ipsilon-server-install (1) Linux Manual Page
ipsilon-server-install – Configure an Ipsilon Identity Provider instance
Synopsis
ipsilon-server-install [OPTION]…
Description
Configure an Ipsilon instance to provide identity services using any of the supported and enabled protocols.
Ipsilon uses a pluggable framework, so some options may not be available, depending on which plugins have been installed.
Ipsilon supports three types of plugins:
1. Authentication provider plugins – implement an authentication protocol such as SAML 2, OpenID or Persona. At least one needs to be enabled.
2. Login plugins – mechanisms for authenticating including GSSAPI, LDAP, PAM, etc. At least one should be enabled.
3. Info plugins – sources where additional attributes of the user may be obtained.
There are also environment helper options which aid in configuring the Identity Provider for a particular environment, such as a FreeIPA domain.
The installation details are logged to /var/log/ipsilon-install.log.
Databases
Ipsilon stores configuration and session information in database tables. By default, a set of SQLite databases is used. If a full RDBMS is desired, the --database-url and/or *-dburi options can be used to provide the database URIs. This should probably be used in load-balanced situations so all servers can use the same database. An example of a specific URI is
--users-dburi=postgresql://@dbserver.example.com:45432/users
The templatized version would be
--database-url=postgresql://@dbserver.example.com:45432/%(dbname)s
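The following sketch is an added example, not code from Ipsilon: it shows how a templatized URL and the per-database overrides combine, assuming Python %-style substitution (which the %(dbname)s syntax suggests). The store names and function names are assumptions made for illustration; the hosts and URLs in it are constructed.

```python
# Added illustration; not code from the Ipsilon project.
# Store names are assumptions derived from the *-dburi option names on this
# page; the dbname values Ipsilon really substitutes may differ.
STORES = ("admin", "users", "transaction")


def resolve_dburis(template, overrides=None, stores=STORES):
    """Return {store: URI}. An explicit *-dburi override wins; otherwise the
    template is expanded with Python %-style substitution of %(dbname)s."""
    overrides = overrides or {}
    resolved = {}
    for store in stores:
        if overrides.get(store):
            resolved[store] = overrides[store]
            continue
        try:
            resolved[store] = template % {"dbname": store}
        except (ValueError, TypeError, KeyError) as exc:
            # A bare '%' (for example a percent-encoded character) or an
            # unknown placeholder breaks %-formatting; a literal '%' has to
            # be written as '%%' inside a template.
            raise ValueError(f"bad template {template!r}: {exc}") from exc
    return resolved


def shared_targets(resolved):
    """Group stores that resolve to the same URI, which happens when the
    template carries no %(dbname)s placeholder."""
    by_uri = {}
    for store, uri in resolved.items():
        by_uri.setdefault(uri, []).append(store)
    return {uri: names for uri, names in by_uri.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample input: the template from this page plus one override.
    template = "postgresql://@dbserver.example.com:45432/%(dbname)s"
    override = {"users": "postgresql://@dbserver.example.com:45432/users"}
    for store, uri in resolve_dburis(template, override).items():
        print(f"{store:12s} {uri}")
    # A template without the placeholder sends every store to one database.
    print(shared_targets(resolve_dburis("postgresql://@db.example.com/ipsilon")))
```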
Options
Basic Options
- -h, --help
- Show this help message and exit
- --version
- Show program’s version number and exit
- -o LM_ORDER, --login-managers-order LM_ORDER
- Comma separated list of login managers
- --hostname HOSTNAME
- The hostname used by clients to reach this instance. This is used to determine the URLs provided in SAML metadata
- --instance INSTANCE
- Ipsilon instance name
- --system-user SYSTEM_USER
- User account used to run the server
- --admin-user ADMIN_USER
- User account that is assigned Ipsilon admin privileges
- --database-url DATABASE_URL
- The (templatized) database URL to use
- --secure
- Boolean to turn on all security checks
- --server-debugging
- Enable debugging
- --uninstall
- Uninstall the server and all data
- --yes
- Always answer yes
- --admin-dburi ADMIN_DBURI
- Configuration database URI (override template)
- --users-dburi USERS_DBURI
- User configuration database URI (override template)
- --transaction-dburi TRANSACTION_DBURI
- Transaction database URI (override template)
Authentication Provider Options
- --openid
- Configure OpenID Provider
- --openid-dburi OPENID_DBURI
- OpenID database URI (override template)
- --persona
- Configure Persona Provider
- --saml2
- Configure SAML2 Provider
- --saml2-metadata-validity SAML2_METADATA_VALIDITY
- Metadata validity period in days (default: 1825)
Login Manager Options
- --form
- Configure External Form authentication
- --form-service FORM_SERVICE
- PAM service name to use for authentication
- --fas
- Configure FAS (Fedora Authentication System) authentication
- --ldap
- Configure LDAP authentication
- --ldap-server-url LDAP_SERVER_URL
- LDAP Server URL
- --ldap-bind-dn-template LDAP_BIND_DN_TEMPLATE
- LDAP Bind DN Template
- --ldap-tls-level LDAP_TLS_LEVEL
- LDAP TLS level
- --ldap-base-dn LDAP_BASE_DN
- LDAP Base DN
- --krb
- Configure Kerberos authentication
- --krb-httpd-keytab KRB_HTTPD_KEYTAB
- Kerberos keytab location for HTTPD
- --pam
- Configure PAM authentication
- --pam-service PAM_SERVICE
- PAM service name to use for authentication
- --testauth
- Configure testing environment authentication
Info Provider Options
- --info-ldap
- Use LDAP to populate user attrs
- --info-ldap-server-url INFO_LDAP_SERVER_URL
- LDAP Server URL
- --info-ldap-bind-dn INFO_LDAP_BIND_DN
- LDAP Bind DN
- --info-ldap-bind-pwd INFO_LDAP_BIND_PWD
- LDAP Bind Password
- --info-ldap-user-dn-template INFO_LDAP_USER_DN_TEMPLATE
- LDAP User DN Template
- --info-ldap-base-dn INFO_LDAP_BASE_DN
- LDAP Base DN
- --info-nss
- Use passwd data to populate user attrs
- --info-sssd
- Use mod_lookup_identity and SSSD to populate user attrs. SSSD must be pre-configured for at least one domain.
- --info-sssd-domain INFO_SSSD_DOMAIN
- SSSD domain to enable mod_lookup_identity for (default is all)
Environment Helper Options
- --ipa
- Helper for IPA joined machines. This configures Ipsilon for Kerberos authentication.
Exit Status
0 if the installation was successful
1 if an error occurred
