But, as with all types of centralized authorization/authentication systems, it does not work well when your machine is disconnected from the network.
sssd - System Security Services Daemon to the rescue.
sssd was added to Fedora a few releases ago, as I blogged about back in March 2011.
One of the biggest benefits of sssd is that it allows for disconnected access to cached authorization/authentication data.
A new feature in Fedora 17 adds sssd as a source for sudoers data.
The benefits of this integration as described on the feature page are:
- offline access - sudoers rules would be stored in a persistent cache, allowing sudo to fetch the rules seamlessly even in cases when the LDAP server is not reachable, such as a user roaming with a laptop.
- unified configuration of LDAP parameters such as the servers used, timeout options and security properties in one place (sssd.conf)
- sudo would take advantage of the advanced features SSSD has, such as server failover, server discovery using DNS SRV lookups and more
- only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
- caching of the rules - less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
- back end abstraction - data may be stored in NIS or other databases and accessed by sudo transparently
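
To confirm that a host is actually set up this way, the following check is an added example, not code from this post or from the sssd project. It assumes the conventional wiring, which the post does not show: a `sudoers:` line in nsswitch.conf that lists the `sss` source, and `sudo` in the `services` list of the `[sssd]` section of sssd.conf. The sample files are constructed.

```shell
#!/bin/sh
# Added example: check that sudo is wired to fetch its rules through SSSD.

nsswitch_uses_sss() {   # $1: path to nsswitch.conf
    awk '
        { sub(/#.*/, "") }                        # strip comments
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")                    # keep only the source list
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

sssd_serves_sudo() {    # $1: path to sssd.conf
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

sudo_via_sssd() {       # $1: nsswitch.conf, $2: sssd.conf
    nsswitch_uses_sss "$1" && sssd_serves_sudo "$2"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf 'passwd: files sss\nsudoers: files sss   # local rules first\n' > "$demo/nsswitch.conf"
printf '[sssd]\nservices = nss, pam, sudo\ndomains = example\n\n[domain/example]\nid_provider = ldap\nsudo_provider = ldap\n' > "$demo/sssd.conf"

if sudo_via_sssd "$demo/nsswitch.conf" "$demo/sssd.conf"; then
    echo "sudo rules are served through SSSD"
else
    echo "sudo is not using SSSD for sudoers data"
fi
```

On a real machine, pass `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` to `sudo_via_sssd`; reading sssd.conf normally requires root.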