- Home
- Skills
- Martinholovsky
- Claude Skills Generator
- Kanidm Expert
kanidm-expert_skill
- Shell
25
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill martinholovsky/claude-skills-generator --skill kanidm-expert- SKILL.md46.1 KB
Overview
This skill is an expert guide for designing, deploying, and operating Kanidm-based identity management solutions. It focuses on secure user and group management, modern authentication (OAuth2/OIDC, WebAuthn, TOTP), LDAP/RADIUS integration, SSH key and PAM workflows, and high-availability operations. Use it to build production-ready, auditable identity platforms with strong credential and access policies.
How this skill works
The skill inspects and advises on Kanidm configuration and operational patterns: account lifecycle, OAuth2/OIDC client registration and scopes, LDAP schema and bind accounts, RADIUS clients, SSH key distribution and certificate authority setup, and audit/logging. It prescribes TDD-driven verification steps, connection pooling and token caching patterns, and hardening actions like PKCE, TLS everywhere, credential policies, and replication/backup strategies.
When to use it
- Implementing single sign-on or OAuth2/OIDC provider functionality for applications
- Migrating or integrating legacy LDAP-based systems with a modern identity platform
- Designing secure authentication for privileged accounts (WebAuthn-first, TOTP fallback)
- Managing SSH keys and SSH certificate authorities for infrastructure access
- Configuring RADIUS for network access (wireless, VPN) and centralized logging
Best practices
- Adopt TDD: write automated integration tests for OAuth2, LDAPS, and user/group flows before changes
- Enforce least privilege: minimal LDAP bind privileges, scoped OAuth2 clients, and service accounts for automation
- Use WebAuthn for privileged users and strong password/TOTP policies for backups
- Enable TLS everywhere, rotate client secrets and RADIUS shared secrets regularly
- Optimize performance with connection pooling, token caching, and scoped LDAP searches
- Audit everything: log authentication attempts, token usage, and privileged operations
Example use cases
- Registering an OAuth2 client with PKCE, redirect URIs, and scope mappings for a web app
- Creating LDAP bind service accounts with restricted search bases and LDAPS connections
- Distributing SSH public keys and issuing short-lived SSH certificates via Kanidm
- Configuring RADIUS clients with group-based authorization for wireless access
- Automating verification using pytest and shell integration tests for end-to-end checks
FAQ
Make WebAuthn/FIDO2 the primary factor for privileged users, require TOTP backups, enforce strong password policies, and monitor authentication anomalies.
What steps ensure LDAP compatibility with legacy apps?
Map Kanidm attributes to the legacy schema, create minimal bind accounts, restrict search bases, use LDAPS, and validate with LDAP integration tests.