#50: Adding SSSD client bits to Fedora base image
-----------------------------+---------------------
Reporter: adelton | Owner: kanarip
Type: task | Status: new
Priority: major | Milestone:
Component: kickstart pool | Keywords:
Blocked By: | Blocking:
-----------------------------+---------------------
= phenomenon =
Hello,
we are working on an SSSD container for Atomic Host:
https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2015-September/msg00086.html
It allows SSSD (the daemon) plus the configuration tools (ipa-client-install,
realm) to be in a container, but for other containers to be able to use it
for resolution of user identities or authentication, NSS and PAM libraries
that are able to talk to the SSSD container via Unix sockets are needed.
= background analysis =
The libraries that I consider essential are
/usr/lib64/libnss_sss.so.2
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/security/pam_sss.so
The package that contains them is sssd-client and it has two dependencies,
libsss_idmap and libsss_nss_idmap. The total size as reported by dnf in a
fedora:22 container is
Total download size: 284 k
Installed size: 336 k
= implementation recommendation =
Could these packages be added to Fedora base image? It would make it much
easier to deploy images built from the base image with SSSD's Unix socket
directory bind-mounted and NSS and PAM would automatically be able to use
remote user identities (from FreeIPA, Active Directory, or possibly other
backends supported by SSSD), without any explicit changes needed in the
layered images.
The SSSD container can also serve as a plugin for sudo via
/usr/lib64/libsss_sudo.so, but the dependencies of sssd-common, where it is
distributed, would add 5.6 M when installed, and I believe having out-of-box
support for remote sudo rules is not that critical -- if the layered image
uses sudo, it can add it explicitly.
--
Ticket URL: <https://fedorahosted.org/spin-kickstarts/ticket/50>
spin-kickstarts <https://fedorahosted.org/spin-kickstarts/>
Kickstarts that the Spin SIG reviews, tests, maintains and releases (as a package).
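An added example, not part of the ticket or of the spin-kickstarts project: a POSIX shell check that a layered image root actually carries the three client libraries the ticket names and that nsswitch.conf routes passwd and group lookups through sss, so identities served by the SSSD container would be visible. The socket directory path var/lib/sss/pipes is an assumption (the ticket only says "SSSD's Unix socket directory"), as is running the check against an image root other than /.

```shell
#!/bin/sh
# Readiness check for a layered image that is meant to consume user
# identities from a separate SSSD container over bind-mounted Unix sockets.

# The three libraries the ticket lists as essential (paths relative to ROOT).
SSS_CLIENT_LIBS="usr/lib64/libnss_sss.so.2 \
usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so \
usr/lib64/security/pam_sss.so"

# Assumed SSSD pipe directory that the container would bind-mount in.
SSS_PIPES_DIR="var/lib/sss/pipes"

# check_sss_client ROOT
# Prints one ok/missing line per finding and returns 0 only when every
# library is present, nsswitch lists sss for passwd and group, and the
# socket directory exists. ROOT defaults to / (the running system).
check_sss_client() {
    root="${1:-/}"
    rc=0
    for lib in $SSS_CLIENT_LIBS; do
        if [ -f "$root/$lib" ]; then
            echo "ok: $lib"
        else
            echo "missing: $lib"
            rc=1
        fi
    done
    conf="$root/etc/nsswitch.conf"
    for db in passwd group; do
        # Accept "sss" anywhere after the database name, e.g. "passwd: files sss".
        if grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$conf" 2>/dev/null; then
            echo "ok: nsswitch $db uses sss"
        else
            echo "missing: nsswitch $db does not list sss"
            rc=1
        fi
    done
    if [ -d "$root/$SSS_PIPES_DIR" ]; then
        echo "ok: $SSS_PIPES_DIR present"
    else
        echo "missing: $SSS_PIPES_DIR not mounted"
        rc=1
    fi
    return $rc
}
```

Run it as `check_sss_client /path/to/image/root` from a build host, or with no argument inside the running container.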