ipsilon-server-install - Man Page

Configure an Ipsilon Identity Provider instance

Synopsis

ipsilon-server-install [OPTION]...

Description

Configure an Ipsilon instance to provide identity services using any of the supported and enabled protocols.

Ipsilon uses a pluggable framework, so some options may not be available, depending on which plugins have been installed.

Ipsilon supports three types of plugins:

1. Authentication provider plugins - implement an authentication protocol such as SAML 2, OpenID or Persona. At least one needs to be enabled.
2. Login plugins - mechanisms for authenticating, including GSSAPI, LDAP, PAM, etc. At least one should be enabled.
3. Info plugins - sources where additional attributes of the user may be obtained.

There are also environment helper options which aid in configuring the Identity Provider for a particular environment, such as a FreeIPA domain.

The installation details are logged to /var/log/ipsilon-install.log.

Databases

Ipsilon stores configuration and session information in database tables. By default, a set of SQLite databases is used. If a full RDBMS is desired, the --database-url and/or *-dburi options can be used to provide the database URIs. This should probably be used in load-balanced situations so all servers can use the same database.

An example of a specific URI is
--users-dburi=postgresql://@dbserver.example.com:45432/users

The templatized version would be
--database-url=postgresql://@dbserver.example.com:45432/%(dbname)s
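
The sketch below is an added example, not Ipsilon's own code. It shows how a templatized --database-url and the per-database *-dburi overrides combine into one URI per store. The store names (other than "users", taken from the example above) and the use of Python %-style expansion are assumptions.

```python
# Added example, not Ipsilon code. Store names are assumptions that mirror the
# --admin-dburi, --users-dburi, --transaction-dburi and --openid-dburi options.
STORES = ("admin", "users", "transaction", "openid")
PLACEHOLDER = "%(dbname)s"


def resolve_dburis(database_url=None, overrides=None):
    """Return {store: URI or None}; None means the installer default (sqlite)."""
    overrides = dict(overrides or {})
    unknown = set(overrides) - set(STORES)
    if unknown:
        raise ValueError("unknown store(s): %s" % ", ".join(sorted(unknown)))

    # Stores without an explicit URI fall back to the template.
    templated = [s for s in STORES if s not in overrides]
    if (database_url is not None and len(templated) > 1
            and PLACEHOLDER not in database_url):
        # Without the placeholder every store would expand to the same URI,
        # which this example treats as a configuration mistake.
        raise ValueError("--database-url has no %s placeholder" % PLACEHOLDER)

    resolved = {}
    for store in STORES:
        if store in overrides:
            resolved[store] = overrides[store]  # explicit override wins
        elif database_url is not None:
            # Assumption: Python %-style expansion, as the syntax suggests.
            resolved[store] = database_url % {"dbname": store}
        else:
            resolved[store] = None
    return resolved


if __name__ == "__main__":
    # Constructed input based on the URIs shown in the Databases section.
    uris = resolve_dburis(
        "postgresql://@dbserver.example.com:45432/%(dbname)s",
        {"users": "postgresql://@dbserver.example.com:45432/users"},
    )
    for store, uri in uris.items():
        print(store, uri)
```

In a load-balanced deployment, running the same resolution on every server and comparing the results confirms that all instances point at the same databases.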

Options

Basic Options

-h, --help

Show this help message and exit

--version

Show program's version number and exit

-o LM_ORDER, --login-managers-order LM_ORDER

Comma separated list of login managers

--hostname HOSTNAME

The hostname used by clients to reach this instance. This is used to determine the URLs provided in SAML metadata

--instance INSTANCE

Ipsilon instance name

--system-user SYSTEM_USER

User account used to run the server

--admin-user ADMIN_USER

User account that is assigned Ipsilon admin privileges

--database-url DATABASE_URL

The (templatized) database URL to use

--secure

Boolean to turn on all security checks

--server-debugging

Enable debugging

--uninstall

Uninstall the server and all data

--yes

Always answer yes

--admin-dburi ADMIN_DBURI

Configuration database URI (override template)

--users-dburi USERS_DBURI

User configuration database URI (override template)

--transaction-dburi TRANSACTION_DBURI

Transaction database URI (override template)

Authentication Provider Options

--openid

Configure OpenID Provider

--openid-dburi OPENID_DBURI

OpenID database URI (override template)

--saml2

Configure SAML2 Provider

--saml2-metadata-validity SAML2_METADATA_VALIDITY

Metadata validity period in days (default - 1825)

Login Manager Options

--form

Configure External Form authentication

--form-service FORM_SERVICE

PAM service name to use for authentication

--fas

Configure FAS (Fedora Authentication System) authentication

--ldap

Configure LDAP authentication

--ldap-server-url LDAP_SERVER_URL

LDAP Server Url

--ldap-bind-dn-template LDAP_BIND_DN_TEMPLATE

LDAP Bind DN Template

--ldap-tls-level LDAP_TLS_LEVEL

LDAP TLS level

--ldap-base-dn LDAP_BASE_DN

LDAP Base DN

--krb

Configure Kerberos authentication

--krb-httpd-keytab KRB_HTTPD_KEYTAB

Kerberos keytab location for HTTPD

--pam

Configure PAM authentication

--pam-service PAM_SERVICE

PAM service name to use for authentication

--testauth

Configure testing environment authentication

Info Provider Options

--info-ldap

Use LDAP to populate user attrs

--info-ldap-server-url INFO_LDAP_SERVER_URL

LDAP Server Url

--info-ldap-bind-dn INFO_LDAP_BIND_DN

LDAP Bind DN

--info-ldap-bind-pwd INFO_LDAP_BIND_PWD

LDAP Bind Password

--info-ldap-user-dn-template INFO_LDAP_USER_DN_TEMPLATE

LDAP User DN Template

--info-ldap-base-dn INFO_LDAP_BASE_DN

LDAP Base DN

--info-nss

Use passwd data to populate user attrs

--info-sssd

Use DBus to populate user attrs from SSSD. SSSD must be pre-configured for at least one domain.

--info-sssd-domain INFO_SSSD_DOMAIN

SSSD domain to enable for attribute passthrough (default is all)

Environment Helper Options

--ipa

Helper for IPA joined machines. This configures Ipsilon for Kerberos authentication.

Exit Status

0 if the installation was successful

1 if an error occurred

See Also

ipsilon(7), ipsilon-client-install(1)

Referenced By

ipsilon(7), ipsilon.conf(5).

3.0.1 Ipsilon Manual Pages