From Fedora Project Wiki

< Features

Revision as of 19:07, 19 January 2009 by Sgallagh (talk | contribs) (New Feature for Fedora 11 - SSSD)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Feature Name

System Security Services Daemon (SSSD)


This project provide a set of daemons to manage access to remote directories and authentication mechanisms, it provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.


  • email:

Current status

  • Targeted release: Fedora 28
  • Last updated: January 19, 2009
  • Percentage of completion: 25%

Detailed Description

The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, FreeIPA and Samba services to provide an offline mode, to ease the use of centrally managing laptop users.

An additional feature of the SSSD will be to provide a service on the system D-BUS called InfoPipe. This service will act as a central authority on extended user information such as face browser images, preferred language, etc. This will replace the existing system consisting predominately of hidden configuration files in the user's home directory, which may not be available if the home directory has not yet been mounted by autofs.

The SSSD is being developed alongside the FreeIPA project. Part of its purpose will be to act as an IPA client to enable features such as machine enrollment and machine policy management. SSSD will provide a back-end to the newly redesigned PolicyKit for central management of policy decisions.

Benefit to Fedora

  • Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling.
  • Desktop developers will have access to the new InfoPipe, allowing them to migrate towards using a more consistent approach for storing and retrieving extended user information.
  • The SSSD will simplify enrollment into FreeIPA network domains, as it will provide the FreeIPA client software.
  • The design of the SSSD will allow other services such as LDAP, NIS and Samba to take advantage of the caching and offline features.


Some features of the SSSD are available now as a technology preview. The NSS caching lookups for LDAP authentication are nearly in a working state.

We need to complete the NSS feature, add the PAM, PolicyKit and InfoPipe features (in descending priority) and complete the IPA client functionality.

How To Test

To be added. The test plan for this feature will be fairly complex, as it provides several different components that will each require testing.

User Experience

Users will be able to authenticate to their network logons while not connected to the network. Additionally, joining a machine to a FreeIPA domain should be markedly simpler.


Additional components of the FreeIPA client will be dependent on this feature, however they are being developed concurrently and should not be negatively impacted. The SSSD will have dependencies on glibc, D-BUS, libtevent, libtalloc and libldb. At the time of this writing, we do not foresee any of these packages affecting our release.

Contingency Plan

We will complete the NSS and PAM portions of the SSSD first. If time does not permit completion of the additional components, they will be deferred to Fedora 12. In the unlikely event that the NSS and PAM portions of the SSSD are not ready for Fedora 11, they can be omitted with no harm to the release.


Design Document on

Release Notes

Comments and Discussion