13.2. Using and Caching Credentials with SSSD


The System Security Services Daemon (SSSD) provides access to different identity and authentication providers.

13.2.1. About SSSD

Most system authentication is configured locally, which means that services must check with a local user store to determine users and credentials. SSSD instead allows a local service to check with a local cache in SSSD, and that cache may be taken from any of a variety of remote identity providers: an LDAP directory, an Identity Management domain, Active Directory, possibly even a Kerberos realm.
SSSD also caches those users and credentials, so if the local system or the identity provider goes offline, the user credentials are still available to services to verify.
SSSD is an intermediary between local clients and any configured data store. This relationship brings a number of benefits for administrators:
  • Reducing the load on identification/authentication servers. Rather than having every client service attempt to contact the identification server directly, all of the local clients can contact SSSD, which can connect to the identification server or check its cache.
  • Permitting offline authentication. SSSD can optionally keep a cache of user identities and credentials that it retrieves from remote services. This allows users to authenticate to resources successfully, even if the remote identification server is offline or the local machine is offline.
  • Using a single user account. Remote users frequently have two (or even more) user accounts, such as one for their local system and one for the organizational system. This is necessary to connect to a virtual private network (VPN). Because SSSD supports caching and offline authentication, remote users can connect to network resources by authenticating to their local machine and then SSSD maintains their network credentials.
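
The offline authentication described above is switched on per domain with cache_credentials, and its limits are set in the [pam] section of sssd.conf. The Python check below is an added example, not part of the original documentation: it flags domains whose cached credentials have no offline limits. The sample configuration and domain names are constructed, and the option names are taken from the sssd.conf man page rather than from this page.

```python
import configparser

# Constructed sample sssd.conf; domain names and values are made up for the example.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = corp.example, lab.example

[pam]
offline_failed_login_attempts = 3

[domain/corp.example]
id_provider = ldap
cache_credentials = true

[domain/lab.example]
id_provider = ldap
cache_credentials = false
"""

def audit_offline_cache(conf_text):
    """Return (domain, finding) tuples for enabled domains that cache credentials."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Both limits live in [pam]; the man page documents 0 (the default) as "no limit".
    expiry_days = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    max_failures = cp.getint("pam", "offline_failed_login_attempts", fallback=0)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    findings = []
    for name in filter(None, enabled):
        section = "domain/" + name
        # cache_credentials defaults to false, so a missing key means no cached logins.
        if not cp.getboolean(section, "cache_credentials", fallback=False):
            continue
        if expiry_days == 0:
            findings.append((name, "cached credentials never expire offline"))
        if max_failures == 0:
            findings.append((name, "no limit on failed offline login attempts"))
    return findings

if __name__ == "__main__":
    for domain, finding in audit_offline_cache(SAMPLE_SSSD_CONF):
        print(f"{domain}: {finding}")
```

The check reads only the text it is given; settings placed in separate configuration snippet files would need to be merged in first.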
Additional Resources

While this chapter covers the basics of configuring services and domains in SSSD, this is not a comprehensive resource. Many other configuration options are available for each functional area in SSSD; check out the man page for the specific functional area to get a complete list of options.

Some of the common man pages are listed in Table 13.1, “A Sampling of SSSD Man Pages”. There is also a complete list of SSSD man pages in the "See Also" section of the sssd(8) man page.
Table 13.1. A Sampling of SSSD Man Pages

| Functional Area | Man Page |
|---|---|
| General Configuration | sssd.conf(8) |
| sudo Services | sssd-sudo |
| LDAP Domains | sssd-ldap |
| Active Directory Domains | sssd-ad, sssd-ldap |
| Identity Management (IdM or IPA) Domains | sssd-ipa, sssd-ldap |
| Kerberos Authentication for Domains | sssd-krb5 |
| OpenSSH Keys | sss_ssh_authorizedkeys, sss_ssh_knownhostsproxy |
| Cache Maintenance | sss_cache (cleanup); sss_useradd, sss_usermod, sss_userdel, sss_seed (user cache entry management) |

© 2024 Red Hat, Inc.