RHEL8 Identity

SSSD

• SSSD connects Linux system to central identity stores (IdM, AD, LDAP)
• All information is cached locally for offline use
• Advanced integration with IdM and AD, integration with Linux (SUDO, SELinux, 2FA)

Modules Evolution

• pam_pkcs11 is abandoned (upstream decision)
• nss_ldap & pam_ldap will be removed in next major release, bug fix only in RHEL 8
• SSSD introduces Kerberos Credential Manager service

Authselect

• Brand new tool replacing authconfig
  • Main motivation: administrator no longer builds a PAM stack by a tool (potentially ending with broken configuration), but rather selects a tested PAM profile
  • Other motivations: authconfig was a dated component (initiated back in 1999), with no Python 3 support and deprecated GUI (Python 2.7 will EOL support in 2020)

• Benefits
  • Properly tested profiles – lower risk of lock out 
  • Clarity and quality – profiles are easy to read, modify and test
  • Custom profiles – allows administrator to create and ship own profiles in /etc/authselect/custom
  • Smaller footprint, written in C
• Scope: configures authentication and identity resources
  • Generates /etc/nsswitch.conf and PAM configuration from selected profile
  • Does not configure actual PAM modules, done by ipa-client-install, realmd, Ansible
• Compatibility: for applications, scripts and kickstarts that were relaying on the authconfig, there is now a wrapper around authselect
  • It is translating calls to authconfig into calls to authselect
  • Not all options are supported but the main ones are