Command Line Interface (lemonldap-ng-cli) examples

This page shows some examples of LL::NG Command Line Interface. See how to use the command.

Configure HTTPS

When setting HTTPS, you first need to modify Apache/Nginx configuration, then you must configure LL::NG to change portal URL, Handler redirections, cookie settings, …

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portal https://auth.example.com https 1 securedCookie 1

Configure sessions backend

For production, it is recommended to use a Browseable session backend. Once the tables have been created with columns matching the configured indexes, the following commands set up all the session backends.

In this example we have:

  • Backend: PostgreSQL
  • DB user: lemonldaplogin
  • DB password: lemonldappw
  • Database: lemonldapdb
  • Host: pg.example.com
  • SSO sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey globalStorageOptions Directory globalStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set globalStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey globalStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' globalStorageOptions UserName 'lemonldaplogin' globalStorageOptions Password 'lemonldappw' globalStorageOptions Commit 1 globalStorageOptions Index 'ipAddr _whatToTrace user' globalStorageOptions TableName 'sessions'
  • Persistent sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey persistentStorageOptions Directory persistentStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set persistentStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey persistentStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' persistentStorageOptions UserName 'lemonldaplogin' persistentStorageOptions Password 'lemonldappw' persistentStorageOptions Commit 1 persistentStorageOptions Index '_session_uid' persistentStorageOptions TableName 'psessions'
  • CAS sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set casStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey casStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' casStorageOptions UserName 'lemonldaplogin' casStorageOptions Password 'lemonldappw' casStorageOptions Commit 1 casStorageOptions Index '_cas_id' casStorageOptions TableName 'cassessions'
  • SAML sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' samlStorageOptions UserName 'lemonldaplogin' samlStorageOptions Password 'lemonldappw' samlStorageOptions Commit 1 samlStorageOptions Index '_saml_id ProxyID _nameID _assert_id _art_id _session_id' samlStorageOptions TableName 'samlsessions'
  • OpenID Connect sessions:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' oidcStorageOptions UserName 'lemonldaplogin' oidcStorageOptions Password 'lemonldappw' oidcStorageOptions Commit 1 oidcStorageOptions TableName 'oidcsessions'
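The five storages above follow one pattern (drop the file-backend keys where a file backend was in use, switch the module, then add the DSN, credentials, indexes and table name). The script below is an added example, not part of the LL::NG documentation or project: it renders those CLI invocations from a few variables so the plan can be reviewed before it is piped into a shell, and it never runs the CLI itself. The CLI path, database name, user, password and host are the page's placeholder values, overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the LL::NG documentation): print the lemonldap-ng-cli
# calls that move one session storage to Apache::Session::Browseable::Postgres.
# The values below are the page's placeholders; override them in the environment.
LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"
DB_NAME="${DB_NAME:-lemonldapdb}"
DB_USER="${DB_USER:-lemonldaplogin}"
DB_PASS="${DB_PASS:-lemonldappw}"   # placeholder; supply from a secret store in practice
DB_HOST="${DB_HOST:-pg.example.com}"

# emit_storage_cmds STORAGE TABLE [INDEX]
#   STORAGE: configuration key without "Options" (globalStorage, casStorage, ...)
#   TABLE:   table holding this storage's sessions
#   INDEX:   space-separated session keys to index; omit it for storages without one
# Prints one CLI invocation per line.
emit_storage_cmds() {
    storage="$1"; table="$2"; index="${3:-}"
    opts="${storage}Options"
    dsn="DBI:Pg:database=${DB_NAME};host=${DB_HOST}"

    # Only the two storages the page migrates away from the file backend
    # carry Directory/LockDirectory keys that must be removed first.
    case "$storage" in
        globalStorage|persistentStorage)
            printf '%s -yes 1 delKey %s Directory %s LockDirectory\n' \
                "$LLNG_CLI" "$opts" "$opts" ;;
    esac

    printf '%s -yes 1 set %s Apache::Session::Browseable::Postgres\n' "$LLNG_CLI" "$storage"

    line="$LLNG_CLI -yes 1 addKey $opts DataSource '$dsn' $opts UserName '$DB_USER' $opts Password '$DB_PASS' $opts Commit 1"
    if [ -n "$index" ]; then
        line="$line $opts Index '$index'"
    fi
    printf '%s %s TableName %s\n' "$line" "$opts" "'$table'"
}

# count_storage_cmds STORAGE TABLE [INDEX]: 3 when a delKey step is needed, else 2.
count_storage_cmds() {
    emit_storage_cmds "$@" | wc -l | tr -d ' '
}

# emit_all: the complete plan from the page; pipe the output into "sh" to apply it.
emit_all() {
    emit_storage_cmds globalStorage sessions 'ipAddr _whatToTrace user'
    emit_storage_cmds persistentStorage psessions '_session_uid'
    emit_storage_cmds casStorage cassessions '_cas_id'
    emit_storage_cmds samlStorage samlsessions '_saml_id ProxyID _nameID _assert_id _art_id _session_id'
    emit_storage_cmds oidcStorage oidcsessions
}
```

Run `sh this.sh` and call `emit_all` (or `emit_all | sh` to apply) after sourcing it; the rendered lines are byte-for-byte the commands listed above, so a diff against the page is an easy review step before anything touches the configuration.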

Configure virtual host

A virtual host must be defined in Apache/Nginx and access rules and exported headers must be configured in LL::NG.

In this example we have:

  • host: test.example.com
  • Access rules:
    • default ⇒ accept
    • Logout: ^/logout\.php ⇒ logout_sso
  • Headers:
    • Auth-User: $uid
    • Auth-Mail: $mail
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey 'locationRules/test.example.com' 'default' 'accept' 'locationRules/test.example.com' '(?#Logout)^/logout\.php' 'logout_sso' 'exportedHeaders/test.example.com' 'Auth-User' '$uid' 'exportedHeaders/test.example.com' 'Auth-Mail' '$mail'

Configure LDAP authentication backend

In this example we use:

  • LDAP Bind DN : cn=lemonldapng,ou=dsa,dc=example,dc=com
  • LDAP Bind PW: changeit
  • LDAP search base: ou=users,dc=example,dc=com
  • LDAP attributes:
    • uid ⇒ uid
    • cn ⇒ cn
    • mail ⇒ mail
    • sn ⇒ sn
    • givenName ⇒ givenName
    • mobile ⇒ mobile
  • LDAP group base: ou=groups,dc=example,dc=com
  • Use recursive search for groups
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set authentication LDAP userDB LDAP passwordDB LDAP ldapServer 'ldap://ldap.example.com' managerDn 'cn=lemonldapng,ou=dsa,dc=example,dc=com' managerPassword 'changeit' ldapBase 'ou=users,dc=example,dc=com'
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey ldapExportedVars uid uid ldapExportedVars cn cn ldapExportedVars sn sn ldapExportedVars mobile mobile ldapExportedVars mail mail ldapExportedVars givenName givenName
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set ldapGroupBase 'ou=groups,dc=example,dc=com' ldapGroupObjectClass groupOfNames ldapGroupAttributeName member ldapGroupAttributeNameGroup dn ldapGroupAttributeNameSearch cn ldapGroupAttributeNameUser dn ldapGroupRecursive 1

Configure SAML Identity Provider

Activate the SAML Issuer:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBSAMLActivation 1

You can then generate a private key and a self-signed certificate with these commands:

openssl genrsa -out saml.key 4096
openssl req -new -key saml.key -out saml.csr
openssl x509 -req -days 3650 -in saml.csr -signkey saml.key -out saml.pem

Import them in configuration:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlServicePrivateKeySig "`cat saml.key`" samlServicePublicKeySig "`cat saml.pem`"

You can also define organization name and URL for SAML metadata:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlOrganizationName 'ACME' samlOrganizationDisplayName 'ACME Corporation' samlOrganizationURL 'http://www.acme.com'

Register a SAML Service Provider

In this example we have:

  • SP configuration key: testsp
  • SP metadata file: metadata-testsp.xml
  • SP exported attribute: EmailAddress (filled with mail session key)
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlSPMetaDataXML/testsp samlSPMetaDataXML "`cat metadata-testsp.xml`" samlSPMetaDataExportedAttributes/testsp mail '1;EmailAddress'

Configure OpenID Connect Identity Provider

Activate the OpenID Connect Issuer and set issuer name (equal to portal URL):

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBOpenIDConnectActivation 1 oidcServiceMetaDataIssuer http://auth.example.com

Generate keys:

openssl genrsa -out oidc.key 4096
openssl rsa -pubout -in oidc.key -out oidc_pub.key

Import them:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServicePrivateKeySig "`cat oidc.key`" oidcServicePublicKeySig "`cat oidc_pub.key`" oidcServiceKeyIdSig "`genpasswd`"

If needed you can allow implicit and hybrid flows:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServiceAllowImplicitFlow 1 oidcServiceAllowHybridFlow 1

Register an OpenID Connect Relying Party

In this example we have:

  • Exported attributes:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataExportedVars/testrp email mail oidcRPMetaDataExportedVars/testrp family_name sn oidcRPMetaDataExportedVars/testrp name cn
  • Credentials:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret
  • Redirection:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'https://testrp.example.com/?callback=1' oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://testrp.example.com/'
  • Signature and token expiration:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600

Categories and applications in menu

Create the category “applications”:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/applications type category applicationList/applications catname Applications

Create the application “sample” inside category “applications”:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/applications/sample type application applicationList/applications/sample/options description 'A sample application' applicationList/applications/sample/options display 'auto' applicationList/applications/sample/options logo 'tux.png' applicationList/applications/sample/options name 'Sample application' applicationList/applications/sample/options uri 'https://sample.example.com/'