13.2. Using and Caching Credentials with SSSD
The System Security Services Daemon (SSSD) provides access to different identity and authentication providers.
13.2.1. About SSSD
Most system authentication is configured locally, which means that services must check with a local user store to determine users and credentials. What SSSD does is allow a local service to check with a local cache in SSSD, but that cache may be taken from any variety of remote identity providers — an LDAP directory, an Identity Management domain, Active Directory, possibly even a Kerberos realm.
SSSD also caches those users and credentials, so if the local system or the identity provider go offline, the user credentials are still available to services to verify.
SSSD is an intermediary between local clients and any configured data store. This relationship brings a number of benefits for administrators:
- Reducing the load on identification/authentication servers. Rather than having every client service attempt to contact the identification server directly, all of the local clients can contact SSSD which can connect to the identification server or check its cache.
- Permitting offline authentication. SSSD can optionally keep a cache of user identities and credentials that it retrieves from remote services. This allows users to authenticate to resources successfully, even if the remote identification server is offline or the local machine is offline.
- Using a single user account. Remote users frequently have two (or even more) user accounts, such as one for their local system and one for the organizational system. This is necessary to connect to a virtual private network (VPN). Because SSSD supports caching and offline authentication, remote users can connect to network resources by authenticating to their local machine and then SSSD maintains their network credentials.
Additional Resources
While this chapter covers the basics of configuring services and domains in SSSD, this is not a comprehensive resource. Many other configuration options are available for each functional area in SSSD; check out the man page for the specific functional area to get a complete list of options.
Some of the common man pages are listed in Table 13.1, “A Sampling of SSSD Man Pages”. There is also a complete list of SSSD man pages in the "See Also" section of the
sssd(8)
man page.
Functional Area | Man Page | ||
---|---|---|---|
General Configuration | sssd.conf(8) | ||
sudo Services | sssd-sudo | ||
LDAP Domains | sssd-ldap | ||
Active Directory Domains |
| ||
Identity Management (IdM or IPA) Domains |
| ||
Kerberos Authentication for Domains | sssd-krb5 | ||
OpenSSH Keys |
| ||
Cache Maintenance |
|