v1.1.0-alpha.12

2023-02-01 - Kanidm 1.1.0-alpha12

This is the twelfth alpha series release of the Kanidm Identity Management project. Alpha releases
are to help get feedback and ideas from the community on how we can continue to make this project
better for a future supported release.

The project is shaping up very nicely, and a beta will be coming soon! The main reason we haven't
done so yet is we haven't decided if we want to commit to the current API layout and freeze it yet.
There are still things we want to change there. Otherwise the server is stable and reliable for
production usage.

Release Highlights

• Allow full server content replication in testing (yes we're finally working on replication!)
• Improve oauth2 to allow scoped members to see RS they can access for UI flows
• Performance improvement by reducing clones
• Track credential uuid used for session authentication in the session
• Remove the legacy webauthn types for newer attributes
• Improve the logo to recurse
• Add privilege separation and re-authentication for time limited access
• Improve builds on windows
• Cleanup source tree layout to make it easier for new contributors
• Improve exit codes of unixd tools
• Restrict valid chars in some string contexts in entries
• Allow configuration of ldap basedn
• Extend oauth2 session lifetimes, add refresh token support
• Improve user experience of credential updates via intent tokens
• Consolidate unix tools
• Add exclusive process lock to daemon
• Allow dns/rdns in ldap search contexts

v1.1.0-alpha.11

2023-02-01 - Kanidm 1.1.0-alpha11

This is the eleventh alpha series release of the Kanidm Identity Management project. Alpha releases are
to help get feedback and ideas from the community on how we can continue to make this project better
for a future supported release.

The project is shaping up very nicely, and a beta will be coming soon! The main reason we haven't done
so yet is we haven't decided if we want to commit to the current API layout and freeze it yet. There
are still things we want to change there. Otherwise the server is stable and reliable.

Release Highlights

• Support /etc/skel home dir templates in kanidm-unixd
• Improve warning messages for openssl when a cryptographic routine is not supported
• Support windows for server tests
• Add a kanidm tools container
• Initial support for live sync/import of users and groups from FreeIPA
• Oauth2 session logout and global logout support
• UI polish based on hint flags to dynamically enable/disable elements
• Oauth2 single sign on application portal
• Support dn=token for ldap client binds
• Trap more signals for daemons
• Mail read permission group
• Oauth2 add a groups claim
• LDAP support for mail primary and alternate address selectors in queries
• Fix handling of virtual attrs with '*' searches in ldap
• Support multiple TOTP on accounts
• Add kanidmd healthcheck for containers
• Improve the access control module to evaluate access in a clearer way
• Allow synced users to correct modify their local sessions

v1.1.0-alpha.10

2022-11-01 - Kanidm 1.1.0-alpha10

This is the tenth alpha series release of the Kanidm Identity Management
project. Alpha releases are to help get feedback and ideas from the community
on how we can continue to make this project better for a future supported release.

The project is shaping up very nicely, and a beta will be coming soon!

Upgrade Note!

This version will require TLS on all servers, even if behind a load balancer or
TLS terminating proxy. You should be ready for this change when you upgrade to the
latest version.

Release Highlights

• Management and tracking of authenticated sessions
• Make upgrade migrations more robust when upgrading over multiple versions
• Add support for service account tokens via ldap for extended read permissions
• Unix password management in web ui for posix accounts
• Support internal dynamic group entries
• Allow selection of name/spn in oidc claims
• Admin UI wireframes and basic elements
• TLS enforced as a requirement for all servers
• Support API service account tokens
• Make name rules stricter due to issues found in production
• Improve Oauth2 PKCE testing
• Add support for new password import hashes
• Allow configuration of trusting x forward for headers
• Components for account permission elevation modes
• Make pam_unix more robust in high latency environments
• Add proc macros for test cases
• Improve authentication requests with cookie/token seperation
• Cleanup of expired authentication sessions
• Improved administration of password badlists

v1.1.0-alpha.9

2022-08-02 - Kanidm 1.1.0-alpha9

This is the ninth alpha series release of the Kanidm Identity Management
project. Alpha releases are to help get feedback and ideas from the community
on how we can continue to make this project better for a future supported release.

The project is shaping up very nicely, and a beta will be coming soon!

Release Highlights

• Inclusion of a Python3 API library
• Improve orca usability
• Improved content security hashes of js/wasm elements
• Performance improvements in builds
• Windows development and service support
• WebUI polish and improvements
• Consent is remembered in oauth2 improving access flows
• Replication changelog foundations
• Compression middleware for static assests to reduce load times
• User on boarding now possible with self service credential reset
• TOTP and Webauthn/Passkey support in self service credential reset
• CTAP2+ support in Webauthn via CLI
• Radius supports EAP TLS identities in addition to EAP PEAP

v1.1.0-alpha.8

2022-05-01 - Kanidm 1.1.0-alpha8

This is the eighth alpha series release of the Kanidm Identity Management
project. Alpha releases are to help get feedback and ideas from the community
on how we can continue to make this project better for a future supported release.

Release Highlights

• Foundations for cryptographic trusted device authentication
• Foundations for new user onboarding and credential reset
• Improve acis for administration of radius secrets
• Simplify initial server setup related to domain naming
• Improve authentication performance during high load
• Developer documentation improvements
• Resolve issues with client tool outputs not being displayed
• Show more errors on api failures
• Extend the features of account person set
• Link pam with pkg-config allowing more portable builds
• Allow self-service email addresses to be delegated
• Highlight that the WebUI is in alpha to prevent confusion
• Remove sync only client paths

v1.1.0-alpha.7

What's Changed

• Added num-enum support for runtime enums by @QnnOkabayashi in #585
• 509 scope mapping by @Firstyear in #586
• Small fixes by @Firstyear in #589
• Update outputs for "group" commands by @yaleman in #591
• Integrated compiled-uuid into kanidmd/src/lib/constants/uuids.rs by @QnnOkabayashi in #593
• updates pam module in docs by @yaleman in #596
• Adding some extra fields to logging on-request by @yaleman in #595
• changing errors to errors by @yaleman in #599
• Fix state parameter to be string by @Firstyear in #602
• Setup for testing webauthn subdomain support by @Firstyear in #598
• updating docs because I wasn't the only one confused 😄 by @yaleman in #606
• 20211010 rfc7662 token introspect by @Firstyear in #607
• 278 603 OIDC implementation by @Firstyear in #608
• Make sure that effective domain actually is descendant of rp_id by @erictapen in #618
• Improve book and errors related to domain name and origin mismatch by @Firstyear in #617
• add logging for oauth2 errors by @yaleman in #620
• adding notes about OIDCRemoteUserClaim to the oauth2 book chapter by @yaleman in #621
• Check before rename for #622 by @yaleman in #624
• Add rinstall file by @Firstyear in #625
• 256 business attributs by @Firstyear in #626
• 20211216 tracing cleanup by @Firstyear in #627
• Temp use env filter by @Firstyear in #628
• Finalise email changes by @Firstyear in #629
• Improve autofocus to oauth2 by @Firstyear in #630
• Pre-release update and cleanup by @Firstyear in #631

New Contributors

• @erictapen made their first contribution in #618

Full Changelog: v1.1.0-alpha.6...v1.1.0-alpha.7

v1.1.0-alpha.6

2021-10-01 - Kanidm 1.1.0-alpha6

This is the sixth alpha series release of the Kanidm Identity Management
project. Alpha releases are to help get feedback and ideas from the community
on how we can continue to make this project better for a future supported release.

It's also a special release as Kanidm has just turned 3 years old! Thank you all
for helping to bring the project this far! 🎉 🦀

Release Highlights

• Support backup codes as MFA in case of lost TOTP/Webauthn
• Dynamic menus on CLI for usernames when multiple sessions exist
• Dynamic menus on CLI for auth factors when choices exist
• Better handle missing resources for web ui elements at server startup
• Add WAL checkpointing to improve disk usage
• Oauth2 user interface flows for simple authorisation scenarioes
• Improve entry memory usage based on valueset rewrite
• Allow online backups to be scheduled and taken
• Reliability improvements for unixd components with missing sockets
• Error message improvements for humans
• Improve client address logging for auditing
• Add strict HTTP resource headers for incoming/outgoing requests
• Replace rustls with openssl for HTTPS endpoint
• Remove auditscope in favour of the new tracing logging subsystem
• Reduce server memory usage with entry tracking improvements
• Improvements to performance with high cache sizes
• Session tokens persist over a session restart

v1.1.0-alpha.3

Release Highlights

• Account "valid from" and "expiry" times.
• Rate limiting and softlocking of account credentials to prevent bruteforcing.
• Foundations of webauthn and multiple credential support.
• Rewrite of json authentication protocol components.
• Unixd will cache "non-existant" items to improve nss/pam latency.

v1.1.0-alpha.2

This is the second alpha series release of the Kanidm Identity Management
project. Alpha releases are to help get feedback and ideas from the community
on how we can continue to make this project better for a future supported release.

Release Highlights

• SIMD key lookups in container builds for datastructures
• Server and Client hardening warnings for running users and file permissions
• Search limits and denial of unindexed searches to prevent denial-of-service
• Dynamic Rounds for PBKDF2 based on CPU performance
• Radius module upgraded to python 3
• On-login PW upgrade, allowing weaker hashes to be re-computed to stronger variants on login.
• Replace actix with tide and async
• Reduction in memory footprint during searches
• Change authentication from cookies to auth-bearer tokens

v1.1.0-alpha

Release Prep (#283)