obviously, don't let people have usernames that would conflict with anything internal (i.e. "email", "infra*", etc.) and are only alphanumeric ```sh kanidm login --name idm_admin kanidm person create --name idm_admin "" kanidm person credential create-reset-token --name idm_admin # allow them to set a unix/ldap password kanidm person posix set --name idm_admin kanidm person posix set --name idm_admin --shell /bin/zsh # give them email access (need unix access) kanidm person update --legalname "" --mail @hatecomputers.club kanidm group add-members mail ```