* change capitalization on section headings, and some terminology, small wording tweaks
* more small corrections, line breaks, capitalization, small wording changes
* minor corrections, punctuation, wording
* NAS = Network Access Server
* windows build automation
* making fmt happy, fixing windows-related bug
* disabled cargo_incremental when using `sccache`, added build options ARG to Dockerfile, limit docker build to one job
- Fix volume mount name typo in the server configuration and
administrivia documentation pages
- Fix typo in link from PAM and nsswitch documentation
Signed-off-by: Kellin <kellin@retromud.org>
* Add a new ACP and group allowing self-service mail updates
This adds a new "idm_people_self_write_mail_priv" group which follows
the existing canned group+acp format closely.
This also adds a test for the functionality
See the discussion in #648 for a bit more background
* Limit the self-write ACP to targets with the "account" class
Per feedback on #672, it's better to limit these APIs specifically to
accounts.
* Fix up
Co-authored-by: Firstyear <william.brown@suse.com>
* Add 'account person set' command
This command allows a user to modify, say, their legal name in a
self-service fashion.
This wasn't possible before by default since the 'extend' operation
required additional ACPs in order to operate which not every user would
have.
The new "person set" api is compatible with the default self_write ACP,
and so allows self-service modification.
* Add a short section on people attributes to the book
Fixes#180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit.
Fixes#369 due to the changes to call_daemon_blocking
Fixes#362 moves vacuum to a dedicated task. This is needed as previous vacuuming on startup on large databases could cause the server to fail to start. By making this a task it avoids this error case, and makes the vacuum more predictable, and only run when required.
Fixes#356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. it also simplifies integration to lets encrypt which provides a chain and key file by default.
Previously we would only cache "hits" - items that kanidm is aware
of and did know about. However, this mean querying a raw uid/gid
number that was not known to files or kanidm would result in kanidm
doing an online check each request.
This adds a NXcache to cache misses, so they can be served as misses,
faster, and to reduce load on the main kanidm servers.
Fixes#336
Fixes#13 and Fixes#135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
Fixes#327 - In container run times, the default is to run as root. This may be user with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.
This provides bruteforce protection and ratelimiting to stop
classes of attacks. This impacts all areas where a password or
authentication is performed (unix, ldap, auth).
Fixes#250, replacing cookies with auth-bearer tokens. This is done using fernet with randomised keys each startup. The reason for this is that in the future the size of the auth token may exceed cookie limits, so we must be able to understand and process auth bearer. Additionaly, this lets us store the tokens for say the kanidm cli as reqwest today can't persist a cookie jar.
This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
Fixes#195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
Add default entries test to apply behaviours according to
`designs/default_idm_layout.rst`.
Add expected behaviours for:
- Users
- Account managers
- Group managers
- Admins
- People Managers
- Anonymous clients
- Radius servers
Also, refactor `kanidmd_client` tests to separate into different files
and fix some documentation typos
Resolves: #108
Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
Implements #137 and parts of #132. This adds full support for CID's to the server, and some parts for recyclebin to work such as internal lessthan queries.
Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries..
