20250209 pre release (#3409)

* fix: removing unused dependencies (assert_cmd, gethostname)
* chore: Release Notes
James Hodgkinson 2025-02-09 21:06:01 +11:00 committed by GitHub
parent b15ff89b39
commit c89f0c011e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
25 changed files with 406 additions and 348 deletions

382
Cargo.lock generated

File diff suppressed because it is too large Load diff


@ -4,7 +4,7 @@ authors = [
"William Brown <william@blackhats.net.au>", "William Brown <william@blackhats.net.au>",
"James Hodgkinson <james@terminaloutcomes.com>", "James Hodgkinson <james@terminaloutcomes.com>",
] ]
rust-version = "1.79" rust-version = "1.80"
edition = "2021" edition = "2021"
license = "MPL-2.0" license = "MPL-2.0"
homepage = "https://github.com/kanidm/kanidm/" homepage = "https://github.com/kanidm/kanidm/"
@ -165,15 +165,15 @@ clap_complete = "^4.5.42"
chrono = "^0.4.39" chrono = "^0.4.39"
compact_jwt = { version = "^0.4.2", default-features = false } compact_jwt = { version = "^0.4.2", default-features = false }
concread = "^0.5.3" concread = "^0.5.3"
cron = "0.12.1" cron = "0.15.0"
crossbeam = "0.8.4" crossbeam = "0.8.4"
csv = "1.3.1" csv = "1.3.1"
dialoguer = "0.10.4" dialoguer = "0.11.0"
dhat = "0.3.3" dhat = "0.3.3"
dyn-clone = "^1.0.17" dyn-clone = "^1.0.17"
fernet = "^0.2.1" fernet = "^0.2.1"
filetime = "^0.2.24" filetime = "^0.2.24"
fs4 = "^0.8.3" fs4 = "^0.12.0"
futures = "^0.3.31" futures = "^0.3.31"
futures-util = { version = "^0.3.30", features = ["sink"] } futures-util = { version = "^0.3.30", features = ["sink"] }
gix = { version = "0.64.0", default-features = false } gix = { version = "0.64.0", default-features = false }
@ -225,7 +225,6 @@ opentelemetry-semantic-conventions = "0.27.0"
tracing-opentelemetry = "0.28.0" tracing-opentelemetry = "0.28.0"
tracing-core = "0.1.33" tracing-core = "0.1.33"
paste = "^1.0.14"
peg = "0.8" peg = "0.8"
pkg-config = "^0.3.31" pkg-config = "^0.3.31"
prctl = "1.0.0" prctl = "1.0.0"
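Review bot: `cron` (0.12.1 to 0.15.0), `dialoguer` (0.10.4 to 0.11.0) and `fs4` (^0.8.3 to ^0.12.0) in the second hunk all cross 0.x minor versions, which Cargo treats as semver-incompatible, so these are potentially API-breaking upgrades rather than patch-level refreshes (reading the left column as the old side). `fs4` supplies file-locking primitives, so if it backs the daemon's exclusive process lock, its lock behaviour is worth re-testing on each supported platform; that usage is inferred, not visible in these hunks. The Cargo.lock diff is suppressed on this page, so the resolved transitive set has to be reviewed separately, for example from the `cargo audit` output. The third hunk also drops `paste`, which the commit message does not name alongside assert_cmd and gethostname; consider listing it there. For consistency the touched lines could use one requirement form, e.g. `cron = "^0.15.0"` and `dialoguer = "^0.11.0"`, which resolve identically to the bare versions.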


@ -1,8 +1,6 @@
# Kanidm - Simple and Secure Identity Management # Kanidm - Simple and Secure Identity Management
<p align="center"> ![Kanidm Logo](artwork/logo-small.png)
<img src="https://raw.githubusercontent.com/kanidm/kanidm/master/artwork/logo-small.png" width="20%" height="auto" />
</p>
## About ## About


@ -1,42 +1,93 @@
<p align="center"> # Kanidm Release Notes
<img src="https://raw.githubusercontent.com/kanidm/kanidm/master/artwork/logo-small.png" width="20%" height="auto" />
</p>
# Getting Started ![Kanidm Logo](artwork/logo-small.png)
## Getting Started
To get started, see the [kanidm book] To get started, see the [kanidm book]
# Feedback ## Feedback
We value your feedback! First, please see our [code of conduct]. If you have questions please join We value your feedback! First, please see our [code of conduct]. If you have questions please join
our [gitter community channel] so that we can help. If you find a bug or issue, we'd love you to our [gitter community channel] so that we can help. If you find a bug or issue, we'd love you to
report it to our [issue tracker]. report it to our [issue tracker].
# Release Notes ## Release Notes
## 2024-11-01 - Kanidm 1.4.0 ### 2025-02-09 - Kanidm 1.5.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments, combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support. questions, feedback and support.
You should review our You should review our
[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) as this [support documentation] as this
may have important effects on your distribution or upgrades in future. may have important effects on your distribution or upgrades in future.
Before upgrading you should review Before upgrading you should review
[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes) [our upgrade documentation]
### 1.4.0 Important Changes #### 1.5.0 Important Changes
- There has been a lot of tweaks to how cookies are handled in this release, if you're having issues with the login flow please clear all cookies as an initial troubleshooting step.
#### 1.5.0 Release Highlights
- Many updates to the UI!
- SSH Keys in Credentials Update (#3027)
- Improved error message when PassKey is missing PIN (mainly for Firefox) (#3403)
- Fix the password reset form and possible resolver issue (#3398)
- Fixed unrecoverable error page doesn't include logo or domain name (#3352)
- Add support for prefers-color-scheme using Bootstrap classes. Dark mode! (#3327)
- Automatically trigger passkeys on login view (#3307)
- Two new operating systems!
- Initial OpenBSD support (#3381)
- FreeBSD client (#3333)
- Many SCIM-related improvements
- SCIM access control (#3359)
- SCIM put (#3151)
- OAuth2 Things
- Allow OAuth2 with empty `state` parameter (#3396)
- Allow POST on oauth userinfo (#3395)
- Add OAuth2 `response_mode=fragment` (#3335)
- Add CORS headers to jwks and userinfo (#3283)
- Allowing SPN query with non-SPN structured data in LDAP (#3400)
- Correctly return that uuid2spn changed on domain rename (#3402)
- RADIUS startup fixing (#3388)
- Repaired systemd reload notifications (#3355)
- Add `ssh_publickeys` as a claim for OAuth2 (#3346)
- Allow modification of password minimum length (#3345)
- PAM on Debian, enable use_first_pass by default (#3326)
- Allow opt-in of easter eggs (#3308)
- Allow reseting account policy values to defaults (#3306)
- Ignore system users for UPG synthesiseation (#3297)
- Allow group managers to modify entry-managed-by (#3272)
And many more!
### 2024-11-01 - Kanidm 1.4.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.
You should review our
[support documentation] as this
may have important effects on your distribution or upgrades in future.
Before upgrading you should review
[our upgrade documentation]
#### 1.4.0 Important Changes
- The web user interface has been rewritten and now supports theming. You will notice that your - The web user interface has been rewritten and now supports theming. You will notice that your
domain displayname is included in a number of locations on upgrade, and that you can set domain displayname is included in a number of locations on upgrade, and that you can set
your own domain and OAuth2 client icons. your own domain and OAuth2 client icons.
- OAuth2 strict redirect uri is now required. Ensure you have read - OAuth2 strict redirect uri is now required. Ensure you have read
[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes). [our upgrade documentation].
and taken the needed steps before upgrading. and taken the needed steps before upgrading.
### 1.4.0 Release Highlights #### 1.4.0 Release Highlights
- Improve handling of client timeouts when the server is under high load - Improve handling of client timeouts when the server is under high load
- Resolve a minor issue preventing some credential updates from saving - Resolve a minor issue preventing some credential updates from saving
@ -65,20 +116,20 @@ and taken the needed steps before upgrading.
- Rewrite the entire web frontend to be simpler and faster, allowing more features to be added - Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
in the future. Greatly improves user experience as the pages are now very fast to load! in the future. Greatly improves user experience as the pages are now very fast to load!
## 2024-08-07 - Kanidm 1.3.0 ### 2024-08-07 - Kanidm 1.3.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments, combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support. questions, feedback and support.
You should review our You should review our
[support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) as this [support documentation] as this
may have important effects on your distribution or upgrades in future. may have important effects on your distribution or upgrades in future.
Before upgrading you should review Before upgrading you should review
[our upgrade documentation](https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes) [our upgrade documentation]
### 1.3.0 Important Changes #### 1.3.0 Important Changes
- New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts - New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
and groups must adhere to these rules. See [our upgrade documentation]. about tools to help you and groups must adhere to these rules. See [our upgrade documentation]. about tools to help you
@ -89,7 +140,7 @@ Before upgrading you should review
by PassKeys which give a better user experience. by PassKeys which give a better user experience.
- Kanidm now supports FreeBSD and Illumos in addition to Linux - Kanidm now supports FreeBSD and Illumos in addition to Linux
### 1.3.0 Release Highlights #### 1.3.0 Release Highlights
- TOTP update user interface improvements - TOTP update user interface improvements
- Improved error messages when a load balancer is failing - Improved error messages when a load balancer is failing
@ -112,24 +163,24 @@ Before upgrading you should review
- Strict redirect URI enforcement in OAuth2 - Strict redirect URI enforcement in OAuth2
- Substring indexing for improved search performance - Substring indexing for improved search performance
## 2024-05-01 - Kanidm 1.2.0 ### 2024-05-01 - Kanidm 1.2.0
This is the first stable release of the Kanidm Identity Management project. We want to thank every This is the first stable release of the Kanidm Identity Management project. We want to thank every
one in our community who has supported to the project to this point with their invaluable one in our community who has supported to the project to this point with their invaluable
contributions, comments, questions, feedback and support. contributions, comments, questions, feedback and support.
Importantly this release makes a number of changes to our project's support processes. You should Importantly this release makes a number of changes to our project's support processes. You should
review our [support documentation](https://github.com/kanidm/kanidm/blob/master/book/src/support.md) review our [support documentation]
as this may have important effects on your distribution or upgrades in future. as this may have important effects on your distribution or upgrades in future.
### 1.2.0 Important Changes #### 1.2.0 Important Changes
- On upgrade all OAuth2 sessions and user sessions will be reset due to changes in cryptographic key - On upgrade all OAuth2 sessions and user sessions will be reset due to changes in cryptographic key
handling. This does not affect api tokens. handling. This does not affect api tokens.
- There is a maximum limit of 48 interactive sessions for persons where older sessions are - There is a maximum limit of 48 interactive sessions for persons where older sessions are
automatically removed. automatically removed.
### 1.2.0 Release Highlights #### 1.2.0 Release Highlights
- The book now contains a list of supported RFCs and standards - The book now contains a list of supported RFCs and standards
- Add code challenge methods to OIDC discovery - Add code challenge methods to OIDC discovery
@ -154,7 +205,7 @@ as this may have important effects on your distribution or upgrades in future.
- Migrate cryptographic key handling to an object model with future HSM support - Migrate cryptographic key handling to an object model with future HSM support
- Limit maximum active sessions on an account to 48 - Limit maximum active sessions on an account to 48
## 2024-02-07 - Kanidm 1.1.0-rc.16 ### 2024-02-07 - Kanidm 1.1.0-rc.16
This is the sixteenth pre-release of the Kanidm Identity Management project. Pre-releases are to This is the sixteenth pre-release of the Kanidm Identity Management project. Pre-releases are to
help get feedback and ideas from the community on how we can continue to make this project better. help get feedback and ideas from the community on how we can continue to make this project better.
@ -163,7 +214,7 @@ This is the final release candidate before we publish a release version. We beli
server interfaces are stable and reliable enough for people to depend on, and to develop external server interfaces are stable and reliable enough for people to depend on, and to develop external
tools to interact with Kanidm. tools to interact with Kanidm.
### 1.1.0-rc.16 Release Highlights #### 1.1.0-rc.16 Release Highlights
- Replication for two node environments is now supported - Replication for two node environments is now supported
- Account policy supports password minimum length - Account policy supports password minimum length
@ -182,7 +233,7 @@ tools to interact with Kanidm.
- Support RFC6749 Client Credentials Grant - Support RFC6749 Client Credentials Grant
- Support custom claim maps in OIDC - Support custom claim maps in OIDC
## 2023-10-31 - Kanidm 1.1.0-beta14 ### 2023-10-31 - Kanidm 1.1.0-beta14
This is the fourteenth pre-release of the Kanidm Identity Management project. Pre-releases are to This is the fourteenth pre-release of the Kanidm Identity Management project. Pre-releases are to
help get feedback and ideas from the community on how we can continue to make this project better. help get feedback and ideas from the community on how we can continue to make this project better.
@ -191,7 +242,7 @@ At this point we believe we are on the final stretch to making something we cons
ready". After this we will start to ship release candidates as our focus will now be changing to ready". After this we will start to ship release candidates as our focus will now be changing to
finish our production components and the stability of the API's for longer term support. finish our production components and the stability of the API's for longer term support.
### 1.1.0-beta14 Release Highlights #### 1.1.0-beta14 Release Highlights
- Replication is in Beta! Please test carefully! - Replication is in Beta! Please test carefully!
- Web UI WASM has been split up, significantly improving the responsiveness. - Web UI WASM has been split up, significantly improving the responsiveness.
@ -205,7 +256,7 @@ finish our production components and the stability of the API's for longer term
- Removed a lot of uses of `unwrap` and `expect` to improve reliability. - Removed a lot of uses of `unwrap` and `expect` to improve reliability.
- Account policy framework is now in place. - Account policy framework is now in place.
## 2023-05-01 - Kanidm 1.1.0-beta13 ### 2023-05-01 - Kanidm 1.1.0-beta13
This is the thirteenth pre-release of the Kanidm Identity Management project. Pre-releases are to This is the thirteenth pre-release of the Kanidm Identity Management project. Pre-releases are to
help get feedback and ideas from the community on how we can continue to make this project better. help get feedback and ideas from the community on how we can continue to make this project better.
@ -214,7 +265,7 @@ At this point we believe we are on the final stretch to making something we cons
ready". After this we will start to ship release candidates as our focus will now be changing to ready". After this we will start to ship release candidates as our focus will now be changing to
finish our production components and the stability of the API's for longer term support. finish our production components and the stability of the API's for longer term support.
### 1.1.0-beta13 Release Highlights #### 1.1.0-beta13 Release Highlights
- Replication foundations - Replication foundations
- Full implementation of replication refresh - Full implementation of replication refresh
@ -255,7 +306,7 @@ finish our production components and the stability of the API's for longer term
- Improve create-reset-token user experience - Improve create-reset-token user experience
- Improve self-healing for some reference issues - Improve self-healing for some reference issues
## 2023-05-01 - Kanidm 1.1.0-alpha12 ### 2023-05-01 - Kanidm 1.1.0-alpha12
This is the twelfth alpha series release of the Kanidm Identity Management project. Alpha releases This is the twelfth alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project are to help get feedback and ideas from the community on how we can continue to make this project
@ -266,7 +317,7 @@ done so yet is we haven't decided if we want to commit to the current API layout
There are still things we want to change there. Otherwise the server is stable and reliable for There are still things we want to change there. Otherwise the server is stable and reliable for
production usage. production usage.
### Release Highlights #### 1.1.0-alpha12 Release Highlights
- Allow full server content replication in testing (yes we're finally working on replication!) - Allow full server content replication in testing (yes we're finally working on replication!)
- Improve OAuth2 to allow scoped members to see RS they can access for UI flows - Improve OAuth2 to allow scoped members to see RS they can access for UI flows
@ -286,7 +337,7 @@ production usage.
- Add exclusive process lock to daemon - Add exclusive process lock to daemon
- Allow dns/rdns in ldap search contexts - Allow dns/rdns in ldap search contexts
## 2023-02-01 - Kanidm 1.1.0-alpha11 ### 2023-02-01 - Kanidm 1.1.0-alpha11
This is the eleventh alpha series release of the Kanidm Identity Management project. Alpha releases This is the eleventh alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project are to help get feedback and ideas from the community on how we can continue to make this project
@ -296,7 +347,7 @@ The project is shaping up very nicely, and a beta will be coming soon! The main
done so yet is we haven't decided if we want to commit to the current API layout and freeze it yet. done so yet is we haven't decided if we want to commit to the current API layout and freeze it yet.
There are still things we want to change there. Otherwise the server is stable and reliable. There are still things we want to change there. Otherwise the server is stable and reliable.
### Release Highlights #### 1.1.0-alpha11 Release Highlights
- Support /etc/skel home dir templates in kanidm-unixd - Support /etc/skel home dir templates in kanidm-unixd
- Improve warning messages for openssl when a cryptographic routine is not supported - Improve warning messages for openssl when a cryptographic routine is not supported
@ -317,7 +368,7 @@ There are still things we want to change there. Otherwise the server is stable a
- Improve the access control module to evaluate access in a clearer way - Improve the access control module to evaluate access in a clearer way
- Allow synced users to correct modify their local sessions - Allow synced users to correct modify their local sessions
## 2022-11-01 - Kanidm 1.1.0-alpha10 ### 2022-11-01 - Kanidm 1.1.0-alpha10
This is the tenth alpha series release of the Kanidm Identity Management project. Alpha releases are This is the tenth alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better to help get feedback and ideas from the community on how we can continue to make this project better
@ -325,12 +376,12 @@ for a future supported release.
The project is shaping up very nicely, and a beta will be coming soon! The project is shaping up very nicely, and a beta will be coming soon!
### Upgrade Note #### 1.1.0-alpha10 Upgrade Note
This version will _require_ TLS on all servers, even if behind a load balancer or TLS terminating This version will _require_ TLS on all servers, even if behind a load balancer or TLS terminating
proxy. You should be ready for this change when you upgrade to the latest version. proxy. You should be ready for this change when you upgrade to the latest version.
### Release Highlights #### 1.1.0-alpha10 Release Highlights
- Management and tracking of authenticated sessions - Management and tracking of authenticated sessions
- Make upgrade migrations more robust when upgrading over multiple versions - Make upgrade migrations more robust when upgrading over multiple versions
@ -352,7 +403,7 @@ proxy. You should be ready for this change when you upgrade to the latest versio
- Cleanup of expired authentication sessions - Cleanup of expired authentication sessions
- Improved administration of password badlists - Improved administration of password badlists
## 2022-08-02 - Kanidm 1.1.0-alpha9 ### 2022-08-02 - Kanidm 1.1.0-alpha9
This is the ninth alpha series release of the Kanidm Identity Management project. Alpha releases are This is the ninth alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better to help get feedback and ideas from the community on how we can continue to make this project better
@ -360,7 +411,7 @@ for a future supported release.
The project is shaping up very nicely, and a beta will be coming soon! The project is shaping up very nicely, and a beta will be coming soon!
### Release Highlights #### 1.1.0-alpha9 Release Highlights
- Inclusion of a Python3 API library - Inclusion of a Python3 API library
- Improve orca usability - Improve orca usability
@ -376,13 +427,13 @@ The project is shaping up very nicely, and a beta will be coming soon!
- CTAP2+ support in Webauthn via CLI - CTAP2+ support in Webauthn via CLI
- Radius supports EAP TLS identities in addition to EAP PEAP - Radius supports EAP TLS identities in addition to EAP PEAP
## 2022-05-01 - Kanidm 1.1.0-alpha8 ### 2022-05-01 - Kanidm 1.1.0-alpha8
This is the eighth alpha series release of the Kanidm Identity Management project. Alpha releases This is the eighth alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project are to help get feedback and ideas from the community on how we can continue to make this project
better for a future supported release. better for a future supported release.
### Release Highlights #### 1.1.0-alpha8 Release Highlights
- Foundations for cryptographic trusted device authentication - Foundations for cryptographic trusted device authentication
- Foundations for new user onboarding and credential reset - Foundations for new user onboarding and credential reset
@ -398,13 +449,13 @@ better for a future supported release.
- Highlight that the WebUI is in alpha to prevent confusion - Highlight that the WebUI is in alpha to prevent confusion
- Remove sync only client paths - Remove sync only client paths
## 2022-01-01 - Kanidm 1.1.0-alpha7 ### 2022-01-01 - Kanidm 1.1.0-alpha7
This is the seventh alpha series release of the Kanidm Identity Management project. Alpha releases This is the seventh alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project are to help get feedback and ideas from the community on how we can continue to make this project
better for a future supported release. better for a future supported release.
### Release Highlights #### 1.1.0-alpha7 Release Highlights
- OAuth2 scope to group mappings - OAuth2 scope to group mappings
- Webauthn subdomain support - Webauthn subdomain support
@ -415,7 +466,7 @@ better for a future supported release.
- Addition of email address attributes - Addition of email address attributes
- Web UI improvements for OAuth2 - Web UI improvements for OAuth2
## 2021-10-01 - Kanidm 1.1.0-alpha6 ### 2021-10-01 - Kanidm 1.1.0-alpha6
This is the sixth alpha series release of the Kanidm Identity Management project. Alpha releases are This is the sixth alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better to help get feedback and ideas from the community on how we can continue to make this project better
@ -424,7 +475,7 @@ for a future supported release.
It's also a special release as Kanidm has just turned 3 years old! Thank you all for helping to It's also a special release as Kanidm has just turned 3 years old! Thank you all for helping to
bring the project this far! 🎉 🦀 bring the project this far! 🎉 🦀
### Release Highlights #### 1.1.0-alpha6 Release Highlights
- Support backup codes as MFA in case of lost TOTP/Webauthn - Support backup codes as MFA in case of lost TOTP/Webauthn
- Dynamic menus on CLI for usernames when multiple sessions exist - Dynamic menus on CLI for usernames when multiple sessions exist
@ -444,13 +495,13 @@ bring the project this far! 🎉 🦀
- Improvements to performance with high cache sizes - Improvements to performance with high cache sizes
- Session tokens persist over a session restart - Session tokens persist over a session restart
## 2021-07-07 - Kanidm 1.1.0-alpha5 ### 2021-07-07 - Kanidm 1.1.0-alpha5
This is the fifth alpha series release of the Kanidm Identity Management project. Alpha releases are This is the fifth alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better to help get feedback and ideas from the community on how we can continue to make this project better
for a future supported release. for a future supported release.
### Release Highlights #### 1.1.0-alpha5 Release Highlights
- Fix a major defect in how backup/restore worked - Fix a major defect in how backup/restore worked
- Improve query performance by caching partial queries - Improve query performance by caching partial queries
@ -465,13 +516,13 @@ for a future supported release.
- Statistical analysis of indexes to improve query optimisation - Statistical analysis of indexes to improve query optimisation
- Handle broken TOTP authenticator apps - Handle broken TOTP authenticator apps
## 2021-04-01 - Kanidm 1.1.0-alpha4 ### 2021-04-01 - Kanidm 1.1.0-alpha4
This is the fourth alpha series release of the Kanidm Identity Management project. Alpha releases This is the fourth alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project are to help get feedback and ideas from the community on how we can continue to make this project
better for a future supported release. better for a future supported release.
### Release Highlights #### 1.1.0-alpha4 Release Highlights
- Performance Improvements - Performance Improvements
- TOTP CLI enrollment - TOTP CLI enrollment
@ -485,13 +536,13 @@ better for a future supported release.
- Badlist checked at login to determine account compromise - Badlist checked at login to determine account compromise
- Minor Fixes for attribute display - Minor Fixes for attribute display
## 2021-01-01 - Kanidm 1.1.0-alpha3 ### 2021-01-01 - Kanidm 1.1.0-alpha3
This is the third alpha series release of the Kanidm Identity Management project. Alpha releases are This is the third alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better to help get feedback and ideas from the community on how we can continue to make this project better
for a future supported release. for a future supported release.
### Release Highlights #### 1.1.0-alpha3 Release Highlights
- Account "valid from" and "expiry" times. - Account "valid from" and "expiry" times.
- Rate limiting and softlocking of account credentials to prevent bruteforcing. - Rate limiting and softlocking of account credentials to prevent bruteforcing.
@ -499,13 +550,13 @@ for a future supported release.
- Rewrite of json authentication protocol components. - Rewrite of json authentication protocol components.
- Unixd will cache "non-existent" items to improve nss/pam latency. - Unixd will cache "non-existent" items to improve nss/pam latency.
## 2020-10-01 - Kanidm 1.1.0-alpha2 ### 2020-10-01 - Kanidm 1.1.0-alpha2
This is the second alpha series release of the Kanidm Identity Management project. Alpha releases This is the second alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project are to help get feedback and ideas from the community on how we can continue to make this project
better for a future supported release. better for a future supported release.
### Release Highlights #### 1.1.0-alpha2 Release Highlights
- SIMD key lookups in container builds for datastructures - SIMD key lookups in container builds for datastructures
- Server and Client hardening warnings for running users and file permissions - Server and Client hardening warnings for running users and file permissions
@ -517,7 +568,7 @@ better for a future supported release.
- Reduction in memory footprint during searches - Reduction in memory footprint during searches
- Change authentication from cookies to auth-bearer tokens - Change authentication from cookies to auth-bearer tokens
## 2020-07-01 - Kanidm 1.1.0-alpha1 ### 2020-07-01 - Kanidm 1.1.0-alpha1
This is the first alpha series release of the Kanidm Identity Management project. Alpha releases are This is the first alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better to help get feedback and ideas from the community on how we can continue to make this project better
@ -536,7 +587,7 @@ people. I would especially like to thank:
- Samuel Cabrero (scabrero) - Samuel Cabrero (scabrero)
- Jim McDonough - Jim McDonough
### Release Highlights #### 1.1.0-alpha1 Release Highlights
- A working identity management server, including database - A working identity management server, including database
- RADIUS authentication and docker images - RADIUS authentication and docker images
@ -552,3 +603,5 @@ people. I would especially like to thank:
[gitter community channel]: https://gitter.im/kanidm/community [gitter community channel]: https://gitter.im/kanidm/community
[code of conduct]: https://github.com/kanidm/kanidm/blob/master/CODE_OF_CONDUCT.md [code of conduct]: https://github.com/kanidm/kanidm/blob/master/CODE_OF_CONDUCT.md
[kanidm book]: https://kanidm.github.io/kanidm/stable/ [kanidm book]: https://kanidm.github.io/kanidm/stable/
[our upgrade documentation]: https://github.com/kanidm/kanidm/blob/master/book/src/server_updates.md#general-update-notes
[support documentation]: https://github.com/kanidm/kanidm/blob/master/book/src/support.md


@ -3,57 +3,58 @@
## Pre-Reqs ## Pre-Reqs
```bash ```bash
cargo install cargo-audit cargo install --force \
cargo install cargo-outdated cargo-audit \
cargo install cargo-udeps cargo-outdated \
cargo install cargo-machete cargo-udeps \
cargo-machete
``` ```
## Pre Release Check List ## Pre Release Check List
### Start a release ### Start a release
- [ ] git checkout -b YYYYMMDD-pre-release - [ ] `git checkout -b "$(date +%Y%m%d)-pre-release"`
### Cargo Tasks ### Cargo Tasks
- [ ] Update MSRV if applicable - [ ] Update MSRV if applicable
- [ ] cargo update - [ ] `cargo update`
- [ ] `RUSTC_BOOTSTRAP=1 cargo udeps` - [ ] `RUSTC_BOOTSTRAP=1 cargo udeps`
- [ ] `cargo machete` - [ ] `cargo machete --with-metadata`
- [ ] cargo outdated -R - [ ] `cargo outdated -R`
- [ ] cargo audit - [ ] `cargo audit`
- [ ] cargo test - [ ] `cargo test`
- [ ] setup a local instance and run orca (TBD) - [ ] setup a local instance and run orca (TBD)
- [ ] store a copy an an example db (TBD) - [ ] store a copy an an example db (TBD)
### Code Changes ### Code Changes
- [ ] upgrade crypto policy values if required - [ ] upgrade crypto policy values if required (see `libs/crypto/src/lib.rs` -> `CryptoPolicy`)
- [ ] check for breaking db entry changes. - [ ] check for breaking db entry changes.
### Administration ### Administration
- [ ] Update `RELEASE_NOTES.md` - [ ] Update `RELEASE_NOTES.md`
- [ ] Update `README.md` - [ ] Update `README.md`
- [ ] cargo test - [ ] `cargo test`
- [ ] git commit -a -m "Release Notes" - [ ] `git commit -a -m 'chore: Release Notes'`
- [ ] git push origin YYYYMMDD-pre-release - [ ] `git push origin "$(date +%Y%m%d)-pre-release"`
- [ ] Merge PR - [ ] Merge PR
### Git Management ### Git Management
- [ ] git checkout master - [ ] `git checkout master`
- [ ] git pull - [ ] `git pull`
- [ ] git checkout -b 1.x.0 (Note no v to prevent ref conflict) - [ ] git checkout -b 1.x.0 (Note no v to prevent ref conflict)
- [ ] update version to set pre tag in ./Cargo.toml - [ ] update version to set pre tag in ./Cargo.toml
- [ ] git commit -m "Release 1.x.0-pre" - [ ] `git commit -m "Release $(cargo metadata --format-version 1 | jq '.packages[] | select(.name=="kanidm_proto") | .version')-pre"`
- [ ] git tag v1.x.0-pre - [ ] `git tag v$(cargo metadata --format-version 1 | jq '.packages[] | select(.name=="kanidm_proto") | .version')-pre`
- [ ] Final inspect of the branch - [ ] Final inspect of the branch
- [ ] git push origin 1.x.0 --tags - [ ] `git push origin "$(cargo metadata --format-version 1 | jq '.packages[] | select(.name=="kanidm_proto") | .version')" --tags`
- [ ] github -> Ensure release branch is protected - [ ] github -> Ensure release branch is protected
@ -106,4 +107,3 @@ cargo install cargo-machete
### Distro ### Distro
- [ ] vendor and release to build.opensuse.org - [ ] vendor and release to build.opensuse.org


@ -35,3 +35,7 @@ x509-cert = { workspace = true, features = ["pem"] }
[dev-dependencies] [dev-dependencies]
sketching = { workspace = true } sketching = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["openssl-sys"]
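Review bot: The `ignored = ["openssl-sys"]` entry carries no reason, so a later reader cannot tell whether cargo-machete's report was a false positive or a genuinely unused crate that is being kept. Two lists elsewhere in this commit do annotate their entries (`"opentelemetry", # feature gated` and `"whoami", # used in windows`). The same one-line comment would help here and on the bare lists added for `gix`, `clap_complete`, `kanidm_build_profiles`, `escargot`, `futures` and `pkg-config` in the other manifests. An unexplained ignore tends to outlive the reason it was added, which keeps unused crates in the build and in the set that `cargo audit` has to cover. The rest of this manifest is outside the hunk, so a note may already sit on the dependency line itself.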


@ -16,8 +16,5 @@ doctest = false
[dependencies] [dependencies]
[target.'cfg(target_family = "windows")'.dependencies]
whoami = { workspace = true }
[target.'cfg(not(target_family = "windows"))'.dependencies] [target.'cfg(not(target_family = "windows"))'.dependencies]
kanidm_utils_users = { workspace = true } kanidm_utils_users = { workspace = true }


@ -28,3 +28,7 @@ toml = { workspace = true }
[build-dependencies] [build-dependencies]
base64 = { workspace = true } base64 = { workspace = true }
gix = { workspace = true, default-features = false } gix = { workspace = true, default-features = false }
[package.metadata.cargo-machete]
ignored = ["gix"]


@ -17,7 +17,6 @@ test = false
doctest = false doctest = false
[dependencies] [dependencies]
gethostname = "0.5.0"
num_enum = { workspace = true } num_enum = { workspace = true }
opentelemetry = { workspace = true, features = ["metrics"] } opentelemetry = { workspace = true, features = ["metrics"] }
opentelemetry-otlp = { workspace = true, default-features = false, features = [ opentelemetry-otlp = { workspace = true, default-features = false, features = [


@ -1,13 +1,13 @@
[package] [package]
name = "kanidm_utils_users" name = "kanidm_utils_users"
description = "Kanidm utility crate" description = "Kanidm utility crate"
version.workspace = true version = { workspace = true }
authors.workspace = true authors = { workspace = true }
rust-version.workspace = true rust-version = { workspace = true }
edition.workspace = true edition = { workspace = true }
license.workspace = true license = { workspace = true }
homepage.workspace = true homepage = { workspace = true }
repository.workspace = true repository = { workspace = true }
[lib] [lib]
test = true test = true


@ -45,7 +45,6 @@ ldap3_proto = { workspace = true }
libc = { workspace = true } libc = { workspace = true }
openssl = { workspace = true } openssl = { workspace = true }
opentelemetry = { workspace = true, features = ["logs"] } opentelemetry = { workspace = true, features = ["logs"] }
# opentelemetry_api = { workspace = true, features = ["logs"] }
qrcode = { workspace = true, features = ["svg"] } qrcode = { workspace = true, features = ["svg"] }
regex = { workspace = true } regex = { workspace = true }
serde = { workspace = true, features = ["derive"] } serde = { workspace = true, features = ["derive"] }
@ -94,3 +93,10 @@ kanidmd_lib = { workspace = true, features = ["test"] }
[build-dependencies] [build-dependencies]
kanidm_build_profiles = { workspace = true } kanidm_build_profiles = { workspace = true }
[package.metadata.cargo-machete]
ignored = [
"opentelemetry", # feature gated
"kanidm_build_profiles",
]


@ -37,11 +37,11 @@ reqwest = { workspace = true }
tokio = { workspace = true, features = ["rt-multi-thread", "macros", "signal"] } tokio = { workspace = true, features = ["rt-multi-thread", "macros", "signal"] }
tokio-util = { workspace = true, features = ["codec"] } tokio-util = { workspace = true, features = ["codec"] }
tracing = { workspace = true } tracing = { workspace = true }
serde_json.workspace = true serde_json = { workspace = true }
[target.'cfg(target_os = "linux")'.dependencies] [target.'cfg(target_os = "linux")'.dependencies]
sd-notify.workspace = true sd-notify = { workspace = true }
prctl.workspace = true prctl = { workspace = true }
[target.'cfg(target_family = "windows")'.dependencies] [target.'cfg(target_family = "windows")'.dependencies]
whoami = { workspace = true } whoami = { workspace = true }
@ -53,7 +53,10 @@ kanidm_utils_users = { workspace = true }
mimalloc = { workspace = true } mimalloc = { workspace = true }
[build-dependencies] [build-dependencies]
serde = { workspace = true, features = ["derive"] }
clap = { workspace = true, features = ["derive"] } clap = { workspace = true, features = ["derive"] }
clap_complete = { workspace = true } clap_complete = { workspace = true }
kanidm_build_profiles = { workspace = true } kanidm_build_profiles = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["clap_complete", "kanidm_build_profiles"]


@ -20,7 +20,7 @@ static ALLOC: dhat::Alloc = dhat::Alloc;
use std::fs::{metadata, File}; use std::fs::{metadata, File};
// This works on both unix and windows. // This works on both unix and windows.
use fs4::FileExt; use fs4::fs_std::FileExt;
use kanidm_proto::messages::ConsoleOutputMode; use kanidm_proto::messages::ConsoleOutputMode;
use sketching::otel::TracingPipelineGuard; use sketching::otel::TracingPipelineGuard;
use std::io::Read; use std::io::Read;


@ -79,7 +79,7 @@ webauthn-rs = { workspace = true, features = [
webauthn-rs-core = { workspace = true } webauthn-rs-core = { workspace = true }
zxcvbn = { workspace = true } zxcvbn = { workspace = true }
serde_with = { workspace = true, features = ["time_0_3", "base64"] } serde_with = { workspace = true, features = ["time_0_3", "base64"] }
hex.workspace = true hex = { workspace = true }
lodepng = { workspace = true } lodepng = { workspace = true }
image = { workspace = true, default-features = false, features = [ image = { workspace = true, default-features = false, features = [
"gif", "gif",
@ -113,3 +113,9 @@ mimalloc = { workspace = true }
hashbrown = { workspace = true } hashbrown = { workspace = true }
kanidm_build_profiles = { workspace = true } kanidm_build_profiles = { workspace = true }
regex = { workspace = true } regex = { workspace = true }
[package.metadata.cargo-machete]
ignored = [
"openssl-sys", # see note above
"whoami", # used in windows
]


@ -49,7 +49,6 @@ url = { workspace = true, features = ["serde"] }
kanidm_build_profiles = { workspace = true } kanidm_build_profiles = { workspace = true }
[dev-dependencies] [dev-dependencies]
assert_cmd = "2.0.16"
compact_jwt = { workspace = true } compact_jwt = { workspace = true }
escargot = "0.5.13" escargot = "0.5.13"
# used for webdriver testing # used for webdriver testing
@ -59,11 +58,14 @@ oauth2_ext = { workspace = true, default-features = false, features = [
"reqwest", "reqwest",
] } ] }
openssl = { workspace = true } openssl = { workspace = true }
petgraph = { version = "0.7.1", features = ["serde", "serde-1"] } petgraph = { version = "0.7.1", features = ["serde"] }
serde_json = { workspace = true } serde_json = { workspace = true }
time = { workspace = true } time = { workspace = true }
tokio-openssl = { workspace = true } tokio-openssl = { workspace = true }
kanidm_lib_crypto = { workspace = true } kanidm_lib_crypto = { workspace = true }
uuid = { workspace = true } uuid = { workspace = true }
webauthn-authenticator-rs = { workspace = true } webauthn-authenticator-rs = { workspace = true }
jsonschema = "0.28.3" jsonschema = "0.29.0"
[package.metadata.cargo-machete]
ignored = ["escargot", "futures", "kanidm_build_profiles"]


@ -3,14 +3,13 @@
//! - @yaleman //! - @yaleman
//! //!
use std::collections::{BTreeMap, BTreeSet};
// use kanidm_client::KanidmClient;
use kanidmd_lib::constants::entries::Attribute; use kanidmd_lib::constants::entries::Attribute;
use kanidmd_lib::constants::groups::{idm_builtin_admin_groups, idm_builtin_non_admin_groups}; use kanidmd_lib::constants::groups::{idm_builtin_admin_groups, idm_builtin_non_admin_groups};
use kanidmd_lib::prelude::{builtin_accounts, EntryInitNew}; use kanidmd_lib::prelude::{builtin_accounts, EntryInitNew};
use petgraph::graphmap::{AllEdges, GraphMap, NodeTrait}; use petgraph::graphmap::{AllEdges, GraphMap, NodeTrait};
use petgraph::Directed; use petgraph::Directed;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::collections::{BTreeMap, BTreeSet};
use uuid::Uuid; use uuid::Uuid;
#[derive(Clone, Deserialize, Serialize)] #[derive(Clone, Deserialize, Serialize)]


@ -58,7 +58,7 @@ tokio = { workspace = true, features = ["rt", "macros", "fs", "signal"] }
url = { workspace = true, features = ["serde"] } url = { workspace = true, features = ["serde"] }
uuid = { workspace = true } uuid = { workspace = true }
zxcvbn = { workspace = true } zxcvbn = { workspace = true }
lazy_static.workspace = true lazy_static = { workspace = true }
regex = { workspace = true } regex = { workspace = true }
[dev-dependencies] [dev-dependencies]
@ -119,3 +119,6 @@ assets = [
], ],
] ]
maintainer-scripts = "debian/" maintainer-scripts = "debian/"
[package.metadata.cargo-machete]
ignored = ["clap_complete", "kanidm_build_profiles"]


@ -1,6 +1,6 @@
[package] [package]
name = "kanidm_device_flow" name = "kanidm_device_flow"
description = "Kanidm Device Flow Client" description = "Kanidm Device Flow Example Client"
documentation = "https://kanidm.github.io/kanidm/stable/" documentation = "https://kanidm.github.io/kanidm/stable/"
version = { workspace = true } version = { workspace = true }
authors = { workspace = true } authors = { workspace = true }
@ -18,15 +18,12 @@ doctest = false
[features] [features]
[dependencies] [dependencies]
kanidm_proto = { workspace = true }
anyhow = { workspace = true } anyhow = { workspace = true }
kanidm_proto = { workspace = true }
oauth2 = "5.0.0" oauth2 = "5.0.0"
reqwest = { version = "0.12.12", default-features = false, features = [ reqwest = { workspace = true, default-features = false, features = [
"rustls-tls", "rustls-tls",
] } ] }
tokio = { workspace = true, features = ["full"] }
url = { workspace = true }
tracing = { workspace = true }
sketching = { workspace = true } sketching = { workspace = true }
base64.workspace = true tokio = { workspace = true, features = ["full"] }
tracing = { workspace = true }
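Review bot: Switching `reqwest` to `workspace = true` while keeping `default-features = false` only turns the default features off if the workspace-level `reqwest` entry also sets `default-features = false`; otherwise Cargo ignores the member-level flag and emits a warning. The workspace entry is not visible in this hunk, so this is worth confirming, because reqwest's default features would bring in its default TLS backend alongside `rustls-tls`. Features listed on the workspace entry are also unioned into this crate. Running `cargo tree -e features -p kanidm_device_flow` shows what the example client actually builds with after the change.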


@ -39,3 +39,6 @@ kanidm_utils_users = { workspace = true }
[build-dependencies] [build-dependencies]
clap = { workspace = true, features = ["derive"] } clap = { workspace = true, features = ["derive"] }
clap_complete = { workspace = true } clap_complete = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["clap_complete"]


@ -42,3 +42,6 @@ clap_complete = { workspace = true }
[dev-dependencies] [dev-dependencies]
sketching = { workspace = true } sketching = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["clap_complete"]


@ -42,3 +42,5 @@ mimalloc = { workspace = true }
[build-dependencies] [build-dependencies]
kanidm_build_profiles = { workspace = true } kanidm_build_profiles = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["kanidm_build_profiles"]


@ -37,3 +37,6 @@ tracing = { workspace = true }
[build-dependencies] [build-dependencies]
kanidm_build_profiles = { workspace = true } kanidm_build_profiles = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["kanidm_build_profiles"]


@ -12,7 +12,7 @@ repository = { workspace = true }
[lib] [lib]
name = "nss_kanidm" name = "nss_kanidm"
crate-type = [ "cdylib" ] crate-type = ["cdylib"]
path = "src/lib.rs" path = "src/lib.rs"
[dependencies] [dependencies]
@ -21,7 +21,6 @@ kanidm_unix_common = { workspace = true }
[target.'cfg(not(target_family = "windows"))'.dependencies] [target.'cfg(not(target_family = "windows"))'.dependencies]
libnss = { workspace = true } libnss = { workspace = true }
libc = { workspace = true } libc = { workspace = true }
paste = { workspace = true }
lazy_static = { workspace = true } lazy_static = { workspace = true }
[target."cfg(target_os = \"freebsd\")".build-dependencies] [target."cfg(target_os = \"freebsd\")".build-dependencies]
@ -42,10 +41,22 @@ assets = [
[package.metadata.deb.variants.aarch64-unknown-linux-gnu] [package.metadata.deb.variants.aarch64-unknown-linux-gnu]
merge-assets.append = [ merge-assets.append = [
[ "target/release/libnss_kanidm.so", "usr/lib/aarch64-linux-gnu/libnss_kanidm.so.2", "644"], [
"target/release/libnss_kanidm.so",
"usr/lib/aarch64-linux-gnu/libnss_kanidm.so.2",
"644",
],
] ]
[package.metadata.deb.variants.x86_64-unknown-linux-gnu] [package.metadata.deb.variants.x86_64-unknown-linux-gnu]
merge-assets.append = [ merge-assets.append = [
[ "target/release/libnss_kanidm.so", "usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2", "644"], [
"target/release/libnss_kanidm.so",
"usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2",
"644",
],
] ]
[package.metadata.cargo-machete]
ignored = ["cc", "lazy_static"]
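Review bot: `lazy_static` is still declared under `[target.'cfg(not(target_family = "windows"))'.dependencies]` and is also added to the machete ignore list in `ignored = ["cc", "lazy_static"]`, whereas `paste` in the same table was removed outright. If the crate no longer uses `lazy_static`, dropping the dependency line is the cleaner fix. If it is used through a macro or a cfg-gated path that machete cannot see, a trailing comment saying so would keep the ignore from hiding a stale dependency later. The source that would settle this is outside the diff.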


@ -13,7 +13,7 @@ repository = { workspace = true }
[lib] [lib]
name = "pam_kanidm" name = "pam_kanidm"
crate-type = [ "cdylib" ] crate-type = ["cdylib"]
path = "src/lib.rs" path = "src/lib.rs"
[dependencies] [dependencies]
@ -42,12 +42,31 @@ assets = [
[package.metadata.deb.variants.aarch64-unknown-linux-gnu] [package.metadata.deb.variants.aarch64-unknown-linux-gnu]
merge-assets.append = [ merge-assets.append = [
[ "target/release/libpam_kanidm.so", "usr/lib/aarch64-linux-gnu/security/pam_kanidm.so", "644"], [
[ "debian/kanidm.pam", "usr/share/pam-configs/kanidm", "644"], "target/release/libpam_kanidm.so",
"usr/lib/aarch64-linux-gnu/security/pam_kanidm.so",
"644",
],
[
"debian/kanidm.pam",
"usr/share/pam-configs/kanidm",
"644",
],
] ]
[package.metadata.deb.variants.x86_64-unknown-linux-gnu] [package.metadata.deb.variants.x86_64-unknown-linux-gnu]
merge-assets.append = [ merge-assets.append = [
[ "target/release/libpam_kanidm.so", "usr/lib/x86_64-linux-gnu/security/pam_kanidm.so", "644"], [
[ "debian/kanidm.pam", "usr/share/pam-configs/kanidm", "644"], "target/release/libpam_kanidm.so",
"usr/lib/x86_64-linux-gnu/security/pam_kanidm.so",
"644",
],
[
"debian/kanidm.pam",
"usr/share/pam-configs/kanidm",
"644",
],
] ]
[package.metadata.cargo-machete]
ignored = ["pkg-config"]


@ -52,7 +52,7 @@ test = true
doctest = false doctest = false
[dependencies] [dependencies]
async-trait.workspace = true async-trait = { workspace = true }
bytes = { workspace = true } bytes = { workspace = true }
clap = { workspace = true, features = ["derive", "env"] } clap = { workspace = true, features = ["derive", "env"] }
dialoguer = { workspace = true } dialoguer = { workspace = true }
@ -89,8 +89,8 @@ uuid = { workspace = true }
walkdir = { workspace = true } walkdir = { workspace = true }
[target.'cfg(target_os = "linux")'.dependencies] [target.'cfg(target_os = "linux")'.dependencies]
sd-notify.workspace = true sd-notify = { workspace = true }
prctl.workspace = true prctl = { workspace = true }
[target.'cfg(not(target_family = "windows"))'.dependencies] [target.'cfg(not(target_family = "windows"))'.dependencies]
kanidm_utils_users = { workspace = true } kanidm_utils_users = { workspace = true }
@ -138,3 +138,6 @@ systemd-units = [
{ unit-name = "kanidm-unixd", enable = true}, { unit-name = "kanidm-unixd", enable = true},
{ unit-name = "kanidm-unixd-tasks", enable = true}, { unit-name = "kanidm-unixd-tasks", enable = true},
] ]
[package.metadata.cargo-machete]
ignored = ["kanidm_build_profiles", "clap_complete"]