LemonLDAP::NG
Xavier Bachelot edited this page Jul 23, 2024 · 2 revisions
LemonLDAP::NG is free SSO and Access Management software that can act as an OpenID Connect Provider (OP) for mod_auth_openidc.

LemonLDAP::NG must first be configured as an OIDC Provider (see the LemonLDAP::NG documentation for the commands; they are not reproduced here). You should then be able to see the OIDC metadata at http://auth.example.com/.well-known/openid-configuration. Note that this example uses plain `http://` everywhere; in a real deployment use `https://` for the provider, the metadata URL and the redirect URI, otherwise the authorization code, the tokens and the client secret travel in the clear and the discovery document itself can be tampered with.
The configuration of mod_auth_openidc is standard, for example:

```apache
# Discovery: mod_auth_openidc fetches endpoints and signing keys from here
OIDCProviderMetadataURL http://auth.example.com/.well-known/openid-configuration
# Client credentials: must match what is registered on the LemonLDAP::NG side
OIDCClientID openidc
OIDCClientSecret secret
# Must match one of the redirect URIs registered for the RP, character for character
OIDCRedirectURI http://openidc.example.com/redirect_uri
# Encrypts the state/session cookies; use a long random value, not "test", outside a lab
OIDCCryptoPassphrase test
```
You also need to register mod_auth_openidc as an OIDC Relying Party (RP) in LemonLDAP::NG. This can be done with the `lemonldap-ng-cli` commands below, where `testrp` is the name of the RP's configuration entry (any name will do, as long as it is used consistently):
```shell
# Attributes released to the RP: OIDC claim name -> LemonLDAP::NG session attribute
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
    oidcRPMetaDataExportedVars/testrp email mail \
    oidcRPMetaDataExportedVars/testrp family_name sn \
    oidcRPMetaDataExportedVars/testrp name cn
# Client credentials: must be identical to OIDCClientID / OIDCClientSecret in the Apache config
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID openidc \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret secret
# Redirect URIs: the OP matches OIDCRedirectURI exactly (scheme, host, port, path)
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'http://openidc.example.com/redirect_uri' \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'http://openidc.example.com/'
# Token settings: ID token signature algorithm and token lifetimes in seconds
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 \
    oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600
```
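Most failed logins between mod_auth_openidc and LemonLDAP::NG come from the two sides disagreeing on a value (client ID or secret, an exact redirect URI, the `iss` claim versus the metadata URL, or a signing algorithm the OP does not advertise). The script below is an added example, not code from this wiki page, mod_auth_openidc or LemonLDAP::NG: it cross-checks the Apache directives above against the values registered with `addKey` and against the provider's discovery document, and separately flags hardening gaps (plain `http://` URLs, short secrets). The discovery document, the endpoint paths in it, the assumption that LemonLDAP::NG stores several redirect URIs space-separated, and the function names are all mine; the samples are constructed from the values on this page.

```python
"""Cross-check a mod_auth_openidc RP config against its LemonLDAP::NG registration.

Added example for this wiki page; not code from mod_auth_openidc or LemonLDAP::NG.
All samples are constructed from the values on the page; the discovery document is
a hand-written approximation of what the OP serves (endpoint paths are assumed).
"""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: the Apache directives shown on the page.
APACHE_CONF = """
OIDCProviderMetadataURL http://auth.example.com/.well-known/openid-configuration
OIDCClientID openidc
OIDCClientSecret secret
OIDCRedirectURI http://openidc.example.com/redirect_uri
OIDCCryptoPassphrase test
"""

# Constructed sample: what the lemonldap-ng-cli addKey commands on the page set
# under oidcRPMetaDataOptions/testrp (values only).
LLNG_RP_OPTIONS = {
    "oidcRPMetaDataOptionsClientID": "openidc",
    "oidcRPMetaDataOptionsClientSecret": "secret",
    "oidcRPMetaDataOptionsRedirectUris": "http://openidc.example.com/redirect_uri",
    "oidcRPMetaDataOptionsIDTokenSignAlg": "RS512",
}

# Constructed sample discovery document (abbreviated; endpoint paths are assumed).
DISCOVERY_DOC = json.dumps({
    "issuer": "http://auth.example.com",
    "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
    "token_endpoint": "http://auth.example.com/oauth2/token",
    "jwks_uri": "http://auth.example.com/oauth2/jwks",
    "id_token_signing_alg_values_supported": ["RS256", "RS512"],
})

REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def parse_apache_conf(text):
    """Parse 'Directive value' lines into a dict (comments and blank lines skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def check_setup(apache_text, llng_options, discovery_json):
    """Return (errors, warnings): errors break the login flow, warnings are hardening gaps."""
    conf = parse_apache_conf(apache_text)
    meta = json.loads(discovery_json)
    errors, warnings = [], []

    for key in REQUIRED_DISCOVERY_KEYS:
        if key not in meta:
            errors.append(f"discovery document lacks {key}")

    # OIDC Discovery: issuer + WELL_KNOWN must be the URL the document was fetched
    # from; the RP also compares the id_token 'iss' claim against this issuer.
    md_url = conf.get("OIDCProviderMetadataURL", "")
    if md_url.endswith(WELL_KNOWN) and meta.get("issuer") != md_url[: -len(WELL_KNOWN)]:
        errors.append(f"issuer {meta.get('issuer')!r} does not match OIDCProviderMetadataURL")

    # Client credentials must be identical on both sides.
    if conf.get("OIDCClientID") != llng_options.get("oidcRPMetaDataOptionsClientID"):
        errors.append("OIDCClientID differs from oidcRPMetaDataOptionsClientID")
    if conf.get("OIDCClientSecret") != llng_options.get("oidcRPMetaDataOptionsClientSecret"):
        errors.append("OIDCClientSecret differs from oidcRPMetaDataOptionsClientSecret")

    # The OP matches the redirect URI exactly; several registered URIs are assumed
    # to be stored space-separated, so split on whitespace.
    registered = llng_options.get("oidcRPMetaDataOptionsRedirectUris", "").split()
    if conf.get("OIDCRedirectURI") not in registered:
        errors.append(f"OIDCRedirectURI {conf.get('OIDCRedirectURI')!r} is not a registered redirect URI")

    # The signing algorithm chosen for the RP must be one the OP advertises.
    alg = llng_options.get("oidcRPMetaDataOptionsIDTokenSignAlg")
    if alg and alg not in meta.get("id_token_signing_alg_values_supported", []):
        errors.append(f"ID token algorithm {alg} not in id_token_signing_alg_values_supported")

    # Hardening: every URL in the flow should be https; plain http exposes the
    # authorization code, the tokens and the client secret on the wire.
    for label, url in (("OIDCProviderMetadataURL", md_url),
                       ("OIDCRedirectURI", conf.get("OIDCRedirectURI", "")),
                       ("issuer", meta.get("issuer", ""))):
        if urlparse(url).scheme != "https":
            warnings.append(f"{label} is not https: {url}")
    for directive in ("OIDCClientSecret", "OIDCCryptoPassphrase"):
        if len(conf.get(directive, "")) < 16:
            warnings.append(f"{directive} is shorter than 16 characters")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_setup(APACHE_CONF, LLNG_RP_OPTIONS, DISCOVERY_DOC)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against the values on this page, the consistency checks all pass (no errors) while the hardening checks report five warnings: the three plain-`http://` URLs, the six-character client secret and the passphrase `test`. To check a live provider, replace `DISCOVERY_DOC` with the body fetched from the `OIDCProviderMetadataURL` and the dictionary with the output of `lemonldap-ng-cli get oidcRPMetaDataOptions/testrp`.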