On 04/12/2010 01:56 PM, Stephen John Smoogen wrote:
> On Mon, Apr 12, 2010 at 11:46 AM, Stephen Gallagher <firstname.lastname@example.org> wrote:
>> On 04/12/2010 01:35 PM, Stephen John Smoogen wrote:
>>> On Mon, Apr 12, 2010 at 11:13 AM, Stephen Gallagher <email@example.com> wrote:
>>> I'm trying to figure out how to do a little PR around the SSSD (the
>>> System Security Services Daemon). I've been tracking mentions of it
>>> around the web with Google Alerts and in the last few weeks, there have
>>> been several dozen hits... all in the Ubuntu context -_-
>>> So I'm looking for advice on how to draw attention to the fact that this
>>> is a Fedora project. And moreover, works better on Fedora, since we have
>>> authconfig making setup a breeze.
>>> The SSSD is an advertised Feature for Fedora 13:
>>> http://fedoraproject.org/wiki/Fedora_13_Talking_Points#System_Security_Services_Daemon_.28SSSD.29
>>> My main concern is that most of the chatter that Google Alerts has been
>>> picking up has been leading back to blogs written about the Ubuntu
>>> package of SSSD (which is an older version than what is available in
>>> Fedora and also has no UI for configuring it).
>>>> OK, let's look at the following:
>>>> 1) What does it do?
>> We're targeting it as a replacement for nss_ldap, pam_ldap and pam_krb5.
>> The main idea is that it handles cached authentication. Its target is
>> mainly for larger Fedora deployments that use centralized
>> authentication. Within this group, there are two main use-cases we're
>> 1) Laptop users. With the SSSD, there's no longer a need to maintain a
>> separate local user account. You will be able to sign in with your
>> centrally-managed account even when not connected to the LDAP/Kerberos
>> server. The SSSD caches credentials so that if the server is
>> unavailable, the user can still gain access to their local machine.
>> 2) Datacenter servers that rely on LDAP and/or Kerberos for
>> authentication will be able to survive authentication outages.
>>>> 2) How does it work?
>> Quite well, thank you
>>>> 3) Why should I be excited about it?
>> In the case of a laptop user, no more managing two sets of passwords to
>> get into your system. Plus, with Kerberos, if you log in online, it will
>> automatically use your login credentials to acquire your Kerberos
>> ticket-granting ticket for access to network credentials. (And if you're
>> offline, integration with krb5-auth-dialog will make sure you can easily
>> acquire that ticket when you go online)
>>>> 4) Can we make a video that shows this all to put up on the tubes somewhere?
>> I'm not sure what we can do for a video. I suppose we could record a
>> Fedora 13 install, setting up the SSSD with authconfig during firstboot
>> and then demonstrating how it works by simulating offline behavior with
>> 'service [network|Network Manager] stop'
> A) Does it have a gui? Show off the gui
Starting in Fedora 13, the authconfig UI (aka
system-config-authentication) has been completely redesigned, and will
now configure the SSSD.
> B) Show two systems.. one with it and one without it. Take it off
> networking or (for the corporate IT person who needs to show their
> boss... take it off vpn..) log into both.. which one works.. which one
> doesn't. Do a 'time' elapsed cut to 2-3 days later when the ticket no
> longer is valid.. log into both... do you get locked out of both?
> Tada... extra security for the stolen laptop.
We could do that pretty easily. Although the latter feature is one that
isn't configured in the UI. We CAN set it so that after N days it
disallows logins, but that requires manually editing the config file.
But yes, it would be added security (just not useful for the 90% case,
so we left it out of the UI)
marketing mailing list
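
The last reply notes that disallowing offline logins after N days is possible only by editing the config file by hand. As an added example (not part of the thread and not SSSD project code), this Python check flags an sssd.conf that caches credentials with no such limit. It assumes the relevant options are `cache_credentials` in each domain section and `offline_credentials_expiration` (in days) in `[pam]`, as documented in sssd.conf(5); the sample configs and the `EXAMPLE` domain are constructed.

```python
import configparser

# Constructed sample configs (not from the thread). Option names are assumed
# from sssd.conf(5): cache_credentials and offline_credentials_expiration.
LAPTOP_DEFAULT = """
[sssd]
services = nss, pam
domains = EXAMPLE

[pam]

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
cache_credentials = True
"""

# Same config with offline logins refused 3 days after the last online login.
LAPTOP_HARDENED = LAPTOP_DEFAULT.replace(
    "[pam]\n", "[pam]\noffline_credentials_expiration = 3\n")


def audit_offline_logins(text):
    """Return findings for domains whose cached credentials never expire offline."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    # An unset value or 0 means no limit on offline logins.
    raw = cfg.get("pam", "offline_credentials_expiration", fallback="0")
    try:
        days = int(raw)
    except ValueError:
        return [f"[pam] offline_credentials_expiration is not an integer: {raw!r}"]
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        caches = cfg.getboolean(section, "cache_credentials", fallback=False)
        if caches and days <= 0:
            findings.append(
                f"{section}: cached credentials allow offline login indefinitely")
    return findings


if __name__ == "__main__":
    for name, sample in (("default", LAPTOP_DEFAULT), ("hardened", LAPTOP_HARDENED)):
        print(name, audit_offline_logins(sample) or "ok")
```
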