Kanidm: A simple, secure, and fast identity management platform
Latest commit c798322ad8 (Firstyear, 2019-09-06 13:04:58 +10:00): 60 authsession gc (#80)

Implements #60 authsession garbage collection. If we assume that an authsession is around 1024 bytes (this assumes a 16 char name + groups + claims) then this means that in 1GB of RAM we can store about 1 million in-progress auth attempts. Obviously, we don't want infinite memory growth, but we can't use an LRU cache due to the future desire to use concurrent trees. So instead we prune the tree based on a timeout when we start an auth operation. Auth session IDs are generated from a timestamp similar to how we'll generate replication CSNs. We can then apply a diff that will split all items lower than the CSN/SID and remove them from future consideration.

We set the default timeout to 5 minutes. This means that assuming 10,000 auths per second, we would require 3GB of RAM to process these sessions before they are expired. We expect any deployment with such large loadings can afford 3GB of RAM :)
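The pruning strategy the commit message describes, as an added example written for this page (it is not Kanidm's own code): sessions live in an ordered map whose key sorts by creation time, so expiry is one split at a cutoff key rather than a scan. `SessionId`, `AuthSession`, `AuthSessions` and `ram_bytes_needed` are hypothetical names, the timestamp is passed in by the caller in whole seconds so the example is deterministic offline, and the per-second `seq` counter only keeps ids created in the same second distinct. The id here carries no secret; it exists for ordering. If the same value were also the token a client presents to resume the session, it would additionally need an unpredictable component, which this example deliberately leaves out.

```rust
use std::collections::BTreeMap;
use std::time::Duration;

/// Hypothetical session id. Ordering is by creation time first, so the whole
/// map sorts oldest-to-newest and a single split can drop everything older
/// than a cutoff. `seq` only disambiguates ids created in the same second.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct SessionId {
    pub created_secs: u64,
    pub seq: u32,
}

/// Hypothetical in-progress auth state; real state would hold the account,
/// groups, claims and which credential steps have been satisfied.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AuthSession {
    pub name: String,
    pub steps_done: u8,
}

pub struct AuthSessions {
    sessions: BTreeMap<SessionId, AuthSession>,
    timeout: Duration,
    seq: u32,
}

impl AuthSessions {
    pub fn new(timeout: Duration) -> Self {
        AuthSessions { sessions: BTreeMap::new(), timeout, seq: 0 }
    }

    /// Start an auth operation at `now_secs` (caller-supplied clock so the
    /// example is deterministic). Expired sessions are pruned first, as the
    /// commit describes, so memory is bounded by auth rate times timeout.
    pub fn begin(&mut self, now_secs: u64, name: &str) -> SessionId {
        self.expire(now_secs);
        self.seq = self.seq.wrapping_add(1);
        let id = SessionId { created_secs: now_secs, seq: self.seq };
        self.sessions
            .insert(id, AuthSession { name: name.to_string(), steps_done: 0 });
        id
    }

    /// Remove every session whose id sorts below the cutoff. `split_off`
    /// returns the half with keys >= cutoff; swapping it in leaves the
    /// expired half to be dropped. Sessions exactly `timeout` seconds old
    /// survive because their `seq` is >= the cutoff's `seq` of 0.
    /// Returns the number of sessions removed.
    pub fn expire(&mut self, now_secs: u64) -> usize {
        let cutoff = SessionId {
            created_secs: now_secs.saturating_sub(self.timeout.as_secs()),
            seq: 0,
        };
        let live = self.sessions.split_off(&cutoff);
        let expired = std::mem::replace(&mut self.sessions, live);
        expired.len()
    }

    /// Look up a session; a pruned id is simply absent, so a client that
    /// presents a stale id gets no state to continue from.
    pub fn get(&self, id: &SessionId) -> Option<&AuthSession> {
        self.sessions.get(id)
    }

    pub fn len(&self) -> usize {
        self.sessions.len()
    }
}

/// The commit's capacity estimate: bytes held before sessions time out.
pub fn ram_bytes_needed(bytes_per_session: u64, auths_per_sec: u64, timeout_secs: u64) -> u64 {
    bytes_per_session * auths_per_sec * timeout_secs
}

fn main() {
    let mut s = AuthSessions::new(Duration::from_secs(300));
    let a = s.begin(1_000, "alice");
    let b = s.begin(1_100, "bob");
    let _c = s.begin(1_301, "carol"); // prunes alice: 1_000 < 1_301 - 300
    println!(
        "alice alive: {}, bob alive: {}, live sessions: {}",
        s.get(&a).is_some(),
        s.get(&b).is_some(),
        s.len()
    );
    println!(
        "bytes held at 10k auths/s with a 5 minute timeout: {}",
        ram_bytes_needed(1024, 10_000, 300)
    );
}
```

Because the split happens inside `begin`, an attacker flooding the server with new auth attempts only ever holds `rate * timeout` sessions resident; the bound in the commit's arithmetic is enforced structurally rather than by a separate sweeper.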
artwork 3 authentication (#79) 2019-09-04 11:06:37 +10:00
designs Complete system protected objects implementation. This allows class: system 2019-07-20 18:20:29 +09:00
rsidm_client 3 authentication (#79) 2019-09-04 11:06:37 +10:00
rsidm_proto 3 authentication (#79) 2019-09-04 11:06:37 +10:00
rsidm_tools 3 authentication (#79) 2019-09-04 11:06:37 +10:00
rsidmd 60 authsession gc (#80) 2019-09-06 13:04:58 +10:00
.dockerignore Large rework of audit logging 2018-12-27 15:22:03 +10:00
.gitignore 3 authentication (#79) 2019-09-04 11:06:37 +10:00
Cargo.toml 3 authentication (#79) 2019-09-04 11:06:37 +10:00
CHECKLIST.md Add support for working server integration test! 2018-11-27 20:48:21 +10:00
CODE_OF_CONDUCT.md Improve formatting of CoC (#77) 2019-08-20 11:25:45 +10:00
CONTRIBUTORS.md Add contributors 2019-07-15 09:20:41 +10:00
Dockerfile 20190607 authentication (#55) 2019-07-12 15:28:46 +10:00
LICENSE.md Change license to MPL #15 2019-02-03 10:27:49 +10:00
pull_request_template.md Create pull_request_template.md 2019-03-28 13:58:14 +10:00
README.md Update readme 2019-07-28 21:28:05 +09:00

Kanidm

Kanidm is an identity management platform written in Rust. Our goals are:

  • Modern identity management platform
  • Simple to deploy and integrate with
  • Extensible for various needs
  • Correct and secure behaviour by default

Today the project is still under heavy development to achieve these goals - we don't expect a fully functional release before early 2020. It is important to note that not all of the security features the system needs have been completed yet!

Code of Conduct

See CODE_OF_CONDUCT.md

Some key ideas

  • All people should be respected and able to be represented securely.
  • Devices represent users and their identities - they are part of the authentication.
  • Human error occurs - the system should be designed to minimise human mistakes and empower people.
  • The system should be easy to understand and reason about for users and admins.

Quick start

Details to come ...

Implemented/Planned features

  • RBAC design
  • SSH key distribution for servers
  • PAM/nsswitch clients (with limited offline auth)
  • Sudo rule distribution via nsswitch
  • CLI and WebUI for administration
  • OIDC/OAuth
  • Claims (limited by time and credential scope)
  • MFA (Webauthn, TOTP)
  • Highly concurrent design (MVCC, COW)
  • Replication (async multiple active write servers, read only servers)
  • Account impersonation
  • RADIUS integration
  • Self service UI with wifi enrollment, claim management and more.
  • Synchronisation to other IDM services

Features we want to avoid

  • Auditing: This is better solved by SIEM software, so we should generate data they can consume.
  • Fully synchronous behaviour: This is slow.
  • Generic database: We don't want to be another NoSQL database, we want to be an IDM solution.
  • Being LDAP/GSSAPI/Kerberos: These are all legacy protocols that are hard to use and confine our thinking - we should avoid "being like them".

Designs

See the designs folder

Get involved

To get started, you'll need to fork or branch, and we'll merge based on PRs.

If you are a contributor to the project, simply clone:

git clone git@github.com:Firstyear/kanidm.git

If you are forking, then Fork in github and clone with:

git clone https://github.com/Firstyear/kanidm.git
cd kanidm
git remote add myfork git@github.com:<YOUR USERNAME>/kanidm.git

Select an issue (and always feel free to reach out to us for advice!), and create a branch to start working:

git branch <feature-branch-name>
git checkout <feature-branch-name>

When you are ready for review (even if the feature isn't complete and you just want some advice):

git commit -m 'Commit message' change_file.rs ...
git push <myfork/origin> <feature-branch-name>

If you get advice or make changes, just keep committing to the branch and pushing to your fork. When we are happy with the code, we'll merge in GitHub, meaning you can now clean up your branch.

git checkout master
git pull
git branch -D <feature-branch-name>

Rebasing:

If you are asked to rebase your change, follow these steps:

git checkout master
git pull
git checkout <feature-branch-name>
git rebase master

Then resolve any merge conflicts and address review comments as they arise. If you get stuck, you can always abort the rebase and restore the branch with:

git rebase --abort

Why do I see rsidm references?

The original project name was rsidm while it was a thought experiment. Now that it's growing and developing, we gave it a better project name. Kani is Japanese for "crab". Rust's mascot is a crab. It all works out in the end.