* Add a new ACP and group allowing self-service mail updates
This adds a new "idm_people_self_write_mail_priv" group which follows
the existing canned group+acp format closely.
This also adds a test for the functionality
See the discussion in #648 for a bit more background
* Limit the self-write ACP to targets with the "account" class
Per feedback on #672, it's better to limit these APIs specifically to
accounts.
* Fix up
Co-authored-by: Firstyear <william.brown@suse.com>
* Add 'account person set' command
This command allows a user to modify, say, their legal name in a
self-service fashion.
This wasn't possible before by default since the 'extend' operation
required additional ACPs in order to operate which not every user would
have.
The new "person set" api is compatible with the default self_write ACP,
and so allows self-service modification.
* Add a short section on people attributes to the book
Fixes#180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit.
Fixes#369 due to the changes to call_daemon_blocking
Fixes#362 moves vacuum to a dedicated task. This is needed as previous vacuuming on startup on large databases could cause the server to fail to start. By making this a task it avoids this error case, and makes the vacuum more predictable, and only run when required.
Fixes#356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. it also simplifies integration to lets encrypt which provides a chain and key file by default.
Previously we would only cache "hits" - items that kanidm is aware
of and did know about. However, this mean querying a raw uid/gid
number that was not known to files or kanidm would result in kanidm
doing an online check each request.
This adds a NXcache to cache misses, so they can be served as misses,
faster, and to reduce load on the main kanidm servers.
Fixes#336
Fixes#13 and Fixes#135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
Fixes#327 - In container run times, the default is to run as root. This may be user with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.
This provides bruteforce protection and ratelimiting to stop
classes of attacks. This impacts all areas where a password or
authentication is performed (unix, ldap, auth).
