Differences


documentation:latest:cli_examples [2019/05/17 14:53]
coudot [Configure SAML Identity Provider]
documentation:latest:cli_examples [2019/06/28 10:58]
Line 1: Line 1:
-====== Command Line Interface (lemonldap-ng-cli) examples ====== 
- 
-This page shows some examples of LL::NG Command Line Interface. See [[configlocation#​command_line_interface_cli|how to use the command]]. 
- 
-===== Configure HTTPS ===== 
- 
-When setting HTTPS, you first need to modify Apache/​Nginx configuration,​ then you must configure LL::NG to change portal URL, Handler redirections,​ cookie settings, ... 
- 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        portal https://​auth.example.com \ 
-        https 1 \ 
-        securedCookie 1 
-</​code>​ 
- 
-===== Configure sessions backend ===== 
- 
-For production, it is recommended to use [[browseablesessionbackend|Browseable session backend]]. Once tables are created with columns corresponding to index, the following commands can be executed to set all the session backends. 
- 
-In this example we have: 
-  * Backend: PostGreSQL 
-  * DB user: lemonldaplogin 
-  * DB password: lemonldappw 
-  * Database: lemonldapdb 
-  * Host: pg.example.com 
- 
-  * SSO sessions: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    delKey \ 
-        globalStorageOptions Directory \ 
-        globalStorageOptions LockDirectory 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        globalStorage Apache::​Session::​Browseable::​Postgres 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        globalStorageOptions DataSource '​DBI:​Pg:​database=lemonldapdb;​host=pg.example.com'​ \ 
-        globalStorageOptions UserName '​lemonldaplogin'​ \ 
-        globalStorageOptions Password '​lemonldappw'​ \ 
-        globalStorageOptions Commit 1 \ 
-        globalStorageOptions Index '​ipAddr _whatToTrace user' \ 
-        globalStorageOptions TableName '​sessions'​ 
- 
-</​code>​ 
-  * Persistent sessions: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    delKey \ 
-        persistentStorageOptions Directory \ 
-        persistentStorageOptions LockDirectory 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        persistentStorage Apache::​Session::​Browseable::​Postgres 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        persistentStorageOptions DataSource '​DBI:​Pg:​database=lemonldapdb;​host=pg.example.com'​ \ 
-        persistentStorageOptions UserName '​lemonldaplogin'​ \ 
-        persistentStorageOptions Password '​lemonldappw'​ \ 
-        persistentStorageOptions Commit 1 \ 
-        persistentStorageOptions Index '​_session_uid'​ \ 
-        persistentStorageOptions TableName '​psessions'​ 
-</​code>​ 
-  * CAS sessions 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        casStorage Apache::​Session::​Browseable::​Postgres 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        casStorageOptions DataSource '​DBI:​Pg:​database=lemonldapdb;​host=pg.example.com'​ \ 
-        casStorageOptions UserName '​lemonldaplogin'​ \ 
-        casStorageOptions Password '​lemonldappw'​ \ 
-        casStorageOptions Commit 1 \ 
-        casStorageOptions Index '​_cas_id'​ \ 
-        casStorageOptions TableName '​cassessions'​ 
-</​code>​ 
-  * SAML sessions 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        samlStorage Apache::​Session::​Browseable::​Postgres 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-       ​samlStorageOptions DataSource '​DBI:​Pg:​database=lemonldapdb;​host=pg.example.com'​ \ 
-       ​samlStorageOptions UserName '​lemonldaplogin'​ \ 
-       ​samlStorageOptions Password '​lemonldappw'​ \ 
-       ​samlStorageOptions Commit 1 \ 
-       ​samlStorageOptions Index '​_saml_id ProxyID _nameID _assert_id _art_id _session_id'​ \ 
-       ​samlStorageOptions TableName '​samlsessions'​ 
-</​code>​ 
-  * OpenID Connect sessions 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-       ​oidcStorage Apache::​Session::​Browseable::​Postgres 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-       ​oidcStorageOptions DataSource '​DBI:​Pg:​database=lemonldapdb;​host=pg.example.com'​ \ 
-       ​oidcStorageOptions UserName '​lemonldaplogin'​ \ 
-       ​oidcStorageOptions Password '​lemonldappw'​ \ 
-       ​oidcStorageOptions Commit 1 \ 
-       ​oidcStorageOptions TableName '​oidcsessions'​ 
-</​code>​ 
- 
-===== Configure virtual host ===== 
- 
-A virtual host must be defined in Apache/​Nginx and access rules and exported headers must be configured in LL::NG. 
- 
-In this example we have: 
-  * host: test.example.com 
-  * Access rules: 
-    * default => accept 
-    * Logout: ^/​logout\.php => logout_sso 
-  * Headers: 
-    * Auth-User: $uid 
-    * Auth-Mail: $mail 
- 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        '​locationRules/​test.example.com'​ '​default'​ '​accept'​ \ 
-        '​locationRules/​test.example.com'​ '​(?#​Logout)^/​logout\.php'​ '​logout_sso'​ \ 
-        '​exportedHeaders/​test.example.com'​ '​Auth-User'​ '​$uid'​ \ 
-        '​exportedHeaders/​test.example.com'​ '​Auth-Mail'​ '​$mail'​ 
-</​code>​ 
- 
-===== Configure LDAP authentication backend ===== 
- 
-In this example we use: 
-  * LDAP server: ldap://​ldap.example.com 
-  * LDAP Bind DN : cn=lemonldapng,​ou=dsa,​dc=example,​dc=com 
-  * LDAP Bind PW: changeit 
-  * LDAP search base: ou=users,​dc=example,​dc=com 
-  * LDAP attributes: 
-    * uid => uid 
-    * cn => cn 
-    * mail => mail 
-    * sn => sn 
-    * givenName => givenName 
-    * mobile => mobile 
-  * LDAP group base: ou=groups,​dc=example,​dc=com 
-  * Use recursive search for groups 
- 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        authentication LDAP \ 
-        userDB LDAP \ 
-        passwordDB LDAP \ 
-        ldapServer '​ldap://​ldap.example.com'​ \ 
-        managerDn '​cn=lemonldapng,​ou=dsa,​dc=example,​dc=com'​ \ 
-        managerPassword '​changeit'​ \ 
-        ldapBase '​ou=users,​dc=example,​dc=com'​ 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        ldapExportedVars uid uid \ 
-        ldapExportedVars cn cn \ 
-        ldapExportedVars sn sn \ 
-        ldapExportedVars mobile mobile \ 
-        ldapExportedVars mail mail \ 
-        ldapExportedVars givenName givenName ​ 
- 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        ldapGroupBase '​ou=groups,​dc=example,​dc=com'​ \ 
-        ldapGroupObjectClass groupOfNames \ 
-        ldapGroupAttributeName member \ 
-        ldapGroupAttributeNameGroup dn \ 
-        ldapGroupAttributeNameSearch cn \ 
-        ldapGroupAttributeNameUser dn \ 
-        ldapGroupRecursive 1 
-</​code>​ 
- 
-===== Configure SAML Identity Provider ===== 
- 
-You can then generate a private key and a self-signed certificate with these commands; 
-<​code>​ 
-openssl req -new -newkey rsa:4096 -keyout saml.key -nodes ​ -out saml.pem -x509 -days 3650 
-</​code>​ 
- 
-Import them in configuration:​ 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        samlServicePrivateKeySig "`cat saml.key`"​ \ 
-        samlServicePublicKeySig "`cat saml.pem`"​ 
-</​code>​ 
- 
-Activate the SAML Issuer: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        issuerDBSAMLActivation 1 
-</​code>​ 
- 
-You can also define organization name and URL for SAML metadata: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        samlOrganizationName '​ACME'​ \ 
-        samlOrganizationDisplayName 'ACME Corporation'​ \ 
-        samlOrganizationURL '​http://​www.acme.com'​ 
-</​code>​ 
- 
-===== Register an SAML Service Provider ===== 
- 
-In this example we have: 
-  * SP configuration key: testsp 
-  * SP metadata file: metadata-testsp.xml 
-  * SP exported attribute: EmailAdress (filled with mail session key) 
- 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        samlSPMetaDataXML/​testsp samlSPMetaDataXML "`cat metadata-testsp.xml`"​ \ 
-        samlSPMetaDataExportedAttributes/​testsp mail '​1;​EmailAddress'​ 
-</​code> ​ 
- 
-===== Configure OpenID Connect Identity Provider ===== 
- 
- 
-Activate the OpenID Connect Issuer and set issuer name (equal to portal URL): 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        issuerDBOpenIDConnectActivation 1 \ 
-        oidcServiceMetaDataIssuer http://​auth.example.com 
-</​code>​ 
- 
-Generate keys: 
-<​code>​ 
-openssl genrsa -out oidc.key 4096 
-openssl rsa -pubout -in oidc.key -out oidc_pub.key 
-</​code>​ 
- 
-Import them: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        oidcServicePrivateKeySig "`cat oidc.key`"​ \ 
-        oidcServicePublicKeySig "`cat oidc_pub.key`"​ \ 
-        oidcServiceKeyIdSig "​`genpasswd`"​ 
-</​code>​ 
- 
-If needed you can allow implicit and hybrid flows: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    set \ 
-        oidcServiceAllowImplicitFlow 1 \ 
-        oidcServiceAllowHybridFlow 1 
-</​code>​ 
- 
-===== Register an OpenID Connect Relying Party ===== 
- 
-In this example we have: 
-  * RP configuration key: testrp 
-  * Client ID : testclientid 
-  * Client secret : testclientsecret 
-  * Allowed redirection URL: 
-    * For login: https://​testrp.example.com/?​callback=1 
-    * For logout: https://​testrp.example.com/​ 
-  * Exported attributes: 
-    * email => mail 
-    * familiy_name => sn 
-    * name => cn 
- 
-  * Exported attributes: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        oidcRPMetaDataExportedVars/​testrp email mail \ 
-        oidcRPMetaDataExportedVars/​testrp family_name sn \ 
-        oidcRPMetaDataExportedVars/​testrp name cn 
-</​code>​ 
-  * Credentials:​ 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        oidcRPMetaDataOptions/​testrp oidcRPMetaDataOptionsClientID testclientid \ 
-        oidcRPMetaDataOptions/​testrp oidcRPMetaDataOptionsClientSecret testclientsecret 
-</​code>​ 
-  * Redirection:​ 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        oidcRPMetaDataOptions/​testrp oidcRPMetaDataOptionsRedirectUris '​https://​testrp.example.com/?​callback=1'​ \ 
-        oidcRPMetaDataOptions/​testrp oidcRPMetaDataOptionsPostLogoutRedirectUris '​https://​testrp.example.com/'​ 
-</​code>​ 
-  * Signature and token expiration: 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        oidcRPMetaDataOptions/​testrp ​ oidcRPMetaDataOptionsIDTokenSignAlg RS512 \ 
-        oidcRPMetaDataOptions/​testrp ​ oidcRPMetaDataOptionsIDTokenExpiration 3600 \ 
-        oidcRPMetaDataOptions/​testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600 
-</​code>​ 
- 
- 
-===== Categories and applications in menu ===== 
- 
-Create the category "​applications":​ 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        applicationList/​applications type category \ 
-        applicationList/​applications catname Applications 
-</​code>​ 
- 
-Create the application "​sample"​ inside category "​applications":​ 
-<​code>​ 
-/​usr/​share/​lemonldap-ng/​bin/​lemonldap-ng-cli -yes 1 \ 
-    addKey \ 
-        applicationList/​applications/​sample type application \ 
-        applicationList/​applications/​sample/​options description "A sample application"​ \ 
-        applicationList/​applications/​sample/​options display "​auto"​ \ 
-        applicationList/​applications/​sample/​options logo "​tux.png"​ \ 
-        applicationList/​applications/​sample/​options name "​Sample application"​ \ 
-        applicationList/​applications/​sample/​options uri "​https://​sample.example.com/"​ 
-</​code>​
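Review bot: in the "Configure OpenID Connect Identity Provider" section, `oidcServiceMetaDataIssuer http://​auth.example.com` does not match the portal set earlier as `portal https://​auth.example.com`, even though the text says the issuer must equal the portal URL; OpenID Connect Discovery requires the issuer to be an https URL, so this should read `oidcServiceMetaDataIssuer https://auth.example.com` (the `samlOrganizationURL 'http://www.acme.com'` metadata value is harmless but would be better as https too). Two bullet/command mismatches should be fixed while here: the SP bullet says "EmailAdress" while the command sets `'1;EmailAddress'`, and the RP bullet says "familiy_name" while the command uses `family_name`; the command forms are the correct ones. `genpasswd` in `oidcServiceKeyIdSig "\`genpasswd\`"` is not defined anywhere on the page; say where it comes from or state that any unique string is acceptable as the key id. A caveat worth one sentence in the sessions, LDAP, SAML and OIDC sections: the DB and LDAP passwords and the `"\`cat saml.key\`"` / `"\`cat oidc.key\`"` private keys are passed as command-line arguments, so they land in the shell history and are visible in the process list while the command runs; readers should run these from a script with restricted permissions rather than typing them interactively. Minor style points: "with these commands;" should end with a colon, "an SAML Service Provider" should be "a SAML Service Provider", and the `oidcRPMetaDataOptionsIDTokenSignAlg` and `oidcRPMetaDataOptionsIDTokenExpiration` lines carry a stray double space after `oidcRPMetaDataOptions/testrp`.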