SSSD
- SSSD connects a Linux system to central identity stores (IdM, AD, LDAP)
- All information is cached locally for offline use
- Advanced integration with IdM and AD, integration with Linux (SUDO, SELinux, 2FA)

Modules Evolution
- pam_pkcs11 is abandoned (upstream decision)
- nss_ldap & pam_ldap will be removed in the next major release; bug fixes only in RHEL 8
- SSSD introduces Kerberos Credential Manager service

Authselect
- Brand new tool replacing authconfig
- Main motivation: the administrator no longer builds a PAM stack with a tool (potentially ending up with a broken configuration), but instead selects a tested PAM profile
- Other motivations: authconfig was a dated component (initiated back in 1999), with no Python 3 support and a deprecated GUI (Python 2.7 support reaches EOL in 2020)

- Benefits
  - Properly tested profiles – lower risk of lockout
  - Clarity and quality – profiles are easy to read, modify and test
  - Custom profiles – allows the administrator to create and ship their own profiles in /etc/authselect/custom
  - Smaller footprint, written in C
- Scope: configures authentication and identity resources
  - Generates /etc/nsswitch.conf and PAM configuration from the selected profile
  - Does not configure the actual PAM modules; that is done by ipa-client-install, realmd, Ansible
- Compatibility: for applications, scripts and kickstarts that were relying on authconfig, there is now a wrapper around authselect
  - It translates calls to authconfig into calls to authselect
  - Not all options are supported, but the main ones are
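
An added example (not from the original slides): a POSIX shell check that compares a host's selected authselect profile and features with an expected baseline, using `authselect check` and `authselect current --raw`. The baseline values (`sssd` with `with-faillock` and `with-mkhomedir`) and the function names `audit_raw` and `audit_host` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit authselect state against a baseline.
# The baseline below is an assumption; set it to your site's standard.
EXPECTED_PROFILE="sssd"
EXPECTED_FEATURES="with-faillock with-mkhomedir"

# audit_raw "<profile> <feature>..."  (the format of `authselect current --raw`)
# Prints one finding per deviation. Returns 0 on exact match, 1 on drift,
# 2 when no profile is selected at all.
audit_raw() {
    set -- $1                      # split into profile + features
    if [ $# -eq 0 ]; then
        echo "FAIL: no authselect profile selected"
        return 2
    fi
    profile=$1; shift
    rc=0
    if [ "$profile" != "$EXPECTED_PROFILE" ]; then
        echo "FAIL: profile is '$profile', expected '$EXPECTED_PROFILE'"
        rc=1
    fi
    for want in $EXPECTED_FEATURES; do
        case " $* " in
            *" $want "*) ;;
            *) echo "FAIL: missing feature $want"; rc=1 ;;
        esac
    done
    for have in "$@"; do
        case " $EXPECTED_FEATURES " in
            *" $have "*) ;;
            *) echo "WARN: unexpected feature $have"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_host: run the same comparison against the live system.
audit_host() {
    command -v authselect >/dev/null 2>&1 ||
        { echo "SKIP: authselect not installed"; return 3; }
    # `authselect check` exits non-zero when the existing configuration is
    # not a valid authselect configuration (e.g. files changed by hand).
    authselect check >/dev/null 2>&1 ||
        { echo "FAIL: configuration is not a valid authselect state"; return 1; }
    audit_raw "$(authselect current --raw 2>/dev/null)"
}

# Constructed sample input; pass --live to audit the real host instead.
if [ "${1:-}" = "--live" ]; then audit_host; else audit_raw "sssd with-mkhomedir" || true; fi
```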