Simo's Blog


SSSD a tale of community, collaboration, success!

Today a long development cycle that started more than a year and a half ago comes to a conclusion with a great release: SSSD 1.2.0 is out!

First of all I must say I am extremely proud of the team. When I started the project in September 2008 I knew where I wanted to go, and I knew it would be a long journey. But I didn't really know how the trip would be.

Looking back at the first days, what we achieved seems like magic. So much was unknown, and so high were my expectations, that I almost feared I couldn't live up to them myself. But thanks to Steve, Sumit, Jakub, Martin and others the project grew and matured, and now SSSD is going to be shipped in the forthcoming RHEL 6 release.

A few months ago Steve really took over the release management role and he's done an outstanding job. The SSSD 1.2.0 release has his name all over it. The dedication he showed is truly remarkable. Thanks Steve!

Besides the more dedicated developers I also have to thank a lot of people who put SSSD under stress and tested it in real deployments, since the early 0.x releases.

One of the most important factors for the success of a FOSS project is the formation of a community of people that can work together in a very cooperative way. All these people not only reported bugs but also submitted patches and, most importantly, had the patience to interact and test fixes, make requests, and discuss needs and expectations. A great positive feedback loop; extremely motivating! I can say beyond any doubt that without them SSSD wouldn't be even close to where it is now.

THANK YOU contributors, all of you!

Of course a new cycle opens now, as new releases are already waiting in the pipeline, but it is a good moment to stop and look at what has been done.

SSSD is something that I have been thinking about in various forms since I started working for Red Hat more than 3 years ago, and in vague forms way, way before that, back when I was still doing consulting jobs in Italy. Since I started formalizing it within Red Hat it has been called many things (one of the stickier names we used internally for a while was "Blue Box"), and was often thought of as a piece of the puzzle we call FreeIPA. You can still probably find references to it in the older design plans on the FreeIPA wiki.

So what can SSSD do today?

The most interesting features are related to the primary use case we've been working against: LDAP servers and Kerberos authentication.

SSSD works like a connection pooling and caching mechanism for a client. It provides the machine with users and groups fetched and cached from the central server. It also adds neat features like offline authentication, a real boon if you want to use LDAP and laptops at the same time, but in general a great feature if you have remote machines behind a slow or unstable link and you want to make sure your users can keep working if the connection goes down temporarily. It frees you from the need to put an LDAP replica in a remote office just for a very few users.

SSSD has a modular multi-process design. It has been built with resilience and robustness in mind: a very small process controls a bunch of children that handle specific tasks. If any component dies, the monitor restarts it to avoid service disruption (although I have to say that it has been many, many moons since I had any issues on my machines, and that's just great).

SSSD is built with frontends to handle NSS and PAM communication, and backend providers to handle access to remote servers, plus a file-based mmapped cache that works as a unifying glue to store and retrieve data. Multiple different backends can be configured to retrieve user information and perform authentication. Many of these modules can be combined, as in the case of the IPA backend, which is substantially an LDAP identity provider plus a Kerberos authentication provider.
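As an added illustration (not part of the original post and not taken from the SSSD project), here is a minimal sssd.conf sketch of the layout described above: NSS and PAM frontends, one domain that combines an LDAP identity provider with a Kerberos authentication provider, and credential caching for offline authentication. The domain name, hostnames, realm and CA path are placeholders, and the option names follow current sssd.conf documentation, so some may differ in 1.2.0.

```ini
# /etc/sssd/sssd.conf (constructed example; must be owned by root, mode 0600)
[sssd]
config_file_version = 2
# Frontends (responders) started and supervised by the monitor
services = nss, pam
domains = example

[pam]
# Days a cached credential stays usable after the last successful
# online login (0 = no limit)
offline_credentials_expiration = 7

[domain/example]
# Identity data (users and groups) comes from LDAP
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# Protect the directory connection and verify the server certificate
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Authentication is handled by Kerberos
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM

# Keep a hash of the password after a successful online login so the
# user can still authenticate while the servers are unreachable
cache_credentials = true
```

With cache_credentials enabled a password hash lives in the local cache, so offline_credentials_expiration is the setting that bounds how long an offline login keeps working without contact with the server.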

Much more could be said, but I think this is enough to ignite some curiosity for now ;-)

For the interested people I can say SSSD has been shipped in Fedora for quite a while now, but only recently was authconfig modified to make it simpler to configure with the upcoming F-13 release. The integration is already quite nice and we hope to improve it even more in the future. Other distributions have already packaged it too and will hopefully ship it soon as a first-class citizen.

Last but not least, I must also thank Red Hat for believing in this small project and funding most of its development so far. Red Hat is a great place to stay if you want to develop core infrastructure technology.

Mail me if you have comments. They will be posted online after review.