Kanidm is an identity management platform written in rust. Our goals are:
- Modern identity management platform
- Simple to deploy and integrate with
- Extensible for various needs
- Correct and secure behaviour by default
Today the project is still under heavy development to achieve these goals - We have many foundational parts in place, and many of the required security features, but it is still an Alpha, and should be treated as such.
If you want to deploy kanidm to see what it can do, you should read the kanidm book
We also publish limited support guidelines.
See our code of conduct
See our documentation on rights and ethics
We have a gitter community channel where we can talk. Firstyear is also happy to answer questions via email, which can be found on their github profile.
If you want to develop on the server, there is a getting started guide for developers. IDM is a diverse topic and we encourage contributions of many kinds in the project, from people of all backgrounds.
- SSH key distribution for servers
- Pam/nsswitch clients (with limited offline auth)
- MFA - TOTP
- Highly concurrent design (MVCC, COW)
- RADIUS integration
- MFA - Webauthn
- CLI for administration
- WebUI for self-service with wifi enrollment, claim management and more.
- RBAC/Claims/Policy (limited by time and credential scope)
- OIDC/Oauth
- Replication (async multiple active write servers, read-only servers)
- SSH CA management
- Sudo rule distribution via nsswitch
- WebUI for administration
- Account impersonation
- Synchronisation to other IDM services
- All people should be respected and able to be represented securely.
- Devices represent users and their identities - they are part of the authentication.
- Human error occurs - we should be designed to minimise human mistakes and empower people.
- The system should be easy to understand and reason about for users and admins.
- Auditing: This is better solved by SIEM software, so we should generate data they can consume.
- Fully synchronous behaviour: This prevents scaling and our future ability to expand.
- Generic database: We don't want to be another NoSQL database, we want to be an IDM solution.
- Being like LDAP/GSSAPI/Kerberos: These are all legacy protocols that are hard to use and confine our thinking - we should avoid "being like them" or using them as models.
The original project name was rsidm while it was a thought experiment. Now that it's growing and developing, we gave it a better project name. Kani is Japanese for "crab". Rust's mascot is a crab. IDM is the common industry term for identity management services.