Simplify and modernize my current setup for identity and authentication

Migrating to KanIDM
https://kanidm.com/
/usr/local/libexec/kanidmd --config-path /usr/local/etc/kanidm/config.toml help
Install
Install kanidm-server (in a jail):
pkg install kanidm-server
and install kanidm-client somewhere else (it can be a different system):
pkg install kanidm-client
In this guide, we'll set up mod_auth_openidc in Apache httpd as a consumer of the OAuth2 service that kanidm provides.
kanidm server (kanidmd) configuration
The FreeBSD port (by default) uses /usr/local/etc/kanidm/config.toml as configuration file.
See the documentation for more information.
A PR exists that takes care of setting up the directories for kanidmd.
The PR also adds a configuration test command (configtest). Until it lands, create the directories by hand:
install -d -m 770 -g kanidmd /var/db/kanidm
install -d -m 770 -g kanidmd /var/db/kanidm/backups
Once these directories exist, you can enable and start kanidmd:
service kanidmd enable
service kanidmd start
Create your initial admin user and a random password (note that the documentation uses idm_admin and admin interchangeably).
# Use an alias so we don't have to add the path and config-path with every cmd
alias kanidmd='/usr/local/libexec/kanidmd --config-path /usr/local/etc/kanidm/config.toml'
kanidmd recover-account idm_admin
...
00000000-0000-0000-0000-000000000000 INFO i [info]: | new_password: "srwuhaxyp1gddpgyc6zybk182eept8yp2t05bq0fxb69wbvv"
...
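The steps above as one small bootstrap helper, added here as an example and not part of the guide or the kanidm project: it checks that the database directories are private to the kanidmd group, runs configtest before the service is started, and extracts only the generated password from the recover-account log line format shown above. The paths and the group name are the FreeBSD port defaults used in this guide and are assumptions you may need to adjust.

```shell
#!/bin/sh
# Added example (not from the guide): kanidmd bootstrap helper for FreeBSD.
# Assumed defaults, taken from the port layout described in the guide.
KANIDMD=${KANIDMD:-/usr/local/libexec/kanidmd}
KANIDM_CONFIG=${KANIDM_CONFIG:-/usr/local/etc/kanidm/config.toml}
KANIDM_DB_DIR=${KANIDM_DB_DIR:-/var/db/kanidm}
KANIDM_GROUP=${KANIDM_GROUP:-kanidmd}

# Return 0 only if DIR exists, is mode 770 (no access for "other") and is
# owned by GROUP. Parses `ls -ld` so it works with both BSD and GNU tools.
dir_is_private() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # $1 = mode string, $4 = group name
    case $1 in
        drwxrwx---*) ;;              # trailing '+'/'.' (ACL/SELinux) is fine
        *) return 1 ;;
    esac
    [ "$4" = "$want_group" ]
}

# Read `kanidmd recover-account` output on stdin and print only the password
# from the line:  ... [info]: | new_password: "..."
extract_new_password() {
    sed -n 's/.*new_password: "\([^"]*\)".*/\1/p' | head -n 1
}

# The procedure from the guide, run as root inside the server jail.
kanidm_bootstrap() {
    install -d -m 770 -g "$KANIDM_GROUP" "$KANIDM_DB_DIR"
    install -d -m 770 -g "$KANIDM_GROUP" "$KANIDM_DB_DIR/backups"
    dir_is_private "$KANIDM_DB_DIR" "$KANIDM_GROUP" || {
        echo "refusing to start: $KANIDM_DB_DIR is not 770/$KANIDM_GROUP" >&2
        return 1
    }
    # Validate the config before anything listens on the network.
    "$KANIDMD" --config-path "$KANIDM_CONFIG" configtest || return 1
    service kanidmd enable
    service kanidmd start
    # Print just the generated idm_admin password, not the whole log.
    "$KANIDMD" --config-path "$KANIDM_CONFIG" recover-account idm_admin 2>&1 \
        | extract_new_password
}

if [ "${1:-}" = "bootstrap" ]; then
    kanidm_bootstrap
fi
```

Run it as `sh kanidm-bootstrap.sh bootstrap`; without the argument it only defines the functions so they can be sourced and reused.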
You can see the available commands (and environment variables) with the help subcommand:
$ kanidmd help
Commands:
server Start the IDM Server
configtest Test the IDM Server configuration, without starting network listeners
cert-generate Create a self-signed ca and tls certificate in the locations listed from the configuration. These certificates should *not* be used in production, they are for testing and evaluation only!
recover-account Recover an account's password
disable-account Disable an account so that it can not be used. This can be reset with `recover-account`
show-replication-certificate Display this server's replication certificate
renew-replication-certificate Renew this server's replication certificate
refresh-replication-consumer Refresh this servers database content with the content from a supplier. This means that all local content will be deleted and replaced with the supplier content
db-scan Inspect the internal content of the database datastructures
database Database maintenance, backups, restoration etc
domain Change domain settings
version Print the program version and exit
scripting A dedicated scripting interface that has machine parsable input/outputs
help Print this message or the help of the given subcommand(s)
Client kanidm tooling
$ kanidm help
Kanidm Client Utility
Usage: kanidm [OPTIONS] <COMMAND>
Commands:
login Login to an account to use with future cli operations
reauth Reauthenticate to access privileged functions of this account for a short period
logout Logout of an active cli session
session Manage active cli sessions
self Actions for the current authenticated account
person Actions to manage and view person (user) accounts
group Actions to manage groups
service-account Actions to manage and view service accounts
graph Prints graphviz dot file of all groups
system System configuration operations
recycle-bin Recycle Bin operations
version Print the program version and exit
help Print this message or the help of the given subcommand(s)
Options:
-d, --debug Enable debugging of the kanidm tool [env: KANIDM_DEBUG=]
-I, --instance <INSTANCE> Select the instance name you wish to connect to [env: KANIDM_INSTANCE=]
-H, --url <ADDR> The URL of the kanidm instance [env: KANIDM_URL=]
-D, --name <USERNAME> User which will initiate requests [env: KANIDM_NAME=]
-C, --ca <CA_PATH> Path to a CA certificate file [env: KANIDM_CA_PATH=]
-o, --output <OUTPUT_MODE> Log format [env: KANIDM_OUTPUT=] [default: text]
--skip-hostname-verification Skip hostname verification [env: KANIDM_SKIP_HOSTNAME_VERIFICATION=]
--accept-invalid-certs Don't verify CA [env: KANIDM_ACCEPT_INVALID_CERTS=]
-h, --help Print help
