diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index e2e24d498..b661e1521 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -16,21 +16,22 @@ report it to our [issue tracker]. ## 2024-08-07 - Kanidm 1.3.0 -This is the latest stable release of the Kanidm Identity Management project. Every release is -the combined effort of our community and we appreciate their invaluable contributions, comments, +This is the latest stable release of the Kanidm Identity Management project. Every release is the +combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support. You should review our -[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) -as this may have important effects on your distribution or upgrades in future. +[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) as this +may have important effects on your distribution or upgrades in future. -Before upgrading you should review [our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes) +Before upgrading you should review +[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes) ### 1.3.0 Important Changes - New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts - and groups must adhere to these rules. See [our upgrade documentation]. - about tools to help you detect and correct affected entries. + and groups must adhere to these rules. See [our upgrade documentation]. about tools to help you + detect and correct affected entries. - OAuth2 URIs require stricter matching rules to be applied from 1.4.0. - Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It has not been possible to register a new security for more than 1 year. Security Keys are surpassed diff --git a/book/src/access_control/intro.md b/book/src/access_control/intro.md index e93c5c098..48800986d 100644 --- a/book/src/access_control/intro.md +++ b/book/src/access_control/intro.md @@ -77,6 +77,7 @@ groups. | `idm_schema_admins` | add and modify elements of schema | | `idm_service_account_admins` | create and modify service accounts | | `idm_unix_admins` | enable posix attributes on accounts and groups | +| `idm_application_admins` | create and modify ldap applications which use per-user application passwords | ## Default Roles diff --git a/book/src/accounts/authentication_and_credentials.md b/book/src/accounts/authentication_and_credentials.md index 04cd75cb9..00ba82a0e 100644 --- a/book/src/accounts/authentication_and_credentials.md +++ b/book/src/accounts/authentication_and_credentials.md @@ -16,8 +16,8 @@ secure method of authentication in Kanidm. > [!WARNING] > -> Kanidm's definition of Passkeys may differ from that of other systems. This is because -> we adopted the term very early, before it has changed and evolved. +> Kanidm's definition of Passkeys may differ from that of other systems. This is because we adopted +> the term very early, before it has changed and evolved. ### Attested Passkeys @@ -101,8 +101,8 @@ update interface. This allows the user to directly manage the credentials of ano > [!WARNING] > -> Don't use the direct credential reset to lock or invalidate an account. You should -> expire the account instead. +> Don't use the direct credential reset to lock or invalidate an account. You should expire the +> account instead. ```bash kanidm person credential update demo_user --name idm_admin @@ -155,6 +155,5 @@ kanidm reauth -D william > [!NOTE] > -> During reauthentication an account must use the same credential that was used to -> initially authenticate to the session. The reauth flow will not allow any other credentials to be -> used! +> During reauthentication an account must use the same credential that was used to initially +> authenticate to the session. The reauth flow will not allow any other credentials to be used! diff --git a/book/src/accounts/people_accounts.md b/book/src/accounts/people_accounts.md index f30e83222..cd3e7a3a6 100644 --- a/book/src/accounts/people_accounts.md +++ b/book/src/accounts/people_accounts.md @@ -37,16 +37,16 @@ kanidm person get demo_user --name anonymous > [!NOTE] > -> Only members of `idm_people_pii_read` and `idm_people_admins` may read personal -> information by default. +> Only members of `idm_people_pii_read` and `idm_people_admins` may read personal information by +> default. Also > [!WARNING] > -> Persons may change their own displayname, name and legal name at any time. You MUST NOT -> use these values as primary keys in external systems. You MUST use the `uuid` attribute present on -> all entries as an external primary key. +> Persons may change their own displayname, name and legal name at any time. You MUST NOT use these +> values as primary keys in external systems. You MUST use the `uuid` attribute present on all +> entries as an external primary key. ## Account Validity diff --git a/book/src/accounts/service_accounts.md b/book/src/accounts/service_accounts.md index 26b7bc9c9..7343e6b36 100644 --- a/book/src/accounts/service_accounts.md +++ b/book/src/accounts/service_accounts.md @@ -23,7 +23,7 @@ kanidm service-account get demo_service --name idm_admin By delegating the administration of this service account to `demo_group` this allows our `demo_user` to administer the service account. -## Using API Tokens with Service Accounts +## Generating API Tokens For Service Accounts Service accounts can have API tokens generated and associated with them. These tokens can be used for identification of the service account, and for granting extended access rights where the service @@ -66,7 +66,15 @@ kanidm service-account api-token destroy --name ENTRY_MANAGER ACCOUNT_ID TOKEN_I kanidm service-account api-token destroy --name demo_user demo_service 4de2a4e9-e06a-4c5e-8a1b-33f4e7dd5dc7 ``` -## API Tokens with LDAP +### API Tokens with Kanidm HTTPS/REST API + +The API token issued for a service account can be used by putting the token into the HTTP request +`Authorization` header with the format `Bearer `. + +For more see the +[MDN documentation for Authorisation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) + +### API Tokens with LDAP API tokens can also be used to gain extended search permissions with LDAP. To do this you can bind with a dn of `dn=token` and provide the API token as the password. diff --git a/book/src/developers/designs/access_profiles_original.md b/book/src/developers/designs/access_profiles_original.md index cf9ce341a..5d305efd2 100644 --- a/book/src/developers/designs/access_profiles_original.md +++ b/book/src/developers/designs/access_profiles_original.md @@ -185,12 +185,13 @@ moment. An example: -Alice should only be able to modify a user's password if that user is a member of the students group. +Alice should only be able to modify a user's password if that user is a member of the students +group. > [!NOTE] > -> `modify` does not imply `read` of the attribute. Care should be taken that we don't -> disclose the current value in any error messages if the operation fails. +> `modify` does not imply `read` of the attribute. Care should be taken that we don't disclose the +> current value in any error messages if the operation fails. ## Targeting Requirements @@ -416,9 +417,9 @@ depending on the entries and if you can/can't see them. > [!NOTE] > -> You can only `delete`/`modify` within the read scope you have. If you can't read it (based -> on the read rules of `search`), you can't `delete` it. This is in addition to the filter rules of -> the `delete` applying as well. So performing a `delete` of `Pres(class)`, will only delete in your +> You can only `delete`/`modify` within the read scope you have. If you can't read it (based on the +> read rules of `search`), you can't `delete` it. This is in addition to the filter rules of the +> `delete` applying as well. So performing a `delete` of `Pres(class)`, will only delete in your > `read` scope and will never disclose if you are denied access. @@ -100,19 +123,19 @@ And example would be ``` ```js - +// ../static/profile.js --> // Magically gets called on page load and swaps function onProfileSshKeysSwapped() { - // Do implementation things like attaching event listeners + // Do implementation things like attaching event listeners } -indow.onload = function () { - // Event triggered by HTMX because we supply a HxTrigger response header when loading this profile category. - document.body.addEventListener("profileSshKeysSwapped", () => { - onProfileSshKeysSwapped() - }); -} +window.onload = function () { + // Event triggered by HTMX because we supply a HxTrigger response header when loading this profile category. + document.body.addEventListener("profileSshKeysSwapped", () => { + onProfileSshKeysSwapped(); + }); +}; ``` ```rust @@ -125,7 +148,7 @@ struct SshKeysPartialView { fn view_ssh_keys(...) { // ... - + let ssh_keys_swapped_trigger = HxResponseTrigger::after_swap([HxEvent::new("profileSshKeysSwapped".to_string())]); Ok(( ssh_keys_swapped_trigger, @@ -133,4 +156,4 @@ fn view_ssh_keys(...) { HtmlTemplate(SshKeysPartialView { ssh_keys, }) ).into_response()) } -``` \ No newline at end of file +``` diff --git a/book/src/developers/designs/rest_interface.md b/book/src/developers/designs/rest_interface.md index 0052895cc..950b56e00 100644 --- a/book/src/developers/designs/rest_interface.md +++ b/book/src/developers/designs/rest_interface.md @@ -2,8 +2,8 @@ > [!NOTE] > -> This is a work in progress and not all endpoints have perfect schema definitions, but -> they're all covered! +> This is a work in progress and not all endpoints have perfect schema definitions, but they're all +> covered! We're generating an OpenAPI specification file and Swagger interface using [utoipa](https://crates.io/crates/utoipa). diff --git a/book/src/developers/readme.md b/book/src/developers/readme.md index f667751b0..ec0b0b646 100644 --- a/book/src/developers/readme.md +++ b/book/src/developers/readme.md @@ -84,8 +84,8 @@ deployment, will aim to provide a positive experience to all people. It's important before you start trying to write code and contribute that you understand what Kanidm does and its goals. -An important first step is to [install the server](../installing_the_server.md) so if you have not done -that yet, go and try that now! 😄 +An important first step is to [install the server](../installing_the_server.md) so if you have not +done that yet, go and try that now! 😄 ## Setting up your Machine @@ -169,8 +169,8 @@ Tested with Ubuntu 20.04 and 22.04. > [!CAUTION] > -> Our support for Windows is still in development, so you may encounter some compilation -> or build issues. +> Our support for Windows is still in development, so you may encounter some compilation or build +> issues. You need [rustup](https://rustup.rs/) to install a Rust toolchain. @@ -227,8 +227,8 @@ cargo test > [!IMPORTANT] > -> Kanidm is unable to accept code that is generated by an AI for legal reasons. copilot -> and other tools that generate code in this way can not be used in Kanidm. +> Kanidm is unable to accept code that is generated by an AI for legal reasons. copilot and other +> tools that generate code in this way can not be used in Kanidm. When you are ready for review (even if the feature isn't complete and you just want some advice): @@ -331,7 +331,7 @@ KANIDM_BUILD_PROFILE=release_linux cargo build --release --bin kanidmd > [!NOTE:] > > There is a pre-packaged version of the Web UI at `/server/web_ui/pkg/`, which can be used -directly. This means you don't need to build the Web UI yourself. +> directly. This means you don't need to build the Web UI yourself. The Web UI uses Rust WebAssembly rather than Javascript. To build this you need to set up the environment: @@ -398,8 +398,8 @@ You may find it easier to modify `~/.config/kanidm` per the > [!NOTICE] > -> It's not recommended to use these tools outside of extremely complex or advanced -> development requirements. These are a last resort! +> It's not recommended to use these tools outside of extremely complex or advanced development +> requirements. These are a last resort! The server has a low-level stateful API you can use for more complex or advanced tasks on large numbers of entries at once. Some examples are below, but generally we advise you to use the APIs or diff --git a/book/src/domain_rename.md b/book/src/domain_rename.md index 40c2dadc7..ee78a0f7a 100644 --- a/book/src/domain_rename.md +++ b/book/src/domain_rename.md @@ -6,17 +6,17 @@ or other needs which may prompt this needing to be changed. > [!WARNING] > -> This WILL break ALL u2f/webauthn tokens that have been enrolled, which MAY cause -> accounts to be locked out and unrecoverable until further action is taken. DO NOT CHANGE the -> domain name unless REQUIRED and have a plan on how to manage these issues. +> This WILL break ALL PassKeys (WebAuthn tokens) that have been enrolled, which MAY cause accounts to be +> locked out and unrecoverable until further action is taken. DO NOT CHANGE the domain name unless +> REQUIRED and have a plan on how to manage these issues.   > [!NOTE] > -> This operation can take an extensive amount of time as ALL accounts and groups in the -> domain MUST have their Security Principal Names (SPNs) regenerated. This WILL also cause a large -> delay in replication once the system is restarted. +> This operation MAY take an extensive amount of time as ALL accounts and groups in the domain MUST +> have their Security Principal Names (SPNs) regenerated. This WILL also cause a large delay in +> replication once the system is restarted. You should make a backup before proceeding with this operation. diff --git a/book/src/evaluation_quickstart.md b/book/src/evaluation_quickstart.md index e34bb6297..856931927 100644 --- a/book/src/evaluation_quickstart.md +++ b/book/src/evaluation_quickstart.md @@ -7,7 +7,8 @@ considerations you should be aware of for production deployments. ## Requirements -The only thing you'll need for this is Docker, Podman, or a compatible containerd environment installed and running. +The only thing you'll need for this is Docker, Podman, or a compatible containerd environment +installed and running. ## Get the software @@ -17,7 +18,8 @@ docker pull docker.io/kanidm/server:latest ## Create your configuration -Create `server.toml`. The important parts are the `domain` and `origin`. For this example, if you use `localhost` and `https://localhost:8443` this will match later commands. +Create `server.toml`. The important parts are the `domain` and `origin`. For this example, if you +use `localhost` and `https://localhost:8443` this will match later commands. ```toml {{#rustdoc_include ../../examples/server_container.toml}} @@ -105,7 +107,8 @@ Then follow the presented steps. ## What next? -You'll probably want to set it up properly, so that other computers can access it, so [choose a domain name](choosing_a_domain_name.md) and complete the full server installation. +You'll probably want to set it up properly, so that other computers can access it, so +[choose a domain name](choosing_a_domain_name.md) and complete the full server installation. Alternatively you might like to try configurig one of these: diff --git a/book/src/examples/kubernetes_ingress.md b/book/src/examples/kubernetes_ingress.md index 21a0d8004..c2f2253d4 100644 --- a/book/src/examples/kubernetes_ingress.md +++ b/book/src/examples/kubernetes_ingress.md @@ -15,8 +15,7 @@ We recommend you have the following before continuing: ## Instructions 1. Create a Kanidm account and group: - 1. Create a Kanidm account. Please see the section - [Creating Accounts](../accounts/intro.md). + 1. Create a Kanidm account. Please see the section [Creating Accounts](../accounts/intro.md). 2. Give the account a password. Please see the section [Resetting Account Credentials](../accounts/authentication_and_credentials.md). 3. Make the account a person. Please see the section diff --git a/book/src/examples/traefik.md b/book/src/examples/traefik.md index fb7317c2d..5bdc2eb3d 100644 --- a/book/src/examples/traefik.md +++ b/book/src/examples/traefik.md @@ -14,9 +14,9 @@ line `traefik.http.services.kanidm.loadbalancer.server.port=8443` sets this on t > [!NOTE] > -> You will need to generate self-signed certificates for Kanidm, and copy the configuration -> into the `kanidm_data` volume. Some instructions are available in the "Installing the Server" -> section of this book. +> You will need to generate self-signed certificates for Kanidm, and copy the configuration into the +> `kanidm_data` volume. Some instructions are available in the "Installing the Server" section of +> this book. `docker-compose.yml` diff --git a/book/src/installing_client_tools.md b/book/src/installing_client_tools.md index f3d0bd285..ae0552c0c 100644 --- a/book/src/installing_client_tools.md +++ b/book/src/installing_client_tools.md @@ -2,9 +2,9 @@ > [!NOTE] > -> Running different release versions will likely present incompatibilities. Ensure you're -> running matching release versions of client and server binaries. If you have any issues, check -> that you are running the latest version of Kanidm. +> Running different release versions will likely present incompatibilities. Ensure you're running +> matching release versions of client and server binaries. If you have any issues, check that you +> are running the latest version of Kanidm. ## From packages @@ -65,9 +65,9 @@ brew install kanidm > [!NOTE] > -> Kanidm frequently uses new Rust versions and features, however Fedora and CentOS -> frequently are behind in Rust releases. As a result, they may not always have the latest Kanidm -> versions available. +> Kanidm frequently uses new Rust versions and features, however Fedora and CentOS frequently are +> behind in Rust releases. As a result, they may not always have the latest Kanidm versions +> available. Fedora has limited support through the development repository. You need to add the repository metadata into the correct directory: @@ -91,11 +91,13 @@ dnf install kanidm-clients ### Ubuntu and Debian -See for nightly-built packages of the current development builds, and how to install them. +See for nightly-built packages of the current development +builds, and how to install them. ## Alpine Linux -Kanidm is available in the [Alpine Linux testing repository](https://pkgs.alpinelinux.org/packages?name=kanidm%2A). +Kanidm is available in the +[Alpine Linux testing repository](https://pkgs.alpinelinux.org/packages?name=kanidm%2A). To install the Kanidm client use: diff --git a/book/src/integrations/ldap.md b/book/src/integrations/ldap.md index efff7f502..da28e67ed 100644 --- a/book/src/integrations/ldap.md +++ b/book/src/integrations/ldap.md @@ -8,9 +8,9 @@ interface for these legacy applications and services. > [!WARNING] > -> The LDAP server in Kanidm is not a complete LDAP implementation. This is intentional, -> as Kanidm wants to cover the common use cases - simple bind and search. The parts we do support -> are RFC compliant however. +> The LDAP server in Kanidm is not a complete LDAP implementation. This is intentional, as Kanidm +> wants to cover the common use cases - simple bind and search. The parts we do support are RFC +> compliant however. ## What is LDAP @@ -144,8 +144,8 @@ with a dn of `dn=token` and provide the api token in the password. > [!NOTE] > -> The `dn=token` keyword is guaranteed to not be used by any other entry, which is why it -> was chosen as the keyword to initiate api token binds. +> The `dn=token` keyword is guaranteed to not be used by any other entry, which is why it was chosen +> as the keyword to initiate api token binds. ```bash ldapwhoami -H ldaps://URL -x -D "dn=token" -w "TOKEN" @@ -163,8 +163,8 @@ name. > [!WARNING] > -> Changing the LDAP Basedn will require you to reconfigure your client applications so -> they search the correct basedn. Be careful when changing this value! +> Changing the LDAP Basedn will require you to reconfigure your client applications so they search +> the correct basedn. Be careful when changing this value! As an admin you can change the domain ldap basedn with: diff --git a/book/src/integrations/oauth2.md b/book/src/integrations/oauth2.md index 4b1acb13c..f81f2f590 100644 --- a/book/src/integrations/oauth2.md +++ b/book/src/integrations/oauth2.md @@ -2,8 +2,8 @@ OAuth is a web authorisation protocol that allows "single sign on". It's key to note OAuth only provides authorisation, as the protocol in its default forms do not provide identity or -authentication information. All that OAuth can provide is information that an entity is authorised for -the requested resources. +authentication information. All that OAuth can provide is information that an entity is authorised +for the requested resources. OAuth can tie into extensions allowing an identity provider to reveal information about authorised sessions. This extends OAuth from an authorisation only system to a system capable of identity and @@ -12,11 +12,13 @@ connect. ## Resource Server and Clients -This is the resource that a user wants to access. Common [examples](oauth2/examples.md) could be Nextcloud, a Wiki, or a -chat service. In these cases the service is both the _client_ and the _resource server_ within the -OAuth2 workflow. We will refer to the combination of both client and resource server as a service. +This is the resource that a user wants to access. Common [examples](oauth2/examples.md) could be +Nextcloud, a Wiki, or a chat service. In these cases the service is both the _client_ and the +_resource server_ within the OAuth2 workflow. We will refer to the combination of both client and +resource server as a service. -It's important for you to know _how_ your service will interact with OAuth2. For example, does it rely on OpenID connect for identity information, or does it support RFC7662 token introspection? +It's important for you to know _how_ your service will interact with OAuth2. For example, does it +rely on OpenID connect for identity information, or does it support RFC7662 token introspection? Kanidm will expose its OAuth2 APIs at the following URLs: @@ -36,8 +38,8 @@ Kanidm issues tokens that are RFC9068 JWT's allowing service introspection. > [!NOTE] > -> Previous versions of this document incorrectly named clients as resource servers due to -> clarity issues in the OAuth2 RFC. +> Previous versions of this document incorrectly named clients as resource servers due to clarity +> issues in the OAuth2 RFC. ### OAuth2 Server Metadata @@ -64,10 +66,12 @@ You need to substitute your OAuth2 `:client_id:` in the following urls: ### Create the Kanidm Configuration -By default, members of the `system_admins` or `idm_hp_oauth2_manage_priv` groups are able to create or manage OAuth2 client integrations. +By default, members of the `system_admins` or `idm_hp_oauth2_manage_priv` groups are able to create +or manage OAuth2 client integrations. You can create a new client by specifying its client name, application display name and the landing -page (home page) of the client. The landing page is where users will be redirected to from the Kanidm application portal. +page (home page) of the client. The landing page is where users will be redirected to from the +Kanidm application portal. ```bash kanidm system oauth2 create @@ -90,13 +94,13 @@ kanidm system oauth2 update-scope-map nextcloud nextcloud_admins admin > [!TIP] > -> OpenID connect allows a number of scopes that affect the content of the resulting -> authorisation token. If one of the following scopes are requested by the OpenID client, then the -> associated claims may be added to the authorisation token. It is not guaranteed that all of the -> associated claims will be added. +> OpenID connect allows a number of scopes that affect the content of the resulting authorisation +> token. If one of the following scopes are requested by the OpenID client, then the associated +> claims may be added to the authorisation token. It is not guaranteed that all of the associated +> claims will be added. > -> - **profile** - name, family_name, given_name, middle_name, nickname, preferred_username, -> profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at +> - **profile** - name, family_name, given_name, middle_name, nickname, preferred_username, profile, +> picture, website, gender, birthdate, zoneinfo, locale, and updated_at > - **email** - email, email_verified > - **address** - address > - **phone** - phone_number, phone_number_verified @@ -105,8 +109,8 @@ kanidm system oauth2 update-scope-map nextcloud nextcloud_admins admin > [!WARNING] > -> If you are creating an OpenID Connect (OIDC) client you **MUST** provide a scope map -> named `openid`. Without this, OpenID Connect clients **WILL NOT WORK**! +> If you are creating an OpenID Connect (OIDC) client you **MUST** provide a scope map named +> `openid`. Without this, OpenID Connect clients **WILL NOT WORK**! You can create a supplemental scope map with: @@ -148,9 +152,10 @@ You should now be able to test authorisation to the client. ## Scope Relationships -For an authorisation to proceed, the client will request a list of scopes. For example, when a user wishes to login to the admin panel of the resource server, it may -request the "admin" scope from Kanidm for authorisation. But when a user wants to login, it may only -request "access" as a scope from Kanidm. +For an authorisation to proceed, the client will request a list of scopes. For example, when a user +wishes to login to the admin panel of the resource server, it may request the "admin" scope from +Kanidm for authorisation. But when a user wants to login, it may only request "access" as a scope +from Kanidm. As each service may have its own scopes and understanding of these, Kanidm isolates scopes to each service connected to Kanidm. Kanidm has two methods of granting scopes to accounts (users). @@ -162,11 +167,11 @@ groups/roles in Kanidm which can be specific to that service. For an authorisation to proceed, all scopes requested by the client must be available in the final scope set that is granted to the account. -The second part is supplemental scope mappings. These function the same as scope maps where membership of -a group provides a set of scopes to the account. However these scopes are NOT consulted during -authorisation decisions made by Kanidm. These scopes exist to allow optional properties to be -provided (such as personal information about a subset of accounts to be revealed) or so that the -service may make its own authorisation decisions based on the provided scopes. +The second part is supplemental scope mappings. These function the same as scope maps where +membership of a group provides a set of scopes to the account. However these scopes are NOT +consulted during authorisation decisions made by Kanidm. These scopes exist to allow optional +properties to be provided (such as personal information about a subset of accounts to be revealed) +or so that the service may make its own authorisation decisions based on the provided scopes. This use of scopes is the primary means to control who can access what resources. These access decisions can take place either on Kanidm or the service. @@ -214,8 +219,8 @@ kanidm system oauth2 enable-localhost-redirects mywebapp > > You **MUST NOT** share a single OAuth2 client definition between multiple applications. > -> The ability to configure multiple redirect URLs is **NOT** intended to allow you to share a single Kanidm -> client definition between multiple OAuth2 clients. +> The ability to configure multiple redirect URLs is **NOT** intended to allow you to share a single +> Kanidm client definition between multiple OAuth2 clients. > > Sharing OAuth2 client configurations between applications **FUNDAMENTALLY BREAKS** the OAuth2 > security model and is **NOT SUPPORTED** as a configuration. The Kanidm Project **WILL NOT** @@ -266,8 +271,8 @@ settings are explained in detail in [our FAQ](../frequently_asked_questions.html > [!WARNING] > -> Changing these settings MAY have serious consequences on the security of your services. -> You should avoid changing these if at all possible! +> Changing these settings MAY have serious consequences on the security of your services. You should +> avoid changing these if at all possible! To disable PKCE for a confidential client: diff --git a/book/src/integrations/oauth2/how_does_oauth2_work.md b/book/src/integrations/oauth2/how_does_oauth2_work.md index e7ba7b73d..dcccf6b5b 100644 --- a/book/src/integrations/oauth2/how_does_oauth2_work.md +++ b/book/src/integrations/oauth2/how_does_oauth2_work.md @@ -3,15 +3,15 @@ OAuth2 uses a number of terms in ways that can make it unclear and difficult to understand. A user wishes to access a service (resource, resource server) through an OAuth2 client. The client -does not have an active session for the userm so it redirects to the authorisation server (Kanidm) to -determine if the user has the appropriate permissions (scopes) for -the requested resources, and should be allowed to proceed. +does not have an active session for the userm so it redirects to the authorisation server (Kanidm) +to determine if the user has the appropriate permissions (scopes) for the requested resources, and +should be allowed to proceed. The authorisation server checks the current session of the user and may present a login flow if -required. Based on the identity of the user and the requested scopes, -the authorisation server makes a decision if it allows the authorisation to proceed. The user is -then prompted to consent to the authorisation from the authorisation server to the client as some -identity information may be revealed by granting this consent. +required. Based on the identity of the user and the requested scopes, the authorisation server makes +a decision if it allows the authorisation to proceed. The user is then prompted to consent to the +authorisation from the authorisation server to the client as some identity information may be +revealed by granting this consent. If successful and consent is given, the user is redirected back to the client with an authorisation code. The client then contacts the authorisation server directly with this code and exchanges it for diff --git a/book/src/integrations/pam_and_nsswitch.md b/book/src/integrations/pam_and_nsswitch.md index 23c3b7300..30af6354e 100644 --- a/book/src/integrations/pam_and_nsswitch.md +++ b/book/src/integrations/pam_and_nsswitch.md @@ -39,9 +39,9 @@ systemctl status kanidm-unixd-tasks > [!NOTE] > -> The `kanidm_unixd_tasks` daemon is not required for PAM and nsswitch functionality. If -> disabled, your system will function as usual. It is however strongly recommended due to the -> features it provides supporting Kanidm's capabilities. +> The `kanidm_unixd_tasks` daemon is not required for PAM and nsswitch functionality. If disabled, +> your system will function as usual. It is however strongly recommended due to the features it +> provides supporting Kanidm's capabilities. Both unixd daemons use the connection configuration from /etc/kanidm/config. This is the covered in [client_tools](../client_tools.md#kanidm-configuration). @@ -54,11 +54,10 @@ You can also configure some unixd-specific options with the file /etc/kanidm/uni > [!NOTE] > -> All users in Kanidm can change their name (and their spn) at any time. If you change -> `home_attr` from `uuid` you _must_ have a plan on how to manage these directory renames in your -> system. We recommend that you have a stable ID (like the UUID), and symlinks from the name to the -> UUID folder. Automatic support is provided for this via the unixd tasks daemon, as documented -> here. +> All users in Kanidm can change their name (and their spn) at any time. If you change `home_attr` +> from `uuid` you _must_ have a plan on how to manage these directory renames in your system. We +> recommend that you have a stable ID (like the UUID), and symlinks from the name to the UUID +> folder. Automatic support is provided for this via the unixd tasks daemon, as documented here. > > Ubuntu users please see: > [Why aren't snaps launching with home_alias set?](../frequently_asked_questions.md#why-arent-snaps-launching-with-home_alias-set) @@ -122,9 +121,9 @@ testgroup:x:2439676479:testunix > [!WARNING] > -> Modifications to PAM configuration _may_ leave your system in a state where you are -> unable to login or authenticate. You should always have a recovery shell open while making changes -> (for example, root), or have access to single-user mode at the machine's console. +> Modifications to PAM configuration _may_ leave your system in a state where you are unable to +> login or authenticate. You should always have a recovery shell open while making changes (for +> example, root), or have access to single-user mode at the machine's console. Pluggable Authentication Modules (PAM) is the mechanism a UNIX-like system that authenticates users, and to control access to some resources. This is configured through a stack of modules that are diff --git a/book/src/integrations/pam_and_nsswitch/fedora.md b/book/src/integrations/pam_and_nsswitch/fedora.md index 84679e950..dbd725969 100644 --- a/book/src/integrations/pam_and_nsswitch/fedora.md +++ b/book/src/integrations/pam_and_nsswitch/fedora.md @@ -2,8 +2,8 @@ > [!WARNING] > -> Kanidm currently has no support for SELinux policy - this may mean you need to run -> the daemon with permissive mode for the `unconfined_service_t` daemon type. To do this run: +> Kanidm currently has no support for SELinux policy - this may mean you need to run the daemon with +> permissive mode for the `unconfined_service_t` daemon type. To do this run: > `semanage permissive -a unconfined_service_t`. To undo this run > `semanage permissive -d unconfined_service_t`. > diff --git a/book/src/integrations/pam_and_nsswitch/suse.md b/book/src/integrations/pam_and_nsswitch/suse.md index 59e19e31d..72d69ff04 100644 --- a/book/src/integrations/pam_and_nsswitch/suse.md +++ b/book/src/integrations/pam_and_nsswitch/suse.md @@ -71,5 +71,5 @@ session optional pam_env.so > [!WARNING] > -> Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your -> PAM configuration, as they interfere with the correct operation of the Kanidm tasks daemon. +> Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your PAM +> configuration, as they interfere with the correct operation of the Kanidm tasks daemon. diff --git a/book/src/integrations/ssh_key_distribution.md b/book/src/integrations/ssh_key_distribution.md index b2cc8ac4f..bc11bc104 100644 --- a/book/src/integrations/ssh_key_distribution.md +++ b/book/src/integrations/ssh_key_distribution.md @@ -77,8 +77,8 @@ management tool such as salt or ansible. > [!NOTE] > -> With a working SSH key setup, you should also consider adding the following -> `sshd_config` options as hardening. +> With a working SSH key setup, you should also consider adding the following `sshd_config` options +> as hardening. ```text PermitRootLogin no @@ -94,9 +94,9 @@ In this mode, the authorised keys commands will contact Kanidm directly. > [!NOTE] > -> As Kanidm is being contacted directly there is no SSH public key cache. Any network outage -> or communication loss may prevent you accessing your systems. You should only use this version if -> you have a requirement for it. +> As Kanidm is being contacted directly there is no SSH public key cache. Any network outage or +> communication loss may prevent you accessing your systems. You should only use this version if you +> have a requirement for it. The `kanidm_ssh_authorizedkeys_direct` command is part of the kanidm-clients package, so should be installed on the servers. diff --git a/book/src/integrations/sssd.md b/book/src/integrations/sssd.md index 397deaccc..27a99bdd8 100644 --- a/book/src/integrations/sssd.md +++ b/book/src/integrations/sssd.md @@ -1,12 +1,12 @@ # SSSD -[SSSD](https://sssd.io/) is an alternative [PAM and nsswitch](./pam_and_nsswitch.md) provider that is -commonly available on Linux. +[SSSD](https://sssd.io/) is an alternative [PAM and nsswitch](./pam_and_nsswitch.md) provider that +is commonly available on Linux. > [!WARNING] > -> SSSD should be considered a "last resort". If possible, always use the native Kanidm -> pam and nsswitch tools instead. +> SSSD should be considered a "last resort". If possible, always use the native Kanidm pam and +> nsswitch tools instead. ## Limitations diff --git a/book/src/preparing_for_your_deployment.md b/book/src/preparing_for_your_deployment.md index c17167b60..10fc26775 100644 --- a/book/src/preparing_for_your_deployment.md +++ b/book/src/preparing_for_your_deployment.md @@ -18,11 +18,10 @@ docker pull kanidm/tools:latest > [!NOTE] > -> Our preferred deployment method is in containers, and this documentation assumes you're -> running in docker. Kanidm will alternately run as a daemon/service, and server builds are -> available for multiple platforms if you prefer this option. You may need to adjust the example -> commands throughout this document to suit your desired server type if you choose not to use -> containers. +> Our preferred deployment method is in containers, and this documentation assumes you're running in +> docker. Kanidm will alternately run as a daemon/service, and server builds are available for +> multiple platforms if you prefer this option. You may need to adjust the example commands +> throughout this document to suit your desired server type if you choose not to use containers. ## Development Version @@ -102,8 +101,8 @@ the series of intermediates, and the final certificate should be the CA root. Fo > [!NOTE] > -> If you are using Let's Encrypt the provided files "fullchain.pem" and "privkey.pem" are -> already correctly formatted as required for Kanidm. +> If you are using Let's Encrypt the provided files "fullchain.pem" and "privkey.pem" are already +> correctly formatted as required for Kanidm. You can validate that the leaf certificate matches the key with the command: @@ -136,9 +135,9 @@ openssl verify -untrusted fullchain.pem fullchain.pem > [!NOTE] > -> Here "-untrusted" flag means a list of further certificates in the chain to build up to -> the root is provided, but that the system CA root should be consulted. Verification is NOT -> bypassed or allowed to be invalid. +> Here "-untrusted" flag means a list of further certificates in the chain to build up to the root +> is provided, but that the system CA root should be consulted. Verification is NOT bypassed or +> allowed to be invalid. If these verifications pass you can now use these certificates with Kanidm. To put the certificates in place you can use a shell container that mounts the volume such as: diff --git a/book/src/recycle_bin.md b/book/src/recycle_bin.md index 36d5d8c11..f2d1d815e 100644 --- a/book/src/recycle_bin.md +++ b/book/src/recycle_bin.md @@ -5,8 +5,8 @@ for a period of time. > [!WARNING] > -> The recycle bin is a best effort - when recovering in some cases not everything can be -> "put back" the way it was. Be sure to check your entries are valid once they have been revived. +> The recycle bin is a best effort - when recovering in some cases not everything can be "put back" +> the way it was. Be sure to check your entries are valid once they have been revived. ## Where is the Recycle Bin? diff --git a/book/src/repl/administration.md b/book/src/repl/administration.md index 068301708..6649a44bd 100644 --- a/book/src/repl/administration.md +++ b/book/src/repl/administration.md @@ -16,8 +16,8 @@ You must then copy the new certificate to other nodes in the topology. > [!NOTE] > -> In the future we will develop a replication coordinator so that you don't have to -> manually renew this. But for now, if you want replication, you have to do it the hard way. +> In the future we will develop a replication coordinator so that you don't have to manually renew +> this. But for now, if you want replication, you have to do it the hard way. ## Refresh a Lagging Consumer diff --git a/book/src/repl/deployment.md b/book/src/repl/deployment.md index 585c0debf..312e72f42 100644 --- a/book/src/repl/deployment.md +++ b/book/src/repl/deployment.md @@ -2,8 +2,8 @@ > [!WARNING] > -> Replication is a newly developed feature. This means it requires manual configuration -> and careful monitoring. You should take regular backups if you choose to proceed. +> Replication is a newly developed feature. This means it requires manual configuration and careful +> monitoring. You should take regular backups if you choose to proceed. ## Node Setup @@ -32,8 +32,8 @@ Once configured, deploy this config to your servers and restart the nodes. > [!NOTE] > -> In the future we will develop a replication coordinator so that you don't have to -> manually configure this. But for now, if you want replication, you have to do it the hard way. +> In the future we will develop a replication coordinator so that you don't have to manually +> configure this. But for now, if you want replication, you have to do it the hard way. Each node has an identify certificate that is internally generated and used to communicate with other nodes in the topology. This certificate is also used by other nodes to validate this node. @@ -95,8 +95,8 @@ docker exec -i -t \ > [!NOTE] > -> In the future we will develop a replication coordinator so that you don't have to -> manually configure this. But for now, if you want replication, you have to do it the hard way. +> In the future we will develop a replication coordinator so that you don't have to manually +> configure this. But for now, if you want replication, you have to do it the hard way. This is the same as the manual process, but a single server is defined as the "primary" and the partner server is the "secondary". This means that if database issues occur the content of the diff --git a/book/src/repl/planning.md b/book/src/repl/planning.md index aec667a1f..b3f2f63cb 100644 --- a/book/src/repl/planning.md +++ b/book/src/repl/planning.md @@ -2,8 +2,8 @@ > [!WARNING] > -> Replication is a newly developed feature. This means it requires manual configuration -> and careful monitoring. You should keep backups if you choose to proceed. +> Replication is a newly developed feature. This means it requires manual configuration and careful +> monitoring. You should keep backups if you choose to proceed. It is important that you plan your replication deployment before you proceed. You may have a need for high availability within a datacentre, geographic redundancy, or improvement of read scaling. diff --git a/book/src/security_hardening.md b/book/src/security_hardening.md index fd3ef1174..825e11eec 100644 --- a/book/src/security_hardening.md +++ b/book/src/security_hardening.md @@ -151,8 +151,8 @@ docker run --rm -i -t -u 1000:1000 -v kanidmd:/data kanidm/server:latest /sbin/k > [!HINT] > -> You need to use the UID or GID number with the `-u` argument, as the container can't -> resolve usernames from the host system. +> You need to use the UID or GID number with the `-u` argument, as the container can't resolve +> usernames from the host system. ## Minimum TLS key lengths diff --git a/book/src/server_configuration.md b/book/src/server_configuration.md index 2905aa4db..8ddb96f64 100644 --- a/book/src/server_configuration.md +++ b/book/src/server_configuration.md @@ -18,8 +18,8 @@ docs page for your particular build. > [!WARNING] > -> You MUST set the `domain`, `origin`, `tls_chain` and `tls_path` options via one method -> or the other, or the server cannot start! +> You MUST set the `domain`, `origin`, `tls_chain` and `tls_path` options via one method or the +> other, or the server cannot start! The following is a commented example configuration. @@ -32,13 +32,14 @@ This example is located in > [!WARNING] > -> You MUST set the "domain" name correctly, aligned with your "origin", else the server -> may refuse to start or some features (e.g. WebAuthn, OAuth2) may not work correctly! +> You MUST set the "domain" name correctly, aligned with your "origin", else the server may refuse +> to start or some features (e.g. WebAuthn, OAuth2) may not work correctly! ### Check the configuration is valid You should test your configuration is valid before you proceed. This defaults to using -`-c /data/server.toml`. The `kanidmd` volume was created in the [evaluation quickstart](evaluation_quickstart.md) +`-c /data/server.toml`. The `kanidmd` volume was created in the +[evaluation quickstart](evaluation_quickstart.md) ```bash docker run --rm -i -t -v kanidmd:/data \ @@ -69,8 +70,8 @@ docker run --cap-add NET_BIND_SERVICE \ > [!TIP] > -> However you choose to run your server, you should document and keep note of the docker run -> / create command you chose to start the instance. This will be used in the upgrade procedure. +> However you choose to run your server, you should document and keep note of the docker run / +> create command you chose to start the instance. This will be used in the upgrade procedure. ### Default Admin Accounts diff --git a/book/src/server_updates.md b/book/src/server_updates.md index f0811ba23..63cadb298 100644 --- a/book/src/server_updates.md +++ b/book/src/server_updates.md @@ -32,9 +32,9 @@ process. > [!TIP] > -> You should have documented and preserved your Kanidm container create / run command from -> the server preparation guide. If not, you'll need to use `docker inspect` to work out how to -> recreate these parameters. +> You should have documented and preserved your Kanidm container create / run command from the +> server preparation guide. If not, you'll need to use `docker inspect` to work out how to recreate +> these parameters. ### Upgrade Check @@ -80,8 +80,8 @@ See [backup and restore](backup_and_restore.md) > [!WARNING] > -> Downgrades are not possible. It is critical you know how to backup and restore before -> you proceed with this step. +> Downgrades are not possible. It is critical you know how to backup and restore before you proceed +> with this step. Docker updates operate by deleting and recreating the container. All state that needs to be preserved is within your storage volume. diff --git a/book/src/sync/concepts.md b/book/src/sync/concepts.md index 28af927d5..99ba0a8d6 100644 --- a/book/src/sync/concepts.md +++ b/book/src/sync/concepts.md @@ -55,8 +55,8 @@ token: eyJhbGci... > [!WARNING] > -> The sync account token has a high level of privilege, able to create new accounts and -> groups. It should be treated carefully as a result! +> The sync account token has a high level of privilege, able to create new accounts and groups. It +> should be treated carefully as a result! If you need to revoke the token, you can do so with: @@ -120,8 +120,8 @@ sync account. > [!WARNING] > -> You can not undo this operation. Once you have finalised an agreement, Kanidm owns all -> of the synchronised data, and you can not resume synchronisation. +> You can not undo this operation. Once you have finalised an agreement, Kanidm owns all of the +> synchronised data, and you can not resume synchronisation. ```bash kanidm system sync finalise @@ -138,8 +138,8 @@ account, you can choose to terminate the agreement removing all data that was im > [!WARNING] > -> You can not undo this operation. Once you have terminated an agreement, Kanidm deletes -> all of the synchronised data, and you can not resume synchronisation. +> You can not undo this operation. Once you have terminated an agreement, Kanidm deletes all of the +> synchronised data, and you can not resume synchronisation. ```bash kanidm system sync terminate