Latest revision as of 20:03, 11 May 2010
SSSD
System Security Services Daemon (SSSD)
Summary
This project provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis for providing client auditing and policy services for projects like FreeIPA.
Owner
- Name: Stephen Gallagher
- email: sgallagh@redhat.com
- Name: Simo Sorce
- email: simo@fedoraproject.org
Current status
- Targeted release: Fedora 11
- Last updated: 2009-04-28
- Percentage of completion: 100%
Detailed Description
The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, making it easier to manage laptop users centrally.
The LDAP features will also add support for connection pooling. All communication to the LDAP server will happen over a single persistent connection, reducing the overhead of opening a new socket for each request. The SSSD will also add support for multiple LDAP/NIS domains. It will be possible to connect to two or more LDAP/NIS servers acting as separate user namespaces.
An additional feature of the SSSD will be to provide a service on the system D-BUS called InfoPipe. This service will act as a central authority on extended user information such as face browser images, preferred language, etc. This will replace the existing system consisting predominantly of hidden configuration files in the user's home directory, which may not be available if the home directory has not yet been mounted by autofs.
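The offline-cache and multiple-domain behaviour described above, as an added example that is not part of this page or of the SSSD code base: a small Python model of a per-domain NSS entry cache with a timeout, a PAM credential cache that is populated only by a successful online login and consulted only when the directory is unreachable, and a front end that treats each domain as its own user namespace. The directory contents, the domain names, the 15-second timeout and the salted-PBKDF2 storage of cached credentials are constructed assumptions, not a description of the SSSD's real cache format.

```python
import hashlib
import hmac
import os


def _derive(password, salt):
    # Cached credentials are kept as a salted PBKDF2 hash, never plaintext (an
    # assumption of this example, not a description of the SSSD's own cache format).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Domain:
    """One user namespace backed by a constructed directory (a dict standing in for an LDAP/FreeIPA server)."""

    def __init__(self, name, users, entry_cache_timeout=15.0):
        self.name, self.users, self.timeout = name, users, entry_cache_timeout
        self.online = True  # set to False to simulate unplugging the network
        self.entries = {}   # NSS entry cache: name -> (passwd line, time cached)
        self.creds = {}     # PAM credential cache: name -> (salt, hash)

    def passwd_entry(self, name, now):
        """Return (passwd line or None, source): 'cache', 'server', 'cache-stale' or 'miss'."""
        cached = self.entries.get(name)
        if cached and now - cached[1] < self.timeout:
            return cached[0], "cache"
        if not self.online:  # backend times out; hand back whatever is cached, even if expired
            return (cached[0], "cache-stale") if cached else (None, "miss")
        rec = self.users.get(name)
        if rec is None:
            return None, "miss"
        line = f"{name}:*:{rec['uid']}:{rec['uid']}:{name}:/home/{name}:/bin/bash"
        self.entries[name] = (line, now)
        return line, "server"

    def authenticate(self, name, password):
        """Return (granted, mode) with mode 'online' or 'offline'."""
        if not self.online:
            rec = self.creds.get(name)  # nothing cached -> deny, never fall open
            if rec is None:
                return False, "offline"
            return hmac.compare_digest(rec[1], _derive(password, rec[0])), "offline"
        rec = self.users.get(name)
        granted = rec is not None and hmac.compare_digest(rec["password"], password)
        if granted:  # refresh the cached credential on every successful online login
            salt = os.urandom(16)
            self.creds[name] = (salt, _derive(password, salt))
        return granted, "online"


class SSSD:
    """Front end over several domains: 'user@domain' picks one namespace, a bare name searches all in order."""

    def __init__(self, domains, clock):
        self.domains, self.clock = domains, clock

    def _select(self, login):
        if "@" in login:
            name, dom = login.rsplit("@", 1)
            return name, [d for d in self.domains if d.name == dom]
        return login, list(self.domains)

    def getent(self, login):
        name, candidates = self._select(login)
        now = self.clock()
        for d in candidates:
            line, source = d.passwd_entry(name, now)
            if line is not None:
                return line, source, d.name
        return None, "miss", None

    def pam_auth(self, login, password):
        name, candidates = self._select(login)
        for d in candidates:
            granted, mode = d.authenticate(name, password)
            if granted:
                return True, mode, d.name
        return False, "denied", None


def run_test_plan():
    """Walk the page's online / cached / offline steps with a manual clock; returns each observation."""
    clock = [0.0]
    corp = Domain("corp", {"alice": {"uid": 10001, "password": "corp-secret"}})
    eng = Domain("eng", {"alice": {"uid": 20001, "password": "eng-secret"},
                         "bob": {"uid": 20002, "password": "bob-secret"}})
    sssd = SSSD([corp, eng], lambda: clock[0])
    out = {}
    out["online_nss"] = sssd.getent("alice")         # served by corp, the first domain
    out["cached_nss"] = sssd.getent("alice")         # immediate repeat hits the cache
    out["qualified_nss"] = sssd.getent("alice@eng")  # same name, separate namespace
    out["online_pam"] = sssd.pam_auth("alice", "corp-secret")
    corp.online = eng.online = False                 # unplug the network ...
    clock[0] += 20                                   # ... and let the 15 s entry cache expire
    out["offline_nss"] = sssd.getent("alice")
    out["offline_pam"] = sssd.pam_auth("alice", "corp-secret")
    out["offline_bad_pw"] = sssd.pam_auth("alice", "wrong")
    out["offline_uncached"] = sssd.pam_auth("bob@eng", "bob-secret")
    return out
```

Calling run_test_plan() gives one observation per step of the test plan. The two results worth checking from a security standpoint are that a user who never logged in while online is refused offline rather than let through, and that an expired entry is still served once the backend is unreachable, which is why the plan tells the tester to wait out the cache timeout before the offline steps.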
The SSSD is being developed alongside the FreeIPA project. Part of its purpose will be to act as an IPA client to enable features such as machine enrollment and machine policy management. SSSD will provide a back-end to the newly redesigned PolicyKit for central management of policy decisions.
Benefit to Fedora
- Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling.
- Desktop developers will have access to the new InfoPipe, allowing them to migrate towards using a more consistent approach for storing and retrieving extended user information.
- The SSSD will simplify enrollment into FreeIPA network domains, as it will provide the FreeIPA client software.
- The design of the SSSD will allow other services such as LDAP, NIS and FreeIPA to take advantage of the caching and offline features.
Scope
Some features of the SSSD are available now as a technology preview. The NSS caching lookups for LDAP authentication are nearly in a working state.
We need to complete the NSS feature, add the PAM, InfoPipe, and PolicyKit features (in descending priority) and complete the IPA client functionality.
Update 3/1/2009:
- NSS and PAM are approaching a testable state.
- InfoPipe is moving forwards, approximately 25% complete.
- PolicyKit support has been deferred.
- We fully expect to be in a testable state by the F11 beta, and complete in time for the release.
Update 3/4/2009:
- NSS and PAM at 95% completion
- InfoPipe at approximately 50-60% completion
- We are on-target for being testable by the F11 beta freeze on March 10th.
Sgallagh 20:00, 4 March 2009 (UTC)
Update 3/6/2009:
- NSS and PAM: 100% completion
- InfoPipe: 80% completion
- Packaging and commandline tools: 80% completion
- We remain on-target for the beta freeze on March 10th.
Sgallagh 16:46, 6 March 2009 (UTC)
Update 3/9/2008 (added late):
- NSS and PAM: 100% completion
- InfoPipe: 100% completion
- Packaging and commandline tools: 100% completion
- Built in rawhide for beta freeze
Sgallagh 11:22, 16 March 2009 (UTC)
Update 4/28/2009:
- InfoPipe was pulled from SSSD starting with 0.3.0 because it was incompatible with the needs of its consumers.
- SSSD at this time consists of the NSS and PAM improvements (Offline Use, Multiple NSS domains, LDAP connection pooling)
Sgallagh 18:36, 28 April 2009 (UTC)
How To Test
Pre-requisites:
- A functioning LDAP and/or FreeIPA authentication server
The following functionality must be tested for use with LDAP servers:
- Install the sssd package
- Configure SSSD to connect to a Fedora Directory Server (on this machine or another). Can also be a FreeIPA server.
- While online (active connection to the Directory Server):
  - Attempt to log into a user provided by the Directory Server. (Online PAM test)
    - User should be authenticated correctly.
  - Perform "time getent pw <LDAP username>" from the shell (Online NSS test)
    - Should return the user's passwd entry within a reasonable amount of time
  - Immediately perform the same command ("time getent pw <LDAP username>") again (Cached NSS test)
    - Should return the user's passwd entry immediately, showing a much faster lookup time
- Disconnect from the network to perform the following tests. Wait until the cache timeout has expired, or these results will be the same as the Cached NSS test.
  - Attempt to log into the same user as above. (Offline cached PAM test)
    - After timeout (default: 15 seconds), the user should be authenticated correctly.
  - Perform the command "time getent pw <LDAP username>" from the shell (Offline cached NSS test)
    - After timeout (default: 15 seconds), the user's NSS data will be returned.
- Test FreeIPA as a PolicyKit back-end
  - Configure a set of PolicyKit rules in the FreeIPA UI
  - While logged in as a FreeIPA user, attempt an action specified by those rules
    - The user should be granted or denied access based on the FreeIPA configuration
- Test InfoPipe features
  - Use provided test client to verify D-BUS API for InfoPipe
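The "Configure SSSD to connect to a Directory Server" step and the offline tests that follow it only mean something if the daemon reaches the directory over an encrypted, certificate-verified channel and credential caching is actually switched on with an expiry. As an added example that is not from this page or from the SSSD project, here is a weak sssd.conf beside a hardened two-domain one, plus a small audit that flags the weak settings before the test plan is run. It assumes the modern sssd.conf key names (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, cache_credentials, entry_cache_timeout, offline_credentials_expiration), which post-date the Fedora 11-era format the page describes; the host names, search bases and CA paths are constructed.

```python
import configparser

# Constructed sample: plaintext LDAP, no certificate check, no credential cache.
WEAK_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds.corp.example
ldap_search_base = dc=corp,dc=example
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
cache_credentials = false
"""

# Constructed sample: LDAPS with a pinned CA, caching on, cached logins expire after 7 days,
# and two domains configured as separate namespaces.
HARDENED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = corp, eng

[pam]
offline_credentials_expiration = 7

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ds.corp.example
ldap_search_base = dc=corp,dc=example
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
ldap_tls_reqcert = demand
cache_credentials = true
entry_cache_timeout = 5400

[domain/eng]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ds.eng.example
ldap_search_base = dc=eng,dc=example
ldap_tls_cacert = /etc/pki/tls/certs/eng-ca.pem
ldap_tls_reqcert = demand
cache_credentials = true
"""

TRUE_VALUES = {"true", "yes", "1"}


def parse_sssd_conf(text):
    # sssd.conf is INI-style; interpolation is off because values may contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of (section, finding) tuples; an empty list means nothing was flagged."""
    cp = parse_sssd_conf(text)
    findings = []
    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in declared:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append((sec, "domain listed in [sssd] but has no section"))
            continue
        uri = cp.get(sec, "ldap_uri", fallback="")
        starttls = cp.get(sec, "ldap_id_use_start_tls", fallback="false").lower() in TRUE_VALUES
        if uri.startswith("ldap://") and not starttls:
            findings.append((sec, "identity lookups over plain ldap:// without START_TLS"))
        # SSSD's default for ldap_tls_reqcert is 'hard'; 'never' and 'allow' accept any certificate.
        if cp.get(sec, "ldap_tls_reqcert", fallback="hard").lower() in ("never", "allow"):
            findings.append((sec, "ldap_tls_reqcert does not require a valid server certificate"))
        if cp.get(sec, "cache_credentials", fallback="false").lower() not in TRUE_VALUES:
            findings.append((sec, "cache_credentials is off: no offline login for this domain"))
    # Default 0 means cached credentials never expire, so a lost laptop keeps working offline forever.
    if cp.getint("pam", "offline_credentials_expiration", fallback=0) == 0:
        findings.append(("pam", "cached credentials never expire (offline_credentials_expiration = 0)"))
    return findings
```

Running audit(WEAK_CONF) reports the plaintext transport, the disabled certificate check, the missing credential cache and the unbounded cache lifetime; audit(HARDENED_CONF) reports nothing. Only the hardened shape makes the Offline cached PAM test above a meaningful result rather than a test of whatever an on-path host chose to answer.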
User Experience
Users will be able to authenticate to their network logons while not connected to the network. Additionally, joining a machine to a FreeIPA domain should be markedly simpler.
Administrators will be able to configure a machine to authenticate against more than one LDAP server/domain.
Dependencies
Additional components of the FreeIPA client will be dependent on this feature; however, they are being developed concurrently and should not be negatively impacted. The SSSD will have dependencies on glibc, D-BUS, libtalloc, libtevent, libtdb and libldb. At the time of this writing, we do not foresee any of these packages affecting our release.
Soft co-dependency on PolicyKit 1.0
Contingency Plan
We will complete the NSS and PAM portions of the SSSD first. If time does not permit completion of the additional components, they will be deferred to Fedora 12. In the unlikely event that the NSS and PAM portions of the SSSD are not ready for Fedora 11, they can be omitted with no harm to the release.
Documentation
Design Document on FreeIPA.org: http://www.freeipa.org/page/IPA_Client_Design_Overview
Release Notes
The SSSD package will install several services on the Fedora system.
- A new NSS module (nss_sss) for the Name Service Switch
- A new PAM module (pam_sss) for authentication
- An NSS provider service that answers NSS requests from the nss_sss module
- A PAM provider service that manages a PAM conversation through the pam_sss
- A data provider front-end service for populating cache data from back-ends
- One or more data provider back-end services for communicating with the network authentication service
Comments and Discussion
- See Talk:Features/SSSD