documentation:latest:cli_examples [2019/06/28 10:58]
documentation:latest:cli_examples [2019/11/07 14:04] (current)
====== Command Line Interface (lemonldap-ng-cli) examples ======

This page shows some examples of the LL::NG Command Line Interface. See [[configlocation#command_line_interface_cli|how to use the command]].

===== Save/restore configuration =====

This feature requires LL::NG 2.0.5 or later.

Save:
<code sh>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli save >config.json
</code>

Restore:
<code sh>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore config.json
# Or read the dump from standard input
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - <config.json
</code>

===== Configure HTTPS =====

When switching to HTTPS, first update the Apache/Nginx configuration, then reconfigure LL::NG so that the portal URL, the Handler redirections and the cookie settings follow: the portal, password-reset and registration URLs must use the new scheme, and securedCookie marks the SSO cookie as Secure so browsers only send it over HTTPS.

<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        portal https://auth.example.com \
        mailUrl https://auth.example.com/resetpwd \
        registerUrl https://auth.example.com/register \
        https 1 \
        securedCookie 1
</code>

===== Configure sessions backend =====

For production, it is recommended to use the [[browseablesessionbackend|Browseable session backend]]. Once the tables have been created, with one column for each field listed in the Index option, the following commands set all the session backends.

In this example we have:
  * Backend: PostgreSQL
  * DB user: lemonldaplogin
  * DB password: lemonldappw
  * Database: lemonldapdb
  * Host: pg.example.com

  * SSO sessions (the Directory and LockDirectory options of the default file backend are removed first):
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    delKey \
        globalStorageOptions Directory \
        globalStorageOptions LockDirectory

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        globalStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        globalStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        globalStorageOptions UserName 'lemonldaplogin' \
        globalStorageOptions Password 'lemonldappw' \
        globalStorageOptions Commit 1 \
        globalStorageOptions Index 'ipAddr _whatToTrace user' \
        globalStorageOptions TableName 'sessions'
</code>
  * Persistent sessions:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    delKey \
        persistentStorageOptions Directory \
        persistentStorageOptions LockDirectory

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        persistentStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        persistentStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        persistentStorageOptions UserName 'lemonldaplogin' \
        persistentStorageOptions Password 'lemonldappw' \
        persistentStorageOptions Commit 1 \
        persistentStorageOptions Index '_session_uid' \
        persistentStorageOptions TableName 'psessions'
</code>
  * CAS sessions:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        casStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        casStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        casStorageOptions UserName 'lemonldaplogin' \
        casStorageOptions Password 'lemonldappw' \
        casStorageOptions Commit 1 \
        casStorageOptions Index '_cas_id' \
        casStorageOptions TableName 'cassessions'
</code>
  * SAML sessions:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        samlStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        samlStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        samlStorageOptions UserName 'lemonldaplogin' \
        samlStorageOptions Password 'lemonldappw' \
        samlStorageOptions Commit 1 \
        samlStorageOptions Index '_saml_id ProxyID _nameID _assert_id _art_id _session_id' \
        samlStorageOptions TableName 'samlsessions'
</code>
  * OpenID Connect sessions:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        oidcStorage Apache::Session::Browseable::Postgres

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcStorageOptions DataSource 'DBI:Pg:database=lemonldapdb;host=pg.example.com' \
        oidcStorageOptions UserName 'lemonldaplogin' \
        oidcStorageOptions Password 'lemonldappw' \
        oidcStorageOptions Commit 1 \
        oidcStorageOptions TableName 'oidcsessions'
</code>

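The five blocks above differ only in the option prefix, the table name and the index list. The script below is an added illustration, not part of the LL::NG documentation: it folds the five into one function that keeps the same delKey/set/addKey sequence, and it reads the database password from a 0600 file instead of typing it on the command line, where it would otherwise remain in the shell history. The CLI path, the PG_* variables and the LLNG_CLI override are assumptions of this example; the tables are assumed to exist already with one column per indexed field.

```shell
#!/bin/sh
# Added example, not LL::NG's own tooling: configure every session store on
# one Browseable PostgreSQL database. Assumed: default CLI path; tables named
# as on the page already exist with one column per indexed field.
set -e

LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"
PG_DB="${PG_DB:-lemonldapdb}"
PG_HOST="${PG_HOST:-pg.example.com}"
PG_USER="${PG_USER:-lemonldaplogin}"

# Print the secret stored in a file, refusing files readable by group/others.
# This keeps the password out of the shell history; the CLI process still
# receives it as an argument, exactly as on the page.
read_secret() {                       # $1: file containing only the secret
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) tr -d '\n' < "$1" ;;
        *) echo "refusing $1: mode must be 0600 or 0400" >&2; return 1 ;;
    esac
}

# Apply one storage family: global | persistent | cas | saml | oidc.
#   $1 family   $2 table name   $3 space-separated index columns ('' = none)
#   $4 password file
configure_pg_storage() {
    family=$1 table=$2 index=$3
    storage="${family}Storage"
    opts="${family}StorageOptions"
    password=$(read_secret "$4")

    # global and persistent stores default to the file backend; drop its
    # Directory/LockDirectory options first, as the page does
    case "$family" in
        global|persistent)
            "$LLNG_CLI" -yes 1 delKey "$opts" Directory "$opts" LockDirectory ;;
    esac

    "$LLNG_CLI" -yes 1 set "$storage" Apache::Session::Browseable::Postgres

    # build the addKey argument list; Index is only added when requested
    set -- "$opts" DataSource "DBI:Pg:database=$PG_DB;host=$PG_HOST" \
           "$opts" UserName "$PG_USER" \
           "$opts" Password "$password" \
           "$opts" Commit 1 \
           "$opts" TableName "$table"
    if [ -n "$index" ]; then
        set -- "$@" "$opts" Index "$index"
    fi
    "$LLNG_CLI" -yes 1 addKey "$@"
    unset password
}

# The page's five stores, with the index columns it lists.
configure_all_session_stores() {      # $1: password file
    configure_pg_storage global     sessions     'ipAddr _whatToTrace user' "$1"
    configure_pg_storage persistent psessions    '_session_uid'             "$1"
    configure_pg_storage cas        cassessions  '_cas_id'                  "$1"
    configure_pg_storage saml       samlsessions \
        '_saml_id ProxyID _nameID _assert_id _art_id _session_id'           "$1"
    configure_pg_storage oidc       oidcsessions ''                         "$1"
}

# usage (on the LL::NG host, as root):
#   printf '%s\n' 'lemonldappw' > /root/llng-pg.pw && chmod 600 /root/llng-pg.pw
#   configure_all_session_stores /root/llng-pg.pw
```

Setting LLNG_CLI to another command (a logging shell function, for instance) turns the script into a dry run that shows every argument the CLI would receive, which is a cheap way to review a change before it reaches the live configuration.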
===== Configure virtual host =====

The virtual host must be defined in Apache/Nginx, and its access rules and exported headers must be configured in LL::NG.

In this example we have:
  * Host: test.example.com
  * Access rules:
    * default => accept
    * Logout: ^/logout\.php => logout_sso
  * Headers:
    * Auth-User: $uid
    * Auth-Mail: $mail

The (?#Logout) prefix is a regular-expression comment; LL::NG uses it as the rule's name in the Manager.

<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        'locationRules/test.example.com' 'default' 'accept' \
        'locationRules/test.example.com' '(?#Logout)^/logout\.php' 'logout_sso' \
        'exportedHeaders/test.example.com' 'Auth-User' '$uid' \
        'exportedHeaders/test.example.com' 'Auth-Mail' '$mail'
</code>

===== Configure LDAP authentication backend =====

In this example we use:
  * LDAP server: ldap://ldap.example.com
  * LDAP Bind DN: cn=lemonldapng,ou=dsa,dc=example,dc=com
  * LDAP Bind PW: changeit
  * LDAP search base: ou=users,dc=example,dc=com
  * LDAP attributes:
    * uid => uid
    * cn => cn
    * mail => mail
    * sn => sn
    * givenName => givenName
    * mobile => mobile
  * LDAP group base: ou=groups,dc=example,dc=com
  * Use recursive search for groups

Note that the bind password, like the database passwords above, is passed on the command line and therefore ends up in the shell history and is briefly visible in the process list.

<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        authentication LDAP \
        userDB LDAP \
        passwordDB LDAP \
        ldapServer 'ldap://ldap.example.com' \
        managerDn 'cn=lemonldapng,ou=dsa,dc=example,dc=com' \
        managerPassword 'changeit' \
        ldapBase 'ou=users,dc=example,dc=com'

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        ldapExportedVars uid uid \
        ldapExportedVars cn cn \
        ldapExportedVars sn sn \
        ldapExportedVars mobile mobile \
        ldapExportedVars mail mail \
        ldapExportedVars givenName givenName

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        ldapGroupBase 'ou=groups,dc=example,dc=com' \
        ldapGroupObjectClass groupOfNames \
        ldapGroupAttributeName member \
        ldapGroupAttributeNameGroup dn \
        ldapGroupAttributeNameSearch cn \
        ldapGroupAttributeNameUser dn \
        ldapGroupRecursive 1
</code>

===== Configure SAML Identity Provider =====

Generate a private key and a self-signed certificate with this command (-nodes leaves the private key unencrypted, so restrict the file's permissions):
<code>
openssl req -new -newkey rsa:4096 -keyout saml.key -nodes -out saml.pem -x509 -days 3650
</code>

Import them into the configuration and activate the SAML issuer:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        samlServicePrivateKeySig "`cat saml.key`" \
        samlServicePublicKeySig "`cat saml.pem`" \
        issuerDBSAMLActivation 1
</code>

You can also define the organization name and URL for the SAML metadata:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        samlOrganizationName 'ACME' \
        samlOrganizationDisplayName 'ACME Corporation' \
        samlOrganizationURL 'http://www.acme.com'
</code>

===== Register a SAML Service Provider =====

In this example we have:
  * SP configuration key: testsp
  * SP metadata file: metadata-testsp.xml
  * SP exported attribute: EmailAddress (filled with the mail session key)

<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        samlSPMetaDataXML/testsp samlSPMetaDataXML "`cat metadata-testsp.xml`" \
        samlSPMetaDataExportedAttributes/testsp mail '1;EmailAddress'
</code>

===== Configure OpenID Connect Identity Provider =====

Activate the OpenID Connect Issuer and set the issuer name (it must be identical to the portal URL, scheme included):
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        issuerDBOpenIDConnectActivation 1 \
        oidcServiceMetaDataIssuer http://auth.example.com
</code>

Generate keys:
<code>
openssl genrsa -out oidc.key 4096
openssl rsa -pubout -in oidc.key -out oidc_pub.key
</code>

Import them (oidcServiceKeyIdSig is the key identifier published alongside the public key; here a random one is produced with genpasswd):
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        oidcServicePrivateKeySig "`cat oidc.key`" \
        oidcServicePublicKeySig "`cat oidc_pub.key`" \
        oidcServiceKeyIdSig "`genpasswd`"
</code>

If needed, you can allow the implicit and hybrid flows (both are disabled by default):
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        oidcServiceAllowImplicitFlow 1 \
        oidcServiceAllowHybridFlow 1
</code>

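The SAML and OpenID Connect sections both generate an RSA key, derive its public half and import the pair. The script below is an added example for both, not part of the LL::NG documentation: it creates the private keys under a restrictive umask, checks that the certificate or public key really belongs to the private key before anything is imported (a stale saml.pem next to a freshly generated saml.key is a classic source of signature failures), derives the OIDC key id with openssl rand instead of the page's genpasswd, and then runs the same set commands as the page. The CLI path, the LLNG_CLI override and the availability of openssl are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the LL::NG documentation: generate the SAML and
# OIDC signing material, verify each public half against its private key,
# keep the private keys 0600 and import them with the CLI. Assumed: openssl
# is available and the CLI lives at the default path.
set -e
LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"

# Generate an RSA private key; the umask keeps it owner-readable from the
# first byte written (the page's -nodes key is created with the default umask).
gen_rsa_key() {                       # $1: output file  $2: bits (default 4096)
    ( umask 077; openssl genrsa -out "$1" "${2:-4096}" 2>/dev/null )
}

# Succeed only if the public key in $2 (a PEM certificate or a PEM public key)
# is the one derived from the private key $1.
key_matches() {                       # $1: private key  $2: certificate or public key
    priv=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    if grep -q 'BEGIN CERTIFICATE' "$2"; then
        pub=$(openssl x509 -in "$2" -noout -pubkey)
    else
        pub=$(cat "$2")
    fi
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# SAML: key + self-signed certificate (10 years, as on the page), then import.
setup_saml_keys() {                   # $1: key file  $2: cert file  $3: CN  $4: bits
    gen_rsa_key "$1" "$4"
    openssl req -new -key "$1" -x509 -days 3650 -subj "/CN=$3" -out "$2" 2>/dev/null
    key_matches "$1" "$2"
    "$LLNG_CLI" -yes 1 set \
        samlServicePrivateKeySig "$(cat "$1")" \
        samlServicePublicKeySig "$(cat "$2")" \
        issuerDBSAMLActivation 1
}

# OIDC: key + public key, a random key id (kid) for the published key set,
# then import. Prints the kid so it can be recorded.
setup_oidc_keys() {                   # $1: key file  $2: public key file  $3: bits
    gen_rsa_key "$1" "$3"
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
    key_matches "$1" "$2"
    kid=$(openssl rand -hex 16)
    "$LLNG_CLI" -yes 1 set \
        oidcServicePrivateKeySig "$(cat "$1")" \
        oidcServicePublicKeySig "$(cat "$2")" \
        oidcServiceKeyIdSig "$kid"
    echo "$kid"
}

# usage:
#   setup_saml_keys /etc/lemonldap-ng/saml.key /etc/lemonldap-ng/saml.pem auth.example.com
#   setup_oidc_keys /etc/lemonldap-ng/oidc.key /etc/lemonldap-ng/oidc_pub.key
```

key_matches compares the SubjectPublicKeyInfo derived from the private key with the one carried by the certificate or public key file, so it works for any key type openssl pkey understands, not only RSA.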
===== Register an OpenID Connect Relying Party =====

In this example we have:
  * RP configuration key: testrp
  * Client ID: testclientid
  * Client secret: testclientsecret
  * Allowed redirection URLs:
    * For login: https://testrp.example.com/?callback=1
    * For logout: https://testrp.example.com/
  * Exported attributes:
    * email => mail
    * family_name => sn
    * name => cn

  * Exported attributes:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataExportedVars/testrp email mail \
        oidcRPMetaDataExportedVars/testrp family_name sn \
        oidcRPMetaDataExportedVars/testrp name cn
</code>
  * Credentials:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret
</code>
  * Redirection:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'https://testrp.example.com/?callback=1' \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://testrp.example.com/'
</code>
  * Signature and token expiration:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600
</code>

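The registration above uses a fixed, guessable client secret and takes the redirect URIs as given. The script below is an added example, not part of the LL::NG documentation: it registers the same Relying Party with the same keys, but generates the client secret from the kernel RNG and refuses redirect URIs that are not HTTPS (plain HTTP is accepted for localhost only), contain a wildcard or carry a fragment, since OpenID Connect requires the redirect_uri sent by the client to match a registered value exactly. The CLI path, the LLNG_CLI override and the single-URI-per-option convention are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the LL::NG documentation: register a Relying
# Party with a generated client secret and a redirect URI sanity check.
# Assumed: default CLI path; one login and one logout redirect URI.
set -e
LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"

# 32 random bytes as 64 hex characters from the kernel RNG (no openssl needed)
random_hex() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# OpenID Connect matches redirect_uri exactly against the registered values,
# so the registered value is what protects authorization codes from being
# sent elsewhere. Accept https, or http on localhost only (development),
# and reject wildcards and fragments.
check_redirect_uri() {                # $1: URI
    case "$1" in
        *'*'*|*'#'*) return 1 ;;
        https://*) return 0 ;;
        http://localhost/*|http://localhost:*|http://127.0.0.1/*|http://127.0.0.1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Register one RP and print its freshly generated client secret once, for
# hand-over to the RP operator; nothing else keeps a copy.
register_oidc_rp() {   # $1 config key  $2 client id  $3 login URI  $4 logout URI  $5 token lifetime (s)
    rp=$1 client_id=$2 login_uri=$3 logout_uri=$4 lifetime=${5:-3600}
    check_redirect_uri "$login_uri" || { echo "bad login redirect URI: $login_uri" >&2; return 1; }
    check_redirect_uri "$logout_uri" || { echo "bad logout redirect URI: $logout_uri" >&2; return 1; }
    secret=$(random_hex)

    # the same exported attributes as on the page
    "$LLNG_CLI" -yes 1 addKey \
        "oidcRPMetaDataExportedVars/$rp" email mail \
        "oidcRPMetaDataExportedVars/$rp" family_name sn \
        "oidcRPMetaDataExportedVars/$rp" name cn

    # credentials, redirection, signature and expiration in one addKey call
    "$LLNG_CLI" -yes 1 addKey \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsClientID "$client_id" \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsClientSecret "$secret" \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsRedirectUris "$login_uri" \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsPostLogoutRedirectUris "$logout_uri" \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsIDTokenExpiration "$lifetime" \
        "oidcRPMetaDataOptions/$rp" oidcRPMetaDataOptionsAccessTokenExpiration "$lifetime"

    echo "$secret"
}

# usage:
#   register_oidc_rp testrp testclientid \
#       'https://testrp.example.com/?callback=1' 'https://testrp.example.com/'
```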
===== Categories and applications in menu =====

Create the category "applications":
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        applicationList/applications type category \
        applicationList/applications catname Applications
</code>

Create the application "sample" inside category "applications":
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        applicationList/applications/sample type application \
        applicationList/applications/sample/options description "A sample application" \
        applicationList/applications/sample/options display "auto" \
        applicationList/applications/sample/options logo "tux.png" \
        applicationList/applications/sample/options name "Sample application" \
        applicationList/applications/sample/options uri "https://sample.example.com/"
</code>

===== Encryption key =====

To update the master encryption key:
<code>
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    set \
        key 'xxxxxxxxxxxxxxx'
</code>
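
Changing the master key is the kind of operation one wants a verified backup before, which is what the save/restore commands at the top of the page are for. The script below is an added example serving both sections and is not part of the LL::NG documentation: it saves the configuration into an owner-only directory, checks that the dump really is an LL::NG configuration (a JSON object carrying a cfgNum) rather than an empty file or an error page, sets a key generated from the kernel RNG in place of the page's placeholder, and restores through stdin exactly as the restore - form does. The CLI path, the LLNG_CLI override and the cfgNum check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the LL::NG documentation: take a validated,
# owner-only backup of the configuration before changing the master key,
# generate the new key from the kernel RNG, and restore through stdin.
# Assumed: default CLI path; 'save' emits the configuration as one JSON
# object carrying cfgNum (its configuration number).
set -e
LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"

# A configuration dump holds every secret on this page (DB and LDAP passwords,
# client secrets, the master key). Refuse anything that is not a JSON object
# with a configuration number, e.g. an HTML error page or an empty file left
# behind by a failed 'save'.
validate_config_dump() {              # $1: file
    [ -s "$1" ] || { echo "$1: empty dump" >&2; return 1; }
    head -n 1 "$1" | grep -q '^{' || { echo "$1: not a JSON object" >&2; return 1; }
    grep -q '"cfgNum"' "$1" || { echo "$1: no cfgNum, not an LL::NG configuration" >&2; return 1; }
}

# Save the configuration into a 0700 directory as a 0600, timestamped file
# and print its path.
backup_config() {                     # $1: backup directory
    mkdir -p "$1" && chmod 700 "$1"
    out="$1/lemonldap-ng-config-$(date +%Y%m%d-%H%M%S).json"
    ( umask 077; "$LLNG_CLI" save > "$out" )
    validate_config_dump "$out"
    echo "$out"
}

# Rotate the master key: back up first so the previous configuration, old key
# included, can be put back with restore_config. Prints the backup path; the
# new key itself is never printed.
rotate_master_key() {                 # $1: backup directory
    backup=$(backup_config "$1")
    newkey=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    "$LLNG_CLI" -yes 1 set key "$newkey"
    unset newkey
    echo "$backup"
}

# Restore from a dump, feeding it on stdin like the page's 'restore -'.
restore_config() {                    # $1: dump file
    validate_config_dump "$1"
    "$LLNG_CLI" restore - < "$1"
}

# usage:
#   backup=$(rotate_master_key /var/backups/lemonldap-ng)
#   restore_config "$backup"        # roll back if anything misbehaves
```

The backup directory deserves the same care as the configuration store itself: a dump restored from an attacker-writable location is a full configuration takeover, and a world-readable one leaks every credential listed on this page.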