Command Line Interface (lemonldap-ng-cli) examples

This page shows some examples of LL::NG Command Line Interface. See how to use the command.

Save/restore configuration

Save:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli save >config.json

Restore:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore config.json
# Or
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - <config.json

Configure HTTPS

When setting HTTPS, you first need to modify Apache/Nginx configuration, then you must configure LL::NG to change portal URL, Handler redirections, cookie settings, ...

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        portal https://auth.example.com \
        mailUrl https://auth.example.com/resetpwd \
        registerUrl https://auth.example.com/register \
        https 1 \
        securedCookie 1

Configure sessions backend

For production, it is recommended to use Browseable session backend. Once tables are created with columns corresponding to index, the following commands can be executed to set all the session backends.

In this example we have:

  • Backend: PostGreSQL
  • DB user: lemonldaplogin
  • DB password: lemonldappw
  • Database: lemonldapdb
  • Host: pg.example.com
  • SSO sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    delKey \
        globalStorageOptions Directory \
        globalStorageOptions LockDirectory

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        globalStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        globalStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        globalStorageOptions UserName 'lemonldaplogin' \
        globalStorageOptions Password 'lemonldappw' \
        globalStorageOptions Commit 1 \
        globalStorageOptions Index 'ipAddr _whatToTrace user' \
        globalStorageOptions TableName 'sessions'
  • Persistent sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    delKey \
        persistentStorageOptions Directory \
        persistentStorageOptions LockDirectory

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        persistentStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        persistentStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        persistentStorageOptions UserName 'lemonldaplogin' \
        persistentStorageOptions Password 'lemonldappw' \
        persistentStorageOptions Commit 1 \
        persistentStorageOptions Index '_session_uid' \
        persistentStorageOptions TableName 'psessions'
  • CAS sessions
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        casStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        casStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        casStorageOptions UserName 'lemonldaplogin' \
        casStorageOptions Password 'lemonldappw' \
        casStorageOptions Commit 1 \
        casStorageOptions Index '_cas_id' \
        casStorageOptions TableName 'cassessions'
  • SAML sessions
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        samlStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
       samlStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
       samlStorageOptions UserName 'lemonldaplogin' \
       samlStorageOptions Password 'lemonldappw' \
       samlStorageOptions Commit 1 \
       samlStorageOptions Index '_saml_id ProxyID _nameID _assert_id _art_id _session_id' \
       samlStorageOptions TableName 'samlsessions'
  • OpenID Connect sessions
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
       oidcStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
       oidcStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
       oidcStorageOptions UserName 'lemonldaplogin' \
       oidcStorageOptions Password 'lemonldappw' \
       oidcStorageOptions Commit 1 \
       oidcStorageOptions TableName 'oidcsessions'

Configure virtual host

A virtual host must be defined in Apache/Nginx and access rules and exported headers must be configured in LL::NG.

In this example we have:

  • host: test.example.com
  • Access rules:
    • default => accept
    • Logout: ^/logout\.php => logout_sso
  • Headers:
    • Auth-User: $uid
    • Auth-Mail: $mail
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        'locationRules/test.example.com' 'default' 'accept' \
        'locationRules/test.example.com' '(?#Logout)^/logout\.php' 'logout_sso' \
        'exportedHeaders/test.example.com' 'Auth-User' '$uid' \
        'exportedHeaders/test.example.com' 'Auth-Mail' '$mail'

Configure LDAP authentication backend

In this example we use:

  • LDAP Bind DN : cn=lemonldapng,ou=dsa,dc=example,dc=com
  • LDAP Bind PW: changeit
  • LDAP search base: ou=users,dc=example,dc=com
  • LDAP attributes:
    • uid => uid
    • cn => cn
    • mail => mail
    • sn => sn
    • givenName => givenName
    • mobile => mobile
  • LDAP group base: ou=groups,dc=example,dc=com
  • Use recursive search for groups
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        authentication LDAP \
        userDB LDAP \
        passwordDB LDAP \
        ldapServer 'ldap://ldap.example.com' \
        managerDn 'cn=lemonldapng,ou=dsa,dc=example,dc=com' \
        managerPassword 'changeit' \
        ldapBase 'ou=users,dc=example,dc=com'

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        ldapExportedVars uid uid \
        ldapExportedVars cn cn \
        ldapExportedVars sn sn \
        ldapExportedVars mobile mobile \
        ldapExportedVars mail mail \
        ldapExportedVars givenName givenName 

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        ldapGroupBase 'ou=groups,dc=example,dc=com' \
        ldapGroupObjectClass groupOfNames \
        ldapGroupAttributeName member \
        ldapGroupAttributeNameGroup dn \
        ldapGroupAttributeNameSearch cn \
        ldapGroupAttributeNameUser dn \
        ldapGroupRecursive 1

Configure SAML Identity Provider

You can then generate a private key and a self-signed certificate with these commands;

openssl req -new -newkey rsa:4096 -keyout saml.key -nodes  -out saml.pem -x509 -days 3650

Import them in configuration:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        samlServicePrivateKeySig "`cat saml.key`" \
        samlServicePublicKeySig "`cat saml.pem`"

Activate the SAML Issuer:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        issuerDBSAMLActivation 1

You can also define organization name and URL for SAML metadata:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        samlOrganizationName 'ACME' \
        samlOrganizationDisplayName 'ACME Corporation' \
        samlOrganizationURL 'http://www.acme.com'

Register an SAML Service Provider

In this example we have:

  • SP configuration key: testsp
  • SP metadata file: metadata-testsp.xml
  • SP exported attribute: EmailAdress (filled with mail session key)
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        samlSPMetaDataXML/testsp samlSPMetaDataXML "`cat metadata-testsp.xml`" \
        samlSPMetaDataExportedAttributes/testsp mail '1;EmailAddress'

Configure OpenID Connect Identity Provider

Activate the OpenID Connect Issuer and set issuer name (equal to portal URL):

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        issuerDBOpenIDConnectActivation 1 \
        oidcServiceMetaDataIssuer http://auth.example.com

Generate keys:

openssl genrsa -out oidc.key 4096
openssl rsa -pubout -in oidc.key -out oidc_pub.key

Import them:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        oidcServicePrivateKeySig "`cat oidc.key`" \
        oidcServicePublicKeySig "`cat oidc_pub.key`" \
        oidcServiceKeyIdSig "`genpasswd`"

If needed you can allow implicit and hybrid flows:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        oidcServiceAllowImplicitFlow 1 \
        oidcServiceAllowHybridFlow 1

Register an OpenID Connect Relying Party

In this example we have:

  • Exported attributes:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataExportedVars/testrp email mail \
        oidcRPMetaDataExportedVars/testrp family_name sn \
        oidcRPMetaDataExportedVars/testrp name cn
  • Credentials:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret
  • Redirection:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'https://testrp.example.com/?callback=1' \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://testrp.example.com/'
  • Signature and token expiration:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp  oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
        oidcRPMetaDataOptions/testrp  oidcRPMetaDataOptionsIDTokenExpiration 3600 \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600

Categories and applications in menu

Create the category “applications”:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        applicationList/applications type category \
        applicationList/applications catname Applications

Create the application “sample” inside category “applications”:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        applicationList/applications/sample type application \
        applicationList/applications/sample/options description "A sample application" \
        applicationList/applications/sample/options display "auto" \
        applicationList/applications/sample/options logo "tux.png" \
        applicationList/applications/sample/options name "Sample application" \
        applicationList/applications/sample/options uri "https://sample.example.com/"