kanidm-expert_skill

This skill helps you design and deploy secure Kanidm identity solutions, including OAuth2/OIDC, LDAP, SSH, and WebAuthn workflows.
  • Shell

25

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill martinholovsky/claude-skills-generator --skill kanidm-expert

  • SKILL.md46.1 KB

Overview

This skill is an expert guide for designing, deploying, and operating Kanidm-based identity management solutions. It focuses on secure user and group management, modern authentication (OAuth2/OIDC, WebAuthn, TOTP), LDAP/RADIUS integration, SSH key and PAM workflows, and high-availability operations. Use it to build production-ready, auditable identity platforms with strong credential and access policies.

How this skill works

The skill inspects and advises on Kanidm configuration and operational patterns: account lifecycle, OAuth2/OIDC client registration and scopes, LDAP schema and bind accounts, RADIUS clients, SSH key distribution and certificate authority setup, and audit/logging. It prescribes TDD-driven verification steps, connection pooling and token caching patterns, and hardening actions like PKCE, TLS everywhere, credential policies, and replication/backup strategies.

When to use it

  • Implementing single sign-on or OAuth2/OIDC provider functionality for applications
  • Migrating or integrating legacy LDAP-based systems with a modern identity platform
  • Designing secure authentication for privileged accounts (WebAuthn-first, TOTP fallback)
  • Managing SSH keys and SSH certificate authorities for infrastructure access
  • Configuring RADIUS for network access (wireless, VPN) and centralized logging

Best practices

  • Adopt TDD: write automated integration tests for OAuth2, LDAPS, and user/group flows before changes
  • Enforce least privilege: minimal LDAP bind privileges, scoped OAuth2 clients, and service accounts for automation
  • Use WebAuthn for privileged users and strong password/TOTP policies for backups
  • Enable TLS everywhere, rotate client secrets and RADIUS shared secrets regularly
  • Optimize performance with connection pooling, token caching, and scoped LDAP searches
  • Audit everything: log authentication attempts, token usage, and privileged operations

Example use cases

  • Registering an OAuth2 client with PKCE, redirect URIs, and scope mappings for a web app
  • Creating LDAP bind service accounts with restricted search bases and LDAPS connections
  • Distributing SSH public keys and issuing short-lived SSH certificates via Kanidm
  • Configuring RADIUS clients with group-based authorization for wireless access
  • Automating verification using pytest and shell integration tests for end-to-end checks

FAQ

Make WebAuthn/FIDO2 the primary factor for privileged users, require TOTP backups, enforce strong password policies, and monitor authentication anomalies.

What steps ensure LDAP compatibility with legacy apps?

Map Kanidm attributes to the legacy schema, create minimal bind accounts, restrict search bases, use LDAPS, and validate with LDAP integration tests.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
kanidm-expert skill by martinholovsky/claude-skills-generator | VeilStrat