The LogMeOnce Command Line Interface (CLI) is a unified tool to manage your LogMeOnce services. The LogMeOnce CLI uses all security features of LogMeOnce and is based on Zero-Knowledge technology.
This feature is available as part of the LogMeOnce Enterprise Edition. You can manage your LogMeOnce services from the command line and automate them through scripts. The LogMeOnce CLI enables you to start running commands that implement functionality equivalent to that provided by the browser-based LogMeOnce Password and Identity Management solution from the command prompt in your favorite terminal program:
- Linux shells – Use common shell programs such as bash, zsh, and tcsh to run commands in Linux.
- Windows command line – On Windows, run commands at the Windows command prompt or in PowerShell.
Download & Installation
The installation of the LogMeOnce Command Line Interface (LMO CLI) on the supported operating systems is covered below. The installation of the LMO CLI does not require the installation of Python.
Windows LMO CLI Installation
Download Link: Download LogMeOnce CLI
Setup/Configuration:
- Unzip the file into the desired location (for example, the “C:\Program Files\LogmeOnce” folder).
- Add the executable location “C:\Program Files\LogmeOnce\lmocli” to the PATH variable in Windows:
  - Press the Windows key and enter environment variables.
  - Choose Edit environment variables for your account.
  - Choose PATH, and then choose Edit.
  - Add the path to the Variable value field. For example: C:\Program Files\LogmeOnce\lmocli
- To confirm the installation, use the lmo -version command at a command prompt (open the Start menu and search for cmd to start a command prompt). If version details are not displayed, please make sure the PATH variable is configured properly.
Linux LMO CLI Installation
Download Link: Download LogMeOnce CLI
Setup/Configuration:
- Download the LMO CLI ZIP file.
- Unzip the file into the desired location (for example, the “/usr/local/bin” folder).
- Add the executable location “/usr/local/bin” to the $PATH variable.
- To confirm the installation, use the lmo -version command at a command prompt. If version details are not displayed, please make sure the $PATH variable is configured properly.
Permissions and Roles
LogMeOnce implements least-privilege access control by default, so the LogMeOnce CLI is not enabled by default. You can enable this feature by assigning the LMO CLI role to the specific users who need to run it. All operations by this user are logged for the audit trail. It is recommended to create a separate valid LogMeOnce user with a valid email address and assign it an LMO CLI role.
In order to create a role that allows CLI access:
- In Users Management edit a user and go to the Role tab
- Click “+ Add Role” - enter your new role name
- From “Unassigned Permission” list select “CommandLineInterface: Access” and move it to left
- Change “Access” to “User” and click “Save Changes”
Trusting Your IP and Device
As part of LogMeOnce security, a request from an unknown IP or device for a specific user must be trusted first before any of the LogMeOnce commands can be used. You will receive an email that needs to be validated.
Two Factor Authentication (2FA)
LogMeOnce supports Two Factor Authentication (2FA) with CLI using the X.509 certificate 2FA method. In order to enable this feature, select the X.509 Certificate from the Two Factor Authentication Setting page for the selected user with CLI permission. The LogMeOnce CLI will use your X.509 certificate file and a password that protects your certificate file to secure CLI authentication.
- Please refer to this article to set up an X.509 Certificate for the user with CLI permission. Click here
- Please download the PKCS#12 certificate.
- Copy the .p12 file to the location where the config file is stored.
- Enter the current location of the .p12 file.
LogMeOnce Username [wXXXX]:
LogMeOnce Password [XXXXXXXX]:
LogMeOnce Domain [wXXXX]:
LogMeOnce PKCS#12 (.p12) Certificate Path [wXXXX]: Enter file path for .p12 file for example mycert.p12
LogMeOnce PKCS#12 (.p12) Certificate Password [XXXXXXXX]:
Quick Getting Started
To get started quickly, follow these steps:
- Install LogMeOnce CLI
- Validate if the installation is successful
> lmo -version - Check LogMeOnce CLI version
- Configure CLI by adding your credentials and optionally add an X.509 certificate
> lmo config - Configure CLI and add your credential and certificate
> lmo config show - Check your credentials and certificate
- Validate if your configuration is complete
> lmo config validate - Validate if credential is entered and works properly
- Check your email and Trust IP and device
> lmo config validate - Validate if credential is entered and works properly
- Perform a quick test
> lmo sites - Display all your sites
LogMeOnce CLI Reference Guide
Description:
The LogMeOnce Command Line Interface is a unified tool to manage your LogMeOnce services.
Synopsis:
lmo [options] <command> <subcommand> [parameters]
Use lmo command help for information on a specific command. Use lmo help topics to view a list of available help topics. Optional parameters are shown in square brackets.
Usage: lmo <command> [-h] [-profile PROFILE] [-username USERNAME] [-password PASSWORD] [-domain DOMAIN] [-search] [-update] [-create] [-file FILE] [-delete] [-debug] [-version] [-help] [-decrypt] [-encrypt] [-certificate CERTIFICATE] [-certificate_pass CERTIFICATE_PASS]
Arguments:
command Use commands like config, sites, notes, storage, groups, users, events (default: None)
Optional arguments:
- -h, --help Show this help message and exit
- -profile PROFILE Enter Profile Name (default: None)
- -username USERNAME Enter Username. (default: None)
- -password PASSWORD Enter Password. (default: None)
- -domain DOMAIN Enter Name of Domain (default: None)
- -search Search for an item
- -update Use for update data (default: 0)
- -create Use for create data (default: 0)
- -file FILE Enter file Name (default: None)
- -delete Use for delete data (default: 0)
- -debug Display debug messages (default: False)
- -version Display CLI version (default: False)
- -help For help (default: False)
- -decrypt Use for decrypt credential (default: 0)
- -encrypt Use for encrypt credential (default: 0)
- -certificate CERTIFICATE Enter certificate filename (default: None)
- -certificate_pass CERTIFICATE_PASS Enter certificate password (default: None)
Configure Command
Configure [show | validate] [-profile <profilename>]
When this command is run with no arguments, you will be prompted for configuration values such as your LogMeOnce username, password, domain, certificate file path, and certificate password. It is highly recommended to create a separate user when using this feature so that all logging and the audit trail are enabled and can easily be viewed in the Activity Log.
If your config file does not exist (the default location is <default-user-home>/.lmo/credential.cfg), the LogMeOnce CLI will create it for you. To keep an existing value, hit enter when prompted for the value. When you are prompted for information, the current value will be displayed in [brackets] except the password. If the config item has no value, it is displayed as [None].
Note: the values you provide for the LogMeOnce credential will be written to the credentials file (~/.lmo/credential.cfg).
The credential is encrypted and data is protected:
[Section1]
username = AT0oInhv1MqGu12cZIOLI48MggZD5J6irc9IhN64ESS4LdllMUIVYy2JzZ3fM+CX2JYrUj6PZtb1yMlSttUzuJkVZI7su
password = AdZ/CYVhni9d/tRGxiHS7zVyqy5uYm/Y66OvxO4BrUdKei8qyn9q8RjOJ9t0Zjj9FDQuhd3u1F+yul-+x6TZ7dGBfEoN
domain = AdsIcq2CgnbPgwer4f!tnT3Qw6lMdm4zjePmemrt@YLYCiWhVge9Vq+OAcpTZVr+fxhpbynR3mT46x6GZVBNnfQmERaL9p
certificate = AYW19W2vzjTS0VI5IXOEcTq3XuuBhNpWkYjYnoXKoCR7oF5PzJ1dMrP+Wd3Diirnv3TLjmRn43tpxvTGwSVenzWACXVGFKReLnv+aOhpBPV5EwhUcw==
certificate_password = AcEpCYZbGG+f2psKatXAtoX2iayyXMu+zNLzK+A5EG4VdQADFKRJM3s3DmJhXgSY++uVjsu2Pck=
Examples:
Windows configuration file location: C:\Users\mike\.lmo\credential.cfg
Linux configuration file location: ~/.lmo/credential.cfg
>lmo config or lmo config -profile service2.cfg
LogMeOnce Username [None]: marketing@logmeonce.com
LogMeOnce Password [None]: <Your-password-for-this-account>
LogMeOnce Domain [None]: <yourdomain>.logmeonce.com
LogMeOnce Certificate [None]: <Your-two-factor-authentication-X.509-certificate>
LogMeOnce Certificate Password [None]: <Your-two-factor-authentication-X.509-certificate-password>
>lmo config show or lmo config show -profile service2.cfg
>lmo config validate or lmo config validate -profile service2.cfg
The only difference is that the LogMeOnce CLI requires a password; PasswordLess operations are not permitted.
Sites Command
Sites [site_ID] [-profile name]
When this command is run with no arguments, you will be prompted for configuration values such as your LogMeOnce username, password, and domain. It is highly recommended to create a separate user when using this feature so that all logging and the audit trail are enabled.
Getting a list of sites
Additional parameters
- search - filters the list of sites by search phrase
> lmo sites -search Facebook
> lmo sites -search "two words"
- decrypt - decrypts input values
> lmo sites -decrypt
Examples:
{
"sites": [
{
"id": 1749398,
"name": "Google",
"updated": 1586452560,
"flags": 293,
"image": "https://logmeonce-sites.s3.amazonaws.com/256_google_175x175.png",
"icon": "https://logmeonce-sites.s3.amazonaws.com/256_google_16x16.png",
"used": 0,
"login": {
"Url": "https://accounts.google.com/ServiceLogin?continue=http://www.google.com/",
"regex": "^(ftp|http|https)://([^/]+\\.)?google.com.*",
"inputs": [
{
"flags": 3,
"name": "[\"identifier\", \"Email\"]",
"type": "text",
"value": "Adh/fgxV90+BoMboA+DojRSxAb7BhGpz26IrF+Nxj49QPOjc5f8swFBcpgLBKG3rRasAkf0="
},
{
"flags": 5,
"name": "[\"password\", \"Passwd\"]",
"type": "password",
"value": "Adh/fgzAxSBxlmvPL/tV+50rS1F5y5fLyp4I8zPoq+rYsR0JFFOuvlhkciNzh/ahT8pshh8="
}
],
"match": {
"username": "#profileIdentifier, #email-display",
"trim": "@gmail.com"
},
"action": {
"submit": "#identifierNext, #passwordNext"
}
}
}
]
}
Getting a single site
> lmo sites [SITE_ID]
You can get a single site data by providing site ID.
> lmo sites 1749398
Additional parameters
- decrypt - decrypts input values
> lmo sites 1749398 -decrypt
Creating a new site
> lmo sites -create -file <FILE_PATH>
This is another version of the sites command. With the help of the “create” parameter, you can create new sites. The information on the new site should be available in a JSON file.
JSON file format:
{
"url": "https://www.facebook.com/",
"name": "Facebook (john)",
"inputs": [{
"type": "text",
"value": "john.doe@gmail.com"
}, {
"type": "password",
"value": "secret_password"
}]
}
Site data format:
- url - Login page URL (required)
- name - The name of the site (optional)
- inputs - The array of inputs - at least a single password must be present (required)
- note - The site note (optional)
- flags - The numeric value that defines SSO and SLO (bitwise operation)
  - 1 - SSO - Automatic Login
  - 2 - SLO - Automatic Logout
  By default only SSO is enabled. Possible values are:
  - 0 - Both SSO, SLO disabled
  - 1 - SSO enabled, SLO disabled
  - 2 - SSO disabled, SLO enabled
  - 3 - Both SSO, SLO enabled
Input data format:
- type - default is text
- flags - The numeric value that defines input properties (bitwise operation)
  - 1 - required - this input is required to be found on the login page; all required inputs must be found in order for the site to be detected
  - 2 - username - this input is marked as Username (only 1 input can be marked as username, but there can be more non-password inputs)
  - 4 - password - this input is marked as Password (only 1 input can be marked as password, but there can be more inputs with type password)
  - 8 - used internally by some sites from the catalog
  - 16 - only for inputs that are “checkbox” type - when this bit is set the checkbox is checked; when this bit is not set the checkbox is unchecked
- value - the value of the input - must be encrypted
Additional parameters
- encrypt - encrypts input values and the note
> lmo sites -create -encrypt -file somefile.json
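The field rules and flag bits listed above can be checked before a file is handed to `lmo sites -create`. The following Python sketch is an added example, not LogMeOnce code; the helper names (`decode_flags`, `validate_site`, `check_site_file`), the labels chosen for bits 8 and 16, and the sample sites are assumptions made for illustration.

```python
import json

# Bit values as listed in "Site data format" and "Input data format" above.
SITE_FLAGS = {1: "sso", 2: "slo"}
INPUT_FLAGS = {1: "required", 2: "username", 4: "password",
               8: "internal", 16: "checked"}


def decode_flags(value, table):
    """Names of the documented bits set in value; other bits are reported."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)  # sum(table) adds the keys, i.e. the bit mask
    if unknown:
        names.append(f"unknown:{unknown}")
    return names


def validate_site(site):
    """Return the list of rule violations for one site definition."""
    problems = []
    if not site.get("url"):
        problems.append("url is required")
    inputs = site.get("inputs") or []
    if not any(i.get("type", "text") == "password" for i in inputs):
        problems.append("at least one password input is required")
    for label, bit in (("username", 2), ("password", 4)):
        if sum(1 for i in inputs if i.get("flags", 0) & bit) > 1:
            problems.append(f"only 1 input can be marked as {label}")
    for n, i in enumerate(inputs):
        if i.get("flags", 0) & 16 and i.get("type", "text") != "checkbox":
            problems.append(f"input {n}: bit 16 is only for checkbox inputs")
    flags = site.get("flags", 1)  # documented default: only SSO enabled
    if flags & ~3:
        problems.append(f"site flags {flags} is outside the values 0-3")
    return problems


def check_site_file(text):
    """Parse the file content first, so malformed JSON is reported, not raised."""
    try:
        site = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    return validate_site(site)


# Constructed samples (hypothetical site, placeholder values).
GOOD = """{"url": "https://example.test/login", "flags": 3, "inputs": [
  {"type": "text", "flags": 3, "value": "alice@example.test"},
  {"type": "password", "flags": 5, "value": "placeholder"}]}"""
BAD = """{"name": "No URL", "flags": 7, "inputs": [
  {"type": "password", "flags": 5, "value": "placeholder"},
  {"type": "password", "flags": 4, "value": "placeholder"}]}"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_site_file(text))
    print(decode_flags(293, SITE_FLAGS))  # site flags value from the sample response
```

The input flags 3 and 5 in the sample response decode to required plus username and required plus password; the site-level value 293 carries bits beyond the two documented here, which the decoder reports rather than guesses at.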
Updating existing site
> lmo sites [SITE_ID] -update -file <FILE_PATH>
With the help of the update parameter of sites, you can update existing sites. The updated site information should be provided in a file or as parameters.
The data format for the input JSON file is exactly the same as explained above in the create section. If you only want to update one or two parameters without passing all data - instead of passing the parameters in JSON file - you can pass it as arguments, like:
> lmo sites 1749398 -update -name "Facebook (changed)"
> lmo sites 1749398 -update -name "Facebook (changed)" -url https://facebook.com
All parameters can be passed as arguments or in JSON file format - but it is recommended to use the JSON file.
Deleting site
> lmo sites [ID] -delete
A site can be deleted by providing an existing site ID.
Users Command
Get a list of users
> lmo users
Sample response:
{
"users": [
{
"id": 1,
"username": "michaelm@logmeonce.com",
"email": "michaelm@logmeonce.com",
"firstname": "Michael",
"lastname": "Miller",
"picture": "http://m-s3.logmeonce.com/48.jpg",
"active": true,
"confirmed": false,
"license": 102,
"roles": [],
"birthdate": "1950-01-01",
"gender": "m",
"address": "Address",
"city": "City",
"zip": "11-222",
"country": "US",
"phone": "+1123",
"company": "LogMeOnce",
"website": "https://LogMeOnce.com"
}
]
}
Response properties:
- users – This is an array of users
- Id
- Username - Username
- Email – Primary email address
- Picture – Picture URL
- Active – Boolean if the user is active
- Confirmed – Boolean if user confirmed his account (and set up his account after invitation email)
- License
- Roles – Array of roles
- Firstname - First Name
- Lastname - Last name
- Birthdate – Birthdate
- Gender – Gender
- Address – Address
- City – Address
- State – Address
- Zip – Address
- Phone – Phone
- Company – Company Name
- Jobtitle – Job Title
- Website – Website URL
Get a single user
> lmo users [USER_ID]
You can get user data by providing the user ID.
Create a new user
> lmo users -create --username [USERNAME] --firstname [FIRSTNAME]
Additional parameters
If the user is to be activated and the invitation email sent, then additionally pass activate with the value 1.
- firstName
- lastName
- birthdate
- gender
- address
- city
- state
- zip
- country
- phone
- company
- jobTitle
- website
- activate - “1” - user will be activated and invitation email sent
With the help of the create parameter, you can create another user by providing the body parameters in double-dash form. Note that single-dash parameters are reserved for the CLI, and double-dash parameters are for the CLI API.
Update existing user
This command is used to update the attributes of an existing user.
> lmo users [USER_ID] -update
Additional parameters can be passed the same as the above example.
Delete user
This command is used to delete an existing user.
> lmo users [USER_ID] -delete
Activating user
This command is used to activate a user.
> lmo users [USER_ID] activate -update
Deactivating user
This command is used to deactivate/disable an existing user.
> lmo users [USER_ID] deactivate -update
List of users for a specific group
This command is used to find a list of users in an existing group.
> lmo groups [GROUP_ID] users
Adding and/or removing users into a specific group
This command is used to add or remove a user from an existing group.
> lmo groups [GROUP_ID] users -update --add [USER_ID] --remove [USER_ID]
Adding and/or removing multiple users into a specific group
This command is used to add or remove multiple users from an existing group.
> lmo groups [GROUP_ID] users -update --add [USER_ID_1] --add [USER_ID_2] --add [USER_ID_3] --remove [USER_ID_1] --remove [USER_ID_2]
Groups Command
Get a list of groups
This command is used to get a list of all groups.
> lmo groups
Sample response:
{
"groups": [
{
"id": 5717,
"name": "Canada2"
},
{
"id": 5719,
"name": "Arizona"
},
{
"id": 8762,
"name": "AAA"
}
]
}
Response properties:
- groups – This is an array of groups
- id - Group ID
- parent – Parent group id
- name - Group Name
- description - Group Description
Get a single group
This command is used to get details of a single group.
> lmo groups [GROUP_ID]
The response is the same as above
Create a new group
This command is used to create a new group.
> lmo groups -create --name [GROUP_NAME] --description [GROUP_DESCRIPTION]
Additional parameters same as above
- name
- description
Update existing group
This command is used to update an existing group.
> lmo groups [GROUP_ID] -update
Additional parameters same as above
Delete group
This command is used to delete an existing group.
> lmo groups [GROUP_ID] -delete
List of groups for a user
This command is used to list all groups of an existing user.
> lmo users [USER_ID] groups
Joining and/or leaving a group for a specific user
This command is used to assign a user to a group or remove a user from a group.
> lmo users [USER_ID] groups -update --join [GROUP_ID] --leave [GROUP_ID]
Joining and/or leaving multiple groups for a specific user
This command is used to assign a user to multiple groups or remove a user from multiple groups.
> lmo users [USER_ID] groups -update --join [GROUP_ID_1] --join [GROUP_ID_2] --join [GROUP_ID_3] --leave [GROUP_ID_1] --leave [GROUP_ID_2]
Events Command
Get a list of events
This command is used to get a list of events generated in your account. The output can be exported to Splunk or other Security information and event management (SIEM) solutions.
> lmo events
Additional parameters
- order – Sorts the retrieved events in either ascending or descending order.
> lmo events --order asc
> lmo events --order desc
- limit – Limits the number of events displayed on one page.
> lmo events --limit 20
- page – Displays the events of a specific page.
> lmo events --page 5
- datetime – Displays events where ‘events > datetime’. Here datetime is an Epoch timestamp.
> lmo events --datetime 1601193600
Examples:
{
"events": [
{
"id": 13138427,
"user": 5124099494,
"type": "login",
"created": 1601193395,
"ip": "100.1.25.100",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138426,
"user": 531249494,
"type": "login",
"created": 1601193391,
"ip": "192.168.61.87",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138322,
"user": 512569494,
"type": "login",
"created": 1601192321,
"ip": "192.168.2.100",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138321,
"user": 1235659494,
"type": "login",
"created": 1601192318,
"ip": "149.234.61.87",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138319,
"user": 1230959494,
"type": "login",
"created": 1601192267,
"ip": "192.100.2.100",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138318,
"user": 19267159494,
"type": "login",
"created": 1601192262,
"ip": "100.234.61.87",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138307,
"user": 1270959494,
"type": "login",
"created": 1601192119,
"ip": "200.100.2.100",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138306,
"user": 871592194,
"type": "login",
"created": 1601192116,
"ip": "249.324.61.87",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138305,
"user": 109259444,
"type": "login",
"created": 1601192042,
"ip": "210.120.2.100",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
},
{
"id": 13138303,
"user": 23559494,
"type": "login",
"created": 1601192037,
"ip": "129.134.61.87",
"device": 98030,
"browser": {
"type": 12,
"version": "2.0"
}
}
],
"limit": 10,
"page": 1,
"total": 852
}
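For the SIEM export mentioned at the start of this section, the response above has to be flattened into one record per event, with a checkpoint that can be fed back as the next `datetime` value. The following Python sketch is an added example, not LogMeOnce code; the function names, the output field names and the sample response are assumptions, and the sample uses documentation-range IP addresses.

```python
import json
import math
from datetime import datetime, timezone
from ipaddress import ip_address


def pages_needed(response):
    """Pages to request with --page, from the response's total and limit."""
    return math.ceil(response["total"] / response["limit"])


def valid_ip(text):
    """True when text parses as an IPv4 or IPv6 address."""
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def to_siem_records(response, checkpoint=0):
    """Flatten one `lmo events` response; returns (records, new_checkpoint).

    Events with created <= checkpoint are skipped, mirroring the documented
    'events > datetime' filter, so overlapping exports do not duplicate.
    """
    records, newest = [], checkpoint
    for ev in response["events"]:
        if ev["created"] <= checkpoint:
            continue
        records.append({
            "time": datetime.fromtimestamp(ev["created"], timezone.utc).isoformat(),
            "event_id": ev["id"],
            "user_id": ev["user"],
            "action": ev["type"],
            "src_ip": ev["ip"],
            "src_ip_valid": valid_ip(ev["ip"]),  # malformed values kept but marked
            "device_id": ev["device"],
        })
        newest = max(newest, ev["created"])
    return records, newest


def to_ndjson(records):
    """Serialize as one JSON object per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed response in the shape shown above (not real account data).
SAMPLE = json.loads("""{"events": [
  {"id": 103, "user": 7, "type": "login", "created": 1601193720,
   "ip": "203.0.113.999", "device": 1, "browser": {"type": 12, "version": "2.0"}},
  {"id": 102, "user": 8, "type": "login", "created": 1601193660,
   "ip": "198.51.100.7", "device": 1, "browser": {"type": 12, "version": "2.0"}},
  {"id": 101, "user": 7, "type": "login", "created": 1601193600,
   "ip": "192.0.2.10", "device": 2, "browser": {"type": 12, "version": "2.0"}}
], "limit": 3, "page": 1, "total": 8}""")

if __name__ == "__main__":
    records, checkpoint = to_siem_records(SAMPLE, checkpoint=1601193600)
    print(to_ndjson(records))
    print("next datetime:", checkpoint, "pages:", pages_needed(SAMPLE))
```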