SSSD - System Security Services Daemon

SSSD is a system daemon. Its primary function is to provide access to local or remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides several interfaces, including NSS and PAM modules or a D-Bus interface.

The primary resources to learn about SSSD or to get involved in its development are:

• Home page
• Bug tracker
• Mailing list for SSSD users discussion
• Mailing list for SSSD development discussion
• GitHub mirror
• GitHub pull requests

Contents:

• Newcomers Guide
  • Getting started with SSSD
• User facing documentation
  • Integrating with a Windows server using the AD provider
  • Integrating with a Windows server using the LDAP provider
  • Frequently Asked Questions
  • Debugging and troubleshooting SSSD
  • Troubleshooting SUDO
  • Migrating from pam_krb5 to sssd
  • How to file a useful SSSD bug report
  • SSSD Releases

• External documentation about SSSD
  • Red Hat documentation
  • Community documentation

• Developer documentation
  • Contribute
  • Coding guidelines
  • Running and developing SSSD tests
  • Release Process for SSSD
  • SSSD Internals
  • Inter-process communication between SSSD processes
  • How does the memory mapped cache work

• SSSD feature design pages
  • Blank template
    • Blank Feature Template
  • Implemented in 2.0.x
    • Certificate mapping and matching rules for all providers
    • Require Smartcard authentication (for local users)
    • Make authentication prompting configurable
  • Implemented in 1.16.x
    • Multiple server addresses or names in kdcinfo files
    • Automatic Private Groups for LDAP and AD domains
    • Hybrid Private Groups for LDAP and AD domains
    • Using the Global Catalog to speed up lookups by ID
    • Smartcard authentication - Multiple Certificates on a Smartcard
    • Enhanced NSS (Name Service Switch) API
    • Generate an access control report for IPA domains
    • Kdcinfo files for trusted domains
    • Detecting POSIX attributes in Global Catalog using the Partial Attribute Set
    • Change password on LDAP server that does not support Password Mofify Extended Operation
  • Implemented in 1.15.x
    • Matching and Mapping Certificates
    • Trusted domain configuration
    • KCM server for SSSD
    • Support for non-POSIX users and groups
    • Shortnames in trusted domains
    • Systemd Activatable Responders
    • Fleet Commander Integration
    • “Files” data provider to serve contents of /etc/passwd and /etc/group
    • Smartcard Authentication - PKINIT
    • Smartcards and Multiple Identities
    • Socket Activatable Responders
  • Implemented in 1.14.x
    • sss_confcheck tool (deprecated and moved to sssctl)
    • Improve config validation
    • Data Provider Refactoring
    • Config file validation
    • Lookup Users by Certificate - Active Directory
    • Improve SSSD Performance with a timestamp cache
    • Prompting For Multiple Authentication Types
    • Secrets Service
    • SSSCTL - a CLI tool to control and monitor SSSD
    • Invalidate Cached SUDO Rules
    • Change format of SYSDB_NAME attribute for users and groups
  • Implemented in 1.13.x
    • Authenticate against cache in SSSD
    • D-Bus Interface: Cached Objects
    • D-Bus Interface: Domains
    • Support for multiple D-Bus interfaces on single object path
    • D-Bus Interface: Users and Groups
    • DDNS - specify which server to update DNS with
    • ID mapping - Automatically assign new slices for any AD domain
    • Lookup Users by Certificate
    • One way trust support
    • OTP Related Improvements
    • PAM Conversation for OTP/Two-Factor-Authentication
    • Smart Cards
    • Smartcard authentication - Step 1 (local authentication)
    • Smartcard authentication - Testing with AD
    • IPA sudo schema support
    • Do not always override home directory with subdomain_homedir value in server mode
    • Wildcard refresh through InfoPipe
  • Implemented in 1.12.x
    • Specify the DNS site a client is using
    • GPO-Based Access Control
    • LDAP provider integration tests
    • DBus responder
    • Simple D-Bus API wrapper library
    • Integrate SSSD with CIFS Client
    • Mapping ID provider names to Kerberos principals
    • Running SSSD as a non-root user
    • ID Mapping calls for the NSS responder
    • Allow Kerberos Principals in getpwnam() calls
    • OpenLMI provider design
    • Restricting the domains a PAM service can auth against
    • SSS NFS Client (rpc.idmapd plugin)
  • Implemented in 1.11.x
    • Adding the ad_access_filter option
    • IPA Server Mode
  • Implemented in 1.10.x
    • Use Active Directory’s DNS sites
    • Active Directory client DNS updates
    • Global Catalog Lookups in SSSD
    • Periodical refresh of expired entries
    • Periodic task API
    • Recognize trusted domains in AD provider
  • Implemented in 1.9.x
    • FastNSSCache
    • Supporting Local Users as members of LDAP Groups for RRFc2307 servers
    • Sub-Domains in SSSD
    • SUDO caching rules
    • SUDO integration
    • SUDO Responder Cache Behaviour
    • SUDO Support to SSSD
  • Implemented in 1.8.x
    • SSSD and automounter integration
    • Multiple LDAP search bases support
  • Not implemented
    • AccountsService takeover
    • Async WinBind
    • D-Bus Signal: Notify Property Changed
    • Kerberos Locator Plugin Redesign
    • LDAP Referrals
    • Proposal to redesign the memberOf plugin (v1)
    • Proposal to redesign the memberOf plugin (v2)
    • Code refactoring for the 1.15 release
    • Sockets for domains in a multi-tenant setup
    • SSSD 2.0
    • SUDO integration proposal using sudo policy plugin
    • Sudo Plugin Wire Protocol
    • User Account Management Consolidation
  • Assorted old (pre-1.8) design documents
    • Backend DNS Helpers
    • Netgroup NSS map support
    • Common SIGCHLD handler

Indices and tables

• Index
• Module Index
• Search Page