Reference URL: http://blog.sina.com.cn/s/blog_588c88cb0100ywoh.html
SSSD (System Security Services Daemon) is a daemon newly added in Red Hat Enterprise Linux 6 that can access a variety of authentication servers, such as LDAP and Kerberos, and provide authorization. SSSD sits between local users and the identity store: a local client first connects to SSSD, and SSSD then contacts the external provider (the remote server).
There are several advantages to doing so:
1. It avoids every local client program opening its own connections to the authentication server. All local programs talk only to SSSD, which either connects to the authentication server or answers from its cache, which noticeably reduces the load.
2. It allows offline authentication. SSSD can cache the credentials of users from the remote server, so even if the remote authentication server goes down, users can still be authenticated and granted access to the resources they need.
SSSD needs no special setup to run; the service starts on its own once you have finished configuring it with system-config-authentication.
The default SSSD configuration file is /etc/sssd/sssd.conf. You can make SSSD run with a specified configuration file with the command:
# sssd -c /etc/sssd/customfile.conf
The configuration file format is as follows: one "keyword = value" per line, grouped under sections:
#####################################################
##  [section]                                      ##
##  key1 = value1                                  ##
##  key2 = value2, value3                          ##
#####################################################
Managing the SSSD process
service sssd start    (start the service)
service sssd stop     (stop the service)
Use the authconfig command to turn on SSSD: # authconfig --enablesssd --update
Use the systemctl command to turn on SSSD: # systemctl enable sssd
Summary: in short, when an RHEL6 host connects to an LDAP or Kerberos authentication server, it is SSSD that first connects to the server to obtain the authentication and authorization information, and then hands it to the local client program.
Reference URL: http://www.myhack58.com/article/48/66/2015/64247.htm
SSSD is software that replaces the traditional LDAP and AD client modules, and is simple to configure.
This article describes how to deploy SSSD on an LDAP client to enable LDAP authentication.
- Install SSSD
yum install sssd
yum remove pam_ldap samba*
Install SSSD, and uninstall pam_ldap and the Samba-related packages.
- Configure /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, ntp, proxy, root, smmsp, smmta, sshd, sync, sys, syslog, uucp, whoopsie, www-data, dw_adm

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
debug_level = 1
ldap_uri = ldaps://ldap.vip
#ldap_uri = ldaps://10.8.8.8, ldaps://10.8.8.9
ldap_search_base = dc=example,dc=com
#ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = gafn01n0w
ldap_tls_reqcert = never
ldap_id_use_start_tls = True
ldap_netgroup_search_base = ou=netgroup,ou=example.com,ou=services,dc=example,dc=com?one?
ldap_user_search_base = ou=people,dc=example,dc=com?sub?organizationalstatus=active
ldap_group_search_base = ou=group,dc=example,dc=com?sub?
enumerate = False
entry_cache_timeout = 5400
ldap_uri points to your LDAP server, by domain name or IP address. You can also configure multiple domains, but in general a single one is enough.
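As an added check (example code written for this page, not from either referenced post), the following Python script parses an sssd.conf like the one above with configparser and flags the settings a defender should review: ldap_tls_reqcert set to anything other than demand/hard (as the configuration above does), a plain ldap:// URI without StartTLS, and a clear-text bind password. The sample configuration and its placeholder password are constructed.

```python
import configparser

# Constructed sample, modelled on the page's [domain/LDAP] section; the
# bind password is a placeholder, not a real credential.
WEAK_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.vip
ldap_tls_reqcert = never
ldap_default_bind_dn = uid=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-ME
cache_credentials = True
"""

def audit_sssd(text):
    """Return one finding string per weak transport/credential setting found."""
    # strict=False tolerates the duplicate keys that hand-edited sssd.conf files often carry.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    domains = cp.get("sssd", "domains", fallback="")
    for dom in (d.strip() for d in domains.split(",") if d.strip()):
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(sec + ": listed in [sssd] domains but has no section")
            continue
        d = cp[sec]
        if d.get("id_provider", "").lower() != "ldap":
            continue
        uris = [u.strip().lower() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        # Plain ldap:// without StartTLS sends the bind password and lookups in the clear.
        if any(u.startswith("ldap://") for u in uris) and not starttls:
            findings.append(sec + ": ldap:// URI without ldap_id_use_start_tls = True")
        # 'demand'/'hard' (the default) validate the server certificate; anything else does not.
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append(sec + ": ldap_tls_reqcert = " + d["ldap_tls_reqcert"] + " skips certificate validation")
        # A clear-text bind password means the file itself must be root-only (mode 0600).
        if d.get("ldap_default_authtok"):
            findings.append(sec + ": ldap_default_authtok stored in clear text; keep sssd.conf mode 0600")
    return findings
```

Run audit_sssd() over the text of /etc/sssd/sssd.conf; an empty list means none of the three checks fired.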
- Configure /etc/nsswitch.conf
After configuring sssd.conf, configure /etc/nsswitch.conf to tell the Name Service Switch where to look up the user who is logging in:
passwd:   files sss
shadow:   files sss
group:    files sss
netgroup: files sss
"files sss" means: look first in /etc/passwd, /etc/group and so on, and if the entry is not found there, query the sss module.
- Modify /etc/nscd.conf
As a final step, if the nscd service is running, disable its passwd, group and netgroup caches:
enable-cache passwd no
enable-cache group no
enable-cache netgroup no
- Finally, start the SSSD service
/etc/init.d/sssd start
sssd: System Security Services Daemon