praveen-x / kanidm

This project forked from kanidm/kanidm

Kanidm: A simple, secure and fast identity management platform

License: Mozilla Public License 2.0

Shell 0.69% JavaScript 1.19% Python 1.63% Rust 95.77% Elixir 0.03% PowerShell 0.08% CSS 0.12% Makefile 0.35% Dockerfile 0.14%

kanidm's Introduction

Kanidm - Simple and Secure Identity Management

About

Kanidm is a simple and secure identity management platform, which provides services that other systems and applications can authenticate against. The project aims for the highest levels of reliability, security and ease of use.

The goal of this project is to be a complete identity management provider, covering the broadest possible set of requirements and integrations. You should not need any other components (like Keycloak) when you use Kanidm. We want to create a project that will be suitable for everything from personal home deployments, to the largest enterprise needs.

To achieve this we rely heavily on strict defaults, simple configuration, and self-healing components.

The project is still growing and some areas are developing at a fast pace. The core of the server, however, is reliable, and we make every effort to ensure upgrades will always work.

Kanidm supports:

  • OAuth2/OIDC authentication provider for web SSO
  • Read-only LDAPS gateway
  • Linux/Unix integration (with offline authentication)
  • SSH key distribution to Linux/Unix systems
  • RADIUS for network authentication
  • Passkeys / WebAuthn for secure cryptographic authentication
  • A self-service web UI
  • Complete CLI tooling for administration

If you want to host your own centralised authentication service, then Kanidm is for you!

Documentation / Getting Started / Install

If you want to deploy Kanidm to see what it can do, you should read the Kanidm book.

We also publish support guidelines for what the project will support.

Code of Conduct / Ethics

See our code of conduct

See our documentation on rights and ethics

Getting in Contact / Questions

We have a Gitter community channel where we can talk. Firstyear is also happy to answer questions via email, which can be found on their GitHub profile.

Comparison with other services

LLDAP

LLDAP is a similar project aiming for a small and easy-to-administer LDAP server with a web administration portal. Both projects use the Kanidm LDAP bindings, and have many similar ideas.

The primary benefit of Kanidm over LLDAP is that Kanidm offers a broader set of "built in" features like OAuth2 and OIDC. To use these from LLDAP you need an external portal like Keycloak, whereas in Kanidm they are "built in". However, that is also a strength of LLDAP: it offers "less", which may make it easier for you to administer and deploy.

If Kanidm is too complex for your needs, you should check out LLDAP as a smaller alternative. If you want a project which has a broader feature set out of the box, then Kanidm might be a better fit.

389-ds / OpenLDAP

Both 389-ds and OpenLDAP are generic LDAP servers. This means they only provide LDAP and you need to bring your own IDM configuration on top.

If you need the highest levels of customisation possible from your LDAP deployment, then these are probably better alternatives. If you want a service that is easier to set up and focused on IDM, then Kanidm is a better choice.

Kanidm was originally inspired by many elements of both 389-ds and OpenLDAP. Already Kanidm is as fast as (or faster than) 389-ds for performance and scaling.

FreeIPA

FreeIPA is another identity management service for Linux/Unix, and ships a huge number of features from LDAP, Kerberos, DNS, Certificate Authority, and more.

FreeIPA, however, is a complex system, with a huge number of parts and a great deal of configuration. This adds a lot of resource overhead and difficulty for administration.

Kanidm aims to have the feature richness of FreeIPA, but without the resource and administration overheads. If you want a complete IDM package, but in a lighter footprint and easier to manage, then Kanidm is probably for you. In testing with 3000 users + 1500 groups, Kanidm is 3 times faster for search operations and 5 times faster for modification and addition of entries (your results may differ, but generally Kanidm is much faster than FreeIPA).

Developer Getting Started

If you want to develop on the server, there is a getting started guide for developers. IDM is a diverse topic and we encourage contributions of many kinds in the project, from people of all backgrounds.

What does Kanidm mean?

The original project name was rsidm while it was a thought experiment. Now that it's growing and developing, we gave it a better project name. Kani is Japanese for "crab". Rust's mascot is a crab. IDM is the common industry term for identity management services.

kanidm's People

Contributors

aplanas, bonjune, cjschroder, cuberoot74088, daedric, daisylb, dependabot[bot], discreetdropbear, erictapen, euank, firstyear, flakebi, flokli, jceb, jjjollyjim, kalebo, kellinm, leoleoasd, leoyzen, mateusamin, matthew-salerno, mweinelt, ottohollmann, pando85, pi-cla, qnnokabayashi, thesuess, trissylegs, victorcwai, yaleman
