mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
kanidm/GETTING_STARTED.md
Firstyear 6c44297bd9
6 create modify tool (#113) 
Implements #6 - create, modify and delete. These are the raw/lowlevel db commands which are really useful for administrators. They aren't intended for normal day to day use though.

This also adds a basic getting started, fixes a missing privilege, adds support for reseting another accounts password, and for server side password generation.

It's likely I'm going to reformat some of the current REST api though to use our higher level internal types.
2019-10-07 08:41:30 +10:00

2.4 KiB
Raw Blame History

Getting Started

WARNING: This document is still in progress, and due to the high rate of change in the cli tooling, may be OUT OF DATE or otherwise incorrect. If you have questions, please get in contact!

Create the service account

cargo run -- raw create -H https://localhost:8080 -C ../insecure/ca.pem -D admin example.create.account.json

Give it permissions

cargo run -- raw modify -H https://localhost:8080 -C ../insecure/ca.pem -D admin '{"Or": [ {"Eq": ["name", "idm_person_account_create_priv"]}, {"Eq": ["name", "idm_service_account_create_priv"]}, {"Eq": ["name", "idm_account_write_priv"]}, {"Eq": ["name", "idm_group_write_priv"]}, {"Eq": ["name", "idm_people_write_priv"]}, {"Eq": ["name", "idm_group_create_priv"]} ]}' example.modify.idm_admin.json

Show the account details now:

cargo run -- raw search -H https://localhost:8080 -C ../insecure/ca.pem -D admin '{"Eq": ["name", "idm_admin"]}'
> Entry { attrs: {"class": ["account", "memberof", "object"], "displayname": ["IDM Admin"], "memberof": ["idm_people_read_priv", "idm_people_write_priv", "idm_group_write_priv", "idm_account_read_priv", "idm_account_write_priv", "idm_service_account_create_priv", "idm_person_account_create_priv", "idm_high_privilege"], "name": ["idm_admin"], "uuid": ["bb852c38-8920-4932-a551-678253cae6ff"]} }

Set the password

cargo run -- account credential set_password -H https://localhost:8080 -C ../insecure/ca.pem -D admin idm_admin

Or even better:

cargo run -- account credential generate_password -H https://localhost:8080 -C ../insecure/ca.pem -D admin idm_admin

Show it works:

cargo run -- self whoami -H 'https://localhost:8080' -C ../insecure/ca.pem -D idm_admin

Now our service account can create and administer accounts and groups:

cargo run -- raw create  -H https://localhost:8080 -C ../insecure/ca.pem -D idm_admin example.create.group.json

And of course, as the idm_admin, we can't write back to admin:

cargo run -- account credential generate_password -H https://localhost:8080 -C ../insecure/ca.pem -D idm_admin admin

Nor can we escalate privs (we are not allow to modify HP groups):

cargo run -- raw modify -H https://localhost:8080 -C ../insecure/ca.pem -D idm_admin '{"Eq": ["name", "idm_admins"]}' example.modify.idm_admin.json

So we have a secure way to manage the identities in the directory, without giving full control to any one account!