diff --git a/book/src/DEVELOPER_README.md b/book/src/DEVELOPER_README.md index 1a0629fee..03548839b 100644 --- a/book/src/DEVELOPER_README.md +++ b/book/src/DEVELOPER_README.md @@ -259,15 +259,11 @@ is critical. Once you have the source code, you need encryption certificates to use with the server, because without certificates, authentication will fail. -We recommend using [Let's Encrypt](https://letsencrypt.org), but if this is not possible, please use -our insecure certificate tool (`scripts/insecure_generate_tls.sh`). The insecure certificate tool -creates `/tmp/kanidm` and puts some self-signed certificates there. - -**NOTE:** Windows developers can use `scripts/insecure_generate_tls.ps1`, which puts everything -(including a templated config file) in `$TEMP\kanidm`. Please adjust paths below to suit. +We recommend using [Let's Encrypt](https://letsencrypt.org), but if this is not possible kanidmd +will create self-signed certificates in `/tmp/kanidm`. You can now build and run the server with the commands below. It will use a database in -`/tmp/kanidm.db`. +`/tmp/kanidm/kanidm.db`. Create the initial database and generate an `admin` password: diff --git a/scripts/insecure_generate_tls.ps1 b/scripts/insecure_generate_tls.ps1 deleted file mode 100644 index 6b8ed477d..000000000 --- a/scripts/insecure_generate_tls.ps1 +++ /dev/null 
@@ -1,106 +0,0 @@
-
-$ErrorActionPreference = "Stop"
-
-$KANI_TMP="$Env:TEMP\kanidm\"
-
-$ALTNAME_FILE="${KANI_TMP}altnames.cnf"
-$CACERT="${KANI_TMP}ca.pem"
-$CAKEY="${KANI_TMP}cakey.pem"
-
-$KEYFILE="${KANI_TMP}key.pem"
-$CERTFILE="${KANI_TMP}cert.pem"
-$CSRFILE="${KANI_TMP}cert.csr"
-$CHAINFILE="${KANI_TMP}chain.pem"
-# $DHFILE="${KANI_TMP}dh.pem"
-$CONFIG_FILE="${KANI_TMP}server.toml"
-
-
-if (Test-Path -Path "$KANI_TMP" ) {
- Write-Output "Output dir exists at $KANI_TMP"
-} else {
- Write-Warning "Output dir missing at $KANI_TMP"
- $result = New-Item -Path "$KANI_TMP" -ItemType Directory
-}
-
-
-if ( $(Test-Path -Path "examples\insecure_server.toml") -eq $false ) {
- Write-Error "You need to run this from the base dir of the repo!"
- exit 1
-}
-# Building the config file
-$CONFIG = Get-Content "examples\insecure_server.toml"
-$CONFIG = $CONFIG -replace "/tmp/kanidm/", "$KANI_TMP"
-$CONFIG = $CONFIG -replace "\\", "/"
-
-$CONFIG | Set-Content "${CONFIG_FILE}" -Force
-
-$ALTNAME_FILE_CONTENTS = @'
-[req]
-nsComment = "Certificate"
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-
-[ req_distinguished_name ]
-
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Queensland
-
-localityName = Locality Name (eg, city)
-localityName_default = Brisbane
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = INSECURE EXAMPLE
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = kanidm
-
-commonName = Common Name (eg, your name or your servers hostname)
-commonName_max = 64
-commonName_default = localhost
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = localhost
-IP.1 = 127.0.0.1
-'@
-
-Write-Output "Creating cert template"
-$result = New-Item -Path "$ALTNAME_FILE" -ItemType File -Value "$ALTNAME_FILE_CONTENTS" -Force
-
-write-debug $result
-
-Write-Output "Generate the CA"
-openssl req -x509 -new -newkey rsa:4096 -sha256 -keyout "${CAKEY}" -out "${CACERT}" -days 31 -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes
-if ( $LastExitCode -ne 0 ){
- exit 1
-}
-
-Write-Output "Generating the private key"
-openssl genrsa -out "${KEYFILE}" 4096
-if ( $LastExitCode -ne 0 ){
- exit 1
-}
-
-Write-Output "Generating the certificate signing request"
-openssl req -sha256 -config "${ALTNAME_FILE}" -days 31 -new -extensions v3_req -key "${KEYFILE}" -out "${CSRFILE}"
-if ( $LastExitCode -ne 0 ){
- exit 1
-}
-Write-Output "Signing the certificate"
-openssl x509 -req -days 31 -extfile "${ALTNAME_FILE}" -CA "${CACERT}" -CAkey "${CAKEY}" -CAcreateserial -in "${CSRFILE}" -out "${CERTFILE}" -extensions v3_req -sha256
-
-Write-Output "Creating the certificate chain"
-Get-Content "${CERTFILE}" ,"${CACERT}" | Set-Content "${CHAINFILE}" -Force
-
-Write-Output "Certificate chain is at: ${CHAINFILE}"
-Write-Output "Private key is at: ${KEYFILE}"
-Write-Output "The configuration file is at: ${CONFIG_FILE}"
diff --git a/scripts/insecure_generate_tls.sh b/scripts/insecure_generate_tls.sh
deleted file mode 100755
index aba20fb34..000000000
--- a/scripts/insecure_generate_tls.sh
+++ /dev/null
@@ -1,190 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# you can set the hostname if you want, but it'll default to localhost
-if [ -z "$CERT_HOSTNAME" ]; then
- CERT_HOSTNAME="localhost"
-fi
-
-# also where the files are stored
-if [ -z "$KANI_TMP" ]; then
- KANI_TMP=/tmp/kanidm/
-fi
-
-ALTNAME_FILE="${KANI_TMP}altnames.cnf"
-CANAME_FILE="${KANI_TMP}ca.cnf"
-CACERT="${KANI_TMP}ca.pem"
-CAKEY="${KANI_TMP}cakey.pem"
-CADB="${KANI_TMP}ca.txt"
-CASRL="${KANI_TMP}ca.srl"
-
-KEYFILE="${KANI_TMP}key.pem"
-CERTFILE="${KANI_TMP}cert.pem"
-CSRFILE="${KANI_TMP}cert.csr"
-CHAINFILE="${KANI_TMP}chain.pem"
-DHFILE="${KANI_TMP}dh.pem"
-
-if [ ! -d "${KANI_TMP}" ]; then
- echo "Creating temp kanidm dir: ${KANI_TMP}"
- mkdir -p "${KANI_TMP}"
-fi
-
-cat > "${CANAME_FILE}" << DEVEOF
-[req]
-nsComment = "Certificate Authority"
-distinguished_name = req_distinguished_name
-req_extensions = v3_ca
-
-[ req_distinguished_name ]
-
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Queensland
-
-localityName = Locality Name (eg, city)
-localityName_default = Brisbane
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = INSECURE EXAMPLE
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = kanidm
-
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-commonName_default = insecure.ca.localhost
-
-[ v3_ca ]
-subjectKeyIdentifier = hash
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-DEVEOF
-
-cat > "${ALTNAME_FILE}" << DEVEOF
-
-[ca]
-default_ca = CA_default
-
-[ CA_default ]
-# Directory and file locations.
-dir = ${KANI_TMP}
-certs = ${KANI_TMP}
-crl_dir = ${KANI_TMP}
-new_certs_dir = ${KANI_TMP}
-database = ${CADB}
-serial = ${CASRL}
-
-# The root key and root certificate.
-private_key = ${CAKEY} -certificate = ${CACERT} - -# SHA-1 is deprecated, so use SHA-2 instead. -default_md = sha256 - -name_opt = ca_default -cert_opt = ca_default -default_days = 3650 -preserve = no -policy = policy_loose - -[ policy_loose ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -[req] -nsComment = "Certificate" -distinguished_name = req_distinguished_name -req_extensions = v3_req - -[ req_distinguished_name ] - -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Queensland - -localityName = Locality Name (eg, city) -localityName_default = Brisbane - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = INSECURE EXAMPLE - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = kanidm - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 -commonName_default = ${CERT_HOSTNAME} - -[ v3_req ] -basicConstraints = CA:FALSE -nsCertType = server -nsComment = "Server Certificate" -subjectKeyIdentifier = hash -keyUsage = critical, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names - -[alt_names] -DNS.1 = localhost -IP.1 = 127.0.0.1 - -DEVEOF - -touch ${CADB} -echo 1000 > ${CASRL} - -echo "Make the ca key..." -openssl ecparam -genkey -name prime256v1 -noout -out "${CAKEY}" - -echo "Self sign the CA..." -openssl req -batch -config "${CANAME_FILE}" \ - -key "${CAKEY}" \ - -new -x509 -days +31 \ - -sha256 -extensions v3_ca \ - -out "${CACERT}" \ - -nodes - -echo "Generating the server private key..." -openssl ecparam -genkey -name prime256v1 -noout -out "${KEYFILE}" - -echo "Generating the certificate signing request..." 
-openssl req -sha256 -new \
- -batch \
- -config "${ALTNAME_FILE}" -extensions v3_req \
- -key "${KEYFILE}"\
- -nodes \
- -out "${CSRFILE}"
-
-echo "Signing the certificate..."
-openssl ca -config "${ALTNAME_FILE}" \
- -batch \
- -extensions v3_req \
- -days 31 -notext -md sha256 \
- -in "${CSRFILE}" \
- -out "${CERTFILE}"
-
-# Create the chain
-cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"
-
-# create the dh file for RADIUS
-openssl dhparam -in "${CAFILE}" -out "${DHFILE}" 2048
-
-echo "Certificate chain is at: ${CHAINFILE}"
-echo "Private key is at: ${KEYFILE}"
-echo ""
-echo "**Remember** the default action is to store the files in /tmp/ so they'll be deleted on reboot! Set the KANI_TMP environment variable before running this script if you want to change that. You'll need to update server config elsewhere if you do, however."
diff --git a/server/daemon/run_insecure_dev_server.sh b/server/daemon/run_insecure_dev_server.sh
index d1f1a7415..074ed5fd8 100755
--- a/server/daemon/run_insecure_dev_server.sh
+++ b/server/daemon/run_insecure_dev_server.sh
@@ -6,6 +6,16 @@ if [ -z "$KANI_CARGO_OPTS" ]; then
 KANI_CARGO_OPTS=""
 fi
 
+# also where the files are stored
+if [ -z "$KANI_TMP" ]; then
+ KANI_TMP=/tmp/kanidm/
+fi
+
+if [ ! -d "${KANI_TMP}" ]; then
+ echo "Creating temp kanidm dir: ${KANI_TMP}"
+ mkdir -p "${KANI_TMP}"
+fi
+
 CONFIG_FILE="../../examples/insecure_server.toml"
 
 if [ ! -f "${CONFIG_FILE}" ]; then
diff --git a/tools/cli/src/opt/kanidm.rs b/tools/cli/src/opt/kanidm.rs
index 946bcb6dc..477850ecf 100644
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
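Review bot: The new `[ ! -d "${KANI_TMP}" ]` check in run_insecure_dev_server.sh accepts a pre-existing `/tmp/kanidm/` regardless of who owns it or what mode it has, so on a multi-user host that predictable path under `/tmp` can already belong to another local user by the time the dev server writes its self-signed key and `kanidm.db` there. After the `mkdir -p` I would add `[ -O "${KANI_TMP}" ] || { echo "refusing to use ${KANI_TMP}: not owned by current user" >&2; exit 1; }` followed by `chmod 700 "${KANI_TMP}"` (`-O` is supported by bash and dash though not strictly POSIX; the script's shebang is outside the hunk). `KANI_TMP` is also assigned but not exported here, so unless the rest of the script (outside the hunk) forwards it, a user override will not reach kanidmd, which the README change in this commit says creates the certificates in that directory. Finally, the default ends in a trailing slash; if later code concatenates `${KANI_TMP}name`, a user-set `KANI_TMP=/tmp/foo` silently breaks, so either a comment such as `# KANI_TMP must end with a trailing slash` or a normalisation `KANI_TMP="${KANI_TMP%/}/"` would help.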
@@ -138,7 +138,7 @@ pub struct AccountNamedExpireDateTimeOpt {
 #[clap(flatten)]
 copt: CommonOpt,
 #[clap(name = "datetime", verbatim_doc_comment)]
- /// This accepts mulitple options:
+ /// This accepts multiple options:
 /// - An RFC3339 time of the format "YYYY-MM-DDTHH:MM:SS+TZ", "2020-09-25T11:22:02+10:00"
 /// - One of "any", "clear" or "never" to remove account expiry.
 /// - "epoch" to set the expiry to the UNIX epoch