From f48e10e21cba3df59673952b5cb06b632de75b54 Mon Sep 17 00:00:00 2001 From: James Hodgkinson Date: Thu, 29 Dec 2022 13:02:51 +1000 Subject: [PATCH] Fix the book again (#1302) * fixing templates and making the book build script quit harder on failures --- Makefile | 2 + build_all_the_docs.sh | 18 ++++++- kanidm_book/src/accounts_and_groups.md | 48 +++++++++++++------ kanidm_book/src/choosing_a_domain_name.md | 20 +++++--- .../src/developers/designs/rest_interface.md | 16 +++++-- kanidm_book/src/installing_client_tools.md | 12 +++-- kanidm_book/src/integrations/ldap.md | 15 ++++-- kanidm_book/src/integrations/oauth2.md | 32 ++++++++----- kanidm_book/src/intro.md | 11 ++++- kanidm_book/src/prepare_the_server.md | 21 +++++--- kanidm_book/src/recycle_bin.md | 17 ++++--- kanidm_book/src/server_configuration.md | 26 ++++++---- kanidm_book/src/server_update.md | 22 +++++---- kanidm_book/src/sync/concepts.md | 37 ++++++++++---- 14 files changed, 207 insertions(+), 90 deletions(-) diff --git a/Makefile b/Makefile index 278e3c2ba..52a1039a1 100644 --- a/Makefile +++ b/Makefile @@ -160,6 +160,7 @@ book: ## Build the Kanidm book book: cargo doc --no-deps mdbook build kanidm_book + rm -rf ./docs/ mv ./kanidm_book/book/ ./docs/ mkdir -p ./docs/rustdoc/${BOOK_VERSION} mv ./target/doc/* ./docs/rustdoc/${BOOK_VERSION}/ @@ -172,6 +173,7 @@ book_versioned: git pull origin "${BOOK_VERSION}" cargo doc --no-deps --quiet mdbook build kanidm_book + rm -rf ./docs/ mkdir -p ./docs mv ./kanidm_book/book/ ./docs/${BOOK_VERSION}/ mkdir -p ./docs/${BOOK_VERSION}/rustdoc/ diff --git a/build_all_the_docs.sh b/build_all_the_docs.sh index 17160f079..69786665e 100755 --- a/build_all_the_docs.sh +++ b/build_all_the_docs.sh 
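Review bot: The `rm -rf ./docs/` added to `book_versioned` deletes the whole output tree, although the lines after it only write into `./docs/${BOOK_VERSION}/`, so building one version discards any other version already present under `./docs/`. If the target is meant to be run once per version, narrow the removal to `rm -rf "./docs/${BOOK_VERSION}/"` and fail early when `BOOK_VERSION` is empty, since an empty value turns that path back into `./docs/`. The same line in `book` replaces the entire directory by design and looks fine. Both recipes continue past the end of their hunks.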
@@ -1,24 +1,37 @@ #!/bin/bash +set -e + git config --global pull.ff only DOCS_DIR="/tmp/kanidm_docs" echo "DOCS DIR: ${DOCS_DIR}" echo "PWD: $(pwd)" +if [ "${GITHUB_ACTIONS}" ]; then + echo "Running in Github Actions" + git config user.email "kanidm@kanidm.com" + git config user.name "Kanidm Github Actions Runner" +fi + +git fetch --all + function build_version() { BOOK_VERSION=$1 echo "Book version: ${BOOK_VERSION}" echo "
  • ${BOOK_VERSION}
  • " >> "${DOCS_DIR}/index.html" - git switch -c "${BOOK_VERSION}" || git switch "${BOOK_VERSION}" - git pull origin "${BOOK_VERSION}" + if [ "$(git branch --show-current)" != "${BOOK_VERSION}" ]; then + git switch -c "${BOOK_VERSION}" || git switch "${BOOK_VERSION}" + fi echo "Running mdbook build" mdbook build kanidm_book echo "Running cargo doc" cargo doc --quiet --no-deps echo "Moving book to ${DOCS_DIR}/${BOOK_VERSION}/" mv ./kanidm_book/book/ "${DOCS_DIR}/${BOOK_VERSION}/" + echo "Cleaning out rustdoc dir..." + rm -rf "${DOCS_DIR}/${BOOK_VERSION}/rustdoc/" echo "Moving rustdoc to ${DOCS_DIR}/${BOOK_VERSION}/rustdoc/" mkdir -p "${DOCS_DIR}/${BOOK_VERSION}/rustdoc/" mv ./target/doc/* "${DOCS_DIR}/${BOOK_VERSION}/rustdoc/" @@ -61,5 +74,6 @@ cat >> "${DOCS_DIR}/index.html" <<-'EOM' EOM ls -la "${DOCS_DIR}" +rm -rf ./docs/ mv "${DOCS_DIR}" ./docs/ ln -s "${LATEST}" ./docs/stable diff --git a/kanidm_book/src/accounts_and_groups.md b/kanidm_book/src/accounts_and_groups.md index 0ca04a082..f0c832a05 100644 --- a/kanidm_book/src/accounts_and_groups.md +++ b/kanidm_book/src/accounts_and_groups.md @@ -51,8 +51,15 @@ sensitive data), group management, and more. By default the `admin` and `idm_admin` accounts have no password, and can not be accessed. They need to be "recovered" from the server that is running the kanidmd server. -{{#template templates/kani-warning.md imagepath=images title=Warning! text=The server must not be -running at this point, as it requires exclusive access to the database. }} + + +{{#template templates/kani-warning.md +imagepath=images +title=Warning! +text=The server must not be running at this point, as it requires exclusive access to the database. +}} + + ```shell kanidmd recover_account admin -c /etc/kanidm/server.toml 
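Review bot: With `git pull origin "${BOOK_VERSION}"` removed, nothing in `build_version` brings the working tree to the remote state of the requested version: `git switch -c "${BOOK_VERSION}"` has no start point, so it creates the branch from the current HEAD, and the fallback `git switch "${BOOK_VERSION}"` runs only when that fails. On a fresh clone, where the version branches presumably do not exist locally, every version would be built from the same commit and published under a different version label. When the branch is already checked out, the new `if` goes straight to the build with whatever the local branch holds. Naming the start point closes this, for example `git switch -C "${BOOK_VERSION}" "origin/${BOOK_VERSION}"` if the versions are remote branches; the added `git fetch --all` already makes that ref available. `build_version` continues past the end of the hunk.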
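Review bot: After the added `rm -rf ./docs/`, the tree that gets published is whatever sits at the fixed path `/tmp/kanidm_docs`, and the lines visible in this patch never create that directory freshly. On a machine where `/tmp` is shared, another local user can pre-create it with contents of their choosing, or a stale earlier run can leave files behind, and either ends up in `./docs/`. Creating the staging directory with `DOCS_DIR="$(mktemp -d)"` near the top of the script avoids both. The removal is also relative to the caller's working directory, so pinning it first with something like `cd "$(dirname "$0")"` would keep `rm -rf ./docs/` from acting on an unrelated directory. The part of the script between the two hunks is not shown, so confirm neither is already handled there.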
@@ -127,10 +134,15 @@ these attributes. kanidm person update demo_user --legalname "initial name" --mail "initial@email.address" ``` -{{#template templates/kani-warning.md imagepath=images title=Warning! text=Persons may change their -own displayname, name, and legal name at any time. You MUST NOT use these values as primary keys in -external systems. You MUST use the `uuid` attribute present on all entries as an external primary -key. }} + + +{{#template templates/kani-warning.md +imagepath=images +title=Warning! +text=Persons may change their own displayname, name, and legal name at any time. You MUST NOT use these values as primary keys in external systems. You MUST use the `uuid` attribute present on all entries as an external primary key. +}} + + ## Resetting Person Account Credentials @@ -225,8 +237,14 @@ ldapwhoami -H ldaps://idm.example.com -x -D "dn=token" -w "..." ## Resetting Service Account Credentials (Deprecated) -{{#template templates/kani-warning.md imagepath=images text=Api Tokens are a better method to manage -credentials for service accounts, and passwords may be removed in the future! }} + + +{{#template templates/kani-warning.md +imagepath=images +text=Api Tokens are a better method to manage credentials for service accounts, and passwords may be removed in the future! +}} + + Service accounts can not have their credentials interactively updated in the same manner as persons. Service accounts may only have server side generated high entropy passwords. 
@@ -262,9 +280,11 @@ Kanidm supports accounts that are only able to authenticate between a pair of da This can be displayed with: - kanidm person validity show demo_user --name idm_admin - valid after: 2020-09-25T21:22:04+10:00 - expire: 2020-09-25T01:22:04+10:00 +```bash +kanidm person validity show demo_user --name idm_admin +valid after: 2020-09-25T21:22:04+10:00 +expire: 2020-09-25T01:22:04+10:00 +``` These datetimes are stored in the server as UTC, but presented according to your local system time to aid correct understanding of when the events will occur. @@ -276,7 +296,7 @@ You may set these time and date values in any timezone you wish (such as your lo the server will transform these to UTC. These time values are in iso8601 format, and you should specify this as: -``` +```shell YYYY-MM-DDThh:mm:ssZ+-hh:mm Year-Month-Day T hour:minutes:seconds Z +- timezone offset ``` @@ -304,7 +324,7 @@ kanidm person validity expire_at demo_user never|clear --name idm_admin To "lock" an account, you can set the expire_at value to the past, or unix epoch. Even in the situation where the "valid from" is _after_ the expire_at, the expire_at will be respected. -``` +```bash kanidm person validity expire_at demo_user 1970-01-01T00:00:00+00:00 --name idm_admin ``` @@ -317,7 +337,7 @@ By default, Kanidm allows an account to change some attributes, but not their ma Adding the user to the `idm_people_self_write_mail` group, as shown below, allows the user to edit their own mail. -``` +```bash kanidm group add_members idm_people_self_write_mail_priv demo_user --name idm_admin ``` diff --git a/kanidm_book/src/choosing_a_domain_name.md b/kanidm_book/src/choosing_a_domain_name.md index aaafb1f90..9bc740825 100644 --- a/kanidm_book/src/choosing_a_domain_name.md +++ b/kanidm_book/src/choosing_a_domain_name.md 
@@ -4,9 +4,15 @@ Through out this book, Kanidm will make reference to a "domain name". This is yo name that you intend to use for Kanidm. Choosing this domain name however is not simple as there are a number of considerations you need to be careful of. -{{#template templates/kani-warning.md imagepath=images/ title=Take note! text=Incorrect choice of -the domain name may have security impacts on your Kanidm instance, not limited to credential -phishing, theft, session leaks and more. It is critical you follow the advice in this chapter. }} + + +{{#template templates/kani-warning.md +imagepath=images/ +title=Take note! +text=Incorrect choice of the domain name may have security impacts on your Kanidm instance, not limited to credential phishing, theft, session leaks and more. It is critical you follow the advice in this chapter. +}} + + ## Considerations @@ -45,7 +51,7 @@ some phishing scenarioes. Consider we own `kanidm.com`. If we were to run geographical instances, and have testing environments the following domain and hostnames could be used. -_production_ +#### Production Domain Name - origin: `https://idm.kanidm.com` - domain name: `idm.kanidm.com` @@ -56,7 +62,7 @@ still works with webauthn and cookies which are transferable between instances. It is critical no other hosts are registered under this domain name. -_testing_ +#### Testing Domain Name - origin: `https://idm.dev.kanidm.com` - domain name: `idm.dev.kanidm.com` @@ -77,12 +83,12 @@ access the cookies issued by `kanidm.com`, effectively leaking them to all other Second instance overlap: -_production_ +#### Production - origin: `https://idm.kanidm.com` - domain name: `idm.kanidm.com` -_testing_ +#### Testing - origin: `https://dev.idm.kanidm.com` - domain name: `dev.idm.kanidm.com` diff --git a/kanidm_book/src/developers/designs/rest_interface.md b/kanidm_book/src/developers/designs/rest_interface.md index f26d5c6d6..8766188f5 100644 --- a/kanidm_book/src/developers/designs/rest_interface.md 
+++ b/kanidm_book/src/developers/designs/rest_interface.md @@ -1,11 +1,17 @@ # REST Interface -{{#template\ -../../templates/kani-warning.md imagepath=../../images/ title=Note! text=Here begins some early -notes on the REST interface - much better ones are in the repository's designs directory. }} + -There's an endpoint at `//routemap` (for example, https://localhost/v1/routemap) which -is based on the API routes as they get instantiated. +{{#template ../../templates/kani-warning.md +imagepath=../../images/ +title=Note! +text=Here begins some early notes on the REST interface - much better ones are in the repository's designs directory. +}} + + + +There's an endpoint at `//routemap` (for example, `https://localhost/v1/routemap`) +which is based on the API routes as they get instantiated. It's _very, very, very_ early work, and should not be considered stable at all. diff --git a/kanidm_book/src/installing_client_tools.md b/kanidm_book/src/installing_client_tools.md index cc1874bf7..c0655e62a 100644 --- a/kanidm_book/src/installing_client_tools.md +++ b/kanidm_book/src/installing_client_tools.md @@ -62,9 +62,15 @@ brew install kanidm ### Fedora / Centos Stream -{{#template templates/kani-warning.md imagepath=images title=Take Note! text=Kanidm frequently uses -new Rust versions and features, however Fedora and Centos frequently are behind in Rust releases. As -a result, they may not always have the latest Kanidm versions available. }} + + +{{#template templates/kani-warning.md +imagepath=images +title=Take Note! +text=Kanidm frequently uses new Rust versions and features, however Fedora and Centos frequently are behind in Rust releases. As a result, they may not always have the latest Kanidm versions available. +}} + + Fedora has limited support through the development repository. You need to add the repository metadata into the correct directory: 
diff --git a/kanidm_book/src/integrations/ldap.md b/kanidm_book/src/integrations/ldap.md index d77577283..2fb92d47a 100644 --- a/kanidm_book/src/integrations/ldap.md +++ b/kanidm_book/src/integrations/ldap.md @@ -6,10 +6,15 @@ authentication for many years, with almost every application in the world being bind to LDAP. As many organisations still rely on LDAP, Kanidm can host a read-only LDAP interface for these legacy applications. -{{#template\ -../templates/kani-warning.md imagepath=../images title=Warning! text=The LDAP server in Kanidm is -not a fully RFC-compliant LDAP server. This is intentional, as Kanidm wants to cover the common use -cases - simple bind and search. }} + + +{{#template ../templates/kani-warning.md +imagepath=../images +title=Warning! +text=The LDAP server in Kanidm is not a fully RFC-compliant LDAP server. This is intentional, as Kanidm wants to cover the common use cases - simple bind and search. +}} + + ## What is LDAP @@ -187,7 +192,7 @@ ldapsearch -H ldap://127.0.0.1:3389 -b 'dc=example,dc=com' -x '(name=test1)' All give the same error: -``` +```bash ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ``` diff --git a/kanidm_book/src/integrations/oauth2.md b/kanidm_book/src/integrations/oauth2.md index 5a1504f2c..39bd43dc6 100644 --- a/kanidm_book/src/integrations/oauth2.md +++ b/kanidm_book/src/integrations/oauth2.md 
@@ -129,10 +129,15 @@ kanidm system oauth2 update_scope_map [scopes]... kanidm system oauth2 update_scope_map nextcloud nextcloud_admins admin ``` -{{#template ../templates/kani-warning.md imagepath=../images title=WARNING text=If you are creating -an OpenID Connect (OIDC) resource server you -MUST provide a scope map named openid. Without this, OpenID clients WILL NOT -WORK }} + + +{{#template ../templates/kani-warning.md +imagepath=../images +title=WARNING +text=If you are creating an OpenID Connect (OIDC) resource server you MUST provide a scope map named openid. Without this, OpenID clients WILL NOT WORK! +}} + + > **HINT** OpenID connect allows a number of scopes that affect the content of the resulting > authorisation token. If one of the following scopes are requested by the OpenID client, then the @@ -194,9 +199,14 @@ Not all resource servers support modern standards like PKCE or ECDSA. In these s necessary to disable these on a per-resource server basis. Disabling these on one resource server will not affect others. -{{#template ../templates/kani-warning.md imagepath=../images title=WARNING text=Changing these -settings MAY have serious consequences on the security of your resource server. You should avoid -changing these if at all possible! }} + + +{{#template ../templates/kani-warning.md +imagepath=../images +title=WARNING text=Changing these settings MAY have serious consequences on the security of your resource server. You should avoid changing these if at all possible! +}} + + To disable PKCE for a resource server: @@ -217,7 +227,7 @@ kanidm system oauth2 warning_enable_legacy_crypto Add the following to a `mod_auth_openidc.conf`. It should be included in a `mods_enabled` folder or with an appropriate include. -``` +```conf OIDCRedirectURI /protected/redirect_uri OIDCCryptoPassphrase OIDCProviderMetadataURL https://kanidm.example.com/oauth2/openid//.well-known/openid-configuration 
@@ -264,7 +274,7 @@ You may optionally choose to add: If you forget this, you may see the following error in logs: -``` +```bash Host 172.24.11.129 was not connected to because it violates local access rules ``` @@ -292,7 +302,7 @@ Velociraptor supports OIDC. To configure it select "Authenticate with SSO" then interactive configuration generator. Alternately, you can set the following keys in server.config.yaml: -``` +```yaml GUI: authenticator: type: OIDC @@ -309,7 +319,7 @@ kanidm system oauth2 warning_insecure_client_disable_pkce Initial users are mapped via their email in the Velociraptor server.config.yaml config: -``` +```yaml GUI: initial_users: - name: diff --git a/kanidm_book/src/intro.md b/kanidm_book/src/intro.md index c2a82e8d8..eeb564ea6 100644 --- a/kanidm_book/src/intro.md +++ b/kanidm_book/src/intro.md @@ -10,8 +10,15 @@ The intent of the Kanidm project is to: - Make system, network, application and web authentication easy and accessible. - Secure and reliable by default, aiming for the highest levels of quality. -{{#template templates/kani-warning.md imagepath=images title=NOTICE text=Kanidm is still a work in -progress. Many features will evolve and change over time which may not be suitable for all users. }} + + +{{#template templates/kani-warning.md +imagepath=images +title=NOTICE +text=Kanidm is still a work in progress. Many features will evolve and change over time which may not be suitable for all users. +}} + + ## Why do I want Kanidm? diff --git a/kanidm_book/src/prepare_the_server.md b/kanidm_book/src/prepare_the_server.md index 0ab7a7b17..4e2178a6c 100644 --- a/kanidm_book/src/prepare_the_server.md +++ b/kanidm_book/src/prepare_the_server.md 
@@ -36,12 +36,12 @@ report issues, we will make every effort to help resolve them. ## System Requirements -#### CPU +### CPU If you are using the x86\_64 cpu-optimised version, you must have a CPU that is from 2013 or newer (Haswell, Ryzen). The following instruction flags are used. -``` +```asm cmov, cx8, fxsr, mmx, sse, sse2, cx16, sahf, popcnt, sse3, sse4.1, sse4.2, avx, avx2, bmi, bmi2, f16c, fma, lzcnt, movbe, xsave ``` @@ -54,12 +54,19 @@ In this case, you should use the standard server:latest image. In the future we may apply a baseline of flags as a requirement for x86\_64 for the server:latest image. These flags will be: -``` +```asm cmov, cx8, fxsr, mmx, sse, sse2 ``` -{{#template templates/kani-alert.md imagepath=images title=Tip text=You can check your cpu flags on -Linux with the command `lscpu` }} + + +{{#template templates/kani-alert.md +imagepath=images +title=Tip +text=You can check your cpu flags on Linux with the command `lscpu` +}} + + #### Memory @@ -91,7 +98,7 @@ critical element of ensuring a secure system. The key.pem should be a single PEM private key, with no encryption. The file content should be similar to: -``` +```bash -----BEGIN RSA PRIVATE KEY----- MII... -----END RSA PRIVATE KEY----- @@ -101,7 +108,7 @@ The chain.pem is a series of PEM formatted certificates. The leaf certificate, o that matches the private key should be the first certificate in the file. This should be followed by the series of intermediates, and the final certificate should be the CA root. For example: -``` +```bash -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- diff --git a/kanidm_book/src/recycle_bin.md b/kanidm_book/src/recycle_bin.md index 1ec917bce..4b7d90cca 100644 --- a/kanidm_book/src/recycle_bin.md +++ b/kanidm_book/src/recycle_bin.md 
@@ -3,10 +3,15 @@ The recycle bin is a storage of deleted entries from the server. This allows recovery from mistakes for a period of time. -{{#template\ -templates/kani-warning.md imagepath=images title=Warning! text=The recycle bin is a best effort - -when recovering in some cases not everything can be "put back" the way it was. Be sure to check your -entries are valid once they have been revived. }} + + +{{#template templates/kani-warning.md +imagepath=images +title=Warning! +text=The recycle bin is a best effort - when recovering in some cases not everything can be "put back" the way it was. Be sure to check your entries are valid once they have been revived. +}} + + ## Where is the Recycle Bin? @@ -51,7 +56,7 @@ such as the oauth2 scope map type. An example of this data loss is the following steps: -``` +```bash add user1 add group1 add user1 as member of group1 @@ -64,7 +69,7 @@ revive group1 In this series of steps, due to the way that referential integrity is implemented, the membership of user1 in group1 would be lost in this process. To explain why: -``` +```bash add user1 add group1 add user1 as member of group1 // refint between the two established, and memberof added diff --git a/kanidm_book/src/server_configuration.md b/kanidm_book/src/server_configuration.md index 2ba0007bc..3c499f8ea 100644 --- a/kanidm_book/src/server_configuration.md +++ b/kanidm_book/src/server_configuration.md 
@@ -1,22 +1,28 @@ -## Configuring the Server +# Configuring the Server -### Configuring server.toml +## Configuring server.toml You need a configuration file in the volume named `server.toml`. (Within the container it should be `/data/server.toml`) Its contents should be as follows: -``` +```toml {{#rustdoc_include ../../examples/server_container.toml}} ``` This example is located in [examples/server_container.toml](https://github.com/kanidm/kanidm/blob/master/examples/server_container.toml). -{{#template templates/kani-warning.md imagepath=images title=Warning! text=You MUST set the `domain` -name correctly, aligned with your `origin`, else the server may refuse to start or some features -(e.g. webauthn, oauth) may not work correctly! }} + -### Check the configuration is valid. +{{#template templates/kani-warning.md +imagepath=images +title=Warning! +text=You MUST set the `domain` name correctly, aligned with your `origin`, else the server may refuse to start or some features (e.g. webauthn, oauth) may not work correctly! +}} + + + +## Check the configuration is valid You should test your configuration is valid before you proceed. @@ -25,7 +31,7 @@ docker run --rm -i -t -v kanidmd:/data \ kanidm/server:latest /sbin/kanidmd configtest -c /data/server.toml ``` -### Default Admin Account +## Default Admin Account Then you can setup the initial admin account and initialise the database into your volume. This command will generate a new random password for the admin account. @@ -36,7 +42,7 @@ docker run --rm -i -t -v kanidmd:/data \ # success - recover_account password for user admin: vv... ``` -### Run the Server +## Run the Server Now we can run the server so that it can accept connections. This defaults to using `-c /data/server.toml` 
@@ -45,7 +51,7 @@ Now we can run the server so that it can accept connections. This defaults to us docker run -p 443:8443 -v kanidmd:/data kanidm/server:latest ``` -### Using the NET\_BIND\_SERVICE capability +## Using the NET\_BIND\_SERVICE capability If you plan to run without using docker port mapping or some other reverse proxy, and your bindaddress or ldapbindaddress port is less than `1024` you will need the `NET_BIND_SERVICE` in diff --git a/kanidm_book/src/server_update.md b/kanidm_book/src/server_update.md index bca21ce7e..a9cd9f3e9 100644 --- a/kanidm_book/src/server_update.md +++ b/kanidm_book/src/server_update.md @@ -1,6 +1,6 @@ -## Updating the Server +# Updating the Server -### Preserving the Previous Image +## Preserving the Previous Image You may wish to preserve the previous image before updating. This is useful if an issue is encountered in upgrades. @@ -10,7 +10,7 @@ docker tag kanidm/server:latest kanidm/server: docker tag kanidm/server:latest kanidm/server:2022-10-24 ``` -### Update your Image +## Update your Image Pull the latest version of Kanidm that matches your CPU profile @@ -19,15 +19,21 @@ docker pull kanidm/server:latest docker pull kanidm/server:x86_64_latest ``` -### Perform a backup +## Perform a backup See [backup and restore](backup_restore.md) -### Update your Instance +## Update your Instance -{{#template templates/kani-warning.md imagepath=images title=WARNING text=It is not always -guaranteed that downgrades are possible. It is critical you know how to backup and restore before -you proceed with this step. }} + + +{{#template templates/kani-warning.md +imagepath=images +title=WARNING +text=It is not always guaranteed that downgrades are possible. It is critical you know how to backup and restore before you proceed with this step. +}} + + Docker updates by deleting and recreating the instance. All that needs to be preserved in your storage volume. 
diff --git a/kanidm_book/src/sync/concepts.md b/kanidm_book/src/sync/concepts.md index c67ad4ed8..f3ba5967a 100644 --- a/kanidm_book/src/sync/concepts.md +++ b/kanidm_book/src/sync/concepts.md @@ -53,10 +53,15 @@ kanidm system sync generate-token ipasync mylabel token: eyJhbGci... ``` -{{#template\ -../templates/kani-warning.md imagepath=../images title=Warning! text=The sync account token has a -high level of privilege, able to create new accounts and groups. It should be treated carefully as a -result! }} + + +{{#template ../templates/kani-warning.md +imagepath=../images +title=Warning! +text=The sync account token has a high level of privilege, able to create new accounts and groups. It should be treated carefully as a result! +}} + + If you need to revoke the token, you can do so with: @@ -89,9 +94,15 @@ If you are performing a migration from an external IDM to Kanidm, when that migr you can nominate that Kanidm now owns all of the imported data. This is achieved by finalising the sync account. -{{#template ../templates/kani-warning.md imagepath=../images title=Warning! text=You can not undo -this operation. Once you have finalised an agreement, Kanidm owns all of the synchronised data, and -you can not resume synchronisation. }} + + +{{#template ../templates/kani-warning.md +imagepath=../images +title=Warning! +text=You can not undo this operation. Once you have finalised an agreement, Kanidm owns all of the synchronised data, and you can not resume synchronisation. +}} + + ```bash kanidm system sync finalise 
@@ -106,9 +117,15 @@ Once finalised, imported accounts can now be fully managed by Kanidm. If you decide to cease importing accounts or need to remove all imported accounts from a sync account, you can choose to terminate the agreement removing all data that was imported. -{{#template ../templates/kani-warning.md imagepath=../images title=Warning! text=You can not undo -this operation. Once you have terminated an agreement, Kanidm deletes all of the synchronised data, -and you can not resume synchronisation. }} + + +{{#template ../templates/kani-warning.md +imagepath=../images +title=Warning! +text=You can not undo this operation. Once you have terminated an agreement, Kanidm deletes all of the synchronised data, and you can not resume synchronisation. +}} + + ```bash kanidm system sync terminate