PAM vs LDAP vs SSSD vs Kerberos

login pam ldap kerberos sssd
14,324

The sssd daemon acts as the spider in the web, controlling the login process and more. The login program communicates with the configured pam and nss modules, which in this case are provided by the SSSD package. These modules communicate with the corresponding SSSD responders, which in turn talk to the SSSD Monitor. SSSD looks up the user in the LDAP directory, then contacts the Kerberos KDC for authentication and to aquire tickets.

(PAM and NSS can also talk to LDAP directly using pam_ldap and nss_ldap respectively. However SSSD provides additional functionality.)

Of course, a lot of this depends on how SSSD has been configured; there lots of different scenarios. For example, you can configure SSSD to do authentication directly with LDAP, or authenticate via Kerberos.

The sssd daemon does not actually do much that cannot be done with a system that has been "assembled by hand", but has the advantage that it handles everything in a centralised place. Another important benefit of SSSD is that it caches the credentials, which eases the load on servers and makes it possible to go offline and still login. This way you don't need a local account on the machine for offline authentication.

Share:
14,324

Related videos on Youtube

tfh
Author by

tfh

Knee deep into scala, akka, play & slick

Updated on September 18, 2022

Comments

  • tfh
    tfh almost 2 years

    I am basically aware of what these services do separate from each other. What I want to know: what exactly happens on a successful login in a linux based network that uses all of these services? In which order these services are consulted? What service talks to what service?

  • tfh
    tfh over 7 years
    Quite surprising to see that sssd seems to be the coordinator of the process. I thought that would be the task of PAM as it abstracts over implementation details.
  • user2066657
    user2066657 almost 5 years
    Yeah, but the devs of SSSD decided to reinvent 'coordination' ... mostly. It follows the old unix adage of "do everything, mostly okay".

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

LDAP/Pam: No passwd entry for user while getent passwd shows all LDAP users
How do I clear a user's cached Active Directory password on CentOS 7?
pam_sss access denied with kerberos authentication ok
Linux AD integration, unable to login when using Windows Server 2012 DC
SSSD Kerberos Authentication vs AD
Fedora 21 pam_sss authentication failure - permission denied
Apply changes to PAM changes
sssd vs nslcd for RHEL-5/6
Troubles with sssd and Active Directory Integration
kinit & pam_sss: Cannot find KDC for requested realm while getting initial credentials