Allow caching and checking of shadow entries (passwords)
Cache and serve system id's
improve some security warnings
prepare for multi-resolver
Allow the kanidm provider to be not configured
Allow group extension
This starts the support for multi-resolver operation as well as a system level nss resolver.
In future we'll add the remaining support to auth system users with pam too.
* disable mimalloc on illumos, in part because it immediately segfaults,
but also because we prefer libumem and link it into all Rust binaries
* switch from fs2 (unmaintained crate) to fs4 which provides the same
interface and has wider platform support
While basking under the shade of the coolabah tree, I was overcome by an intense desire to improve the performance and memory usage of Kanidm.
This pr reduces a major source of repeated small clones, lowers default log level in testing, removes some trace fields that are both large and probably shouldn't be traced, and also changes some lto settings for release builds.
* kanidm cli logs on debug level - Fixes#2745
* such clippy like wow
* It's important for a wordsmith to know when to get its fixes in.
* updootin' wasms
* Add keystore to unix_user_online_auth_init
Himmelblau needs this to check whether the device
is enrolled in the domain (via the presence of
TPM keys), to know whether to attempt Windows
Hello PIN auth, or to enroll first in the domain.
Signed-off-by: David Mulder <dmulder@samba.org>
* Implement PIN setup
After enrolling in a domain, Himmelblau will
prompt the user to choose a pin, which will be
the auth value for an associated Windows Hello
TPM key. We loop here until the values match.
Otherwise no validation is performed. Validation
can be done by the id provider, and can send an
additional request to PAM if the PIN is invalid.
Signed-off-by: David Mulder <dmulder@samba.org>
* Add Pin authentication
After setting up a Windows Hello pin, users can
authentication using this pin.
Signed-off-by: David Mulder <dmulder@samba.org>
Improve the support for the resolver to support MFA options with pam. This enables async task spawning and cancelation via the resolver backend as well.
Co-authored-by: David Mulder <dmulder@samba.org>
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
I need access to the machine key here in order to
send a new request to Azure for user details.
Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: Firstyear <william@blackhats.net.au>
* betterer errors on things
* Adding tpm-udev as a dependency of kanidm-unixd
* fixing makefile arch error
* adding jq to deb build deps
* adding kanidm deb to autobuild
* making the debian build script more resilient
Himmelblau requires access to the keystore at
auth time in order to store the id key modified
during a device join.
Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: Firstyear <william@blackhats.net.au>
