2019-07-28 13:25:51 +02:00
|
|
|
|
|
|
|
|
<p align="center">
|
2020-01-17 02:51:15 +01:00
|
|
|
<img src="https://raw.githubusercontent.com/kanidm/kanidm/master/artwork/logo-small.png" width="20%" height="auto" />
|
2019-07-28 13:25:51 +02:00
|
|
|
</p>
|
|
|
|
|
|
2019-02-02 02:44:31 +01:00
|
|
|
# Kanidm
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2019-02-02 02:44:31 +01:00
|
|
|
Kanidm is an identity management platform written in rust. Our goals are:
|
2018-09-29 09:54:16 +02:00
|
|
|
|
|
|
|
|
* Modern identity management platform
|
|
|
|
|
* Simple to deploy and integrate with
|
2019-07-28 14:25:12 +02:00
|
|
|
* Extensible for various needs
|
|
|
|
|
* Correct and secure behaviour by default
|
|
|
|
|
|
2021-02-15 00:35:52 +01:00
|
|
|
Today the project is still under heavy development to achieve these goals - We have many foundational
|
|
|
|
|
parts in place, and many of the required security features, but it is still an Alpha, and should be
|
|
|
|
|
treated as such.
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2020-08-24 04:15:21 +02:00
|
|
|
## Code of Conduct / Ethics
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2019-09-14 10:51:56 +02:00
|
|
|
See our [code of conduct]
|
2019-07-28 14:25:12 +02:00
|
|
|
|
2019-09-14 10:51:56 +02:00
|
|
|
See our documentation on [rights and ethics]
|
|
|
|
|
|
2020-08-24 04:15:21 +02:00
|
|
|
[code of conduct]: https://github.com/kanidm/kanidm/blob/master/CODE_OF_CONDUCT.md
|
2020-01-17 02:51:15 +01:00
|
|
|
[rights and ethics]: https://github.com/kanidm/kanidm/blob/master/ethics/README.md
|
2019-07-28 14:25:12 +02:00
|
|
|
|
2020-08-24 04:15:21 +02:00
|
|
|
## Documentation / Getting Started / Install
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2020-04-21 04:35:08 +02:00
|
|
|
If you want to deploy kanidm, or to see what it can do, you should read the [kanidm book]
|
2019-09-14 10:21:41 +02:00
|
|
|
|
2020-01-17 02:51:15 +01:00
|
|
|
[kanidm book]: https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/SUMMARY.md
|
2019-10-05 02:40:43 +02:00
|
|
|
|
2020-08-24 04:15:21 +02:00
|
|
|
## Getting in Contact / Questions
|
2020-04-25 05:18:19 +02:00
|
|
|
|
2020-08-24 04:15:21 +02:00
|
|
|
We have a [gitter community channel] where we can talk. Firstyear is also happy to
|
|
|
|
|
answer questions via email, which can be found on their github profile.
|
2020-04-25 05:18:19 +02:00
|
|
|
|
|
|
|
|
[gitter community channel]: https://gitter.im/kanidm/community
|
|
|
|
|
|
2021-02-18 00:28:36 +01:00
|
|
|
## Features
|
2019-07-28 14:25:12 +02:00
|
|
|
|
2021-02-18 00:28:36 +01:00
|
|
|
### Implemented
|
|
|
|
|
|
|
|
|
|
* SSH key distribution for servers
|
|
|
|
|
* Pam/nsswitch clients (with limited offline auth)
|
|
|
|
|
* MFA - TOTP
|
|
|
|
|
* Highly concurrent design (MVCC, COW)
|
|
|
|
|
* RADIUS integration
|
|
|
|
|
|
|
|
|
|
### Currently Working On
|
|
|
|
|
|
|
|
|
|
* CLI for administration
|
|
|
|
|
* MFA - Webauthn
|
|
|
|
|
|
|
|
|
|
### Upcoming Focus Areas
|
|
|
|
|
|
|
|
|
|
* WebUI for self service with wifi enrollment, claim management and more.
|
2019-12-03 07:03:05 +01:00
|
|
|
* RBAC/Claims (limited by time and credential scope)
|
2021-02-18 00:28:36 +01:00
|
|
|
* OIDC/Oauth
|
2019-07-28 14:25:12 +02:00
|
|
|
* Replication (async multiple active write servers, read only servers)
|
2021-02-18 00:28:36 +01:00
|
|
|
|
|
|
|
|
### Future
|
|
|
|
|
|
|
|
|
|
* Sudo rule distribution via nsswitch
|
|
|
|
|
* WebUI for administration
|
2018-09-29 09:54:16 +02:00
|
|
|
* Account impersonation
|
2019-07-28 14:25:12 +02:00
|
|
|
* Synchronisation to other IDM services
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2021-02-18 00:28:36 +01:00
|
|
|
### Features We Want to Avoid
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2019-07-28 14:25:12 +02:00
|
|
|
* Auditing: This is better solved by SIEM software, so we should generate data they can consume.
|
2021-02-18 00:28:36 +01:00
|
|
|
* Fully synchronous behaviour: This prevents scaling and our future ability to expand.
|
2019-07-28 14:25:12 +02:00
|
|
|
* Generic database: We don't want to be another NoSQL database, we want to be an IDM solution.
|
|
|
|
|
* Being LDAP/GSSAPI/Kerberos: These are all legacy protocols that are hard to use and confine our thinking - we should avoid "being like them".
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2020-08-24 04:15:21 +02:00
|
|
|
## Some key ideas
|
|
|
|
|
|
|
|
|
|
* All people should be respected and able to be respresented securely.
|
|
|
|
|
* Devices represent users and their identities - they are part of the authentication.
|
|
|
|
|
* Human error occurs - we should be designed to minimise human mistakes and empower people.
|
|
|
|
|
* The system should be easy to understand and reason about for users and admins.
|
|
|
|
|
|
2019-12-03 07:03:05 +01:00
|
|
|
## Development and Testing
|
|
|
|
|
|
|
|
|
|
### Designs
|
2019-07-28 14:28:05 +02:00
|
|
|
|
2020-02-16 22:39:33 +01:00
|
|
|
See the [designs] folder, and compile the private documentation locally:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
cargo doc --document-private-items --open --no-deps
|
|
|
|
|
```
|
2019-07-28 14:28:05 +02:00
|
|
|
|
2020-01-17 02:51:15 +01:00
|
|
|
[designs]: https://github.com/kanidm/kanidm/tree/master/designs
|
2019-07-28 14:28:05 +02:00
|
|
|
|
2019-12-03 07:03:05 +01:00
|
|
|
### Get involved
|
2018-09-29 09:54:16 +02:00
|
|
|
|
2019-03-22 01:09:05 +01:00
|
|
|
To get started, you'll need to fork or branch, and we'll merge based on PR's.
|
|
|
|
|
|
|
|
|
|
If you are a contributor to the project, simply clone:
|
|
|
|
|
|
|
|
|
|
```
|
2020-01-17 02:51:15 +01:00
|
|
|
git clone git@github.com:kanidm/kanidm.git
|
2019-03-22 01:09:05 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If you are forking, then Fork in github and clone with:
|
|
|
|
|
|
|
|
|
|
```
|
2020-01-17 02:51:15 +01:00
|
|
|
git clone https://github.com/kanidm/kanidm.git
|
2019-03-22 01:09:05 +01:00
|
|
|
cd kanidm
|
|
|
|
|
git remote add myfork git@github.com:<YOUR USERNAME>/kanidm.git
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Select and issue (and always feel free to reach out to us for advice!), and create a branch to
|
|
|
|
|
start working:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
git branch <feature-branch-name>
|
|
|
|
|
git checkout <feature-branche-name>
|
2019-12-03 07:03:05 +01:00
|
|
|
cargo test
|
2019-03-22 01:09:05 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
When you are ready for review (even if the feature isn't complete and you just want some advice)
|
|
|
|
|
|
|
|
|
|
```
|
2019-12-03 07:03:05 +01:00
|
|
|
cargo test
|
2019-03-22 01:09:05 +01:00
|
|
|
git commit -m 'Commit message' change_file.rs ...
|
|
|
|
|
git push <myfork/origin> <feature-branch-name>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If you get advice or make changes, just keep commiting to the branch, and pushing to your branch.
|
|
|
|
|
When we are happy with the code, we'll merge in github, meaning you can now cleanup your branch.
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
git checkout master
|
|
|
|
|
git pull
|
|
|
|
|
git branch -D <feature-branch-name>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Rebasing:
|
|
|
|
|
|
|
|
|
|
If you are asked to rebase your change, follow these steps:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
git checkout master
|
|
|
|
|
git pull
|
|
|
|
|
git checkout <feature-branche-name>
|
|
|
|
|
git rebase master
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Then be sure to fix any merge issues or other comments as they arise. If you have issues, you can
|
|
|
|
|
always stop and reset with:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
git rebase --abort
|
|
|
|
|
```
|
|
|
|
|
|
2019-12-03 07:03:05 +01:00
|
|
|
### Development Server Quickstart for Interactive Testing
|
|
|
|
|
|
|
|
|
|
After getting the code, you will need a rust environment. Please investigate rustup for your platform
|
|
|
|
|
to establish this.
|
|
|
|
|
|
|
|
|
|
Once you have the source code, you need certificates to use with the server. I recommend using
|
2020-06-21 13:57:48 +02:00
|
|
|
let's encrypt, but if this is not possible, please use our insecure cert tool. Without certificates
|
|
|
|
|
authentication will fail.
|
2019-12-03 07:03:05 +01:00
|
|
|
|
|
|
|
|
mkdir insecure
|
|
|
|
|
cd insecure
|
|
|
|
|
../insecure_generate_tls.sh
|
|
|
|
|
|
2020-06-21 13:57:48 +02:00
|
|
|
You can now build and run the server with the commands below. It will use a database in /tmp/kanidm.db
|
2019-12-03 07:03:05 +01:00
|
|
|
|
|
|
|
|
cd kanidmd
|
2020-06-21 13:57:48 +02:00
|
|
|
cargo run -- recover_account -c ./server.toml -n admin
|
|
|
|
|
cargo run -- server -c ./server.toml
|
2019-12-03 07:03:05 +01:00
|
|
|
|
|
|
|
|
In a new terminal, you can now build and run the client tools with:
|
|
|
|
|
|
|
|
|
|
cd kanidm_tools
|
|
|
|
|
cargo run -- --help
|
|
|
|
|
cargo run -- self whoami -H https://localhost:8080 -D anonymous -C ../insecure/ca.pem
|
|
|
|
|
cargo run -- self whoami -H https://localhost:8080 -D admin -C ../insecure/ca.pem
|
|
|
|
|
|
|
|
|
|
### Using curl with anonymous:
|
|
|
|
|
|
|
|
|
|
Sometimes you may want to check the json of an endpoint. Before you can do this, you need
|
|
|
|
|
a valid session and cookie jar established. To do this with curl and anonymous:
|
|
|
|
|
|
|
|
|
|
curl -b /tmp/cookie.jar -c /tmp/cookie.jar --cacert ../insecure/ca.pem -X POST -d "{\"step\":{\"Init\":[\"anonymous\",null]}}" https://localhost:8080/v1/auth
|
|
|
|
|
curl -b /tmp/cookie.jar -c /tmp/cookie.jar --cacert ../insecure/ca.pem -X POST -d "{\"step\":{\"Creds\":[\"Anonymous\"]}}" https://localhost:8080/v1/auth
|
|
|
|
|
|
2019-03-22 01:09:05 +01:00
|
|
|
|
2019-02-02 02:44:31 +01:00
|
|
|
## Why do I see rsidm references?
|
|
|
|
|
|
|
|
|
|
The original project name was rsidm while it was a thought experiment. Now that it's growing
|
2019-09-14 15:44:08 +02:00
|
|
|
and developing, we gave it a better project name. Kani is Japanese for "crab". Rust's mascot is a crab.
|
|
|
|
|
Idm is the common industry term for identity management services.
|
2018-09-29 09:54:16 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
