Centos 7 Installation

tfc · June 19, 2019, 2:10pm

Hi,
I try to Install privacyidea to Centos 7 by exactly using https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
In freeradius3 test part I get an error

echo “User-Name=user, User-Password=password” | radclient -sx 127.0.0.1 auth testing123

result:

rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: 
rlm_perl: Default URL https://127.0.0.1/validate/check 
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea: 
rlm_perl: resolver sent to privacyidea: 
rlm_perl: client sent to privacyidea: 
rlm_perl: state sent to privacyidea: 
rlm_perl: urlparam pass  
rlm_perl: urlparam user  
rlm_perl: Request timeout: 10 
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 2.024525
rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
rlm_perl: privacyIDEA Result status is false!
rlm_perl: ERR904: The user can not be found in any resolver in this realm!
rlm_perl: privacyIDEA failed to handle the request
rlm_perl: return RLM_MODULE_NOTFOUND

rlm_perl.ini is:

[Default]
URL = https://127.0.0.1/validate/check
#REALM = someRealm
#RESCONF = someResolver
SSL_CHECK = false
#DEBUG = true

another is, why I cannot connect to web page. There is only one error in httpd log

[Wed Jun 19 17:03:35.513415 2019] [:error] [pid 6123] /opt/privacyIDEA/lib/python2.7/site-packages/sqlalchemy/sql/sqltypes.py:286: SAWarning: Unicode type received non-unicode bind param value ‘127.0.0.1’. (this warning may be suppressed after 10 occurrences)

In directive, there is no information about that i think.
Regards…

cornelinux · June 19, 2019, 3:29pm

You really need to be a bit more specific!

tfc · June 21, 2019, 12:15pm

My platform is Centos 7 and IP address: 10.40.1.250 Altough,do all diretives in that article when I type https://10.40.1.250 in browser I get only index page:
Selection_004

The I look at the httpd error logs there is no error. And ssl_access_log is:

[21/Jun/2019:14:53:41 +0300] "GET / HTTP/1.1" 200 481

I check several times the article that what i miss, but cant see any missing configuration.
Honestly, really dont know what kind of information you need to point.

cornelinux · June 22, 2019, 4:59pm

This looks like that wsgi is not active!
So check that the wsgi module is loaded in apache and
that the WSGI is configured.

github.com

privacyidea/privacyidea/blob/master/deploy/apache/sites-available/privacyidea.conf#L23




        # Yubico servers use /wsapi/2.0/verify as the path in the
        # validation URL. Some tools (e.g. Kolab 2fa) let the 
        # user/admin change the api host, but not the rest of
        # the URL. Uncomment the following two lines to reroute 
        # the api URL internally to privacyideas /ttype/yubikey.
        #RewriteEngine  on
        #RewriteRule    "^/wsapi/2.0/verify"  "/ttype/yubikey" [PT]


	# We can run several instances on different paths with different configurations
	WSGIScriptAlias /      /etc/privacyidea/privacyideaapp.wsgi
	#WSGIScriptAlias /instance1      /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
	#WSGIScriptAlias /instance2      /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
	#WSGIScriptAlias /instance3      /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
	#
	# The daemon is running as user 'privacyidea'
	# This user should have access to the encKey database encryption file
	WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
	WSGIProcessGroup privacyidea
	WSGIPassAuthorization On

https://privacyidea.readthedocs.io/en/latest/installation/system/wsgiscript.html

tfc · June 24, 2019, 7:59am

I think sites-enabled concept is belong to debian and its derivatives.
Those configs are stored /etc/httpd/privacyidea.conf file in Centos 7
my config is:

TraceEnable off
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

<VirtualHost _default_:80>
  ServerAdmin webmaster@localhost
  ServerName localhost
  RewriteEngine On
  RewriteCond %{HTTPS} !=On
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>
  ServerAdmin webmaster@localhost
  ServerName localhost
  DocumentRoot /var/www
  <Directory />
    Require all granted
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  # The daemon is running as user 'privacyidea'
  # This user should have access to the encKey database encryption file
  WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
  WSGIProcessGroup privacyidea
  WSGIPassAuthorization On
  WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
  SSLEngine On
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
  SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
  SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key
</VirtualHost>

cornelinux · June 25, 2019, 5:33am

Go and find out why your WSGI is not loading.
Check the log files and the error logs.
You need to be active yourself!

This config file looks good, there has to be another reason. I could only start guessing here.
Maybe you did not load mod_wsgi.
But I will stop guessing at this point!
I wish you success!

tfc · June 25, 2019, 2:44pm

Thnx Cornelinux.
I solve the problem that bec of different pathnames.
Now I can login the admin page.
Now I need an article to create sqlresolver to store my users.