Improve book and errors related to domain name and origin mismatch (#617)

This commit is contained in:
Firstyear 2021-11-25 08:37:50 +10:00 committed by GitHub
parent 492cb653e8
commit fad0dd86e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 6 deletions

@ -1,5 +1,7 @@
## Configuring the Server
### Configuring server.toml
You will also need a config file in the volume named `server.toml` (Within the container it should be `/data/server.toml`). Its contents should be as follows:
# The webserver bind address. Will use HTTPS if tls_* is provided.
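Review bot: the new `### Configuring server.toml` sub-heading leaves the opening sentence "You will also need a config file in the volume..." dangling, since "also" no longer follows any earlier step in this section. Suggest dropping "also" or naming the step it builds on (creating the `kanidmd` volume), e.g. "With the volume created, add a config file to it named `server.toml` (inside the container this is `/data/server.toml`)."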
@ -36,7 +38,8 @@ You will also need a config file in the volume named `server.toml` (Within the c
# log_level = "default"
#
# The origin for webauthn. This is the url to the server, with the port included if
# it is non-standard (any port except 443)
# it is non-standard (any port except 443). This must match or be a descendent of the
# domain name you configure with `kanidmd domain_name_change`
# origin = "https://idm.example.com"
origin = "https://idm.example.com:8443"
#
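Review bot: "descendent" in the new comment line should be "descendant"; the same misspelling is reused in the error strings in the `IdmServer` hunk of this patch, so it is worth fixing both in one pass. Separately, "This must match or be a descendent of the domain name" reads as if the whole `origin` URL is compared against the domain name, while the example pairs a full URL with a port (`https://idm.example.com:8443`) with a bare hostname (`idm.example.com`). Suggest saying explicitly that it is the host part of the origin (the effective domain) that must equal, or be a subdomain of, the domain name, so readers do not expect the port or scheme to matter for this check.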
@ -68,16 +71,26 @@ You will also need a config file in the volume named `server.toml` (Within the c
An example is located in [examples/server.toml](../../examples/server.toml).
Then you can setup the initial admin account and initialise the database into your volume.
### Domain Name
docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
You then want to set your domain name so that security principal names (spn's) are generated correctly.
You then *MUST* set your domain name so that security principal names (spn's) are generated correctly.
This domain name _must_ match the url/origin of the server that you plan to use to interact with
so that other features work correctly. It is possible to change this domain name later.
docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd domain_name_change -c /data/server.toml -n idm.example.com
> **WARNING** You MUST set the domain name correctly, aligned with your origin, else the server
> may refuse to start, or some features may not work correctly!
### Default Admin Account
Then you can setup the initial admin account and initialise the database into your volume.
docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
### Run the Server
Now we can run the server so that it can accept connections. This defaults to using `-c /data/server.toml`
docker run -p 8443:8443 -v kanidmd:/data kanidm/server:latest
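Review bot: the reordered `### Domain Name` section states the constraint ("This domain name _must_ match the url/origin of the server") but never shows the two values side by side, even though the `domain_name_change` example uses `idm.example.com` and the `server.toml` origin earlier in this patch uses `https://idm.example.com:8443`. Suggest one sentence under the command tying them together, e.g. "With `origin = "https://idm.example.com:8443"` in `server.toml`, the domain name is `idm.example.com`.", so the reader can check the pairing directly. Minor wording: "setup the initial admin account" should be "set up" (verb), "(spn's)" should be "(SPNs)", and "match the url/origin of the server that you plan to use to interact with so that other features work correctly" would read more cleanly as "match the origin (URL) you will use to reach the server, otherwise other features will not work correctly". The new WARNING says the server "may refuse to start"; since this patch returns `OperationError::InvalidState` on mismatch, "will refuse to start" is the accurate statement.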

@ -187,7 +187,9 @@ impl IdmServer {
if valid {
Ok(url)
} else {
admin_error!("Effective domain is not a descendent of server domain name (rp_id). You must change origin or domain name to be consistent. ed: {:?} - rp_id: {:?}", origin, rp_id);
admin_error!("Effective domain is not a descendent of server domain name (rp_id).");
admin_error!("You must change origin or domain name to be consistent. ed: {:?} - rp_id: {:?}", origin, rp_id);
admin_error!("To change the origin or domain name see: https://kanidm.github.io/kanidm/server_configuration.html");
Err(OperationError::InvalidState)
}
})?;
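Review bot: the third `admin_error!` hard-codes `https://kanidm.github.io/kanidm/server_configuration.html`, but the fix the operator needs is in the new `### Domain Name` / `### Configuring server.toml` sections added by this same patch; suggest linking to that anchor, or keeping the docs URL in a single constant so it is not duplicated and can be updated in one place when the book moves. "descendent" in the first message should be "descendant". Also, formatting `origin` and `rp_id` with `{:?}` will print them quoted and escaped; `{}` gives the operator the exact values to paste into `server.toml` and `domain_name_change`, which is what the message is asking them to do.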