# Kanidm — Modern Identity Management Built in Rust

> Kanidm is an identity management server written in Rust, designed as a secure and developer-friendly alternative to LDAP and Active Directory. It provides OAuth2, OIDC, LDAP compatibility, UNIX integration, WebAuthn passkey support, and RADIUS authentication in a single self-contained binary.

## Quick Use

```bash
# Run the server with Docker. TLS is mandatory, so /data must already hold
# server.toml plus the certificate chain and key it points to.
docker run -p 8443:8443 -v kanidmd:/data kanidm/server:latest

# Install the CLI tools
cargo install kanidm_tools

# The built-in admin accounts have no usable password until you recover them
docker exec -i -t <container-name> kanidmd recover-account admin -c /data/server.toml

# Log in as the server admin account (idm_admin is the account for managing people, groups and applications)
kanidm login --name admin
```

## Introduction

Kanidm is a modern identity management platform written in Rust that aims to replace legacy LDAP directories and Active Directory for authentication and authorization. It provides a secure-by-default design with built-in support for modern standards such as OAuth2, OIDC, WebAuthn passkeys, and RADIUS, all in a single binary.

## What Kanidm Does

- Manages users, groups, and service accounts through a web UI or CLI
- Provides OAuth2 and OpenID Connect for web application single sign-on
- Offers LDAP compatibility for legacy applications that require directory access
- Supports WebAuthn and passkeys for passwordless authentication
- Integrates with UNIX systems via PAM and NSS for SSH and local login

## Architecture Overview

Kanidm is a single Rust binary (`kanidmd`) containing the identity server, an embedded database, and a web interface. Entries are persisted in an embedded SQLite file, and reads and writes go through an in-memory, copy-on-write (concurrently readable) B-tree cache, so readers never block on writers and a crash cannot leave a partially applied transaction visible. The server exposes a REST API that the web UI and the CLI tools both consume, so every operation passes through the same access controls regardless of client. Authentication flows support OAuth2 authorization code with PKCE, TOTP, WebAuthn, and backup codes. Replication between Kanidm instances uses a pull-based model in which each node pulls changes from its configured partners, which suits multi-site deployments.
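The Quick Use steps above assume a `server.toml` and TLS material already exist in `/data` and stop at logging in. The following script is an added example, not Kanidm's own code: it renders a minimal `server.toml` for a Docker deployment, checks that every key `kanidmd` needs at start-up is present, and wraps the first-run provisioning sequence (recover the built-in accounts, create a group and a person, register an OAuth2 client) in a function. The domain `idm.example.com`, the container name `kanidmd`, the application name `nextcloud`, and the person `alice` are assumptions; the `kanidmd` and `kanidm` commands are the project's documented CLI.

```shell
#!/bin/sh
# Added example (not Kanidm project code). Assumed values: domain idm.example.com,
# data directory /data, container name "kanidmd", application "nextcloud".
set -eu

# Render server.toml. kanidmd refuses to start without tls_chain/tls_key (TLS is
# mandatory), and `domain` must not change after first start because WebAuthn
# credentials are bound to it.
render_server_toml() {
  domain="$1"
  cat <<EOF
bindaddress = "[::]:8443"
ldapbindaddress = "[::]:3636"
db_path = "/data/kanidm.db"
tls_chain = "/data/chain.pem"
tls_key = "/data/key.pem"
domain = "${domain}"
origin = "https://${domain}"
log_level = "info"
# Only enable this behind a reverse proxy you control; otherwise clients can
# spoof the source address recorded in audit logs.
trust_x_forward_for = false
EOF
}

# Check that the rendered config carries every key needed to start the server.
# Returns 0 when all are present, 1 otherwise.
config_has_required_keys() {
  cfg="$1"
  for key in bindaddress db_path tls_chain tls_key domain origin; do
    printf '%s\n' "$cfg" | grep -q "^${key} = " || return 1
  done
  return 0
}

# First-run provisioning. Not executed by default: it needs a running container
# named "kanidmd" and the kanidm CLI configured for https://idm.example.com.
bootstrap_first_app() {
  # The built-in accounts have no usable password until recovered.
  # `admin` administers the server; `idm_admin` administers identities and apps.
  docker exec -i -t kanidmd kanidmd recover-account admin -c /data/server.toml
  docker exec -i -t kanidmd kanidmd recover-account idm_admin -c /data/server.toml

  kanidm login --name idm_admin

  # Least privilege: a dedicated group decides who may use the application.
  kanidm group create nextcloud_users --name idm_admin
  kanidm person create alice "Alice Example" --name idm_admin
  kanidm group add-members nextcloud_users alice --name idm_admin

  # Confidential OAuth2 client; Kanidm enforces PKCE for it by default.
  # Only members of nextcloud_users receive the mapped scopes.
  kanidm system oauth2 create nextcloud "Nextcloud" https://nextcloud.example.com --name idm_admin
  kanidm system oauth2 update-scope-map nextcloud nextcloud_users openid profile email --name idm_admin
  kanidm system oauth2 show-basic-secret nextcloud --name idm_admin
}

# Usage: render and check the config; on a real host, write it to /data/server.toml
# and then call bootstrap_first_app once the container is up.
CONFIG="$(render_server_toml idm.example.com)"
config_has_required_keys "$CONFIG" && echo "server.toml OK"
```

The scope map is the authorization boundary: a person who can authenticate to Kanidm but is not in `nextcloud_users` gets no scopes for that client, so the application sees them as unauthorized rather than merely "logged in".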
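The Architecture Overview says Kanidm's OAuth2 flows are PKCE-enabled but does not show what the client side of such a flow looks like. The script below is an added example, not Kanidm's or any client's own code: it generates a code verifier, derives the S256 challenge, builds the authorization request with `state` and `nonce`, verifies the returned `state`, and exchanges the code while presenting the verifier. The issuer `idm.example.com`, the client id `nextcloud`, the redirect URI, and the `/ui/oauth2` and `/oauth2/token` paths are assumptions; in practice take the endpoints from the per-client discovery document at `https://<issuer>/oauth2/openid/<client>/.well-known/openid-configuration`. The S256 derivation is checked against the RFC 7636 Appendix B test vector so it can be verified offline.

```shell
#!/bin/sh
# Added example (not Kanidm project code): client side of an OAuth2 authorization
# code flow with PKCE against an assumed Kanidm client "nextcloud".
set -eu

ISSUER="https://idm.example.com"                        # assumed
CLIENT_ID="nextcloud"                                    # assumed
REDIRECT_URI="https://nextcloud.example.com/oidc/callback" # assumed

# base64url without padding (RFC 4648 section 5), reading binary from stdin.
b64url() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }

# 48 random bytes become 64 base64url characters, inside the 43..128 range
# that RFC 7636 requires for a code_verifier.
new_code_verifier() { openssl rand 48 | b64url; }

# S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))).
code_challenge_s256() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# Authorization request. `state` ties the callback to this session (CSRF);
# `nonce` ties the ID token to it (replay). Both must be checked on return.
authorize_url() {
  challenge="$1"; state="$2"; nonce="$3"
  printf '%s/ui/oauth2?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&code_challenge=%s&code_challenge_method=S256&state=%s&nonce=%s' \
    "$ISSUER" "$CLIENT_ID" "$REDIRECT_URI" "openid%20profile%20email" \
    "$challenge" "$state" "$nonce"
}

# Compare the state echoed back by the callback with the one we issued.
# Never exchange a code whose state you did not issue for this session.
check_state() { [ "$1" = "$2" ]; }

# Token exchange, presenting the verifier so the server can recompute the
# challenge. Not executed here: it needs a live server and the client secret.
exchange_code() {
  code="$1"; verifier="$2"; client_secret="$3"
  curl -sS -f -u "${CLIENT_ID}:${client_secret}" \
    -d grant_type=authorization_code -d "code=${code}" \
    -d "redirect_uri=${REDIRECT_URI}" -d "code_verifier=${verifier}" \
    "${ISSUER}/oauth2/token"
}

# Usage: a fresh verifier/challenge pair and the resulting authorization URL.
VERIFIER="$(new_code_verifier)"
CHALLENGE="$(code_challenge_s256 "$VERIFIER")"
STATE="$(openssl rand -hex 16)"
NONCE="$(openssl rand -hex 16)"
authorize_url "$CHALLENGE" "$STATE" "$NONCE"; echo

# RFC 7636 Appendix B vector: the challenge for this verifier must be
# E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
code_challenge_s256 "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
```

The verifier never leaves the client until the token request, so an attacker who captures the authorization code from the redirect cannot redeem it; this is why Kanidm enforces PKCE by default even for confidential clients. After the exchange, the ID token's `iss`, `aud`, `exp` and `nonce` still have to be validated against the issuer's published keys before the session is trusted.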
## Self-Hosting & Configuration

- Deploy via Docker or as a standalone binary on Linux
- Configure the TLS certificate chain, key, and domain name in `server.toml`; the domain cannot be changed afterwards without invalidating WebAuthn credentials bound to it
- Register an OAuth2 client for each application needing SSO and map its scopes to a Kanidm group so that only members of that group can use it
- Enable the LDAP gateway (`ldapbindaddress`) for legacy applications that require bind operations; it is read-only and intended for authentication, not for writes
- Use the `kanidm` CLI tools for user provisioning and group management

## Key Features

- Secure by default with mandatory TLS and modern cryptographic defaults
- WebAuthn passkey support enables passwordless login across all integrated services
- UNIX integration via PAM/NSS eliminates the need for a separate LDAP client stack
- Built-in RADIUS server for Wi-Fi and VPN authentication
- Written in Rust for memory safety and high performance under concurrent load

## Comparison with Similar Tools

- **Keycloak** — Java-based, heavier deployment; Kanidm is a single Rust binary with UNIX integration
- **Authentik** — Python/Django stack with a broader UI; Kanidm focuses on security-first design
- **FreeIPA** — LDAP+Kerberos suite; Kanidm offers OAuth2/OIDC natively without Kerberos complexity
- **LLDAP** — Lightweight LDAP server; Kanidm adds OAuth2, WebAuthn, and RADIUS beyond LDAP
- **Zitadel** — Cloud-native Go identity platform; Kanidm is designed for on-premise, UNIX-centric environments

## FAQ

**Q: Can Kanidm replace Active Directory?**
A: For Linux and web-application authentication, yes. Windows domain-joined machines still require AD or Samba for Group Policy and Kerberos ticket integration.

**Q: Does Kanidm support multi-factor authentication?**
A: Yes. Kanidm supports TOTP, WebAuthn security keys, passkeys, and backup codes as second factors.

**Q: How does replication work?**
A: Kanidm replication is pull-based and multi-primary: there is no single primary server. Each node is configured with partners and pulls changes from them, and two nodes can be configured to pull from each other. Because a node only ever initiates outbound connections to its partners, a node behind NAT can replicate without inbound port forwarding.

**Q: Is Kanidm production-ready?**
A: Kanidm is used in production by multiple organizations.
The project follows semantic versioning and provides stable release channels.

## Sources

- https://github.com/kanidm/kanidm
- https://kanidm.github.io/kanidm/stable/

---

Source: https://tokrepo.com/en/workflows/asset-009699d9
Author: AI Open Source