AW: Re: Re: ImportError: No module named privacyidea.app

You need e.g. to set wsgipythonhome.
Kind regards Cornelius

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH, http://NetKnights.it
+49 561 3166 797
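
What the advice above targets, as an added example (not code from this thread or from the privacyIDEA project): a small Python 3 check that reads an Apache vhost and reports whether mod_wsgi is pointed at the virtualenv (WSGIPythonHome, or python-home/python-path on WSGIDaemonProcess) and whether an active log format records request parameters. The sample configs are constructed from lines quoted further down in the thread, the function names and finding codes are made up here, and flagging %r as well as %q goes beyond the comment in the quoted config.

```python
import posixpath
import re
import shlex

# Constructed sample: WSGI and logging lines shaped like the vhosts quoted in
# this thread. The virtualenv lives in /opt/privacyidea, but nothing tells
# mod_wsgi about it, and the active LogFormat ends in %q.
SAMPLE_BROKEN = r'''
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
# Do not use %q! This will reveal all parameters, including setting PINs and Keys!
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
'''

# Constructed sample: same vhost with the Python home set and %q removed.
SAMPLE_FIXED = r'''
WSGIPythonHome /opt/privacyidea
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
'''

# %q is the query string; %r is the whole request line, which contains it.
# Status-code and </> modifiers may sit between '%' and the letter.
PARAM_LOGGING = re.compile(r'%[<>!,\d]*[qr]')


def directives(conf_text):
    """Yield (lower-cased name, [args]) for each active directive.

    Comment lines and section tags such as <VirtualHost> are skipped.
    """
    joined = re.sub(r'\\\r?\n', ' ', conf_text)  # backslash line continuation
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in '#<':
            continue
        try:
            parts = shlex.split(line)  # honours "..." and \" like Apache does
        except ValueError:             # unbalanced quote: fall back to words
            parts = line.split()
        if parts:
            yield parts[0].lower(), parts[1:]


def audit(conf_text, venv):
    """Return a list of (code, detail) findings for one config text.

    Hypothetical codes used here:
      LOGS_REQUEST_PARAMETERS  an active log format contains %q or %r
      VENV_NOT_VISIBLE         no directive points mod_wsgi at `venv`
    Simplification: all WSGIDaemonProcess lines are treated as one group.
    """
    venv = posixpath.normpath(venv)
    findings = []
    global_home, embedded_paths = None, []
    daemon_seen, daemon_home, daemon_paths = False, None, []

    for name, args in directives(conf_text):
        if name == 'wsgipythonhome' and args:
            global_home = args[0]
        elif name == 'wsgipythonpath' and args:      # embedded mode only
            embedded_paths += args[0].split(':')
        elif name == 'wsgidaemonprocess':
            daemon_seen = True
            for opt in args[1:]:
                key, _, value = opt.partition('=')
                if key == 'python-home':
                    daemon_home = value
                elif key == 'python-path':
                    daemon_paths += value.split(':')
        elif name in ('logformat', 'customlog') and args:
            # LogFormat "<format>" [nickname]; CustomLog <file> <format|nickname>
            fmt = args[0] if name == 'logformat' else ''.join(args[1:2])
            if PARAM_LOGGING.search(fmt.replace('%%', '')):
                findings.append(('LOGS_REQUEST_PARAMETERS', fmt))

    def in_venv(path):
        path = posixpath.normpath(path)
        return path == venv or path.startswith(venv + '/')

    # A daemon-level python-home overrides the global WSGIPythonHome.
    home = daemon_home or global_home
    paths = daemon_paths if daemon_seen else embedded_paths
    home_ok = bool(home) and posixpath.normpath(home) == venv
    if not (home_ok or any(in_venv(p) for p in paths if p)):
        findings.append(('VENV_NOT_VISIBLE', venv))
    return findings


if __name__ == '__main__':
    for label, text in (('broken', SAMPLE_BROKEN), ('fixed', SAMPLE_FIXED)):
        print(label, audit(text, '/opt/privacyidea'))
```

A clean result only says the directives point at the virtualenv; the mod_wsgi module must also have been built for the same Python version as that virtualenv.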

virtualenv. I followed the steps in your guide, mixed with an old one from howtoforge. I documented all the steps since I want to write a Debian 8 howto:

  • aptitude install libjpeg-dev zlib1g-dev python-dev \
      libffi-dev libssl-dev libxslt1-dev virtualenv gcc \
      mysql-server freeradius libconfig-inifiles-perl \
      libdata-dump-perl libtry-tiny-perl libconfig-json-perl \
      libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
  • virtualenv /opt/privacyidea
  • cd /opt/privacyidea
  • source bin/activate
  • pip install privacyidea
  • pip install MySQL-python
  • pip install click
  • mysql -u root -p
      create database pi;
      grant all privileges on pi.* to "pi"@"localhost" identified by "XXX";
      flush privileges;
      quit;
  • mkdir /etc/privacyidea
  • useradd -r privacyidea
  • cp etc/privacyidea/* /etc/privacyidea/
  • vi /etc/privacyidea/pi.cfg
    import logging
    # The realm, where users are allowed to login as administrators
    SUPERUSER_REALM = ['super']
    # Your database
    #SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
    # This is used to encrypt the auth_token
    #SECRET_KEY = 't0p s3cr3t'
    # This is used to encrypt the admin passwords
    #PI_PEPPER = "Never know…"
    # This is used to encrypt the token data and token passwords
    PI_ENCFILE = '/etc/privacyidea/enckey'
    # This is used to sign the audit log
    # This is the dummy base class
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
    # This is the default
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
    # This is used to sign the audit log
    PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
    PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
    PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
    PI_LOGLEVEL = logging.INFO
    PI_PEPPER = 'X'
    SECRET_KEY = 'X'
    SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'

  • pi-manage create_enckey
  • pi-manage create_audit_keys
  • pi-manage createdb
  • pi-manage admin add admin@localhost
  • privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea

  • a2enmod ssl

  • vi /etc/apache2/sites-available/privacyidea.conf
    ServerAdmin webmaster@localhost
    # You might want to change this
    ServerName localhost
    DocumentRoot /var/www
    # For Apache 2.4 you need to set this:
    Require all granted
    Options FollowSymLinks
    AllowOverride None
    # Yubico servers use /wsapi/2.0/verify as the path in the
    # validation URL. Some tools (e.g. Kolab 2fa) let the
    # user/admin change the api host, but not the rest of
    # the URL. Uncomment the following two lines to reroute
    # the api URL internally to privacyideas /ttype/yubikey.
    #RewriteEngine on
    #RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
    # We can run several instances on different paths with different configurations
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    #WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
    #WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
    #WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
    #
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile    /etc/ssl/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    # If you want to forward http request to https enable the
    # following virtual host.
    #
    # # This will enable the Rewrite capabilities
    # RewriteEngine On
    #
    # # This checks to make sure the connection is not already HTTPS
    # RewriteCond %{HTTPS} !=on
    # RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    #

  • cd /etc/apache2/sites-enabled/
  • rm -f 000-default.conf
  • ln -s ../sites-available/privacyidea.conf .

  • mkdir /home/privacyidea
  • chown -R privacyidea /home/privacyidea/
  • chown -R privacyidea /etc/privacyidea/

The part with user privacyidea is not within your guide, so there could be a problem but I don’t get it.

Thanks
Michael


Hi,
I installed PI 2.13 via pip on a fresh Debian 8 and have the same issue here. Running via pi-manage runserver I can access the system, but via apache / wsgi I get:

[Wed Jul 06 14:12:55.024738 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Wed Jul 06 14:12:55.024797 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] mod_wsgi (pid=17269): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Wed Jul 06 14:12:55.024837 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.024875 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in
[Wed Jul 06 14:12:55.024929 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] from privacyidea.app import create_app
[Wed Jul 06 14:12:55.024964 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] ImportError: No module named privacyidea.app
[Wed Jul 06 14:12:55.125165 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Wed Jul 06 14:12:55.125198 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] mod_wsgi (pid=17269): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Wed Jul 06 14:12:55.125231 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.125263 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in
[Wed Jul 06 14:12:55.125309 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] from privacyidea.app import create_app
[Wed Jul 06 14:12:55.125341 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] ImportError: No module named privacyidea.app

Thanks
Michael

the “privacyidea.app” in fact indicates that there is something wrong with your python setup. In certain cases the WSGI process does not find the complete python environment.

Which howto did you use to install?
-> This is the change to improve the documentation :-)

We do not need to take a look at FreeRADIUS now, since your privacyIDEA installation seems messed up.

Kind regards
Cornelius

-------- Original message --------
From: Michael Muenz m.muenz@gmail.com
Date: 06.07.16 14:35 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Cc: m.muenz@gmail.com
Subject: Re: [privacyidea] Re: ImportError: No module named privacyidea.app

On Wednesday, 6 July 2016 14:25:04 UTC+2, Cornelius Kölbel wrote:
Pip in root or virtual environment? Config?

-------- Original message --------
From: Michael Muenz m.m...@gmail.com
Date: 06.07.16 14:17 (GMT+01:00)
To: privacyidea priva...@googlegroups.com
Subject: [privacyidea] Re: ImportError: No module named privacyidea.app

On Monday, 11 January 2016 17:47:15 UTC+1, Cornelius Kölbel wrote:
Hello John,

On Monday, 11.01.2016, 07:58 -0800, John Whitten wrote:

Hello Cornelius,

  1. How does the file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

[root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
import sys
sys.stdout = sys.stderr
from privacyidea.app import create_app
# Now we can select the config file:
application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")

  1. When I run it via Apache I get a “500 Server Error” and the error log contains the message about the “privacyidea.app” issue:

==> /var/log/httpd/error.log <==
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
[Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
[Sun Jan 10 01:25:29 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in
[Sun Jan 10 01:25:29 2016] [error] from privacyidea.app import create_app
[Sun Jan 10 01:25:29 2016] [error] ImportError: No module named privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to operate on port 5000), it logs me in and I get a “token/list” url and a page which should be showing me tokens, but for some reason it does not show any listed. There should be two tokens registered for the username I’m using. Here is the command line I’m using:

pi-manage runserver -h MyHost -p 5000 -d -r

  1. This is what I get from the privacyidea.log:

[2016-01-11 10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235] Can not get param: No JSON object could be decoded

  1. Post output of Freeradius -X

Request:

[root@MyHost FreeRADIUS]# echo "User-Name=SomeUser@SomeRealm, Password=SomePassword" | radclient -sx localhost auth 'OurSecret'
Sending Access-Request of id 89 to 127.0.0.1 port 1812
    User-Name = "SomeUser@SomeRealm"
    Password = "SomePassword"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89, length=75
    Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89, length=55
    User-Name = "SomeUser@SomeRealm"
    User-Password = "SomePassword"
Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "SomeRealm" for User-Name = "SomeUser@SomeRealm"
[suffix] No such realm "SomeRealm"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 183
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl
Executing group from file /etc/raddb/sites-enabled/privacyidea
+group authenticate {
rlm_perl: Config File not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type perl
rlm_perl: Warning:
rlm_perl: Auth-Type: perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 Internal Server Error
rlm_perl: return RLM_MODULE_FAIL
rlm_perl: Added pair User-Name = SomeUser@SomeRealm
rlm_perl: Added pair User-Password = SomePassword
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500 Internal Server Error
rlm_perl: Added pair Auth-Type = perl
++[perl] = fail
+} # group authenticate = fail
Failed to authenticate the user.
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 89 to 127.0.0.1 port 54525
    Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
Waking up in 4.9 seconds.
Cleaning up request 15 ID 89 with timestamp +409247
Ready to process requests.

You didn’t ask, but here is my Apache config:

[root@MyHost conf.d]# cat privacyidea.conf
TraceEnable on
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi
#############################################
# Redirect All Port 80 Accesses to Port 443
#############################################
#
ServerAdmin webmaster@localhost
ServerName localhost
RewriteEngine On
RewriteCond %{HTTPS} !=On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
#############################################
# Handle Port 443 Accesses
#############################################
#
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName localhost
    DocumentRoot /var/www
    <Directory />
Require all granted
            Allow from all
            Options FollowSymLinks
            AllowOverride None
    </Directory>
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    ## Logging
    ErrorLog /var/log/httpd/error.log
    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    #LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
    CustomLog /var/log/httpd/ssl_access.log privacyIDEA
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest problem always seems to come back to this one item:

[Sat Jan 09 01:25:22 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in
[Sat Jan 09 01:25:22 2016] [error] from privacyidea.app import create_app
[Sat Jan 09 01:25:22 2016] [error] ImportError: No module named privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:

    Hello John,
    1. Check the configuration
    The httpd error log says
    Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module
    a) How does the file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?
    b) How does your apache config look like?
    I suspect that you have two different configurations, one that works when accessing the UI and one that does not work and is accessed when issuing the authentication request.
    2. Check the API without the FreeRADIUS
    Please execute
    https://yourhost/validate/check?user=....&pass=...
    in your browser and take a look at the result.
    Of course you must not use the port 5000 unless you are running the Apache SSL on 5000.
    3. Check the log file
    The FreeRADIUS reply message says:
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=75
            Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
    So please check the privacyIDEA log.
    4. Debug
    You enabled DEBUG=true in your rlm_perl.ini.
    So you should get more privacyIDEA specific output when running
     freeradius -X
    You did not post this. Can you do so?
    Kind regards
    Cornelius
    On Friday, 08.01.2016, 06:02 -0800, John Whitten wrote:
    > Hi Cornelius, 
    > 
    > 
    > Thanks for the quick reply. 
    > 
    > 
    > Yes, you were correct that my "rlm_perl.ini" file was
    missing. But, 
    > sadly, adding the file and adjusting the params did not
    resolve the 
    > issue. In fact, the problem remains the same: 
    > 
    > 
    > [root@myhost FreeRADIUS]# echo "User-Name=user,
    Password=pin123456" | 
    > radclient -sx localhost auth 'OURSECRET' 
    > Sending Access-Request of id 127 to 127.0.0.1 port 1812 
    >         User-Name = "user" 
    >         Password = "pin123456" 
    > 
    > 
    > ==> /var/log/httpd/error.log <== 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1]
    mod_wsgi 
    > (pid=24859): Target WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'
    cannot be 
    > loaded as Python module. 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1]
    mod_wsgi 
    > (pid=24859): Exception occurred processing WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    > [Fri Jan 08 08:53:23 2016] [error] Traceback (most recent
    call last): 
    > [Fri Jan 08 08:53:23 2016] [error]   File 
    > "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line
    3, in 
    > <module> 
    > [Fri Jan 08 08:53:23 2016] [error]     from privacyidea.app
    import 
    > create_app 
    > [Fri Jan 08 08:53:23 2016] [error] ImportError: No module
    named 
    > privacyidea.app 
    > 
    > 
    > ==> /var/log/httpd/ssl_access.log <== 
    > 127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500
    "POST /validate/check 
    > HTTP/1.1"  599 "-" "libwww-perl/6.15" 
    > rad_recv: Access-Reject packet from host 127.0.0.1 port
    1812, id=127, 
    > length=75 
    >         Reply-Message = "privacyIDEA request failed: 500
    Internal 
    > Server Error" 
    > 
    > 
    >            Total approved auths:  0 
    >              Total denied auths:  1 
    >                Total lost auths:  0 
    > --- 
    > 
    > 
    > 
    > Here is what the "rlm_perl.ini" file now contains: 
    > 
    > 
    > [Default] 
    > URL = https://myhost:5000/validate/check 
    > REALM = myrealm 
    > #RESCONF = someResolver 
    > #SSL_CHECK = true 
    > SSL_CHECK = false 
    > DEBUG = true 
    > --- 
    > 
    > 
    > BTW, the result is the same with or without the port 5000
    part. I 
    > tried removing it and it is still bombing with the import
    error. It is 
    > apparently looking for something called "privacyidea.app"
    and there is 
    > nothing with that name on my system, or available on your
    site as far 
    > as I can tell. At least not directly. 
    > 
    > 
    > It feels to me like I am very close to getting this thing up
    and 
    > running! So I am hopeful! ;-) 
    > 
    > 
    > John 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius Kölbel  wrote: 
    >         Hello John, 
    >         
    >         thanks for the feedback regarding the installation 
    >         instructions. 
    >         This is the official instruction 
    >
    http://privacyidea.readthedocs.org/en/latest/installation/index.html 
    >         I will add a note, that it needs python 2.7. 
    >         
    >         Good news: If you are able to access the web ui, 
    >         authenticating with 
    >         FreeRADIUS will also work in a moment. 
    >         
    >         I assume you are accessing the webui at an URL like 
    >         
    >         https://yourserver/ 
    >         
    >         i.e. in the root directory? 
    >         
    >         Then the FreeRADIUS would have to call 
    >         
    >         https://yourserver/validate/check 
    >         
    >         I think the FreeRADIUS privacyIDEA plugin is just
    not 
    >         completely 
    >         configured yet. 
    >         See 
    >
    http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius 
    >         
    >         Have you created any /opt/privacyidea/rlm_perl.ini
    file yet? 
    >         
    >         I recommend creating a file 
    >         /etc/privacyidea/rlm_perl.ini 
    >         with the following content: 
    >         
    >         [Default] 
    >         URL = https://your.server/validate/check 
    >         SSL_CHECK = false 
    >         DEBUG = true 
    >         
    >         adapt the URL accordingly. 
    >         You should change SSL_CHECK to true, later. I.e. you
    need to 
    >         get a 
    >         trusted certificate, if privacyIDEA is running on
    another 
    >         server than 
    >         freeradius. 
    >         
    >         Starting with DEBUG=true gives you some good ideas
    about whats 
    >         going on. 
    >         
    >         Please tell, if it was your rlm_perl.ini that was
    missing. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         On Thursday, 07.01.2016, 22:24 -0800, John Whitten wrote:
    >         > 
    >         > Hello, 
    >         > 
    >         > 
    >         > I have been working to get this PrivacyIDEA
    software 
    >         installed on a 
    >         > CentOS 6.5 system, along with FreeRADIUS. 
    >         > 
    >         > 
    >         > I have been mostly following the directions in
    these three 
    >         documents 
    >         > (none of them appears to be entirely accurate): 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > CentOS install: 
    >         > 
    >
    https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos 
    >         > 
    >         > 
    >         > 
    >         > Python Install: 
    >         > 
    >
    https://privacyidea.readthedocs.org/en/latest/installation/pip.html#python-package-index 
    >         > 
    >         > 
    >         > 
    >         > PrivacyIdea Documentation Latest: 
    >         > https://privacyidea.readthedocs.org/en/latest/ 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > Between the various documents though, and a whole
    lot of 
    >         trial and 
    >         > error, I have gotten it mostly working I think.
    The actual 
    >         > installation files are from using the "Python PIP
    Install" 
    >         method, so 
    >         > are whichever version are available that way. (I'm
    not a 
    >         Python guy). 
    >         >  Also I should mention that I figured out that it
    doesn't 
    >         work with 
    >         > Python 2.6 and have installed Python 2.7. As soon
    as I did 
    >         that, the 
    >         > install went very smoothly. You should probably
    note that 
    >         someplace in 
    >         > the documents and save people a whole lot of
    time. 
    >         > 
    >         > 
    >         > Anyway, I have come to the part where I'm hooking
    up 
    >         FreeRADIUS and it 
    >         > keeps bombing with the following message: 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > ==> /var/log/httpd/error.log <== 
    >         > [Thu Jan 07 23:27:48 2016] [error] [client
    10.200.1.10] 
    >         mod_wsgi 
    >         > (pid=24859): Target WSGI script 
    >         >
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' 
    >         cannot be 
    >         > loaded as Python module. 
    >         > [Thu Jan 07 23:27:48 2016] [error] [client
    10.200.1.10] 
    >         mod_wsgi 
    >         > (pid=24859): Exception occurred processing WSGI
    script 
    >         >
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    >         > [Thu Jan 07 23:27:48 2016] [error] Traceback (most
    recent 
    >         call last): 
    >         > [Thu Jan 07 23:27:48 2016] [error]   File 
    >         >
    "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 
    >         3, in 
    >         > <module> 
    >         > [Thu Jan 07 23:27:48 2016] [error]     from
    privacyidea.app 
    >         import 
    >         > create_app 
    >         > [Thu Jan 07 23:27:48 2016] [error] ImportError: No
    module 
    >         named 
    >         > privacyidea.app 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > RADIUS itself seems to be working fine. I had it
    set up 
    >         originally and 
    >         > tested it with the test radius client and it all
    seemed to 
    >         work fine. 
    >         > I now have it configured to call the
    "privacyidea_radius.pm" 
    >         module 
    >         > from /etc/raddb/modules/perl. I had to correct the
    path as 
    >         below: 
    >         > 
    >         > 
    >         > perl { 
    >         > #       module
    = /opt/privacyIDEA/privacyidea_radius.pm 
    >         >         module 
    >         > 
    >
    = /opt/privacyIDEA/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm 
    >         >         } 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > When I try to authenticate using the test client
    now, I get 
    >         the above 
    >         > error message, apparently looking for something
    called 
    >         > "privacyidea.app". There is nothing on my system
    anywhere 
    >         with that 
    >         > name, and I cannot find any good reference to it
    online 
    >         apart from a 
    >         > brief mention here and there with respect to the
    "perl" file 
    >         in the 
    >         > RADIUS modules directory. 
    >         > 
    >         > 
    >         > Can you assist me? I am under the gun to get this
    worked out 
    >         and I'm 
    >         > having a heck of a time getting everything set up
    and 
    >         working. 
    >         > 
    >         > 
    >         > 
    >         > I have gotten the PrivacyIDEA web portion itself
    worked out. 
    >         I have 
    >         > been able to login as Admin, set up a Realm,
    connect it to 
    >         our Active 
    >         > Directory and whatnot, and all that seems to work.
    I also 
    >         was able to 
    >         > login to the PrivacyIDEA as a user and enroll
    myself a 
    >         token. I got 
    >         > the FreeOTP Android App for my smartphone from
    Google Play, 
    >         and used 
    >         > the QR feature to set up the token into the
    FreeOTP app. All 
    >         of that 
    >         > went very smoothly and without much problem. 
    >         > 
    >         > 
    >         > But when I go to try to authenticate with it, I
    run into the 
    >         problem 
    >         > above. 
    >         > 
    >         > 
    >         > Thanks for any assistance you can provide! 
    >         > 
    >         > 
    >         > John Whitten 
    >         > -- 
    >         > You received this message because you are
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > To view this discussion on the web visit 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/d7f639b0-bfcd-403a-a6c8-c176e7d66519%40googlegroups.com. 
    >         > For more options, visit
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         


Please read the blog post about getting help

https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit

https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suits your needs for SECURITY, AVAILABILITY and LIABILITY:

https://netknights.it/en/leistungen/service-level-agreements/



Alternatively take a look here


Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH http://NetKnights.it
+49 561 3166 797

virtualenv. I followed the steps in your guide, mixed with an old one from howtoforge. I documented all the steps since I want to write a Debian 8 howto:

  • aptitude install libjpeg-dev zlib1g-dev python-dev \
      libffi-dev libssl-dev libxslt1-dev virtualenv gcc \
      mysql-server freeradius libconfig-inifiles-perl \
      libdata-dump-perl libtry-tiny-perl libconfig-json-perl \
      libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
  • virtualenv /opt/privacyidea
  • cd /opt/privacyidea
  • source bin/activate
  • pip install privacyidea
  • pip install MySQL-python
  • pip install click
  • mysql -u root -p
      create database pi;
      grant all privileges on pi.* to "pi"@"localhost" identified by "XXX";
      flush privileges;
      quit;
  • mkdir /etc/privacyidea
  • useradd -r privacyidea
  • cp etc/privacyidea/* /etc/privacyidea/
  • vi /etc/privacyidea/pi.cfg

    import logging
    # The realm, where users are allowed to login as administrators
    SUPERUSER_REALM = ['super']
    # Your database
    #SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
    # This is used to encrypt the auth_token
    #SECRET_KEY = 't0p s3cr3t'
    # This is used to encrypt the admin passwords
    #PI_PEPPER = "Never know..."
    # This is used to encrypt the token data and token passwords
    PI_ENCFILE = '/etc/privacyidea/enckey'
    # This is used to sign the audit log
    # This is the dummy base class
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
    # This is the default
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
    # This is used to sign the audit log
    PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
    PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
    PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
    PI_LOGLEVEL = logging.INFO
    PI_PEPPER = 'X'
    SECRET_KEY = 'X'
    SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'

  • pi-manage create_enckey
  • pi-manage create_audit_keys
  • pi-manage createdb
  • pi-manage admin add admin@localhost
  • privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea
  • a2enmod ssl
  • vi /etc/apache2/sites-available/privacyidea.conf

    ServerAdmin webmaster@localhost
    # You might want to change this
    ServerName localhost
    DocumentRoot /var/www
    # For Apache 2.4 you need to set this:
    Require all granted
    Options FollowSymLinks
    AllowOverride None
    # Yubico servers use /wsapi/2.0/verify as the path in the
    # validation URL. Some tools (e.g. Kolab 2fa) let the
    # user/admin change the api host, but not the rest of
    # the URL. Uncomment the following two lines to reroute
    # the api URL internally to privacyideas /ttype/yubikey.
    #RewriteEngine on
    #RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
    # We can run several instances on different paths with different configurations
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    #WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
    #WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
    #WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
    #
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile    /etc/ssl/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    # If you want to forward http request to https enable the
    # following virtual host.
    #
    #       # This will enable the Rewrite capabilities
    #       RewriteEngine On
    #
    #       # This checks to make sure the connection is not already HTTPS
    #       RewriteCond %{HTTPS} !=on
    #       RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    #

  • cd /etc/apache2/sites-enabled/
  • rm -f 000-default.conf
  • ln -s ../sites-available/privacyidea.conf .
  • mkdir /home/privacyidea
  • chown -R privacyidea /home/privacyidea/
  • chown -R privacyidea /etc/privacyidea/

The part with user privacyidea is not within your guide, so there could be a problem but I don’t get it.

Thanks
Michael


Hi,
I installed PI 2.13 via PiP on a fresh Debian 8 and have the same issue here. Running via py-manage runserver I can access the system, but via apache / wsgi I get:

    [Wed Jul 06 14:12:55.024738 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    [Wed Jul 06 14:12:55.024797 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] mod_wsgi (pid=17269): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    [Wed Jul 06 14:12:55.024837 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] Traceback (most recent call last):
    [Wed Jul 06 14:12:55.024875 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in
    [Wed Jul 06 14:12:55.024929 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] from privacyidea.app import create_app
    [Wed Jul 06 14:12:55.024964 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] ImportError: No module named privacyidea.app
    [Wed Jul 06 14:12:55.125165 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    [Wed Jul 06 14:12:55.125198 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] mod_wsgi (pid=17269): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    [Wed Jul 06 14:12:55.125231 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] Traceback (most recent call last):
    [Wed Jul 06 14:12:55.125263 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in
    [Wed Jul 06 14:12:55.125309 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] from privacyidea.app import create_app
    [Wed Jul 06 14:12:55.125341 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] ImportError: No module named privacyidea.app

Thanks
Michael

the “privacyidea.app” in fact indicates that there is something wrong with your python setup. In certain cases the WSGI process does not find the complete python environment.

Which howto did you use to install?

-> This is the change to improve the documentation :-)

We do not need to take a look at FreeRADIUS now, since your privacyIDEA installation seems messed up.

Kind regards

Cornelius

-------- Original message --------
From: Michael Muenz m.muenz@gmail.com
Date: 06.07.16 14:35 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Cc: m.muenz@gmail.com
Subject: Re: [privacyidea] Re: ImportError: No module named privacyidea.app

On Wednesday, 6 July 2016 14:25:04 UTC+2, Cornelius Kölbel wrote:
Pip in root or virtual environment? Config?

-------- Original message --------
From: Michael Muenz m.m...@gmail.com
Date: 06.07.16 14:17 (GMT+01:00)
To: privacyidea priva...@googlegroups.com
Subject: [privacyidea] Re: ImportError: No module named privacyidea.app

On Monday, 11 January 2016 17:47:15 UTC+1, Cornelius Kölbel wrote:
Hello John,

On Monday, 11.01.2016, 07:58 -0800, John Whitten wrote:

Hello Cornelius,

  1. How does the file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

    [root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    import sys
    sys.stdout = sys.stderr
    from privacyidea.app import create_app
    # Now we can select the config file:
    application = create_app(config_name="production",
                             config_file="/etc/privacyidea/pi.cfg")

  2. When I run it via Apache I get a “500 Server Error” and the error log contains the message about the “privacyidea.app” issue:

    ==> /var/log/httpd/error.log <==
    [Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    [Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
    [Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
    [Sun Jan 10 01:25:29 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in
    [Sun Jan 10 01:25:29 2016] [error] from privacyidea.app import create_app
    [Sun Jan 10 01:25:29 2016] [error] ImportError: No module named privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to operate on port 5000), it logs me in and I get a “token/list” url and a page which should be showing me tokens, but for some reason it does not show any listed. There should be two tokens registered for the username I’m using. Here is the command line I’m using:

    pi-manage runserver -h MyHost -p 5000 -d -r

  3. This is what I get from the privacyidea.log:

    [2016-01-11 10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235] Can not get param: No JSON object could be decoded

  4. Post output of Freeradius -X

Request:

    [root@MyHost FreeRADIUS]# echo "User-Name=SomeUser@SomeRealm, Password=SomePassword" | radclient -sx localhost auth 'OurSecret'
    Sending Access-Request of id 89 to 127.0.0.1 port 1812
        User-Name = "SomeUser@SomeRealm"
        Password = "SomePassword"
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89, length=75
        Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
           Total approved auths:  0
             Total denied auths:  1
               Total lost auths:  0

Debug Output:

    rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89, length=55
        User-Name = "SomeUser@SomeRealm"
        User-Password = "SomePassword"
    Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] Looking up realm "SomeRealm" for User-Name = "SomeUser@SomeRealm"
    [suffix] No such realm "SomeRealm"
    ++[suffix] = noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] = noop
    [files] users: Matched entry DEFAULT at line 183
    ++[files] = ok
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = ok
    Found Auth-Type = perl
    Executing group from file /etc/raddb/sites-enabled/privacyidea
    +group authenticate {
    rlm_perl: Config File not found!
    rlm_perl: Default URL https://127.0.0.1/validate/check
    rlm_perl: Looking for config for auth-type perl
    rlm_perl: Warning:
    rlm_perl: Auth-Type: perl
    rlm_perl: url: https://127.0.0.1/validate/check
    rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
    rlm_perl: realm sent to privacyidea:
    rlm_perl: resolver sent to privacyidea:
    rlm_perl: client sent to privacyidea: 127.0.0.1
    rlm_perl: state sent to privacyidea:
    rlm_perl: urlparam client
    rlm_perl: urlparam pass
    rlm_perl: urlparam user
    rlm_perl: Not verifying SSL certificate!
    rlm_perl: privacyIDEA request failed: 500 Internal Server Error
    rlm_perl: return RLM_MODULE_FAIL
    rlm_perl: Added pair User-Name = SomeUser@SomeRealm
    rlm_perl: Added pair User-Password = SomePassword
    rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
    rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500 Internal Server Error
    rlm_perl: Added pair Auth-Type = perl
    ++[perl] = fail
    +} # group authenticate = fail
    Failed to authenticate the user.
    Delaying reject of request 15 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 15
    Sending Access-Reject of id 89 to 127.0.0.1 port 54525
        Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
    Waking up in 4.9 seconds.
    Cleaning up request 15 ID 89 with timestamp +409247
    Ready to process requests.

You didn’t ask, but here is my Apache config:

    [root@MyHost conf.d]# cat privacyidea.conf
    TraceEnable on
    ServerSignature Off
    ServerTokens Prod
    WSGIPythonHome /opt/privacyIDEA
    WSGISocketPrefix /var/run/wsgi
    #############################################
    # Redirect All Port 80 Accesses to Port 443
    #############################################
    #
    ServerAdmin webmaster@localhost
    ServerName localhost
    RewriteEngine On
    RewriteCond %{HTTPS} !=On
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #
    #############################################
    # Handle Port 443 Accesses
    #############################################
    #
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName localhost
        DocumentRoot /var/www
        <Directory />
            Require all granted
            Allow from all
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
        WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
        # The daemon is running as user 'privacyidea'
        # This user should have access to the encKey database encryption file
        WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
        WSGIProcessGroup privacyidea
        WSGIPassAuthorization On
        ## Logging
        ErrorLog /var/log/httpd/error.log
        LogLevel warn
        # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
        # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
        #LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
        LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
        CustomLog /var/log/httpd/ssl_access.log privacyIDEA
        SSLEngine On
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
        SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
        SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest problem always seems to come back to this one item:

    [Sat Jan 09 01:25:22 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in
    [Sat Jan 09 01:25:22 2016] [error] from privacyidea.app import create_app
    [Sat Jan 09 01:25:22 2016] [error] ImportError: No module named privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:

    Hello John,

    1. Check the configuration

    The httpd error log says
    Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module

    a) How does the file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?
    b) How does your apache config look like?

    I suspect that you have two different configurations, one that works when accessing the UI and one that does not work and is accessed when issuing the authentication request.

    2. Check the API without the FreeRADIUS

    Please execute
    https://yourhost/validate/check?user=....&pass=...
    in your browser and take a look at the result.
    Of course you must not use the port 5000 unless you are running the Apache SSL on 5000.

    3. Check the log file

    The FreeRADIUS reply message says:
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=75
            Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
    So please check the privacyIDEA log.

    4. Debug

    You enabled DEBUG=true in your rlm_perl.ini.
    So you should get more privacyIDEA specific output when running
     freeradius -X
    You did not post this. Can you do so?

    Kind regards
    Cornelius
    On Friday, 08.01.2016, 06:02 -0800, John Whitten wrote:
    > Hi Cornelius,
    >
    > Thanks for the quick reply.
    >
    > Yes, you were correct that my "rlm_perl.ini" file was missing. But, sadly, adding the file and adjusting the params did not resolve the issue. In fact, the problem remains the same:
    >
    > [root@myhost FreeRADIUS]# echo "User-Name=user, Password=pin123456" | radclient -sx localhost auth 'OURSECRET'
    > Sending Access-Request of id 127 to 127.0.0.1 port 1812
    >         User-Name = "user"
    >         Password = "pin123456"
    >
    > ==> /var/log/httpd/error.log <==
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
    > [Fri Jan 08 08:53:23 2016] [error] Traceback (most recent call last):
    > [Fri Jan 08 08:53:23 2016] [error]   File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    > [Fri Jan 08 08:53:23 2016] [error]     from privacyidea.app import create_app
    > [Fri Jan 08 08:53:23 2016] [error] ImportError: No module named privacyidea.app
    >
    > ==> /var/log/httpd/ssl_access.log <==
    > 127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500 "POST /validate/check HTTP/1.1"  599 "-" "libwww-perl/6.15"
    > rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=75
    >         Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
    >
    >            Total approved auths:  0
    >              Total denied auths:  1
    >                Total lost auths:  0
    > ---
    >
    > Here is what the "rlm_perl.ini" file now contains:
    >
    > [Default]
    > URL = https://myhost:5000/validate/check
    > REALM = myrealm
    > #RESCONF = someResolver
    > #SSL_CHECK = true
    > SSL_CHECK = false
    > DEBUG = true
    > ---
    >
    > BTW, the result is the same with or without the port 5000 part. I tried removing it and it is still bombing with the import error. It is apparently looking for something called "privacyidea.app" and there is nothing with that name on my system, or available on your site as far as I can tell. At least not directly.
    >
    > It feels to me like I am very close to getting this thing up and running! So I am hopeful! ;-)
    >
    > John
    >
    > On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius Kölbel wrote:
    >         Hello John,
    >
    >         thanks for the feedback regarding the installation instructions.
    >         This is the official instruction
    >         http://privacyidea.readthedocs.org/en/latest/installation/index.html
    >         I will add a note, that it needs python 2.7.
    >
    >         Good news: If you are able to access the web ui, authenticating with FreeRADIUS will also work in a moment.
    >
    >         I assume you are accessing the webui at an URL like
    >
    >         https://yourserver/
    >
    >         i.e. in the root directory?
    >
    >         Then the FreeRADIUS would have to call
    >
    >         https://yourserver/validate/check
    >
    >         I think the FreeRADIUS privacyIDEA plugin is just not completely configured yet.
    >         See
    >         http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius
    >
    >         Have you created any /opt/privacyidea/rlm_perl.ini file yet?
    >
    >         I recommend creating a file
    >         /etc/privacyidea/rlm_perl.ini
    >         with the following content:
    >
    >         [Default]
    >         URL = https://your.server/validate/check
    >         SSL_CHECK = false
    >         DEBUG = true
    >
    >         adapt the URL accordingly.
    >         You should change SSL_CHECK to true, later. I.e. you need to get a trusted certificate, if privacyIDEA is running on another server than freeradius.
    >
    >         Starting with DEBUG=true gives you some good ideas about what's going on.
    >
    >         Please tell, if it was your rlm_perl.ini that was missing.
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Thursday, 07.01.2016, 22:24 -0800, John Whitten wrote:
    >         >
    >         > Hello,
    >         >
    >         > I have been working to get this PrivacyIDEA software installed on a CentOS 6.5 system, along with FreeRADIUS.
    >         >
    >         > I have been mostly following the directions in these three documents (none of them appears to be entirely accurate):
    >         >
    >         > CentOS install:
    >         > https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos
    >         >
    >         > Python Install:
    >         > https://privacyidea.readthedocs.org/en/latest/installation/pip.html#python-package-index
    >         >
    >         > PrivacyIdea Documentation Latest:
    >         > https://privacyidea.readthedocs.org/en/latest/
    >         >
    >         > Between the various documents though, and a whole lot of trial and error, I have gotten it mostly working I think. The actual installation files are from using the "Python PIP Install" method, so are whichever version are available that way. (I'm not a Python guy). Also I should mention that I figured out that it doesn't work with Python 2.6 and have installed Python 2.7. As soon as I did that, the install went very smoothly. You should probably note that someplace in the documents and save people a whole lot of time.
    >         >
    >         > Anyway, I have come to the part where I'm hooking up FreeRADIUS and it keeps bombing with the following message:
    >         >
    >         > ==> /var/log/httpd/error.log <==
    >         > [Thu Jan 07 23:27:48 2016] [error] [client 10.200.1.10] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    >         > [Thu Jan 07 23:27:48 2016] [error] [client 10.200.1.10] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
    >         > [Thu Jan 07 23:27:48 2016] [error] Traceback (most recent call last):
    >         > [Thu Jan 07 23:27:48 2016] [error]   File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    >         > [Thu Jan 07 23:27:48 2016] [error]     from privacyidea.app import create_app
    >         > [Thu Jan 07 23:27:48 2016] [error] ImportError: No module named privacyidea.app
    >         >
    >         > RADIUS itself seems to be working fine. I had it set up originally and tested it with the test radius client and it all seemed to work fine. I now have it configured to call the "privacyidea_radius.pm" module from /etc/raddb/modules/perl. I had to correct the path as below:
    >         >
    >         > perl {
    >         > #       module = /opt/privacyIDEA/privacyidea_radius.pm
    >         >         module = /opt/privacyIDEA/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm
    >         >         }
    >         >
    >         > When I try to authenticate using the test client now, I get the above error message, apparently looking for something called "privacyidea.app". There is nothing on my system anywhere with that name, and I cannot find any good reference to it online apart from a brief mention here and there with respect to the "perl" file in the RADIUS modules directory.
    >         >
    >         > Can you assist me? I am under the gun to get this worked out and I'm having a heck of a time getting everything set up and working.
    >         >
    >         > I have gotten the PrivacyIDEA web portion itself worked out. I have been able to login as Admin, set up a Realm, connect it to our Active Directory and whatnot, and all that seems to work. I also was able to login to the PrivacyIDEA as a user and enroll myself a token. I got the FreeOTP Android App for my smartphone from Google Play, and used the QR feature to set up the token into the FreeOTP app. All of that went very smoothly and without much problem.
    >         >
    >         > But when I go to try to authenticate with it, I run into the problem above.
    >         >
    >         > Thanks for any assistance you can provide!
    >         >
    >         > John Whitten
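The checks that come up across this thread (whether mod_wsgi is pointed at the virtualenv at all, whether the same URL is mapped to two WSGI scripts, and the "Do not use %q!" warning in the config comments) can be run mechanically against a vhost file. The following is an added example, not code from privacyIDEA or from any poster; the function names, the finding codes and both sample configs are constructed for illustration, and @ROOT@ is a placeholder for the virtualenv directory.

```python
import glob
import os
import shlex
import tempfile

# Constructed configs modelled on directives quoted in the thread (not the posters' files).
# @ROOT@ stands for the virtualenv directory.
DEBIAN_STYLE = r"""
<VirtualHost *:443>
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA
</VirtualHost>
"""
CENTOS_STYLE = r"""
WSGIPythonHome @ROOT@
<VirtualHost *:443>
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIScriptAlias / @ROOT@/etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea python-path=@ROOT@/etc:@ROOT@/lib/python2.7/site-packages user=privacyidea
    WSGIProcessGroup privacyidea
    #LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{User-agent}i\"" privacyIDEA
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{User-agent}i\" %q" privacyIDEA
    CustomLog /var/log/httpd/ssl_access.log privacyIDEA
</VirtualHost>
"""


def parse_directives(conf_text):
    """Return [(name, [args])] for active directives; comments and <Section> tags are skipped."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        try:
            parts = shlex.split(line)   # keeps a quoted LogFormat string as one argument
        except ValueError:              # unbalanced quote: fall back to a plain split
            parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def python_env_dirs(directives):
    """Collect (kind, path) for every place mod_wsgi is told to look for Python code."""
    dirs = []
    for name, args in directives:
        if name in ("wsgipythonhome", "wsgipythonpath") and args:
            kind = "python-home" if name == "wsgipythonhome" else "python-path"
            dirs += [(kind, p) for p in args[0].split(":")]
        elif name == "wsgidaemonprocess":
            for opt in args[1:]:
                key, _, val = opt.partition("=")
                if key in ("python-home", "python-path"):
                    dirs += [(key, p) for p in val.split(":")]
    return dirs


def package_dirs(kind, path, package):
    """Directories where `package` would have to exist for the import to succeed."""
    if kind == "python-home":   # virtualenv root: packages live in lib/pythonX.Y/site-packages
        return glob.glob(os.path.join(path, "lib", "python*", "site-packages", package))
    return [os.path.join(path, package)]


def audit(conf_text, package="privacyidea"):
    """Return a list of (code, detail) findings for one Apache config text."""
    d = parse_directives(conf_text)
    findings = []
    env = python_env_dirs(d)
    if not env:
        findings.append(("no-python-env",
                         "no python-home/python-path: only the interpreter's default sys.path is searched"))
    elif not any(os.path.isdir(c) for k, p in env for c in package_dirs(k, p, package)):
        findings.append(("package-missing",
                         "%s not found under %s" % (package, [p for _, p in env])))
    mounts = [a[0] for n, a in d if n == "wsgiscriptalias" and a]
    for m in sorted(set(mounts)):
        if mounts.count(m) > 1:
            findings.append(("duplicate-alias", "%s is mapped %d times" % (m, mounts.count(m))))
    formats = {a[1]: a[0] for n, a in d if n == "logformat" and len(a) > 1}
    for n, a in d:
        if n == "customlog" and len(a) > 1:
            fmt = formats.get(a[1], a[1])       # nickname or inline format string
            if "%q" in fmt or "%r" in fmt:      # both write the query string (PINs, keys) to disk
                findings.append(("query-logged", "CustomLog %s records request parameters" % a[0]))
    return findings


if __name__ == "__main__":
    root = tempfile.mkdtemp()   # stands in for a virtualenv without privacyidea installed
    samples = (("debian-style", DEBIAN_STYLE),
               ("centos-style", CENTOS_STYLE.replace("@ROOT@", root)))
    for label, conf in samples:
        for code, detail in audit(conf):
            print(label, code, detail)
```

Finding the package directory on disk is necessary but not sufficient: mod_wsgi is compiled against one Python version, and a virtualenv built with a different version will still fail to import.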

You received this message because you are subscribed to the Google

Groups “privacyidea” group.

To unsubscribe from this group and stop receiving emails from it, send

an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.

To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/107f7393-dd39-4671-b0be-5908b9b5a5c5%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Cornelius Kölbel

corneliu…@netknights.it

+49 151 2960 1417

NetKnights GmbH

http://www.netknights.it

Landgraf-Karl-Str. 19, 34131 Kassel, Germany

Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405

Geschäftsführer: Cornelius Kölbel

Please read the blog post about getting help

https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit

https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suits your needs for SECURITY, AVAILABILITY and LIABILITY:

https://netknights.it/en/leistungen/service-level-agreements/


You received this message because you are subscribed to the Google Groups “privacyidea” group.

To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.

To post to this group, send email to priva...@googlegroups.com.

Visit this group at https://groups.google.com/group/privacyidea.

To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/bfcaacaa-3167-473c-b360-17bf4b9e93b5%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
