System Security Services Daemon (SSSD)
This project provide a set of daemons to manage access to remote directories and authentication mechanisms, it provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.
- Name: Stephen Gallagher
- email: firstname.lastname@example.org
- Targeted release: Fedora 29
- Last updated: January 19, 2009
- Percentage of completion: 25%
The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, to ease the use of centrally managing laptop users.
The LDAP features will also add support for connection pooling. All communication to the ldap server will happen over a single persistent connection, reducing the overhead of opening a new socket for each request. The SSSD will also add support for multiple LDAP/NIS domains. It will be possible to connect to two or more LDAP/NIS servers acting as separate user namespaces.
An additional feature of the SSSD will be to provide a service on the system D-BUS called InfoPipe. This service will act as a central authority on extended user information such as face browser images, preferred language, etc. This will replace the existing system consisting predominately of hidden configuration files in the user's home directory, which may not be available if the home directory has not yet been mounted by autofs.
The SSSD is being developed alongside the FreeIPA project. Part of its purpose will be to act as an IPA client to enable features such as machine enrollment and machine policy management. SSSD will provide a back-end to the newly redesigned PolicyKit for central management of policy decisions.
Benefit to Fedora
- Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling.
- Desktop developers will have access to the new InfoPipe, allowing them to migrate towards using a more consistent approach for storing and retrieving extended user information.
- The SSSD will simplify enrollment into FreeIPA network domains, as it will provide the FreeIPA client software.
- The design of the SSSD will allow other services such as LDAP, NIS and FreeIPA to take advantage of the caching and offline features.
Some features of the SSSD are available now as a technology preview. The NSS caching lookups for LDAP authentication are nearly in a working state.
We need to complete the NSS feature, add the PAM, PolicyKit and InfoPipe features (in descending priority) and complete the IPA client functionality.
How To Test
To be added. The test plan for this feature will be fairly complex, as it provides several different components that will each require testing.
Users will be able to authenticate to their network logons while not connected to the network. Additionally, joining a machine to a FreeIPA domain should be markedly simpler.
Administrators will be able to configure a machine to authenticate against more than one LDAP server/domain.
Additional components of the FreeIPA client will be dependent on this feature, however they are being developed concurrently and should not be negatively impacted. The SSSD will have dependencies on glibc, D-BUS, libtalloc, libtevent, libtdb and libldb. At the time of this writing, we do not foresee any of these packages affecting our release.
We will complete the NSS and PAM portions of the SSSD first. If time does not permit completion of the additional components, they will be deferred to Fedora 12. In the unlikely event that the NSS and PAM portions of the SSSD are not ready for Fedora 11, they can be omitted with no harm to the release.
Comments and Discussion