mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-24 13:07:00 +01:00
328 lines
22 KiB
HTML
328 lines
22 KiB
HTML
<!DOCTYPE HTML>
|
|
<html lang="en" class="sidebar-visible no-js light">
|
|
<head>
|
|
<!-- Book generated using mdBook -->
|
|
<meta charset="UTF-8">
|
|
<title>Administrative Tasks - Kanidm Administration</title>
|
|
<!-- Custom HTML head -->
|
|
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
|
|
<meta name="description" content="">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<meta name="theme-color" content="#ffffff" />
|
|
|
|
<link rel="shortcut icon" href="favicon.png">
|
|
<link rel="stylesheet" href="css/variables.css">
|
|
<link rel="stylesheet" href="css/general.css">
|
|
<link rel="stylesheet" href="css/chrome.css">
|
|
<link rel="stylesheet" href="css/print.css" media="print">
|
|
<!-- Fonts -->
|
|
<link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
|
|
<link rel="stylesheet" href="fonts/fonts.css">
|
|
<!-- Highlight.js Stylesheets -->
|
|
<link rel="stylesheet" href="highlight.css">
|
|
<link rel="stylesheet" href="tomorrow-night.css">
|
|
<link rel="stylesheet" href="ayu-highlight.css">
|
|
|
|
<!-- Custom theme stylesheets -->
|
|
</head>
|
|
<body>
|
|
<!-- Provide site root to javascript -->
|
|
<script type="text/javascript">
|
|
var path_to_root = "";
|
|
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
|
|
</script>
|
|
|
|
<!-- Work around some values being stored in localStorage wrapped in quotes -->
|
|
<script type="text/javascript">
|
|
try {
|
|
var theme = localStorage.getItem('mdbook-theme');
|
|
var sidebar = localStorage.getItem('mdbook-sidebar');
|
|
|
|
if (theme.startsWith('"') && theme.endsWith('"')) {
|
|
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
|
|
}
|
|
|
|
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
|
|
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
|
|
}
|
|
} catch (e) { }
|
|
</script>
|
|
|
|
<!-- Set the theme before any content is loaded, prevents flash -->
|
|
<script type="text/javascript">
|
|
var theme;
|
|
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
|
|
if (theme === null || theme === undefined) { theme = default_theme; }
|
|
var html = document.querySelector('html');
|
|
html.classList.remove('no-js')
|
|
html.classList.remove('light')
|
|
html.classList.add(theme);
|
|
html.classList.add('js');
|
|
</script>
|
|
|
|
<!-- Hide / unhide sidebar before it is displayed -->
|
|
<script type="text/javascript">
|
|
var html = document.querySelector('html');
|
|
var sidebar = 'hidden';
|
|
if (document.body.clientWidth >= 1080) {
|
|
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
|
|
sidebar = sidebar || 'visible';
|
|
}
|
|
html.classList.remove('sidebar-visible');
|
|
html.classList.add("sidebar-" + sidebar);
|
|
</script>
|
|
|
|
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
|
|
<div class="sidebar-scrollbox">
|
|
<ol class="chapter"><li class="chapter-item expanded "><a href="intro.html"><strong aria-hidden="true">1.</strong> Introduction to Kanidm</a></li><li class="chapter-item expanded "><a href="installing_the_server.html"><strong aria-hidden="true">2.</strong> Installing the Server</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="server_configuration.html"><strong aria-hidden="true">2.1.</strong> Server Configuration</a></li><li class="chapter-item expanded "><a href="security_hardening.html"><strong aria-hidden="true">2.2.</strong> Security Hardening</a></li></ol></li><li class="chapter-item expanded "><a href="client_tools.html"><strong aria-hidden="true">3.</strong> Client Tools</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="installing_client_tools.html"><strong aria-hidden="true">3.1.</strong> Installing client tools</a></li></ol></li><li class="chapter-item expanded "><a href="accounts_and_groups.html"><strong aria-hidden="true">4.</strong> Accounts and Groups</a></li><li class="chapter-item expanded "><a href="administrivia.html" class="active"><strong aria-hidden="true">5.</strong> Administrative Tasks</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="monitoring.html"><strong aria-hidden="true">5.1.</strong> Monitoring the platform</a></li><li class="chapter-item expanded "><a href="password_quality.html"><strong aria-hidden="true">5.2.</strong> Password Quality and Badlisting</a></li><li class="chapter-item expanded "><a href="posix_accounts.html"><strong aria-hidden="true">5.3.</strong> POSIX Accounts and Groups</a></li><li class="chapter-item expanded "><a href="ssh_key_dist.html"><strong aria-hidden="true">5.4.</strong> SSH Key Distribution</a></li><li class="chapter-item expanded "><a href="recycle_bin.html"><strong aria-hidden="true">5.5.</strong> The Recycle Bin</a></li><li class="chapter-item expanded "><a href="why_tls.html"><strong aria-hidden="true">5.6.</strong> Why TLS?</a></li></ol></li><li class="chapter-item expanded "><li class="part-title">For Developers</li><li class="chapter-item expanded "><a href="DEVELOPER_README.html"><strong aria-hidden="true">6.</strong> Developer Guide</a></li><li class="chapter-item expanded "><div><strong aria-hidden="true">7.</strong> Design Documents</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="developers/designs/access_profiles_and_security.html"><strong aria-hidden="true">7.1.</strong> Access Profiles</a></li></ol></li><li class="chapter-item expanded "><a href="developers/python.html"><strong aria-hidden="true">8.</strong> Python Module</a></li><li class="chapter-item expanded "><a href="developers/radius.html"><strong aria-hidden="true">9.</strong> RADIUS Integration</a></li><li class="chapter-item expanded affix "><li class="part-title">Integrations</li><li class="chapter-item expanded "><a href="integrations/oauth2.html"><strong aria-hidden="true">10.</strong> Oauth2</a></li><li class="chapter-item expanded "><a href="integrations/pam_and_nsswitch.html"><strong aria-hidden="true">11.</strong> PAM and nsswitch</a></li><li class="chapter-item expanded "><a href="integrations/radius.html"><strong aria-hidden="true">12.</strong> RADIUS</a></li><li class="chapter-item expanded "><a href="integrations/ldap.html"><strong aria-hidden="true">13.</strong> LDAP</a></li><li class="chapter-item expanded affix "><li class="part-title">Integration Examples</li><li class="chapter-item expanded "><a href="examples/k8s_ingress_example.html"><strong aria-hidden="true">14.</strong> Kubernetes Ingress</a></li></ol>
|
|
</div>
|
|
<div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
|
|
</nav>
|
|
|
|
<div id="page-wrapper" class="page-wrapper">
|
|
|
|
<div class="page">
|
|
<div id="menu-bar-hover-placeholder"></div>
|
|
<div id="menu-bar" class="menu-bar sticky bordered">
|
|
<div class="left-buttons">
|
|
<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
|
|
<i class="fa fa-bars"></i>
|
|
</button>
|
|
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
|
|
<i class="fa fa-paint-brush"></i>
|
|
</button>
|
|
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
|
|
<li role="none"><button role="menuitem" class="theme" id="light">Light (default)</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
|
|
</ul>
|
|
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
|
|
<i class="fa fa-search"></i>
|
|
</button>
|
|
</div>
|
|
|
|
<h1 class="menu-title">Kanidm Administration</h1>
|
|
|
|
<div class="right-buttons">
|
|
<a href="print.html" title="Print this book" aria-label="Print this book">
|
|
<i id="print-button" class="fa fa-print"></i>
|
|
</a>
|
|
<a href="https://github.com/kanidm/kanidm" title="Git repository" aria-label="Git repository">
|
|
<i id="git-repository-button" class="fa fa-github"></i>
|
|
</a>
|
|
<a href="https://github.com/kanidm/kanidm/edit/master/kanidm_book/src/administrivia.md" title="Suggest an edit" aria-label="Suggest an edit">
|
|
<i id="git-edit-button" class="fa fa-edit"></i>
|
|
</a>
|
|
</div>
|
|
</div>
|
|
|
|
<div id="search-wrapper" class="hidden">
|
|
<form id="searchbar-outer" class="searchbar-outer">
|
|
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
|
|
</form>
|
|
<div id="searchresults-outer" class="searchresults-outer hidden">
|
|
<div id="searchresults-header" class="searchresults-header"></div>
|
|
<ul id="searchresults">
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
|
|
<script type="text/javascript">
|
|
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
|
|
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
|
|
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
|
|
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
|
|
});
|
|
</script>
|
|
|
|
<div id="content" class="content">
|
|
<main>
|
|
<h1 id="administration-tasks"><a class="header" href="#administration-tasks">Administration Tasks</a></h1>
|
|
<p>This chapter describes some of the routine administration tasks for running
|
|
a Kanidm server, such as making backups and restoring from backups, testing
|
|
server configuration, reindexing, verifying data consistency, and renaming
|
|
your domain.</p>
|
|
<h1 id="backup-and-restore"><a class="header" href="#backup-and-restore">Backup and Restore</a></h1>
|
|
<p>With any Identity Management (IDM) software, it's important you have the capability to restore in
|
|
case of a disaster - be that physical damage or a mistake. Kanidm supports backup
|
|
and restore of the database with three methods.</p>
|
|
<h2 id="method-1-preferred"><a class="header" href="#method-1-preferred">Method 1 (Preferred)</a></h2>
|
|
<p>Method 1 involves taking a backup of the database entry content, which is then re-indexed on restore.
|
|
This is the preferred method.</p>
|
|
<p>To take the backup (assuming our docker environment) you first need to stop the instance:</p>
|
|
<pre><code>docker stop <container name>
|
|
docker run --rm -i -t -v kanidmd:/data -v kanidmd_backups:/backup \
|
|
kanidm/server:latest /sbin/kanidmd backup -c /data/server.toml \
|
|
/backup/kanidm.backup.json
|
|
docker start <container name>
|
|
</code></pre>
|
|
<p>You can then restart your instance. DO NOT modify the backup.json as it may introduce
|
|
data errors into your instance.</p>
|
|
<p>To restore from the backup:</p>
|
|
<pre><code>docker stop <container name>
|
|
docker run --rm -i -t -v kanidmd:/data -v kanidmd_backups:/backup \
|
|
kanidm/server:latest /sbin/kanidmd restore -c /data/server.toml \
|
|
/backup/kanidm.backup.json
|
|
docker start <container name>
|
|
</code></pre>
|
|
<p>That's it!</p>
|
|
<h2 id="method-2"><a class="header" href="#method-2">Method 2</a></h2>
|
|
<p>This is a simple backup of the data volume.</p>
|
|
<pre><code>docker stop <container name>
|
|
# Backup your docker's volume folder
|
|
docker start <container name>
|
|
</code></pre>
|
|
<h2 id="method-3"><a class="header" href="#method-3">Method 3</a></h2>
|
|
<p>Automatic backups can be generated online by a <code>kanidmd server</code> instance
|
|
by including the <code>[online_backup]</code> section in the <code>server.toml</code>.
|
|
This allows you to run regular backups, defined by a cron schedule, and maintain
|
|
the number of backup versions to keep. An example is located in
|
|
<a href="https://github.com/kanidm/kanidm/blob/master/examples/server.toml">examples/server.toml</a>.</p>
|
|
<h1 id="configuration-test"><a class="header" href="#configuration-test">Configuration Test</a></h1>
|
|
<p>You can test your configuration will correctly start with the server.</p>
|
|
<blockquote>
|
|
<p><strong>WARNING:</strong> While this is a configuration test, it still needs to open the database so that
|
|
it can check a number of internal values are consistent with the configuration. As a result,
|
|
this requires the instance under config test to be stopped!</p>
|
|
</blockquote>
|
|
<pre><code>docker stop <container name>
|
|
docker run --rm -i -t -v kanidmd:/data \
|
|
kanidm/server:latest /sbin/kanidmd configtest -c /data/server.toml
|
|
docker start <container name>
|
|
</code></pre>
|
|
<h1 id="reindexing-after-schema-extension"><a class="header" href="#reindexing-after-schema-extension">Reindexing after schema extension</a></h1>
|
|
<p>In some (rare) cases you may need to reindex.
|
|
Please note the server will sometimes reindex on startup as a result of the project
|
|
changing its internal schema definitions. This is normal and expected - you may never need
|
|
to start a reindex yourself as a result!</p>
|
|
<p>You'll likely notice a need to reindex if you add indexes to schema and you see a message in
|
|
your logs such as:</p>
|
|
<pre><code>Index EQUALITY name not found
|
|
Index {type} {attribute} not found
|
|
</code></pre>
|
|
<p>This indicates that an index of type equality has been added for name, but the indexing process
|
|
has not been run. The server will continue to operate and the query execution code will correctly
|
|
process the query - however it will not be the optimal method of delivering the results as we need to
|
|
disregard this part of the query and act as though it's un-indexed.</p>
|
|
<p>Reindexing will resolve this by forcing all indexes to be recreated based on their schema
|
|
definitions (this works even though the schema is in the same database!)</p>
|
|
<pre><code>docker stop <container name>
|
|
docker run --rm -i -t -v kanidmd:/data \
|
|
kanidm/server:latest /sbin/kanidmd reindex -c /data/server.toml
|
|
docker start <container name>
|
|
</code></pre>
|
|
<p>Generally, reindexing is a rare action and should not normally be required.</p>
|
|
<h1 id="vacuum"><a class="header" href="#vacuum">Vacuum</a></h1>
|
|
<p><a href="https://www.sqlite.org/lang_vacuum.html">Vacuuming</a> is the process of reclaiming un-used pages
|
|
from the sqlite freelists, as well as performing some data reordering tasks that may make some
|
|
queries more efficient . It is recommended that you vacuum after a reindex is performed or
|
|
when you wish to reclaim space in the database file.</p>
|
|
<p>Vacuum is also able to change the pagesize of the database. After changing <code>db_fs_type</code> (which affects
|
|
pagesize) in server.toml, you must run a vacuum for this to take effect:</p>
|
|
<pre><code>docker stop <container name>
|
|
docker run --rm -i -t -v kanidmd:/data \
|
|
kanidm/server:latest /sbin/kanidmd vacuum -c /data/server.toml
|
|
docker start <container name>
|
|
</code></pre>
|
|
<h1 id="verification"><a class="header" href="#verification">Verification</a></h1>
|
|
<p>The server ships with a number of verification utilities to ensure that data is consistent such
|
|
as referential integrity or memberof.</p>
|
|
<p>Note that verification really is a last resort - the server does <em>a lot</em> to prevent and self-heal
|
|
from errors at run time, so you should rarely if ever require this utility. This utility was
|
|
developed to guarantee consistency during development!</p>
|
|
<p>You can run a verification with:</p>
|
|
<pre><code>docker stop <container name>
|
|
docker run --rm -i -t -v kanidmd:/data \
|
|
kanidm/server:latest /sbin/kanidmd verify -c /data/server.toml
|
|
docker start <container name>
|
|
</code></pre>
|
|
<p>If you have errors, please contact the project to help support you to resolve these.</p>
|
|
<h1 id="rename-the-domain"><a class="header" href="#rename-the-domain">Rename the domain</a></h1>
|
|
<p>There are some cases where you may need to rename the domain. You should have configured
|
|
this initially in the setup, however you may have a situation where a business is changing
|
|
name, merging, or other needs which may prompt this needing to be changed.</p>
|
|
<blockquote>
|
|
<p><strong>WARNING:</strong> This WILL break ALL u2f/webauthn tokens that have been enrolled, which MAY cause
|
|
accounts to be locked out and unrecoverable until further action is taken. DO NOT CHANGE
|
|
the domain name unless REQUIRED and have a plan on how to manage these issues.</p>
|
|
</blockquote>
|
|
<blockquote>
|
|
<p><strong>WARNING:</strong> This operation can take an extensive amount of time as ALL accounts and groups
|
|
in the domain MUST have their Security Principal Names (SPNs) regenerated. This WILL also cause
|
|
a large delay in replication once the system is restarted.</p>
|
|
</blockquote>
|
|
<p>You should make a backup before proceeding with this operation.</p>
|
|
<p>When you have a created a migration plan and strategy on handling the invalidation of webauthn,
|
|
you can then rename the domain.</p>
|
|
<p>First, stop the instance.</p>
|
|
<pre><code>docker stop <container name>
|
|
</code></pre>
|
|
<p>Second, change <code>domain</code> and <code>origin</code> in <code>server.toml</code>.</p>
|
|
<p>Third, trigger the database domain rename process.</p>
|
|
<pre><code>docker run --rm -i -t -v kanidmd:/data \
|
|
kanidm/server:latest /sbin/kanidmd domain rename -c /data/server.toml
|
|
</code></pre>
|
|
<p>Finally, you can now start your instance again.</p>
|
|
<pre><code>docker start <container name>
|
|
</code></pre>
|
|
<h1 id="raw-actions"><a class="header" href="#raw-actions">Raw actions</a></h1>
|
|
<p>The server has a low-level stateful API you can use for more complex or advanced tasks on large numbers
|
|
of entries at once. Some examples are below, but generally we advise you to use the APIs as listed
|
|
above.</p>
|
|
<pre><code># Create from json (group or account)
|
|
kanidm raw create -H https://localhost:8443 -C ../insecure/ca.pem -D admin example.create.account.json
|
|
kanidm raw create -H https://localhost:8443 -C ../insecure/ca.pem -D idm_admin example.create.group.json
|
|
|
|
# Apply a json stateful modification to all entries matching a filter
|
|
kanidm raw modify -H https://localhost:8443 -C ../insecure/ca.pem -D admin '{"or": [ {"eq": ["name", "idm_person_account_create_priv"]}, {"eq": ["name", "idm_service_account_create_priv"]}, {"eq": ["name", "idm_account_write_priv"]}, {"eq": ["name", "idm_group_write_priv"]}, {"eq": ["name", "idm_people_write_priv"]}, {"eq": ["name", "idm_group_create_priv"]} ]}' example.modify.idm_admin.json
|
|
kanidm raw modify -H https://localhost:8443 -C ../insecure/ca.pem -D idm_admin '{"eq": ["name", "idm_admins"]}' example.modify.idm_admin.json
|
|
|
|
# Search and show the database representations
|
|
kanidm raw search -H https://localhost:8443 -C ../insecure/ca.pem -D admin '{"eq": ["name", "idm_admin"]}'
|
|
|
|
# Delete all entries matching a filter
|
|
kanidm raw delete -H https://localhost:8443 -C ../insecure/ca.pem -D idm_admin '{"eq": ["name", "test_account_delete_me"]}'
|
|
</code></pre>
|
|
|
|
</main>
|
|
|
|
<nav class="nav-wrapper" aria-label="Page navigation">
|
|
<!-- Mobile navigation buttons -->
|
|
<a rel="prev" href="accounts_and_groups.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
|
|
<i class="fa fa-angle-left"></i>
|
|
</a>
|
|
<a rel="next" href="monitoring.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
|
|
<i class="fa fa-angle-right"></i>
|
|
</a>
|
|
<div style="clear: both"></div>
|
|
</nav>
|
|
</div>
|
|
</div>
|
|
|
|
<nav class="nav-wide-wrapper" aria-label="Page navigation">
|
|
<a rel="prev" href="accounts_and_groups.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
|
|
<i class="fa fa-angle-left"></i>
|
|
</a>
|
|
<a rel="next" href="monitoring.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
|
|
<i class="fa fa-angle-right"></i>
|
|
</a>
|
|
</nav>
|
|
|
|
</div>
|
|
|
|
<script type="text/javascript">
|
|
window.playground_copyable = true;
|
|
</script>
|
|
<script src="elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
|
|
<script src="mark.min.js" type="text/javascript" charset="utf-8"></script>
|
|
<script src="searcher.js" type="text/javascript" charset="utf-8"></script>
|
|
<script src="clipboard.min.js" type="text/javascript" charset="utf-8"></script>
|
|
<script src="highlight.js" type="text/javascript" charset="utf-8"></script>
|
|
<script src="book.js" type="text/javascript" charset="utf-8"></script>
|
|
|
|
<!-- Custom JS scripts -->
|
|
</body>
|
|
</html>
|