SSSD connects a Linux system to central identity stores (IdM, AD, LDAP)
All information is cached locally for offline use
Advanced integration with IdM and AD, integration with Linux (SUDO, SELinux, 2FA)
Modules Evolution
pam_pkcs11 is abandoned (upstream decision)
nss_ldap and pam_ldap will be removed in the next major release; bug fixes only in RHEL 8
SSSD introduces the Kerberos Credential Manager service
Authselect
Brand new tool replacing authconfig
Main motivation: the administrator no longer builds a PAM stack with a tool (potentially ending up with a broken configuration), but instead selects a tested PAM profile
Other motivations: authconfig was a dated component (initiated back in 1999), with no Python 3 support and a deprecated GUI (Python 2.7 support will reach EOL in 2020)
Benefits
Properly tested profiles – lower risk of lock out
Clarity and quality – profiles are easy to read, modify and test
Custom profiles – allows the administrator to create and ship their own profiles in /etc/authselect/custom
Smaller footprint, written in C
Scope: configures authentication and identity resources
Generates /etc/nsswitch.conf and PAM configuration from selected profile
Does not configure the actual PAM modules; that is done by ipa-client-install, realmd, Ansible
Compatibility: for applications, scripts and kickstarts that were relying on authconfig, there is now a wrapper around authselect
It translates calls to authconfig into calls to authselect
Not all options are supported but the main ones are
Not all options are supported but the main ones are
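The custom-profile workflow described above, as an added example that is not part of the original page: it creates a profile under /etc/authselect/custom based on the stock sssd profile, selects it, and runs authselect's own consistency check. The profile name corp-sssd, the with-mkhomedir feature choice, the CUSTOM_DIR override and the name-validation rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumptions: the profile name "corp-sssd" and the feature choice are
# hypothetical; CUSTOM_DIR is overridable only so the logic can be tested.
PROFILE="${PROFILE:-corp-sssd}"
FEATURE="${FEATURE:-with-mkhomedir}"
CUSTOM_DIR="${CUSTOM_DIR:-/etc/authselect/custom}"

# Site policy (our own rule, stricter than authselect requires): only plain
# names, so a profile can never point outside CUSTOM_DIR.
valid_profile_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the custom profile from the tested sssd base if it does not exist.
ensure_custom_profile() {
    valid_profile_name "$1" || { echo "bad profile name: $1" >&2; return 2; }
    if [ -d "$CUSTOM_DIR/$1" ]; then
        return 0
    fi
    authselect create-profile "$1" -b sssd
}

# Select the profile (this regenerates nsswitch.conf and the PAM files),
# then let authselect verify that the generated files are intact.
# No --force is passed: if the existing configuration was not produced by
# authselect, the select step fails and should be reviewed by a person.
activate_profile() {
    ensure_custom_profile "$1" || return $?
    authselect select "custom/$1" "$2" || return $?
    authselect check
}

# Runs only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    activate_profile "$PROFILE" "$FEATURE"
fi
```

Run it as root with `--apply`; `authselect current` afterwards shows the selected profile and enabled features.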