Commit graph

157 commits

Author SHA1 Message Date
Jinna Kiisuo 99a799d72a
docs: Update kanidm_ppa instructions for new repo logic (#3117)
Anyone that had the alpha version of the kanidm_ppa repo in use
will need to follow the guidance under "Installing stable on top of nightly"
to migrate.
2024-10-18 01:17:21 +00:00
Firstyear 2075125439
Working scim entry get for person (#3088) 2024-10-15 04:29:45 +00:00
Jinna Kiisuo 03645c8bf2
Improve deb packaging, add aarch64 (#3083)
* feat: Rebuild the deb packaging flow
fix: Add more sudo, GHA likes sudo
fix: Give build_debs.sh only the triplet argument
fix: Work around more GHA weirdness in apt sources
Drop crossbuild as it was only used by debian packaging
docs: Update book and other docs for packaging flow
feat: package kanidm_tools aka kanidm cli
docs: Update packaging docs for latest process and clarity
fix: use full triple in sdynlib variants
fix: Correct kanidm.pam asset placement
fix: Give pam & nss modules a description so the debs get it
fix: Work around wonky libssl3 naming in Ubuntu 24.04
fix: Place kanidm bin correctly :3
feat: Pin all blame on @yaleman :3
WIP: Swap out the submodule reference. Still not the final one though.
refactor: Switch kanidm-pam & kanidm-nss to mandatory deps
While in theory unixd will start and run without them, it also won't do
anything useful.
fix: explicit depends for nss & pam libs without versions
We build the debs on the ubuntu24.04 GHA runner so automatic pins
versions that are too new for 22.04. Ideally we'd run cargo-deb also on
the target images but that'll have to be a future improvement.
* refactor: Switch nss_kanidm & pam_kanidm package naming closer to debian guidance
* feat: Attempt enabling unixd by default with secure defaults
* fix: Relax config permissions so the kanidm user can read
Also, update postinst config instructions
2024-10-15 02:27:48 +00:00
micolous 00ab55f2d6
Fix landing and redirect URLs for GitLab, add some useful links (#3055) 2024-10-03 05:12:40 +00:00
micolous c904af2966
Add example Outline config (#3076) 2024-10-03 04:31:17 +00:00
micolous 30a04f9b8b
Add instructions for unlinking Homebrew Rust on macOS (#3085) 2024-10-03 13:28:31 +10:00
Firstyear cf63c6b98b
Complete the implementation of the posix account cache (#3041)
Allow caching and checking of shadow entries (passwords)
    Cache and serve system id's
    improve some security warnings
    prepare for multi-resolver
    Allow the kanidm provider to be not configured
    Allow group extension
2024-10-02 02:12:13 +00:00
micolous 983135e353
reformat oauth2 URL list, highlight legacy bits (#3062)
Co-authored-by: Firstyear <william@blackhats.net.au>
2024-09-26 03:34:07 +00:00
micolous 400dfc7e5c
Add ownCloud example config (#3059) 2024-09-26 12:53:51 +10:00
micolous ace7d2781b
Add example config for JetBrains Hub / YouTrack (#3058) 2024-09-25 13:04:41 +10:00
micolous 42304f8d3d
Document basic authenticating GitLab to Kanidm (#3050) 2024-09-21 09:50:33 +10:00
James Hodgkinson e5de6a28ab
fix(doc): updating docker container ref (#3049) 2024-09-19 10:56:58 +10:00
James Hodgkinson 5b699c242b
fix(docs): make it clearer that bearer auth is a thing (#3031) 2024-09-14 20:59:11 +10:00
Firstyear c8b9ff3274
Spattering of oauth2 stuff (#3000)
* fix(oauth2): refresh scope constraints
2024-08-24 14:02:16 +10:00
Firstyear a78692e9d1
Doc multi instance (#2997)
* fix(docs): document the "instance" settings and flag for the CLI

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-08-23 17:53:10 +10:00
James Hodgkinson 7c3deab2c4
enforcen den clippen (#2990)
* enforcen den clippen
* updating outdated oauth2-related docs
* sorry clippy, we tried
2024-08-21 00:32:56 +00:00
Firstyear fbfea05c6c
20240817 group mail acp (#2982) 2024-08-21 09:59:50 +10:00
Firstyear 239f4594dd
20240810 application passwords (#2968)
Add the server side components for application passwords. This adds the needed datatypes and handling via the ldap components.

Admin tools will be in a follow up PR. 

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Co-authored-by: Samuel Cabrero <scabrero@suse.de>
2024-08-20 06:44:37 +00:00
Firstyear 0976e7d965
Doc format, add api-token section (#2975)
* Doc format, add api-token section
2024-08-17 11:38:52 +00:00
Firstyear b1099dfa3b
Foundations of pam/nss multi resolver
This starts the support for multi-resolver operation as well as a system level nss resolver.

In future we'll add the remaining support to auth system users with pam too.
2024-08-15 23:54:35 +00:00
James Hodgkinson 4feec82482
TLS, no seriously. (#2963) 2024-08-15 01:20:08 +00:00
Tiziano Müller 50da3ff9ae
Update suse.md to avoid Authentication token manipulation error (#2973)
The option use_authok for pam_unix requires a password on the stack, for example from a previous module such as pam_cracklib.
If that is not the case, pam_unix fails, leading to this error:

    ~ # passwd
    passwd: Authentication token manipulation error
    passwd: password unchanged

Signed-off-by: Tiziano Müller <tiziano.mueller@hpe.com>
2024-08-15 00:29:40 +00:00
fossdd 7ec36e5c6f
Add Alpine Linux installation instructions (#2871) 2024-08-13 02:32:51 +00:00
Merlijn f1dfbcc253
[HTMX] User settings (#2929)
* Initial structure of user settings in htmx
2024-08-12 17:20:50 +10:00
James Hodgkinson 3cbda02aa8
Docs updates (#2961) 2024-08-10 09:30:51 +00:00
James Hodgkinson d512954fe6
Docker-and-docs-fixes (#2954)
* removing VOLUME entry from server container

* link fixing

* link fixing in docs
2024-08-05 00:27:45 +00:00
Firstyear a365312076
Release 1.3.0 (#2941) 2024-07-31 03:13:00 +00:00
James Hodgkinson 2a5e8113e6
docs reordering and cleanup (#2932)
Co-authored-by: Firstyear <william@blackhats.net.au>
2024-07-26 16:42:46 +10:00
James Hodgkinson 38b0a6f8af
Ubuntu/Debian buildy scripty tweaky things (#2928)
* updating container builder
* tweaking dependency script
* closes #2749 - updates the book for install
2024-07-25 01:10:55 +00:00
James Hodgkinson e1a1bff94d
Docs rework (#2919)
* more markdowny linty things
* Fixes #2572 by replacing mdbook-template with github-flavoured and more markdowny alerts
2024-07-23 02:21:56 +00:00
Firstyear c7fcdc3e4e
Strict redirect URL enforcement (#2917)
Add strict OAuth2 URL enforcement per the RFC. This includes a transition process for the next release so that Admins can come into compliance.
2024-07-20 02:09:50 +00:00
Alin Trăistaru 562f352516
fix typos (#2908)
* fix typos and misspellings
* use proper capitalization
* Apply suggestions from code review
---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-07-18 03:22:20 +00:00
Martin Weinelt 90002f5db7
Add missing groups scope to Grafana example scope-map (#2914) 2024-07-18 00:11:24 +00:00
Alin Trăistaru eb2b578c55
build profiles: rename release_suse_generic to release_linux (#2907)
Co-authored-by: Firstyear <william@blackhats.net.au>
2024-07-17 04:11:11 +00:00
Firstyear f9a77ee1f3
2818 2511 oauth2 urls (#2867)
* Allow multiple origins
* Docs
* Capitalization 'n stuff

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-07-05 23:17:26 +00:00
alexvonme 7c27b40018
Vale Edits 0.1 (#2869)
* Grammar/spell-checking using SUSE Vale ruleset
2024-07-04 23:10:28 +00:00
Firstyear 6c8d065e83 Update sssd.md
Copy paste fail - ignore_group_members should be true to prevent recursion.
2024-06-26 18:54:00 -07:00
boogiewoogie 1416a5c92f
Remove small ambiguity in docs (#2823)
Nonexistent `idm_people_self_write_mail_priv` is used in the example instead of the correct `idm_people_self_write_mail`.
2024-06-07 07:51:12 +10:00
Tobias Krischer 814380a7f4
feat: add support for ldap compare request (#2780) 2024-05-25 08:28:52 +10:00
Firstyear 3723abb25d
Allow name write privileges to be withheld (#2773) 2024-05-23 15:58:49 +10:00
Firstyear c1235a7186
Check for same version with backup/restore (#2789) 2024-05-23 01:48:37 +00:00
Firstyear 39ac38e266
Update our domain TGT level (#2776) 2024-05-17 16:06:14 +10:00
Firstyear 03f9943d41
Update design for KRC (#2713) 2024-05-15 01:05:11 +00:00
James Hodgkinson 7964f55d59
strip out some debug messages unless *really* debugging. (#2767)
* kanidm cli logs on debug level - Fixes #2745
* such clippy like wow
* It's important for a wordsmith to know when to get its fixes in.
* updootin' wasms
2024-05-14 14:56:55 +10:00
Felix Niederwanger dcb70c0cc2
Use fully qualified container URLS (#2754)
Use fully qualified container URLS instead of abbrevations to make the
quickstart guide better approachable for non-docker container engines,
which might not default to using docker.io.

Signed-off-by: phoenix <felix.niederwanger@suse.com>
2024-05-08 08:50:33 +00:00
Firstyear acc800f00e
Resolve OAuth2 client/rs confusion (#2719)
* Resolve OAuth2 client/rs confusion

* feedback
2024-04-24 15:34:50 +10:00
Firstyear 3707124218
Improve access control doc to describe privilege access mode (#2721)
* Improve access control doc to describe privilege access mode

* Update book/src/access_control/intro.md

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-04-24 04:29:58 +00:00
Firstyear d7834b52e6
Begin the basis of the key provider model (#2640)
This completely reworks how we approach and handle cryptographic keys in Kanidm. This is needed as a foundation for replication coordination which will require handling and rotation of cryptographic keys in automated ways. 

This change influences many other parts of the code base in it's implementation.

The primary influences are:

* Modification of how domain user signing keys are revoked or rotated.
* Merging of all existing service-account token keys are retired (retained) keys into the domain to simplify token signing and validation
* Allowing multiple configurations of local command line tools to swap between instances using disparate signing keys.
* Modification of key retrieval to be key id based (KID), removing the need to embed the JWK into tokens

A side effect of this change is that most user authentication sessions and oauth2 sessions will have to be re-established after upgrade. However we feel that session renewal after upgrade is an expected side effect of an upgrade. 

In the future this lays the ground work to remove a large number of legacy key handling processes that have evolved, which will allow large parts of code to be removed.
2024-04-15 23:44:37 +00:00
Pavel Dostál 03ce2a0c32
Add Grafana integration to OAuth2 documentation (#2685)
Signed-off-by: Pavel Dostál <pdostal@pdostal.cz>
2024-03-26 09:43:43 +00:00
alexvonme cc36fe7228
fix(docs): packaging section improved (#2677)
* fix(docs): packaging section improved
* Update ppa_packages.md
2024-03-23 22:54:52 +00:00