Kanidm is a centralized identity management server designed to handle authentication, authorization, and directory services across distributed infrastructure. It provides a comprehensive framework for managing human and service accounts, utilizing a schema-driven database to store identity records, group memberships, and system attributes. The platform supports a wide range of authentication methods, including passkeys, passwords, and standard protocols like OAuth2, OIDC, LDAP, and RADIUS.
The system distinguishes itself through a granular access control engine that enforces security policies based on user, group, and resource attributes. It incorporates advanced security features such as privilege access mode enforcement, which requires reauthentication for sensitive operations, and high-privilege group tainting to prevent lateral movement. Administrators can delegate management tasks for specific entries or groups, ensuring that permissions remain tightly scoped while maintaining operational flexibility.
Beyond core identity functions, the platform includes robust tools for system maintenance, including automated backup scheduling, database consistency verification, and multi-node replication to ensure high availability. It also provides deep integration with host operating systems through pluggable authentication modules and supports infrastructure access provisioning by managing SSH keys and POSIX attributes.
The project provides a suite of command-line utilities for administrative tasks, session management, and server configuration. Documentation and installation resources are available to guide the deployment of the server and its associated client tools.
