lemonldap-ng
Configure an OpenID Connect Identity Provider, to be used with an OpenID Connect Relying Party, e.g. libapache2-mod-auth-openidc.
Test install for bullseye/buster/stretch:
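# /usr/share/doc/lemonldap-ng/README.Debian
#
# Test install of a LemonLDAP::NG OpenID Connect Identity Provider on a
# Debian host.  Run as root: every step talks to the local system (apt,
# /etc/hosts, apache2), so abort on the first failing command rather than
# continuing with a half-configured IdP.
set -euo pipefail

apt install openid-connect-provider \
  apache2 libapache2-mod-perl2 libapache2-mod-fcgid \
  libfcgi-perl libstring-random-perl libmime-tools-perl libemail-sender-perl \
  libgd-securityimage-perl libimage-magick-perl libmouse-perl

# Local name resolution for the test hosts.
# IdP: manager.example.com auth.example.com reload.example.com
# RP: test1.example.com test2.example.com
cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts

a2enmod perl fcgid rewrite headers
a2ensite portal-apache2.conf manager-apache2.conf handler-apache2.conf

# bullseye: new cache directory to pre-create.  -p keeps this step
# idempotent on releases where the directory already exists.
mkdir -p /var/lib/lemonldap-ng/cache
chown www-data: /var/lib/lemonldap-ng/cache
service apache2 restart

# http://auth.example.com/
# Demo logins shipped for testing (user:password):
# dwho:dwho rtyler:rtyler msmith:msmith

# OpenID Connect Identity Provider
# https://lemonldap-ng.org/documentation/latest/cli_examples#configure-openid-connect-identity-provider
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
  set \
  issuerDBOpenIDConnectActivation 1

cd /etc/lemonldap-ng/ || exit 1

# Token-signing key pair.  The private key is what makes every ID token this
# IdP issues trustworthy, so it must never be world-readable: generate it
# under a restrictive umask and pin its mode explicitly afterwards.
( umask 077 && openssl genrsa -out oidc.key 4096 )
chmod 600 oidc.key
openssl rsa -pubout -in oidc.key -out oidc_pub.key

# NOTE: the key material is passed on the command line below, so it is
# briefly visible in the process list on this host; fine for a throw-away
# test install, not for a shared machine.
# oidcServiceKeyIdSig is only the "kid" label published alongside the public
# key; give it a new value whenever the key pair is rotated.
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
  set \
  oidcServicePrivateKeySig "$(cat oidc.key)" \
  oidcServicePublicKeySig "$(cat oidc_pub.key)" \
  oidcServiceKeyIdSig "randomstring"
service apache2 restart

# Sanity check: fetch the discovery document.  Plain http is acceptable for
# this local test only; RPs trust whatever issuer and key data they fetch
# from here, so a real deployment serves it over https.
curl http://auth.example.com/.well-known/openid-configuration

# stretch, fix-up obsolete syntax in generated Perl conf:
sed -i -e 's|keys \($portal->{oidcServiceMetaDataAuthnContext}\)|keys %{\1}|' /var/lib/lemonldap-ng/portal/openid-configuration.pl

# TODO: lemonldap-ng/stretch doesn't seem to handle libapache2-mod-auth-openidc
# (stretch or buster); lemonldap-ng/buster works though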
Copyright (C) 2025, 2026 Sylvain Beucler