Releases: kanidm/kanidm

v1.7.4 - Clippy lints and makefile updates

13 Oct 01:43
7f107b6

Maintenance release to allow building on all supported versions of Rust, and to update the Makefile so we don't miss publishing crate updates.

v1.7.3

22 Aug 03:43

2025-08-15 - Kanidm 1.7.3 Patch

  • Correctly handle IP address SANs in certificate issuance for replication
  • Clearly describe some replication misconfiguration in warning messages.
  • Resolve unixd/tasks dropping tasks that are queued (initial fix was incomplete)

2025-08-15 - Kanidm 1.7.2 Patch

  • Improve argon2id parameter search speed
  • Make it clearer why a unixd user can't log in
  • Disable and enable of break-glass accounts
  • Resolve unixd/tasks dropping tasks that are queued
  • Correct a defect in show replication cert which would wait indefinitely

Known Issues

  • Repeated calls to recover-account contain an edge case that causes the command to fail. If you see a failure during recover-account, call disable-account and then recover-account in sequence.

2025-08-01 - Kanidm 1.7.1 Patch

  • Incorrect handling of SEC1 formatted ECDSA private keys prevented server startup
  • Update tracing libraries to allow publishing of crates

2025-08-01 - Kanidm 1.7.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.7.0 Release Highlights

  • Darkmode UI colour and style improvements (#3593, #3660)
  • OpenSSL removal in favour of rust-cryptography and rustls (#3594, #3687, )
  • OAuth2 client IDs always process as lowercase (#3605)
  • Test for corrupt unicode in SSH keys (#3618)
  • Accept SSH keys with variable salt lengths (#3629)
  • Move unixd shadow/passwd handling into the tasks daemon (#3631)
  • Reload schema before db verify to prevent incorrect warnings (#3643)
  • Improve unixd and tasks daemon startup coupling (#3638)
  • Reduce unixd memory usage (#3651, #3645, #3754)
  • SCIM API implementation (#3535, #3700, #3725, #3741, #3748)
  • Fix parsing of passwd files with comments in them (#3673)
  • Reduce unixd logging verbosity (#3680)
  • Only allow server side password generation for service accounts (#3688)
  • Fix UI confusion when unix password validation fails (#3719, #3720)
  • Web UI for users to self manage RADIUS passwords (#3728)

v1.7.2

15 Aug 04:44

2025-08-15 - Kanidm 1.7.2 Patch

  • Improve argon2id parameter search speed
  • Make it clearer why a unixd user can't log in
  • Disable and enable of break-glass accounts
  • Resolve unixd/tasks dropping tasks that are queued
  • Correct a defect in show replication cert which would wait indefinitely

Known Issues

  • Repeated calls to recover-account contain an edge case that causes the command to fail. If you see a failure during recover-account, call disable-account and then recover-account in sequence.

2025-08-01 - Kanidm 1.7.1 Patch

  • Incorrect handling of SEC1 formatted ECDSA private keys prevented server startup
  • Update tracing libraries to allow publishing of crates

2025-08-01 - Kanidm 1.7.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.7.0 Release Highlights

  • Darkmode UI colour and style improvements (#3593, #3660)
  • OpenSSL removal in favour of rust-cryptography and rustls (#3594, #3687, )
  • OAuth2 client IDs always process as lowercase (#3605)
  • Test for corrupt unicode in SSH keys (#3618)
  • Accept SSH keys with variable salt lengths (#3629)
  • Move unixd shadow/passwd handling into the tasks daemon (#3631)
  • Reload schema before db verify to prevent incorrect warnings (#3643)
  • Improve unixd and tasks daemon startup coupling (#3638)
  • Reduce unixd memory usage (#3651, #3645, #3754)
  • SCIM API implementation (#3535, #3700, #3725, #3741, #3748)
  • Fix parsing of passwd files with comments in them (#3673)
  • Reduce unixd logging verbosity (#3680)
  • Only allow server side password generation for service accounts (#3688)
  • Fix UI confusion when unix password validation fails (#3719, #3720)
  • Web UI for users to self manage RADIUS passwords (#3728)

v1.7.1

06 Aug 01:04

2025-08-01 - Kanidm 1.7.1 Patch

  • Incorrect handling of SEC1 formatted ECDSA private keys prevented server startup
  • Update tracing libraries to allow publishing of crates

2025-08-01 - Kanidm 1.7.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.7.0 Release Highlights

  • Darkmode UI colour and style improvements (#3593, #3660)
  • OpenSSL removal in favour of rust-cryptography and rustls (#3594, #3687, )
  • OAuth2 client IDs always process as lowercase (#3605)
  • Test for corrupt unicode in SSH keys (#3618)
  • Accept SSH keys with variable salt lengths (#3629)
  • Move unixd shadow/passwd handling into the tasks daemon (#3631)
  • Reload schema before db verify to prevent incorrect warnings (#3643)
  • Improve unixd and tasks daemon startup coupling (#3638)
  • Reduce unixd memory usage (#3651, #3645, #3754)
  • SCIM API implementation (#3535, #3700, #3725, #3741, #3748)
  • Fix parsing of passwd files with comments in them (#3673)
  • Reduce unixd logging verbosity (#3680)
  • Only allow server side password generation for service accounts (#3688)
  • Fix UI confusion when unix password validation fails (#3719, #3720)
  • Web UI for users to self manage RADIUS passwords (#3728)

v1.7.0

01 Aug 04:51

2025-08-01 - Kanidm 1.7.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.7.0 Release Highlights

  • Darkmode UI colour and style improvements (#3593, #3660)
  • OpenSSL removal in favour of rust-cryptography and rustls (#3594, #3687, )
  • OAuth2 client IDs always process as lowercase (#3605)
  • Test for corrupt unicode in SSH keys (#3618)
  • Accept SSH keys with variable salt lengths (#3629)
  • Move unixd shadow/passwd handling into the tasks daemon (#3631)
  • Reload schema before db verify to prevent incorrect warnings (#3643)
  • Improve unixd and tasks daemon startup coupling (#3638)
  • Reduce unixd memory usage (#3651, #3645, #3754)
  • SCIM API implementation (#3535, #3700, #3725, #3741, #3748)
  • Fix parsing of passwd files with comments in them (#3673)
  • Reduce unixd logging verbosity (#3680)
  • Only allow server side password generation for service accounts (#3688)
  • Fix UI confusion when unix password validation fails (#3719, #3720)
  • Web UI for users to self manage RADIUS passwords (#3728)

v1.6.4

11 Jun 06:06

2025-06-11 - Kanidm 1.6.4 Patch

  • Reduce log noise in unixd
  • Dark mode improvements
  • Fix handling of passwd/group when comments are present (such as on FreeBSD)
  • Reduce memory consumption of unixd
  • Improve the coupling of unixd and unixd-tasks on startup to prevent spurious failures
  • Reload schema before verify so that verification succeeds.
  • Prevent a possible panic during some ldap imports

2025-05-14 - Kanidm 1.6.3 Patch

  • Resolve an issue where some legacy configurations would not parse due to incorrect version parsing
  • Unixd - Resolve a potential race/stall condition when the tasks daemon is busy processing files causing home directories to not be created.
  • Resolve environment only configuration by not specifying the config path in the container
  • Allow importing of SSHA variants from LDAP servers with different salt lengths
  • Resolve a flaw in SSH public key parsing when trailing whitespace exists and no comment is present on the key
  • Clarify how IPs are handled with the new trust x-forward-for and proxyv2 configurations
  • Allow CIDR ranges in the trust x-forward-for and proxyv2 configurations
  • Reduce replication logging verbosity.

2025-05-08 - Kanidm 1.6.2 Patch

  • Resolve an issue with parsing some replication certificates on startup
  • Assert JWKS order to ensure the latest key is first for some OIDC client applications
  • Resolve an issue where the OAuth2 KeyID that was used for signing was not the same KeyID as used for lookup in verification

2025-05-08 - Kanidm 1.6.1 Patch

  • Resolve a major issue where on startup OAuth2 clients were not loaded due to a flaw in startup event ordering.

2025-05-01 - Kanidm 1.6.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.6.0 Important Changes

  • The kanidmd server configuration now supports versions. You should review the example server configuration and update to version = "2".

1.6.0 Release Highlights

  • Drop fernet in favour of JWE for OAuth2 tokens (#3577)
  • Allow spaces in ssh key comments
  • Support HAProxy PROXY protocol v2 (#3542)
  • Preserve ssh key content on form validation error (#3574)
  • Harden pam unix resolver to prevent a token update race (#3553)
  • Improve db klock handling (#3551)
  • Unix pam unix config parser (#3533)
  • Improve handling of systemd notify (#3540)
  • Allow versioning of server configs (#3515)
  • Remove the protected plugin in favour of access framework (#3504)
  • Add max_ber_size to freeipa sync tool (#3530)
  • Make schema indexing a boolean rather than index type (#3517)
  • Add set-description to group cli (#3511)
  • pam kanidm now acts as a pam unix replacement (#3501)
  • Support rfc2307 in ldap import/sync (#3466)
  • Handle incorrect OAuth2 clients that ignore response modes (#3467)
  • Improve idx validation performance (#3459)
  • Improve migration and bootstrapper (#3432)
  • Reduce size of docker container (#3452)
  • Add limits to maximum queryable ldap attributes (#3431)
  • Accept more formats of ldap pwd hashes (#3444, #3458)
  • TOTP Label validation (#3419)
  • Harden denied names against accidental lockouts (#3429)
  • OAuth2 supports redirect URIs with query parameters (#3422)

v1.6.3

14 May 05:40

2025-05-14 - Kanidm 1.6.3 Patch

  • Resolve an issue where some legacy configurations would not parse due to incorrect version parsing
  • Unixd - Resolve a potential race/stall condition when the tasks daemon is busy processing files causing home directories to not be created.
  • Resolve environment only configuration by not specifying the config path in the container
  • Allow importing of SSHA variants from LDAP servers with different salt lengths
  • Resolve a flaw in SSH public key parsing when trailing whitespace exists and no comment is present on the key
  • Clarify how IPs are handled with the new trust x-forward-for and proxyv2 configurations
  • Allow CIDR ranges in the trust x-forward-for and proxyv2 configurations
  • Reduce replication logging verbosity.

2025-05-08 - Kanidm 1.6.2 Patch

  • Resolve an issue with parsing some replication certificates on startup
  • Assert JWKS order to ensure the latest key is first for some OIDC client applications
  • Resolve an issue where the OAuth2 KeyID that was used for signing was not the same KeyID as used for lookup in verification

2025-05-08 - Kanidm 1.6.1 Patch

  • Resolve a major issue where on startup OAuth2 clients were not loaded due to a flaw in startup event ordering.

2025-05-01 - Kanidm 1.6.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.6.0 Important Changes

  • The kanidmd server configuration now supports versions. You should review the example server configuration and update to version = "2".

1.6.0 Release Highlights

  • Drop fernet in favour of JWE for OAuth2 tokens (#3577)
  • Allow spaces in ssh key comments
  • Support HAProxy PROXY protocol v2 (#3542)
  • Preserve ssh key content on form validation error (#3574)
  • Harden pam unix resolver to prevent a token update race (#3553)
  • Improve db klock handling (#3551)
  • Unix pam unix config parser (#3533)
  • Improve handling of systemd notify (#3540)
  • Allow versioning of server configs (#3515)
  • Remove the protected plugin in favour of access framework (#3504)
  • Add max_ber_size to freeipa sync tool (#3530)
  • Make schema indexing a boolean rather than index type (#3517)
  • Add set-description to group cli (#3511)
  • pam kanidm now acts as a pam unix replacement (#3501)
  • Support rfc2307 in ldap import/sync (#3466)
  • Handle incorrect OAuth2 clients that ignore response modes (#3467)
  • Improve idx validation performance (#3459)
  • Improve migration and bootstrapper (#3432)
  • Reduce size of docker container (#3452)
  • Add limits to maximum queryable ldap attributes (#3431)
  • Accept more formats of ldap pwd hashes (#3444, #3458)
  • TOTP Label validation (#3419)
  • Harden denied names against accidental lockouts (#3429)
  • OAuth2 supports redirect URIs with query parameters (#3422)

v1.6.2

09 May 03:24

2025-05-08 - Kanidm 1.6.2 Patch

  • Resolve an issue with parsing some replication certificates on startup
  • Assert JWKS order to ensure the latest key is first for some OIDC client applications
  • Resolve an issue where the OAuth2 KeyID that was used for signing was not the same KeyID as used for lookup in verification

2025-05-08 - Kanidm 1.6.1 Patch

  • Resolve a major issue where on startup OAuth2 clients were not loaded due to a flaw in startup event ordering.

2025-05-01 - Kanidm 1.6.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.6.0 Important Changes

  • The kanidmd server configuration now supports versions. You should review the example server configuration and update to version = "2".

1.6.0 Release Highlights

  • Drop fernet in favour of JWE for OAuth2 tokens (#3577)
  • Allow spaces in ssh key comments
  • Support HAProxy PROXY protocol v2 (#3542)
  • Preserve ssh key content on form validation error (#3574)
  • Harden pam unix resolver to prevent a token update race (#3553)
  • Improve db klock handling (#3551)
  • Unix pam unix config parser (#3533)
  • Improve handling of systemd notify (#3540)
  • Allow versioning of server configs (#3515)
  • Remove the protected plugin in favour of access framework (#3504)
  • Add max_ber_size to freeipa sync tool (#3530)
  • Make schema indexing a boolean rather than index type (#3517)
  • Add sd

v1.6.1

08 May 03:09

2025-05-08 - Kanidm 1.6.1 Patch

  • Resolve a major issue where on startup OAuth2 clients were not loaded due to a flaw in startup event ordering.

2025-05-01 - Kanidm 1.6.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.6.0 Important Changes

  • The kanidmd server configuration now supports versions. You should review the example server configuration and update to version = "2".

1.6.0 Release Highlights

  • Drop fernet in favour of JWE for OAuth2 tokens (#3577)
  • Allow spaces in ssh key comments
  • Support HAProxy PROXY protocol v2 (#3542)
  • Preserve ssh key content on form validation error (#3574)
  • Harden pam unix resolver to prevent a token update race (#3553)
  • Improve db klock handling (#3551)
  • Unix pam unix config parser (#3533)
  • Improve handling of systemd notify (#3540)
  • Allow versioning of server configs (#3515)
  • Remove the protected plugin in favour of access framework (#3504)
  • Add max_ber_size to freeipa sync tool (#3530)
  • Make schema indexing a boolean rather than index type (#3517)
  • Add set-description to group cli (#3511)
  • pam kanidm now acts as a pam unix replacement (#3501)
  • Support rfc2307 in ldap import/sync (#3466)
  • Handle incorrect OAuth2 clients that ignore response modes (#3467)
  • Improve idx validation performance (#3459)
  • Improve migration and bootstrapper (#3432)
  • Reduce size of docker container (#3452)
  • Add limits to maximum queryable ldap attributes (#3431)
  • Accept more formats of ldap pwd hashes (#3444, #3458)
  • TOTP Label validation (#3419)
  • Harden denied names against accidental lockouts (#3429)
  • OAuth2 supports redirect URIs with query parameters (#3422)

v1.6.0

07 May 04:01

2025-05-01 - Kanidm 1.6.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the
combined effort of our community and we appreciate their invaluable contributions, comments,
questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation

1.6.0 Important Changes

  • The kanidmd server configuration now supports versions. You should review the example server configuration and update to version = "2".

1.6.0 Release Highlights

  • Drop fernet in favour of JWE for OAuth2 tokens (#3577)
  • Allow spaces in ssh key comments
  • Support HAProxy PROXY protocol v2 (#3542)
  • Preserve ssh key content on form validation error (#3574)
  • Harden pam unix resolver to prevent a token update race (#3553)
  • Improve db klock handling (#3551)
  • Unix pam unix config parser (#3533)
  • Improve handling of systemd notify (#3540)
  • Allow versioning of server configs (#3515)
  • Remove the protected plugin in favour of access framework (#3504)
  • Add max_ber_size to freeipa sync tool (#3530)
  • Make schema indexing a boolean rather than index type (#3517)
  • Add set-description to group cli (#3511)
  • pam kanidm now acts as a pam unix replacement (#3501)
  • Support rfc2307 in ldap import/sync (#3466)
  • Handle incorrect OAuth2 clients that ignore response modes (#3467)
  • Improve idx validation performance (#3459)
  • Improve migration and bootstrapper (#3432)
  • Reduce size of docker container (#3452)
  • Add limits to maximum queryable ldap attributes (#3431)
  • Accept more formats of ldap pwd hashes (#3444, #3458)
  • TOTP Label validation (#3419)
  • Harden denied names against accidental lockouts (#3429)
  • OAuth2 supports redirect URIs with query parameters (#3422)