SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

Similar documents
MIT Kerberos & Red Hat

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

FreeIPA Cross Forest Trusts

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

Updates from MIT Kerberos

Using samba base libraries SSSD as an example application

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

Florence Blanc-Renaud Senior Software Engineer - Identity Management - Red Hat

Henry B. Hotz Jet Propulsion Laboratory California Institute of Technology. Kerberos 5 Upgrade

FreeIPA - Control your identity

Directory Services. MacSysAdmin 2012

Cross-realm trusts with FreeIPA v3

Factotum Sep. 24, 2007

Red Hat Enterprise Linux 7

SAS Grid Manager and Kerberos Authentication

Understanding the Local KDC

The Directory Schema Is Not Accessible Because The Logon Attempt Failed

Red Hat Enterprise Linux 7

Hardware Tokens in META Centre

The Kerberos Authentication Service

Red Hat Enterprise Linux 7

Identity Management Scaling Out and Up

The System Security Services Daemon (SSSD) explained

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

The Evolution of the NFS Protocol:

GSI Online Credential Retrieval Requirements. Jim Basney

KERBEROS PARTY TRICKS

Radius, LDAP, Radius used in Authenticating Users

Developing Microsoft Azure Solutions (70-532) Syllabus

Linux authentication using the System Security Services Daemon (SSSD) explained

Linux with Active Directory

FreeIPA - Control your identity

Document Type: Best Practice

Develop and test Web authentication with containers

CS615 - Aspects of System Administration. Multiuser Fundamentals

Lustre Client GSS with Linux Keyrings

Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain

Client Certificates Are Going Away

Novell Kerberos Login Method for NMASTM

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Practical Steps Implementing Red Hat Identity Management Solution David Sirrine Senior Technical Account Manager, Red Hat Jerel Gilmer SEC June 29,

Kerberos and NFS4 on Linux. isginf Workshop

Guide to Windows 2000 Kerberos Settings

Samba4: War Stories. Andrew Bartlett Samba Team / Red Hat

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

ArcGIS for Server: Administration and Security. Amr Wahba

SA1 CILogon pilot - motivation and setup

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

RED HAT ENTERPRISE LINUX: ACTIVE DIRECTORY - CLIENT INTEGRATION OPTIONS

GSS Context Management for NFS: The NFS PAG. William A. (Andy) Adamson Connectathon 2014

Developing Microsoft Azure Solutions (70-532) Syllabus

Samba and Chrome OS the Start of a beautiful Friendship

Escape from the Identity crisis with FreeIPA

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

SDC EMEA 2019 Tel Aviv

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Erlang and Thrift for Web Development

Securing ArcGIS Services

Securing ArcGIS Server Services An Introduction

aehostd The PAM/NSS service for Æ-DIR

Integrating the RHCI Suite with IdM

Andrew Bartlett Hawker College

Setting Up Identity Management

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Identity Management: Unicorn or Gorgon?

Configuration Guide. BlackBerry UEM. Version 12.9

NFSv4 Multi-Domain Access. Andy Adamson Connectathon 2010

TIBCO Spotfire Connecting to a Kerberized Data Source

Using the MyProxy Online Credential Repository

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Network Security: Kerberos. Tuomas Aura

jamf Nation - London Roadshow

Change Schema Active Directory Password Mac Users Can't

User Authentication Principles and Methods

How to Integrate an External Authentication Server

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Atrium Webinar- What's new in ADDM Version 10

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

BlackBerry UEM Configuration Guide

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Our Active Directory Schema Snap In 2008 R2

Oracle Big Data Cloud Service, Oracle Storage Cloud Service, Oracle Database Cloud Service

2010 Kerberos Conference

Developing Microsoft Azure Solutions (70-532) Syllabus

The Important Details Of Windows Authentication

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

Publishing Enterprise Web Applications to BYOD using a Granular. Trust Model. Shachaf Levi IT Client Security & Connectivity May 2013.

Red Hat Enterprise Linux 8.0 Beta

Fall 2010/Lecture 32 1

Cloudera ODBC Driver for Apache Hive

Samba in Business. John H Terpstra

TLS Client Certificate and Smart Card Logon

VMware AirWatch On-Premises Certificate Authority Guide

Windows Authentication With Multiple Domains and Forests

Transcription:

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

ABOUT ME AND THE TALK I'm a developer working for Red Hat, mostly on SSSD Twitter: @JakubHrozek Github: https://github.com/jhrozek/fosdem2018 This talk is about SSSD, but (hopefully) not about the known parts

TALK TOPICS Several topics, the talk might be fast please get in touch for more details about any topic SSSD APIs Local user handling Smart card management (for local users) Kerberos ticket management

SSSD APIS TALKING TO SSSD FROM AN APP

SSSD API USE-CASES Many applications implement some sort of an "LDAP driver" or an "LDAP connector" typically app-specific code, not reusable The job is not as easy as it might sound Server discovery, affinity, fail over, caching, different schemas SSSD is a "domain expert", let's leverage it!

HOW DOES ONE TALK TO SSSD API vs. plugin SSSD already provided several plugins for system APIs NSS - getent passwd $user -> getpwnam(3) -> _nss_sss_getpwnam Nontrivial to call directly, only through the system API Somewhat inflexible, e.g. getpwnam(3) can only return "struct passwd"

TALKING TO SSSD DIRECTLY D-Bus API Pros: many language bindings, type-safe, signals (notifications), introspection Cons: Requires a system bus, some language bindings not that great Currently used by several applications like ManageIQ, Keycloak, mod_lookup_identity,... Would some other API be more appealing to a project? REST perhaps? ldapi://?

DEMO TIME D-Bus API example compared to raw Python Keep in mind the raw Python script doesn't to caching, failover, service discovery,... Two D-Bus examples https://github.com/jhrozek/fosdem2018/tree/master/dbus-api The OO one is more verbose but more flexible as well all objects are represented with a path regardless of how was the object found signals (notifications)

MANAGING LOCAL USERS SSSD AND /ETC/{PASSWD,GROUP}

MOTIVATION Faster NSS API access without nscd Leverage the same APIs for local and remote users Additional attributes Smart cards for local users separate section later

CURRENT STATUS Caching enabled in Fedora since F-26 https://fedoraproject.org/wiki/changes/sssdcacheforlocalusers sssd is running by default /etc/passwd and group are mirrored into sssd on-disk cache any request triggers putting the user or group entry into mmap-ed cache without nscd or sssd, a request would trigger opening and parsing the files Pros: Interoperates easily with other SSSD domains, unlike nscd Cons: SSSD is "fatter" than nscd, requires modifications to nsswitch.conf passwd: sss files This doesn't require sssd to be running, though!

FUTURE DEVELOPMENT Improve the smart card integration for local users More on this later in this presentation.. Enable extending the SSSD database with extra attributes Currently the 'sss_override' tool can be used to add certs, but there's no general API Extend the D-Bus API to enable user database modifications probably backed by libuser? Implement the https://www.freedesktop.org/wiki/software/accountsservice/ API to get a consistent API for local and remote users Hopefully will happen this year...

SMART CARDS WITH SSSD FOR LOCAL AND REMOTE USERS

DISCLAIMER I'm not a Smart Cards expert The previous Jakub is https://fosdem.org/2018/schedule/event/smartcards_in_linux/ https://www.youtube.com/watch?v=x2mpba45uvc Not even expert in this part of SSSD Nonetheless, let's illustrate the state

CURRENT STATE Traditionally, pam_pkcs11 had been used lot of features, stable also dead upstream.. doesn't build against recent OpenSSL, was removed from Fedora SSSD in the meantime gained support primarily for remote users FreeIPA/IDM + AD trusts is the main scenario match or list user(s) against a certificate stored in the directory "local" authentication with the help of the keys on the smart card or Kerberos PKINIT UsableFunctional for local users as well already

SMART CARDS FOR LOCAL USERS Several manual configuration changes needed now SSSD must be serving users from local files Works with anything that implements the pkcs11 interface the demo is using a Yubikey The user database must augmented with the certificate pam_sss, not pam_unix must be handling authentication Should work in a user-friendly manner in Fedora-29

DEMO TIME Smart card authentication with SSSD and a local user

SSSD-KCM LET SSSD HANDLE YOUR KRB5 TICKETS

WHERE'S MY TICKET? Any successful Kerberos authentication yields a "ticket" KDC initial authentication (kinit) -> TGT service authentication -> service ticket A blob that must be stored in a credential cache Several options FILE, DIR, KEYRING, KCM...

KCM AND SSSD-KCM KCM is not our idea Comes from the Heimdal Kerberos distribution, circa 2005 The credentials are handled by a daemon All the other credential cache types are "passive" The application (e.g. kinit) is a client, KCM daemon is a server Client talks to the KCM server over a UNIX socket At the moment, Heimdal implements both server and client, MIT only the client you can mix and match, though

KCM CCACHE BENEFITS Stateful renewals, notifications, cleanup of expired caches or on logout... Credentials are not written to disk Better suited for containers UNIX socket can be selectively shared between containers or container and host The KCM deamon is subject to namespacing (root in container vs. root on host) Do people use Kerberos with containers, though?

SSSD-KCM SSSD-KCM is an implementation of the KCM server reuses a lot of SSSD code, but doesn't need the rest of SSSD systemctl enable sssd-kcm.socket should be enough planning to use some private SSSD APIs for advanced features (notifications,...) Default Kerberos cache in Fedora since F-27 some open bugs, though.. Feature-wise equivalent to other ccache types, more improvements planned for F-29 renewals notifications...and more

MORE RESOURCES SSSD upstream design page: https://docs.pagure.org/sssd.sssd/design_pages/kcm.html MIT documentation http://k5wiki.kerberos.org/wiki/projects/kcm_client

QUESTIONS? THANK YOU FOR LISTENING!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback