n a g e a b l e s m a l l a r e a s



P r

• v

i d e m e a n i n g f u l a u d i t t r a i l s



S

• l

i d b a s e f

• r

c

• m

p l i a n c e c h e c k s

SLIDE 4

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 4
• P

a r a d i g ms



E x p l i c i t i s b e t t e r t h a n i m p l i c i t



S e c u r e a u t h

• r

i z a t i

• n

r e q u i r e s s e c u r e a u t h e n t i c a t i

• n



I n d i v i d u a l a u t h e n t i c a t i

• n

i n s t e a d

• f

s h a r e d c r e d e n t i a l s



A v

• i

d a l l

• m

i g h t y p r

• x

y r

• l

e s



A p e r s

• n

i s n

• t

a n u s e r a c c

• u

n t , a v

• i

d

• r

g

• b

a s e d a u t h z !



R

• l

e s e p a r a t i

• n

w i t h m u l t i p l e u s e r a c c

• u

n t s p e r p e r s

• n



P e r s i s t e n t I D s ( n e v e r r e

• u

s e d ) f

• r

r e l i a b l e a u d i t t r a i l s

SLIDE 5

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 5
• R
• l

e s



Æ a d m i n s d e l e g a t e z

• n

e s , f i x b r

• k

e n e n t r i e s , b u t t h e y d

• n
• t

m a i n t a i n z

• n

e s



Æ a u d i t

• r

s m a y r e a d ( a l m

• s

t ) e v e r y t h i n g



Z

• n

e a d m i n s a r e t h e m a i n t a i n e r s d

• i

n g t h e d a i l y w

• r

k



Z

• n

e a u d i t

• r

s m a y r e a d a n y t h i n g w i t h i n a z

• n

e



S e t u p a d m i n s m a i n t a i n h

• s

t s / s e r v i c e s w i t h i n s e r v i c e g r

• u

p s



U s e r s m a y r e a d

• w

n e n t r i e s , s e e m e m b e r s

• f
• w

n g r

• u

p s , c h a n g e

• w

n p a s s w

• r

d

SLIDE 6

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 6
• 2
• t

i e r a r c h i t e c t u r e

admin workstation Æ-DIR provider slapd mdb admin UI (web2ldap) password self service

LDAPS, LDAPI LDAPI

web browser Æ-DIR consumer slapd mdb

LDAPS (syncrepl)

custom tool

LDAPS

Unixoid server sudo-ldap sssd SSH client

SSH HTTPS

maintenance tools maintenance tools maintenance tools

LDAPI

DB server postgresql web server Apache httpd

LDAPS

pgadmin

SLIDE 7

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 7
• D

i r e c t

• r

y I n f

• r

ma t i

• n

T r e e ( D I T )

• u=ae-dir

aeRoot cn=ae aeZone cn=example aeZone cn=example-zone-admins aeGroup cn=example-grp-1 aeGroup cn=example-zone-auditors aeGroup uid=foo1 aeUser cn=example-sudo aeSudoRule cn=example-srvgrp aeSrvGroup host=example-srv aeHost uid=system_example1 aeService cn=pub aeZone cn=ae-users aeGroup cn=sudo-defaults aeSudoRule cn=people aeZone departmentNumber=d42 aeDept uniqueIdentifier=p23 aePerson cn=eth0 aeNwDevice cn=bond0 aeNwDevice

SLIDE 8

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 8
• C
• mp

l e t e E E R d i a g r a m

aeSrvGroup aeProxyFor aeGroup aeSetupGroups aeLogStoreGroups aeLoginGroups aeVisibleGroups aeDisplayNameGroups aeSudoRule aeVisibleSudoers aeMailGroup aeVisibleGroups aeDisplayNameGroups aeDept aeDept aeLocation aeLocation aeService member aeUser member sudoUser aeHost (child of) aeSrvGroup aeLocation pwdPolicy pwdPolicySubentry aeNwDevice (child of) aeNwDevice aePerson aeDept aeLocation aeZone aeZoneAdmins aeZoneAuditors aePasswordAdmins aeDept aeLocation (child of) aeSrvGroup memberOf aeHost memberOf pwdPolicySubentry memberOf aePerson aeAuthcToken

• athHOTPToken
• athTOTPToken

memberOf pwdPolicySubentry aePerson pwdPolicySubentry

• athParams
• athHOTPParams

aeContact memberOf aeDept member member member

SLIDE 9

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 9
• A

u t h z E E R d i a g r a m

aeHost aeSrvGroup aeGroup aeSudoRule aeUser aePerson member sudoUser aeSetupGroups aeLogStoreGroups aeLoginGroups aeVisibleGroups aeDisplayNameGroups (child of) or aeSrvGroup aeVisibleSudoers aePerson aeService aeZone aeProxyFor aeZoneAdmins aeZoneAuditors aePasswordAdmins aeService aeNwDevice (child of)

SLIDE 10

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1
• C

l i e n t i n t e g r a t i

• n



C l i e n t s d e l i b e r a t e l y k e p t d u m b



S c h e m a d e r i v e d f r

• m

c

• m

m

• n

s t a n d a r d s :



N I S

• L

D A P



s u d

• l

d a p ( a l w a y s s u d

• H
• s

t : A L L )



H y b r i d g r

• u

p s f

• r

R F C 2 3 7 / R F C 2 3 7 b i s c

• m

p a b i l i t y



S u p p

• r

t f

• r

h

• s

t s m a p ( e . g . w i t h n s s

• p

a m

• l

d a p d a k a n s l c d )



A b a n d

• n

n e t g r

• u

p m a p → m i g r a t e t

• a

e S r v G r

• u

p

SLIDE 11

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1

1

• S

S H p r

• x

y w i t h a u t h z

admin workstation Æ-DIR consumer slapd mdb ssh <legacy-uid>@<target> ProxyCommand looked up for <target> in local config SSH proxy sudo-ldap sssd

LDAPS SSH <ae-dir-uid>@<gateway-host>

ae_checkd sshd full shell for GW admins nss_sss pam_sss wrapper script (ForceCommand) nc <target>:22

Authz Check <ae-uid@target> SSH key query by ae-uid

target system ssh

TCP (SSH tunnel)

SLIDE 12

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1

2

• O

A T H

• L

D A P

• 2
• t

i e r a r c h i t e c t u r e

OpenLDAP provider OpenLDAP consumer slapd mdb

syncrepl (LDAPS) LDAPS

web browser LDAP client bind proxy

LDAPI

back-sock as overlay

IPC

slapd mdb OTP validator

LDAPI

back-sock as overlay

IPC forward password/OTP bind (LDAPS) LDAPS

enrollment web app

HTTPS LDAPI

enrollment client

SLIDE 13

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1

3

• O

A T H

• L

D A P

• e

n r

• l

l me n t

enrollment client

User OTP admin

OpenLDAP provider user workstation

• 1. request OTP token
• 6. hand-out

enrollment client, OTP token and pw#2

• 3. add/reset

token entry (through web application)

• 9. OTP token ID

pw#1 + pw#2 (LDAP simple bind) encrypted shared secret (LDAP modify)

• 4. send pw#1

via e-mail

• 7. get pw#1

from e-mail

• 8. insert OTP token

enter pw#1 + pw#2 e-mail server fetch e-mail

• 2. add/personalize

OTP token

• 5. note pw#2

OTP admin workstation

SLIDE 14

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1

4

• N

e x t : S y s t e m ma n a g e me n t



a e N w D e v i c e h a s t r i p l e ( F Q D N , I P , M A C )



N e t w

• r

k a c c e s s c

• n

t r

• l

( 8 2 . 1 x )



O S d e p l

• y

m e n t ( P X E , D H C P , B O O T P )



E l i m i n a t e d y n a m i c h

• s

t n a m e u p d a t e s i n D N S



e a s y i n t e g r a t i

• n
• f

v i r t

• i

n s t a l l

• r

s i m i l a r



a n s i b l e d y n a m i c i n v e n t

• r

y



X . 5 9 s e r v e r c e r t i f i c a t e s

SLIDE 15

STROEDER.COM

F O S D E M ‘ 1 8 / 2 1 8

• 2
• 3
• 1

5

• :
• /

? … !

C h e c k

• u

t

• h

t t p s : / / a e

• d

i r . c

• m/

d e mo . h t ml C

• n

t r i b u t e

• h

t t p s : / / a e

• d

i r . c

• m/

t

• d
• .

h t ml