<!DOCTYPE HTML>
<html lang="en" class="sidebar-visible no-js light">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Server Configuration and Install - Kanidm Administration</title>
<!-- Custom HTML head -->
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff" />
<link rel="shortcut icon" href="favicon.png">
<link rel="stylesheet" href="css/variables.css">
<link rel="stylesheet" href="css/general.css">
<link rel="stylesheet" href="css/chrome.css">
<link rel="stylesheet" href="css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" href="highlight.css">
<link rel="stylesheet" href="tomorrow-night.css">
<link rel="stylesheet" href="ayu-highlight.css">
<!-- Custom theme stylesheets -->
</head>
<body>
<div id="body-container">
<!-- Provide site root to javascript -->
<script>
var path_to_root = "";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
</script>
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
var html = document.querySelector('html');
html.classList.remove('no-js')
html.classList.remove('light')
html.classList.add(theme);
html.classList.add('js');
</script>
<!-- Hide / unhide sidebar before it is displayed -->
<script>
var html = document.querySelector('html');
var sidebar = 'hidden';
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
}
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
</div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky bordered">
<div class="left-buttons">
<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</button>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Kanidm Administration</h1>
<div class="right-buttons">
<a href="print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/kanidm/kanidm" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/kanidm/kanidm/edit/master/book/src/server_configuration.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="configuring-the-server"><a class="header" href="#configuring-the-server">Configuring the Server</a></h1>
<h2 id="configuring-servertoml"><a class="header" href="#configuring-servertoml">Configuring server.toml</a></h2>
<p>You need a configuration file in the volume named <code>server.toml</code> (within the container it should be
<code>/data/server.toml</code>). Its contents should be as follows:</p>
<pre><code class="language-toml"># The webserver bind address. Will use HTTPS if tls_*
# is provided. If set to 443 you may require the
# NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443"
bindaddress = "[::]:8443"
#
# The read-only ldap server bind address. The server
# will use LDAPS if tls_* is provided. If set to 636
# you may require the NET_BIND_SERVICE capability.
# Defaults to "" (disabled)
# ldapbindaddress = "[::]:3636"
#
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". If set to true, then this header is
# respected as the "authoritative" source of the IP of the
# connected client. If you are not using a load balancer
# then you should leave this value as default.
# Defaults to false
# trust_x_forward_for = false
#
# The path to the kanidm database.
db_path = "/data/kanidm.db"
#
# If you have a known filesystem, kanidm can tune the database
# to match. Valid choices are:
# [zfs, other]
# If you are unsure about this leave it as the default
# (other). After changing this
# value you must run a vacuum task.
# - zfs:
#   * sets database pagesize to 64k. You must set
#     recordsize=64k on the zfs filesystem.
# - other:
#   * sets database pagesize to 4k, matching most
#     filesystems block sizes.
# db_fs_type = "zfs"
#
# The number of entries to store in the in-memory cache.
# Minimum value is 256. If unset
# an automatic heuristic is used to scale this.
# db_arc_size = 2048
#
# TLS chain and key in pem format. Both must be present
tls_chain = "/data/chain.pem"
tls_key = "/data/key.pem"
#
# The log level of the server. May be default, verbose,
# perfbasic, perffull
# Defaults to "default"
# log_level = "default"
#
# The DNS domain name of the server. This is used in a
# number of security-critical contexts
# such as webauthn, so it *must* match your DNS
# hostname. It is used to create
# security principal names such as `william@idm.example.com`
# so that in a (future)
# trust configuration it is possible to have unique Service
# Principal Names (spns) throughout the topology.
# ⚠️  WARNING ⚠️
# Changing this value WILL break many types of registered
# credentials for accounts
# including but not limited to webauthn, oauth tokens, and more.
# If you change this value you *must* run
# `kanidmd domain_name_change` immediately after.
domain = "idm.example.com"
#
# The origin for webauthn. This is the url to the server,
# with the port included if
# it is non-standard (any port except 443). This must match
# or be a descendant of the
# domain name you configure above. If these two items are
# not consistent, the server WILL refuse to start!
# origin = "https://idm.example.com"
origin = "https://idm.example.com:8443"
#
# The role of this server. This affects available features
# and how replication may interact.
# Valid roles are:
# - WriteReplica
#   This server provides all functionality of Kanidm. It
#   allows authentication, writes, and
#   the web user interface to be served.
# - WriteReplicaNoUI
#   This server is the same as a WriteReplica, but does NOT
#   offer the web user interface.
# - ReadOnlyReplica
#   This server will not accept writes initiated by clients. It
#   supports authentication and reads,
#   and must have a replication agreement as a source of
#   its data.
# Defaults to "WriteReplica".
# role = "WriteReplica"
#
# [online_backup]
# The path to the output folder for online backups
# path = "/var/lib/kanidm/backups/"
# The schedule to run online backups (see https://crontab.guru/)
# every day at 22:00 UTC (default)
# schedule = "00 22 * * *"
# four times a day at 3 minutes past the hour, every 6 hours
# schedule = "03 */6 * * *"
# Number of backups to keep (default 7)
# versions = 7
#
</code></pre>
<p>This example is located in
<a href="https://github.com/kanidm/kanidm/blob/master/examples/server_container.toml">examples/server_container.toml</a>.</p>
<!-- deno-fmt-ignore-start -->
<table>
<tr>
<td rowspan=2><img src="images/kani-warning.png" alt="Kani Warning" /></td>
<td><strong>Warning!</strong></td>
</tr>
<tr>
<td>You MUST set the <code>domain</code> name correctly, aligned with your <code>origin</code>, else the server may refuse to start or some features (e.g. webauthn, oauth) may not work correctly!</td>
</tr>
</table>
<!-- deno-fmt-ignore-end -->
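<p>As an added example (not part of the Kanidm project or its documentation), the following POSIX shell script pulls <code>domain</code> and <code>origin</code> out of a <code>server.toml</code> laid out like the one above and checks the consistency rule the comments describe: the origin must be an <code>https://</code> URL and its host must equal the domain or be a subdomain of it, with an optional port as in <code>https://idm.example.com:8443</code>. The helper names (<code>toml_get</code>, <code>origin_matches_domain</code>, <code>check_config</code>) and the sample file it writes are constructed for this example; it only understands the simple <code>key = "value"</code> lines shown on the page, not general TOML.</p>

```sh
#!/bin/sh
# Added example, not Kanidm project code: check that `origin` is consistent
# with `domain` in a server.toml before starting kanidmd.

# Print the quoted string value of KEY ($1) from FILE ($2). Only uncommented
# `key = "value"` lines match, so commented-out alternatives such as
# `# origin = "..."` are ignored. Hypothetical helper written for this example.
toml_get() {
    sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Return 0 when URL ($2) is an https origin whose host is WANT ($1) or a
# subdomain of it, 1 otherwise. A trailing port or path is stripped first.
origin_matches_domain() {
    want=$1
    url=$2
    case "$url" in
        https://*) ;;
        *) return 1 ;;   # webauthn needs a secure origin
    esac
    hostport=${url#https://}
    hostport=${hostport%%/*}   # drop any path
    host=${hostport%%:*}       # drop the port
    [ "$host" = "$want" ] && return 0
    case "$host" in
        *."$want") return 0 ;;  # descendant of the domain
    esac
    return 1
}

# Return 0 if FILE ($1) has both values set and they are consistent.
check_config() {
    file=$1
    domain=$(toml_get domain "$file")
    origin=$(toml_get origin "$file")
    [ -n "$domain" ] || { echo "error: domain is not set" >&2; return 1; }
    [ -n "$origin" ] || { echo "error: origin is not set" >&2; return 1; }
    if origin_matches_domain "$domain" "$origin"; then
        echo "ok: origin $origin is consistent with domain $domain"
        return 0
    fi
    echo "error: origin $origin does not match domain $domain" >&2
    return 1
}

# Constructed sample in the page's layout, written to a temporary file so the
# script runs stand-alone; point check_config at /data/server.toml on a real volume.
sample=$(mktemp)
printf '%s\n' \
    '# origin = "https://idm.example.com"' \
    'domain = "idm.example.com"' \
    'origin = "https://idm.example.com:8443"' > "$sample"
check_config "$sample"
rm -f "$sample"
```

The host comparison is deliberately suffix-based on a dot boundary, so a lookalike such as <code>notidm.example.com</code> is rejected while <code>sso.idm.example.com</code> is accepted; <code>kanidmd configtest</code> (next section) remains the authoritative check, this script just catches the mismatch before a container is started.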
<h2 id="check-the-configuration-is-valid"><a class="header" href="#check-the-configuration-is-valid">Check the configuration is valid</a></h2>
<p>You should test that your configuration is valid before you proceed.</p>
<pre><code class="language-bash">docker run --rm -i -t -v kanidmd:/data \
kanidm/server:latest /sbin/kanidmd configtest -c /data/server.toml
</code></pre>
<h2 id="default-admin-account"><a class="header" href="#default-admin-account">Default Admin Account</a></h2>
<p>Then you can set up the initial admin account and initialise the database into your volume. This
command will generate a new random password for the admin account.</p>
<!-- deno-fmt-ignore-start -->
<table>
<tr>
<td rowspan=2><img src="images/kani-warning.png" alt="Kani Warning" /></td>
<td><strong>Warning!</strong></td>
</tr>
<tr>
<td>The server must not be running at this point, as it requires exclusive access to the database.</td>
</tr>
</table>
<!-- deno-fmt-ignore-end -->
<pre><code class="language-bash">docker run --rm -i -t -v kanidmd:/data \
kanidm/server:latest /sbin/kanidmd recover-account -c /data/server.toml admin
# success - recovery of account password for admin: vv...
</code></pre>
<p>After the recovery is complete the server can be started again.</p>
<h2 id="run-the-server"><a class="header" href="#run-the-server">Run the Server</a></h2>
<p>Now we can run the server so that it can accept connections. This defaults to using
<code>-c /data/server.toml</code>.</p>
<pre><code class="language-bash">docker run -p 443:8443 -v kanidmd:/data kanidm/server:latest
</code></pre>
<h2 id="using-the-net_bind_service-capability"><a class="header" href="#using-the-net_bind_service-capability">Using the NET_BIND_SERVICE capability</a></h2>
<p>If you plan to run without using docker port mapping or some other reverse proxy, and your
bindaddress or ldapbindaddress port is less than <code>1024</code>, you will need the <code>NET_BIND_SERVICE</code> capability in
docker to allow these port binds. You can add this with <code>--cap-add</code> in your docker run command.</p>
<pre><code class="language-bash">docker run --cap-add NET_BIND_SERVICE --network [host OR macvlan OR ipvlan] \
-v kanidmd:/data kanidm/server:latest
</code></pre>
<!-- deno-fmt-ignore-start -->
<table>
<tr>
<td rowspan=2><img src="images/kani-alert.png" alt="Kani Alert" /></td>
<td><strong>Tip</strong></td>
</tr>
<tr>
<td>However you choose to run your server, you should document and keep note of the docker run / create command you chose to start the instance. This will be used in the upgrade procedure.</td>
</tr>
</table>
<!-- deno-fmt-ignore-end -->
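<p>The following POSIX shell helper is an added example, not Kanidm project code. It derives the start command from the two bind addresses in the configuration: when either the HTTPS or LDAP port is below 1024 it emits the <code>--cap-add NET_BIND_SERVICE</code> form (host networking is assumed here; macvlan or ipvlan, the other two options listed above, would be substituted the same way), otherwise it falls back to the port-mapped command from the Run the Server section so the container keeps unprivileged ports and needs no extra capability. It then appends the exact command line to a notes file, which is what the tip asks you to keep for the upgrade procedure. The function names (<code>bind_port</code>, <code>needs_net_bind_service</code>, <code>kanidmd_run_cmd</code>, <code>record_run_cmd</code>) and the temporary notes file are assumptions made for this example.</p>

```sh
#!/bin/sh
# Added example, not Kanidm project code: build and record the docker run
# command for kanidmd, adding NET_BIND_SERVICE only when a privileged port
# is actually bound.

# Port of a bind address such as "[::]:8443" or "127.0.0.1:443".
bind_port() {
    printf '%s\n' "${1##*:}"
}

# Return 0 if any of the given ports is privileged (below 1024); empty
# arguments (an unset ldapbindaddress) are skipped.
needs_net_bind_service() {
    for p in "$@"; do
        [ -n "$p" ] && [ "$p" -lt 1024 ] && return 0
    done
    return 1
}

# Print the docker run command for VOLUME ($1), IMAGE ($2), BINDADDRESS ($3)
# and optional LDAPBINDADDRESS ($4). Host networking is assumed for the
# privileged-port case (hypothetical choice for this example).
kanidmd_run_cmd() {
    volume=$1; image=$2; bind=$3; ldapbind=${4:-}
    http_port=$(bind_port "$bind")
    ldap_port=$(bind_port "$ldapbind")
    if needs_net_bind_service "$http_port" "$ldap_port"; then
        printf 'docker run --cap-add NET_BIND_SERVICE --network host -v %s:/data %s\n' \
            "$volume" "$image"
    else
        # Port mapping: the container keeps its unprivileged ports and docker
        # exposes the standard ones (443, 636) on the host.
        ports="-p 443:$http_port"
        [ -n "$ldap_port" ] && ports="$ports -p 636:$ldap_port"
        printf 'docker run %s -v %s:/data %s\n' "$ports" "$volume" "$image"
    fi
}

# Append CMD ($1) with a UTC timestamp to NOTES ($2), so the exact start
# command is on record for the upgrade procedure.
record_run_cmd() {
    printf '# %s kanidmd start command\n%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$2"
}

# Demonstration on the values from the example server.toml above; the notes
# file is a temporary file constructed for this example.
notes=$(mktemp)
cmd=$(kanidmd_run_cmd kanidmd kanidm/server:latest "[::]:8443")
record_run_cmd "$cmd" "$notes"
cmd=$(kanidmd_run_cmd kanidmd kanidm/server:latest "[::]:443" "[::]:636")
record_run_cmd "$cmd" "$notes"
cat "$notes"
rm -f "$notes"
```

With the page's default <code>bindaddress = "[::]:8443"</code> the output is exactly the <code>docker run -p 443:8443 -v kanidmd:/data kanidm/server:latest</code> command from the Run the Server section; only a bind on 443 or 636 produces the <code>--cap-add</code> variant, which keeps the capability off the container whenever port mapping already does the job.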
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="prepare_the_server.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next" href="security_hardening.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="prepare_the_server.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next" href="security_hardening.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script>
window.playground_copyable = true;
</script>
<script src="elasticlunr.min.js"></script>
<script src="mark.min.js"></script>
<script src="searcher.js"></script>
<script src="clipboard.min.js"></script>
<script src="highlight.js"></script>
<script src="book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>