8.3. SSSD

SSSD (System Security Services Daemon) offers access to remote identity and authentication mechanisms, referred to as providers. SSSD allows these providers to be configured as SSSD back-ends, abstracting the actual (local and network) identity and authentication sources. It also allows any kind of identity data provider to be plugged in. A domain is a database containing user information, which can serve as the source of a provider’s identity information. Multiple identity providers are supported, allowing two or more identity servers to act as separate user namespaces. Collected information is available to applications on the front-end through standard PAM and NSS interfaces.

SSSD runs as a suite of services, independent of the applications that use it. Those applications therefore no longer need to make their own connections to remote domains, or even be aware of which is being used. Robust local caching of identity and group membership information allows operations regardless of where identity comes from (e.g., LDAP, NIS, IPA, DB, Samba, and so on), offers improved performance, and allows authentication to be performed even when operating offline and online authentication is unavailable. SSSD also allows the use of multiple providers of the same type (e.g., multiple LDAP providers) and allows domain-qualified identity requests to be resolved by those different providers. Further details can found in the Red Hat Enterprise Linux 6 Deployment Guide.