* Resolve kanidm-unix auth-test bug
When reworking the unix daemon, we missed changing the auth-test
tool to handle the new challenge-response flow correctly which
would cause the session to disconnect.
* Cleanup
While testing for everything open I noticed two possible
issues. This PR fixes both.
The first is a possible recursion in the resolver. I think
I need to fix up it's transactions a bit in another PR.
The second was that the submit button on the reset form
doesn't work. This fixes that as well as post reset redirecting
to the correct location.
Some areas of the code were emitting 0 uuids, rather than associating
a client/connection uuid. This improves the startup and client handling
code so that we have stable uuids present during operation.
This can have visible impacts on accounts that don't have a pam password
cached yet, but then appear to "stall" for a minute or two until it works
due to the fact that the provider was offline and waiting to reauth.
When we are still connected but our provider auth session has expired
we should reconnect faster. This reduces the timeout for reauthentication
for the provider so that it can return to the online state sooner. We
also loop when we detect the provider session is no longer authenticated
so that we can reauth immediately, rather than causing a noticable
interuption.
* kanidm-unixd default config via PPA problem with version 2 on debian bookworm
Fixes#3312
* fix(coverage): moving to using cargo-tarpaulin
* kanidm-unixd default config via PPA problem with version 2 on debian bookworm
Fixes#3312
Our unix resolver would attempt the right thing to synthesise
user private groups on linux as these are an important security
boundary. However, it turns out that almost every distro has
botched their default system user accounts, and many are
installed with numeric-only UPGs that don't resolve. In the
case that later the user does attempt to fix that, because we
synthesised as UPG for the system account, the user trying to
add the UPG would now fail. In some cases this could cause
system updates to be prevented from installing.
This change limits UPG synth to user accounts only (uid > 1000)
which is the common uid boundary on unix-like platforms.
Options like map_group would fail silently when version=2 wasn't
set in our unix config. this detects that case and warns that it
is occuring.
To prevent this in the future, we deny unknown keys in v2 so that
if (when?) we add v3, new keys will cause an error.
In some cases if the transport drops out from underneath unixd,
it can be difficult to diagnose and leads to inconsistent errors
and output such as prompting for a password multiple times when
it can't succeed.
This makes it clearer that the transport had an error, and it
denies the inflight authsession to prevent spurious password
prompts.
Allow caching and checking of shadow entries (passwords)
Cache and serve system id's
improve some security warnings
prepare for multi-resolver
Allow the kanidm provider to be not configured
Allow group extension
This starts the support for multi-resolver operation as well as a system level nss resolver.
In future we'll add the remaining support to auth system users with pam too.
