#
# COPR Ligenix's spec file for kanidm
#
# Copyright (c) 2026-2026 Jean-Marc Liger
#
# Forked from:
#
# spec file for package kanidm
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
#

ExcludeArch:    %{ix86}

%bcond_without check

%global url https://github.com/kanidm
%global crate kanidm
%global shortversion 1.10.2
%global commit f3dc9ef1f364e2fe5de6a37001de1c56ed6f4f54
#global committag 1
# When committag is defined, build from the pinned commit (snapshot release);
# otherwise build from the tagged release %{shortversion}.
%global commitversion %{?committag:%{commit}}%{?!committag:%{shortversion}}
%global shortcommitversion %{?committag:%(c=%{commit}; echo ${c:0:7})}%{?!committag:%{shortversion}}
%global commitdatestring 2026-05-14 08:16:29 +0200
%global commitdate 20260514
%global commitgit %{?committag:^git%{commitdate}.%(c=%{commit}; echo ${c:0:7})}

Name:           %{crate}
Version:        %{shortversion}%{commitgit}
Release:        1%{?dist}
Summary:        An identity management service and clients
# Main sources are MPL-2.0, rest are rust crate licenses
License:        ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR ISC OR MIT ) AND ( Apache-2.0 OR MIT ) AND ( Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT ) AND ( CC0-1.0 OR Apache-2.0 ) AND ( MIT OR Apache-2.0 OR Zlib ) AND ( Unlicense OR MIT ) AND ( Zlib OR Apache-2.0 OR MIT ) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND ISC AND MIT AND MPL-2.0 AND MPL-2.0+
URL:            %{url}/%{crate}
Source0:        %{url}/%{crate}/archive/refs/tags/%{commitversion}/%{crate}-%{shortcommitversion}.tar.gz
# To create the below sources:
# * git clone %%{url}/%%{crate}.git at the specified commit
# * cargo vendor > %%{crate}-%%{shortcommitversion}-vendor-config.toml
# * tar -pczf %%{crate}-%%{shortcommitversion}-vendor.tar.xz vendor
Source1:        %{crate}-%{shortcommitversion}-vendor.tar.xz
# * mv %%{crate}-%%{shortcommitversion}-vendor-config.toml ..
Source2:        %{crate}-%{shortcommitversion}-vendor-config.toml
# From https://github.com/jcrawfordor/kanidm-fedora/archive/refs/heads/main.tar.gz
Source3:        %{crate}-fedora.tar.xz

BuildRequires:  cargo-rpm-macros >= 26
BuildRequires:  rustc >= 1.93.0
BuildRequires:  cargo
BuildRequires:  clang
BuildRequires:  libselinux-devel
BuildRequires:  libudev-devel
BuildRequires:  pam-devel
BuildRequires:  sqlite-devel
BuildRequires:  tpm2-tss-devel
BuildRequires:  systemd
%{?systemd_requires}

%description
An identity management platform written in rust that supports RADIUS, SSH key
management and more.

%package clients
Summary:        Client tools for interacting with Kanidm
License:        MPL-2.0
Requires:       %{name}%{?_isa} = %{version}-%{release}

%description clients
Client utilities for interacting with kanidm servers.

%package server
Summary:        Kanidm server and related tools
License:        MPL-2.0
Requires:       %{name}-clients%{?_isa} = %{version}-%{release}

%description server
Server for kanidm providing the main authentication and identity service.

%package unixd-clients
Summary:        Client nsswitch/pam/ssh integration for consuming kanidm
License:        MPL-2.0
Requires:       %{name}-clients%{?_isa} = %{version}-%{release}
Requires:       tpm2-tools
Requires:       tpm2-tss

%description unixd-clients
A localhost resolver and libraries that allow a system to resolve posix
identities to a kanidm instance.

%package docs
Summary:        Documentation for Kanidm Administration
License:        MPL-2.0

%description docs
Documentation for using and configuring Kanidm.

%prep
%autosetup -n %{crate}-%{commitversion} -p1 -a1
%cargo_prep -N
# Merge the `cargo vendor` config fragment (Source2) into whichever cargo
# config file %%cargo_prep created, so the offline build resolves crates
# from the vendored sources.
if [ -f .cargo/config.toml ]; then
    # If it exists, append the contents of %%{SOURCE2} to .cargo/config.toml
    cat %{SOURCE2} >> .cargo/config.toml
    echo "Appended %{SOURCE2} to .cargo/config.toml"
else
    # If it does not exist, append the contents of %%{SOURCE2} to .cargo/config
    cat %{SOURCE2} >> .cargo/config
    echo "Appended %{SOURCE2} to .cargo/config"
fi
# Unpack the Fedora platform files (systemd units) from Source3
tar -xf %{SOURCE3}

%build
# Set our build profile, this will autodetect our cpu flags
export KANIDM_BUILD_PROFILE=release_linux
# Show linking info for debugging
# export RUSTC_LOG='rustc_codegen_ssa::back::link=info'
# Dump the target features of this cpu.
rustc --print target-cpus
# Set vergen environment variables from the pinned commit: a release tarball
# carries no git metadata, so vergen is given the date (as YYYY-MM-DD, in UTC)
# and sha explicitly instead of the literal command string.
export VERGEN_GIT_COMMIT_DATE="$(date --utc -d '%{commitdatestring}' +%%Y-%%m-%%d)"
export VERGEN_GIT_SHA="%{commit}"
%{cargo_build} --features=kanidm_unix_int/tpm,kanidm_unix_int/selinux
%{cargo_license_summary}
%{cargo_license} > LICENSE.dependencies
%{cargo_vendor_manifest}
# Normalise git-sourced entries in cargo-vendor.txt from
# "name version (url#hash)" to "name version+githash", dropping any
# build metadata that sits between the version and the hash.
sed 's/\(.*\) (.*#\(.*\))/\1+git\2/' -i cargo-vendor.txt
sed 's/^\([^+]*\)+.*+\([^+]*\)$/\1+\2/' -i cargo-vendor.txt

%install
install -D -d -m 0755 %{buildroot}%{_sysconfdir}
install -D -d -m 0755 %{buildroot}%{_sysconfdir}/zsh_completion.d
install -D -d -m 0755 %{buildroot}%{_sysconfdir}/bash_completion.d
install -D -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}
install -D -d -m 0755 %{buildroot}%{_unitdir}
install -D -d -m 0755 %{buildroot}%{_sbindir}
install -D -d -m 0755 %{buildroot}%{_bindir}
install -D -d -m 0755 %{buildroot}%{_libdir}
install -D -d -m 0755 %{buildroot}/%_lib/security
install -D -d -m 0755 %{buildroot}%{_datadir}/%{name}
install -D -d -m 0755 %{buildroot}%{_datadir}/%{name}/ui/
install -D -d -m 0755 %{buildroot}%{_docdir}/%{name}

install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidmd %{buildroot}%{_sbindir}/kanidmd
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidm %{buildroot}%{_bindir}/kanidm
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidm-unix %{buildroot}%{_sbindir}/kanidm-unix
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidm_ssh_authorizedkeys %{buildroot}%{_sbindir}/kanidm_ssh_authorizedkeys
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidm_ssh_authorizedkeys_direct %{buildroot}%{_sbindir}/kanidm_ssh_authorizedkeys_direct
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidm_unixd %{buildroot}%{_sbindir}/kanidm_unixd
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/kanidm_unixd_tasks %{buildroot}%{_sbindir}/kanidm_unixd_tasks

install -m 0644 %{_builddir}/%{name}-%{version}/target/release/libnss_kanidm.so %{buildroot}%{_libdir}/libnss_kanidm.so.2
install -m 0644 %{_builddir}/%{name}-%{version}/target/release/libpam_kanidm.so %{buildroot}/%_lib/security/pam_kanidm.so

install -m 0644 %{_builddir}/%{name}-%{version}/platform/fedora/kanidmd.service %{buildroot}%{_unitdir}/kanidmd.service
install -m 0644 %{_builddir}/%{name}-%{version}/platform/fedora/kanidm-unixd.service %{buildroot}%{_unitdir}/kanidm-unixd.service
install -m 0644 %{_builddir}/%{name}-%{version}/platform/fedora/kanidm-unixd.service %{buildroot}%{_unitdir}/kanidm-ipa-sync.service
install -m 0644 %{_builddir}/%{name}-%{version}/platform/fedora/kanidm-unixd-tasks.service %{buildroot}%{_unitdir}/kanidm-unixd-tasks.service

install -m 0644 %{_builddir}/%{name}-%{version}/examples/server.toml %{buildroot}%{_sysconfdir}/%{name}/server.toml

install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/_kanidmd %{buildroot}%{_sysconfdir}/zsh_completion.d/_kanidmd
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/_kanidm %{buildroot}%{_sysconfdir}/zsh_completion.d/_kanidm
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/_kanidm_ssh_authorizedkeys_direct %{buildroot}%{_sysconfdir}/zsh_completion.d/_kanidm_ssh_authorizedkeys_direct
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/_kanidm_unix %{buildroot}%{_sysconfdir}/zsh_completion.d/_kanidm_unix
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/_kanidm_ssh_authorizedkeys %{buildroot}%{_sysconfdir}/zsh_completion.d/_kanidm_ssh_authorizedkeys

install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/kanidmd.bash %{buildroot}%{_sysconfdir}/bash_completion.d/kanidmd.sh
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/kanidm.bash %{buildroot}%{_sysconfdir}/bash_completion.d/kanidm.sh
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/kanidm_ssh_authorizedkeys_direct.bash %{buildroot}%{_sysconfdir}/bash_completion.d/kanidm_ssh_authorizedkeys_direct.sh
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/kanidm_unix.bash %{buildroot}%{_sysconfdir}/bash_completion.d/kanidm_unix.sh
install -m 0755 %{_builddir}/%{name}-%{version}/target/release/build/completions/kanidm_ssh_authorizedkeys.bash %{buildroot}%{_sysconfdir}/bash_completion.d/kanidm_ssh_authorizedkeys.sh

cp -r %{_builddir}/%{name}-%{version}/server/core/static %{buildroot}%{_datadir}/%{name}/ui/hpkg
cp -r %{_builddir}/%{name}-%{version}/book/src/ %{buildroot}%{_docdir}/%{name}/

%check
%if %{with check}
# Set vergen environment variables (same values as in %%build)
export VERGEN_GIT_COMMIT_DATE="$(date --utc -d '%{commitdatestring}' +%%Y-%%m-%%d)"
export VERGEN_GIT_SHA="%{commit}"
%cargo_test
%endif

%post server
%systemd_post kanidmd.service

%preun server
%systemd_preun kanidmd.service

%postun server
%systemd_postun_with_restart kanidmd.service

%post unixd-clients
%systemd_post kanidm-unixd.service
%systemd_post kanidm-unixd-tasks.service

%preun unixd-clients
%systemd_preun kanidm-unixd.service
%systemd_preun kanidm-unixd-tasks.service

%postun unixd-clients
%systemd_postun_with_restart kanidm-unixd.service
%systemd_postun_with_restart kanidm-unixd-tasks.service

%files
%license LICENSE.md
%license LICENSE.dependencies
%license cargo-vendor.txt
%doc README.md RELEASE_NOTES.md SECURITY.md
%dir %{_sysconfdir}/zsh_completion.d
%dir %{_sysconfdir}/bash_completion.d

%files clients
%{_bindir}/kanidm
%{_sysconfdir}/zsh_completion.d/_kanidm
%{_sysconfdir}/bash_completion.d/kanidm.sh

%files server
%{_sbindir}/kanidmd
%{_unitdir}/kanidmd.service
%{_unitdir}/kanidm-ipa-sync.service
%dir %{_datadir}/%{name}
%dir %{_datadir}/%{name}/ui
%dir %{_datadir}/%{name}/ui/hpkg
%dir %{_datadir}/%{name}/ui/hpkg/external
%{_datadir}/%{name}/ui/hpkg/*
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/server.toml
%{_sysconfdir}/zsh_completion.d/_kanidmd
%{_sysconfdir}/bash_completion.d/kanidmd.sh

%files unixd-clients
%{_libdir}/libnss_kanidm.so.2
/%{_lib}/security/pam_kanidm.so
%{_sbindir}/kanidm-unix
%{_sbindir}/kanidm_ssh_authorizedkeys
%{_sbindir}/kanidm_ssh_authorizedkeys_direct
%{_sbindir}/kanidm_unixd
%{_sbindir}/kanidm_unixd_tasks
%{_unitdir}/kanidm-unixd.service
%{_unitdir}/kanidm-unixd-tasks.service
%{_sysconfdir}/zsh_completion.d/_kanidm_ssh_authorizedkeys_direct
%{_sysconfdir}/zsh_completion.d/_kanidm_ssh_authorizedkeys
%{_sysconfdir}/zsh_completion.d/_kanidm_unix
%{_sysconfdir}/bash_completion.d/kanidm_ssh_authorizedkeys_direct.sh
%{_sysconfdir}/bash_completion.d/kanidm_ssh_authorizedkeys.sh
%{_sysconfdir}/bash_completion.d/kanidm_unix.sh

%files docs
%doc %{_docdir}/%{name}

%changelog
* Sun May 03 2026 Jean-Marc Liger - 1.10.2-1
- Update to 1.10.2
  . Security - Critical: Any authenticated user is able to modify the
    attributes of any entry they have read permissions over. This is due to
    a logic flaw in modification access control application. Since all
    authenticated users are able to read all groups and group members, any
    authenticated user is able to add themselves to any privileged group,
    resulting in complete compromise of the server's security boundaries.
  . Revert client_id header in JWTs used in OAuth2/OIDC - this is due to
    incorrect behaviour of some OAuth2 clients rejecting content of the
    protected header.
  . Disable OIDC prompt=login - a number of issues were identified in this
    flow that are unable to be trivially fixed until a future release.
  . Remove debug-symbols from release builds to reduce container image sizes.
- Changelog 1.10.1
  . Resolve an incorrect javascript encoding of some fields that prevents new
    Webauthn enrolments from completing
  . Correct incorrect text in TOTP CLI credential updates

* Sun May 03 2026 Jean-Marc Liger - 1.10.0-1
- Initial package based on SUSE and J.B. Crawford Fedora packaging
- Important 1.10.0 Changes:
  . OpenSSL is no longer required as a dependency. All cryptographic paths
    have been replaced by RustCrypto or Rustls using aws-lc-rs.
  . Kanidm-unixd now supports bind mounts as an alternative to symlinks for
    home mapping.
  . Account recovery can be enabled as a feature allowing a user to prove
    knowledge of their own email, and then have a credential reset email sent
    to them.
  . Administrators can also trigger account recovery emails to be sent to
    users.
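Two scriptlet steps in this spec are easy to get wrong and hard to check inside rpmbuild: the `%prep` merge of the `cargo vendor` config fragment into `.cargo/`, and the two `sed` expressions in `%build` that rewrite `cargo-vendor.txt` before it is shipped as `%license`. The script below is an added example, not part of this spec or of the kanidm project: it lifts both steps into functions and runs them over constructed input (the crate names, URLs and hashes are made up, and the temporary checkout directory is created on the fly), so the transformation can be verified on a workstation before a build is submitted.

```shell
#!/bin/sh
# Added example, not part of the spec: reproduces two of its scriptlet steps
# on constructed input so they can be checked outside rpmbuild.
#   1. the %build post-processing of cargo-vendor.txt (the two sed commands)
#   2. the %prep merge of the `cargo vendor` config fragment into .cargo/
set -eu

# Apply the spec's two sed expressions to one cargo-vendor.txt line:
#   "name ver (git-url#hash)"  ->  "name ver+githash"
#   "name ver+meta+githash"    ->  "name ver+githash"   (drop build metadata)
# Registry crates ("name ver") have no "(" or "+" and pass through unchanged.
normalize_vendor_line() {
    printf '%s\n' "$1" \
        | sed 's/\(.*\) (.*#\(.*\))/\1+git\2/' \
        | sed 's/^\([^+]*\)+.*+\([^+]*\)$/\1+\2/'
}

# Mirror the %prep logic: append the vendor config fragment ($2) to
# $1/.cargo/config.toml when %cargo_prep created that file, otherwise to
# the legacy $1/.cargo/config. Prints the path that was written so a caller
# can check which file the offline build will actually read.
merge_cargo_config() {
    if [ -f "$1/.cargo/config.toml" ]; then
        target="$1/.cargo/config.toml"
    else
        target="$1/.cargo/config"
    fi
    cat "$2" >> "$target"
    printf '%s\n' "$target"
}

# Constructed sample manifest lines (names, URLs and hashes are made up).
SAMPLE_VENDOR_LINES='tokio 1.38.0
foo 0.1.0 (https://github.com/example/foo?branch=main#abc1234def)
bar 2.0.0+meta (https://git.example.invalid/bar.git?rev=deadbee#deadbeef)'

# Demo 1: normalise every sample line the way %build does.
printf '%s\n' "$SAMPLE_VENDOR_LINES" | while IFS= read -r line; do
    normalize_vendor_line "$line"
done

# Demo 2: merge a constructed fragment into a throwaway checkout that
# already has .cargo/config.toml, then show the merged file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.cargo"
printf '[net]\noffline = true\n' > "$demo_dir/.cargo/config.toml"
printf '[source.crates-io]\nreplace-with = "vendored-sources"\n' \
    > "$demo_dir/vendor-config.toml"
merged=$(merge_cargo_config "$demo_dir" "$demo_dir/vendor-config.toml")
cat "$merged"
rm -rf "$demo_dir"
```

The second `sed` is what keeps a crate such as `bar 2.0.0+meta` from ending up as `bar 2.0.0+meta+gitdeadbeef`: its greedy `.*` swallows everything between the first and last `+`, so only the version and the git hash survive, which is the shape the shipped `cargo-vendor.txt` is expected to have.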