sssd vs nslcd for RHEL-5/6

redhat ldap pam nss sssd
193

Solution 1

sssd is probably the more "forward thinking" option to go with. To that extent, the other answers are correct. That said, sssd does not completely supersede the features of nslcd, contrary to popular opinion.

The primary (situational) advantage of nslcd over sssd is that you can write a custom authz query with parameter substitution:

   pam_authz_search FILTER
          This option allows flexible fine tuning of the authorisation check that should be performed. The search filter specified is executed and if  any  entries
          match, access is granted, otherwise access is denied.

          The  search  filter can contain the following variable references: $username, $service, $ruser, $rhost, $tty, $hostname, $dn, and $uid.  These references
          are substituted in the search filter using the same syntax as described in the section on attribute mapping expressions below.

          For example, to check that the user has a proper  authorizedService  value  if  the  attribute  is  present:  (&(objectClass=posixAccount)(uid=$username)
          (|(authorizedService=$service)(!(authorizedService=*))))

          The default behaviour is not to do this extra search and always grant access.

The last time I checked the sssd docs (within the last six months), there was still no replacement for this capability. So it really depends on whether this feature is important enough to put aside the benefits of sssd's consolidated solution.

Solution 2

I would prefer an environment with the same software and configuration as much as possible, unless people say that sssd is really better for RH-6 and nscd/nslcd is really better for RH-5.

SSSD is the future and you get Kerberos auth & better compatibility with AD if that's your LDAP server for instance.

Otherwise I don't see any reason not to use nslcd, it works fine in my environment assuming you're using a new enough version that it supports nested groups - see the "nss_nested_groups" option (assuming you use them, otherwise you should be fine).

Solution 3

SSSD is the future and much more powerful than nslcd.

SSSD can provide additional features like SSO in offline machines, so you can as example, use SSSD in Notebook Workstations and the users will be able to login through the Single Sigo-On Daemon even without connection with the authentication server.

There's no reason to implement nslcd and all the dependencies that nslcd requires with sssd in the game.

And finally, SSSD is a Fedora Hosted project. So it should play nicely with RHEL.

Additional information can be found in the website: http://fedoraproject.org/wiki/Features/SSSD

There's a plenty of AD, LDAP, and multiple authentication backends howtos on the web.

Share:
193

Related videos on Youtube

Big Cat Public Safety Law
Author by

Big Cat Public Safety Law

Updated on September 18, 2022

Comments

  • Big Cat Public Safety Law
    Big Cat Public Safety Law almost 2 years

    In my C++ game program, how do I write a function that accepts an input per turn from a bot running on a separate thread? The function should update the game state immediately upon receiving the input but will wait no more than x seconds.

    I am aware of conditional variables but is not aware of how to set a time limit for the thread that is waiting on the bot?

  • Andrew B
    Andrew B over 10 years
    I'm going to have to downvote this for saying that there is "no" reason to use nslcd. Unless you've exhaustively researched documentation and confirmed that one presents an entirely superior featureset (which is incorrect in this case) or can identify a significant design flaw for production environment use, that tends to be an irresponsible generalization.
  • Tcharl
    Tcharl over 2 years
    NSLCD is not maintained anymore whereas SSSD is. The only feature NSLCD provides that SSSD don't is host caching.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I log on my linux machine with my Active Directory credentials?
Fedora 21 pam_sss authentication failure - permission denied
What is nsswitch compat mode?
Understand PAM and NSS
PAM vs LDAP vs SSSD vs Kerberos
Is anyone using access.conf and netgroup authentication with sssd?
Where are passwords stored?
LDAP/Pam: No passwd entry for user while getent passwd shows all LDAP users
Why is sssd an unrecognized service, even though it is installed and can be restarted?
Restrict ssh login from LDAP to users who have a /home directory