sssd vs nslcd for RHEL-5/6
Solution 1
sssd is probably the more "forward thinking" option to go with. To that extent, the other answers are correct. That said, sssd does not completely supersede the features of nslcd, contrary to popular opinion.
The primary (situational) advantage of nslcd over sssd is that you can write a custom authz query with parameter substitution:
pam_authz_search FILTER
This option allows flexible fine tuning of the authorisation check that should be performed. The search filter specified is executed and if any entries
match, access is granted, otherwise access is denied.
The search filter can contain the following variable references: $username, $service, $ruser, $rhost, $tty, $hostname, $dn, and $uid. These references
are substituted in the search filter using the same syntax as described in the section on attribute mapping expressions below.
For example, to check that the user has a proper authorizedService value if the attribute is present: (&(objectClass=posixAccount)(uid=$username)
(|(authorizedService=$service)(!(authorizedService=*))))
The default behaviour is not to do this extra search and always grant access.
The last time I checked the sssd docs (within the last six months), there was still no replacement for this capability. So it really depends on whether this feature is important enough to put aside the benefits of sssd's consolidated solution.
Solution 2
I would prefer an environment with the same software and configuration as much as possible, unless people say that sssd is really better for RH-6 and nscd/nslcd is really better for RH-5.
SSSD is the future and you get Kerberos auth & better compatibility with AD if that's your LDAP server for instance.
Otherwise I don't see any reason not to use nslcd, it works fine in my environment assuming you're using a new enough version that it supports nested groups - see the "nss_nested_groups" option (assuming you use them, otherwise you should be fine).
Solution 3
SSSD is the future and much more powerful than nslcd.
SSSD can provide additional features like SSO in offline machines, so you can as example, use SSSD in Notebook Workstations and the users will be able to login through the Single Sigo-On Daemon even without connection with the authentication server.
There's no reason to implement nslcd and all the dependencies that nslcd requires with sssd in the game.
And finally, SSSD is a Fedora Hosted project. So it should play nicely with RHEL.
Additional information can be found in the website: http://fedoraproject.org/wiki/Features/SSSD
There's a plenty of AD, LDAP, and multiple authentication backends howtos on the web.
Related videos on Youtube
![Big Cat Public Safety Law](https://i.stack.imgur.com/mLCl2.jpg?s=256&g=1)
Big Cat Public Safety Law
Updated on September 18, 2022Comments
-
Big Cat Public Safety Law almost 2 years
In my C++ game program, how do I write a function that accepts an input per turn from a bot running on a separate thread? The function should update the game state immediately upon receiving the input but will wait no more than x seconds.
I am aware of conditional variables but is not aware of how to set a time limit for the thread that is waiting on the bot?
-
Andrew B over 10 yearsI'm going to have to downvote this for saying that there is "no" reason to use nslcd. Unless you've exhaustively researched documentation and confirmed that one presents an entirely superior featureset (which is incorrect in this case) or can identify a significant design flaw for production environment use, that tends to be an irresponsible generalization.
-
Tcharl over 2 yearsNSLCD is not maintained anymore whereas SSSD is. The only feature NSLCD provides that SSSD don't is host caching.