Unit 4: Active Directory and LDAP integration #44

@TeoSlayer

Scope

On-premise AD/LDAP integration for enterprises that haven't migrated to cloud identity.

Deliverables

  • AD group membership → Pilot network mapping
  • Kerberos-to-token bridge: service that validates Kerberos tickets and issues short-lived Pilot join tokens
  • LDAP bind verification: simpler alternative for LDAP-only environments
  • AD CS certificate templates: "Pilot Agent" template with Extended Key Usage and SAN fields
  • Bridge service binary: standalone component that connects to AD and issues tokens
  • Setup guide: AD configuration, group policy, certificate template creation

Files

  • cmd/pilot-ad-bridge/ — Kerberos/LDAP bridge service
  • pkg/adbridge/ — AD/LDAP client, token issuance

Priority: MEDIUM
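
A sketch of the first two deliverables working together, added here as an illustration and not taken from the Pilot code base. The group map, the `principal|network|expiry` token layout, the HMAC key and every function name are assumptions, and the principal is assumed to have already been authenticated by Kerberos ticket validation or an LDAP bind.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

var groupToNetwork = map[string]string{ // constructed: lowercased AD group DN -> network
	"cn=pilot-prod,ou=groups,dc=example,dc=com": "prod-net",
	"cn=pilot-dev,ou=groups,dc=example,dc=com":  "dev-net",
}

// seal appends an HMAC-SHA256 tag to payload, giving "payload.tag".
func seal(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// IssueTokens returns one token per mapped group; unmapped groups grant nothing.
func IssueTokens(key []byte, principal string, memberOf []string, now time.Time, ttl time.Duration) (toks []string) {
	for _, dn := range memberOf {
		if network, ok := groupToNetwork[strings.ToLower(strings.TrimSpace(dn))]; ok {
			toks = append(toks, seal(key, principal+"|"+network+"|"+now.Add(ttl).UTC().Format(time.RFC3339)))
		}
	}
	return toks
}

// VerifyToken checks the tag in constant time before parsing, then enforces expiry.
func VerifyToken(key []byte, token string, now time.Time) (string, string, error) {
	i := strings.LastIndex(token, ".")
	if i < 0 || !hmac.Equal([]byte(token), []byte(seal(key, token[:i]))) {
		return "", "", fmt.Errorf("invalid token")
	}
	f := strings.Split(token[:i], "|")
	exp, err := time.Parse(time.RFC3339, f[len(f)-1])
	if len(f) != 3 || err != nil || !now.Before(exp) {
		return "", "", fmt.Errorf("malformed or expired token")
	}
	return f[0], f[1], nil
}

func main() {
	fmt.Println(IssueTokens([]byte("demo-key"), "alice@EXAMPLE.COM", []string{"CN=Pilot-Dev,OU=Groups,DC=example,DC=com"}, time.Now(), time.Minute))
}
```

A principal containing `|` yields a token that fails the three-field check at verification, so it is rejected rather than misparsed.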
