Releases: kanidm/kanidm

v1.8.6

10 Feb 04:55

2026-02-10 - Kanidm 1.8.6 Patch ☀️

NOTE: This update prevents a server crash which may occur in some circumstances. This affects all prior versions of Kanidm. It is strongly recommended you update to at least 1.8.6.

  • Update concread to prevent a possible crash. The crash can occur if the server's cache size is set too, and high levels of database activity occur. As the server normally automatically tunes its cache, this crash is rare, if it occurs at all.
  • Update two rust-crypto dependencies that may prevent compilation in some cases.

2025-12-13 - Kanidm 1.8.5 Patch 🎄

  • Address an issue where webauthn updates were not properly brought in by cargo
  • Fix CSP headers on a route that was not applying them correctly
  • Resolve time-travel glitch in the release notes.

2025-11-28 - Kanidm 1.8.4 Patch 🎄

  • Handle concurrent pam sessions
  • Improve handling of some compression options during restores
  • Handle webauthn keys from Chromium which omitted an option.

2025-11-28 - Kanidm 1.8.3 Patch

  • Resolve a possible infinite loop in cli tools during reauth that prevented server administration.

2025-11-28 - Kanidm 1.8.2 Patch (Security: Low)

  • Security: A flaw in data migration could allow a builtin group's CredentialTypeMinimum policy to be downgraded from Passkey/AttestedPasskey to MFA. Inversely, after lowering this policy to Any, it would be raised to MFA on an upgrade. This only affected groups such as idm_all_accounts or idm_all_persons. User-made groups are not affected. You should review the account policy on these two groups and assert it is what you expect it to be.
  • Report correct client IPs in logs, and improve proxy/x-forwarded logging
  • Ensure that service-account sessions which have direct privilege grants have synchronised expiry times between the privs and the token life.
  • Resolve a flaw in upgrades where skip migrations may not be correctly denied from proceeding.
  • Prevent lib-crypto from depending on proto
  • Resolve a potential issue with kanidm_client libraries which are missing build profiles

2025-11-17 - Kanidm 1.8.1 Patch

  • Resolve a bug in form handling due to incorrect optional type handling
  • Resolve a bug in connection initialisation which could cause some clients to fail to connect
  • Update unixd home aliases atomically
  • Improve oauth2 logging messages
  • Fix typos in documentation

2025-10-07 - Kanidm 1.8.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.8.0 Important Changes

  • For distribution package users, systemd-notify reload has been removed due to ongoing bugs with the
    feature from the systemd side which would cause kanidmd to be killed ungracefully. If you rely on
    this to perform "systemctl reload kanidmd" actions, you should instead use "systemctl restart" or
    send a SIGHUP directly to the kanidmd process.
  • Users of http_client_address_info and/or ldap_client_address_info on Linux should note that we now canonicalise the incoming IP address correctly, meaning that IPv4-in-IPv6 mapped addresses such as ::ffff:172.20.1.1 should be rewritten to their IPv4 format (172.20.1.1).

1.8.0 Release Highlights

  • Reduce logging verbosity (#3906)
  • Add support for PROXYv1 protocol (#3935)
  • Persist unixd connections in nss to improve response times (#3921)
  • Improve offline authentication with unixd for road-warriors (#3934)
  • Support listening on multiple sockets (#3933)
  • Fix a bug with replication certificate renewal that could cause a temporary replication freeze
  • Prevent users saving credentials if they would remove all credentials (#3805)
  • Fix a bug in an easter egg.
  • Remove systemd-notify reload support (#3885)
  • Support reference entries (#3863)
  • Allow group shortnames in OIDC claims (#3879)
  • Improve client address display by canonicalising v4 in v6 addrs (#3874)
  • Support client secret post for OAuth2 (#3833)
  • Skip UAT prevalidation in some routes (#3865)
  • Allow compression of backups (#3821)
  • Improve unixd performance (#3846)
  • Prevent memory exhaustion during FreeBSD builds (#3818)
  • Allow replication to operate with IP addresses (#3807)
  • Update email validation regex per whatwg (#3797)
  • Fix replication show-cert bug with rustls (#3792)
  • Improve IPC between unixd and other components (#3789)
  • Allow disabling of the "break-glass" accounts (#3780)
  • Improve messaging around why a user can't authenticate with unixd (#3778)
  • Improve argon2id parameter search speed (#3768)
  • Properly drop the "remember me" cookie when set to off (#3770)
  • Fix handling of SEC1 Private Keys (#3769)
  • Improve order of operations in Kanidm Unixd Tasks (#3762)
  • Fix an issue with RADIUS service account access controls (#3759)

v1.8.5

13 Dec 02:42

2025-12-13 - Kanidm 1.8.5 Patch 🎄

  • Address an issue where webauthn updates were not properly brought in by cargo
  • Fix CSP headers on a route that was not applying them correctly
  • Resolve time-travel glitch in the release notes.

v1.8.4

10 Dec 06:09

2025-12-28 - Kanidm 1.8.4 Patch 🎄

  • Handle concurrent pam sessions
  • Improve handling of some compression options during restores
  • Handle webauthn keys from Chromium which omitted an option.

v1.8.3

28 Nov 06:02

2025-11-28 - Kanidm 1.8.3 Patch

  • Resolve a possible infinite loop in cli tools during reauth that prevented server administration.

v1.8.2

28 Nov 03:53

2025-11-28 - Kanidm 1.8.2 Patch (Security: Low)

  • Security: A flaw in data migration could allow a builtin group's CredentialTypeMinimum policy to be downgraded from Passkey/AttestedPasskey to MFA. Inversely, after lowering this policy to Any, it would be raised to MFA on an upgrade. This only affected groups such as idm_all_accounts or idm_all_persons. User-made groups are not affected. You should review the account policy on these two groups and assert it is what you expect it to be.
  • Report correct client IPs in logs, and improve proxy/x-forwarded logging
  • Ensure that service-account sessions which have direct privilege grants have synchronised expiry times between the privs and the token life.
  • Resolve a flaw in upgrades where skip migrations may not be correctly denied from proceeding.
  • Prevent lib-crypto from depending on proto
  • Resolve a potential issue with kanidm_client libraries which are missing build profiles

v1.8.1

19 Nov 04:13

2025-11-17 - Kanidm 1.8.1 Patch

  • Resolve a bug in form handling due to incorrect optional type handling
  • Resolve a bug in connection initialisation which could cause some clients to fail to connect
  • Update unixd home aliases atomically
  • Improve oauth2 logging messages
  • Fix typos in documentation

v1.8.0

12 Nov 06:41

2025-10-07 - Kanidm 1.8.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.8.0 Important Changes

  • For distribution package users, systemd-notify reload has been removed due to ongoing bugs with the
    feature from the systemd side which would cause kanidmd to be killed ungracefully. If you rely on
    this to perform "systemctl reload kanidmd" actions, you should instead use "systemctl restart" or
    send a SIGHUP directly to the kanidmd process.
  • Users of http_client_address_info and/or ldap_client_address_info on Linux should note that we now canonicalise the incoming IP address correctly, meaning that IPv4-in-IPv6 mapped addresses such as ::ffff:172.20.1.1 should be rewritten to their IPv4 format (172.20.1.1).

1.8.0 Release Highlights

  • Reduce logging verbosity (#3906)
  • Add support for PROXYv1 protocol (#3935)
  • Persist unixd connections in nss to improve response times (#3921)
  • Improve offline authentication with unixd for road-warriors (#3934)
  • Support listening on multiple sockets (#3933)
  • Fix a bug with replication certificate renewal that could cause a temporary replication freeze
  • Prevent users saving credentials if they would remove all credentials (#3805)
  • Fix a bug in an easter egg.
  • Remove systemd-notify reload support (#3885)
  • Support reference entries (#3863)
  • Allow group shortnames in OIDC claims (#3879)
  • Improve client address display by canonicalising v4 in v6 addrs (#3874)
  • Support client secret post for OAuth2 (#3833)
  • Skip UAT prevalidation in some routes (#3865)
  • Allow compression of backups (#3821)
  • Improve unixd performance (#3846)
  • Prevent memory exhaustion during FreeBSD builds (#3818)
  • Allow replication to operate with IP addresses (#3807)
  • Update email validation regex per whatwg (#3797)
  • Fix replication show-cert bug with rustls (#3792)
  • Improve IPC between unixd and other components (#3789)
  • Allow disabling of the "break-glass" accounts (#3780)
  • Improve messaging around why a user can't authenticate with unixd (#3778)
  • Improve argon2id parameter search speed (#3768)
  • Properly drop the "remember me" cookie when set to off (#3770)
  • Fix handling of SEC1 Private Keys (#3769)
  • Improve order of operations in Kanidm Unixd Tasks (#3762)
  • Fix an issue with RADIUS service account access controls (#3759)

v1.7.4 - Clippy lints and makefile updates

13 Oct 01:43
7f107b6

Maintenance release to allow building on all supported versions of Rust, and to update the Makefile so we don't miss publishing crate updates.

v1.7.3

22 Aug 03:43

2025-08-15 - Kanidm 1.7.3 Patch

  • Correctly handle IP address SANs in certificate issuance for replication
  • Clearly describe some replication misconfiguration in warning messages.
  • Resolve unixd/tasks from dropping tasks that are queued (initial fix was incomplete)

2025-08-15 - Kanidm 1.7.2 Patch

  • Improve argon2id parameter search speed
  • Make it clearer why a unixd user can't login
  • Disable and enable of break-glass accounts
  • Resolve unixd/tasks from dropping tasks that are queued
  • Correct a defect in show replication cert which would wait indefinitely

Known Issues

  • Repeat calls to recover-account contain an edge case that causes the command to fail. You should call disable-account then recover-account in sequence if you see a failure during recover-account.

2025-08-01 - Kanidm 1.7.1 Patch

  • Incorrect handling of SEC1 formatted ECDSA private keys prevented server startup
  • Update tracing libraries to allow publishing of crates

2025-08-01 - Kanidm 1.7.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.7.0 Release Highlights

  • Darkmode UI colour and style improvements (#3593, #3660)
  • OpenSSL removal in favour of rust-cryptography and rustls (#3594, #3687, )
  • OAuth2 client IDs always process as lowercase (#3605)
  • Test for corrupt unicode in SSH keys (#3618)
  • Accept SSH keys with variable salt lengths (#3629)
  • Move unixd shadow/passwd handling into the tasks daemon (#3631)
  • Reload schema before db verify to prevent incorrect warnings (#3643)
  • Improve unixd and tasks daemon startup coupling (#3638)
  • Reduce unixd memory usage (#3651, #3645, #3754)
  • SCIM API implementation (#3535, #3700, #3725, #3741, #3748)
  • Fix parsing of passwd files with comments in them (#3673)
  • Reduce unixd logging verbosity (#3680)
  • Only allow server side password generation for service accounts (#3688)
  • Fix UI confusion when unix password validation fails (#3719, #3720)
  • Web UI for users to self manage RADIUS passwords (#3728)

v1.7.2

15 Aug 04:44

2025-08-15 - Kanidm 1.7.2 Patch

  • Improve argon2id parameter search speed
  • Make it clearer why a unixd user can't login
  • Disable and enable of break-glass accounts
  • Resolve unixd/tasks from dropping tasks that are queued
  • Correct a defect in show replication cert which would wait indefinitely

Known Issues

  • Repeat calls to recover-account contain an edge case that causes the command to fail. You should call disable-account then recover-account in sequence if you see a failure during recover-account.
