Introduction to FreeIPA Integration

SSSD is a key client-side component of the FreeIPA (also known as Red Hat Identity Management in RHEL, or simply IPA) architecture. SSSD runs on both IPA servers and IPA clients and is used to:

  • Retrieve and cache data stored in the IPA LDAP database, including:

    • User and group identity information

    • Sudo rules

    • HBAC (Host-Based Access Control) rules

    • SSH Keys

    • Automount maps

    • SELinux user maps

    • Netgroups

  • Perform authentication with IPA services like IPA’s embedded Kerberos server/KDC

  • Allow IPA user authentication through the pam_sss PAM module

  • Provide automated client service discovery and failover

  • Perform dynamic DNS updates
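
As an added illustration (not part of the original page and not a configuration shipped by the SSSD or FreeIPA projects), the sssd.conf sketch below shows which sssd-ipa options correspond to the items in the list above. The domain example.test and the host names client1 and ipa1 are placeholders.

```ini
# Constructed example; example.test, client1 and ipa1 are placeholders.
[sssd]
domains = example.test
# Responders that expose the cached IPA data to the local system
services = nss, pam, sudo, ssh, autofs

[domain/example.test]
# Users, groups and netgroups from the IPA LDAP database
id_provider = ipa
# Kerberos authentication against the IPA KDC (reached through pam_sss)
auth_provider = ipa
chpass_provider = ipa
# HBAC rules are evaluated at login
access_provider = ipa
# Sudo rules, automount maps and SELinux user maps
sudo_provider = ipa
autofs_provider = ipa
selinux_provider = ipa

ipa_domain = example.test
ipa_hostname = client1.example.test
# _srv_ asks DNS SRV records for servers; entries are tried in the order listed
ipa_server = _srv_, ipa1.example.test
# Keep this client's DNS record current
dyndns_update = true
# Stores a password hash locally so logins work offline;
# leave this off where a local credential cache is not acceptable
cache_credentials = true
```

With access_provider = ipa, a user who authenticates successfully is still denied login unless an HBAC rule allows that user, service and host.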

To read more about how SSSD is used in FreeIPA integration at a high level, refer to the following links:

Or, on the terminal, read about SSSD’s IPA provider:

$ man sssd-ipa

SSSD can also retrieve information and perform authentication against Active Directory Domain Controllers through IPA servers. This is done via an IPA-AD trust, also called indirect AD integration. Red Hat documentation gives more information about how this works.