# Introduction to Kanidm

Kanidm is an identity management server, acting as an authority on account information, authentication
and authorisation within a technical environment.

The intent of the Kanidm project is to:

* Provide a single truth source for accounts, groups and privileges.
* Enable integrations to systems and services so they can authenticate accounts.
* Make system, network, application and web authentication easy and accessible.

> **NOTICE:**
> This is a pre-release project. While all effort has been made to ensure no data loss
> or security flaws, you should still be careful when using this in your environment.

## Library documentation

Looking for the `rustdoc` documentation for the libraries themselves? [Click here!](./rustdoc/master/kanidm/)

## Why do I want Kanidm?

Whether you work in a business, a volunteer organisation, or are an enthusiast who manages
their personal services, we need methods of authenticating and identifying ourselves
to these systems and, subsequently, ways to determine what authorisation and privileges we have
while accessing these systems.

We've probably all been in workplaces where you end up with multiple accounts on various
systems - one for a workstation, different SSH keys for different tasks, maybe some shared
account passwords. Not only is it difficult for people to manage all these different credentials
and what they have access to, but it also means that sometimes these credentials have more
access or privilege than they require.

Kanidm acts as a central authority of accounts in your organisation and allows each account to associate
many devices and credentials with different privileges. An example of how this looks:

```text
You ──log in──▶ Laptop
                  ├─ SSO/OAuth ────────────▶ Web Site ──OAuth/SSO─────────────────▶ Kanidm
                  ├─ SSH keys ─────────────▶ SSH ───────retrieve SSH public keys───▶ Kanidm
                  ├─ application password ─▶ Email ─────verify application password─▶ Kanidm
                  ├─ RADIUS password ──────▶ WIFI ──┐
                  └─ RADIUS password ──────▶ VPN ───┴──▶ RADIUS application ──verify RADIUS password──▶ Kanidm

Kanidm ──account data references──▶ Database
```

A key design goal is that you authenticate with your device in some manner, and then your device will
continue to authenticate you in the future. Each of these different types of credential, from SSH keys
and application passwords to RADIUS passwords and others, is a "thing your device knows". Each password
has limited capability, and can only access that exact service or resource.

This helps improve security: a compromise of the service or of the network transmission does not
grant the attacker unlimited access to your account and all its privileges. As the credentials are specific
to a device, if a device is compromised you can revoke its associated credentials. If a
specific service is compromised, only the credentials for that service need to be revoked.
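The blast-radius argument above, as an added example that is not Kanidm's own code or data model: a small Python model in which every credential is bound to exactly one device and one service, so revoking a compromised device or a compromised service touches nothing else. The account, device and service names are constructed for the scenario.

```python
from dataclasses import dataclass, field
import secrets

@dataclass(frozen=True)
class Credential:
    device: str   # the device that holds this secret
    service: str  # the only service this secret is valid for
    secret: str   # opaque per-service secret (constructed, random)

@dataclass
class Account:
    creds: dict = field(default_factory=dict)  # secret -> Credential

    def enrol(self, device: str, service: str) -> Credential:
        # issue a credential valid for one service on one device only
        cred = Credential(device, service, secrets.token_hex(16))
        self.creds[cred.secret] = cred
        return cred

    def authenticate(self, service: str, secret: str) -> bool:  # valid only for its own service
        cred = self.creds.get(secret)
        return cred is not None and cred.service == service

    def _revoke(self, doomed) -> int:
        gone = [s for s, c in self.creds.items() if doomed(c)]
        for s in gone:
            del self.creds[s]
        return len(gone)

    def revoke_device(self, device: str) -> int:  # device lost or compromised
        return self._revoke(lambda c: c.device == device)

    def revoke_service(self, service: str) -> int:  # service compromised
        return self._revoke(lambda c: c.service == service)

def blast_radius_demo() -> dict:
    acct = Account()  # constructed scenario: two devices, five per-service credentials
    lap_wifi = acct.enrol("laptop", "wifi")   # RADIUS password
    lap_mail = acct.enrol("laptop", "email")  # application password
    acct.enrol("laptop", "ssh")               # SSH key, modelled as a secret
    phone_mail = acct.enrol("phone", "email")
    phone_wifi = acct.enrol("phone", "wifi")
    r = {"email_secret_on_ssh": acct.authenticate("ssh", lap_mail.secret),
         "email_secret_on_email": acct.authenticate("email", lap_mail.secret)}
    r["revoked_by_service"] = acct.revoke_service("email")  # mail service breached
    r["phone_email_after"] = acct.authenticate("email", phone_mail.secret)
    r["laptop_wifi_after"] = acct.authenticate("wifi", lap_wifi.secret)
    r["revoked_by_device"] = acct.revoke_device("laptop")   # laptop lost
    r["phone_wifi_after"] = acct.authenticate("wifi", phone_wifi.secret)
    r["remaining"] = len(acct.creds)
    return r
```

A leaked e-mail password is useless against SSH, a breach of the mail service costs only the e-mail credentials on every device, and a lost laptop costs only what that laptop held.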

Because this model centres the device and multiplies per-service credentials, Kanidm adds or designs
workflows and automation to reduce manual handling of credentials. One example of this
is the use of QR codes with deployment profiles to automatically enrol wireless credentials.