<p>You may have noticed that Kanidm requires you to configure TLS in your container or server install.</p>
<p>We are a secure-by-design rather than secure-by-configuration system, so TLS for all connections is
considered mandatory and a default rather than an optional feature you add later.</p>
<h3 id="why-disallow-http-without-tls-between-my-load-balancer-and-kanidm"><a class="header" href="#why-disallow-http-without-tls-between-my-load-balancer-and-kanidm">Why disallow HTTP (without TLS) between my load balancer and Kanidm?</a></h3>
<p>Because Kanidm is one of the keys to a secure network, and insecure connections to it are not best
practice. A plaintext hop, even one that only runs between your load balancer and Kanidm, exposes
session cookies, credentials and tokens to anyone who can observe or modify that traffic. This can
allow account hijacking, privilege escalation, credential disclosure, personal information leaks
and more.</p>
<h3 id="what-are-secure-cookies"><a class="header" href="#what-are-secure-cookies">What are Secure Cookies?</a></h3>
<p><code>secure-cookies</code> refers to the <code>Secure</code> attribute on a cookie. It asks a client to
transmit the cookie back to the origin site if and only if the request is being sent over HTTPS, that
is, the client sees <code>https://</code> as the scheme of the destination URL.</p>
<p>The attribute itself performs <em>no</em> certificate authority (CA) verification. Whether an invalid or
out of date certificate, or one whose <code>subjectAltName</code> does not match, is accepted is decided
by the client's TLS stack, not by the cookie flag; if the connection is allowed to proceed the cookie
is sent. What the client must see is <code>https://</code> as the destination, otherwise it <em>will
not</em> send the cookie.</p>
<h3 id="how-does-that-affect-kanidm"><a class="header" href="#how-does-that-affect-kanidm">How Does That Affect Kanidm?</a></h3>
<p>Kanidm's authentication system is a stepped challenge-response design, where you initially request
an "intent" to authenticate. Once you establish this intent, the server issues a session-id in a
cookie and informs the client of which authentication methods can proceed.</p>
<p>If you do NOT have an HTTPS URL, the cookie carrying the session-id is not transmitted with the next
step. The server sees a step request that belongs to no established session, treats it as an
invalid-state request in the authentication design, and immediately terminates the exchange, because
the connection appears insecure. This prevents credential disclosure: without the session-id cookie
the authentication session is never established, so no credential exchange takes place over the
insecure channel.</p>
<p>Simply put, we use settings like <code>secure_cookies</code> to add constraints to the server so that
you <em>must</em> adhere to best practices, such as having TLS present on every communication channel.</p>
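<p>The following is an added example, not Kanidm code, that exercises both points above: the
<code>Secure</code> rule applied by the client, and a stepped authentication server that rejects a step
request arriving without its session cookie. Python's standard library cookie jar plays the part of the
browser, since it implements the same scheme check. The endpoint paths, the cookie name
<code>auth-session-id</code>, the host <code>idm.example.com</code> and the toy server state machine are
assumptions for illustration and do not describe Kanidm's actual API.</p>

```python
"""Simulate the Secure cookie attribute against a stepped (intent -> step)
authentication flow. Added example, not Kanidm code: endpoint paths, cookie
name, host and server logic are assumptions for illustration only.
"""
import email.message
import http.cookiejar
import secrets
import urllib.request
from http.cookies import SimpleCookie


class FakeResponse:
    """Minimal stand-in for an HTTP response: just enough for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


class AuthServer:
    """Toy stepped auth server (assumed design). Step 1 records an intent and
    issues a session cookie; step 2 only accepts a credential if that cookie
    comes back, otherwise the request is in an invalid state."""

    COOKIE_NAME = "auth-session-id"  # assumed cookie name

    def __init__(self):
        self._sessions = {}  # session_id -> username awaiting a credential

    def auth_init(self, username):
        """Step 1: client declares intent; server returns Set-Cookie and allowed methods."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        set_cookie = (f"{self.COOKIE_NAME}={session_id}; Path=/; "
                      "Secure; HttpOnly; SameSite=Strict")
        return FakeResponse([set_cookie]), ["password"]

    def auth_step(self, cookie_header, credential):
        """Step 2: without the session cookie there is no session to continue."""
        if cookie_header is None:
            return "rejected: invalid state (no session cookie)"
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(self.COOKIE_NAME)
        if morsel is None or morsel.value not in self._sessions:
            return "rejected: invalid state (unknown session)"
        username = self._sessions.pop(morsel.value)  # one-shot session
        # Placeholder credential check; a real server verifies a stored hash.
        return "authenticated" if credential == f"correct-{username}" else "denied"


def run_flow(scheme, username="alice"):
    """Drive the two steps through a CookieJar, which enforces the Secure rule client-side."""
    base = f"{scheme}://idm.example.com"  # assumed host
    server = AuthServer()
    browser = http.cookiejar.CookieJar()

    # Step 1: declare intent over the given scheme; the jar stores the cookie.
    init_req = urllib.request.Request(f"{base}/v1/auth/init")
    resp, _methods = server.auth_init(username)
    browser.extract_cookies(resp, init_req)

    # Step 2: the jar attaches a Secure cookie only when the request is https://.
    step_req = urllib.request.Request(f"{base}/v1/auth/step")
    browser.add_cookie_header(step_req)
    cookie_header = step_req.get_header("Cookie")  # None if the jar withheld it
    return server.auth_step(cookie_header, f"correct-{username}")


if __name__ == "__main__":
    print("https:", run_flow("https"))  # authenticated
    print("http: ", run_flow("http"))   # rejected: invalid state (no session cookie)
```

<p>Over <code>https://</code> the jar returns the cookie and the step succeeds; over <code>http://</code>
the cookie is stored but never sent, so the server sees a step with no session and refuses before
any credential is checked. The same outcome follows whether the plaintext segment is the whole path
or only the hop behind a load balancer, because the client decides on the scheme it is speaking.</p>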
<h2 id="can-i-change-the-database-backend-from-sqlite-to---name-of-favourite-database-here--"><a class="header" href="#can-i-change-the-database-backend-from-sqlite-to---name-of-favourite-database-here--">Can I change the database backend from SQLite to - name of favourite database here -</a></h2>
<p>No, it is not possible to swap out the SQLite database for any other type of SQL server.</p>
<p><em>ATTEMPTING THIS WILL BREAK YOUR KANIDM INSTANCE IRREPARABLY</em></p>
<p>This question is normally asked because people want to set up multiple Kanidm servers connected to
a single database.</p>
<p>Kanidm does not use SQL as a <em>database</em>. Kanidm uses SQL as a durable key-value store and
implements its own database, caching, querying, optimisation and indexing on top of that key-value
store.</p>
<p>Because Kanidm keeps its own cache layer above the key-value store (SQLite in this case), two
Kanidm instances connected to the same store would each hold a private cache with no coordination
between them. A write on one server may never be observed by the second, and if the second then
writes over the same entries from its stale cache, the first server's changes are lost.</p>
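<p>As an added illustration of that lost-update failure (example code, not Kanidm's own), the
following models the shared store as a dictionary and each instance as a read-through,
write-through cache with no invalidation between instances. The entry shape, the attribute names
and the cache policy are assumptions chosen to show the mechanism, not a description of Kanidm's
internals.</p>

```python
"""Why two caching instances must not share one key-value store.

Added example, not Kanidm code. Entry shape, attribute names and the
cache policy are assumptions for illustration only.
"""
import copy


class KvStore:
    """Durable key-value store (the role SQLite plays): id -> entry dict."""

    def __init__(self):
        self._rows = {}

    def get(self, key):
        return copy.deepcopy(self._rows.get(key))

    def put(self, key, entry):
        self._rows[key] = copy.deepcopy(entry)


class Instance:
    """A server with a private cache over the shared store. Nothing tells
    this cache that some other instance has written to the store."""

    def __init__(self, name, store):
        self.name = name
        self._store = store
        self._cache = {}

    def read(self, key):
        if key not in self._cache:           # read-through on a miss
            self._cache[key] = self._store.get(key)
        return copy.deepcopy(self._cache[key])

    def modify(self, key, attr, value):
        """Read-modify-write of one attribute, as a directory update does."""
        entry = self.read(key)               # served from cache if present
        entry[attr] = value
        self._cache[key] = entry             # write-through
        self._store.put(key, entry)
        return entry


def lost_update(shared_store):
    """Two instances on one store: the second's stale write drops the first's change."""
    a = Instance("a", shared_store)
    b = Instance("b", shared_store)
    shared_store.put("person:alice", {"name": "alice", "mail": "alice@example.com"})

    b.read("person:alice")                                       # b caches the original entry
    a.modify("person:alice", "mail", "alice.new@example.com")    # a's change reaches the store
    b.modify("person:alice", "displayname", "Alice")             # b writes from its stale copy
    return shared_store.get("person:alice")                      # a's mail change is gone


def single_instance(shared_store):
    """The same two changes through one instance keep both."""
    a = Instance("a", shared_store)
    shared_store.put("person:alice", {"name": "alice", "mail": "alice@example.com"})
    a.read("person:alice")
    a.modify("person:alice", "mail", "alice.new@example.com")
    a.modify("person:alice", "displayname", "Alice")
    return shared_store.get("person:alice")


if __name__ == "__main__":
    print("two instances:", lost_update(KvStore()))
    print("one instance: ", single_instance(KvStore()))
```

<p>The store ends up with <code>displayname</code> set but <code>mail</code> back at its original value:
instance b never saw a's write, so its own write carried the old address. Replacing SQLite with a
network database changes nothing here, since the caches, not the store, are what disagree. Kanidm's
supported answer to running more than one server is its replication, not a shared backend.</p>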
<h2 id="why-so-many-crabs"><a class="header" href="#why-so-many-crabs">Why so many crabs?</a></h2>
<h2 id="why-wont-you-take-this-faq-thing-seriously"><a class="header" href="#why-wont-you-take-this-faq-thing-seriously">Why won't you take this FAQ thing seriously?</a></h2>
<p>Look, people just haven't asked many questions yet.</p>