Fixes #362 moves vacuum to a dedicated task. This is needed as previous vacuuming on startup on large databases could cause the server to fail to start. By making this a task it avoids this error case, and makes the vacuum more predictable, and only run when required.
Fixes #357 - this allows the password MFA handler to correctly handle a mixed totp or webauthn credential with passwords. This is likely the "majority" of accounts we will see on the service.
Fixes #356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. It also simplifies integration to Let's Encrypt which provides a chain and key file by default.
Fixes #306 adding command line autocompletion. These are generated to: CARGO_TARGET_DIR/item-hash/out/. These will need to be packaged for distros later, it's unclear how we could use cargo install with these as cargo doesn't support arbitrary artefacts like this (yet?).
Fixes #202 - This adds support for enrolling and removing totp on the cli, as well as a rebuilt workflow for login to allow dynamic prompting of what credentials are required.
Fixes #320, remove double verification of filters. In addition this replaces attr strings with smartstring to allow better inlining due to their static and compact nature.
Previously we would only cache "hits" - items that kanidm is aware
of and did know about. However, this meant querying a raw uid/gid
number that was not known to files or kanidm would result in kanidm
doing an online check each request.
This adds a NXcache to cache misses, so they can be served as misses,
faster, and to reduce load on the main kanidm servers.
Fixes #336
This is a rewrite of the "on the wire" json for auth. This is a breaking change required to allow webauthn to work given limitations within Webauthn as a standard and how mixed credentials are challenged for.
Fixes #13 and Fixes #135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
Fixes #327 - In container run times, the default is to run as root. This may be used with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.
This provides brute-force protection and rate limiting to stop
classes of attacks. This impacts all areas where a password or
authentication is performed (unix, ldap, auth).