<!DOCTYPE html>
< html lang = "en" dir = "ltr" >
< head >
< meta charset = "utf-8" / >
< title > documentation:2.0:cli_examples< / title >
< meta name = "generator" content = "DokuWiki" / >
< meta name = "robots" content = "index,follow" / >
< meta name = "keywords" content = "documentation,2.0,cli_examples" / >
< link rel = "search" type = "application/opensearchdescription+xml" href = "lib/exe/opensearch.html" title = "LemonLDAP::NG" / >
< link rel = "start" href = "cli_examples.html" / >
< link rel = "contents" href = "cli_examples.html" title = "Sitemap" / >
< link rel = "stylesheet" type = "text/css" href = "lib/exe/css.php.t.bootstrap3.css" / >
<!-- //if:usedebianlibs
< link rel = "stylesheet" type = "text/css" href = "/javascript/bootstrap/css/bootstrap.min.css" / >
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.min.css" / >
//else -->
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.css" / >
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:cli_examples","namespace":"documentation:2.0"};
/*!]]>*/</script>
< script type = "text/javascript" charset = "utf-8" src = "lib/exe/js.php.t.bootstrap3.js" > < / script >
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery/jquery.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/jquery-2.2.0.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.js" > < / script >
<!-- //endif -->
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery-ui/jquery-ui.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/ui/1.10.4/jquery-ui.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery-ui/jquery-ui.js" > < / script >
<!-- //endif -->
< / head >
< body >
< div class = "dokuwiki export container" >
<!-- TOC START -->
< div id = "dw__toc" >
< h3 class = "toggle" > Table of Contents< / h3 >
< div >
< ul class = "toc" >
< li class = "level1" > < div class = "li" > < a href = "#configure_https" > Configure HTTPS< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configure_sessions_backend" > Configure sessions backend< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configure_virtual_host" > Configure virtual host< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configure_ldap_authentication_backend" > Configure LDAP authentication backend< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configure_saml_identity_provider" > Configure SAML Identity Provider< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#register_an_saml_service_provider" > Register an SAML Service Provider< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#configure_openid_connect_identity_provider" > Configure OpenID Connect Identity Provider< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#register_an_openid_connect_relying_party" > Register an OpenID Connect Relying Party< / a > < / div > < / li >
< / ul >
< / div >
< / div >
<!-- TOC END -->
< h1 class = "sectionedit1" id = "command_line_interface_lemonldap-ng-cli_examples" > Command Line Interface (lemonldap-ng-cli) examples< / h1 >
< div class = "level1" >
< p >
This page shows some examples of < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > Command Line Interface. See < a href = "configlocation.html#command_line_interface_cli" class = "wikilink1" title = "documentation:2.0:configlocation" > how to use the command< / a > .
< / p >
< / div >
<!-- EDIT1 SECTION "Command Line Interface (lemonldap-ng-cli) examples" [1-205] -->
< h2 class = "sectionedit2" id = "configure_https" > Configure HTTPS< / h2 >
< div class = "level2" >
< p >
When setting up HTTPS, you first need to modify the Apache/Nginx configuration; then you must configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to change the portal <abbr title="Uniform Resource Locator">URL</abbr>, Handler redirections, cookie settings, etc.
< / p >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portal https://auth.example.com https 1 securedCookie 1< / pre >
< / div >
<!-- EDIT2 SECTION "Configure HTTPS" [206 - 532] -->
< h2 class = "sectionedit3" id = "configure_sessions_backend" > Configure sessions backend< / h2 >
< div class = "level2" >
< p >
For production, it is recommended to use the <a href="browseablesessionbackend.html" class="wikilink1" title="documentation:2.0:browseablesessionbackend">Browseable session backend</a>. Once the tables have been created with columns matching the indexed fields, the following commands can be executed to set all the session backends.
< / p >
< p >
In this example we have:
< / p >
< ul >
<li class="level1"><div class="li">Backend: PostgreSQL</div>
< / li >
< li class = "level1" > < div class = "li" > DB user: lemonldaplogin< / div >
< / li >
< li class = "level1" > < div class = "li" > DB password: lemonldappw< / div >
< / li >
< li class = "level1" > < div class = "li" > Database: lemonldapdb< / div >
< / li >
< li class = "level1" > < div class = "li" > Host: pg.example.com< / div >
< / li >
< / ul >
< ul >
< li class = "level1" > < div class = "li" > < abbr title = "Single Sign On" > SSO< / abbr > sessions:< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey globalStorageOptions Directory globalStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set globalStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey globalStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' globalStorageOptions UserName 'lemonldaplogin' globalStorageOptions Password 'lemonldappw' globalStorageOptions Commit 1 globalStorageOptions Index 'ipAddr _whatToTrace user' globalStorageOptions TableName 'sessions'</pre>
< ul >
< li class = "level1" > < div class = "li" > Persistent sessions:< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey persistentStorageOptions Directory persistentStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set persistentStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey persistentStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' persistentStorageOptions UserName 'lemonldaplogin' persistentStorageOptions Password 'lemonldappw' persistentStorageOptions Commit 1 persistentStorageOptions Index '_session_uid' persistentStorageOptions TableName 'psessions'</pre>
< ul >
< li class = "level1" > < div class = "li" > < abbr title = "Central Authentication Service" > CAS< / abbr > sessions< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set casStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey casStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' casStorageOptions UserName 'lemonldaplogin' casStorageOptions Password 'lemonldappw' casStorageOptions Commit 1 casStorageOptions Index '_cas_id' casStorageOptions TableName 'cassessions'</pre>
< ul >
< li class = "level1" > < div class = "li" > < abbr title = "Security Assertion Markup Language" > SAML< / abbr > sessions< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' samlStorageOptions UserName 'lemonldaplogin' samlStorageOptions Password 'lemonldappw' samlStorageOptions Commit 1 samlStorageOptions Index '_saml_id ProxyID _nameID _assert_id _art_id _session_id' samlStorageOptions TableName 'samlsessions'</pre>
< ul >
< li class = "level1" > < div class = "li" > OpenID Connect sessions< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' oidcStorageOptions UserName 'lemonldaplogin' oidcStorageOptions Password 'lemonldappw' oidcStorageOptions Commit 1 oidcStorageOptions TableName 'oidcsessions'</pre>
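<p>
The five command blocks above differ only in the storage key, the Index list and the table name. As an added example (not part of this page or of the LemonLDAP::NG project), the POSIX shell function below generates the equivalent lemonldap-ng-cli lines for one backend from shared database settings, so they can be reviewed before being run. It assumes the configuration keys shown above and reuses the page's constructed database values.
</p>

```shell
#!/bin/sh
# Added example, not LemonLDAP::NG project code: print the lemonldap-ng-cli
# commands that configure one Apache::Session::Browseable::Postgres backend.
# Assumes the configuration keys used on this page; the DB values are the
# page's constructed example values.
LLNG_CLI=/usr/share/lemonldap-ng/bin/lemonldap-ng-cli
DB_DSN='DBI:Pg:database=lemonldapdb;host=pg.example.com'
DB_USER='lemonldaplogin'
DB_PASS='lemonldappw'

# index_for_storage <storage>: the Index list the page sets for each backend.
# oidcStorage is configured without an Index on this page, so it prints nothing.
# Unknown storage names fail, so a typo cannot silently configure a new key.
index_for_storage() {
  case "$1" in
    globalStorage)     printf '%s' 'ipAddr _whatToTrace user' ;;
    persistentStorage) printf '%s' '_session_uid' ;;
    casStorage)        printf '%s' '_cas_id' ;;
    samlStorage)       printf '%s' '_saml_id ProxyID _nameID _assert_id _art_id _session_id' ;;
    oidcStorage)       printf '' ;;
    *)                 return 1 ;;
  esac
}

# storage_commands <storage> <table>: one CLI invocation per output line.
# Values are quoted without a leading space: a stray space inside the quotes
# would be stored as part of the DSN, user name or password.
storage_commands() {
  storage=$1
  table=$2
  opts="${storage}Options"
  index=$(index_for_storage "$storage") || return 1
  case "$storage" in
    # these two backends default to file storage; drop the file options first
    globalStorage|persistentStorage)
      printf '%s -yes 1 delKey %s Directory %s LockDirectory\n' \
        "$LLNG_CLI" "$opts" "$opts" ;;
  esac
  printf '%s -yes 1 set %s Apache::Session::Browseable::Postgres\n' "$LLNG_CLI" "$storage"
  printf "%s -yes 1 addKey %s DataSource '%s' %s UserName '%s' %s Password '%s' %s Commit 1" \
    "$LLNG_CLI" "$opts" "$DB_DSN" "$opts" "$DB_USER" "$opts" "$DB_PASS" "$opts"
  if [ -n "$index" ]; then
    printf " %s Index '%s'" "$opts" "$index"
  fi
  printf " %s TableName '%s'\n" "$opts" "$table"
}

# Usage: print the commands for every backend configured on this page.
storage_commands globalStorage sessions
storage_commands persistentStorage psessions
storage_commands casStorage cassessions
storage_commands samlStorage samlsessions
storage_commands oidcStorage oidcsessions
```

<p>
Pipe the output to sh only after reading it; the database password still appears on the command line of every generated invocation, exactly as in the page's own commands.
</p>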
< / div >
<!-- EDIT3 SECTION "Configure sessions backend" [533 - 3673] -->
< h2 class = "sectionedit4" id = "configure_virtual_host" > Configure virtual host< / h2 >
< div class = "level2" >
< p >
A virtual host must be defined in Apache/Nginx and access rules and exported headers must be configured in < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > .
< / p >
< p >
In this example we have:
< / p >
< ul >
< li class = "level1" > < div class = "li" > host: test.example.com< / div >
< / li >
< li class = "level1" > < div class = "li" > Access rules:< / div >
< ul >
< li class = "level2" > < div class = "li" > default ⇒ accept< / div >
< / li >
< li class = "level2" > < div class = "li" > Logout: ^/logout\.php ⇒ logout_sso< / div >
< / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > Headers:< / div >
< ul >
< li class = "level2" > < div class = "li" > Auth-User: $uid< / div >
< / li >
< li class = "level2" > < div class = "li" > Auth-Mail: $mail< / div >
< / li >
< / ul >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey 'locationRules/test.example.com' 'default' 'accept' 'locationRules/test.example.com' '(?#Logout)^/logout\.php' 'logout_sso' 'exportedHeaders/test.example.com' 'Auth-User' '$uid' 'exportedHeaders/test.example.com' 'Auth-Mail' '$mail'</pre>
< / div >
<!-- EDIT4 SECTION "Configure virtual host" [3674 - 4328] -->
< h2 class = "sectionedit5" id = "configure_ldap_authentication_backend" > Configure LDAP authentication backend< / h2 >
< div class = "level2" >
< p >
In this example we use:
< / p >
< ul >
< li class = "level1" > < div class = "li" > LDAP server: < a href = "cli_examples.html" class = "urlextern" title = "ldap://ldap.example.com" rel = "nofollow" > ldap://ldap.example.com< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > LDAP Bind < abbr title = "Distinguished Name" > DN< / abbr > : cn=lemonldapng,ou=dsa,dc=example,dc=com< / div >
< / li >
< li class = "level1" > < div class = "li" > LDAP Bind PW: changeit< / div >
< / li >
< li class = "level1" > < div class = "li" > LDAP search base: ou=users,dc=example,dc=com< / div >
< / li >
< li class = "level1" > < div class = "li" > LDAP attributes:< / div >
< ul >
< li class = "level2" > < div class = "li" > uid ⇒ uid< / div >
< / li >
< li class = "level2" > < div class = "li" > cn ⇒ cn< / div >
< / li >
< li class = "level2" > < div class = "li" > mail ⇒ mail< / div >
< / li >
< li class = "level2" > < div class = "li" > sn ⇒ sn< / div >
< / li >
< li class = "level2" > < div class = "li" > givenName ⇒ givenName< / div >
< / li >
< li class = "level2" > < div class = "li" > mobile ⇒ mobile< / div >
< / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > LDAP group base: ou=groups,dc=example,dc=com< / div >
< / li >
< li class = "level1" > < div class = "li" > Use recursive search for groups< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set authentication LDAP userDB LDAP passwordDB LDAP ldapServer 'ldap://ldap.example.com' managerDn 'cn=lemonldapng,ou=dsa,dc=example,dc=com' managerPassword 'changeit' ldapBase 'ou=users,dc=example,dc=com'
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey ldapExportedVars uid uid ldapExportedVars cn cn ldapExportedVars sn sn ldapExportedVars mobile mobile ldapExportedVars mail mail ldapExportedVars givenName givenName
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set ldapGroupBase 'ou=groups,dc=example,dc=com' ldapGroupObjectClass groupOfNames ldapGroupAttributeName member ldapGroupAttributeNameGroup dn ldapGroupAttributeNameSearch cn ldapGroupAttributeNameUser dn ldapGroupRecursive 1</pre>
< / div >
<!-- EDIT5 SECTION "Configure LDAP authentication backend" [4329 - 5582] -->
< h2 class = "sectionedit6" id = "configure_saml_identity_provider" > Configure SAML Identity Provider< / h2 >
< div class = "level2" >
< p >
Activate the < abbr title = "Security Assertion Markup Language" > SAML< / abbr > Issuer:
< / p >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBSAMLActivation 1< / pre >
< p >
You can then generate a private key and a self-signed certificate with these commands:
< / p >
< pre class = "code" > openssl genrsa -out saml.key 4096
openssl req -new -key saml.key -out saml.csr
openssl x509 -req -days 3650 -in saml.csr -signkey saml.key -out saml.pem< / pre >
< p >
Import them in configuration:
< / p >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlServicePrivateKeySig "`cat saml.key`" samlServicePublicKeySig "`cat saml.pem`"</pre>
< p >
You can also define organization name and < abbr title = "Uniform Resource Locator" > URL< / abbr > for < abbr title = "Security Assertion Markup Language" > SAML< / abbr > metadata:
< / p >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlOrganizationName 'ACME' samlOrganizationDisplayName 'ACME Corporation' samlOrganizationURL 'http://www.acme.com'</pre>
< / div >
<!-- EDIT6 SECTION "Configure SAML Identity Provider" [5583 - 6446] -->
< h2 class = "sectionedit7" id = "register_an_saml_service_provider" > Register an SAML Service Provider< / h2 >
< div class = "level2" >
< p >
In this example we have:
< / p >
< ul >
< li class = "level1" > < div class = "li" > SP configuration key: testsp< / div >
< / li >
< li class = "level1" > < div class = "li" > SP metadata file: metadata-testsp.xml< / div >
< / li >
<li class="level1"><div class="li">SP exported attribute: EmailAddress (filled with the mail session key)</div>
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlSPMetaDataXML/testsp samlSPMetaDataXML "`cat metadata-testsp.xml`" samlSPMetaDataExportedAttributes/testsp mail '1;EmailAddress'</pre>
< / div >
<!-- EDIT7 SECTION "Register an SAML Service Provider" [6447 - 6873] -->
< h2 class = "sectionedit8" id = "configure_openid_connect_identity_provider" > Configure OpenID Connect Identity Provider< / h2 >
< div class = "level2" >
< p >
Activate the OpenID Connect Issuer and set issuer name (equal to portal < abbr title = "Uniform Resource Locator" > URL< / abbr > ):
< / p >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBOpenIDConnectActivation 1 oidcServiceMetaDataIssuer http://auth.example.com< / pre >
< p >
Generate keys:
< / p >
< pre class = "code" > openssl genrsa -out oidc.key 4096
openssl rsa -pubout -in oidc.key -out oidc_pub.key< / pre >
< p >
Import them:
< / p >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServicePrivateKeySig "`cat oidc.key`" oidcServicePublicKeySig "`cat oidc_pub.key`" oidcServiceKeyIdSig "`genpasswd`"</pre>
< p >
If needed, you can allow the implicit and hybrid flows:
< / p >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServiceAllowImplicitFlow 1 oidcServiceAllowHybridFlow 1< / pre >
< / div >
<!-- EDIT8 SECTION "Configure OpenID Connect Identity Provider" [6874 - 7669] -->
< h2 class = "sectionedit9" id = "register_an_openid_connect_relying_party" > Register an OpenID Connect Relying Party< / h2 >
< div class = "level2" >
< p >
In this example we have:
< / p >
< ul >
< li class = "level1" > < div class = "li" > RP configuration key: testrp< / div >
< / li >
<li class="level1"><div class="li">Client ID: testclientid</div>
< / li >
<li class="level1"><div class="li">Client secret: testclientsecret</div>
< / li >
< li class = "level1" > < div class = "li" > Allowed redirection < abbr title = "Uniform Resource Locator" > URL< / abbr > :< / div >
< ul >
< li class = "level2" > < div class = "li" > For login: < a href = "https://testrp.example.com/?callback=1" class = "urlextern" title = "https://testrp.example.com/?callback=1" rel = "nofollow" > https://testrp.example.com/?callback=1< / a > < / div >
< / li >
< li class = "level2" > < div class = "li" > For logout: < a href = "https://testrp.example.com/" class = "urlextern" title = "https://testrp.example.com/" rel = "nofollow" > https://testrp.example.com/< / a > < / div >
< / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > Exported attributes:< / div >
< ul >
< li class = "level2" > < div class = "li" > email ⇒ mail< / div >
< / li >
<li class="level2"><div class="li">family_name ⇒ sn</div>
< / li >
< li class = "level2" > < div class = "li" > name ⇒ cn< / div >
< / li >
< / ul >
< / li >
< / ul >
< ul >
< li class = "level1" > < div class = "li" > Exported attributes:< / div >
< / li >
< / ul >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataExportedVars/testrp email mail oidcRPMetaDataExportedVars/testrp family_name sn oidcRPMetaDataExportedVars/testrp name cn< / pre >
< ul >
< li class = "level1" > < div class = "li" > Credentials:< / div >
< / li >
< / ul >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret< / pre >
< ul >
< li class = "level1" > < div class = "li" > Redirection:< / div >
< / li >
< / ul >
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'https://testrp.example.com/?callback=1' oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://testrp.example.com/'</pre>
< ul >
< li class = "level1" > < div class = "li" > Signature and token expiration:< / div >
< / li >
< / ul >
< pre class = "code" > /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600< / pre >
< / div >
<!-- EDIT9 SECTION "Register an OpenID Connect Relying Party" [7670 - ] --> < / div >
< / body >
< / html >