© Nikita Sobolkov, 123RF.com

The System Security Services Daemon

Detached

Article from ADMIN 09/2012
By
The current version of the System Security Services Daemon (SSSD) lets you evaluate sudo rules centrally on an LDAP server, even if the LDAP server is inaccessible.

While I was having lunch with a colleague recently, conversation turned to the topic of SSSD and new features in Fedora 17. We also talked about sudo integration and other useful functions. Just to remind you: SSSD (System Security Services Daemon [1]) is the client-side daemon that handles communications between clients and centralized directory services.

Various authentication mechanisms can be used for this; on the client side, communication goes through the classic PAM and NSS interfaces. On the back end, different providers handle, for example, communication with an LDAP or FreeIPA server [2].

The good thing about this setup is that authentication for a client will still work if the central back end server is not available. Of course, this can happen if the server crashes, but the cause is often much more trivial. For example, roaming users who do not always have a network connection for their laptops will obviously not always be able to communicate with a central directory service.

SSSD uses a local cache to store authentication information. If a user wants to log in to the system while the central back-end server is unavailable, the login still works because the information is taken from the SSSD cache. The /etc/sssd/sssd.conf configuration file defines precisely how this cache can be used. For example, the offline_credentials_expiration parameter defines how long the cached data remains valid while the back-end server is unreachable.

The offline_failed_login_attempts instruction ensures that a user cannot make an arbitrary number of attempts to guess another user's password. Once the integer defined here has been exceeded, the attacking user is then blocked for the time defined in the offline_failed_login_delay

...
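The following sssd.conf fragment is an added example, not configuration from the article or the SSSD project; it shows where the cache parameters described above live and how they combine with the cache_credentials and sudo settings that make offline operation possible. The domain name, server URI, search bases and the numeric values are placeholders chosen for illustration.

```ini
# Added example (not from the article): minimal /etc/sssd/sssd.conf with the
# offline-cache settings discussed above. Domain, URI and search bases are
# assumed placeholders.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[pam]
# Cached credentials remain usable for 7 days without contact to the server
# (unit: days; 0 means they never expire).
offline_credentials_expiration = 7
# After 3 failed offline login attempts the user is locked out of offline
# authentication (0 means no limit) ...
offline_failed_login_attempts = 3
# ... for 10 minutes (unit: minutes).
offline_failed_login_delay = 10

[domain/example.com]
id_provider = ldap
auth_provider = ldap
# sudo rules are fetched from LDAP and cached, so they are still evaluated
# while the server is unreachable.
sudo_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
# Required for offline logins: keep a hashed copy of the credentials locally.
cache_credentials = True
```

Two checks worth making after editing the file: cache_credentials must be enabled in the domain section, otherwise the [pam] expiration and lockout settings have nothing to act on; and the file must be owned by root with mode 0600, since sssd refuses to start when the configuration is readable by other users.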