From Fedora Project Wiki
Latest revision as of 18:40, 18 March 2010

SSSD By Default

Summary

Include SSSD in the default set of base Fedora 13 packages and configure it through authconfig and firstboot.

Owner

  • email: sgallagh@redhat.com

Current status

  • Targeted release: Fedora 13
  • Last updated: 2010-02-05 07:30:00 EST
  • Percentage of completion: 100%

2009-12-11

  • The SSSD's SSSDConfig python API is complete
  • authconfig-6.0.0-1, currently built in Koji and awaiting a Rawhide compose, contains all of the GUI features necessary for configuring the SSSD, taking advantage of the SSSDConfig python API
  • firstboot invokes authconfig with SSSD support when selecting "Use Network Login"

Still to do:

  • Add SSSD to the default package set (pending FESCo approval of this Feature)
  • Schedule a Test Day for configuring and testing this Feature

2009-12-21

  • SSSD has been added as a default package in the "core" package group in Comps.

2010-02-05

  • All necessary packages are in place in comps, authconfig and SSSD are working together
  • Note: There are plans to redesign the actual authconfig interface to be simpler for end-users, but this is not a condition for marking this Feature complete.

Detailed Description

This feature would provide support in firstboot for joining a client to an LDAP/Kerberos or FreeIPA server. Users would be able to select "Use Network Login" during firstboot setup and configure it for connection to one or more central identity and authentication stores.

Benefit to Fedora

The prime benefit of the System Security Services Daemon is support for offline logins. Above and beyond the traditional pam_ldap or pam_krb5 approaches, the SSSD would remove the need for laptop users of Fedora to maintain a local account, separate from their centrally-managed account, to work offline or disconnected from the central servers.

Scope

The SSSD and its dependency packages (libtdb, libldb, libtevent, libtalloc and c-ares) need to be included in the default installation of Fedora. Support needs to be added to authconfig to provide a simple way to configure the SSSD. To that end, a python API is exposed from the SSSD that can be consumed by authconfig. Support for the new authconfig SSSD features needs to be added to firstboot.

How To Test

Testing will require a centralized identity and authentication store. The SSSD natively supports LDAP as an identity store, and either LDAP or Kerberos 5 as an authentication store. The SSSD has been tested successfully against FreeIPA (LDAP+Kerberos) as well as Fedora DS and MIT Kerberos, and has had limited testing against Active Directory.

To test, configure the SSSD using authconfig to communicate with a centralized user store. Then attempt to log in using SSH or GDM (or KDM, etc.). If this succeeds, attempt to do the same while offline.

If authenticating against a Kerberos server, also verify that a valid TGT was received (when performing online authentication).
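The offline step of the test above only passes when the SSSD domain both uses an authentication provider that supports it and has credential caching enabled. The following added example (not code from this feature page or the SSSD project) checks an sssd.conf for exactly that, using a constructed LDAP/Kerberos 5 domain; key names are assumed to be those of the SSSD 1.0-era sssd.conf(5) manual.

```shell
#!/bin/sh
# Added example, not code from the feature page or the SSSD project: an
# SSSD domain can only serve the offline logins described above when its
# auth_provider supports them (ldap, krb5, ipa) AND cache_credentials is
# enabled. This script checks an sssd.conf for exactly that. Key names are
# those of the SSSD 1.0-era sssd.conf(5) manual; the config is constructed.
set -eu
# Constructed sample: LDAP identity + Kerberos 5 authentication, as
# authconfig sets up for "Use Network Login", but with caching disabled.
SAMPLE_CONF="$(mktemp)"
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
cache_credentials = False
EOF
# Print the value of one key inside one [section] of an ini-style file.
ini_get() { # $1=file $2=section $3=key
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}
# Return 0 when every domain listed in [sssd] can authenticate offline;
# otherwise report each problem and return 1.
offline_auth_ready() { # $1=file
    file="$1"; ok=0
    for d in $(ini_get "$file" sssd domains | tr ',' ' '); do
        prov="$(ini_get "$file" "domain/$d" auth_provider)"
        cache="$(ini_get "$file" "domain/$d" cache_credentials | tr 'A-Z' 'a-z')"
        case "$prov" in ldap|krb5|ipa) ;;
            *) echo "$d: auth_provider '$prov' cannot serve offline logins"; ok=1 ;;
        esac
        case "$cache" in true|yes|1) ;;
            *) echo "$d: cache_credentials is not enabled"; ok=1 ;;
        esac
    done
    return "$ok"
}
offline_auth_ready "$SAMPLE_CONF" || echo "sample config: offline login would fail"
```

For the Kerberos part of the test, after an online login `klist -s` exits 0 only if the credential cache holds a valid, unexpired ticket, which is the TGT check the procedure asks for.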

User Experience

Users with centrally managed accounts will no longer need to maintain a second, local user account for use when not connected to the central servers.

Dependencies

At this time, no dependencies other than those listed above are known.

Contingency Plan

If it is not completed in time, Fedora can drop this feature with no ill effects and continue to use the existing remote authentication methods.

Documentation

Release Notes

Fedora 13 can now take advantage of the System Security Services Daemon to enable high-performance, cached authentication and identity lookups, as well as support for offline authentication.

Offline caching of identity data is supported for LDAP and FreeIPA servers, and offline authentication is supported for LDAP, Kerberos 5 and FreeIPA authentication servers.

Comments and Discussion