d8f195915d
* Instead of wasm_bindgen creating a JS snippet to externalize code, we're now loading pure-JS util functions from wasmloader.js (#[wasm_bindgen(raw_module = "/pkg/wasmloader.js")]) * Sign out is now a confirmation box instead of "oh no I have to log back in because I'm clumsy and clicked a thing" * Now using the urlencoding crate for encoding the TOTP URLs because string replacing encoded characters felt like writing our own crypto (and now you can call yourself whatever arbitrary string you want) * This fixed an issue in the web UI where the "Add a TOTP" interface would show URL-encoded things, but also made things easier for consistency. * Moved the other web middleware objects into the middleware module because the main module was getting a bit unwieldy. * Started auto-generating the integrity hashes in a different way on start up, which removes a middleware doing random string replacements to inject them, and means we can update modules without having to manually update the string values in the HTML. |
||
|---|---|---|
| .. | ||
| pkg | ||
| src | ||
| build_wasm.sh | ||
| build_wasm_dev.sh | ||
| build_wasm_release.sh | ||
| Cargo.toml | ||
| LICENSE.md | ||
| README.md | ||
Kanidm
Kanidm is an identity management platform written in rust. Our goals are:
- Modern identity management platform
- Simple to deploy and integrate with
- Extensible for various needs
- Correct and secure behaviour by default
Today the project is still under heavy development to achieve these goals - We have many foundational parts in place, and many of the required security features, but it is still an Alpha, and should be treated as such.
Documentation / Getting Started / Install
If you want to deploy Kanidm to see what it can do, you should read the kanidm book.
We also publish limited support guidelines.
Code of Conduct / Ethics
See our code of conduct
See our documentation on rights and ethics
Getting in Contact / Questions
We have a gitter community channel where we can talk. Firstyear is also happy to answer questions via email, which can be found on their github profile.
Developer Getting Started
If you want to develop on the server, there is a getting started guide for developers. IDM is a diverse topic and we encourage contributions of many kinds in the project, from people of all backgrounds.
Features
Implemented
- SSH key distribution for servers
- PAM/nsswitch clients (with limited offline auth)
- MFA - TOTP
- Highly concurrent design (MVCC, COW)
- RADIUS integration
- MFA - Webauthn
Currently Working On
- CLI for administration
- WebUI for self-service with wifi enrollment, claim management and more.
- RBAC/Claims/Policy (limited by time and credential scope)
- OIDC/Oauth
Upcoming Focus Areas
- Replication (async multiple active write servers, read-only servers)
Future
- SSH CA management
- Sudo rule distribution via nsswitch
- WebUI for administration
- Account impersonation
- Synchronisation to other IDM services
Some key project ideas
- All people should be respected and able to be represented securely.
- Devices represent users and their identities - they are part of the authentication.
- Human error occurs - we should be designed to minimise human mistakes and empower people.
- The system should be easy to understand and reason about for users and admins.
Features We Want to Avoid
- Auditing: This is better solved by SIEM software, so we should generate data they can consume.
- Fully synchronous behaviour: This prevents scaling and our future ability to expand.
- Generic database: We don't want to be another NoSQL database, we want to be an IDM solution.
- Being like LDAP/GSSAPI/Kerberos: These are all legacy protocols that are hard to use and confine our thinking - we should avoid "being like them" or using them as models.
What does Kanidm mean?
The original project name was rsidm while it was a thought experiment. Now that it's growing and developing, we gave it a better project name. Kani is Japanese for "crab". Rust's mascot is a crab. IDM is the common industry term for identity management services.