Kanidm, an open source IDM written in Rust. It ticks the “fits in tiny places” and “needs few resources” boxes and has OAuth2 support, including OpenID Connect Discovery. It also ticks a lot of my security requirements, including full Passkeys support. But, that’s not all! They have read-only LDAP support, so your legacy systems can auth that way. They have a system to handle Unix accounts with a PAM module. You can also use Kani for SSH public key distribution. It’s got service accounts, and each service account can have multiple tokens. Last but not least, they have RADIUS support, so you can use it to authenticate users or devices on the network. It’s honestly a little mind-boggling how many things they support.
Before you get started, keep in mind Kani is still geared towards more technical users. The administration is CLI-only, and the web UI for users is very limited but good enough for what it needs to do. Installation instructions are geared towards running it from containers, but you can build from AUR on Arch Linux or use the scripts in the repo to build Debian packages.
Read the book. It has everything you need. The repository also has some example configurations. I would suggest taking a look at insecure_server.toml and playing around with that locally a bit first, or the quickstart if you’re running with containers.
Once you have the hang of how it all works, then move on to a proper production deployment.
In my case, I don’t have a need for LDAP or the PAM integration to provision Unix accounts. At least, not on my cloud services. In that case, you can disable the anonymous service account:
kanidm service-account validity expire-at anonymous 1970-01-01T00:00:00+00:00 --name idm_admin
Kani mandates TLS everywhere, even between it and your load balancer or proxy. They explain this decision in why TLS. Since that can make experimentation a bit complicated, there is
If you’re running Kani behind a proxy or load balancer, you’ll want to set trust_x_forward_for in your server configuration to true. This ensures Kani can detect the client IP, which affects things like rate limiting. Remember to configure the host running Kani to only accept connections to Kani from the proxy or load balancer.
Back up your database. It uses SQLite internally and has a backup feature to create a copy of the database for you. You can then have your backup tool pick up that copy and store it safely.
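The two points above (trust_x_forward_for and TLS behind a proxy, and scheduled backups) are easy to forget on a fresh deployment, so here is a small pre-deploy lint as an added example. It is not code from the post or from the Kanidm project; the key names (trust_x_forward_for, tls_chain, tls_key, bindaddress and the path under [online_backup]) are assumed from Kanidm's example server.toml, and the two sample configs are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the post or the Kanidm project): lint a Kanidm
# server.toml for the proxy, TLS and backup settings discussed above.
# Key names are assumed from Kanidm's example server.toml; the two sample
# configs at the bottom are constructed.
set -u

# toml_get FILE SECTION KEY -> value of KEY inside [SECTION] ("" = top level),
# with quotes and any trailing comment stripped; prints nothing if absent.
# Line-based parse, which is enough for the flat keys checked here.
toml_get() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec); next }
    sec == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      v = $0
      sub(/^[^=]*=[ \t]*/, "", v)   # drop "key ="
      sub(/[ \t]*#.*$/, "", v)      # drop trailing comment
      gsub(/"/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# check_config FILE -> 0 when every required setting is present, otherwise
# prints each finding and returns 1. The bind address only gets a note: a
# proxy on another host needs a non-loopback bind, so the host firewall,
# not this file, is what limits who can reach Kanidm.
check_config() {
  local f=$1 rc=0 v
  if [ "$(toml_get "$f" "" trust_x_forward_for)" != "true" ]; then
    echo "$f: trust_x_forward_for is not true; behind a proxy Kanidm sees the proxy's address, not the client's (rate limiting and audit suffer)"
    rc=1
  fi
  for k in tls_chain tls_key; do
    [ -n "$(toml_get "$f" "" "$k")" ] || { echo "$f: $k is unset; Kanidm requires TLS even between proxy and server"; rc=1; }
  done
  [ -n "$(toml_get "$f" online_backup path)" ] || { echo "$f: no [online_backup] path; scheduled database backups are off"; rc=1; }
  v=$(toml_get "$f" "" bindaddress)
  case "$v" in
    0.0.0.0:*|"[::]:"*) echo "$f: note: bindaddress $v listens on all interfaces; firewall the host so only the proxy can reach it" ;;
  esac
  return "$rc"
}

# Constructed sample configs: one typical of a quick local test, one hardened.
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat >"$weak" <<'EOF'
bindaddress = "0.0.0.0:8443"
db_path = "/var/lib/kanidm/kanidm.db"
trust_x_forward_for = false
EOF
cat >"$hard" <<'EOF'
bindaddress = "[::]:8443"   # fronted by the proxy; the host firewall limits who can reach it
trust_x_forward_for = true
db_path = "/var/lib/kanidm/kanidm.db"
tls_chain = "/etc/kanidm/chain.pem"
tls_key = "/etc/kanidm/key.pem"
domain = "idm.example.com"
origin = "https://idm.example.com"

[online_backup]
path = "/var/lib/kanidm/backups/"
schedule = "00 22 * * *"
versions = 7
EOF

check_config "$weak" || echo "--> weak config rejected"
check_config "$hard" && echo "--> hardened config passes"
```

Run it against your real server.toml with `check_config /path/to/server.toml` before the first start; the [online_backup] check is there because the post's backup advice only works if the scheduled copy is actually being written somewhere your backup tool collects from.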
Kani is a very tiny but very powerful IDM. You don’t need a separate database or other things like a Redis instance. It has a lot of features and has a very well thought out way of doing everything, including its permission hierarchy.
Kani is about to reach a stable release, so now’s as good a time as any to try it out. It’ll take a bit getting used to, but once you’ve done the setup it works flawlessly.