SSSD: System Security Services Daemon


Slide 1: SSSD (System Security Services Daemon)

Slide 2
● Manages communication with centralized identity and authentication stores
● Provides robust, predictable caching for network accounts
● Can cache authentication credentials locally to allow local updates
● Can handle multiple domains of user data and authentication

Slide 3: SSSD Use Cases
Corporate laptop
● Traditional problem: users maintain a separate local account on the laptop to log into when out of the office
● With SSSD providing cached credentials, the user can keep the same account (UID and all) when logging in remotely
Datacenter
● Datacenters that require highly-available authentication can take advantage of SSSD's caching to ride out temporary internal service outages (such as an LDAP or Kerberos server outage)

Slide 4: Identity lookups without SSSD (diagram labels: Client, Network Boundary, Identity Server, Authentication Server)

Slide 5: Identity lookups with SSSD (diagram labels: Client, SSSD with NSS Responder, PAM Responder and Cache, a Domain Provider made up of an Identity Provider and an Auth Provider, Network Boundary, Identity Server, Authentication Server)

Slide 6: SSSD Data Providers (diagram labels: Client, SSSD with NSS Responder, PAM Responder and Cache, Domain Provider 1, Domain Provider 2, ... Domain Provider N, each with its own Identity Provider and Auth Provider, each reaching across the Network Boundary to its own Identity Server and Auth Server)

Slide 7: Traditional Authentication (diagram labels: Client Request, NSS to Directory 1, Directory 2, ... Directory N, PAM to Auth 1, Auth 2, ... Auth N)

Slide 8: (photo) Copyright Dbarefoot, used under Attribution-NonCommercial License

Slide 9: SSSD Authentication (diagram with the same labels as slide 7: Client Request, NSS, PAM, Directory 1, Directory 2, ... Directory N, Auth 1, Auth 2, ... Auth N)

Slide 10: Improvements over nscd and pam_ccreds
Compared with nscd:
● SSSD user and group cache expiration is more predictable
● When cached in the SSSD, user identity entries will not expire while offline
● SSSD operates closer to the backends, so it can be aware of backend-specific temporary failures that nscd would report as missing entries
Compared with pam_ccreds:
● SSSD can be configured to perform offline expiration of cached credentials (requiring clients to 'check in' with the central server regularly)
● SSSD will inform the user when authenticating with cached credentials, and will warn of approaching offline expiration

Slide 11: Differences from traditional authentication
● SSSD requires the use of transport layer encryption when performing simple bind authentication against LDAP (LDAPS, TLS or GSSAPI)
● SSSD enforces a one-to-one relationship between user identities and authentication services
● Offline authentication against a Kerberos server can be configured to automatically perform a kinit when the server becomes available

Slide 12: What's new in SSSD 1.5?
● Full support for FreeIPA v2
● Support for netgroups: the LDAP provider can now return nisNetgroup attributes for nsswitch lookups
● Kerberos FAST protocol can be used on supported platforms
● Improved LDAP access-control provider with support for shadow and authorizedService
● Group allow-/deny-lists for the "simple" access provider
● Improved DNS-based discovery support

Slide 13: SSSD and FreeIPA v2
Support for FreeIPA's host-based access control (HBAC)
● Access is granted or denied centrally for users and groups of users to FreeIPA-managed hosts and hostgroups
● HBAC rules are cached for offline use
● Support for HBAC time rules (future feature for FreeIPA v2.1)
Support for FreeIPA migration mode
● SSSD can facilitate the migration of passwords from a classic LDAP server to FreeIPA's Kerberos
● Migration mode is configured on the FreeIPA server and can be turned on or off centrally
Client host enrollment with the FreeIPA server
● The host keytab obtained at enrollment is used both to encrypt all communication to the FreeIPA server and to validate that it originated from a recognized host

Slide 14: To Infinity and Beyond
Developer environment
● Build custom identity and authentication backends
Better Active Directory support
● Integrate with Active Directory using winbind
InfoPipe
● Advanced authentication interface over the D-Bus system bus
● Provide access to extended directory information such as keyboard and language preferences

Slide 15: Configuration
Basic configuration can be most easily managed with authconfig
● Version or later of authconfig
● Properly configures the following standard configuration files for use with SSSD:
  ● /etc/nsswitch.conf
  ● /etc/pam.d/system-auth
  ● /etc/pam.d/password-auth
  ● /etc/sssd/sssd.conf
  ● /etc/krb5/krb5.conf (when using Kerberos for auth)
SSSD 1.2.x supports LDAP for identities and either LDAP or Kerberos for authentication

Slide 16: Advanced Configuration
Many more complicated configuration settings are available; advanced options can be set manually in /etc/sssd/sssd.conf. For a complete listing of these options, see:
● sssd.conf(5)
● sssd-ldap(5)
● sssd-krb5(5)
Options that may be of interest:
● enumerate – Whether to allow a complete listing of all users in a domain. Default: False
● ldap_tls_reqcert – How strict SSSD should be when validating the certificate for an LDAP server
● krb5_store_password_if_offline – Whether to store a user's password (securely) until the SSSD becomes online. When this occurs, the SSSD will perform a kinit on behalf of the user with this password to acquire a TGT
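As an added example (not code from the slides or from the SSSD project), the following script reads a domain section of sssd.conf and flags the settings slides 11 and 16 call attention to: cleartext identity lookups, a lax ldap_tls_reqcert, enumerate, krb5_store_password_if_offline and the implicit "permit" access provider. The two sample configurations are constructed; ldap_id_use_start_tls and ldap_sasl_mech are real sssd-ldap(5) options that the slides do not mention.

```python
"""Added example: lint an sssd.conf for the hardening points made on the slides."""
import configparser

# Constructed sample domain sections (not from the slides): lax vs. hardened.
WEAK_CONF = """[domain/example.test]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.test
ldap_tls_reqcert = allow
enumerate = True
krb5_store_password_if_offline = True
"""
HARDENED_CONF = """[domain/example.test]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.test
ldap_tls_reqcert = demand
access_provider = simple
simple_allow_groups = admins
"""

def lint(conf_text):
    """Return {section: [findings]} for every [domain/...] section in conf_text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    report = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom, findings = cfg[section], []
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",")]
        # SSSD itself insists on TLS for the simple bind (slide 11), but identity
        # lookups over ldap:// stay cleartext unless StartTLS or GSSAPI is configured.
        if any(u.startswith("ldap://") for u in uris) and not (
                dom.getboolean("ldap_id_use_start_tls", fallback=False)
                or dom.get("ldap_sasl_mech", "").upper() == "GSSAPI"):
            findings.append("identity lookups travel over cleartext ldap://")
        # Default is 'hard'; weaker values tolerate a missing or unverifiable server cert.
        if dom.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append("ldap_tls_reqcert weaker than demand/hard")
        if dom.getboolean("enumerate", fallback=False):
            findings.append("enumerate = True allows listing every user in the domain")
        if dom.getboolean("krb5_store_password_if_offline", fallback=False):
            findings.append("offline passwords are kept until the KDC is reachable again")
        if dom.get("access_provider", "permit").lower() == "permit":
            findings.append("access_provider unset or permit: any authenticated user logs in")
        report[section] = findings
    return report
```

Run `lint(WEAK_CONF)` and `lint(HARDENED_CONF)` to compare the two; the hardened section produces no findings.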

Slide 17: Identity Providers
LDAP
● Supports LDAP servers using RFC2307 or RFC2307bis schema
● SSSD 1.2 supports users and groups
● Upcoming versions will also support netgroups
IPA
● Support for the upcoming FreeIPA v2 identity store
● Uses (and requires) GSSAPI/KRB5-encrypted communication with the FreeIPA LDAP server
Proxy
● Can support identity data from an existing nameservice library, e.g. nss_nis.so.2
● Requires additional configuration of the nameservice library

Slide 18: Authentication Providers
LDAP
● Password authentication through LDAP simple bind
KRB5
● Password authentication through the Kerberos protocol
● Authentication through this backend will perform a kinit and acquire a Kerberos ticket-granting ticket for network single sign-on
IPA
● Password authentication to FreeIPA through the Kerberos protocol, or through LDAP simple bind (during password migration only)
● Can handle password migrations from LDAP to FreeIPA
Proxy
● Invokes a custom PAM stack to perform authentication against a traditional PAM module (or series of modules)

Slide 19: Access Providers
Permit
● Always allows access to any user that succeeded at authentication
● Default if no access_provider is specified
Deny
● Always denies access, regardless of authentication success
Simple
● Grants access to users in a list
LDAP
● Grants access to users whose user entry matches a particular LDAP search query
IPA
● Grants access based on complex host-based access control (HBAC) rules configured on a FreeIPA server
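As an added example (not from the slides or the SSSD code base), this models the decision the "simple" access provider makes once the 1.5 group lists from slide 12 are configured. The evaluation order is the one documented in sssd-simple(5) and is assumed here rather than taken from the slides: any deny match wins, a non-empty allow list makes membership mandatory, and deny-only lists admit everyone not listed. The domain section and users are constructed.

```python
"""Added example: model of the 'simple' access provider's allow/deny decision."""
import configparser

# Constructed domain section (not from the slides) using the 1.5 group lists.
SAMPLE_DOMAIN = """[domain/example.test]
access_provider = simple
simple_allow_groups = admins, ops
simple_deny_users = contractor1
simple_deny_groups = disabled
"""

def _csv(section, option):
    """Split a comma-separated list option into a set of names (absent -> empty set)."""
    return {v.strip() for v in section.get(option, "").split(",") if v.strip()}

def load_simple_lists(conf_text, domain):
    """Return (allow_users, allow_groups, deny_users, deny_groups) for one domain."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    dom = cfg["domain/" + domain]
    return tuple(_csv(dom, opt) for opt in (
        "simple_allow_users", "simple_allow_groups",
        "simple_deny_users", "simple_deny_groups"))

def simple_access(user, user_groups, lists):
    """Decide access as sssd-simple(5) documents it (assumed, not from the slides):
    every list empty -> grant; any deny match wins; if an allow list is set the user
    must match it; deny-only lists grant everyone who is not listed."""
    allow_users, allow_groups, deny_users, deny_groups = lists
    groups = set(user_groups)  # assumed already resolved to a flat membership list
    if user in deny_users or groups & deny_groups:
        return False
    if allow_users or allow_groups:
        return user in allow_users or bool(groups & allow_groups)
    return True

if __name__ == "__main__":
    lists = load_simple_lists(SAMPLE_DOMAIN, "example.test")
    # Constructed users: admin, ops member in a disabled group, denied contractor, outsider.
    for user, groups in [("alice", ["admins"]), ("bob", ["ops", "disabled"]),
                         ("contractor1", ["ops"]), ("carol", ["users"])]:
        print(user, simple_access(user, groups, lists))
```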

Slide 20: Chpass Providers
LDAP
● Change password using the password change extended operation of the LDAP protocol
KRB5
● Change password through the Kerberos protocol to a kadmin server
Proxy