/kanidm

Kanidm: A simple, secure and fast identity management platform

Primary LanguageRustMozilla Public License 2.0MPL-2.0

Kanidm

Kanidm is an identity management platform written in rust. Our goals are:

  • Modern identity management platform
  • Simple to deploy and integrate with
  • Extensible for various needs
  • Correct and secure behaviour by default

Today the project is still under heavy development to achieve these goals - We have many foundational parts in place, and many of the required security features, but it is still an Alpha, and should be treated as such.

Documentation / Getting Started / Install

If you want to deploy Kanidm to see what it can do, you should read the kanidm book.

We also publish limited support guidelines.

Code of Conduct / Ethics

See our code of conduct

See our documentation on rights and ethics

Getting in Contact / Questions

We have a gitter community channel where we can talk. Firstyear is also happy to answer questions via email, which can be found on their github profile.

Developer Getting Started

If you want to develop on the server, there is a getting started guide for developers. IDM is a diverse topic and we encourage contributions of many kinds in the project, from people of all backgrounds.

Features

Implemented

  • SSH key distribution for servers
  • PAM/nsswitch clients (with limited offline auth)
  • MFA - TOTP
  • Highly concurrent design (MVCC, COW)
  • RADIUS integration
  • MFA - Webauthn

Currently Working On

  • CLI for administration
  • WebUI for self-service with wifi enrollment, claim management and more.
  • RBAC/Claims/Policy (limited by time and credential scope)
  • OIDC/Oauth

Upcoming Focus Areas

  • Replication (async multiple active write servers, read-only servers)

Future

  • SSH CA management
  • Sudo rule distribution via nsswitch
  • WebUI for administration
  • Account impersonation
  • Synchronisation to other IDM services

Some key project ideas

  • All people should be respected and able to be represented securely.
  • Devices represent users and their identities - they are part of the authentication.
  • Human error occurs - we should be designed to minimise human mistakes and empower people.
  • The system should be easy to understand and reason about for users and admins.

Features We Want to Avoid

  • Auditing: This is better solved by SIEM software, so we should generate data they can consume.
  • Fully synchronous behaviour: This prevents scaling and our future ability to expand.
  • Generic database: We don't want to be another NoSQL database, we want to be an IDM solution.
  • Being like LDAP/GSSAPI/Kerberos: These are all legacy protocols that are hard to use and confine our thinking - we should avoid "being like them" or using them as models.

What does Kanidm mean?

The original project name was rsidm while it was a thought experiment. Now that it's growing and developing, we gave it a better project name. Kani is Japanese for "crab". Rust's mascot is a crab. IDM is the common industry term for identity management services.