kanidm

Kanidm: A simple, secure and fast identity management platform

MPL-2.0 License

Downloads: 65
Stars: 2.6K
Committers: 40


kanidm - .deb Packages Latest Release

Published by github-actions[bot] about 1 month ago

Commits

  • d3891e3: 20240810 SCIM entry basic (#3032) (Firstyear) #3032
kanidm - .deb Packages

Published by github-actions[bot] about 1 month ago

Commits

  • f053ff7: CreatedAt/ModifiedAt fix (#3034) (Firstyear) #3034
kanidm - .deb Packages

Published by github-actions[bot] about 2 months ago

Commits

  • 95fc6fc: 20240828 Support Larger Images, Allow Custom Domain Icons (#3016) (Firstyear) #3016
kanidm - .deb Packages

Published by github-actions[bot] about 2 months ago

Commits

  • 0fac1f3: 20240820 SCIM value (#2992) (Firstyear) #2992
kanidm - v1.3.3

Published by Firstyear 2 months ago

2024-08-20 - Kanidm 1.3.3 Patch

  • A required re-index of the database was not correctly executed when upgrading from 1.2.x to 1.3.x. This triggers the re-index to occur on next server restart.
  • Substring indexes on mail attributes via LDAP matched no entries.

kanidm - v1.3.2

Published by Firstyear 2 months ago

2024-08-10 - Kanidm 1.3.2 Patch (Security)

  • Newer versions of Rust/LLVM would optimise-out a call to pam_get_user due to a library using const incorrectly on a pointer. This could result in a username not being set with an invalid fall through condition. In some cases this COULD CAUSE UNAUTHENTICATED system access.
    • Affected versions: 1.3.0 and 1.3.1.
  • Reduce logging of client_requests in INFO for unix resolver.
  • Security key migrations had an incorrect migration warning displayed.

kanidm - .deb Packages

Published by github-actions[bot] 2 months ago

Commits

  • d19bd99: Prevent bug in pam (#2960) (Firstyear) #2960
kanidm - v1.3.1

Published by Firstyear 3 months ago

2024-08-08 - Kanidm 1.3.1 Patch

  • Resolve incorrect logic in the kanidm CLI which prevented valid credential update sessions from being committed.

kanidm - v1.3.0

Published by Firstyear 3 months ago

2024-08-07 - Kanidm 1.3.0

This is the latest stable release of the Kanidm Identity Management project. Every release is
the combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our support documentation
as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation.

1.3.0 Important Changes

  • New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
    and groups must adhere to these rules. See our upgrade documentation
    about tools to help you detect and correct affected entries.
  • OAuth2 URIs require stricter matching rules to be applied from 1.4.0.
  • Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It
    has not been possible to register a new security key for more than 1 year. Security Keys are surpassed
    by PassKeys which give a better user experience.
  • Kanidm now supports FreeBSD and Illumos in addition to Linux

1.3.0 Release Highlights

  • TOTP update user interface improvements
  • Improved error messages when a load balancer is failing
  • Reduced server log noise to improve event clarity
  • Replace jemalloc with mimalloc
  • User session storage can optionally use cookies
  • Strictly enforce same-version for backup/restore processes
  • Allow name self-write to be withheld
  • Add support for LDAP Compare operations
  • Upgrade Axum HTTP framework to the latest stable
  • Reduced memory usage
  • Improved update flow when changing from dev to stable server versions
  • PIV authentication foundations
  • Significant improvements to performance for write and search operations
  • Support Illumos
  • Begin rewrite of the webui
  • OAuth2 allows multiple origins
  • Lengthen replication MTLS certificate lifetime
  • UNIX daemon allows home paths to be in an external mount folder
  • Strict redirect URI enforcement in OAuth2
  • Substring indexing for improved search performance
kanidm - .deb Packages

Published by github-actions[bot] 3 months ago

Commits

  • 5313c5f: Reorganising the daemon startup so it doesn't fail with OTEL configured (#2934) (James Hodgkinson) #2934
kanidm - .deb Packages

Published by github-actions[bot] 3 months ago

Commits

  • 2a7a009: clippying all the things (#2931) (James Hodgkinson) #2931
kanidm - .deb Packages

Published by github-actions[bot] 3 months ago

Commits

  • fb6c4a8: Bump the all group with 5 updates (#2925) (dependabot[bot]) #2925
  • 9a4ca18: Bump the all group in /pykanidm with 4 updates (#2924) (dependabot[bot]) #2924
  • e1a1bff: Docs rework (#2919) (James Hodgkinson) #2919
kanidm - .deb Packages

Published by github-actions[bot] 4 months ago

Commits

  • 681080b: Bump certifi from 2023.7.22 to 2024.7.4 in /pykanidm (#2877) (dependabot[bot]) #2877
  • b1480e3: 20240703 htmx (#2870) (Firstyear) #2870
kanidm - .deb Packages

Published by github-actions[bot] 4 months ago

Commits

  • 8ceeed3: Tweaks to make the makefile make things make easier. (James Hodgkinson) #2860
kanidm - v1.2.3

Published by Firstyear 5 months ago

2024-06-04 - Kanidm 1.2.3

In 1.2.0 a bug was discovered where the db_path variable was incorrectly handled.

This update corrects setting the db_path.

kanidm - v1.2.2

Published by Firstyear 5 months ago

2024-05-30 - Kanidm 1.2.2

In 1.2.0 a bug was discovered which prevented the command-line tools from removing session tokens after a logout. This did not affect the logout process; it only prevented removal of the now revoked token.

This update corrects the behaviour, improves output if a corrupted token is detected, and allows local token removal even if the token itself is invalid.

kanidm - v1.2.1

Published by Firstyear 5 months ago

2024-05-18 - Kanidm 1.2.1

In 1.2.0 a bug was discovered where the dynamic groups idm_all_persons and idm_all_accounts were not loaded correctly on restart. This caused users created after the restart to be missing these dynamic groups.

This patch release resolves the loading of these groups and contains an automated fix that triggers all dynamic groups to re-evaluate their members at start up to automatically fix any missing memberships.

We would like to thank @rungmc for their assistance to isolate and resolve this issue.

kanidm - .deb Packages

Published by github-actions[bot] 6 months ago

Commits

  • a67d1f5: Fix broken links in sections (#2737) (Matthew Wilks) #2737
kanidm - v1.2.0

Published by Firstyear 6 months ago

2024-05-01 - Kanidm 1.2.0

This is the first stable release of the Kanidm Identity Management project. We want to thank
everyone in our community who has supported the project to this point with their invaluable
contributions, comments, questions, feedback and support.

Importantly this release makes a number of changes to our project's support processes. You should
review our support documentation
as this may have important effects on your distribution or upgrades in future.

1.2.0 Important Changes

  • On upgrade all OAuth2 sessions and user sessions will be reset due to changes in cryptographic key handling. This does not affect API tokens.
  • There is a maximum limit of 48 interactive sessions for persons where older sessions are automatically removed.

1.2.0 Release Highlights

  • The book now contains a list of supported RFCs and standards
  • Add code challenge methods to OIDC discovery
  • CLI lists authentication methods in security preference order
  • Mark replication as stable for two node usage
  • Automatically conflict and disable nscd and sssd in the unixd resolver
  • Harden unixd resolver against memory inspection
  • Enable unixd hardware TPM support
  • Allow setting resource limits in account policy to raise query limits
  • Reduce logging noise on /status checks
  • Allow /dev/tpmrm0 access on older systemd versions
  • Add an improved migration test framework
  • Create an object graph in the experimental admin ui
  • Add a built-in class for all entries that are system provided
  • Fix uid number range handling with systemd
  • Remodel orca for improved load testing features
  • Upgrade concread with non-blocking read transaction acquisition
  • ldap-sync allows re-use of attributes on entry import
  • Support improved MFA challenge response process in unixd
  • Add support for async tasks in unixd
  • Add improved TPM handling for unixd
  • Migrate cryptographic key handling to an object model with future HSM support
  • Limit maximum active sessions on an account to 48
kanidm - v1.2.0-pre

Published by Firstyear 6 months ago

Staged release for 1.2.0, due to be finalised on 2024-05-01.

Package Rankings
Top 6.75% on Proxy.golang.org
Top 9.24% on Crates.io
Top 15.55% on Pypi.org