lemonldap-ng/po-doc/fr/pages/documentation/current/cli_examples.html
Xavier Guimard a8cdb046da Update doc
2018-05-17 21:42:46 +02:00


<!DOCTYPE html>
<html lang="fr" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:cli_examples</title><!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,cli_examples"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="cli_examples.html"/>
<link rel="contents" href="cli_examples.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:cli_examples","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script><!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#configure_https">Configure HTTPS</a></div></li>
<li class="level1"><div class="li"><a href="#configure_sessions_backend">Configure sessions backend</a></div></li>
<li class="level1"><div class="li"><a href="#configure_virtual_host">Configure virtual host</a></div></li>
<li class="level1"><div class="li"><a href="#configure_ldap_authentication_backend">Configure LDAP authentication backend</a></div></li>
<li class="level1"><div class="li"><a href="#configure_saml_identity_provider">Configure SAML Identity Provider</a></div></li>
<li class="level1"><div class="li"><a href="#register_an_saml_service_provider">Register a SAML Service Provider</a></div></li>
<li class="level1"><div class="li"><a href="#configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</a></div></li>
<li class="level1"><div class="li"><a href="#register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</a></div></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="command_line_interface_lemonldap-ng-cli_examples">Command Line Interface (lemonldap-ng-cli) examples</h1>
<div class="level1">
<p>
This page shows some examples of the <abbr title="LemonLDAP::NG">LL::NG</abbr> Command Line Interface. See <a href="configlocation.html#command_line_interface_cli" class="wikilink1" title="documentation:2.0:configlocation">how to use the command</a>.
</p>
</div><!-- EDIT1 SECTION "Command Line Interface (lemonldap-ng-cli) examples" [1-205] -->
<h2 class="sectionedit2" id="configure_https">Configure HTTPS</h2>
<div class="level2">
<p>
When enabling HTTPS, you first need to modify the Apache/Nginx configuration, then you must configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to change the portal <abbr title="Uniform Resource Locator">URL</abbr>, Handler redirections, cookie settings, …
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portal https://auth.example.com https 1 securedCookie 1</pre>
</div><!-- EDIT2 SECTION "Configure HTTPS" [206-532] -->
<h2 class="sectionedit3" id="configure_sessions_backend">Configure sessions backend</h2>
<div class="level2">
<p>
For production, it is recommended to use the <a href="browseablesessionbackend.html" class="wikilink1" title="documentation:2.0:browseablesessionbackend">Browseable session backend</a>. Once the tables are created with one column per indexed field, the following commands can be executed to set all the session backends.
</p>
<p>
In this example we have:
</p>
<ul>
<li class="level1"><div class="li"> Backend: PostgreSQL</div>
</li>
<li class="level1"><div class="li"> DB user: lemonldaplogin</div>
</li>
<li class="level1"><div class="li"> DB password: lemonldappw</div>
</li>
<li class="level1"><div class="li"> Database: lemonldapdb</div>
</li>
<li class="level1"><div class="li"> Host: pg.example.com</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> <abbr title="Single Sign On">SSO</abbr> sessions:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey globalStorageOptions Directory globalStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set globalStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey globalStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' globalStorageOptions UserName 'lemonldaplogin' globalStorageOptions Password 'lemonldappw' globalStorageOptions Commit 1 globalStorageOptions Index 'ipAddr _whatToTrace user' globalStorageOptions TableName 'sessions'</pre>
<ul>
<li class="level1"><div class="li"> Persistent sessions:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey persistentStorageOptions Directory persistentStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set persistentStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey persistentStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' persistentStorageOptions UserName 'lemonldaplogin' persistentStorageOptions Password 'lemonldappw' persistentStorageOptions Commit 1 persistentStorageOptions Index '_session_uid' persistentStorageOptions TableName 'psessions'</pre>
<ul>
<li class="level1"><div class="li"> <abbr title="Central Authentication Service">CAS</abbr> sessions</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set casStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey casStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' casStorageOptions UserName 'lemonldaplogin' casStorageOptions Password 'lemonldappw' casStorageOptions Commit 1 casStorageOptions Index '_cas_id' casStorageOptions TableName 'cassessions'</pre>
<ul>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> sessions</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' samlStorageOptions UserName 'lemonldaplogin' samlStorageOptions Password 'lemonldappw' samlStorageOptions Commit 1 samlStorageOptions Index '_saml_id ProxyID _nameID _assert_id _art_id _session_id' samlStorageOptions TableName 'samlsessions'</pre>
<ul>
<li class="level1"><div class="li"> OpenID Connect sessions</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' oidcStorageOptions UserName 'lemonldaplogin' oidcStorageOptions Password 'lemonldappw' oidcStorageOptions Commit 1 oidcStorageOptions TableName 'oidcsessions'</pre>
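The five command groups above repeat the same DSN and database credentials; the script below is an added example, not part of the LL::NG documentation, that wraps them in one function per backend, using the page's example values. The `configure_backend` and `run_cli` helpers are assumptions of this example, and commands are only printed until `LLNG_DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not part of the LL::NG documentation: configure every
# Browseable session backend from one script so that the DSN and the DB
# credentials are written once. Values are the page's example values.
set -eu

LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"
LLNG_DRY_RUN="${LLNG_DRY_RUN:-1}"   # 1 = print the commands, 0 = apply them
DSN='DBI:Pg:database=lemonldapdb;host=pg.example.com'
DB_USER='lemonldaplogin'
DB_PASS='lemonldappw'   # in production, read this from a root-only file

# run_cli ARGS... : run lemonldap-ng-cli -yes 1 ARGS, or print the command
run_cli() {
    if [ "$LLNG_DRY_RUN" = 1 ]; then
        printf '%s -yes 1' "$LLNG_CLI"
        for a in "$@"; do printf " '%s'" "$a"; done
        printf '\n'
    else
        "$LLNG_CLI" -yes 1 "$@"
    fi
}

# configure_backend PREFIX TABLE INDEX
#   PREFIX: configuration key stem (globalStorage, casStorage, ...)
#   INDEX : space-separated indexed session keys, '' for none (OIDC)
configure_backend() {
    prefix=$1; table=$2; index=$3
    opts="${prefix}Options"
    run_cli set "$prefix" Apache::Session::Browseable::Postgres
    if [ -n "$index" ]; then
        run_cli addKey "$opts" DataSource "$DSN" "$opts" UserName "$DB_USER" \
            "$opts" Password "$DB_PASS" "$opts" Commit 1 \
            "$opts" Index "$index" "$opts" TableName "$table"
    else
        run_cli addKey "$opts" DataSource "$DSN" "$opts" UserName "$DB_USER" \
            "$opts" Password "$DB_PASS" "$opts" Commit 1 "$opts" TableName "$table"
    fi
}

configure_all_backends() {
    # the default file backend leaves Directory/LockDirectory options behind;
    # the page removes them for SSO and persistent sessions
    run_cli delKey globalStorageOptions Directory globalStorageOptions LockDirectory
    run_cli delKey persistentStorageOptions Directory persistentStorageOptions LockDirectory
    configure_backend globalStorage     sessions     'ipAddr _whatToTrace user'
    configure_backend persistentStorage psessions    '_session_uid'
    configure_backend casStorage        cassessions  '_cas_id'
    configure_backend samlStorage       samlsessions '_saml_id ProxyID _nameID _assert_id _art_id _session_id'
    configure_backend oidcStorage       oidcsessions ''
}

configure_all_backends
```

Run it once to review the generated commands, then rerun with `LLNG_DRY_RUN=0` to apply them.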
</div><!-- EDIT3 SECTION "Configure sessions backend" [533-3673] -->
<h2 class="sectionedit4" id="configure_virtual_host">Configure virtual host</h2>
<div class="level2">
<p>
A virtual host must be defined in Apache/Nginx, and its access rules and exported headers must be configured in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
<p>
In this example we have:
</p>
<ul>
<li class="level1"><div class="li"> host: test.example.com</div>
</li>
<li class="level1"><div class="li"> Access rules:</div>
<ul>
<li class="level2"><div class="li"> default ⇒ accept</div>
</li>
<li class="level2"><div class="li"> Logout: ^/logout\.php ⇒ logout_sso</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Headers:</div>
<ul>
<li class="level2"><div class="li"> Auth-User: $uid</div>
</li>
<li class="level2"><div class="li"> Auth-Mail: $mail</div>
</li>
</ul>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey 'locationRules/test.example.com' 'default' 'accept' 'locationRules/test.example.com' '(?#Logout)^/logout\.php' 'logout_sso' 'exportedHeaders/test.example.com' 'Auth-User' '$uid' 'exportedHeaders/test.example.com' 'Auth-Mail' '$mail'</pre>
</div><!-- EDIT4 SECTION "Configure virtual host" [3674-4328] -->
<h2 class="sectionedit5" id="configure_ldap_authentication_backend">Configure LDAP authentication backend</h2>
<div class="level2">
<p>
In this example we use:
</p>
<ul>
<li class="level1"><div class="li"> LDAP server: <a href="ldap://ldap.example.com" class="urlextern" title="ldap://ldap.example.com" rel="nofollow">ldap://ldap.example.com</a></div>
</li>
<li class="level1"><div class="li"> LDAP Bind <abbr title="Distinguished Name">DN</abbr>: cn=lemonldapng,ou=dsa,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> LDAP Bind PW: changeit</div>
</li>
<li class="level1"><div class="li"> LDAP search base: ou=users,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> LDAP attributes:</div>
<ul>
<li class="level2"><div class="li"> uid ⇒ uid</div>
</li>
<li class="level2"><div class="li"> cn ⇒ cn</div>
</li>
<li class="level2"><div class="li"> mail ⇒ mail</div>
</li>
<li class="level2"><div class="li"> sn ⇒ sn</div>
</li>
<li class="level2"><div class="li"> givenName ⇒ givenName</div>
</li>
<li class="level2"><div class="li"> mobile ⇒ mobile</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> LDAP group base: ou=groups,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> Use recursive search for groups</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set authentication LDAP userDB LDAP passwordDB LDAP ldapServer 'ldap://ldap.example.com' managerDn 'cn=lemonldapng,ou=dsa,dc=example,dc=com' managerPassword 'changeit' ldapBase 'ou=users,dc=example,dc=com'
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey ldapExportedVars uid uid ldapExportedVars cn cn ldapExportedVars sn sn ldapExportedVars mobile mobile ldapExportedVars mail mail ldapExportedVars givenName givenName
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set ldapGroupBase 'ou=groups,dc=example,dc=com' ldapGroupObjectClass groupOfNames ldapGroupAttributeName member ldapGroupAttributeNameGroup dn ldapGroupAttributeNameSearch cn ldapGroupAttributeNameUser dn ldapGroupRecursive 1</pre>
</div><!-- EDIT5 SECTION "Configure LDAP authentication backend" [4329-5582] -->
<h2 class="sectionedit6" id="configure_saml_identity_provider">Configure SAML Identity Provider</h2>
<div class="level2">
<p>
Activate the <abbr title="Security Assertion Markup Language">SAML</abbr> Issuer:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBSAMLActivation 1</pre>
<p>
You can then generate a private key and a self-signed certificate with these commands:
</p>
<pre class="code">openssl genrsa -out saml.key 4096
openssl req -new -key saml.key -out saml.csr
openssl x509 -req -days 3650 -in saml.csr -signkey saml.key -out saml.pem</pre>
<p>
Import them in configuration:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlServicePrivateKeySig "`cat saml.key`" samlServicePublicKeySig "`cat saml.pem`"</pre>
<p>
You can also define organization name and <abbr title="Uniform Resource Locator">URL</abbr> for <abbr title="Security Assertion Markup Language">SAML</abbr> metadata:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlOrganizationName 'ACME' samlOrganizationDisplayName 'ACME Corporation' samlOrganizationURL 'http://www.acme.com'</pre>
</div><!-- EDIT6 SECTION "Configure SAML Identity Provider" [5583-6446] -->
<h2 class="sectionedit7" id="register_an_saml_service_provider">Register a SAML Service Provider</h2>
<div class="level2">
<p>
In this example we have:
</p>
<ul>
<li class="level1"><div class="li"> SP configuration key: testsp</div>
</li>
<li class="level1"><div class="li"> SP metadata file: metadata-testsp.xml</div>
</li>
<li class="level1"><div class="li"> SP exported attribute: EmailAddress (filled with the mail session key)</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlSPMetaDataXML/testsp samlSPMetaDataXML "`cat metadata-testsp.xml`" samlSPMetaDataExportedAttributes/testsp mail '1;EmailAddress'</pre>
</div><!-- EDIT7 SECTION "Register an SAML Service Provider" [6447-6873] -->
<h2 class="sectionedit8" id="configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</h2>
<div class="level2">
<p>
Activate the OpenID Connect Issuer and set the issuer name (equal to the portal <abbr title="Uniform Resource Locator">URL</abbr>):
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBOpenIDConnectActivation 1 oidcServiceMetaDataIssuer http://auth.example.com</pre>
<p>
Generate keys:
</p>
<pre class="code">openssl genrsa -out oidc.key 4096
openssl rsa -pubout -in oidc.key -out oidc_pub.key</pre>
<p>
Import them:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServicePrivateKeySig "`cat oidc.key`" oidcServicePublicKeySig "`cat oidc_pub.key`" oidcServiceKeyIdSig "`genpasswd`"</pre>
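Both the SAML section (saml.key/saml.pem) and the OIDC import above feed key material into the configuration with no check that the private key and the certificate or public key belong together; a mismatch surfaces later as signature failures on the SP/RP side. The script below is an added example, not part of the LL::NG documentation; its `check_material` and `keypair_matches` helpers are assumptions of this example and rely only on the openssl CLI.

```shell
#!/bin/sh
# Added example, not part of the LL::NG documentation: sanity-check the
# SAML (saml.key/saml.pem) and OIDC (oidc.key/oidc_pub.key) material before
# it is imported with lemonldap-ng-cli.
set -eu

# pubkey_fingerprint FILE : SHA-256 of the DER-encoded public key in FILE,
# which may be a private key, a PEM public key or an X.509 certificate
pubkey_fingerprint() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -noout -pubkey
    elif grep -q 'BEGIN PUBLIC KEY' "$1"; then
        cat "$1"
    else
        openssl pkey -in "$1" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# keypair_matches PRIVATE PUBLIC_OR_CERT : succeed if both carry the same public key
keypair_matches() {
    a=$(pubkey_fingerprint "$1"); b=$(pubkey_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_material PRIVATE PUBLIC_OR_CERT [MIN_DAYS]
#   fail if the pair is inconsistent or (certificates only) if it expires
#   within MIN_DAYS days (default 30), i.e. before the next rotation window
check_material() {
    key=$1; pub=$2; min_days=${3:-30}
    if ! keypair_matches "$key" "$pub"; then
        echo "ERROR: public key in $pub does not belong to $key" >&2
        return 1
    fi
    if grep -q 'BEGIN CERTIFICATE' "$pub" &&
       ! openssl x509 -in "$pub" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "ERROR: $pub expires within $min_days days" >&2
        return 1
    fi
    echo "OK: $key and $pub are a consistent pair"
}

# Usage: check_material saml.key saml.pem ; check_material oidc.key oidc_pub.key
if [ $# -ge 2 ]; then
    check_material "$@"
fi
```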
<p>
If needed, you can allow the implicit and hybrid flows:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServiceAllowImplicitFlow 1 oidcServiceAllowHybridFlow 1</pre>
</div><!-- EDIT8 SECTION "Configure OpenID Connect Identity Provider" [6874-7669] -->
<h2 class="sectionedit9" id="register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</h2>
<div class="level2">
<p>
In this example we have:
</p>
<ul>
<li class="level1"><div class="li"> RP configuration key: testrp</div>
</li>
<li class="level1"><div class="li"> Client ID: testclientid</div>
</li>
<li class="level1"><div class="li"> Client secret: testclientsecret</div>
</li>
<li class="level1"><div class="li"> Allowed redirection <abbr title="Uniform Resource Locator">URL</abbr>:</div>
<ul>
<li class="level2"><div class="li"> For login: <a href="https://testrp.example.com/?callback=1" class="urlextern" title="https://testrp.example.com/?callback=1" rel="nofollow">https://testrp.example.com/?callback=1</a></div>
</li>
<li class="level2"><div class="li"> For logout: <a href="https://testrp.example.com/" class="urlextern" title="https://testrp.example.com/" rel="nofollow">https://testrp.example.com/</a></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Exported attributes:</div>
<ul>
<li class="level2"><div class="li"> email ⇒ mail</div>
</li>
<li class="level2"><div class="li"> family_name ⇒ sn</div>
</li>
<li class="level2"><div class="li"> name ⇒ cn</div>
</li>
</ul>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Exported attributes:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataExportedVars/testrp email mail oidcRPMetaDataExportedVars/testrp family_name sn oidcRPMetaDataExportedVars/testrp name cn</pre>
<ul>
<li class="level1"><div class="li"> Credentials:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret</pre>
<ul>
<li class="level1"><div class="li"> Redirection:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'https://testrp.example.com/?callback=1' oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://testrp.example.com/'</pre>
<ul>
<li class="level1"><div class="li"> Signature and token expiration:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
</div><!-- EDIT9 SECTION "Register an OpenID Connect Relying Party" [7670-] -->
</div>
</body>
</html>