SSSD feature design pages
The design of every major change to the SSSD codebase should be discussed before the code is implemented. A design page helps other developers, who will later review the code, understand how the change helps SSSD, the scope of the changes, and how the change would be tested.
Blank template
When writing a design page, please start from the blank template.
Implemented in 2.0.x
Implemented in 1.16.x
- Multiple server addresses or names in kdcinfo files
- Automatic Private Groups for LDAP and AD domains
- Hybrid Private Groups for LDAP and AD domains
- Using the Global Catalog to speed up lookups by ID
- Smartcard authentication - Multiple Certificates on a Smartcard
- Enhanced NSS (Name Service Switch) API
- Generate an access control report for IPA domains
- Kdcinfo files for trusted domains
- Detecting POSIX attributes in Global Catalog using the Partial Attribute Set
- Change password on LDAP server that does not support Password Modify Extended Operation
Implemented in 1.15.x
- Matching and Mapping Certificates
- Trusted domain configuration
- KCM server for SSSD
- Support for non-POSIX users and groups
- Shortnames in trusted domains
- Systemd Activatable Responders
- Fleet Commander Integration
- “Files” data provider to serve contents of /etc/passwd and /etc/group
- Smartcard Authentication - PKINIT
- Smartcards and Multiple Identities
- Socket Activatable Responders
Implemented in 1.14.x
- sss_confcheck tool (deprecated and moved to sssctl)
- Improve config validation
- Data Provider Refactoring
- Config file validation
- Lookup Users by Certificate - Active Directory
- Improve SSSD Performance with a timestamp cache
- Prompting For Multiple Authentication Types
- Secrets Service
- SSSCTL - a CLI tool to control and monitor SSSD
- Invalidate Cached SUDO Rules
- Change format of SYSDB_NAME attribute for users and groups
Implemented in 1.13.x
- Authenticate against cache in SSSD
- D-Bus Interface: Cached Objects
- D-Bus Interface: Domains
- Support for multiple D-Bus interfaces on single object path
- D-Bus Interface: Users and Groups
- DDNS - specify which server to update DNS with
- ID mapping - Automatically assign new slices for any AD domain
- Lookup Users by Certificate
- One way trust support
- OTP Related Improvements
- PAM Conversation for OTP/Two-Factor-Authentication
- Smart Cards
- Smartcard authentication - Step 1 (local authentication)
- Smartcard authentication - Testing with AD
- IPA sudo schema support
- Do not always override home directory with subdomain_homedir value in server mode
- Wildcard refresh through InfoPipe
Implemented in 1.12.x
- Specify the DNS site a client is using
- GPO-Based Access Control
- LDAP provider integration tests
- DBus responder
- Simple D-Bus API wrapper library
- Integrate SSSD with CIFS Client
- Mapping ID provider names to Kerberos principals
- Running SSSD as a non-root user
- ID Mapping calls for the NSS responder
- Allow Kerberos Principals in getpwnam() calls
- OpenLMI provider design
- Restricting the domains a PAM service can auth against
- SSS NFS Client (rpc.idmapd plugin)
Implemented in 1.11.x
Implemented in 1.10.x
Implemented in 1.9.x
Implemented in 1.8.x
Not implemented
- AccountsService takeover
- Async WinBind
- D-Bus Signal: Notify Property Changed
- Kerberos Locator Plugin Redesign
- LDAP Referrals
- Proposal to redesign the memberOf plugin (v1)
- Proposal to redesign the memberOf plugin (v2)
- Code refactoring for the 1.15 release
- Sockets for domains in a multi-tenant setup
- SSSD 2.0
- SUDO integration proposal using sudo policy plugin
- Sudo Plugin Wire Protocol
- User Account Management Consolidation