fix(kanidm): force shortname for uid/gid attr map on unixd v2 #495

Closed
lytedev wants to merge 1 commit from fix-kanidm-uid-attr-map into main
Owner

Summary

Kanidm 1.10's unixd config v2 changed the default uid_attr_map / gid_attr_map from name to spn, so users started resolving as daniel@idm.h.lyte.dev instead of daniel. This broke local tooling assuming the bare shortname.

Pin both to "name" at the top level of unixSettings (they're top-level fields in v2; only pam_allowed_login_groups sits under [kanidm]). Verified against the kanidm source at the pinned commit c070a411 (v1.10.0-dev).

Test plan

  • Deploy to thinker
  • id daniel and getent passwd daniel resolve the kanidm user as bare daniel
  • SSH login as daniel still works
fix(kanidm): force shortname for uid/gid attr map on kanidm 1.10 unixd v2
Some checks failed
/ build (push) Waiting to run
/ check-format (push) Has been cancelled
6bc26dd084
Kanidm 1.10's unixd config v2 changed the default uid_attr_map/gid_attr_map
to "spn", causing users to resolve as "name@idm.h.lyte.dev" instead of
"name". Pin both to "name" to restore pre-upgrade behavior.
lytedev closed this pull request 2026-04-20 10:54:52 -05:00
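
The `getent` check from the test plan can be scripted as below. This is an added example, not code from this PR or repository. The function names `name_form` and `check_entry` are hypothetical, and the sample passwd lines are constructed (UID/GID, GECOS, home and shell are made up).

```shell
#!/bin/sh
# Classify how an NSS passwd/group entry names an account.
# Prints "short" (bare shortname), "spn" (name@domain) or "unresolved".
name_form() {
    entry=$1
    # Empty getent output means NSS did not resolve the account at all.
    [ -n "$entry" ] || { echo unresolved; return; }
    name=${entry%%:*}            # first colon-separated field is the name
    case $name in
        *@*) echo spn ;;
        *)   echo short ;;
    esac
}

# check_entry WANT ENTRY
# Succeeds only if ENTRY's name field is exactly WANT, i.e. the bare
# shortname that local tooling expects rather than the SPN form.
check_entry() {
    want=$1
    entry=$2
    form=$(name_form "$entry")
    got=${entry%%:*}
    if [ "$form" = short ] && [ "$got" = "$want" ]; then
        echo "ok: $want resolves as bare shortname"
        return 0
    fi
    echo "FAIL: wanted '$want', got '${got:-<nothing>}' ($form)" >&2
    return 1
}

# Constructed sample entries: the SPN form described in the summary,
# and the shortname form expected once both maps are pinned to "name".
SAMPLE_SPN='daniel@idm.h.lyte.dev:x:2000:2000:Daniel:/home/daniel:/bin/sh'
SAMPLE_SHORT='daniel:x:2000:2000:Daniel:/home/daniel:/bin/sh'

# On a deployed host, feed live NSS output instead of the samples:
#   check_entry daniel "$(getent passwd daniel)"
#   check_entry daniel "$(getent group daniel)"
```

An empty `getent` result is reported as `unresolved` rather than as a pass, so a stopped resolver daemon is not mistaken for a correct mapping.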
Reference
lytedev/nix!495