mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Minor typo and formatting fixes.

Browse source
This commit is contained in:
Charelle Collett 2020-01-27 22:30:09 +10:00 committed by Firstyear
parent 9360ba78f3
commit e41fada28a
5 changed files with 29 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
kanidm_book/src/SUMMARY.md
View file

@ -1,6 +1,6 @@
# Summary
[Kanidm Administration](./intro.md)
[Introduction to Kanidm](./intro.md)
- [Installing the Server](./installing_the_server.md)
- [Administrative Tasks](./administrivia.md)
- [Interacting with the Server](./client_tools.md)

20
kanidm_book/src/administrivia.md
View file

@ -1,6 +1,6 @@
# Administration Tasks
There are a number of tasks that you may wish to perform as an administrator of a service like kanidm.
There are a number of tasks that you may wish to perform as an administrator of a service like Kanidm.
# Backup and Restore
@ -10,7 +10,7 @@ that physical damage or mistake. Kanidm supports backup and restore of the datab
## Method 1
Method 1 involves taking a backup of the database entry content, which is then re-indexed on restore.
This is the "prefered" method.
This is the preferred method.
To take the backup (assuming our docker environment) you first need to stop the instance:
@ -20,7 +20,7 @@ To take the backup (assuming our docker environment) you first need to stop the
/backup/kanidm.backup.json -D /data/kanidm.db
docker start <container name>
You can then restart your instance. It's advised you DO NOT modify the backup.json as it may introduce
You can then restart your instance. DO NOT modify the backup.json as it may introduce
data errors into your instance.
To restore from the backup:
@ -47,13 +47,13 @@ There are some cases where you may need to rename the domain. You should have co
this initially in the setup, however you may have a situation where a business is changing
name, merging, or other needs which may prompt this needing to be changed.
WARNING: This WILL break ALL u2f/webauthn tokens that have been enrolled, which MAY cause
accounts to be locked out and unrecoverable until further action is taken. DO NOT CHANGE
the domain_name unless REQUIRED and have a plan on how to manage these issues.
> **WARNING:** This WILL break ALL u2f/webauthn tokens that have been enrolled, which MAY cause
> accounts to be locked out and unrecoverable until further action is taken. DO NOT CHANGE
> the `domain_name` unless REQUIRED and have a plan on how to manage these issues.
WARNING: This operation can take an extensive amount of time as ALL accounts and groups
in the domain MUST have their SPN's regenerated. This will also cause a large delay in
replication once the system is restarted.
> **WARNING:** This operation can take an extensive amount of time as ALL accounts and groups
> in the domain MUST have their SPN's regenerated. This will also cause a large delay in
> replication once the system is restarted.
You should take a backup before proceeding with this operation.
@ -93,7 +93,7 @@ definitions (this works even though the schema is in the same database!)
-D /data/kanidm.db
docker start <container name>
Generally reindexing is a rare action and should not normally be required.
Generally, reindexing is a rare action and should not normally be required.
# Verification

7
kanidm_book/src/client_tools.md
View file

@ -4,7 +4,10 @@ To interact with Kanidm as an administration, you'll need to use our command lin
## From (experimental) packages
Today we support Fedora 30/31 and OpenSUSE leap 15.1 and Tumbleweed.
Kanidm currently supports:
* Fedora 30/31
* OpenSUSE leap 15.1
* Tumbleweed
### SUSE
@ -39,7 +42,7 @@ After you check out the source (see github), navigate to:
cargo build
cargo install --path ./
## Check the tools work.
## Check the tools work
Now you can check your instance is working. You may need to provide a CA certificate for verification
with the -C parameter:

8
kanidm_book/src/intro.md
View file

@ -1,11 +1,11 @@
# Kanidm Administration
# Introduction to Kanidm
Kanidm is an identity management server, acting as an authority on accounts and authorisation
within a technical environment.
WARNING: This project is still under heavy development, and has not had a production ready
release yet. It may lose your data, be offline for some periods of time, or otherwise cause
disruptions if you aren't ready.
> **WARNING:** This project is still under heavy development, and has not had a production ready
> release yet. It may lose your data, be offline for some periods of time, or otherwise cause
> disruptions if you aren't ready.
The intent of the Kanidm project is:

18
kanidm_book/src/why_tls.md
View file

@ -1,28 +1,28 @@
# Why TLS?
In the getting started you may notice that we require TLS to be configure in
You may have noticed that Kanidm requires you to configure TLS in
your container - or that you provide something *with* TLS in front like haproxy.
This is due to a single setting on the server - secure_cookies
This is due to a single setting on the server - `secure_cookies`
## What are secure cookies?
## What are Secure Cookies?
Secure Cookies is a flag set in cookies that "asks" a client only to transmit them
`secure-cookies` is a flag set in cookies that "asks" a client to transmit them
back to the origin site if and only if https is present in the URL.
CA verification is *not* checked - you can use invalid, out of date certificates,
or even certificates where the subjectAltName does not match. But the client
or even certificates where the `subjectAltName` does not match, but the client
must see https:// as the destination else it *will not* send the cookies.
## How does that affect kanidm?
## How does that affect Kanidm?
Kanidm's authentication system is a stepped challenge response design, where you
initially request an "intent" to authenticated. Once you establish this intent
the server set's up a session-id into a cookie, and we inform the client of
initially request an "intent" to authenticate. Once you establish this intent,
the server sets up a session-id into a cookie, and informs the client of
what authentication methods can proceed.
When you then go to continue the authentication if you do NOT have a https url
When you then go to continue the authentication, if you do NOT have a https url,
the cookie with the session-id is not transmitted. The server detects this as
an invalid-state request in the authentication design and immediately disconnects
you from attempting to continue the authentication as you may be using an insecure