13.2. Using and Caching Credentials with SSSD
13.2.1. About SSSD
- Reducing the load on identification/authentication servers. Rather than having every client service attempt to contact the identification server directly, all of the local clients can contact SSSD, which can connect to the identification server or check its cache.
- Permitting offline authentication. SSSD can optionally keep a cache of user identities and credentials that it retrieves from remote services. This allows users to authenticate to resources successfully, even if the remote identification server is offline or the local machine is offline.
- Using a single user account. Remote users frequently have two (or even more) user accounts, such as one for their local system and one for the organizational system. This is necessary to connect to a virtual private network (VPN). Because SSSD supports caching and offline authentication, remote users can connect to network resources by authenticating to their local machine; SSSD then maintains their network credentials.
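Offline authentication means SSSD keeps password hashes on the local disk, so it is worth checking which domains enable it and whether cached logins are bounded. The following audit script is an added example, not part of the original guide. It assumes the `cache_credentials`, `offline_credentials_expiration` and `offline_failed_login_attempts` options described in sssd.conf(5), and the sample configuration is constructed.

```python
import configparser

# Constructed sample sssd.conf (domain names and values are placeholders).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.com, lab.example.com

[pam]
offline_failed_login_attempts = 3

[domain/example.com]
id_provider = ldap
cache_credentials = true

[domain/lab.example.com]
id_provider = ldap
"""

def audit_offline_auth(conf_text):
    """Return findings about offline (cached-credential) logins in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Only domains listed in [sssd] "domains" are active.
    active = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    # cache_credentials defaults to false, so a missing option means no caching.
    caching = [d for d in active
               if cp.getboolean(f"domain/{d}", "cache_credentials", fallback=False)]
    findings = []
    if not caching:
        return findings  # no credential hashes cached, offline login not possible
    for d in caching:
        findings.append(f"{d}: cache_credentials enabled, password hashes kept in local cache")
    # [pam] limits apply to every domain; both default to 0, meaning no limit.
    if cp.getint("pam", "offline_credentials_expiration", fallback=0) == 0:
        findings.append("pam: offline_credentials_expiration unset or 0, cached logins never expire")
    if cp.getint("pam", "offline_failed_login_attempts", fallback=0) == 0:
        findings.append("pam: offline_failed_login_attempts unset or 0, unlimited offline guesses")
    return findings

if __name__ == "__main__":
    for line in audit_offline_auth(SAMPLE_CONF):
        print(line)
```

To audit a real host, pass the contents of its SSSD configuration file to `audit_offline_auth()` instead of the constructed sample.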
While this chapter covers the basics of configuring services and domains in SSSD, this is not a comprehensive resource. Many other configuration options are available for each functional area in SSSD; check out the man page for the specific functional area to get a complete list of options.
Table 13.1. A Sampling of SSSD Man Pages
|Functional Area|Man Page|
|---|---|
|Active Directory Domains| |
|Identity Management (IdM or IPA) Domains| |
|Kerberos Authentication for Domains|sssd-krb5|
|OpenSSH Keys| |
|Cache Maintenance| |