Manage your User Identities with sssd
This article explains how desktop users can replace their existing authentication mechanism with SSSD, and how roaming users can stop maintaining multiple accounts. It is primarily a how-to on managing your local or network accounts using SSSD.
The System Security Services Daemon (SSSD) was conceived as a client-side tool for the FreeIPA project. Over time, however, so many features were developed that it was convenient to fork it into an independent project. Let's take a brief tour of SSSD and see how it can be configured effectively on your laptops and workstations.
SSSD is a client-side service daemon; its primary function is to provide authentication through a common framework. It manages communication with centralised identity and authentication servers. Its most visible and promising feature is offline authentication, using cached credentials for network accounts. Until now, especially for roaming profiles, it was necessary to create a local login account for use when not connected to the network. SSSD resolves this problem. It can also manage your local accounts: you can create local users that bypass the traditional /etc/passwd format, and store much more user-related information than just the GECOS fields.
SSSD is available in Red Hat family distributions such as Fedora and RHEL (and its derivatives), and in other distros such as Debian and Ubuntu. Fedora is the primary development platform, so bleeding-edge development builds are first available in Fedora. Some of the feature highlights are:
- The tool has been integrated to use SSSD, and can now be used to configure SSSD trivially. An example is provided later in this article.
- You can do away with /etc/passwd and /etc/shadow for local accounts, and use commands from the sssd-tools package to create local accounts that store your password in ldb format, leaving the /etc/passwd file exclusively for system accounts.
- SSSD can be configured to use LDAP for identity and LDAP for authentication.
- SSSD can be configured to use LDAP for identity and Kerberos for authentication.
- SSSD is SELinux compatible, and should be used with SELinux in enforcing mode.
- It is IPv6 compatible: IPv4 and IPv6 records are looked up from the identity provider before a connection is established.
- It has an access control list to filter users and groups.
- It can use fully qualified names to differentiate users between domains, which means that if you have multiple domains configured in the same sssd.conf, then you can set the directive
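As an added example (not taken from the article), here is a minimal sssd.conf that combines the points above: LDAP identity with Kerberos authentication, cached credentials for offline logins, a simple access filter on groups, and fully qualified names for a multi-domain setup. The realm, hostnames, search base and group names are assumed placeholders.

```ini
# /etc/sssd/sssd.conf (constructed example; must be owned by root, mode 0600,
# or sssd refuses to start)
[sssd]
config_file_version = 2
services = nss, pam
# Two domains; users are addressed as user@corp.example.com / user@lab.example.com
domains = corp.example.com, lab.example.com

[nss]
filter_users = root
filter_groups = root

[pam]
# Allow cached logins for 7 days while off the network
offline_credentials_expiration = 7

[domain/corp.example.com]
id_provider = ldap
auth_provider = krb5
# Identity lookups over TLS only; reject unverifiable server certificates
ldap_uri = ldaps://ldap.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
ldap_tls_reqcert = demand
krb5_server = kdc.corp.example.com
krb5_realm = CORP.EXAMPLE.COM
# Store a hash of the password after a successful online login for offline use
cache_credentials = true
# Access control: only members of these groups may log in on this host
access_provider = simple
simple_allow_groups = laptop-users, sysadmins
# Needed so that identical usernames in both domains stay distinct
use_fully_qualified_names = true
enumerate = false

[domain/lab.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.lab.example.com
ldap_search_base = dc=lab,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/lab-ca.pem
ldap_tls_reqcert = demand
krb5_realm = LAB.EXAMPLE.COM
cache_credentials = true
access_provider = simple
simple_allow_groups = lab-staff
use_fully_qualified_names = true
```

With cache_credentials enabled, a password is only cached after it has been verified online once, so a never-seen user cannot log in offline; keep the file's permissions tight, since the cached hashes live under /var/lib/sss/db.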