Home_greyopenFATE - openSUSE feature tracking > #310176
Dashboard | Search | Sign up | Login

Please login or register to be able to edit or vote this feature.

Switch to sssd for LDAP/Kerberos authentication

Feature state



Because of the various issues we face with nss_ldap/pam_ldap (see e.g. Bug #477061, Bug #157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of (in addition to) nss_ldap/pam_ldap/pam_kerberos.

sssd packages are already available for 11.3. We still need to add support for it in pam-config.



packages: sssd


icons/user_comment.png A. J. wrote: (8 years ago)

Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in Fate #308902.

icons/user_comment.png A. J. wrote: (8 years ago)

Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed.

icons/user_comment.png R. H. wrote: (8 years ago)

sssd support has now been implemented in pam-config (starting with Version  0.77)

icons/user_comment.png A. J. wrote: (8 years ago)

It also tracks changes in glibc to fix Bug #621454 and Bug #477061.

icons/user_comment.png B. S. wrote: (8 years ago)

Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers?

icons/user_comment.png M. E. wrote: (8 years ago)

It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules.

icons/user_comment.png R. H. wrote: (8 years ago)

Please note that the YaST related changes are tracked in Fate #308902

icons/user_comment.png A. J. wrote: (8 years ago)

Marcus, please schedule a security review of sssd.

Are there any comments for the evaluation of this feature from the security team?

icons/user_comment.png M. M. wrote: (7 years ago)

Sorry, I missed the NEEDINFO.

I now opened an AUDIT tracking bug, we will review.

icons/user_comment.png J. S. wrote: (7 years ago)

For 11.4, Feature #308902 (sssd support in YaST) was implemented and made a default option instead of pam_ldap/nss_ldap. Therefor I think this one is also finished.

Last change: 2 years ago
Loading tags...
Feature Export
Application-xmlXML   Text-x-logPlaintext   PrinterPrint