2.4. Identity and authentication providers for SSSD
You can connect an SSSD client to external identity and authentication providers, for example an LDAP directory, an Identity Management (IdM) domain, an Active Directory (AD) domain, or a Kerberos realm. The SSSD client then gets access to the remote identity and authentication services through the SSSD provider. You can configure SSSD to use different identity and authentication providers or a combination of them.
Identity and Authentication Providers as SSSD domains
Identity and authentication providers are configured as domains in the SSSD configuration file, /etc/sssd/sssd.conf. The providers are listed in the [domain/name of the domain] or [domain/default] section of the file.
A single domain can be configured as one of the following providers:
- An identity provider, which supplies user information such as UID and GID. Specify a domain as the identity provider by using the id_provider option in the [domain/name of the domain] section of the /etc/sssd/sssd.conf file.
- An authentication provider, which handles authentication requests. Specify a domain as the authentication provider by using the auth_provider option in the [domain/name of the domain] section of /etc/sssd/sssd.conf.
- An access control provider, which handles authorization requests. Specify a domain as the access control provider by using the access_provider option in the [domain/name of the domain] section of /etc/sssd/sssd.conf. By default, the option is set to permit, which always allows all access. See the sssd.conf(5) man page for details.
- A combination of these providers, for example if all the corresponding operations are performed within a single server. In this case, the id_provider, auth_provider, and access_provider options are all listed in the same [domain/name of the domain] or [domain/default] section of /etc/sssd/sssd.conf.
You can configure multiple domains for SSSD. You must configure at least one domain, otherwise SSSD will not start.
Proxy Providers
A proxy provider works as an intermediary relay between SSSD and resources that SSSD would otherwise not be able to use. When using a proxy provider, SSSD connects to the proxy service, and the proxy loads the specified libraries.
You can configure SSSD to use a proxy provider to enable:
- Alternative authentication methods, such as a fingerprint scanner
- Legacy systems, such as NIS
- A local system account defined in the /etc/passwd file as an identity provider and a remote authentication provider, for example Kerberos
Available Combinations of Identity and Authentication Providers
You can configure SSSD to use the following combinations of identity and authentication providers.
Identity Provider | Authentication Provider
---|---
Identity Management [a] | Identity Management
Active Directory | Active Directory
LDAP | LDAP
LDAP | Kerberos
Proxy | Proxy
Proxy | LDAP
Proxy | Kerberos

[a] An extension of the LDAP provider type.
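The following is an added example, not part of the original documentation and not SSSD project code. It ties together the provider options described above (id_provider, auth_provider, access_provider in a [domain/...] section) and the combinations table: it parses a constructed sssd.conf-style text with Python's configparser, checks each domain's identity/authentication pair against the table, and flags domains whose access_provider is absent or set to permit, since that default allows all access. The provider keyword values it uses (ipa for Identity Management, ad for Active Directory, ldap, krb5 for Kerberos, proxy) are the sssd.conf(5) option values rather than the display names in the table; the host names, realm and domain names in the sample are constructed placeholders.

```python
"""Check [domain/...] sections of an sssd.conf-style file against the
supported identity/authentication provider combinations and flag the
permit access_provider default.  Added example; SAMPLE_SSSD_CONF is a
constructed illustration, not a real host's configuration."""
import configparser

# (id_provider, auth_provider) pairs from the combinations table, written
# with the sssd.conf(5) keyword values: ipa = Identity Management (an
# extension of the LDAP provider), ad = Active Directory, krb5 = Kerberos.
SUPPORTED_COMBINATIONS = {
    ("ipa", "ipa"),
    ("ad", "ad"),
    ("ldap", "ldap"),
    ("ldap", "krb5"),
    ("proxy", "proxy"),
    ("proxy", "ldap"),
    ("proxy", "krb5"),
}

# Constructed sample: one LDAP+Kerberos domain with an explicit access
# provider, and one proxy domain (local /etc/passwd identities, Kerberos
# authentication) that relies on the permit default.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com, legacy

[domain/example.com]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
krb5_realm = EXAMPLE.COM

[domain/legacy]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_realm = EXAMPLE.COM
"""


def parse_sssd_conf(text):
    """Return {domain name: {option: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {
        section[len("domain/"):]: dict(cp[section])
        for section in cp.sections()
        if section.startswith("domain/")
    }


def check_domain(name, opts):
    """Return a list of findings (strings) for one domain section."""
    findings = []
    id_p = opts.get("id_provider")
    if id_p is None:
        findings.append(f"{name}: id_provider is not set")
        return findings
    # sssd.conf(5) documents that auth_provider falls back to id_provider
    # when it is not set, so the check mirrors that default.
    auth_p = opts.get("auth_provider", id_p)
    if (id_p, auth_p) not in SUPPORTED_COMBINATIONS:
        findings.append(
            f"{name}: unsupported provider combination id={id_p} auth={auth_p}"
        )
    # The page states that access_provider defaults to permit, which always
    # allows all access; report both an absent option and an explicit permit.
    if opts.get("access_provider", "permit") == "permit":
        findings.append(
            f"{name}: access_provider is 'permit' (the default), "
            "so every authenticated user is allowed access"
        )
    return findings


def check_config(text):
    """Return {domain: [findings]}; SSSD needs at least one domain to start."""
    domains = parse_sssd_conf(text)
    if not domains:
        return {"_config": ["no [domain/...] section is defined; SSSD will not start"]}
    return {name: check_domain(name, opts) for name, opts in domains.items()}


if __name__ == "__main__":
    for domain, findings in check_config(SAMPLE_SSSD_CONF).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"[domain/{domain}] {status}")
```

Running the block reports the example.com domain as ok and the legacy domain with one finding about the permit default; pointing parse_sssd_conf at the text of a real /etc/sssd/sssd.conf (read as root, since the file is normally mode 0600) gives the same review for a live host.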
Additional resources
sssctl utility, your host should be enrolled in Identity Management (IdM) that is in a trust agreement with an Active Directory (AD) forest.