This hackweek I'll be working on Kanidm, an IDM system written in Rust for modern systems authentication. The GitHub repo has a detailed "getting started" in the README.

Kanidm Github

Specifically, I'll be looking at writing (or starting on) PAM/nsswitch clients this hackweek.

Pam nsswitch client issue

For anyone who wants to participate, some good places to start:

I'm happy to help and mentor, so please get in touch!

Looking for hackers with the skills:

authentication security kanidm ldap radius databases rust

This project is part of:

Hack Week 19

Activity

  • 4 months ago: firstyear started Kanidm: A safe and modern IDM system

    Comments

    • mvidner
      4 months ago by mvidner

      TIL: IDM = IDentity Management services

    • firstyear
      3 months ago by firstyear

      It's now the end of the hackweek, so I think it's worth giving an update on what was achieved.

      Two (very large) PRs were created, at +2,457 -35 and +1,675 -143. This covered a lot of needed functionality, testing and more.

      • Server side generation of unix account and group tokens (blobs of data that represent everything needed for auth/identity to be resolved).
      • Addition of client tools to manage posix extensions to accounts and groups.
      • The creation of a client localhost resolver daemon - think unbound or sssd.
      • Clients that can speak to the localhost daemon via unix domain sockets.
      • A client that gets ssh authorized keys in the format needed for openssh authorized keys command.
      • An nss library that can get uid/gid/name information from the localhost daemon.
      • Client tools to invalidate and clear the localhost daemon cache.
      • An end-to-end integration test suite that can test online/offline caching behaviours.
      • Handling of many edge cases such as account updates, cache invalidation, deleting groups, etc.

      So this puts us in a great spot for completing the pam module next, and getting this all packaged into https://build.opensuse.org/package/show/home:firstyear:kanidm/kanidm in the coming weeks.

      As a small demo of the success:

          id testunix
          uid=3524161420(testunix) gid=3524161420(testunix) groups=3524161420(testunix),2439676479(testgroup)
          getent passwd testunix
          testunix:x:3524161420:3524161420:testunix:/home/testunix:/bin/bash
          getent group testgroup
          testgroup:x:2439676479:testunix

      This is on openSUSE Tumbleweed with libnss_kanidm.so.2, and the git master with the PRs applied.

    • firstyear
      3 months ago by firstyear

      These are the related PRs:

      https://github.com/kanidm/kanidm/commit/d063d358ad958598777e27d8cb619936d736cf95

      https://github.com/kanidm/kanidm/pull/185
