* More "choosing a domain" revision:
* Link to the domain rename process
* Add some hyphens to make things easier to read
* Move the OAuth 2.0 domain sharing guidance into the origin section
* Add DNS -> IP as a potential issue
* Discourage requesting public suffix list inclusion as a workaround
* Add "own hostname" section
* Bump mermaid to 11.3.0
* Mermaid theme changes based on mdbook theme
* Replace old use cases diagram with mermaid one
* Change out ASCII git art with mermaid git graph
* Remove old theme.css file from book
Anyone that had the alpha version of the kanidm_ppa repo in use
will need to follow the guidance under "Installing stable on top of nightly"
to migrate.
* feat: Rebuild the deb packaging flow
fix: Add more sudo, GHA likes sudo
fix: Give build_debs.sh only the triplet argument
fix: Work around more GHA weirdness in apt sources
Drop crossbuild as it was only used by debian packaging
docs: Update book and other docs for packaging flow
feat: package kanidm_tools aka kanidm cli
docs: Update packaging docs for latest process and clarity
fix: use full triple in sdynlib variants
fix: Correct kanidm.pam asset placement
fix: Give pam & nss modules a description so the debs get it
fix: Work around wonky libssl3 naming in Ubuntu 24.04
fix: Place kanidm bin correctly :3
feat: Pin all blame on @yaleman :3
WIP: Swap out the submodule reference. Still not the final one though.
refactor: Switch kanidm-pam & kanidm-nss to mandatory deps
While in theory unixd will start and run without them, it also won't do
anything useful.
fix: explicit depends for nss & pam libs without versions
We build the debs on the ubuntu24.04 GHA runner so automatic pins
versions that are too new for 22.04. Ideally we'd run cargo-deb also on
the target images but that'll have to be a future improvement.
* refactor: Switch nss_kanidm & pam_kanidm package naming closer to debian guidance
* feat: Attempt enabling unixd by default with secure defaults
* fix: Relax config permissions so the kanidm user can read
Also, update postinst config instructions
Allow caching and checking of shadow entries (passwords)
Cache and serve system id's
improve some security warnings
prepare for multi-resolver
Allow the kanidm provider to be not configured
Allow group extension
Add the server side components for application passwords. This adds the needed datatypes and handling via the ldap components.
Admin tools will be in a follow up PR.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Co-authored-by: Samuel Cabrero <scabrero@suse.de>
This starts the support for multi-resolver operation as well as a system level nss resolver.
In future we'll add the remaining support to auth system users with pam too.
The option use_authok for pam_unix requires a password on the stack, for example from a previous module such as pam_cracklib.
If that is not the case, pam_unix fails, leading to this error:
~ # passwd
passwd: Authentication token manipulation error
passwd: password unchanged
Signed-off-by: Tiziano Müller <tiziano.mueller@hpe.com>
* fix typos and misspellings
* use proper capitalization
* Apply suggestions from code review
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
