This hackweek I'll be working on Kanidm, an IDM system written in Rust for modern systems authentication. The GitHub repo has a detailed "getting started" in the README.

Kanidm Github

Specifically, I'll be looking at writing (or at least starting on) PAM/nsswitch clients this hackweek.

Pam nsswitch client issue

For anyone who wants to participate, some good places to start:

I'm happy to help and mentor, so please get in touch!

Looking for hackers with the skills:

authentication security kanidm ldap radius databases rust

This project is part of:

Hack Week 19

Activity

  • about 4 years ago: aplanas liked this project.
  • about 4 years ago: mkamprianis liked this project.
  • about 4 years ago: firstyear started this project.
  • about 4 years ago: firstyear added keyword "authentication" to this project.
  • about 4 years ago: firstyear added keyword "security" to this project.
  • about 4 years ago: firstyear added keyword "kanidm" to this project.
  • about 4 years ago: firstyear added keyword "ldap" to this project.
  • about 4 years ago: firstyear added keyword "radius" to this project.
  • about 4 years ago: firstyear added keyword "databases" to this project.
  • about 4 years ago: firstyear added keyword "rust" to this project.
  • about 4 years ago: firstyear originated this project.

  • Comments

    • mvidner
      about 4 years ago by mvidner

      TIL: IDM = IDentity Management services

    • firstyear
      about 4 years ago by firstyear

      It's now the end of the hackweek, so I think it's worth giving an update on what was achieved.

      Two (very large) PRs were created, at +2,457 -35 and +1,675 -143. This covered a lot of needed functionality, testing and more.

      • Server side generation of unix account and group tokens (blobs of data that represent everything needed for auth/identity to be resolved).
      • Addition of client tools to manage posix extensions to accounts and groups.
      • The creation of a client localhost resolver daemon - think unbound or sssd.
      • Clients that can speak to the localhost daemon via unix domain sockets.
      • A client that gets ssh authorized keys in the format needed for openssh authorized keys command.
      • A nss library that can get uid/gid/name information from the localhost daemon.
      • Client tools to invalidate and clear the localhost daemon cache
      • An end-to-end integration test suite that can test online/offline caching behaviours
      • Handling of many edge cases such as account updates, cache invalidation, deleting groups, etc.

      So this puts us in a great spot for next completing the pam module, and getting this all packaged into https://build.opensuse.org/package/show/home:firstyear:kanidm/kanidm in the coming weeks.

      As a small demo of the success:

      $ id testunix
      uid=3524161420(testunix) gid=3524161420(testunix) groups=3524161420(testunix),2439676479(testgroup)
      $ getent passwd testunix
      testunix:x:3524161420:3524161420:testunix:/home/testunix:/bin/bash
      $ getent group testgroup
      testgroup:x:2439676479:testunix

      This is on openSUSE Tumbleweed with libnss_kanidm.so.2, and the git master with the PRs applied.

