mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-24 13:07:00 +01:00
263 lines
22 KiB
HTML
263 lines
22 KiB
HTML
<!DOCTYPE HTML>
|
|
<html lang="en" class="sidebar-visible no-js light">
|
|
<head>
|
|
<!-- Book generated using mdBook -->
|
|
<meta charset="UTF-8">
|
|
<title>Introduction to Kanidm - Kanidm Administration</title>
|
|
<!-- Custom HTML head -->
|
|
<meta name="description" content="">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<meta name="theme-color" content="#ffffff" />
|
|
|
|
<link rel="shortcut icon" href="favicon.png">
|
|
<link rel="stylesheet" href="css/variables.css">
|
|
<link rel="stylesheet" href="css/general.css">
|
|
<link rel="stylesheet" href="css/chrome.css">
|
|
<link rel="stylesheet" href="css/print.css" media="print">
|
|
<!-- Fonts -->
|
|
<link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
|
|
<link rel="stylesheet" href="fonts/fonts.css">
|
|
<!-- Highlight.js Stylesheets -->
|
|
<link rel="stylesheet" href="highlight.css">
|
|
<link rel="stylesheet" href="tomorrow-night.css">
|
|
<link rel="stylesheet" href="ayu-highlight.css">
|
|
|
|
<!-- Custom theme stylesheets -->
|
|
</head>
|
|
<body>
|
|
<!-- Provide site root to javascript -->
|
|
<script>
|
|
var path_to_root = "";
|
|
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
|
|
</script>
|
|
|
|
<!-- Work around some values being stored in localStorage wrapped in quotes -->
|
|
<script>
|
|
try {
|
|
var theme = localStorage.getItem('mdbook-theme');
|
|
var sidebar = localStorage.getItem('mdbook-sidebar');
|
|
|
|
if (theme.startsWith('"') && theme.endsWith('"')) {
|
|
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
|
|
}
|
|
|
|
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
|
|
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
|
|
}
|
|
} catch (e) { }
|
|
</script>
|
|
|
|
<!-- Set the theme before any content is loaded, prevents flash -->
|
|
<script>
|
|
var theme;
|
|
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
|
|
if (theme === null || theme === undefined) { theme = default_theme; }
|
|
var html = document.querySelector('html');
|
|
html.classList.remove('no-js')
|
|
html.classList.remove('light')
|
|
html.classList.add(theme);
|
|
html.classList.add('js');
|
|
</script>
|
|
|
|
<!-- Hide / unhide sidebar before it is displayed -->
|
|
<script>
|
|
var html = document.querySelector('html');
|
|
var sidebar = 'hidden';
|
|
if (document.body.clientWidth >= 1080) {
|
|
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
|
|
sidebar = sidebar || 'visible';
|
|
}
|
|
html.classList.remove('sidebar-visible');
|
|
html.classList.add("sidebar-" + sidebar);
|
|
</script>
|
|
|
|
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
|
|
<div class="sidebar-scrollbox">
|
|
<ol class="chapter"><li class="chapter-item expanded "><a href="intro.html" class="active"><strong aria-hidden="true">1.</strong> Introduction to Kanidm</a></li><li class="chapter-item expanded "><a href="frequently_asked_questions.html"><strong aria-hidden="true">2.</strong> Frequently Asked Questions</a></li><li class="chapter-item expanded "><a href="installing_the_server.html"><strong aria-hidden="true">3.</strong> Installing the Server</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="choosing_a_domain_name.html"><strong aria-hidden="true">3.1.</strong> Choosing a Domain Name</a></li><li class="chapter-item expanded "><a href="prepare_the_server.html"><strong aria-hidden="true">3.2.</strong> Preparing for your Deployment</a></li><li class="chapter-item expanded "><a href="server_configuration.html"><strong aria-hidden="true">3.3.</strong> Server Configuration and Install</a></li><li class="chapter-item expanded "><a href="server_update.html"><strong aria-hidden="true">3.4.</strong> Server Updates</a></li><li class="chapter-item expanded "><a href="security_hardening.html"><strong aria-hidden="true">3.5.</strong> Platform Security Hardening</a></li></ol></li><li class="chapter-item expanded "><a href="client_tools.html"><strong aria-hidden="true">4.</strong> Client Tools</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="installing_client_tools.html"><strong aria-hidden="true">4.1.</strong> Installing client tools</a></li></ol></li><li class="chapter-item expanded "><a href="administrivia.html"><strong aria-hidden="true">5.</strong> Administration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="accounts_and_groups.html"><strong aria-hidden="true">5.1.</strong> Accounts and Groups</a></li><li class="chapter-item expanded "><a href="backup_restore.html"><strong aria-hidden="true">5.2.</strong> Backup and Restore</a></li><li class="chapter-item expanded "><a href="database_maint.html"><strong aria-hidden="true">5.3.</strong> Database Maintenance</a></li><li class="chapter-item expanded "><a href="domain_rename.html"><strong aria-hidden="true">5.4.</strong> Domain Rename</a></li><li class="chapter-item expanded "><a href="monitoring.html"><strong aria-hidden="true">5.5.</strong> Monitoring the platform</a></li><li class="chapter-item expanded "><a href="password_quality.html"><strong aria-hidden="true">5.6.</strong> Password Quality and Badlisting</a></li><li class="chapter-item expanded "><a href="posix_accounts.html"><strong aria-hidden="true">5.7.</strong> POSIX Accounts and Groups</a></li><li class="chapter-item expanded "><a href="ssh_key_dist.html"><strong aria-hidden="true">5.8.</strong> SSH Key Distribution</a></li><li class="chapter-item expanded "><a href="recycle_bin.html"><strong aria-hidden="true">5.9.</strong> The Recycle Bin</a></li><li class="chapter-item expanded "><a href="why_tls.html"><strong aria-hidden="true">5.10.</strong> Why TLS?</a></li></ol></li><li class="chapter-item expanded "><a href="troubleshooting.html"><strong aria-hidden="true">6.</strong> Troubleshooting</a></li><li class="chapter-item expanded "><a href="glossary.html"><strong aria-hidden="true">7.</strong> Glossary of Technical Terms</a></li><li class="chapter-item expanded affix "><li class="part-title">Services</li><li class="chapter-item expanded "><a href="integrations/oauth2.html"><strong aria-hidden="true">8.</strong> Oauth2</a></li><li class="chapter-item expanded "><a href="integrations/pam_and_nsswitch.html"><strong aria-hidden="true">9.</strong> PAM and nsswitch</a></li><li class="chapter-item expanded "><a href="integrations/radius.html"><strong aria-hidden="true">10.</strong> RADIUS</a></li><li class="chapter-item expanded "><a href="integrations/ldap.html"><strong aria-hidden="true">11.</strong> LDAP</a></li><li class="chapter-item expanded affix "><li class="part-title">Integration Examples</li><li class="chapter-item expanded "><a href="examples/k8s_ingress_example.html"><strong aria-hidden="true">12.</strong> Kubernetes Ingress</a></li><li class="chapter-item expanded "><a href="integrations/traefik.html"><strong aria-hidden="true">13.</strong> Traefik</a></li><li class="chapter-item expanded affix "><li class="part-title">For Developers</li><li class="chapter-item expanded "><a href="DEVELOPER_README.html"><strong aria-hidden="true">14.</strong> Developer Guide</a></li><li class="chapter-item expanded "><div><strong aria-hidden="true">15.</strong> Design Documents</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="developers/designs/access_profiles_rework_2022.html"><strong aria-hidden="true">15.1.</strong> Access Profiles 2022</a></li><li class="chapter-item expanded "><a href="developers/designs/access_profiles_and_security.html"><strong aria-hidden="true">15.2.</strong> Access Profiles Original</a></li><li class="chapter-item expanded "><a href="developers/designs/rest_interface.html"><strong aria-hidden="true">15.3.</strong> REST Interface</a></li></ol></li><li class="chapter-item expanded "><a href="developers/python.html"><strong aria-hidden="true">16.</strong> Python Module</a></li><li class="chapter-item expanded "><a href="developers/radius.html"><strong aria-hidden="true">17.</strong> RADIUS Integration</a></li><li class="chapter-item expanded "><a href="packaging.html"><strong aria-hidden="true">18.</strong> Packaging</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="packaging_debs.html"><strong aria-hidden="true">18.1.</strong> Debian/Ubuntu</a></li></ol></li></ol>
|
|
</div>
|
|
<div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
|
|
</nav>
|
|
|
|
<div id="page-wrapper" class="page-wrapper">
|
|
|
|
<div class="page">
|
|
<div id="menu-bar-hover-placeholder"></div>
|
|
<div id="menu-bar" class="menu-bar sticky bordered">
|
|
<div class="left-buttons">
|
|
<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
|
|
<i class="fa fa-bars"></i>
|
|
</button>
|
|
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
|
|
<i class="fa fa-paint-brush"></i>
|
|
</button>
|
|
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
|
|
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
|
|
</ul>
|
|
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
|
|
<i class="fa fa-search"></i>
|
|
</button>
|
|
</div>
|
|
|
|
<h1 class="menu-title">Kanidm Administration</h1>
|
|
|
|
<div class="right-buttons">
|
|
<a href="print.html" title="Print this book" aria-label="Print this book">
|
|
<i id="print-button" class="fa fa-print"></i>
|
|
</a>
|
|
<a href="https://github.com/kanidm/kanidm" title="Git repository" aria-label="Git repository">
|
|
<i id="git-repository-button" class="fa fa-github"></i>
|
|
</a>
|
|
<a href="https://github.com/kanidm/kanidm/edit/master/kanidm_book/src/intro.md" title="Suggest an edit" aria-label="Suggest an edit">
|
|
<i id="git-edit-button" class="fa fa-edit"></i>
|
|
</a>
|
|
</div>
|
|
</div>
|
|
|
|
<div id="search-wrapper" class="hidden">
|
|
<form id="searchbar-outer" class="searchbar-outer">
|
|
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
|
|
</form>
|
|
<div id="searchresults-outer" class="searchresults-outer hidden">
|
|
<div id="searchresults-header" class="searchresults-header"></div>
|
|
<ul id="searchresults">
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
|
|
<script>
|
|
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
|
|
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
|
|
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
|
|
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
|
|
});
|
|
</script>
|
|
|
|
<div id="content" class="content">
|
|
<main>
|
|
<h1 id="introduction-to-kanidm"><a class="header" href="#introduction-to-kanidm">Introduction to Kanidm</a></h1>
|
|
<p>Kanidm is an identity management server, acting as an authority on account information, authentication
|
|
and authorisation within a technical environment.</p>
|
|
<p>The intent of the Kanidm project is to:</p>
|
|
<ul>
|
|
<li>Provide a single truth source for accounts, groups and privileges.</li>
|
|
<li>Enable integrations to systems and services so they can authenticate accounts.</li>
|
|
<li>Make system, network, application and web authentication easy and accessible.</li>
|
|
<li>Secure and reliable by default, aiming for the highest levels of quality.</li>
|
|
</ul>
|
|
<table>
|
|
<tr>
|
|
<td rowspan=2><img src="images/kani-warning.png" alt="Kani Warning" /></td>
|
|
<td><strong>NOTICE</strong></td>
|
|
</tr>
|
|
<tr>
|
|
<td>Kanidm is still a work in progress. Many features will evolve and change over time which may not be suitable for all users.</td>
|
|
</tr>
|
|
</table>
|
|
<h2 id="why-do-i-want-kanidm"><a class="header" href="#why-do-i-want-kanidm">Why do I want Kanidm?</a></h2>
|
|
<p>Whether you work in a business, a volunteer organisation, or are an enthusiast who manages
|
|
their personal services, you need methods of authenticating and identifying
|
|
to your systems, and subsequently, ways to determine what authorisation and privileges you have
|
|
while accessing these systems.</p>
|
|
<p>We've probably all been in workplaces where you end up with multiple accounts on various
|
|
systems - one for a workstation, different SSH keys for different tasks, maybe some shared
|
|
account passwords. Not only is it difficult for people to manage all these different credentials
|
|
and what they have access to, but it also means that sometimes these credentials have more
|
|
access or privilege than they require.</p>
|
|
<p>Kanidm acts as a central authority of accounts in your organisation and allows each account to associate
|
|
many devices and credentials with different privileges. An example of how this looks:</p>
|
|
<pre><code> ┌──────────────────┐
|
|
┌┴─────────────────┐│
|
|
│ ││
|
|
┌───────────────┬───▶│ Kanidm │◀─────┬─────────────────────────┐
|
|
│ │ │ ├┘ │ │
|
|
│ │ └──────────────────┘ │ Verify
|
|
Account Data │ ▲ │ Radius
|
|
References │ │ │ Password
|
|
│ │ │ │ │
|
|
│ │ │ │ ┌────────────┐
|
|
│ │ │ │ │ │
|
|
│ │ │ Verify │ RADIUS │
|
|
┌────────────┐ │ Retrieve SSH Application │ │
|
|
│ │ │ Public Keys Password └────────────┘
|
|
│ Database │ │ │ │ ▲
|
|
│ │ │ │ │ │
|
|
└────────────┘ │ │ │ ┌────────┴──────┐
|
|
▲ │ │ │ │ │
|
|
│ │ │ │ │ │
|
|
┌────────────┐ │ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
|
|
│ │ │ │ │ │ │ │ │ │ │
|
|
│ Web Site │ │ │ SSH │ │ Email │ │ WIFI │ │ VPN │
|
|
│ │ │ │ │ │ │ │ │ │ │
|
|
└────────────┘ │ └────────────┘ └────────────┘ └────────────┘ └────────────┘
|
|
▲ │ ▲ ▲ ▲ ▲
|
|
│ │ │ │ │ │
|
|
│ │ │ │ │ │
|
|
│ Login To │ │ │ │
|
|
SSO/Oauth Oauth/SSO SSH Keys Application Radius Radius
|
|
│ │ │ Password Password Password
|
|
│ │ │ │ │ │
|
|
│ │ │ │ │ │
|
|
│ │ │ │ │ │
|
|
│ │ ┌──────────┐ │ │ │
|
|
│ │ │ │ │ │ │
|
|
└──────────────┴────────│ Laptop │──────────┴───────────────┴───────────────┘
|
|
│ │
|
|
└──────────┘
|
|
▲
|
|
│
|
|
│
|
|
┌──────────┐
|
|
│ You │
|
|
└──────────┘
|
|
</code></pre>
|
|
<p>A key design goal is that you authenticate with your device in some manner, and then your device will
|
|
continue to authenticate you in the future. Each of these different types of credentials, from SSH keys,
|
|
application passwords, to RADIUS passwords and others, are "things your device knows". Each password
|
|
has limited capability, and can only access that exact service or resource.</p>
|
|
<p>This helps improve security; a compromise of the service or the network transmission does not
|
|
grant you unlimited access to your account and all its privileges. As the credentials are specific
|
|
to a device, if a device is compromised you can revoke its associated credentials. If a
|
|
specific service is compromised, only the credentials for that service need to be revoked.</p>
|
|
<p>Due to this model, and the design of Kanidm to centre the device and to have more per-service credentials,
|
|
workflows and automation are added or designed to reduce human handling.</p>
|
|
<h2 id="library-documentation"><a class="header" href="#library-documentation">Library documentation</a></h2>
|
|
<p>Looking for the <code>rustdoc</code> documentation for the libraries themselves? <a href="https://kanidm.com/documentation/">Click here!</a></p>
|
|
|
|
</main>
|
|
|
|
<nav class="nav-wrapper" aria-label="Page navigation">
|
|
<!-- Mobile navigation buttons -->
|
|
<a rel="next" href="frequently_asked_questions.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
|
|
<i class="fa fa-angle-right"></i>
|
|
</a>
|
|
<div style="clear: both"></div>
|
|
</nav>
|
|
</div>
|
|
</div>
|
|
|
|
<nav class="nav-wide-wrapper" aria-label="Page navigation">
|
|
<a rel="next" href="frequently_asked_questions.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
|
|
<i class="fa fa-angle-right"></i>
|
|
</a>
|
|
</nav>
|
|
|
|
</div>
|
|
|
|
<script>
|
|
window.playground_copyable = true;
|
|
</script>
|
|
<script src="elasticlunr.min.js"></script>
|
|
<script src="mark.min.js"></script>
|
|
<script src="searcher.js"></script>
|
|
<script src="clipboard.min.js"></script>
|
|
<script src="highlight.js"></script>
|
|
<script src="book.js"></script>
|
|
|
|
<!-- Custom JS scripts -->
|
|
</body>
|
|
</html>
|