2024-11-22 - Kanidm 1.4.3 Patch

• Warn when v2 options are used in v1 unixd config to assist users with features like map_group
• Resolve UI Auth Loop with OAuth2 when an invalid cookie remains in the browser
• Harden transport in pam unixd to handle when a network drops connections quickly
• Improve warning around invalid JWT deserialisation in the server and it's causes
• Update and fix server config files in examples.
• Change CLI oauth2 command from set-display-name to set-displayname for consistency
• Add docs on customising Kanidm
• Correct spelling of occurred
• Optimise the autofocus for logins with passkeys to limit clicks
• Sort login mechs by strength during authentication
• Fix some cookies to persist between browser restarts
• Prevent Invalid MFA Registration States
• Change CSS for applications so SVG scales nicely in Firefox.
• Change OAuth2 handling of OIDC max_age to prevent incorrect deserialisation

2024-11-05 - Kanidm 1.4.2 Patch (Security: Low)

• A flaw in the servers internal database migrations prevented removal of attributes from some access controls. This led to some access controls which should have had permissions removed, being tainted by the state of the older database versions original access control. The most obvious impact of this was on the idm_acp_people_self_name_write which incorrectly retained idm_all_persons as an acp recipient. This meant that removal idm_all_persons from the idm_people_self_name_write group did not have the admins intended affect and users would be able to continue to self-modify name attributes. All other access controls were examined and no other potential issues were found. This patch corrects the migration path to force the value set states to be asserted correctly for access controls, and forces all access controls to be re-migrated to ensure they match their static definitions. This may be considered a security risk in some circumstances which is why we have designated it with low severity.

2024-11-05 - Kanidm 1.4.1 Patch

• Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
• Fix erroneous PAM_CONV_ERR when PAM Service Info field requirements were not met.

2024-11-01 - Kanidm 1.4.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.

Before upgrading you should review
our upgrade documentation

1.4.0 Important Changes

• The web user interface has been rewritten and now supports theming. You will notice that your
  domain displayname is included in a number of locations on upgrade, and that you can set
  your own domain and OAuth2 client icons.
• OAuth2 strict redirect uri is now required. Ensure you have read
  our upgrade documentation.
  and taken the needed steps before upgrading.

1.4.0 Release Highlights

• Improve handling of client timeouts when the server is under high load
• Resolve a minor issue preventing some credential updates from saving
• PAM/NSS unixd now allow non-Kanidm backends - more to come soon
• Mail attributes have substring indexing added
• Access controls for mail servers to read mail attributes
• Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
• Resolve a minor issue in OAuth2 introspection which returned the wrong claim for token_type
• Resolve an issue where memberOf should imply dynamicMemberOf in access controls
• Allow configuration of custom domain icons
• Internal representation of attributes changed to an enum to reduce memory consumption
• Add CreatedAt and ModifiedAt timestamps to entries
• Expose RFC7009 and RFC7662 via OIDC metadata discovery
• Improve pipe handling for CLI tools
• Large techdebt cleanups
• PAM/NSS unixd can provide system users, replacing pam_unix
• Account policy supports LDAP password fallback to main password
• PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
• Resolve a potential issue in replication on upgrade where migrated entries cause a referential
  integrity conflict leading to a forced initialisation
• Display credential reset token expiry time when created on CLI
• Reload certificates and private keys on SIGHUP
• Remove a large number of dependencies that were either not needed or could be streamlined
• SCIM foundations for getting and modifying entries, reference handling, and complex attribute
  display. Much more to come in this space!
• Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
  in the future. Greatly improves user experience as the pages are now very fast to load!

2024-11-05 - Kanidm 1.4.2 Patch (Security: Low)

• A flaw in the servers internal database migrations prevented removal of attributes from some access controls. This led to some access controls which should have had permissions removed, being tainted by the state of the older database versions original access control. The most obvious impact of this was on the idm_acp_people_self_name_write which incorrectly retained idm_all_persons as an acp recipient. This meant that removal idm_all_persons from the idm_people_self_name_write group did not have the admins intended affect and users would be able to continue to self-modify name attributes. All other access controls were examined and no other potential issues were found. This patch corrects the migration path to force the value set states to be asserted correctly for access controls, and forces all access controls to be re-migrated to ensure they match their static definitions. This may be considered a security risk in some circumstances which is why we have designated it with low severity.

2024-11-05 - Kanidm 1.4.1 Patch

• Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
• Fix erroneous PAM_CONV_ERR when PAM Service Info field requirements were not met.

2024-11-01 - Kanidm 1.4.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.

Before upgrading you should review
our upgrade documentation

1.4.0 Important Changes

• The web user interface has been rewritten and now supports theming. You will notice that your
  domain displayname is included in a number of locations on upgrade, and that you can set
  your own domain and OAuth2 client icons.
• OAuth2 strict redirect uri is now required. Ensure you have read
  our upgrade documentation.
  and taken the needed steps before upgrading.

1.4.0 Release Highlights

• Improve handling of client timeouts when the server is under high load
• Resolve a minor issue preventing some credential updates from saving
• PAM/NSS unixd now allow non-Kanidm backends - more to come soon
• Mail attributes have substring indexing added
• Access controls for mail servers to read mail attributes
• Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
• Resolve a minor issue in OAuth2 introspection which returned the wrong claim for token_type
• Resolve an issue where memberOf should imply dynamicMemberOf in access controls
• Allow configuration of custom domain icons
• Internal representation of attributes changed to an enum to reduce memory consumption
• Add CreatedAt and ModifiedAt timestamps to entries
• Expose RFC7009 and RFC7662 via OIDC metadata discovery
• Improve pipe handling for CLI tools
• Large techdebt cleanups
• PAM/NSS unixd can provide system users, replacing pam_unix
• Account policy supports LDAP password fallback to main password
• PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
• Resolve a potential issue in replication on upgrade where migrated entries cause a referential
  integrity conflict leading to a forced initialisation
• Display credential reset token expiry time when created on CLI
• Reload certificates and private keys on SIGHUP
• Remove a large number of dependencies that were either not needed or could be streamlined
• SCIM foundations for getting and modifying entries, reference handling, and complex attribute
  display. Much more to come in this space!
• Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
  in the future. Greatly improves user experience as the pages are now very fast to load!

2024-11-05 - Kanidm 1.4.1 Patch

• Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
• Fix erroneous PAM_CONV_ERR when PAM Service Info field requirements were not met.

2024-11-01 - Kanidm 1.4.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.

Before upgrading you should review
our upgrade documentation

1.4.0 Important Changes

• The web user interface has been rewritten and now supports theming. You will notice that your
  domain displayname is included in a number of locations on upgrade, and that you can set
  your own domain and OAuth2 client icons.
• OAuth2 strict redirect uri is now required. Ensure you have read
  our upgrade documentation.
  and taken the needed steps before upgrading.

1.4.0 Release Highlights

• Improve handling of client timeouts when the server is under high load
• Resolve a minor issue preventing some credential updates from saving
• PAM/NSS unixd now allow non-Kanidm backends - more to come soon
• Mail attributes have substring indexing added
• Access controls for mail servers to read mail attributes
• Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
• Resolve a minor issue in OAuth2 introspection which returned the wrong claim for token_type
• Resolve an issue where memberOf should imply dynamicMemberOf in access controls
• Allow configuration of custom domain icons
• Internal representation of attributes changed to an enum to reduce memory consumption
• Add CreatedAt and ModifiedAt timestamps to entries
• Expose RFC7009 and RFC7662 via OIDC metadata discovery
• Improve pipe handling for CLI tools
• Large techdebt cleanups
• PAM/NSS unixd can provide system users, replacing pam_unix
• Account policy supports LDAP password fallback to main password
• PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
• Resolve a potential issue in replication on upgrade where migrated entries cause a referential
  integrity conflict leading to a forced initialisation
• Display credential reset token expiry time when created on CLI
• Reload certificates and private keys on SIGHUP
• Remove a large number of dependencies that were either not needed or could be streamlined
• SCIM foundations for getting and modifying entries, reference handling, and complex attribute
  display. Much more to come in this space!
• Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
  in the future. Greatly improves user experience as the pages are now very fast to load!

2024-11-01 - Kanidm 1.4.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.

Before upgrading you should review
our upgrade documentation

1.4.0 Important Changes

• The web user interface has been rewritten and now supports theming. You will notice that your
  domain displayname is included in a number of locations on upgrade, and that you can set
  your own domain and OAuth2 client icons.
• OAuth2 strict redirect uri is now required. Ensure you have read
  our upgrade documentation.
  and taken the needed steps before upgrading.

1.4.0 Release Highlights

• Improve handling of client timeouts when the server is under high load
• Resolve a minor issue preventing some credential updates from saving
• PAM/NSS unixd now allow non-Kanidm backends - more to come soon
• Mail attributes have substring indexing added
• Access controls for mail servers to read mail attributes
• Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
• Resolve a minor issue in OAuth2 introspection which returned the wrong claim for token_type
• Resolve an issue where memberOf should imply dynamicMemberOf in access controls
• Allow configuration of custom domain icons
• Internal representation of attributes changed to an enum to reduce memory consumption
• Add CreatedAt and ModifiedAt timestamps to entries
• Expose RFC7009 and RFC7662 via OIDC metadata discovery
• Improve pipe handling for CLI tools
• Large techdebt cleanups
• PAM/NSS unixd can provide system users, replacing pam_unix
• Account policy supports LDAP password fallback to main password
• PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
• Resolve a potential issue in replication on upgrade where migrated entries cause a referential
  integrity conflict leading to a forced initialisation
• Display credential reset token expiry time when created on CLI
• Reload certificates and private keys on SIGHUP
• Remove a large number of dependencies that were either not needed or could be streamlined
• SCIM foundations for getting and modifying entries, reference handling, and complex attribute
  display. Much more to come in this space!
• Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
  in the future. Greatly improves user experience as the pages are now very fast to load!

Commits

• c8b3b62: Cache buster buster (#3091) (James Hodgkinson) #3091

2024-08-20 - Kanidm 1.3.3 Patch

• A required re-index of the database was not correctly executed when upgrading from 1.2.x to 1.3.x. This triggers the re-index to occur on next server restart.
• Substring indexes on mail attributes via ldap matched no entries.

2024-08-10 - Kanidm 1.3.2 Patch (Security)

• Newer versions of Rust/LLVM would optimise-out a call to pam_get_user due to a library using const incorrectly on a pointer. This could result in a username not being set with an invalid fall through condition. In some cases this COULD CAUSE UNAUTHENTICATED system access.
  • Affected versions: 1.3.0 and 1.3.1.
• Reduce logging of client_requests in INFO for unix resolver.
• Security key migrations had an incorrect migration warning displayed.

2024-08-08 - Kanidm 1.3.1 Patch

• Resolve incorrect logic in kanidm cli which prevented valid credential update sessions from being committed

2024-08-07 - Kanidm 1.3.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation
as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.3.0 Important Changes

• New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
  and groups must adhere to these rules. See our upgrade documentation.
  about tools to help you detect and correct affected entries.
• OAuth2 URIs require stricter matching rules to be applied from 1.4.0.
• Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It
  has not been possible to register a new security for more than 1 year. Security Keys are surpassed
  by PassKeys which give a better user experience.
• Kanidm now supports FreeBSD and Illumos in addition to Linux

1.3.0 Release Highlights

• TOTP update user interface improvements
• Improved error messages when a load balancer is failing
• Reduced server log noise to improve event clarity
• Replace jemalloc with mimalloc
• User session storage can optionally use cookies
• Strictly enforce same-version for backup/restore processes
• Allow name self-write to be withheld
• Add support for LDAP Compare operations
• Upgrade Axum HTTP framework to the latest stable
• Reduced memory usage
• Improved update flow when changing from dev to stable server versions
• PIV authentication foundations
• Significant improvements to performance for write and search operations
• Support Illumos
• Begin rewrite of the webui
• OAuth2 allows multiple origins
• Lengthen replication MTLS certificate lifetime
• UNIX daemon allows home paths to be in an external mount folder
• Strict redirect URI enforcement in OAuth2
• Substring indexing for improved search performance

2024-08-10 - Kanidm 1.3.2 Patch (Security)

• Newer versions of Rust/LLVM would optimise-out a call to pam_get_user due to a library using const incorrectly on a pointer. This could result in a username not being set with an invalid fall through condition. In some cases this COULD CAUSE UNAUTHENTICATED system access.
  • Affected versions: 1.3.0 and 1.3.1.
• Reduce logging of client_requests in INFO for unix resolver.
• Security key migrations had an incorrect migration warning displayed.

2024-08-08 - Kanidm 1.3.1 Patch

• Resolve incorrect logic in kanidm cli which prevented valid credential update sessions from being committed

2024-08-07 - Kanidm 1.3.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation
as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.3.0 Important Changes

• New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
  and groups must adhere to these rules. See our upgrade documentation.
  about tools to help you detect and correct affected entries.
• OAuth2 URIs require stricter matching rules to be applied from 1.4.0.
• Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It
  has not been possible to register a new security for more than 1 year. Security Keys are surpassed
  by PassKeys which give a better user experience.
• Kanidm now supports FreeBSD and Illumos in addition to Linux

1.3.0 Release Highlights

• TOTP update user interface improvements
• Improved error messages when a load balancer is failing
• Reduced server log noise to improve event clarity
• Replace jemalloc with mimalloc
• User session storage can optionally use cookies
• Strictly enforce same-version for backup/restore processes
• Allow name self-write to be withheld
• Add support for LDAP Compare operations
• Upgrade Axum HTTP framework to the latest stable
• Reduced memory usage
• Improved update flow when changing from dev to stable server versions
• PIV authentication foundations
• Significant improvements to performance for write and search operations
• Support Illumos
• Begin rewrite of the webui
• OAuth2 allows multiple origins
• Lengthen replication MTLS certificate lifetime
• UNIX daemon allows home paths to be in an external mount folder
• Strict redirect URI enforcement in OAuth2
• Substring indexing for improved search performance

2024-08-08 - Kanidm 1.3.1 Patch

• Resolve incorrect logic in kanidm cli which prevented valid credential update sessions from being committed

2024-08-07 - Kanidm 1.3.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation
as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.3.0 Important Changes

• New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
  and groups must adhere to these rules. See our upgrade documentation.
  about tools to help you detect and correct affected entries.
• OAuth2 URIs require stricter matching rules to be applied from 1.4.0.
• Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It
  has not been possible to register a new security for more than 1 year. Security Keys are surpassed
  by PassKeys which give a better user experience.
• Kanidm now supports FreeBSD and Illumos in addition to Linux

1.3.0 Release Highlights

• TOTP update user interface improvements
• Improved error messages when a load balancer is failing
• Reduced server log noise to improve event clarity
• Replace jemalloc with mimalloc
• User session storage can optionally use cookies
• Strictly enforce same-version for backup/restore processes
• Allow name self-write to be withheld
• Add support for LDAP Compare operations
• Upgrade Axum HTTP framework to the latest stable
• Reduced memory usage
• Improved update flow when changing from dev to stable server versions
• PIV authentication foundations
• Significant improvements to performance for write and search operations
• Support Illumos
• Begin rewrite of the webui
• OAuth2 allows multiple origins
• Lengthen replication MTLS certificate lifetime
• UNIX daemon allows home paths to be in an external mount folder
• Strict redirect URI enforcement in OAuth2
• Substring indexing for improved search performance

2024-08-07 - Kanidm 1.3.0

This is the latest stable release of the Kanidm Identity Management project. Every release is
the combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our
support documentation
as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.3.0 Important Changes

• New GID number constraints are now enforced in this version. To upgrade from 1.2.0 all accounts
  and groups must adhere to these rules. See [our upgrade documentation].
  about tools to help you detect and correct affected entries.
• OAuth2 URIs require stricter matching rules to be applied from 1.4.0.
• Security Keys will be removed as a second factor alternative to TOTP from accounts in 1.4.0. It
  has not been possible to register a new security for more than 1 year. Security Keys are surpassed
  by PassKeys which give a better user experience.
• Kanidm now supports FreeBSD and Illumos in addition to Linux

1.3.0 Release Highlights

• TOTP update user interface improvements
• Improved error messages when a load balancer is failing
• Reduced server log noise to improve event clarity
• Replace jemalloc with mimalloc
• User session storage can optionally use cookies
• Strictly enforce same-version for backup/restore processes
• Allow name self-write to be withheld
• Add support for LDAP Compare operations
• Upgrade Axum HTTP framework to the latest stable
• Reduced memory usage
• Improved update flow when changing from dev to stable server versions
• PIV authentication foundations
• Significant improvements to performance for write and search operations
• Support Illumos
• Begin rewrite of the webui
• OAuth2 allows multiple origins
• Lengthen replication MTLS certificate lifetime
• UNIX daemon allows home paths to be in an external mount folder
• Strict redirect URI enforcement in OAuth2
• Substring indexing for improved search performance

2024-06-04 - Kanidm 1.2.3

In 1.2.0 a bug was discovered where the db_path variable was incorrectly handled.

This update corrects setting the db_path.