Improve book and errors related to domain name and origin mismatch (#617)

kanidm_book/src/server_configuration.md

@@ -1,5 +1,7 @@
 ## Configuring the Server
 
+### Configuring server.toml
+
 You will also need a config file in the volume named `server.toml` (Within the container it should be `/data/server.toml`). Its contents should be as follows:
 
     #   The webserver bind address. Will use HTTPS if tls_* is provided.
@@ -36,7 +38,8 @@ You will also need a config file in the volume named `server.toml` (Within the c
     # log_level = "default"
     #
     #   The origin for webauthn. This is the url to the server, with the port included if
-    #   it is non-standard (any port except 443)
+    #   it is non-standard (any port except 443). This must match or be a descendent of the
+    #   domain name you configure with `kanidmd domain_name_change`
     # origin = "https://idm.example.com"
     origin = "https://idm.example.com:8443"
     #
@@ -68,16 +71,26 @@ You will also need a config file in the volume named `server.toml` (Within the c
 
 An example is located in [examples/server.toml](../../examples/server.toml).
 
-Then you can setup the initial admin account and initialise the database into your volume.
+### Domain Name
 
-    docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
+You then *MUST* set your domain name so that security principal names (spn's) are generated correctly.
-
-You then want to set your domain name so that security principal names (spn's) are generated correctly.
 This domain name _must_ match the url/origin of the server that you plan to use to interact with
 so that other features work correctly. It is possible to change this domain name later.
 
     docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd domain_name_change -c /data/server.toml -n idm.example.com
 
+> **WARNING** You MUST set the domain name correctly, aligned with your origin, else the server
+> may refuse to start, or some features may not work correctly!
+
+### Default Admin Account
+
+Then you can setup the initial admin account and initialise the database into your volume.
+
+    docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
+
+### Run the Server
+
 Now we can run the server so that it can accept connections. This defaults to using `-c /data/server.toml`
 
     docker run -p 8443:8443 -v kanidmd:/data kanidm/server:latest
+

kanidmd/src/lib/idm/server.rs

@@ -187,7 +187,9 @@ impl IdmServer {
                 if valid {
                     Ok(url)
                 } else {
-                    admin_error!("Effective domain is not a descendent of server domain name (rp_id). You must change origin or domain name to be consistent. ed: {:?} - rp_id: {:?}", origin, rp_id);
+                    admin_error!("Effective domain is not a descendent of server domain name (rp_id).");
+                    admin_error!("You must change origin or domain name to be consistent. ed: {:?} - rp_id: {:?}", origin, rp_id);
+                    admin_error!("To change the origin or domain name see: https://kanidm.github.io/kanidm/server_configuration.html");
                     Err(OperationError::InvalidState)
                 }
             })?;