Edit summary (previous revision): New Feature for Fedora 11 - SSSD
Edit summary (this revision): Fix a few dependency issues, make mention of LDAP connection pooling
Revision as of 19:19, 19 January 2009
Feature Name
System Security Services Daemon (SSSD)
Summary
This project provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis for providing client auditing and policy services for projects like FreeIPA.
Owner
- Name: Stephen Gallagher
- email: sgallagh@redhat.com
Current status
- Targeted release: Fedora 42
- Last updated: January 19, 2009
- Percentage of completion: 25%
Detailed Description
The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, making it easier to centrally manage laptop users.
The LDAP features will also add support for connection pooling. All communication to the LDAP server will happen over a single persistent connection, reducing the overhead of opening a new socket for each request. The SSSD will also add support for multiple LDAP/NIS domains. It will be possible to connect to two or more LDAP/NIS servers acting as separate user namespaces.
An additional feature of the SSSD will be to provide a service on the system D-BUS called InfoPipe. This service will act as a central authority on extended user information such as face browser images, preferred language, etc. This will replace the existing system consisting predominately of hidden configuration files in the user's home directory, which may not be available if the home directory has not yet been mounted by autofs.
The SSSD is being developed alongside the FreeIPA project. Part of its purpose will be to act as an IPA client to enable features such as machine enrollment and machine policy management. SSSD will provide a back-end to the newly redesigned PolicyKit for central management of policy decisions.
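The design sketched above (several account domains as separate namespaces, NSS-style lookups served from a cache, PAM-style authentication that falls back to a cached credential when the directory is unreachable), as an added toy model written for this page rather than SSSD's own code. The `Backend` class, its `online` flag and the sample users are constructed assumptions; the credential cache stores only a salted SHA-256 digest of a password the remote source has just verified, never the plaintext.

```python
import hashlib, hmac, os, time

class Offline(Exception): pass   # backend cannot reach its directory server

class Backend:
    """Constructed stand-in for an LDAP/NIS/IPA account source."""
    def __init__(self, users, online=True):
        self.users, self.online = users, online   # users: {name: (uid, password)}
    def lookup(self, name):
        if not self.online:
            raise Offline
        return self.users[name][0]
    def authenticate(self, name, password):
        if not self.online:
            raise Offline
        entry = self.users.get(name)
        return entry is not None and hmac.compare_digest(entry[1], password)

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()

class Sssd:
    """Front-end: each domain is its own namespace, so (domain, name) is the cache key."""
    def __init__(self, domains, ttl=600):
        self.domains, self.ttl = domains, ttl
        self.id_cache = {}     # (domain, name) -> (uid, fetched_at)
        self.cred_cache = {}   # (domain, name) -> (salt, digest); never the plaintext
    def getpwnam(self, domain, name):
        key, hit = (domain, name), self.id_cache.get((domain, name))
        if hit and time.time() - hit[1] < self.ttl:
            return hit[0]
        try:
            uid = self.domains[domain].lookup(name)
        except Offline:
            if hit:          # serve the stale entry rather than fail while offline
                return hit[0]
            raise
        self.id_cache[key] = (uid, time.time())
        return uid
    def pam_authenticate(self, domain, name, password):
        key = (domain, name)
        try:
            ok = self.domains[domain].authenticate(name, password)
        except Offline:
            cached = self.cred_cache.get(key)
            return bool(cached) and hmac.compare_digest(cached[1], _digest(cached[0], password))
        if ok:   # cache only credentials the remote source has just verified
            salt = os.urandom(16)
            self.cred_cache[key] = (salt, _digest(salt, password))
        return ok
```

A user who has never authenticated while online has nothing in the credential cache, so offline login for that user is refused rather than guessed.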
Benefit to Fedora
- Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling.
- Desktop developers will have access to the new InfoPipe, allowing them to migrate towards using a more consistent approach for storing and retrieving extended user information.
- The SSSD will simplify enrollment into FreeIPA network domains, as it will provide the FreeIPA client software.
- The design of the SSSD will allow other services such as LDAP, NIS and FreeIPA to take advantage of the caching and offline features.
Scope
Some features of the SSSD are available now as a technology preview. The NSS caching lookups for LDAP authentication are nearly in a working state.
We need to complete the NSS feature, add the PAM, PolicyKit and InfoPipe features (in descending priority) and complete the IPA client functionality.
How To Test
To be added. The test plan for this feature will be fairly complex, as it provides several different components that will each require testing.
User Experience
Users will be able to authenticate to their network logons while not connected to the network. Additionally, joining a machine to a FreeIPA domain should be markedly simpler.
Administrators will be able to configure a machine to authenticate against more than one LDAP server/domain.
Dependencies
Additional components of the FreeIPA client will be dependent on this feature; however, they are being developed concurrently and should not be negatively impacted. The SSSD will have dependencies on glibc, D-BUS, libtalloc, libtevent, libtdb and libldb. At the time of this writing, we do not foresee any of these packages affecting our release.
Contingency Plan
We will complete the NSS and PAM portions of the SSSD first. If time does not permit completion of the additional components, they will be deferred to Fedora 12. In the unlikely event that the NSS and PAM portions of the SSSD are not ready for Fedora 11, they can be omitted with no harm to the release.
Documentation
Design Document on FreeIPA.org
Release Notes