Release Notes (#3149)

* Update RELEASE_NOTES.md

README.md

@@ -14,7 +14,7 @@ of requirements and integrations. You should not need any other components (like
 use Kanidm - we already have everything you need!
 
 To achieve this we rely heavily on strict defaults, simple configuration, and self-healing
-components. This allows Kanidm to run from small home labs, families, small businesses, and all the
+components. This allows Kanidm to support small home labs, families, small businesses, and all the
 way to the largest enterprise needs.
 
 If you want to host your own authentication service, then Kanidm is for you!
@@ -121,7 +121,7 @@ of resource overhead and difficulty for administration and upgrades.
 
 Kanidm aims to have the features richness of FreeIPA, but without the resource and administration
 overheads. If you want a complete IDM package, but in a lighter footprint and easier to manage, then
-Kanidm is probably for you. In testing with 3000 users + 1500 groups, Kanidm is 3 times faster for
+Kanidm is probably for you. In testing with 3000 users and 1500 groups, Kanidm is 3 times faster for
 search operations and 5 times faster for modification and addition of entries (your results may
 differ however, but generally Kanidm is much faster than FreeIPA).
 
@@ -147,7 +147,7 @@ elements in a simpler and correct way out of the box in comparison.
   <summary>Rauthy</summary>
 
 Rauthy is a minimal OIDC provider. It supports WebAuthn just like Kanidm - they actually use our
-library for it!
+libraries for it!
 
 Rauthy only provides support for OIDC and so is unable to support other use cases like RADIUS and
 unix authentication.
@@ -161,7 +161,7 @@ then Kanidm will support those.
   <summary>Authentik / Authelia / Zitadel</summary>
 
 Authentik is an IDM provider written in Python and, Authelia and Zitadel are written in Go. all
-similar to Kanidm in the features it offers but notably all have weaker support for unix
+similar to Kanidm in the features it offers but notably all have weaker support for UNIX
 authentication and do not support the same level of authentication policy as Kanidm. Notably, all
 are missing WebAuthn Attestation.
 

RELEASE_NOTES.md

@@ -14,6 +14,57 @@ report it to our [issue tracker].
 
 # Release Notes
 
+## 2024-08-07 - Kanidm 1.4.0
+
+This is the latest stable release of the Kanidm Identity Management project. Every release is the
+combined effort of our community and we appreciate their invaluable contributions, comments,
+questions, feedback and support.
+
+You should review our
+[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) as this
+may have important effects on your distribution or upgrades in future.
+
+Before upgrading you should review
+[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes)
+
+### 1.4.0 Important Changes
+
+- The web user interface has been rewritten and now supports theming. You will notice that your
+domain displayname is included in a number of locations on upgrade, and that you can set
+your own domain and OAuth2 client icons.
+- OAuth2 strict redirect uri is now required. Ensure you have read
+[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes).
+and taken the needed steps before upgrading.
+
+### 1.4.0 Release Highlights
+
+- Improve handling of client timeouts when the server is under high load
+- Resolve a minor issue preventing some credential updates from saving
+- PAM/NSS unixd now allow non-Kanidm backends - more to come soon
+- Mail attributes have substring indexing added
+- Access controls for mail servers to read mail attributes
+- Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
+- Resolve a minor issue in OAuth2 introspection which returned the wrong claim for `token_type`
+- Resolve an issue where memberOf should imply dynamicMemberOf in access controls
+- Allow configuration of custom domain icons
+- Internal representation of attributes changed to an enum to reduce memory consumption
+- Add CreatedAt and ModifiedAt timestamps to entries
+- Expose RFC7009 and RFC7662 via OIDC metadata discovery
+- Improve pipe handling for CLI tools
+- Large techdebt cleanups
+- PAM/NSS unixd can provide system users, replacing `pam_unix`
+- Account policy supports LDAP password fallback to main password
+- PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
+- Resolve a potential issue in replication on upgrade where migrated entries cause a referential
+  integrity conflict leading to a forced initialisation
+- Display credential reset token expiry time when created on CLI
+- Reload certificates and private keys on SIGHUP
+- Remove a large number of dependencies that were either not needed or could be streamlined
+- SCIM foundations for getting and modifying entries, reference handling, and complex attribute
+  display. Much more to come in this space!
+- Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
+  in future. Greatly improves user expirence as the pages are now very fast to load!
+
 ## 2024-08-07 - Kanidm 1.3.0
 
 This is the latest stable release of the Kanidm Identity Management project. Every release is the