As you may know, LXD can both be used locally on your machine or remotely using its secure REST API.

In that mode, the default authentication method is an SSH-like private/public key exchange combined with an (optional) trust password that’s configured on the remote server to make adding new trusted clients easier.

Adding a trusted client involves either an administrator providing its public key for LXD to trust it or, more commonly, the administrator having set a trust password which is then used by the client to add itself to the trust store.

This works well when you have a limited number of clients and don’t need to add or revoke access very often.
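To make the two enrolment paths and the revocation step concrete, here is a small model of the trust store written for this post; it is an added illustration, not LXD's own code. It assumes that a client is identified by the SHA-256 fingerprint of its TLS certificate, that a trusted certificate gets in either because an administrator adds it or because the client presents the trust password, and that the server keeps only a salted hash of that password (the PBKDF2 choice is an assumption of this toy, not LXD's storage format). The certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed stand-ins for the DER bytes of two clients' TLS certificates.
CLIENT_A = b"constructed-der-bytes-for-client-A"
CLIENT_B = b"constructed-der-bytes-for-client-B"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the certificate: the identifier a trust store lists per client."""
    return hashlib.sha256(cert_der).hexdigest()


class TrustStore:
    """Set of trusted client fingerprints plus an optional trust password."""

    def __init__(self, trust_password: Optional[str] = None) -> None:
        self._trusted: Set[str] = set()
        self._salt = secrets.token_bytes(16)
        # Only a salted PBKDF2 hash of the trust password is retained
        # (an assumption for this toy model; LXD's real storage format is not modelled).
        self._password_hash: Optional[bytes] = (
            self._derive(trust_password) if trust_password is not None else None
        )

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def add(self, cert_der: bytes) -> str:
        """Administrator path: trust this certificate directly, return its fingerprint."""
        fp = fingerprint(cert_der)
        self._trusted.add(fp)
        return fp

    def add_with_password(self, cert_der: bytes, password: str) -> bool:
        """Client self-enrolment path: the certificate is trusted only if the password matches."""
        if self._password_hash is None:
            return False  # no trust password configured, so self-enrolment is disabled
        # Constant-time comparison of the derived hashes avoids a timing side channel.
        if not hmac.compare_digest(self._derive(password), self._password_hash):
            return False
        self.add(cert_der)
        return True

    def is_trusted(self, cert_der: bytes) -> bool:
        return fingerprint(cert_der) in self._trusted

    def revoke(self, fp: str) -> bool:
        """Remove a fingerprint from the store; False if it was not trusted."""
        if fp not in self._trusted:
            return False
        self._trusted.remove(fp)
        return True

    def list_trusted(self) -> List[str]:
        return sorted(self._trusted)


def demo() -> Dict[str, bool]:
    """Walk both enrolment paths and a revocation; every value should be True."""
    store = TrustStore(trust_password="constructed-trust-password")
    fp_a = store.add(CLIENT_A)
    return {
        "admin_added_trusted": store.is_trusted(CLIENT_A),
        "unknown_rejected": not store.is_trusted(CLIENT_B),
        "wrong_password_rejected": not store.add_with_password(CLIENT_B, "wrong"),
        "right_password_enrols": store.add_with_password(CLIENT_B, "constructed-trust-password"),
        "revoke_works": store.revoke(fp_a) and not store.is_trusted(CLIENT_A),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The model makes the operational limit visible: anyone holding the trust password can enrol any certificate they like, and access is revoked one fingerprint at a time on each server, so the store scales with the number of clients multiplied by the number of servers rather than with group membership.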

But what if you’re in a more organized environment where you have a number of people and services that need access to a number of LXD servers and you need to be able to easily grant or revoke access, ideally by just managing group memberships in a central authentication system?

Well, that’s what LXD’s external authentication support through Candid is for.

It allows you to set up an authentication gateway (candid) which connects your LXD servers to your existing authentication system.