stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
7b01c7d6acd233c1fdfac71cad09fd266be6bfc9
git.stella-ops.org/docs/implplan/archived/updates/2025-11-03-authority-plugin-ldap-review.md
master 7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add comprehensive product advisories for improved scanner functionality 
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
2025-11-17 00:09:26 +02:00

2.2 KiB
Raw Blame History

Authority Plugin LDAP Review — 2025-11-03

Attendees

  • Auth Guild core (Authority Host Crew)
  • Security Guild (Identity Controls)
  • DevEx Docs Guild
  • Plugin Team 4 (Auth Libraries & Identity Providers)

Agenda

  • Confirm LDAP plugin charter and offline/sovereign requirements.
  • Resolve outstanding decisions (audit mirror, mutual TLS, group mapping).
  • Capture follow-up implementation tasks and documentation deliverables.

Discussion Summary

  1. Audit mirror parity — All provisioning flows must emit Mongo audit records even when LDAP is the write source. Records store actor, tenant, DN, operation, hashed secret reference, and correlation IDs matching Authority audit events.
  2. Mutual TLS requirements — Regulated installations (FIPS/eIDAS/GOST) require client certificate bindings. Plugin must accept secret-backed PFX stores, optional chain send, and deterministic trust-store configuration (system vs bundled roots). Runtime must fail fast when TLS is misconfigured.
  3. Role mapping flexibility — Deterministic regex mappings allow deriving canonical Authority roles from LDAP DNs without custom scripting. Regex capture groups map to {role} substitutions; evaluation order is deterministic (dictionary map → regex map) to preserve predictability.
  4. Offline cache expectations — Mongo-backed cache must record TTL and emit metrics when falling back to cached entries. Cache invalidation respects cache.ttlSeconds configuration.

Follow-up Tasks

  • PLG7.IMPL-001 — Scaffold plugin + tests, configuration binding (client cert, trust store, insecure toggle validation).
  • PLG7.IMPL-002 — Implement credential store + mutual TLS enforcement with deterministic retry/backoff and structured logging.
  • PLG7.IMPL-003 — Deliver claims enricher with regex mapping, cache layer, and associated tests/fixtures.
  • PLG7.IMPL-004 — Implement client provisioning store with LDAP write toggles, Mongo audit mirror, and bootstrap validation.
  • PLG7.IMPL-005 — Update developer guide, samples, and release notes with LDAP configuration guidance (mutual TLS, regex mapping, audit mirror).

Next Checkpoint

  • Status review scheduled 2025-11-10 to assess scaffolding progress and mutual TLS handshake tests.