Installation

Prerequisites

  • Rust toolchain 1.80 or later (install via rustup)
  • OpenSSL 3.x development headers (required by native-ossl and synta-certificate)
  • MIT Kerberos development libraries (required by ahdapa-gssapi)
  • OpenLDAP client development libraries (required by ahdapa-ldap)

Fedora / RHEL

sudo dnf install openssl-devel krb5-devel openldap-devel

To build with PAM support (--features pam), also install:

sudo dnf install pam-devel

The varlink userdb backend (--features varlink) requires no additional system packages; its dependencies are pure-Rust.

Debian / Ubuntu

sudo apt install libssl-dev libkrb5-dev libldap-dev

To build with PAM support (--features pam), also install:

sudo apt install libpam0g-dev

The varlink userdb backend (--features varlink) requires no additional system packages; its dependencies are pure-Rust.

Checking out the source

git clone <ahdapa-repo> ahdapa

All synta dependencies are fetched from crates.io automatically.

Building from source

The repository is a Cargo workspace. Its members include the ahdapa server binary, the ahdapactl admin CLI, and five library crates (ahdapa-gssapi, ahdapa-jose, ahdapa-ldap, ahdapa-varlink, ahdapa-pam).

cd ahdapa
cargo build --release

The server binary is placed at target/release/ahdapa. The admin CLI is placed at target/release/ahdapactl.

To build only the server or only the CLI:

cargo build --bin ahdapa --release
cargo build --bin ahdapactl --release

To enable the optional PAM and varlink authentication backends (recommended for production deployments on systemd-based hosts):

cargo build --bin ahdapa --release --features pam,varlink

Both features are enabled by default in the RPM package.

Building the WebUI

The WebUI is a separate build step. It requires Node.js 20 or later and npm.

cd webui
npm install
npm run build

The built assets are placed at webui/dist/. Point webui.static_dir in the config to this directory.

Verifying the build

./target/release/ahdapa --help

The binary accepts the configuration file path as an optional positional argument, falling back to the AHDAPA_CONFIG environment variable, and finally to /etc/ahdapa/ahdapa.toml. Pass --check to validate the config without starting the server.

Installing

sudo install -m 0755 target/release/ahdapa /usr/local/bin/ahdapa
sudo install -d /etc/ahdapa /var/lib/ahdapa
sudo install -d /usr/share/ahdapa/webui
sudo cp -r webui/dist/. /usr/share/ahdapa/webui/
sudo chmod -R u=rwX,go=rX /usr/share/ahdapa/webui

systemd service

Production-grade unit files are provided in contrib/systemd/ in the repository (and installed by the RPM package). Copy them to create a manual installation:

sudo install -m 0644 contrib/systemd/ahdapa.service \
    /etc/systemd/system/ahdapa.service
sudo install -m 0644 contrib/systemd/ahdapa.socket \
    /etc/systemd/system/ahdapa.socket

ahdapa.service passes the configuration file path as a positional argument and includes a full set of hardening directives. ahdapa.socket enables socket activation — see Systemd socket activation for details on when to use it.

A minimal service unit for reference:

[Unit]
Description=Ahdapa OAuth2/OIDC identity provider
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=ahdapa
Group=ahdapa
WorkingDirectory=/var/lib/ahdapa
ExecStart=/usr/local/bin/ahdapa /etc/ahdapa/ahdapa.toml
Restart=on-failure
RestartSec=5s
Environment=RUST_LOG=info

NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
StateDirectory=ahdapa
ConfigurationDirectory=ahdapa
LogsDirectory=ahdapa

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable --now ahdapa
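
The identity and hardening settings in the minimal unit above are easy to lose when a unit is edited by hand. The following check is an added example, not part of the ahdapa repository: it reports which of those settings are missing from, or set differently in, the [Service] section of a unit file. The names audit_unit and sample_unit and the sample unit text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ahdapa repository): audit a unit file against the
# identity and hardening settings shown in the minimal unit on this page.
EXPECTED='User=ahdapa Group=ahdapa NoNewPrivileges=yes ProtectSystem=strict ProtectHome=yes PrivateTmp=yes'

# audit_unit [FILE]: read FILE (or stdin) and print "MISSING key" or
# "DIFFERS key=value" per finding; print nothing when every setting matches.
audit_unit() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); order[i] = kv[1]; want[kv[1]] = kv[2] }
        }
        /^[ \t]*[#;]/ { next }    # comment lines do not count as settings
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(val) ~ /^(true|1|on)$/) val = "yes"   # systemd boolean spellings
            seen[key] = val       # a later assignment overrides an earlier one
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) print "MISSING " k
                else if (seen[k] != want[k]) print "DIFFERS " k "=" seen[k]
            }
        }
    ' "${1:--}"
}

# Constructed sample: ProtectHome sits in the wrong section, ProtectSystem is weaker.
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Constructed sample unit
ProtectHome=yes
[Service]
User=ahdapa
Group=ahdapa
# NoNewPrivileges=yes
NoNewPrivileges=true
ProtectSystem=full
PrivateTmp=yes
EOF
}

sample_unit | audit_unit
```

To include drop-in overrides in the check, pipe the output of systemctl cat ahdapa.service into audit_unit instead of passing a single file.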