Configs · May 11, 2026 · 3 min read

Kanidm — Modern Identity Management Built in Rust

Kanidm is an identity management server written in Rust, designed as a secure-by-default, developer-friendly alternative to LDAP directories and Active Directory. A single kanidmd binary provides OAuth2 and OpenID Connect, a read-only LDAP compatibility interface, UNIX (PAM/NSS) integration, and WebAuthn passkey support; RADIUS authentication is added through a companion FreeRADIUS integration that authenticates against the Kanidm server.

Introduction

Kanidm is a modern identity management platform written in Rust that aims to replace legacy LDAP directories and Active Directory for authentication and authorization. Its secure-by-default design ships with support for current standards such as OAuth2, OIDC and WebAuthn passkeys in one binary, with RADIUS available through a separate integration.

What Kanidm Does

  • Manages users, groups, and service accounts through a web UI or CLI
  • Provides OAuth2 and OpenID Connect for web application single sign-on
  • Offers a read-only LDAP interface for legacy applications that need directory lookups and simple binds
  • Supports WebAuthn and passkeys for passwordless authentication
  • Integrates with UNIX systems via PAM and NSS for SSH and local login

Architecture Overview

Kanidm is a single Rust binary (kanidmd) containing the identity server, an embedded database, and the web interface. Entries are held in concurrently readable copy-on-write in-memory structures and persisted to an embedded SQLite store, so readers are never blocked by a writer. The server exposes a REST API consumed by the web UI and the kanidm CLI. Authentication flows cover OAuth2 authorization code with PKCE (required for clients unless explicitly disabled), password plus TOTP or a WebAuthn security key, passwordless passkeys, and backup codes. Replication between Kanidm instances is pull-based: each node pulls changes from the peer nodes it is configured with, which suits multi-site deployments where only outbound connections are allowed.
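
The PKCE-protected authorization-code flow mentioned above, as an added example written for this page (it is not Kanidm project code). The host idm.example.com, the client id `nextcloud` and the redirect URI are assumed values; the `/ui/oauth2` and `/oauth2/token` paths follow the layout in the Kanidm documentation and should be confirmed against the discovery document at `/oauth2/openid/<client_id>/.well-known/openid-configuration` on your own server. The block builds the three client-side messages and also shows the check the server performs at the token endpoint, which is why a stolen authorization code is useless without the verifier.

```python
"""OAuth2 authorization-code + PKCE (S256) flow against a Kanidm OIDC client.

Added example, not Kanidm project code. Host, client id and redirect URI
below are assumed; confirm endpoint paths via the server's discovery document.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

IDM_ORIGIN = "https://idm.example.com"                                # assumed
CLIENT_ID = "nextcloud"                                               # assumed client name
REDIRECT_URI = "https://nextcloud.example.com/apps/user_oidc/code"   # assumed
AUTHORIZE_PATH = "/ui/oauth2"       # per Kanidm docs; verify on your server
TOKEN_PATH = "/oauth2/token"        # per Kanidm docs; verify on your server


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str,
                        scopes=("openid", "profile", "email")) -> str:
    """Step 1: redirect the browser here. Only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{IDM_ORIGIN}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back. A state mismatch is a forged or replayed callback."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise RuntimeError("state mismatch")
    return q["code"][0]


def build_token_request(code: str, verifier: str) -> tuple[str, dict]:
    """Step 3: form body for the token endpoint. A public client sends client_id;
    a confidential client would add HTTP Basic auth with its basic secret."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    return f"{IDM_ORIGIN}{TOKEN_PATH}", body


def server_side_pkce_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does when the code is redeemed: recompute
    the challenge from the presented verifier and compare in constant time."""
    try:
        return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
    except ValueError:
        return False


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(verifier, state))
```

The `state` value and the verifier both live only in the client's session; the verifier is never sent until the token request, which is made server-to-server over TLS.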

Self-Hosting & Configuration

  • Deploy via the official container image or as a standalone kanidmd binary on Linux
  • Set the TLS certificate chain, private key, domain and origin in server.toml; the domain becomes the WebAuthn relying-party ID, so changing it later invalidates every enrolled passkey and security key
  • Register an OAuth2 client (called a resource server in older releases) for each application that needs SSO, and map the group allowed to use it to the scopes it may request
  • Enable the LDAP interface with ldapbindaddress for legacy applications; it is read-only and answers simple binds with the account's POSIX password, not the primary password or MFA
  • Use the kanidm CLI for provisioning persons, groups and service accounts

Key Features

  • Secure by default: TLS is mandatory for the HTTPS, LDAP and replication listeners, and PKCE is required for OAuth2 clients unless explicitly disabled
  • WebAuthn passkeys give passwordless login to the web UI and to every OAuth2/OIDC-integrated application; LDAP, RADIUS and UNIX logins use separate per-account credentials because those protocols cannot carry a WebAuthn assertion
  • UNIX integration via the kanidm_unixd PAM/NSS modules removes the need for an sssd or LDAP client stack on each host
  • RADIUS integration (a FreeRADIUS module shipped as a companion container) for Wi-Fi and VPN authentication, using a generated per-account RADIUS secret rather than the user's primary password
  • Written in Rust for memory safety and high performance under concurrent load

Comparison with Similar Tools

  • Keycloak — Java-based, heavier deployment; Kanidm is a single Rust binary with UNIX integration
  • Authentik — Python/Django stack with broader UI; Kanidm focuses on security-first design
  • FreeIPA — LDAP+Kerberos suite; Kanidm offers OAuth2/OIDC natively without Kerberos complexity
  • LLDAP — Lightweight LDAP server; Kanidm adds OAuth2, WebAuthn, and RADIUS beyond LDAP
  • Zitadel — Cloud-native Go identity platform; Kanidm is designed for on-premise UNIX-centric environments

FAQ

Q: Can Kanidm replace Active Directory? A: For Linux and web-application authentication, yes. Windows domain-joined machines still require AD or Samba for Group Policy and Kerberos ticket integration.

Q: Does Kanidm support multi-factor authentication? A: Yes. A password can be paired with TOTP or a WebAuthn security key as a second factor, with backup codes as a recovery fallback. Passkeys are a passwordless primary factor rather than a second factor.

Q: How does replication work? A: Replication is pull-based: each Kanidm server pulls changes from the peer servers listed in its configuration rather than having changes pushed to it, and any server can accept writes. Because the pulling side initiates every connection, a node only needs outbound reachability to its peers, which simplifies firewall rules and NAT traversal.

Q: Is Kanidm production-ready? A: Kanidm is used in production by multiple organizations. The project follows semantic versioning and provides stable release channels.
