Releases: kanidm/kanidm
v1.6.3
2025-05-14 - Kanidm 1.6.3 Patch
- Resolve an issue where some legacy configurations would not parse due to incorrect version parsing
- Unixd - Resolve a potential race/stall condition when the tasks daemon is busy processing files, causing home directories to not be created.
- Resolve environment-only configuration by not specifying the config path in the container
- Allow importing of SSHA variants from LDAP servers with different salt lengths
- Resolve a flaw in SSH public key parsing when trailing whitespace exists and no comment is present on the key
- Clarify how IPs are handled with the new trust x-forward-for and proxyv2 configurations
- Allow CIDR ranges in the trust x-forward-for and proxyv2 configurations
- Reduce replication logging verbosity.
2025-05-08 - Kanidm 1.6.2 Patch
- Resolve an issue with parsing some replication certificates on startup
- Assert JWKS order to ensure the latest key is first for some OIDC client applications
- Resolve an issue where the OAuth2 KeyID that was used for signing was not the same KeyID as used for lookup in verification
2025-05-08 - Kanidm 1.6.1 Patch
- Resolve a major issue where on startup OAuth2 clients were not loaded due to a flaw in startup event ordering.
2025-05-01 - Kanidm 1.6.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.
You should review our support documentation as this may have important effects on your distribution or upgrades in future.
Before upgrading you should review our upgrade documentation.
1.6.0 Important Changes
- The kanidmd server configuration now supports versions. You should review the example server configuration and update to version = "2".
1.6.0 Release Highlights
- Drop fernet in favour of JWE for OAuth2 tokens (#3577)
- Allow spaces in ssh key comments
- Support HAProxy PROXY protocol v2 (#3542)
- Preserve ssh key content on form validation error (#3574)
- Harden pam unix resolver to prevent a token update race (#3553)
- Improve db klock handling (#3551)
- Unix pam unix config parser (#3533)
- Improve handling of systemd notify (#3540)
- Allow versioning of server configs (#3515)
- Remove the protected plugin in favour of access framework (#3504)
- Add max_ber_size to freeipa sync tool (#3530)
- Make schema indexing a boolean rather than index type (#3517)
- Add set-description to group cli (#3511)
- pam kanidm now acts as a pam unix replacement (#3501)
- Support rfc2307 in ldap import/sync (#3466)
- Handle incorrect OAuth2 clients that ignore response modes (#3467)
- Improve idx validation performance (#3459)
- Improve migration and bootstrapper (#3432)
- Reduce size of docker container (#3452)
- Add limits to maximum queryable ldap attributes (#3431)
- Accept more formats of ldap pwd hashes (#3444, #3458)
- TOTP Label validation (#3419)
- Harden denied names against accidental lockouts (#3429)
- OAuth2 supports redirect URIs with query parameters (#3422)
v1.5.0
2025-02-09 - Kanidm 1.5.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.
You should review our support documentation as this may have important effects on your distribution or upgrades in future.
Before upgrading you should review our upgrade documentation.
1.5.0 Important Changes
- There have been a lot of tweaks to how cookies are handled in this release; if you're having issues with the login flow, please clear all cookies as an initial troubleshooting step.
1.5.0 Release Highlights
- Many updates to the UI!
- SSH Keys in Credentials Update (#3027)
- Improved error message when PassKey is missing PIN (mainly for Firefox) (#3403)
- Fix the password reset form and possible resolver issue (#3398)
- Fixed unrecoverable error page doesn't include logo or domain name (#3352)
- Add support for prefers-color-scheme using Bootstrap classes. Dark mode! (#3327)
- Automatically trigger passkeys on login view (#3307)
- Two new operating systems!
- Many SCIM-related improvements
- OAuth2 Things
- Allowing SPN query with non-SPN structured data in LDAP (#3400)
- Correctly return that uuid2spn changed on domain rename (#3402)
- RADIUS startup fixing (#3388)
- Repaired systemd reload notifications (#3355)
- Add ssh_publickeys as a claim for OAuth2 (#3346)
- Allow modification of password minimum length (#3345)
- PAM on Debian, enable use_first_pass by default (#3326)
- Allow opt-in of easter eggs (#3308)
- Allow resetting account policy values to defaults (#3306)
- Ignore system users for UPG synthesisation (#3297)
- Allow group managers to modify entry-managed-by (#3272)
And many more!
v1.4.6
2024-01-24 - Kanidm 1.4.6 Patch
- Resolve an issue with cookie clearing due to incorrect domain
- Rename TOTP to be more accessible in login flow
- Deny anonymous in oauth2 read access, which may affect deployments that assigned scope maps to idm_all_accounts
- Resolve issue where account password min length couldn't be set on system protected objects
- UI updates to rename so values and remove dead js.
2024-12-21 - Kanidm 1.4.5 Patch
- Upgrade fido-mds-tool (again) to support latest FIDO (undocumented) MDS format
- Add CORS headers to jwks and userinfo
- Autofill password/totp during reauth flows
- Use specific errors for intent token revoked
- Limit OAuth2 resumption to session cookies
- Ignore system users for UPG synthesisation
- SCIM Sync Missing Annotation
- SCIM Sync Incorrect member name in groups
- Allow resetting account policy values to defaults
- Improve Cookie Removal due to axum cookie limits
- Re-add enrol another device flow
- Automatically trigger passkeys on login view
- Further SCIM sync testing, minor fixes
- nss/pam resolver should reauth faster
2024-12-03 - Kanidm 1.4.4 Patch
- Resolve replication partner DNS each connection rather than once at startup
- Work around possible systemd race condition with reloads
- Clear invalid tokens from unixd resolver
- Improve handling of oauth2 loopbacks for some client applications
- Display domain display name on login forms
- Display account_id in success/failure messages of unixd during auth
- Fix v2/v1 assistance to allow none groups.
- Upgrade fido-mds-tool to support latest FIDO (undocumented) MDS format
2024-11-22 - Kanidm 1.4.3 Patch
- Warn when v2 options are used in v1 unixd config to assist users with features like map_group
- Resolve UI Auth Loop with OAuth2 when an invalid cookie remains in the browser
- Harden transport in pam unixd to handle when a network drops connections quickly
- Improve warning around invalid JWT deserialisation in the server and its causes
- Update and fix server config files in examples.
- Change CLI oauth2 command from set-display-name to set-displayname for consistency
- Add docs on customising Kanidm
- Correct spelling of occurred
- Optimise the autofocus for logins with passkeys to limit clicks
- Sort login mechs by strength during authentication
- Fix some cookies to persist between browser restarts
- Prevent Invalid MFA Registration States
- Change CSS for applications so SVG scales nicely in Firefox.
- Change OAuth2 handling of OIDC max_age to prevent incorrect deserialisation
2024-11-05 - Kanidm 1.4.2 Patch (Security: Low)
- A flaw in the server's internal database migrations prevented removal of attributes from some access controls. This led to some access controls which should have had permissions removed being tainted by the state of the older database version's original access control. The most obvious impact of this was on idm_acp_people_self_name_write, which incorrectly retained idm_all_persons as an acp recipient. This meant that removal of idm_all_persons from the idm_people_self_name_write group did not have the admin's intended effect, and users would be able to continue to self-modify name attributes. All other access controls were examined and no other potential issues were found. This patch corrects the migration path to force the value set states to be asserted correctly for access controls, and forces all access controls to be re-migrated to ensure they match their static definitions. This may be considered a security risk in some circumstances, which is why we have designated it with low severity.
2024-11-05 - Kanidm 1.4.1 Patch
- Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
- Fix erroneous PAM_CONV_ERR when PAM Service Info field requirements were not met.
2024-11-01 - Kanidm 1.4.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.
You should review our support documentation as this may have important effects on your distribution or upgrades in future.
Before upgrading you should review our upgrade documentation.
1.4.0 Important Changes
- The web user interface has been rewritten and now supports theming. You will notice that your domain displayname is included in a number of locations on upgrade, and that you can set your own domain and OAuth2 client icons.
- OAuth2 strict redirect uri is now required. Ensure you have read our upgrade documentation and taken the needed steps before upgrading.
1.4.0 Release Highlights
- Improve handling of client timeouts when the server is under high load
- Resolve a minor issue preventing some credential updates from saving
- PAM/NSS unixd now allow non-Kanidm backends - more to come soon
- Mail attributes have substring indexing added
- Access controls for mail servers to read mail attributes
- Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
- Resolve a minor issue in OAuth2 introspection which returned the wrong claim for token_type
- Resolve an issue where memberOf should imply dynamicMemberOf in access controls
- Allow configuration of custom domain icons
- Internal representation of attributes changed to an enum to reduce memory consumption
- Add CreatedAt and ModifiedAt timestamps to entries
- Expose RFC7009 and RFC7662 via OIDC metadata discovery
- Improve pipe handling for CLI tools
- Large techdebt cleanups
- PAM/NSS unixd can provide system users, replacing pam_unix
- Account policy supports LDAP password fallback to main password
- PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
- Resolve a potential issue in replication on upgrade where migrated entries cause a referential integrity conflict leading to a forced initialisation
- Display credential reset token expiry time when created on CLI
- Reload certificates and private keys on SIGHUP
- Remove a large number of dependencies that were either not needed or could be streamlined
- SCIM foundations for getting and modifying entries, reference handling, and complex attribute display. Much more to come in this space!
- Rewrite the entire web frontend to be simpler and faster, allowing more features to be added in the future. Greatly improves user experience as the pages are now very fast to load!
v1.4.5
2024-12-21 - Kanidm 1.4.5 Patch
- Upgrade fido-mds-tool (again) to support latest FIDO (undocumented) MDS format
- Add CORS headers to jwks and userinfo
- Autofill password/totp during reauth flows
- Use specific errors for intent token revoked
- Limit OAuth2 resumption to session cookies
- Ignore system users for UPG synthesiseation
- SCIM Sync Missing Annotation
- SCIM Sync Incorrect member name in groups
- Allow reseting account policy values to defaults
- Improve Cookie Removal due to axum cookie limits
- Re-add enrol another device flow
- Automatically trigger passkeys on login view
- Further SCIM sync testing, minor fixes
- nss/pam resolver should reauth faster
2024-12-03 - Kanidm 1.4.4 Patch
- Resolve replication partner DNS each connection rather than once at startup
- Work around possible systemd race condition with reloads
- Clear invalid tokens from unixd resolver
- Improve handling of oauth2 loopbacks for some client applications
- Display domain display name on login forms
- Display account_id in success/failure messages of unixd during auth
- Fix v2/v1 assistance to allow none groups.
- Upgrade fido-mds-tool to support latest FIDO (undocumented) MDS format
2024-11-22 - Kanidm 1.4.3 Patch
- Warn when v2 options are used in v1 unixd config to assist users with features like
map_group
- Resolve UI Auth Loop with OAuth2 when an invalid cookie remains in the browser
- Harden transport in pam unixd to handle when a network drops connections quickly
- Improve warning around invalid JWT deserialisation in the server and it's causes
- Update and fix server config files in examples.
- Change CLI oauth2 command from set-display-name to set-displayname for consistency
- Add docs on customising Kanidm
- Correct spelling of occurred
- Optimise the autofocus for logins with passkeys to limit clicks
- Sort login mechs by strength during authentication
- Fix some cookies to persist between browser restarts
- Prevent Invalid MFA Registration States
- Change CSS for applications so SVG scales nicely in Firefox.
- Change OAuth2 handling of OIDC max_age to prevent incorrect deserialisation
2024-11-05 - Kanidm 1.4.2 Patch (Security: Low)
- A flaw in the servers internal database migrations prevented removal of attributes from some access controls. This led to some access controls which should have had permissions removed, being tainted by the state of the older database versions original access control. The most obvious impact of this was on the
idm_acp_people_self_name_write
which incorrectly retainedidm_all_persons
as an acp recipient. This meant that removalidm_all_persons
from theidm_people_self_name_write
group did not have the admins intended affect and users would be able to continue to self-modify name attributes. All other access controls were examined and no other potential issues were found. This patch corrects the migration path to force the value set states to be asserted correctly for access controls, and forces all access controls to be re-migrated to ensure they match their static definitions. This may be considered a security risk in some circumstances which is why we have designated it with low severity.
2024-11-05 - Kanidm 1.4.1 Patch
- Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
- Fix erroneous
PAM_CONV_ERR
when PAM Service Info field requirements were not met.
2024-11-01 - Kanidm 1.4.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.
You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.
Before upgrading you should review
our upgrade documentation
1.4.0 Important Changes
- The web user interface has been rewritten and now supports theming. You will notice that your
domain displayname is included in a number of locations on upgrade, and that you can set
your own domain and OAuth2 client icons. - OAuth2 strict redirect uri is now required. Ensure you have read
our upgrade documentation.
and taken the needed steps before upgrading.
1.4.0 Release Highlights
- Improve handling of client timeouts when the server is under high load
- Resolve a minor issue preventing some credential updates from saving
- PAM/NSS unixd now allow non-Kanidm backends - more to come soon
- Mail attributes have substring indexing added
- Access controls for mail servers to read mail attributes
- Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
- Resolve a minor issue in OAuth2 introspection which returned the wrong claim for
token_type
- Resolve an issue where memberOf should imply dynamicMemberOf in access controls
- Allow configuration of custom domain icons
- Internal representation of attributes changed to an enum to reduce memory consumption
- Add CreatedAt and ModifiedAt timestamps to entries
- Expose RFC7009 and RFC7662 via OIDC metadata discovery
- Improve pipe handling for CLI tools
- Large techdebt cleanups
- PAM/NSS unixd can provide system users, replacing
pam_unix
- Account policy supports LDAP password fallback to main password
- PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
- Resolve a potential issue in replication on upgrade where migrated entries cause a referential
integrity conflict leading to a forced initialisation - Display credential reset token expiry time when created on CLI
- Reload certificates and private keys on SIGHUP
- Remove a large number of dependencies that were either not needed or could be streamlined
- SCIM foundations for getting and modifying entries, reference handling, and complex attribute
display. Much more to come in this space! - Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
in the future. Greatly improves user experience as the pages are now very fast to load!
v1.4.4
2024-12-03 - Kanidm 1.4.4 Patch
- Resolve replication partner DNS each connection rather than once at startup
- Work around possible systemd race condition with reloads
- Clear invalid tokens from unixd resolver
- Improve handling of oauth2 loopbacks for some client applications
- Display domain display name on login forms
- Display account_id in success/failure messages of unixd during auth
- Fix v2/v1 assistance to allow none groups.
- Upgrade fido-mds-tool to support latest FIDO (undocumented) MDS format
2024-11-22 - Kanidm 1.4.3 Patch
- Warn when v2 options are used in v1 unixd config to assist users with features like
map_group
- Resolve UI Auth Loop with OAuth2 when an invalid cookie remains in the browser
- Harden transport in pam unixd to handle when a network drops connections quickly
- Improve warning around invalid JWT deserialisation in the server and it's causes
- Update and fix server config files in examples.
- Change CLI oauth2 command from set-display-name to set-displayname for consistency
- Add docs on customising Kanidm
- Correct spelling of occurred
- Optimise the autofocus for logins with passkeys to limit clicks
- Sort login mechs by strength during authentication
- Fix some cookies to persist between browser restarts
- Prevent Invalid MFA Registration States
- Change CSS for applications so SVG scales nicely in Firefox.
- Change OAuth2 handling of OIDC max_age to prevent incorrect deserialisation
2024-11-05 - Kanidm 1.4.2 Patch (Security: Low)
- A flaw in the servers internal database migrations prevented removal of attributes from some access controls. This led to some access controls which should have had permissions removed, being tainted by the state of the older database versions original access control. The most obvious impact of this was on the
idm_acp_people_self_name_write
which incorrectly retainedidm_all_persons
as an acp recipient. This meant that removalidm_all_persons
from theidm_people_self_name_write
group did not have the admins intended affect and users would be able to continue to self-modify name attributes. All other access controls were examined and no other potential issues were found. This patch corrects the migration path to force the value set states to be asserted correctly for access controls, and forces all access controls to be re-migrated to ensure they match their static definitions. This may be considered a security risk in some circumstances which is why we have designated it with low severity.
2024-11-05 - Kanidm 1.4.1 Patch
- Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
- Fix erroneous
PAM_CONV_ERR
when PAM Service Info field requirements were not met.
2024-11-01 - Kanidm 1.4.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.
You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.
Before upgrading you should review
our upgrade documentation
1.4.0 Important Changes
- The web user interface has been rewritten and now supports theming. You will notice that your
domain displayname is included in a number of locations on upgrade, and that you can set
your own domain and OAuth2 client icons. - OAuth2 strict redirect uri is now required. Ensure you have read
our upgrade documentation.
and taken the needed steps before upgrading.
1.4.0 Release Highlights
- Improve handling of client timeouts when the server is under high load
- Resolve a minor issue preventing some credential updates from saving
- PAM/NSS unixd now allow non-Kanidm backends - more to come soon
- Mail attributes have substring indexing added
- Access controls for mail servers to read mail attributes
- Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
- Resolve a minor issue in OAuth2 introspection which returned the wrong claim for
token_type
- Resolve an issue where memberOf should imply dynamicMemberOf in access controls
- Allow configuration of custom domain icons
- Internal representation of attributes changed to an enum to reduce memory consumption
- Add CreatedAt and ModifiedAt timestamps to entries
- Expose RFC7009 and RFC7662 via OIDC metadata discovery
- Improve pipe handling for CLI tools
- Large techdebt cleanups
- PAM/NSS unixd can provide system users, replacing
pam_unix
- Account policy supports LDAP password fallback to main password
- PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
- Resolve a potential issue in replication on upgrade where migrated entries cause a referential
integrity conflict leading to a forced initialisation - Display credential reset token expiry time when created on CLI
- Reload certificates and private keys on SIGHUP
- Remove a large number of dependencies that were either not needed or could be streamlined
- SCIM foundations for getting and modifying entries, reference handling, and complex attribute
display. Much more to come in this space! - Rewrite the entire web frontend to be simpler and faster, allowing more features to be added
in the future. Greatly improves user experience as the pages are now very fast to load!
v1.4.3
2024-11-22 - Kanidm 1.4.3 Patch
- Warn when v2 options are used in v1 unixd config to assist users with features like
map_group
- Resolve UI Auth Loop with OAuth2 when an invalid cookie remains in the browser
- Harden transport in pam unixd to handle when a network drops connections quickly
- Improve warning around invalid JWT deserialisation in the server and it's causes
- Update and fix server config files in examples.
- Change CLI oauth2 command from set-display-name to set-displayname for consistency
- Add docs on customising Kanidm
- Correct spelling of occurred
- Optimise the autofocus for logins with passkeys to limit clicks
- Sort login mechs by strength during authentication
- Fix some cookies to persist between browser restarts
- Prevent Invalid MFA Registration States
- Change CSS for applications so SVG scales nicely in Firefox.
- Change OAuth2 handling of OIDC max_age to prevent incorrect deserialisation
2024-11-05 - Kanidm 1.4.2 Patch (Security: Low)
- A flaw in the servers internal database migrations prevented removal of attributes from some access controls. This led to some access controls which should have had permissions removed, being tainted by the state of the older database versions original access control. The most obvious impact of this was on the
idm_acp_people_self_name_write
which incorrectly retainedidm_all_persons
as an acp recipient. This meant that removalidm_all_persons
from theidm_people_self_name_write
group did not have the admins intended affect and users would be able to continue to self-modify name attributes. All other access controls were examined and no other potential issues were found. This patch corrects the migration path to force the value set states to be asserted correctly for access controls, and forces all access controls to be re-migrated to ensure they match their static definitions. This may be considered a security risk in some circumstances which is why we have designated it with low severity.
2024-11-05 - Kanidm 1.4.1 Patch
- Resolve incorrect CSP header definition that prevented TOTP entry in some cases.
- Fix erroneous
PAM_CONV_ERR
when PAM Service Info field requirements were not met.
2024-11-01 - Kanidm 1.4.0
This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.
You should review our
support documentation as this
may have important effects on your distribution or upgrades in future.
Before upgrading you should review
our upgrade documentation
1.4.0 Important Changes
- The web user interface has been rewritten and now supports theming. You will notice that your
domain displayname is included in a number of locations on upgrade, and that you can set
your own domain and OAuth2 client icons. - OAuth2 strict redirect uri is now required. Ensure you have read
our upgrade documentation.
and taken the needed steps before upgrading.
1.4.0 Release Highlights
- Improve handling of client timeouts when the server is under high load
- Resolve a minor issue preventing some credential updates from saving
- PAM/NSS unixd now allow non-Kanidm backends - more to come soon
- Mail attributes have substring indexing added
- Access controls for mail servers to read mail attributes
- Admin CLI tools support instance profiles allowing admin of multiple sites to be easier
- Resolve a minor issue in OAuth2 introspection which returned the wrong claim for
token_type
- Resolve an issue where memberOf should imply dynamicMemberOf in access controls
- Allow configuration of custom domain icons
- Internal representation of attributes changed to an enum to reduce memory consumption
- Add CreatedAt and ModifiedAt timestamps to entries
- Expose RFC7009 and RFC7662 via OIDC metadata discovery
- Improve pipe handling for CLI tools
- Large techdebt cleanups
- PAM/NSS unixd can provide system users, replacing `pam_unix`
- Account policy supports LDAP password fallback to main password
- PAM/NSS unixd can extend a system group with members from remote sources (such as Kanidm)
- Resolve a potential issue in replication on upgrade where migrated entries cause a referential integrity conflict leading to a forced initialisation
- Display credential reset token expiry time when created on CLI
- Reload certificates and private keys on SIGHUP
- Remove a large number of dependencies that were either not needed or could be streamlined
- SCIM foundations for getting and modifying entries, reference handling, and complex attribute display. Much more to come in this space!
- Rewrite the entire web frontend to be simpler and faster, allowing more features to be added in the future. Greatly improves user experience as the pages are now very fast to load!