From Fedora Project Wiki


SSSD

System Security Services Daemon (SSSD)

Summary

This project provides a set of daemons to manage access to remote directories and authentication mechanisms, it provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.

Owner

Current status

  • Targeted release: Fedora 11
  • Last updated: 2009-04-28
  • Percentage of completion: 100%

Detailed Description

The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, to ease the use of centrally managing laptop users.

The LDAP features will also add support for connection pooling. All communication to the ldap server will happen over a single persistent connection, reducing the overhead of opening a new socket for each request. The SSSD will also add support for multiple LDAP/NIS domains. It will be possible to connect to two or more LDAP/NIS servers acting as separate user namespaces.

An additional feature of the SSSD will be to provide a service on the system D-BUS called InfoPipe. This service will act as a central authority on extended user information such as face browser images, preferred language, etc. This will replace the existing system consisting predominately of hidden configuration files in the user's home directory, which may not be available if the home directory has not yet been mounted by autofs.

The SSSD is being developed alongside the FreeIPA project. Part of its purpose will be to act as an IPA client to enable features such as machine enrollment and machine policy management. SSSD will provide a back-end to the newly redesigned PolicyKit for central management of policy decisions.

Benefit to Fedora

  • Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling.
  • Desktop developers will have access to the new InfoPipe, allowing them to migrate towards using a more consistent approach for storing and retrieving extended user information.
  • The SSSD will simplify enrollment into FreeIPA network domains, as it will provide the FreeIPA client software.
  • The design of the SSSD will allow other services such as LDAP, NIS and FreeIPA to take advantage of the caching and offline features.

Scope

Some features of the SSSD are available now as a technology preview. The NSS caching lookups for LDAP authentication are nearly in a working state.

We need to complete the NSS feature, add the PAM, InfoPipe, and PolicyKit features (in descending priority) and complete the IPA client functionality.

Update 3/1/2009:

  • NSS and PAM are approaching a testable state.
  • InfoPipe is moving forwards, approximately 25% complete.
  • PolicyKit support has been deferred.
  • We fully expect to be in a testable state by the F11 beta, and complete in time for the release.

Sgallagh

Update 3/4/2009:

  • NSS and PAM at 95% completion
  • InfoPipe at approximately 50-60% completion
  • We are on-target for being testable by the F11 beta freeze on March 10th.

Sgallagh 20:00, 4 March 2009 (UTC)

Update 3/6/2009:

  • NSS and PAM: 100% completion
  • InfoPipe: 80% completion
  • Packaging and commandline tools: 80% completion
  • We remain on-target for the beta freeze on March 10th.

Sgallagh 16:46, 6 March 2009 (UTC)

Update 3/9/2008 (added late):

  • NSS and PAM: 100% completion
  • InfoPipe: 100% completion
  • Packaging and commandline tools: 100% completion
  • Built in rawhide for beta freeze

Sgallagh 11:22, 16 March 2009 (UTC)

Update 4/28/2009

  • InfoPipe was pulled from SSSD starting with 0.3.0 because it was incompatible with the needs of its consumers.
  • SSSD at this time consists of the NSS and PAM improvements (Offline Use, Multiple NSS domains, LDAP connection pooling)

Sgallagh 18:36, 28 April 2009 (UTC)

How To Test

Pre-requisites:

  • A functioning LDAP and/or FreeIPA authentication server

The following functionality must be tested for use with LDAP servers:

  • Install the sssd package
  • Configure SSSD to connect to a Fedora Directory Server (on this machine or another). Can also be a FreeIPA server.
  • While online (active connection to the Directory server
    • Attempt to log into a user provided by the Directory Server. (Online PAM test)
      • User should be authenticated correctly.
    • Perform "time getent pw <LDAP username>" from the shell (Online NSS test)
      • Should return the user's passwd entry within a reasonable amount of time
    • Immediately perform the same command ("time getent pw <LDAP username>") again (Cached NSS test)
      • Should return the user's passwd entry immediately, showing a much faster lookup time
  • Disconnect from the network to perform the following tests. Wait until the cache timeout has expired, or these results will be the same as the Cached NSS test.
    • Attempt to log into the same user as above. (Offline cached PAM test)
      • After timeout (default: 15 seconds), the user should be authenticated correctly.
    • Perform the command "time getent pw <LDAP username>" from the shell (Offline cached NSS test)
      • After timeout (default: 15 seconds), the user's NSS data will be returned.
  • Test FreeIPA as a PolicyKit back-end
    • Configure a set of PolicyKit rules in the FreeIPA UI
    • While logged in as a FreeIPA user, attempt an action specified by those rules
      • The user should be granted or denied access based on the FreeIPA configuration
  • Test InfoPipe features
    • Use provided test client to verify D-BUS API for InfoPipe

User Experience

Users will be able to authenticate to their network logons while not connected to the network. Additionally, joining a machine to a FreeIPA domain should be markedly simpler.

Administrators will be able to configure a machine to authenticate against more than one LDAP server/domain.

Dependencies

Additional components of the FreeIPA client will be dependent on this feature, however they are being developed concurrently and should not be negatively impacted. The SSSD will have dependencies on glibc, D-BUS, libtalloc, libtevent, libtdb and libldb. At the time of this writing, we do not foresee any of these packages affecting our release.

Soft co-dependency on PolicyKit 1.0

Contingency Plan

We will complete the NSS and PAM portions of the SSSD first. If time does not permit completion of the additional components, they will be deferred to Fedora 12. In the unlikely event that the NSS and PAM portions of the SSSD are not ready for Fedora 11, they can be omitted with no harm to the release.

Documentation

Design Document on FreeIPA.org

Release Notes

The SSSD package will install several services on the Fedora system.

  • A new NSS module (nss_sss) for the Name Service Switch
  • A new PAM module (pam_sss) for authentication
  • An NSS provider service that answers NSS requests from the nss_sss module
  • A PAM provider service that manages a PAM conversation through the pam_sss
  • A data provider front-end service for populating cache data from back-ends
  • One or more data provider back-end services for communicating with the network authentication service

Comments and Discussion