ADSys architecture
Here, we explain ADSys and SSSD, and how they are used in combination for managing authentication and policies.
ADSys and SSSD
ADSys is a GPO client. In an AD-managed infrastructure, it helps with the management and control of Ubuntu clients through the AD controller. It complements and depends on SSSD, a daemon that handles authentication and provides authorisation to access remote directories, including AD. ADSys can also be used in combination with Winbind, but here we focus on SSSD.
SSSD runs on the client Ubuntu machine and enables basic authentication with AD. When a user logs in on a client machine that is enrolled in the domain, SSSD sends the user's credentials to the AD controller. If the credentials are valid, the controller returns the user's information to SSSD, which then allows the user to authenticate successfully.
```mermaid
%%{init: {"theme": "base", "themeVariables": { 'background': '#DDC9D4', 'primaryColor': '#FFF', 'primaryTextColor': '#E95420', 'primaryBorderColor': '#7C0000', 'lineColor': '#E95420', 'secondaryColor': '#CECAC5' }}}%%
flowchart TB
    adcli(Ubuntu machine)
    sssd(SSSD)
    adcon(Active Directory controller)
    adcli --"log in with user"--> sssd
    sssd --"send user credentials"--> adcon
    sssd --"allow authentication"--> adcli
    adcon --"return user information"--> sssd
```
After the user is authenticated, ADSys queries the provider for the policies (GPOs) that target the authenticated user in the AD domain, resolves them, and then applies them to the client.
```mermaid
%%{init: {"theme": "base", "themeVariables": { 'background': '#DDC9D4', 'primaryColor': '#FFF', 'primaryTextColor': '#E95420', 'primaryBorderColor': '#7C0000', 'lineColor': '#E95420', 'secondaryColor': '#CECAC5' }}}%%
flowchart TB
    adcli(Ubuntu machine)
    adsys(ADSys)
    adcon(Active Directory controller)
    adcli --"authenticate user"--> adsys
    adsys --"fetch GPOs"--> adcon
    adcon --"relevant GPOs resolved"--> adsys
    adsys --"parse GPOs and apply"--> adcli
```
Authentication and policy flow
A detailed visual explanation of the authentication and policy flow with ADSys and SSSD is shown below:
```mermaid
%%{init: {"theme": "base", "themeVariables": { 'background': '#DDC9D4', 'primaryColor': '#FFF', 'primaryTextColor': '#E95420', 'primaryBorderColor': '#7C0000', 'lineColor': '#E95420', 'secondaryColor': '#CECAC5' }}}%%
stateDiagram-v2
    um: Ubuntu machine
    client: client.domain.com enrolled
    user: user authenticated
    fetch: fetch GPOs
    parse: parse GPOs
    update: update cached GPOs
    GPOs: check GPOs are up-to-date
    GPOs_applied_check: check GPOs are applied
    GPOs_enforced_check: check GPOs are enforced
    GPOs_apply: authenticate user and apply GPOs
    auth_deny: don't authenticate user
    state SSSD {
        um --> client: enroll to domain.com
        client --> um: unenroll from domain.com
        client --> user: authenticate user
    }
    SSSD --> ADSys: if ADSys installed
    SSSD --> End : if ADSys not installed
    state ADSys {
        start --> GPOs
        GPOs --> fetch: if no
        GPOs --> parse : if yes
        fetch --> update
        update --> GPOs
        parse --> GPOs_applied_check
        GPOs_applied_check --> GPOs_enforced_check: if no
        GPOs_applied_check --> GPOs_apply: if yes
        GPOs_enforced_check --> GPOs_apply: if no
        GPOs_enforced_check --> auth_deny: if yes
    }
```
SSSD manages the enrolment and authentication of clients with AD. If ADSys is not installed, the control and management of AD clients stops at that point.
If ADSys is installed, it checks whether the GPOs cached on the client are up-to-date. If not, the latest GPOs are fetched from the domain controller and the cache is updated. Once the latest GPOs are available, they are parsed and applied, and the user is authenticated. If a GPO could not be applied and it is enforced, ADSys does not permit the session to continue; failures of non-enforced GPOs do not block the login.
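The decision sequence above (check the cache, fetch when stale, parse and apply, deny the session when an enforced GPO fails) as a small executable model. This is an added illustration written for this page, not ADSys or SSSD code: the `GPO` record, the stand-in `DomainController`, the `PolicyClient`, the `SUPPORTED_KEYS` set and the sample users and policy names are all constructed here and do not correspond to real ADSys data structures.

```python
"""Model of the ADSys policy-application flow described on this page.

Added illustration, not ADSys or SSSD code: every class, key and user
below is constructed to show the control flow, namely check whether the
cached GPOs are up-to-date, fetch them when they are not, parse and apply
them, and refuse the session when an enforced GPO could not be applied
(a failed non-enforced GPO is only reported).
"""
from dataclasses import dataclass

# Hypothetical set of policy keys this client knows how to apply.
SUPPORTED_KEYS = {"lock-screen-timeout", "proxy-url", "usb-storage"}


@dataclass(frozen=True)
class GPO:
    name: str
    version: int
    enforced: bool
    settings: dict  # key -> value; keys are hypothetical policy names


class DomainController:
    """Stand-in for the AD controller holding the GPOs linked to each user."""

    def __init__(self, gpos_by_user):
        self.gpos_by_user = gpos_by_user
        self.fetch_count = 0  # lets a caller observe when a full fetch happens

    def versions(self, user):
        """Cheap metadata query used for the 'are cached GPOs up-to-date?' check."""
        return {g.name: g.version for g in self.gpos_by_user.get(user, [])}

    def fetch(self, user):
        """Full fetch of the GPOs that target this user."""
        self.fetch_count += 1
        return list(self.gpos_by_user.get(user, []))


def parse_and_apply(gpo):
    """Apply one GPO; True on success, False if any setting key is unknown."""
    return all(key in SUPPORTED_KEYS for key in gpo.settings)


class PolicyClient:
    """Client-side state: cached GPOs per user plus the login decision."""

    def __init__(self, controller):
        self.controller = controller
        self.cache = {}  # user -> list[GPO]

    def cache_up_to_date(self, user):
        cached = {g.name: g.version for g in self.cache.get(user, [])}
        return cached == self.controller.versions(user)

    def login(self, user):
        """Return ('allow', [non-enforced GPOs that failed]) or
        ('deny', name_of_the_enforced_gpo_that_failed)."""
        if not self.cache_up_to_date(user):
            self.cache[user] = self.controller.fetch(user)  # fetch + update cache
        not_applied = []
        for gpo in self.cache.get(user, []):
            if parse_and_apply(gpo):
                continue
            if gpo.enforced:
                return ("deny", gpo.name)  # enforced and not applied: fail closed
            not_applied.append(gpo.name)
        return ("allow", not_applied)


# Constructed sample data: three users whose GPOs exercise each outcome.
SAMPLE_GPOS = {
    "alice": [GPO("lock-screen", 1, True, {"lock-screen-timeout": 300})],
    "bob": [GPO("proxy", 2, False, {"proxy-url": "http://proxy.example:3128",
                                     "unknown-key": 1})],
    "carol": [GPO("usb-block", 1, True, {"usb-storage": "deny", "bogus": 0})],
}


def demo():
    """Run the three logins, then show cache reuse and cache invalidation."""
    dc = DomainController({u: list(g) for u, g in SAMPLE_GPOS.items()})
    client = PolicyClient(dc)
    results = {user: client.login(user) for user in ("alice", "bob", "carol")}
    # A second login for alice reuses the cache: no new fetch.
    fetches_before = dc.fetch_count
    client.login("alice")
    cache_hit = dc.fetch_count == fetches_before
    # Publish a new version on the controller: the client's cache is now stale.
    dc.gpos_by_user["alice"] = [GPO("lock-screen", 2, True, {"lock-screen-timeout": 60})]
    stale = not client.cache_up_to_date("alice")
    return results, cache_hit, stale


if __name__ == "__main__":
    print(demo())
```

Running the block prints `alice` allowed with no failures, `bob` allowed with `proxy` reported as not applied (not enforced), and `carol` denied because the enforced `usb-block` GPO could not be applied; the two booleans show that an unchanged controller state is served from the cache and that a version bump on the controller invalidates it.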