ImportError: No module named privacyidea.app

Hello,

I have been working to get this PrivacyIDEA software installed on a CentOS
6.5 system, along with FreeRADIUS.

I have been mostly following the directions in these three documents (none
of them appears to be entirely accurate):

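CentOS install:
https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos
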
Python Install:
https://privacyidea.readthedocs.org/en/latest/installation/pip.html#python-package-index

PrivacyIdea Documentation Latest:
https://privacyidea.readthedocs.org/en/latest/

Between the various documents though, and a whole lot of trial and error, I
have gotten it mostly working I think. The actual installation files are
from using the “Python PIP Install” method, so are whichever version is
available that way. (I’m not a Python guy). Also I should mention that I
figured out that it doesn’t work with Python 2.6 and have installed Python
2.7. As soon as I did that, the install went very smoothly. You should
probably note that someplace in the documents and save people a whole lot
of time.

Anyway, I have come to the part where I’m hooking up FreeRADIUS and it
keeps bombing with the following message:

==> /var/log/httpd/error.log <==
[Thu Jan 07 23:27:48 2016] [error] [client 10.200.1.10] mod_wsgi
(pid=24859): Target WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as
Python module.
[Thu Jan 07 23:27:48 2016] [error] [client 10.200.1.10] mod_wsgi
(pid=24859): Exception occurred processing WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’.
[Thu Jan 07 23:27:48 2016] [error] Traceback (most recent call last):
[Thu Jan 07 23:27:48 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in <module>
[Thu Jan 07 23:27:48 2016] [error] from privacyidea.app import
create_app
[Thu Jan 07 23:27:48 2016] [error] ImportError: No module named
privacyidea.app

RADIUS itself seems to be working fine. I had it set up originally and
tested it with the test radius client and it all seemed to work fine. I now
have it configured to call the “privacyidea_radius.pm” module from
/etc/raddb/modules/perl. I had to correct the path as below:

perl {
#       module = /opt/privacyIDEA/privacyidea_radius.pm
        module = /opt/privacyIDEA/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm
}

When I try to authenticate using the test client now, I get the above error
message, apparently looking for something called “privacyidea.app”. There
is nothing on my system anywhere with that name, and I cannot find any good
reference to it online apart from a brief mention here and there with
respect to the “perl” file in the RADIUS modules directory.

Can you assist me? I am under the gun to get this worked out and I’m having
a heck of a time getting everything set up and working.

I have gotten the PrivacyIDEA web portion itself worked out. I have been
able to login as Admin, set up a Realm, connect it to our Active Directory
and whatnot, and all that seems to work. I also was able to login to the
PrivacyIDEA as a user and enroll myself a token. I got the FreeOTP Android
App for my smartphone from Google Play, and used the QR feature to set up
the token into the FreeOTP app. All of that went very smoothly and without
much problem.

But when I go to try to authenticate with it, I run into the problem above.

Thanks for any assistance you can provide!

John Whitten

Hello John,

thanks for the feedback regarding the installation instructions.
This is the official instruction
http://privacyidea.readthedocs.org/en/latest/installation/index.html
I will add a note, that it needs python 2.7.

Good news: If you are able to access the web ui, authenticating with
FreeRADIUS will also work in a moment.

I assume you are accessing the webui at an URL like

https://yourserver/

i.e. in the root directory?

Then the FreeRADIUS would have to call

https://yourserver/validate/check

I think the FreeRADIUS privacyIDEA plugin is just not completely
configured yet.
See
http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius

Have you created any /opt/privacyidea/rlm_perl.ini file yet?

I recommend creating a file
/etc/privacyidea/rlm_perl.ini
with the following content:

[Default]
URL = https://your.server/validate/check
SSL_CHECK = false
DEBUG = true

adapt the URL accordingly.
You should change SSL_CHECK to true, later. I.e. you need to get a
trusted certificate, if privacyIDEA is running on another server than
freeradius.

Starting with DEBUG=true gives you some good ideas about what's going on.

Please tell, if it was your rlm_perl.ini that was missing.

Kind regards
Cornelius

Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)
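
The rlm_perl.ini suggested above is a bring-up configuration: SSL_CHECK = false and DEBUG = true are meant to be temporary. As an added example (not part of the original posts and not privacyIDEA code), this Python script audits such a file. The severity labels, the rule that only the literal "true" enables a switch, case-insensitive keys, and the hardened sample's hostname are assumptions; the default URL is the one the plugin prints in the debug output quoted later in this thread.

```python
import configparser
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Default the plugin logged in this thread when it found no config file.
DEFAULT_URL = "https://127.0.0.1/validate/check"

# Constructed sample: the rlm_perl.ini contents quoted in the thread.
BRING_UP_INI = """\
[Default]
URL = https://myhost:5000/validate/check
REALM = myrealm
#RESCONF = someResolver
#SSL_CHECK = true
SSL_CHECK = false
DEBUG = true
"""

# Constructed sample: the same file after hardening (hostname is a placeholder).
HARDENED_INI = """\
[Default]
URL = https://privacyidea.example.org/validate/check
REALM = myrealm
SSL_CHECK = true
DEBUG = false
"""


def is_true(value):
    # Assumption: only the literal "true" (any case) switches an option on.
    # A missing key counts as off, which matches the thread's debug output:
    # with no config loaded the plugin logged "Not verifying SSL certificate!".
    return (value or "").strip().lower() == "true"


def audit_rlm_perl_ini(text):
    """Return a list of (section, key, severity, message) findings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.upper  # assumption: compare keys case-insensitively
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        opts = parser[section]
        url = (opts.get("URL") or DEFAULT_URL).strip()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        remote = host not in LOOPBACK_HOSTS

        if parts.scheme.lower() != "https":
            findings.append((section, "URL", "high",
                             "PIN and OTP travel to privacyIDEA without TLS"))

        if not is_true(opts.get("SSL_CHECK")):
            # Without certificate verification the RADIUS server cannot tell
            # the real privacyIDEA host from an impostor answering "accept".
            severity = "high" if remote else "medium"
            findings.append((section, "SSL_CHECK", severity,
                             "server certificate of %s is not verified" % host))

        if is_true(opts.get("DEBUG")):
            findings.append((section, "DEBUG", "low",
                             "bring-up logging still enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_rlm_perl_ini(BRING_UP_INI):
        print("%s/%s [%s] %s" % finding)
```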

Hi Cornelius,

Thanks for the quick reply.

Yes, you were correct that my “rlm_perl.ini” file was missing. But, sadly,
adding the file and adjusting the params did not resolve the issue. In
fact, the problem remains the same:

[root@myhost FreeRADIUS]# echo “User-Name=user, Password=pin123456” |
radclient -sx localhost auth ‘OURSECRET’
Sending Access-Request of id 127 to 127.0.0.1 port 1812
User-Name = “user”
Password = “pin123456”

==> /var/log/httpd/error.log <==
[Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859):
Target WSGI script ‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’
cannot be loaded as Python module.
[Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Exception
occurred processing WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’.
[Fri Jan 08 08:53:23 2016] [error] Traceback (most recent call last):
[Fri Jan 08 08:53:23 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in <module>
[Fri Jan 08 08:53:23 2016] [error] from privacyidea.app import
create_app
[Fri Jan 08 08:53:23 2016] [error] ImportError: No module named
privacyidea.app

==> /var/log/httpd/ssl_access.log <==
127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500 “POST /validate/check
HTTP/1.1” 599 “-” “libwww-perl/6.15”
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal Server
Error”

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

Here is what the “rlm_perl.ini” file now contains:

[Default]
URL = https://myhost:5000/validate/check
REALM = myrealm
#RESCONF = someResolver
#SSL_CHECK = true
SSL_CHECK = false
DEBUG = true

BTW, the result is the same with or without the port 5000 part. I tried
removing it and it is still bombing with the import error. It is apparently
looking for something called “privacyidea.app” and there is nothing with
that name on my system, or available on your site as far as I can tell. At
least not directly.

It feels to me like I am very close to getting this thing up and running!
So I am hopeful! ;)

John


Hello John,

  1. Check the configuration

The httpd error log says
Target WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded
as Python module

a) How does the
file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

b) How does your apache config look like?
I suspect that you have two different configurations, one that
works when accessing the UI and one that does not work and is accessed
when issuing the authentication request.

  2. Check the API without the FreeRADIUS

Please execute
https://yourhost/validate/check?user=....&pass=

in your browser and take a look at the result.

Of course you must not use the port 5000 unless you are running the
Apache SSL on 5000.

  3. Check the log file

The FreeRADIUS reply message says:

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal Server
Error”

So please check the privacyIDEA log.

  4. Debug

You enabled DEBUG=true in your rlm_perl.ini.
So you should get more privacyIDEA specific output when running

freeradius -X

You did not post this. Can you do so?

Kind regards
Cornelius

Hello John,

the “privacyidea.app” in fact indicates that there is something wrong
with your python setup. In certain cases the WSGI process does not find
the complete python environment.

Which howto did you use to install?
→ This is the change to improve the documentation :)

We do not need to take a look at FreeRADIUS now, since your privacyIDEA
installation seems messed up.

Kind regards
Cornelius

On Monday, 11.01.2016, 07:58 -0800, John Whitten wrote:

Hello Cornelius,

  1. How does the
    file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

[root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
import sys
sys.stdout = sys.stderr
from privacyidea.app import create_app
# Now we can select the config file:
application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")

  2. When I run it via Apache I get a “500 Server Error” and the error
    log contains the message about the “privacyidea.app” issue:

==> /var/log/httpd/error.log <==
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi
(pid=24859): Target WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’ cannot be
loaded as Python module.
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi
(pid=24859): Exception occurred processing WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’.
[Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
[Sun Jan 10 01:25:29 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in <module>
[Sun Jan 10 01:25:29 2016] [error] from privacyidea.app import
create_app
[Sun Jan 10 01:25:29 2016] [error] ImportError: No module named
privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to
operate on port 5000), it logs me in and I get a “token/list” url and
a page which should be showing me tokens, but for some reason it does
not show any listed. There should be two tokens registered for the
username I’m using. Here is the command line I’m using:

pi-manage runserver -h MyHost -p 5000 -d -r

  3. This is what I get from the privacyidea.log:

[2016-01-11 10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235] Can not get param: No JSON object could be decoded

  4. Post output of Freeradius -X

Request:

[root@MyHost FreeRADIUS]# echo “User-Name=SomeUser@SomeRealm,
Password=SomePassword” | radclient -sx localhost auth ‘OurSecret’
Sending Access-Request of id 89 to 127.0.0.1 port 1812
User-Name = “SomeUser@SomeRealm”
Password = “SomePassword”
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89,
length=55
User-Name = “SomeUser@SomeRealm”
User-Password = “SomePassword”

# Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm “SomeRealm” for User-Name =
“SomeUser@SomeRealm”
[suffix] No such realm “SomeRealm”
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 183
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No “known good” password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl

# Executing group from file /etc/raddb/sites-enabled/privacyidea

+group authenticate {
rlm_perl: Config File not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type perl
rlm_perl: Warning:
rlm_perl: Auth-Type: perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 Internal Server Error
rlm_perl: return RLM_MODULE_FAIL
rlm_perl: Added pair User-Name = SomeUser@SomeRealm
rlm_perl: Added pair User-Password = SomePassword
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500
Internal Server Error
rlm_perl: Added pair Auth-Type = perl
++[perl] = fail
+} # group authenticate = fail
Failed to authenticate the user.
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 89 to 127.0.0.1 port 54525
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”
Waking up in 4.9 seconds.
Cleaning up request 15 ID 89 with timestamp +409247
Ready to process requests.

You didn’t ask, but here is my Apache config:

[root@MyHost conf.d]# cat privacyidea.conf

TraceEnable on
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

#############################################
# Redirect All Port 80 Accesses to Port 443
#############################################
#
ServerAdmin webmaster@localhost
ServerName localhost
RewriteEngine On
RewriteCond %{HTTPS} !=On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#

#############################################
# Handle Port 443 Accesses
#############################################
#
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName localhost
    DocumentRoot /var/www

    <Directory />
        Require all granted
        Allow from all
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    ## Logging
    ErrorLog /var/log/httpd/error.log
    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    #LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
    CustomLog /var/log/httpd/ssl_access.log privacyIDEA

    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest
problem always seems to come back to this one item:

[Sat Jan 09 01:25:22 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Sat Jan 09 01:25:22 2016] [error] from privacyidea.app import create_app
[Sat Jan 09 01:25:22 2016] [error] ImportError: No module named privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:
Hello John,

    1. Check the configuration 
    
    The httpd error log says 
    Target WSGI script 
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot
    be loaded 
    as Python module 
    
    a) How does the 
    file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look
    like? 
    
    b) How does your apache config look like? 
    I suspect that you have two different configurations, one that
    works when accessing the UI and one that does not work and is accessed
    when issuing the authentication request.
    
    2. Check the API without the FreeRADIUS 
    
    Please execute 
    https://yourhost/validate/check?user=....&pass=... 
    
    in your browser and take a look at the result. 
    
    Of course you must not use the port 5000 unless you are running the
    Apache SSL on 5000.
    
    3. Check the log file 
    
    The FreeRADIUS reply message says: 
    
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812,
    id=127, 
    length=75 
            Reply-Message = "privacyIDEA request failed: 500
    Internal Server 
    Error" 
    
    So please check the privacyIDEA log. 
    
    4. Debug 
    
    You enabled DEBUG=true in your rlm_perl.ini.
    So you should get more privacyIDEA specific output when
    running 
    
     freeradius -X 
    
    You did not post this. Can you do so? 
    
    Kind regards 
    Cornelius 
    
    
    
    
    Am Freitag, den 08.01.2016, 06:02 -0800 schrieb John Whitten: 
    > Hi Cornelius, 
    > 
    > 
    > Thanks for the quick reply. 
    > 
    > 
    > Yes, you were correct that my "rlm_perl.ini" file was
    missing. But, 
    > sadly, adding the file and adjusting the params did not
    resolve the 
    > issue. In fact, the problem remains the same: 
    > 
    > 
    > [root@myhost FreeRADIUS]# echo "User-Name=user,
    Password=pin123456" | 
    > radclient -sx localhost auth 'OURSECRET' 
    > Sending Access-Request of id 127 to 127.0.0.1 port 1812 
    >         User-Name = "user" 
    >         Password = "pin123456" 
    > 
    > 
    > ==> /var/log/httpd/error.log <== 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1]
    mod_wsgi 
    > (pid=24859): Target WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'
    cannot be 
    > loaded as Python module. 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1]
    mod_wsgi 
    > (pid=24859): Exception occurred processing WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    > [Fri Jan 08 08:53:23 2016] [error] Traceback (most recent
    call last): 
    > [Fri Jan 08 08:53:23 2016] [error]   File 
    > "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line
    3, in 
    > <module> 
    > [Fri Jan 08 08:53:23 2016] [error]     from privacyidea.app
    import 
    > create_app 
    > [Fri Jan 08 08:53:23 2016] [error] ImportError: No module
    named 
    > privacyidea.app 
    > 
    > 
    > ==> /var/log/httpd/ssl_access.log <== 
    > 127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500
    "POST /validate/check 
    > HTTP/1.1"  599 "-" "libwww-perl/6.15" 
    > rad_recv: Access-Reject packet from host 127.0.0.1 port
    1812, id=127, 
    > length=75 
    >         Reply-Message = "privacyIDEA request failed: 500
    Internal 
    > Server Error" 
    > 
    > 
    >            Total approved auths:  0 
    >              Total denied auths:  1 
    >                Total lost auths:  0 
    > --- 
    > 
    > 
    > 
    > Here is what the "rlm_perl.ini" file now contains: 
    > 
    > 
    > [Default] 
    > URL = https://myhost:5000/validate/check 
    > REALM = myrealm 
    > #RESCONF = someResolver 
    > #SSL_CHECK = true 
    > SSL_CHECK = false 
    > DEBUG = true 
    > --- 
    > 
    > 
    > BTW, the result is the same with or without the port 5000
    part. I 
    > tried removing it and it is still bombing with the import
    error. It is 
    > apparently looking for something called "privacyidea.app"
    and there is 
    > nothing with that name on my system, or available on your
    site as far 
    > as I can tell. At least not directly. 
    > 
    > 
    > It feels to me like I am very close to getting this thing up
    and 
    > running! So I am hopeful! ;-) 
    > 
    > 
    > John 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius Kölbel  wrote: 
    >         Hello John, 
    >         
    >         thanks for the feedback regarding the installation 
    >         instructions. 
    >         This is the official instruction 
    >
    http://privacyidea.readthedocs.org/en/latest/installation/index.html 
    >         I will add a note, that it needs python 2.7. 
    >         
    >         Good news: If you are able to access the web ui, 
    >         authenticating with 
    >         FreeRADIUS will also work in a moment. 
    >         
    >         I assume you are accessing the webui at an URL like 
    >         
    >         https://yourserver/ 
    >         
    >         i.e. in the root directory? 
    >         
    >         Then the FreeRADIUS would have to call 
    >         
    >         https://yourserver/validate/check 
    >         
    >         I think the FreeRADIUS privacyIDEA plugin is just
    not 
    >         completely 
    >         configured yet. 
    >         See 
    >
    http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius 
    >         
    >         Have you created any /opt/privacyidea/rlm_perl.ini
    file yet? 
    >         
    >         I recommend creating a file 
    >         /etc/privacyidea/rlm_perl.ini 
    >         with the following content: 
    >         
    >         [Default] 
    >         URL = https://your.server/validate/check 
    >         SSL_CHECK = false 
    >         DEBUG = true 
    >         
    >         adapt the URL accordingly. 
    >         You should change SSL_CHECK to true, later. I.e. you
    need to 
    >         get a 
    >         trusted certificate, if privacyIDEA is running on
    another 
    >         server than 
    >         freeradius. 
    >         
    >         Starting with DEBUG=true gives you some good ideas
    about whats 
    >         going on. 
    >         
    >         Please tell, if it was your rlm_perl.ini that was
    missing. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         Am Donnerstag, den 07.01.2016, 22:24 -0800 schrieb
    John 
    >         Whitten: 
    >         > 
    >         > Hello, 
    >         > 
    >         > 
    >         > I have been working to get this PrivacyIDEA
    software 
    >         installed on a 
    >         > CentOS 6.5 system, along with FreeRADIUS. 
    >         > 
    >         > 
    >         > I have been mostly following the directions in
    these three 
    >         documents 
    >         > (none of them appears to be entirely accurate): 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > CentOS install: 
    >         > 
    >
    https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos 
    >         > 
    >         > 
    >         > 
    >         > Python Install: 
    >         > 
    >
    https://privacyidea.readthedocs.org/en/latest/installation/pip.html#python-package-index 
    >         > 
    >         > 
    >         > 
    >         > PrivacyIdea Documentation Latest: 
    >         > https://privacyidea.readthedocs.org/en/latest/ 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > Between the various documents though, and a whole
    lot of 
    >         trial and 
    >         > error, I have gotten it mostly working I think.
    The actual 
    >         > installation files are from using the "Python PIP
    Install" 
    >         method, so 
    >         > are whichever version are available that way. (I'm
    not a 
    >         Python guy). 
    >         >  Also I should mention that I figured out that it
    doesn't 
    >         work with 
    >         > Python 2.6 and have installed Python 2.7. As soon
    as I did 
    >         that, the 
    >         > install went very smoothly. You should probably
    note that 
    >         someplace in 
    >         > the documents and save people a whole lot of
    time. 
    >         > 
    >         > 
    >         > Anyway, I have come to the part where I'm hooking
    up 
    >         FreeRADIUS and it 
    >         > keeps bombing with the following message: 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > ==> /var/log/httpd/error.log <== 
    >         > [Thu Jan 07 23:27:48 2016] [error] [client
    10.200.1.10] 
    >         mod_wsgi 
    >         > (pid=24859): Target WSGI script 
    >         >
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' 
    >         cannot be 
    >         > loaded as Python module. 
    >         > [Thu Jan 07 23:27:48 2016] [error] [client
    10.200.1.10] 
    >         mod_wsgi 
    >         > (pid=24859): Exception occurred processing WSGI
    script 
    >         >
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    >         > [Thu Jan 07 23:27:48 2016] [error] Traceback (most
    recent 
    >         call last): 
    >         > [Thu Jan 07 23:27:48 2016] [error]   File 
    >         >
    "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 
    >         3, in 
    >         > <module> 
    >         > [Thu Jan 07 23:27:48 2016] [error]     from
    privacyidea.app 
    >         import 
    >         > create_app 
    >         > [Thu Jan 07 23:27:48 2016] [error] ImportError: No
    module 
    >         named 
    >         > privacyidea.app 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > RADIUS itself seems to be working fine. I had it
    set up 
    >         originally and 
    >         > tested it with the test radius client and it all
    seemed to 
    >         work fine. 
    >         > I now have it configured to call the
    "privacyidea_radius.pm" 
    >         module 
    >         > from /etc/raddb/modules/perl. I had to correct the
    path as 
    >         below: 
    >         > 
    >         > 
    >         > perl { 
    >         > #       module
    = /opt/privacyIDEA/privacyidea_radius.pm 
    >         >         module 
    >         > 
    >
    = /opt/privacyIDEA/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm 
    >         >         } 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > When I try to authenticate using the test client
    now, I get 
    >         the above 
    >         > error message, apparently looking for something
    called 
    >         > "privacyidea.app". There is nothing on my system
    anywhere 
    >         with that 
    >         > name, and I cannot find any good reference to it
    online 
    >         apart from a 
    >         > brief mention here and there with respect to the
    "perl" file 
    >         in the 
    >         > RADIUS modules directory. 
    >         > 
    >         > 
    >         > Can you assist me? I am under the gun to get this
    worked out 
    >         and I'm 
    >         > having a heck of a time getting everything set up
    and 
    >         working. 
    >         > 
    >         > 
    >         > 
    >         > I have gotten the PrivacyIDEA web portion itself
    worked out. 
    >         I have 
    >         > been able to login as Admin, set up a Realm,
    connect it to 
    >         our Active 
    >         > Directory and whatnot, and all that seems to work.
    I also 
    >         was able to 
    >         > login to the PrivacyIDEA as a user and enroll
    myself a 
    >         token. I got 
    >         > the FreeOTP Android App for my smartphone from
    Google Play, 
    >         and used 
    >         > the QR feature to set up the token into the
    FreeOTP app. All 
    >         of that 
    >         > went very smoothly and without much problem. 
    >         > 
    >         > 
    >         > But when I go to try to authenticate with it, I
    run into the 
    >         problem 
    >         > above. 
    >         > 
    >         > 
    >         > Thanks for any assistance you can provide! 
    >         > 
    >         > 
    >         > John Whitten 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 




Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
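
The Apache config quoted above carries the comment "Do not use %q!" while its active LogFormat ends in %q, and the thread tests /validate/check with user and pass as URL parameters. The following is an added example (not part of any post and not privacyIDEA code) that audits which active CustomLog targets record the query string; LOG_CONF is a constructed excerpt of that config and the function names are this sketch's own.

```python
import re

# Constructed sample: the logging directives from the Apache config quoted in
# the thread (commented-out LogFormat first, active one second).
LOG_CONF = r'''
#LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
CustomLog /var/log/httpd/ssl_access.log privacyIDEA
'''

# mod_log_config directives that write the query string: %q (the query string
# itself) and %r (first line of the request, which includes it).
QUERY_DIRECTIVES = {"q", "r"}

_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
# Optional status-code condition, optional < or >, optional {argument}, letter.
_FMT = re.compile(r'%(?:!?\d+(?:,\d+)*)?[<>]?(?:\{[^}]*\})?([A-Za-z])')


def split_args(line):
    """Split a directive line into arguments, honouring quoted strings."""
    args = []
    for quoted, bare in _ARG.findall(line):
        # Inside quotes, a backslash escapes the next character.
        args.append(bare if bare else re.sub(r'\\(.)', r'\1', quoted))
    return args


def active_directives(conf_text):
    """Yield (lower-cased name, args) for every uncommented directive line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = split_args(line)
            yield parts[0].lower(), parts[1:]


def exposed(fmt):
    """Return the query-exposing directives used in a log format string."""
    fmt = fmt.replace("%%", "")  # %% is a literal percent sign
    return sorted({"%" + d for d in _FMT.findall(fmt) if d in QUERY_DIRECTIVES})


def audit(conf_text):
    """List (logfile, format name, exposing directives) per risky CustomLog."""
    directives = list(active_directives(conf_text))
    nicknames = {}
    for name, args in directives:
        if name == "logformat" and len(args) == 2:
            nicknames[args[1]] = args[0]
    findings = []
    for name, args in directives:
        if name == "customlog" and len(args) >= 2:
            # Second argument is either a LogFormat nickname or an inline format.
            fmt = nicknames.get(args[1], args[1])
            hits = exposed(fmt)
            if hits:
                findings.append((args[0], args[1], hits))
    return findings


if __name__ == "__main__":
    for logfile, fmt_name, hits in audit(LOG_CONF):
        print("%s (format %s) records the query string via %s"
              % (logfile, fmt_name, ", ".join(hits)))
```
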

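
The ImportError discussed in this thread is raised when the Python embedded in mod_wsgi cannot resolve privacyidea.app on its search path, which the quoted Apache config sets through WSGIPythonHome and the python-path option of WSGIDaemonProcess. The following is an added example (not part of any post and not privacyIDEA code) that resolves a dotted module name against those directories on a constructed directory tree. The function names and the embedded_version input (the Python version mod_wsgi was compiled against) are assumptions of this sketch, and .pth files are not followed.

```python
import os
import re

# Constructed sample: the WSGI directives from the quoted Apache config that
# decide where Python looks for modules. "{root}" lets the sketch point them
# at a scratch directory instead of the real /opt and /etc.
SAMPLE_CONF = """\
WSGIPythonHome {root}/opt/privacyIDEA
# WSGIDaemonProcess old python-path={root}/unused
WSGIDaemonProcess privacyidea python-path={root}/etc/privacyidea:{root}/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 user=privacyidea
"""


def directive_args(conf_text, name):
    """Yield the argument string of every uncommented `name` directive."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith(name.lower() + " "):
            yield line[len(name):].strip()


def search_dirs(conf_text):
    """Directories added by python-path= on WSGIDaemonProcess, in order."""
    dirs = []
    for args in directive_args(conf_text, "WSGIDaemonProcess"):
        m = re.search(r"(?:^|\s)python-path=(\S+)", args)
        if m:
            dirs.extend(p for p in m.group(1).split(":") if p)
    return dirs


def home_has_version(conf_text, embedded_version):
    """True if WSGIPythonHome contains lib/python<embedded_version>.

    Returns None when the config sets no WSGIPythonHome.
    """
    homes = list(directive_args(conf_text, "WSGIPythonHome"))
    if not homes:
        return None
    lib = os.path.join(homes[-1], "lib", "python" + embedded_version)
    return os.path.isdir(lib)


def locate(module, dirs):
    """Resolve a dotted name as Python 2 does for regular packages.

    The first directory holding the top-level name wins, even when a later
    directory holds a more complete copy. Returns (status, path).
    """
    parts = module.split(".")
    for d in dirs:
        top = os.path.join(d, parts[0])
        if os.path.isfile(os.path.join(top, "__init__.py")):
            cur = top
            for sub in parts[1:]:
                nxt = os.path.join(cur, sub)
                if os.path.isfile(nxt + ".py"):
                    cur = nxt + ".py"
                elif os.path.isfile(os.path.join(nxt, "__init__.py")):
                    cur = nxt
                else:
                    return "incomplete", top  # package found, submodule absent
            return "found", cur
        if os.path.isfile(top + ".py"):
            # A plain module has no submodules and hides later packages.
            return ("found" if len(parts) == 1 else "shadowed"), top + ".py"
    return "missing", None


def diagnose(conf_text, module, embedded_version):
    """Combine both checks into one report."""
    status, path = locate(module, search_dirs(conf_text))
    return {"status": status, "path": path,
            "home_ok": home_has_version(conf_text, embedded_version)}


def build_tree(root, shadow=False):
    """Create a constructed layout mirroring the paths named in the thread."""
    site = os.path.join(root, "opt/privacyIDEA/lib/python2.7/site-packages")
    pkg = os.path.join(site, "privacyidea")
    etc = os.path.join(root, "etc/privacyidea")
    os.makedirs(pkg)
    os.makedirs(etc)
    for name in ("__init__.py", "app.py"):
        open(os.path.join(pkg, name), "w").close()
    if shadow:
        # A stray privacyidea.py earlier on the path hides the real package.
        open(os.path.join(etc, "privacyidea.py"), "w").close()


if __name__ == "__main__":
    import tempfile
    for shadow in (False, True):
        with tempfile.TemporaryDirectory() as root:
            build_tree(root, shadow)
            conf = SAMPLE_CONF.format(root=root)
            print(shadow, diagnose(conf, "privacyidea.app", "2.6"))
```
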

Hello Cornelius,

  1. How does the file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    look like?

[root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
import sys
sys.stdout = sys.stderr
from privacyidea.app import create_app
# Now we can select the config file:
application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")

  2. When I run it via Apache I get a “500 Server Error” and the error log
    contains the message about the “privacyidea.app” issue:

==> /var/log/httpd/error.log <==
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
[Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
[Sun Jan 10 01:25:29 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Sun Jan 10 01:25:29 2016] [error] from privacyidea.app import create_app
[Sun Jan 10 01:25:29 2016] [error] ImportError: No module named privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to operate
on port 5000), it logs me in and I get a “token/list” url and a page which
should be showing me tokens, but for some reason it does not show any
listed. There should be two tokens registered for the username I’m using.
Here is the command line I’m using:

pi-manage runserver -h MyHost -p 5000 -d -r

  3. This is what I get from the privacyidea.log:

[2016-01-11 10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235] Can not get param: No JSON object could be decoded

  4. Post output of Freeradius -X

Request:

[root@MyHost FreeRADIUS]# echo "User-Name=SomeUser@SomeRealm, Password=SomePassword" | radclient -sx localhost auth 'OurSecret'
Sending Access-Request of id 89 to 127.0.0.1 port 1812
        User-Name = "SomeUser@SomeRealm"
        Password = "SomePassword"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89, length=75
        Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89, length=55
        User-Name = "SomeUser@SomeRealm"
        User-Password = "SomePassword"
# Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "SomeRealm" for User-Name = "SomeUser@SomeRealm"
[suffix] No such realm "SomeRealm"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 183
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl
# Executing group from file /etc/raddb/sites-enabled/privacyidea
+group authenticate {
rlm_perl: Config File not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type perl
rlm_perl: Warning:
rlm_perl: Auth-Type: perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 Internal Server Error
rlm_perl: return RLM_MODULE_FAIL
rlm_perl: Added pair User-Name = SomeUser@SomeRealm
rlm_perl: Added pair User-Password = SomePassword
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500 Internal Server Error
rlm_perl: Added pair Auth-Type = perl
++[perl] = fail
+} # group authenticate = fail
Failed to authenticate the user.
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 89 to 127.0.0.1 port 54525
        Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
Waking up in 4.9 seconds.
Cleaning up request 15 ID 89 with timestamp +409247
Ready to process requests.

You didn’t ask, but here is my Apache config:

[root@MyHost conf.d]# cat privacyidea.conf

TraceEnable on
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

#############################################
# Redirect All Port 80 Accesses to Port 443
#############################################
#
ServerAdmin webmaster@localhost
ServerName localhost
RewriteEngine On
RewriteCond %{HTTPS} !=On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#

#############################################
# Handle Port 443 Accesses
#############################################
#
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName localhost
    DocumentRoot /var/www

    <Directory />
        Require all granted
        Allow from all
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    ## Logging
    ErrorLog /var/log/httpd/error.log
    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    #LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
    CustomLog /var/log/httpd/ssl_access.log privacyIDEA

    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest
problem always seems to come back to this one item:

[Sat Jan 09 01:25:22 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Sat Jan 09 01:25:22 2016] [error] from privacyidea.app import create_app
[Sat Jan 09 01:25:22 2016] [error] ImportError: No module named privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:

Hello John,

  1. Check the configuration

The httpd error log says
Target WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded
as Python module

a) How does the
file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

b) How does your apache config look like?
I suspect that you have two different configurations, one that
works when accessing the UI and one that does not work and is accessed
when issuing the authentication request.

  2. Check the API without the FreeRADIUS

Please execute
https://yourhost/validate/check?user=....&pass=

in your browser and take a look at the result.

Of course you must not use the port 5000 unless you are running the
Apache SSL on 5000.

  3. Check the log file

The FreeRADIUS reply message says:

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal Server
Error”

So please check the privacyIDEA log.

  4. Debug

You enabled DEBUG=true in your rlm_perl.ini.
So you should get more privacyIDEA specific output when running

freeradius -X

You did not post this. Can you do so?

Kind regards
Cornelius

Am Freitag, den 08.01.2016, 06:02 -0800 schrieb John Whitten:

Hi Cornelius,

Thanks for the quick reply.

Yes, you were correct that my “rlm_perl.ini” file was missing. But,
sadly, adding the file and adjusting the params did not resolve the
issue. In fact, the problem remains the same:

[root@myhost FreeRADIUS]# echo "User-Name=user, Password=pin123456" | radclient -sx localhost auth 'OURSECRET'
Sending Access-Request of id 127 to 127.0.0.1 port 1812
        User-Name = "user"
        Password = "pin123456"

==> /var/log/httpd/error.log <==
[Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
[Fri Jan 08 08:53:23 2016] [error] Traceback (most recent call last):
[Fri Jan 08 08:53:23 2016] [error] File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Fri Jan 08 08:53:23 2016] [error] from privacyidea.app import create_app
[Fri Jan 08 08:53:23 2016] [error] ImportError: No module named privacyidea.app

==> /var/log/httpd/ssl_access.log <==
127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500 “POST /validate/check
HTTP/1.1” 599 “-” “libwww-perl/6.15”
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”

       Total approved auths:  0 
         Total denied auths:  1 
           Total lost auths:  0 

Here is what the “rlm_perl.ini” file now contains:

[Default]
URL = https://myhost:5000/validate/check
REALM = myrealm
#RESCONF = someResolver
#SSL_CHECK = true
SSL_CHECK = false
DEBUG = true

BTW, the result is the same with or without the port 5000 part. I
tried removing it and it is still bombing with the import error. It is
apparently looking for something called “privacyidea.app” and there is
nothing with that name on my system, or available on your site as far
as I can tell. At least not directly.

It feels to me like I am very close to getting this thing up and
running! So I am hopeful! ;-)

John

On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius Kölbel wrote:
Hello John,

    thanks for the feedback regarding the installation 
    instructions. 
    This is the official instruction 

    http://privacyidea.readthedocs.org/en/latest/installation/index.html

    I will add a note, that it needs python 2.7. 
    
    Good news: If you are able to access the web ui, 
    authenticating with 
    FreeRADIUS will also work in a moment. 
    
    I assume you are accessing the webui at an URL like 
    
    https://yourserver/ 
    
    i.e. in the root directory? 
    
    Then the FreeRADIUS would have to call 
    
    https://yourserver/validate/check 
    
    I think the FreeRADIUS privacyIDEA plugin is just not 
    completely 
    configured yet. 
    See 

http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius

    Have you created any /opt/privacyidea/rlm_perl.ini file yet? 
    
    I recommend creating a file 
    /etc/privacyidea/rlm_perl.ini 
    with the following content: 
    
    [Default] 
    URL = https://your.server/validate/check 
    SSL_CHECK = false 
    DEBUG = true 
    
    adapt the URL accordingly. 
    You should change SSL_CHECK to true, later. I.e. you need to 
    get a 
    trusted certificate, if privacyIDEA is running on another 
    server than 
    freeradius. 
    
    Starting with DEBUG=true gives you some good ideas about what's
    going on.
    
    Please tell, if it was your rlm_perl.ini that was missing. 
    
    Kind regards 
    Cornelius 
    
    Am Donnerstag, den 07.01.2016, 22:24 -0800 schrieb John 
    Whitten: 
    > 
    > Hello, 
    > 
    > 
    > I have been working to get this PrivacyIDEA software 
    installed on a 
    > CentOS 6.5 system, along with FreeRADIUS. 
    > 
    > 
    > I have been mostly following the directions in these three 
    documents 
    > (none of them appears to be entirely accurate): 
    > 
    > 
    > 
    > 
    > CentOS install: 
    > 

    > https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos

    > 
    > 
    > 
    > Python Install: 
    > 

    > https://privacyidea.readthedocs.org/en/latest/installation/pip.html#python-package-index

    > 
    > 
    > 
    > PrivacyIdea Documentation Latest: 
    > https://privacyidea.readthedocs.org/en/latest/ 
    > 
    > 
    > 
    > 
    > 
    > Between the various documents though, and a whole lot of 
    trial and 
    > error, I have gotten it mostly working I think. The actual 
    > installation files are from using the "Python PIP Install" 
    method, so 
    > are whichever version are available that way. (I'm not a 
    Python guy). 
    >  Also I should mention that I figured out that it doesn't 
    work with 
    > Python 2.6 and have installed Python 2.7. As soon as I did 
    that, the 
    > install went very smoothly. You should probably note that 
    someplace in 
    > the documents and save people a whole lot of time. 
    > 
    > 
    > Anyway, I have come to the part where I'm hooking up 
    FreeRADIUS and it 
    > keeps bombing with the following message: 
    > 
    > 
    > 
    > 
    > 
    > ==> /var/log/httpd/error.log <== 
    > [Thu Jan 07 23:27:48 2016] [error] [client 10.200.1.10] 
    mod_wsgi 
    > (pid=24859): Target WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' 
    cannot be 
    > loaded as Python module. 
    > [Thu Jan 07 23:27:48 2016] [error] [client 10.200.1.10] 
    mod_wsgi 
    > (pid=24859): Exception occurred processing WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    > [Thu Jan 07 23:27:48 2016] [error] Traceback (most recent 
    call last): 
    > [Thu Jan 07 23:27:48 2016] [error]   File 
    > "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 
    3, in 
    > <module> 
    > [Thu Jan 07 23:27:48 2016] [error]     from privacyidea.app 
    import 
    > create_app 
    > [Thu Jan 07 23:27:48 2016] [error] ImportError: No module 
    named 
    > privacyidea.app 
    > 
    > 
    > 
    > 
    > RADIUS itself seems to be working fine. I had it set up 
    originally and 
    > tested it with the test radius client and it all seemed to 
    work fine. 
    > I now have it configured to call the "privacyidea_radius.pm" 
    module 
    > from /etc/raddb/modules/perl. I had to correct the path as 
    below: 
    > 
    > 
    > perl { 
    > #       module = /opt/privacyIDEA/privacyidea_radius.pm 
    >         module 
    > 
    = /opt/privacyIDEA/lib/privacyidea/authmodules/FreeRADIUS/

privacyidea_radius.pm

    >         } 
    > 
    > 
    > 
    > 
    > When I try to authenticate using the test client now, I get 
    the above 
    > error message, apparently looking for something called 
    > "privacyidea.app". There is nothing on my system anywhere 
    with that 
    > name, and I cannot find any good reference to it online 
    apart from a 
    > brief mention here and there with respect to the "perl" file 
    in the 
    > RADIUS modules directory. 
    > 
    > 
    > Can you assist me? I am under the gun to get this worked out 
    and I'm 
    > having a heck of a time getting everything set up and 
    working. 
    > 
    > 
    > 
    > I have gotten the PrivacyIDEA web portion itself worked out. 
    I have 
    > been able to login as Admin, set up a Realm, connect it to 
    our Active 
    > Directory and whatnot, and all that seems to work. I also 
    was able to 
    > login to the PrivacyIDEA as a user and enroll myself a 
    token. I got 
    > the FreeOTP Android App for my smartphone from Google Play, 
    and used 
    > the QR feature to set up the token into the FreeOTP app. All 
    of that 
    > went very smoothly and without much problem. 
    > 
    > 
    > But when I go to try to authenticate with it, I run into the 
    problem 
    > above. 
    > 
    > 
    > Thanks for any assistance you can provide! 
    > 
    > 
    > John Whitten 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Managing Director: Cornelius Kölbel
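
The rlm_perl.ini recommended in the message above starts with SSL_CHECK = false and DEBUG = true as setup aids. As an added example (not part of the original post or of the privacyIDEA plugin), the following check reports when those setup values are still in place; it assumes that only the literal value true enables a switch and that a missing SSL_CHECK means no certificate verification, and the function and sample names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples that use only the keys shown in this thread.
SETUP_INI = """\
[Default]
URL = https://your.server/validate/check
SSL_CHECK = false
DEBUG = true
"""

HARDENED_INI = """\
[Default]
URL = https://your.server/validate/check
SSL_CHECK = true
DEBUG = false
"""


def _is_true(value):
    # Assumption: only the literal "true" (any case), as written in the thread,
    # switches an option on. A missing key counts as "not true".
    return value is not None and value.strip().lower() == "true"


def _audit_url(section, url, findings):
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        findings.append((section, "URL",
                         "not https: user name and OTP would cross the network in clear text"))
    try:
        port = parts.port
    except ValueError:
        findings.append((section, "URL", "port is not a valid number"))
        port = None
    if port == 5000:
        # In this thread port 5000 is where "pi-manage runserver" was listening.
        findings.append((section, "URL",
                         "port 5000 is the pi-manage runserver port used in this thread; "
                         "point at the Apache TLS virtual host instead"))
    if parts.path.rstrip("/") != "/validate/check":
        findings.append((section, "URL", "path is not /validate/check"))


def audit_rlm_perl_ini(text):
    """Return (section, key, finding) tuples for values that should not stay in production."""
    # A non-default default_section makes a section spelled [DEFAULT] behave like any other.
    parser = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    parser.optionxform = str  # keep the key spelling from the file
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        opts = {key.upper(): value for key, value in parser.items(section)}
        if "URL" in opts:
            _audit_url(section, opts["URL"], findings)
        else:
            findings.append((section, "URL", "not set"))
        if not _is_true(opts.get("SSL_CHECK")):
            findings.append((section, "SSL_CHECK",
                             "server certificate is not verified; install a trusted "
                             "certificate and set SSL_CHECK = true"))
        if _is_true(opts.get("DEBUG")):
            findings.append((section, "DEBUG", "debug output is still enabled after setup"))
    return findings


if __name__ == "__main__":
    for name, text in (("setup", SETUP_INI), ("hardened", HARDENED_INI)):
        print(name)
        for section, key, finding in audit_rlm_perl_ini(text) or [("-", "-", "no findings")]:
            print("  [%s] %s: %s" % (section, key, finding))
```
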



This was missing:

chown -R privacyidea /var/log/privacyidea/

vi /etc/apache2/mods-enabled/wsgi.conf
Add “WSGIPythonHome /opt/privacyidea/bin/python2.7” at the end

Thanks Cornelius!

On Wednesday, 6 July 2016 15:04:04 UTC+2, Cornelius Kölbel wrote:

Alternatively take a look here

https://github.com/NetKnights-GmbH/privacyidea-ucs/tree/master/deploy/apache/sites-available

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
http://NetKnights.it
+49 561 3166 797

-------- Original message --------
From: Michael Muenz <m.m...@gmail.com>
Date: 06.07.16 14:35 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Cc: m.m...@gmail.com
Subject: Re: [privacyidea] Re: ImportError: No module named privacyidea.app

virtualenv.
I followed the steps in your guide, mixed with an old one from howtoforge.
I documented all the steps since I want to write a Debian 8 howto:

  • aptitude install libjpeg-dev zlib1g-dev python-dev
    libffi-dev libssl-dev libxslt1-dev virtualenv gcc
    mysql-server freeradius libconfig-inifiles-perl
    libdata-dump-perl libtry-tiny-perl libconfig-json-perl
    libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
  • virtualenv /opt/privacyidea
  • cd /opt/privacyidea
  • source bin/activate
  • pip install privacyidea
  • pip install MySQL-python
  • pip install click
  • mysql -u root -p
    create database pi;
    grant all privileges on pi.* to "pi"@"localhost" identified by "XXX";
    flush privileges;
    quit;
  • mkdir /etc/privacyidea
  • useradd -r privacyidea
  • cp etc/privacyidea/* /etc/privacyidea/
  • vi /etc/privacyidea/pi.cfg
    import logging
    # The realm, where users are allowed to login as administrators
    SUPERUSER_REALM = ['super']
    # Your database
    #SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
    # This is used to encrypt the auth_token
    #SECRET_KEY = 't0p s3cr3t'
    # This is used to encrypt the admin passwords
    #PI_PEPPER = "Never know..."
    # This is used to encrypt the token data and token passwords
    PI_ENCFILE = '/etc/privacyidea/enckey'
    # This is used to sign the audit log
    # This is the dummy base class
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
    # This is the default
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
    # This is used to sign the audit log
    PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
    PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
    PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
    PI_LOGLEVEL = logging.INFO

    PI_PEPPER = 'X'
    SECRET_KEY = 'X'
    SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'

  • pi-manage create_enckey

  • pi-manage create_audit_keys

  • pi-manage createdb

  • pi-manage admin add admin@localhost

  • privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea

  • a2enmod ssl

  • vi /etc/apache2/sites-available/privacyidea.conf

    ServerAdmin webmaster@localhost
    # You might want to change this
    ServerName localhost
    DocumentRoot /var/www
    <Directory />
            # For Apache 2.4 you need to set this:
            Require all granted
            Options FollowSymLinks
            AllowOverride None
    </Directory>

    # Yubico servers use /wsapi/2.0/verify as the path in the
    # validation URL. Some tools (e.g. Kolab 2fa) let the
    # user/admin change the api host, but not the rest of
    # the URL. Uncomment the following two lines to reroute
    # the api URL internally to privacyideas /ttype/yubikey.
    #RewriteEngine  on
    #RewriteRule    "^/wsapi/2.0/verify"  "/ttype/yubikey" [PT]

    # We can run several instances on different paths with different configurations
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    #WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
    #WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
    #WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
    #
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    ErrorLog /var/log/apache2/error.log

    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    # If you want to forward http request to https enable the
    # following virtual host.

#

# This will enable the Rewrite capabilities

RewriteEngine On

# This checks to make sure the connection is not already HTTPS

RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

#

cd /etc/apache2/sites-enabled/
rm -f 000-default.conf
ln -s …/sites-available/privacyidea.conf .

mkdir /home/privacyidea
chown -R privacyidea /home/privacyidea/
chown -R privacyidea /etc/privacyidea/

The part with user privacyidea is not within your guide, so there could be
a problem but I don’t get it.

Thanks
Michael
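
Both reports in this thread come down to whether the Python that mod_wsgi runs can see the virtualenv's site-packages. As an added example (not from the original posts or the privacyIDEA project), this script reads the mod_wsgi directives from an Apache configuration and reports where privacyidea.app would be found; it assumes a Python home is an installation prefix containing lib/pythonX.Y/site-packages, and the helper names and the temporary directory tree are constructed for the demonstration.

```python
import shlex
import tempfile
from pathlib import Path

# Constructed config fragment modelled on the Debian 8 virtual host posted above:
# it names the WSGI script but gives mod_wsgi no Python home or path.
CONF_WITHOUT_HOME = """\
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
"""


def wsgi_python_locations(apache_conf):
    """Return (homes, paths) declared through mod_wsgi directives in the config text."""
    homes, paths = [], []
    for raw in apache_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        try:
            words = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes in a directive we do not care about
        directive, args = words[0].lower(), words[1:]  # directive names are case-insensitive
        if directive == "wsgipythonhome" and args:
            homes.append(args[0])
        elif directive == "wsgipythonpath" and args:
            paths.extend(p for p in args[0].split(":") if p)
        elif directive == "wsgidaemonprocess":
            for option in args[1:]:  # args[0] is the process group name
                key, _, value = option.partition("=")
                if key == "python-home" and value:
                    homes.append(value)
                elif key == "python-path" and value:
                    paths.extend(p for p in value.split(":") if p)
    return homes, paths


def _has_module(base, module):
    """True if the dotted module is importable from directory base (Python 2.7 rules)."""
    parts = module.split(".")
    package = Path(base)
    for name in parts[:-1]:
        package = package / name
        if not (package / "__init__.py").is_file():
            return False  # Python 2.7 needs __init__.py in every parent package
    leaf = package / parts[-1]
    return leaf.with_name(parts[-1] + ".py").is_file() or (leaf / "__init__.py").is_file()


def diagnose(apache_conf, module="privacyidea.app"):
    """Report which declared locations were searched and where the module was found."""
    homes, paths = wsgi_python_locations(apache_conf)
    searched = [Path(p) for p in paths]
    for home in homes:
        root = Path(home)
        if root.is_dir():  # a home is a prefix directory, not an interpreter binary
            searched.extend(sorted(root.glob("lib/python*/site-packages")))
    found = [str(d) for d in searched if _has_module(d, module)]
    # The pythonX.Y component of each hit must match the Python that mod_wsgi was built against.
    return {"homes": homes, "paths": paths,
            "searched": [str(d) for d in searched], "found_in": found}


def build_fake_virtualenv(root):
    """Create a constructed stand-in for a virtualenv that holds privacyidea/app.py."""
    package = Path(root) / "lib" / "python2.7" / "site-packages" / "privacyidea"
    package.mkdir(parents=True)
    (package / "__init__.py").write_text("")
    (package / "app.py").write_text("def create_app(**kwargs):\n    pass\n")
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        venv = build_fake_virtualenv(tmp)
        print("no home declared :", diagnose(CONF_WITHOUT_HOME)["found_in"])
        with_home = "WSGIPythonHome %s\n%s" % (venv, CONF_WITHOUT_HOME)
        print("home = virtualenv:", diagnose(with_home)["found_in"])
```

An empty found_in for the configuration Apache actually loads corresponds to the ImportError in the error log, while pi-manage runserver keeps working because it is started from inside the activated virtualenv.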

On Wednesday, 6 July 2016 14:25:04 UTC+2, Cornelius Kölbel wrote:

Pip in root or virtual environment?
Config?


-------- Original message --------
From: Michael Muenz m.m...@gmail.com
Date: 06.07.16 14:17 (GMT+01:00)
To: privacyidea priva...@googlegroups.com
Subject: [privacyidea] Re: ImportError: No module named privacyidea.app

Hi,

I installed PI 2.13 via PiP on a fresh Debian 8 and have the same issue
here.
Running via py-manage runserver I can access the system, but via apache /
wsgi I get:

[Wed Jul 06 14:12:55.024738 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Wed Jul 06 14:12:55.024797 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] mod_wsgi (pid=17269): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Wed Jul 06 14:12:55.024837 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.024875 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Wed Jul 06 14:12:55.024929 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] from privacyidea.app import create_app
[Wed Jul 06 14:12:55.024964 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] ImportError: No module named
privacyidea.app
[Wed Jul 06 14:12:55.125165 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Wed Jul 06 14:12:55.125198 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] mod_wsgi (pid=17269): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Wed Jul 06 14:12:55.125231 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.125263 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Wed Jul 06 14:12:55.125309 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] from privacyidea.app import create_app
[Wed Jul 06 14:12:55.125341 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] ImportError: No module named
privacyidea.app

Thanks
Michael

On Monday, 11 January 2016 17:47:15 UTC+1, Cornelius Kölbel wrote:

Hello John,

the “privacyidea.app” in fact indicates that there is something wrong
with your python setup. In certain cases the WSGI process does not find
the complete python environment.

Which howto did you use to install?
→ This is the change to improve the documentation :-)

We do not need to take a look at FreeRADIUS now, since your privacyIDEA
installation seems messed up.

Kind regards
Cornelius

On Monday, 11.01.2016, 07:58 -0800, John Whitten wrote:

Hello Cornelius,

  1. How does the
    file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

[root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
import sys
sys.stdout = sys.stderr
from privacyidea.app import create_app
# Now we can select the config file:
application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")

  1. When I run it via Apache I get a “500 Server Error” and the error
    log contains the message about the “privacyidea.app” issue:

==> /var/log/httpd/error.log <==
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi
(pid=24859): Target WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’ cannot be
loaded as Python module.
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi
(pid=24859): Exception occurred processing WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’.
[Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
[Sun Jan 10 01:25:29 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in

[Sun Jan 10 01:25:29 2016] [error] from privacyidea.app import
create_app
[Sun Jan 10 01:25:29 2016] [error] ImportError: No module named
privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to
operate on port 5000), it logs me in and I get a “token/list” url and
a page which should be showing me tokens, but for some reason it does
not show any listed. There should be two tokens registered for the
username I’m using. Here is the command line I’m using:

pi-manage runserver -h MyHost -p 5000 -d -r

  1. This is what I get from the privacyidea.log:

[2016-01-11

10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235]
Can not get param: No JSON object could be decoded

  1. Post output of Freeradius -X

Request:

[root@MyHost FreeRADIUS]# echo “User-Name=SomeUser@SomeRealm,
Password=SomePassword” | radclient -sx localhost auth ‘OurSecret’
Sending Access-Request of id 89 to 127.0.0.1 port 1812
User-Name = “SomeUser@SomeRealm”
Password = “SomePassword”
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”

       Total approved auths:  0 
         Total denied auths:  1 
           Total lost auths:  0 

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89,
length=55
User-Name = “SomeUser@SomeRealm”
User-Password = “SomePassword”

Executing section authorize from

file /etc/raddb/sites-enabled/privacyidea
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm “SomeRealm” for User-Name =
“SomeUser@SomeRealm”
[suffix] No such realm “SomeRealm”
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 183
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No “known good” password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl

Executing group from file /etc/raddb/sites-enabled/privacyidea

+group authenticate {
rlm_perl: Config File not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type perl
rlm_perl: Warning:
rlm_perl: Auth-Type: perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 Internal Server Error
rlm_perl: return RLM_MODULE_FAIL
rlm_perl: Added pair User-Name = SomeUser@SomeRealm
rlm_perl: Added pair User-Password = SomePassword
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500
Internal Server Error
rlm_perl: Added pair Auth-Type = perl
++[perl] = fail
+} # group authenticate = fail
Failed to authenticate the user.
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 89 to 127.0.0.1 port 54525
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”
Waking up in 4.9 seconds.
Cleaning up request 15 ID 89 with timestamp +409247
Ready to process requests.

You didn’t ask, but here is my Apache config:

[root@MyHost conf.d]# cat privacyidea.conf

TraceEnable on
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

#############################################
# Redirect All Port 80 Accesses to Port 443
#############################################
#
ServerAdmin webmaster@localhost
ServerName localhost
RewriteEngine On
RewriteCond %{HTTPS} !=On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
#############################################
# Handle Port 443 Accesses
#############################################
#
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName localhost
    DocumentRoot /var/www

    <Directory />
            Require all granted
            Allow from all
            Options FollowSymLinks
            AllowOverride None
    </Directory>

    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    ## Logging
    ErrorLog /var/log/httpd/error.log

    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    #LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
    CustomLog /var/log/httpd/ssl_access.log privacyIDEA

    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest
problem always seems to come back to this one item:

[Sat Jan 09 01:25:22 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in

[Sat Jan 09 01:25:22 2016] [error] from privacyidea.app import
create_app
[Sat Jan 09 01:25:22 2016] [error] ImportError: No module named
privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:
Hello John,

    1. Check the configuration

    The httpd error log says
    Target WSGI script
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded
    as Python module

    a) What does the file
    /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

    b) What does your Apache config look like?
    I suspect that you have two different configurations, one that
    works when accessing the UI and one that does not work and is accessed
    when issuing the authentication request.

    2. Check the API without FreeRADIUS

    Please execute
    https://yourhost/validate/check?user=....&pass=...

    in your browser and take a look at the result.

    Of course you must not use the port 5000 unless you are running the
    Apache SSL on 5000.

    3. Check the log file

    The FreeRADIUS reply message says:

    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=75
            Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"

    So please check the privacyIDEA log.

    4. Debug

    You enabled DEBUG=true in your rlm_perl.ini.
    So you should get more privacyIDEA specific output when running

     freeradius -X

    You did not post this. Can you do so?

    Kind regards
    Cornelius
    
    
    
    
    On Friday, 08.01.2016, 06:02 -0800, John Whitten wrote:
    > Hi Cornelius, 
    > 
    > 
    > Thanks for the quick reply. 
    > 
    > 
    > Yes, you were correct that my "rlm_perl.ini" file was 
    missing. But, 
    > sadly, adding the file and adjusting the params did not 
    resolve the 
    > issue. In fact, the problem remains the same: 
    > 
    > 
    > [root@myhost FreeRADIUS]# echo "User-Name=user, 
    Password=pin123456" | 
    > radclient -sx localhost auth 'OURSECRET' 
    > Sending Access-Request of id 127 to 127.0.0.1 port 1812 
    >         User-Name = "user" 
    >         Password = "pin123456" 
    > 
    > 
    > ==> /var/log/httpd/error.log <== 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] 
    mod_wsgi 
    > (pid=24859): Target WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' 
    cannot be 
    > loaded as Python module. 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] 
    mod_wsgi 
    > (pid=24859): Exception occurred processing WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    > [Fri Jan 08 08:53:23 2016] [error] Traceback (most recent 
    call last): 
    > [Fri Jan 08 08:53:23 2016] [error]   File 
    > "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 
    3, in 
    > <module> 
    > [Fri Jan 08 08:53:23 2016] [error]     from privacyidea.app 
    import 
    > create_app 
    > [Fri Jan 08 08:53:23 2016] [error] ImportError: No module 
    named 
    > privacyidea.app 
    > 
    > 
    > ==> /var/log/httpd/ssl_access.log <== 
    > 127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500 
    "POST /validate/check 
    > HTTP/1.1"  599 "-" "libwww-perl/6.15" 
    > rad_recv: Access-Reject packet from host 127.0.0.1 port 
    1812, id=127, 
    > length=75 
    >         Reply-Message = "privacyIDEA request failed: 500 
    Internal 
    > Server Error" 
    > 
    > 
    >            Total approved auths:  0 
    >              Total denied auths:  1 
    >                Total lost auths:  0 
    > --- 
    > 
    > 
    > 
    > Here is what the "rlm_perl.ini" file now contains: 
    > 
    > 
    > [Default] 
    > URL = https://myhost:5000/validate/check 
    > REALM = myrealm 
    > #RESCONF = someResolver 
    > #SSL_CHECK = true 
    > SSL_CHECK = false 
    > DEBUG = true 
    > --- 
    > 
    > 
    > BTW, the result is the same with or without the port 5000 
    part. I 
    > tried removing it and it is still bombing with the import 
    error. It is 
    > apparently looking for something called "privacyidea.app" 
    and there is 
    > nothing with that name on my system, or available on your 
    site as far 
    > as I can tell. At least not directly. 
    > 
    > 
    > It feels to me like I am very close to getting this thing up 
    and 
    > running! So I am hopeful! ;-) 
    > 
    > 
    > John 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius  Kölbel  wrote: 
    >         Hello John, 
    >         
    >         thanks for the feedback regarding the installation 
    >         instructions. 
    >         This is the official instruction 
    > 

2. Installation — privacyIDEA 3.8 documentation

    >         I will add a note, that it needs python 2.7. 
    >         
    >         Good news: If you are able to access the web ui, 
    >         authenticating with 
    >         FreeRADIUS will also work in a moment. 
    >         
    >         I assume you are accessing the webui at an URL like 
    >         
    >         https://yourserver/ 
    >         
    >         i.e. in the root directory? 
    >         
    >         Then the FreeRADIUS would have to call 
    >         
    >         https://yourserver/validate/check 
    >         
    >         I think the FreeRADIUS privacyIDEA plugin is just 
    not 
    >         completely 
    >         configured yet. 
    >         See 
    > 

http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius

    >         
    >         Have you created any /opt/privacyidea/rlm_perl.ini 
    file yet? 
    >         
    >         I recommend creating a file 
    >         /etc/privacyidea/rlm_perl.ini 
    >         with the following content: 
    >         
    >         [Default] 
    >         URL = https://your.server/validate/check 
    >         SSL_CHECK = false 
    >         DEBUG = true 
    >         
    >         adapt the URL accordingly. 
    >         You should change SSL_CHECK to true, later. I.e. you 
    need to 
    >         get a 
    >         trusted certificate, if privacyIDEA is running on 
    another 
    >         server than 
    >         freeradius. 
    >         
    >         Starting with DEBUG=true gives you some good ideas 
    about whats 
    >         going on. 
    >         
    >         Please tell, if it was your rlm_perl.ini that was 
    missing. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         On Thursday, 07.01.2016, 22:24 -0800, John Whitten wrote:
    >         > 
    >         > Hello, 
    >         > 
    >         > 
    >         > I have been working to get this PrivacyIDEA 
    software 
    >         installed on a 
    >         > CentOS 6.5 system, along with FreeRADIUS. 
    >         > 
    >         > 
    >         > I have been mostly following the directions in 
    these three 
    >         documents 
    >         > (none of them appears to be entirely accurate): 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > CentOS install: 
    >         > 
    > 

Two factor authentication with OTP using privacyIDEA and FreeRADIUS on CentOS

    >         > 
    >         > 
    >         > 
    >         > Python Install: 
    >         > 
    > 

2.1. Python Package Index — privacyIDEA 3.8 documentation

    >         > 
    >         > 
    >         > 
    >         > PrivacyIdea Documentation Latest: 
    >         > https://privacyidea.readthedocs.org/en/latest/ 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > Between the various documents though, and a whole 
    lot of 
    >         trial and 
    >         > error, I have gotten it mostly working I think. 
    The actual 
    >         > installation files are from using the "Python PIP 
    Install" 
    >         method, so 
    >         > are whichever version are available that way. (I'm 
    not a 
    >         Python guy). 
    >         >  Also I should mention that I figured out that it 
    doesn't 
    >         work with 
    >         > Python 2.6 and have installed Python 2.7. As soon 
    as I did 
    >         that, the 
    >         > install went very smoothly. You should probably 
    note that 
    >         someplace in 
    >         > the documents and save people a whole lot of 
    time. 




Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level


Hi,

I installed PI 2.13 via PiP on a fresh Debian 8 and have the same issue
here.
Running via py-manage runserver I can access the system, but via apache /
wsgi I get:

[Wed Jul 06 14:12:55.024738 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Wed Jul 06 14:12:55.024797 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] mod_wsgi (pid=17269): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Wed Jul 06 14:12:55.024837 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.024875 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Wed Jul 06 14:12:55.024929 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909]     from privacyidea.app import create_app
[Wed Jul 06 14:12:55.024964 2016] [wsgi:error] [pid 17269:tid 139826853345024] [remote X:59909] ImportError: No module named privacyidea.app
[Wed Jul 06 14:12:55.125165 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Wed Jul 06 14:12:55.125198 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] mod_wsgi (pid=17269): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Wed Jul 06 14:12:55.125231 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.125263 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Wed Jul 06 14:12:55.125309 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909]     from privacyidea.app import create_app
[Wed Jul 06 14:12:55.125341 2016] [wsgi:error] [pid 17269:tid 139826937272064] [remote X:59909] ImportError: No module named privacyidea.app

Thanks
Michael

On Monday, 11 January 2016 at 17:47:15 UTC+1, Cornelius Kölbel wrote:

Hello John,

the “privacyidea.app” in fact indicates that there is something wrong
with your python setup. In certain cases the WSGI process does not find
the complete python environment.

Which howto did you use to install?
→ This is the change to improve the documentation :-)

We do not need to take a look at FreeRADIUS now, since your privacyIDEA
installation seems messed up.

Kind regards
Cornelius

On Monday, 11 January 2016, at 07:58 -0800, John Whitten wrote:

Hello Cornelius,

  1. How does the file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

[root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
import sys
sys.stdout = sys.stderr
from privacyidea.app import create_app

# Now we can select the config file:
application = create_app(config_name="production",
                         config_file="/etc/privacyidea/pi.cfg")

  2. When I run it via Apache I get a “500 Server Error” and the error
    log contains the message about the “privacyidea.app” issue:

==> /var/log/httpd/error.log <==
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
[Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
[Sun Jan 10 01:25:29 2016] [error]   File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Sun Jan 10 01:25:29 2016] [error]     from privacyidea.app import create_app
[Sun Jan 10 01:25:29 2016] [error] ImportError: No module named privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to
operate on port 5000), it logs me in and I get a “token/list” url and
a page which should be showing me tokens, but for some reason it does
not show any listed. There should be two tokens registered for the
username I’m using. Here is the command line I’m using:

pi-manage runserver -h MyHost -p 5000 -d -r

  3. This is what I get from the privacyidea.log:

[2016-01-11 10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235] Can not get param: No JSON object could be decoded

  4. Post output of Freeradius -X

Request:

[root@MyHost FreeRADIUS]# echo "User-Name=SomeUser@SomeRealm, Password=SomePassword" | radclient -sx localhost auth 'OurSecret'
Sending Access-Request of id 89 to 127.0.0.1 port 1812
        User-Name = "SomeUser@SomeRealm"
        Password = "SomePassword"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89, length=75
        Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89, length=55
        User-Name = "SomeUser@SomeRealm"
        User-Password = "SomePassword"
# Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "SomeRealm" for User-Name = "SomeUser@SomeRealm"
[suffix] No such realm "SomeRealm"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 183
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl

# Executing group from file /etc/raddb/sites-enabled/privacyidea

+group authenticate {
rlm_perl: Config File not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type perl
rlm_perl: Warning:
rlm_perl: Auth-Type: perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 Internal Server Error
rlm_perl: return RLM_MODULE_FAIL
rlm_perl: Added pair User-Name = SomeUser@SomeRealm
rlm_perl: Added pair User-Password = SomePassword
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500 Internal Server Error
rlm_perl: Added pair Auth-Type = perl
++[perl] = fail
+} # group authenticate = fail
Failed to authenticate the user.
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 89 to 127.0.0.1 port 54525
        Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
Waking up in 4.9 seconds.
Cleaning up request 15 ID 89 with timestamp +409247
Ready to process requests.

You didn’t ask, but here is my Apache config:

[root@MyHost conf.d]# cat privacyidea.conf

TraceEnable on
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

#############################################
# Redirect All Port 80 Accesses to Port 443
#############################################
#
ServerAdmin webmaster@localhost
ServerName localhost
RewriteEngine On
RewriteCond %{HTTPS} !=On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
#############################################
# Handle Port 443 Accesses
#############################################
#
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName localhost
    DocumentRoot /var/www

    <Directory />
            Require all granted
            Allow from all
            Options FollowSymLinks
            AllowOverride None
    </Directory>

    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    ## Logging
    ErrorLog /var/log/httpd/error.log
    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    #LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
    CustomLog /var/log/httpd/ssl_access.log privacyIDEA

    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest
problem always seems to come back to this one item:

[Sat Jan 09 01:25:22 2016] [error]   File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Sat Jan 09 01:25:22 2016] [error]     from privacyidea.app import create_app
[Sat Jan 09 01:25:22 2016] [error] ImportError: No module named privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John
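
What the active LogFormat in the configuration above records, as an added example (not code from the thread or from privacyIDEA): it resolves the format each CustomLog uses, flags %q and %r (the request line also carries the query string, which goes beyond the %q the config comment names), shows what %q writes for a browser call to /validate/check?user=...&pass=..., and lists rlm_perl.ini sections that do not set SSL_CHECK = true. The config text is a constructed copy of the posted lines and all function names are hypothetical.

```python
import configparser
import re
import shlex

# Constructed sample: the logging directives of the Apache configuration posted
# above, with the backslash-escaped inner quotes Apache requires.
APACHE_CONF = r'''
ErrorLog /var/log/httpd/error.log
#LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
CustomLog /var/log/httpd/ssl_access.log privacyIDEA
'''

# Constructed sample: the rlm_perl.ini shown in the thread.
RLM_PERL_INI = '''
[Default]
URL = https://myhost:5000/validate/check
REALM = myrealm
#SSL_CHECK = true
SSL_CHECK = false
DEBUG = true
'''

# %q is the query string; %r is the whole request line, which contains it too.
QUERY_DIRECTIVES = {"q", "r"}


def directives(conf):
    """Yield each active (uncommented) directive as a list of arguments."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield shlex.split(line)


def format_letters(fmt):
    """Return the format letters used in a LogFormat string (%>s gives 's')."""
    fmt = fmt.replace("%%", "")  # a literal percent sign is not a directive
    return set(re.findall(r"%[!<>,\d]*(?:\{[^}]*\})?([A-Za-z])", fmt))


def formats_logging_query(conf):
    """Return (logfile, format) for every CustomLog that records the query string."""
    named, custom = {}, []
    for args in directives(conf):
        name = args[0].lower()  # Apache directive names are case-insensitive
        if name == "logformat" and len(args) == 3:
            named[args[2]] = args[1]
        elif name == "customlog" and len(args) >= 3:
            custom.append((args[1], args[2]))
    hits = []
    for logfile, fmt in custom:
        resolved = named.get(fmt, fmt)  # a nickname, or an inline format string
        if format_letters(resolved) & QUERY_DIRECTIVES:
            hits.append((logfile, fmt))
    return hits


def logged_query(request_target):
    """What %q writes for a request: '?' plus the query string, or '' if none."""
    _, sep, query = request_target.partition("?")
    return sep + query if query else ""


def ssl_check_not_enabled(ini):
    """Return the rlm_perl.ini sections that do not set SSL_CHECK = true.

    Assumption: a missing key is reported as well, because the debug output in
    the thread shows the module not verifying when it found no config file.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini)
    return [s for s in parser.sections()
            if not parser.getboolean(s, "SSL_CHECK", fallback=False)]


if __name__ == "__main__":
    for logfile, fmt in formats_logging_query(APACHE_CONF):
        print("query string is written to", logfile, "via format", fmt)
    print("%q field:", logged_query("/validate/check?user=SomeUser&pass=SomePassword"))
    print("certificate check not enabled in:", ssl_check_not_enabled(RLM_PERL_INI))
```

The rlm_perl module sends a POST, as the ssl_access.log line in this thread shows, so it is the GET test from a browser that puts the password into the %q field.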

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:
Hello John,

    1. Check the configuration

    The httpd error log says
    Target WSGI script
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded
    as Python module

    a) How does the file
    /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

    b) How does your apache config look like?
    I suspect that you have two different configurations, one that
    works when accessing the UI and one that does not work and is accessed
    when issuing the authentication request.

    2. Check the API without the FreeRADIUS

    Please execute
    https://yourhost/validate/check?user=....&pass=...

    in your browser and take a look at the result.

    Of course you must not use the port 5000 unless you are running the
    Apache SSL on 5000.

    3. Check the log file

    The FreeRADIUS reply message says:

    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=75
            Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"

    So please check the privacyIDEA log.

    4. Debug

    You enabled DEBUG=true in your rlm_perl.ini.
    So you should get more privacyIDEA specific output when running

     freeradius -X

    You did not post this. Can you do so?

    Kind regards
    Cornelius
    
    
    
    
    On Friday, 8 January 2016, at 06:02 -0800, John Whitten wrote:
    > Hi Cornelius,
    >
    > Thanks for the quick reply.
    >
    > Yes, you were correct that my "rlm_perl.ini" file was missing. But,
    > sadly, adding the file and adjusting the params did not resolve the
    > issue. In fact, the problem remains the same:
    >
    > [root@myhost FreeRADIUS]# echo "User-Name=user, Password=pin123456" | radclient -sx localhost auth 'OURSECRET'
    > Sending Access-Request of id 127 to 127.0.0.1 port 1812
    >         User-Name = "user"
    >         Password = "pin123456"
    >
    > ==> /var/log/httpd/error.log <==
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Target WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] mod_wsgi (pid=24859): Exception occurred processing WSGI script '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'.
    > [Fri Jan 08 08:53:23 2016] [error] Traceback (most recent call last):
    > [Fri Jan 08 08:53:23 2016] [error]   File "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    > [Fri Jan 08 08:53:23 2016] [error]     from privacyidea.app import create_app
    > [Fri Jan 08 08:53:23 2016] [error] ImportError: No module named privacyidea.app
    >
    > ==> /var/log/httpd/ssl_access.log <==
    > 127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500 "POST /validate/check HTTP/1.1"  599 "-" "libwww-perl/6.15"
    > rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=127, length=75
    >         Reply-Message = "privacyIDEA request failed: 500 Internal Server Error"
    >
    >            Total approved auths:  0
    >              Total denied auths:  1
    >                Total lost auths:  0
    > ---
    >
    > Here is what the "rlm_perl.ini" file now contains:
    >
    > [Default]
    > URL = https://myhost:5000/validate/check
    > REALM = myrealm
    > #RESCONF = someResolver
    > #SSL_CHECK = true
    > SSL_CHECK = false
    > DEBUG = true
    > ---
    >
    > BTW, the result is the same with or without the port 5000 part. I
    > tried removing it and it is still bombing with the import error. It is
    > apparently looking for something called "privacyidea.app" and there is
    > nothing with that name on my system, or available on your site as far
    > as I can tell. At least not directly.
    >
    > It feels to me like I am very close to getting this thing up and
    > running! So I am hopeful! ;-)
    >
    > John
    >
    > On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius  Kölbel  wrote: 
    >         Hello John,
    >
    >         thanks for the feedback regarding the installation instructions.
    >         This is the official instruction
    >         2. Installation — privacyIDEA 3.8 documentation
    >         I will add a note, that it needs python 2.7.
    >
    >         Good news: If you are able to access the web ui, authenticating
    >         with FreeRADIUS will also work in a moment.
    >
    >         I assume you are accessing the webui at an URL like
    >
    >         https://yourserver/
    >
    >         i.e. in the root directory?
    >
    >         Then the FreeRADIUS would have to call
    >
    >         https://yourserver/validate/check
    >
    >         I think the FreeRADIUS privacyIDEA plugin is just not completely
    >         configured yet.
    >         See
    >         http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius
    >
    >         Have you created any /opt/privacyidea/rlm_perl.ini file yet?
    >
    >         I recommend creating a file
    >         /etc/privacyidea/rlm_perl.ini
    >         with the following content:
    >
    >         [Default]
    >         URL = https://your.server/validate/check
    >         SSL_CHECK = false
    >         DEBUG = true
    >
    >         adapt the URL accordingly.
    >         You should change SSL_CHECK to true, later. I.e. you need to get a
    >         trusted certificate, if privacyIDEA is running on another server
    >         than freeradius.
    >
    >         Starting with DEBUG=true gives you some good ideas about what's
    >         going on.
    >
    >         Please tell, if it was your rlm_perl.ini that was missing.
    >
    >         Kind regards
    >         Cornelius
    >
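
How the name in the ImportError maps to files, as an added example (not from the thread or from privacyIDEA): `privacyidea.app` is the module `app.py` inside a package directory `privacyidea`, looked up in the directories that the mod_wsgi directives supply. The check below walks those directories for a constructed copy of the directives posted in this thread and a constructed directory tree; the Python version mod_wsgi embeds is a parameter because the thread does not state it, and all function names are hypothetical.

```python
import os
import re
import tempfile

# Constructed copy of the mod_wsgi directives from the Apache configuration
# posted in this thread.
APACHE_CONF = """\
WSGIPythonHome /opt/privacyIDEA
WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
"""


def search_dirs(conf, embedded_version):
    """Directories the directives add to the module search path.

    WSGIPythonHome names a Python prefix, so the site-packages directory under
    it depends on the Python version mod_wsgi itself was built against.
    """
    dirs = []
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "WSGIPythonHome" and len(words) > 1:
            dirs.append(os.path.join(words[1], "lib",
                                     "python" + embedded_version, "site-packages"))
        elif words[0] == "WSGIDaemonProcess":
            for opt in words[2:]:
                if opt.startswith("python-path="):
                    dirs.extend(p for p in opt[len("python-path="):].split(":") if p)
    return dirs


def module_file(dotted, directory):
    """Return the file that `import dotted` would load from directory, or None."""
    parts = dotted.split(".")
    # Python 2, as used in the thread, needs __init__.py in every package directory.
    for i in range(1, len(parts)):
        if not os.path.isfile(os.path.join(directory, *parts[:i], "__init__.py")):
            return None
    for candidate in (os.path.join(directory, *parts) + ".py",
                      os.path.join(directory, *parts, "__init__.py")):
        if os.path.isfile(candidate):
            return candidate
    return None


def diagnose(conf, dotted, embedded_version, root="/"):
    """Return one (directory, status) pair per search directory."""
    report = []
    for d in search_dirs(conf, embedded_version):
        real = os.path.join(root, d.lstrip("/"))
        version = re.search(r"python(\d+\.\d+)", d)
        if not os.path.isdir(real):
            status = "missing"
        elif version and version.group(1) != embedded_version:
            status = "other version"  # site-packages of a different Python
        elif module_file(dotted, real):
            status = "found"
        else:
            status = "module not here"
        report.append((d, status))
    return report


def build_sample_tree():
    """Constructed stand-in for the server: a Python 2.7 virtualenv in /opt/privacyIDEA."""
    root = tempfile.mkdtemp()
    pkg = os.path.join(root, "opt/privacyIDEA/lib/python2.7/site-packages/privacyidea")
    os.makedirs(pkg)
    os.makedirs(os.path.join(root, "etc/privacyidea"))
    for name in ("__init__.py", "app.py"):
        open(os.path.join(pkg, name), "w").close()
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for version in ("2.6", "2.7"):
        print("mod_wsgi built for Python", version)
        for directory, status in diagnose(APACHE_CONF, "privacyidea.app", version, tree):
            print("   %-55s %s" % (directory, status))
```

On a real host, call diagnose() with the default root and the version reported by the Python that mod_wsgi is linked against.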

virtualenv.
I followed the steps in your guide, mixed with an old one from howtoforge.
I documented all the steps since I want to write a Debian 8 howto:

  • aptitude install libjpeg-dev zlib1g-dev python-dev
    libffi-dev libssl-dev libxslt1-dev virtualenv gcc
    mysql-server freeradius libconfig-inifiles-perl
    libdata-dump-perl libtry-tiny-perl libconfig-json-perl
    libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
  • virtualenv /opt/privacyidea
  • cd /opt/privacyidea
  • source bin/activate
  • pip install privacyidea
  • pip install MySQL-python
  • pip install click
  • mysql -u root -p
    create database pi;
    grant all privileges on pi.* to "pi"@"localhost" identified by "XXX";
    flush privileges;
    quit;
  • mkdir /etc/privacyidea
  • useradd -r privacyidea
  • cp etc/privacyidea/* /etc/privacyidea/
  • vi /etc/privacyidea/pi.cfg

    import logging
    # The realm, where users are allowed to login as administrators
    SUPERUSER_REALM = ['super']
    # Your database
    #SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
    # This is used to encrypt the auth_token
    #SECRET_KEY = 't0p s3cr3t'
    # This is used to encrypt the admin passwords
    #PI_PEPPER = "Never know…"
    # This is used to encrypt the token data and token passwords
    PI_ENCFILE = '/etc/privacyidea/enckey'
    # This is used to sign the audit log
    # This is the dummy base class
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
    # This is the default
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
    # This is used to sign the audit log
    PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
    PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
    PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
    PI_LOGLEVEL = logging.INFO

    PI_PEPPER = 'X'
    SECRET_KEY = 'X'
    SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'

  • pi-manage create_enckey

  • pi-manage create_audit_keys

  • pi-manage createdb

  • pi-manage admin add admin@localhost

  • privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea

  • a2enmod ssl

  • vi /etc/apache2/sites-available/privacyidea.conf

    ServerAdmin webmaster@localhost
    # You might want to change this
    ServerName localhost
    DocumentRoot /var/www
    <Directory />
            # For Apache 2.4 you need to set this:
            Require all granted
            Options FollowSymLinks
            AllowOverride None
    </Directory>

    # Yubico servers use /wsapi/2.0/verify as the path in the
    # validation URL. Some tools (e.g. Kolab 2fa) let the
    # user/admin change the api host, but not the rest of
    # the URL. Uncomment the following two lines to reroute
    # the api URL internally to privacyideas /ttype/yubikey.
    #RewriteEngine  on
    #RewriteRule    "^/wsapi/2.0/verify"  "/ttype/yubikey" [PT]

    # We can run several instances on different paths with different configurations
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    #WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
    #WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
    #WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
    #
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    ErrorLog /var/log/apache2/error.log

    LogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLIENT_S_DN_CN will show you, which administrator did what task
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    # If you want to forward http request to https enable the
    # following virtual host.
    #
    #   # This will enable the Rewrite capabilities
    #   RewriteEngine On
    #   # This checks to make sure the connection is not already HTTPS
    #   RewriteCond %{HTTPS} !=on
    #   RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    #

cd /etc/apache2/sites-enabled/
rm -f 000-default.conf
ln -s …/sites-available/privacyidea.conf .

mkdir /home/privacyidea
chown -R privacyidea /home/privacyidea/
chown -R privacyidea /etc/privacyidea/

The part with user privacyidea is not within your guide, so there could be
a problem but I don’t get it.

Thanks
Michael

On Wednesday, 6 July 2016 14:25:04 UTC+2, Cornelius Kölbel wrote:

Pip in root or virtual environment?
Config?

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797

-------- Original message --------
From: Michael Muenz <m.m...@gmail.com>
Date: 06.07.16 14:17 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: [privacyidea] Re: ImportError: No module named privacyidea.app

Hi,

I installed PI 2.13 via PiP on a fresh Debian 8 and have the same issue
here.
Running via py-manage runserver I can access the system, but via apache /
wsgi I get:

[Wed Jul 06 14:12:55.024738 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Wed Jul 06 14:12:55.024797 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] mod_wsgi (pid=17269): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Wed Jul 06 14:12:55.024837 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.024875 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Wed Jul 06 14:12:55.024929 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] from privacyidea.app import create_app
[Wed Jul 06 14:12:55.024964 2016] [wsgi:error] [pid 17269:tid
139826853345024] [remote X:59909] ImportError: No module named
privacyidea.app
[Wed Jul 06 14:12:55.125165 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] mod_wsgi (pid=17269): Target WSGI script
‘/etc/privacyidea/privacyideaapp.wsgi’ cannot be loaded as Python module.
[Wed Jul 06 14:12:55.125198 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] mod_wsgi (pid=17269): Exception occurred
processing WSGI script ‘/etc/privacyidea/privacyideaapp.wsgi’.
[Wed Jul 06 14:12:55.125231 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] Traceback (most recent call last):
[Wed Jul 06 14:12:55.125263 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] File
“/etc/privacyidea/privacyideaapp.wsgi”, line 3, in
[Wed Jul 06 14:12:55.125309 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] from privacyidea.app import create_app
[Wed Jul 06 14:12:55.125341 2016] [wsgi:error] [pid 17269:tid
139826937272064] [remote X:59909] ImportError: No module named
privacyidea.app

Thanks
Michael

On Monday, 11 January 2016 17:47:15 UTC+1, Cornelius Kölbel wrote:

Hello John,

the “privacyidea.app” in fact indicates that there is something wrong
with your python setup. In certain cases the WSGI process does not find
the complete python environment.

Which howto did you use to install?
→ This is the change to improve the documentation :-)

We do not need to take a look at FreeRADIUS now, since your privacyIDEA
installation seems messed up.

Kind regards
Cornelius

On Monday, 11.01.2016, 07:58 -0800, John Whitten wrote:

Hello Cornelius,

  1. How does the
    file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look like?

    [root@MyHost privacyidea]# cat /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
    import sys
    sys.stdout = sys.stderr
    from privacyidea.app import create_app
    # Now we can select the config file:
    application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")

  1. When I run it via Apache I get a “500 Server Error” and the error
    log contains the message about the “privacyidea.app” issue:

==> /var/log/httpd/error.log <==
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi
(pid=24859): Target WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’ cannot be
loaded as Python module.
[Sun Jan 10 01:25:29 2016] [error] [client 192.168.3.204] mod_wsgi
(pid=24859): Exception occurred processing WSGI script
‘/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi’.
[Sun Jan 10 01:25:29 2016] [error] Traceback (most recent call last):
[Sun Jan 10 01:25:29 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in

[Sun Jan 10 01:25:29 2016] [error] from privacyidea.app import
create_app
[Sun Jan 10 01:25:29 2016] [error] ImportError: No module named
privacyidea.app

When I run it (via the “pi-manage runserver” method which is set to
operate on port 5000), it logs me in and I get a “token/list” url and
a page which should be showing me tokens, but for some reason it does
not show any listed. There should be two tokens registered for the
username I’m using. Here is the command line I’m using:

pi-manage runserver -h MyHost -p 5000 -d -r

  1. This is what I get from the privacyidea.log:

[2016-01-11

10:29:28,768][25056][140316471326464][DEBUG][privacyidea.api.lib.utils:235]
Can not get param: No JSON object could be decoded

  1. Post output of Freeradius -X

Request:

[root@MyHost FreeRADIUS]# echo “User-Name=SomeUser@SomeRealm,
Password=SomePassword” | radclient -sx localhost auth ‘OurSecret’
Sending Access-Request of id 89 to 127.0.0.1 port 1812
User-Name = “SomeUser@SomeRealm”
Password = “SomePassword”
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=89,
length=75
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”

       Total approved auths:  0 
         Total denied auths:  1 
           Total lost auths:  0 

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 54525, id=89,
length=55
User-Name = “SomeUser@SomeRealm”
User-Password = “SomePassword”

Executing section authorize from

file /etc/raddb/sites-enabled/privacyidea
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm “SomeRealm” for User-Name =
“SomeUser@SomeRealm”
[suffix] No such realm “SomeRealm”
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 183
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No “known good” password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl

Executing group from file /etc/raddb/sites-enabled/privacyidea

+group authenticate {
rlm_perl: Config File not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type perl
rlm_perl: Warning:
rlm_perl: Auth-Type: perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: SomeUser@SomeRealm
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 Internal Server Error
rlm_perl: return RLM_MODULE_FAIL
rlm_perl: Added pair User-Name = SomeUser@SomeRealm
rlm_perl: Added pair User-Password = SomePassword
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = privacyIDEA request failed: 500
Internal Server Error
rlm_perl: Added pair Auth-Type = perl
++[perl] = fail
+} # group authenticate = fail
Failed to authenticate the user.
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 89 to 127.0.0.1 port 54525
Reply-Message = “privacyIDEA request failed: 500 Internal
Server Error”
Waking up in 4.9 seconds.
Cleaning up request 15 ID 89 with timestamp +409247
Ready to process requests.

You didn’t ask, but here is my Apache config:

    [root@MyHost conf.d]# cat privacyidea.conf

    TraceEnable on
    ServerSignature Off
    ServerTokens Prod
    WSGIPythonHome /opt/privacyIDEA
    WSGISocketPrefix /var/run/wsgi

    #############################################
    # Redirect All Port 80 Accesses to Port 443
    #############################################
    #
    # ServerAdmin webmaster@localhost
    # ServerName localhost
    # RewriteEngine On
    # RewriteCond %{HTTPS} !=On
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #

    #############################################
    # Handle Port 443 Accesses
    #############################################
    #
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName localhost
        DocumentRoot /var/www

        <Directory />
                # Require all granted
                Allow from all
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        # WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
        WSGIScriptAlias / /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi
        # The daemon is running as user 'privacyidea'
        # This user should have access to the encKey database encryption file
        WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
        WSGIProcessGroup privacyidea
        WSGIPassAuthorization On

        ## Logging
        ErrorLog /var/log/httpd/error.log
        LogLevel warn
        # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
        # Using SSL_CLIENT_S_DN_CN will show you, which administrator did what task
        #LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
        LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\" %q" privacyIDEA
        CustomLog /var/log/httpd/ssl_access.log privacyIDEA

        SSLEngine On
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
        SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
        SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

IMO, while I may very well have other issues in the setup, the biggest
problem always seems to come back to this one item:

[Sat Jan 09 01:25:22 2016] [error] File
“/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi”, line 3, in

[Sat Jan 09 01:25:22 2016] [error] from privacyidea.app import
create_app
[Sat Jan 09 01:25:22 2016] [error] ImportError: No module named
privacyidea.app

Thanks for all of your kind assistance! I really appreciate your help.

John

On Friday, January 8, 2016 at 3:54:43 PM UTC-5, Cornelius Kölbel wrote:
Hello John,

    1. Check the configuration 
    
    The httpd error log says 
    Target WSGI script 
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' cannot 
    be loaded 
    as Python module 
    
    a) How does the 
    file /opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi look 
    like? 
    
    b) How does your apache config look like? 
    I suspect that you have two different configurations, one that 
    works when accessing the UI and one that does not work and is 
    accessed when issuing the authentication request. 
    
    2. Check the API without the FreeRADIUS 
    
    Please execute 
    https://yourhost/validate/check?user=....&pass=... 
    
    in your browser and take a look at the result. 
    
    Of course you must not use the port 5000 unless you are 
    running the Apache SSL on 5000. 
    
    3. Check the log file 
    
    The FreeRADIUS reply message says: 
    
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, 
    id=127, 
    length=75 
            Reply-Message = "privacyIDEA request failed: 500 
    Internal Server 
    Error" 
    
    So please check the privacyIDEA log. 
    
    4. Debug 
    
    You enabled DEBUG=true in your rlm_perl.ini. 
    So you should get more privacyIDEA specific output when running 
    
     freeradius -X 
    
    You did not post this. Can you do so? 
    
    Kind regards 
    Cornelius 
    
    
    
    
    On Friday, 08.01.2016, 06:02 -0800, John Whitten wrote: 
    > Hi Cornelius, 
    > 
    > 
    > Thanks for the quick reply. 
    > 
    > 
    > Yes, you were correct that my "rlm_perl.ini" file was 
    missing. But, 
    > sadly, adding the file and adjusting the params did not 
    resolve the 
    > issue. In fact, the problem remains the same: 
    > 
    > 
    > [root@myhost FreeRADIUS]# echo "User-Name=user, 
    Password=pin123456" | 
    > radclient -sx localhost auth 'OURSECRET' 
    > Sending Access-Request of id 127 to 127.0.0.1 port 1812 
    >         User-Name = "user" 
    >         Password = "pin123456" 
    > 
    > 
    > ==> /var/log/httpd/error.log <== 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] 
    mod_wsgi 
    > (pid=24859): Target WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' 
    cannot be 
    > loaded as Python module. 
    > [Fri Jan 08 08:53:23 2016] [error] [client 127.0.0.1] 
    mod_wsgi 
    > (pid=24859): Exception occurred processing WSGI script 
    > '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    > [Fri Jan 08 08:53:23 2016] [error] Traceback (most recent 
    call last): 
    > [Fri Jan 08 08:53:23 2016] [error]   File 
    > "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 
    3, in 
    > <module> 
    > [Fri Jan 08 08:53:23 2016] [error]     from privacyidea.app 
    import 
    > create_app 
    > [Fri Jan 08 08:53:23 2016] [error] ImportError: No module 
    named 
    > privacyidea.app 
    > 
    > 
    > ==> /var/log/httpd/ssl_access.log <== 
    > 127.0.0.1 - - [08/Jan/2016:08:53:23 -0500] 500 
    "POST /validate/check 
    > HTTP/1.1"  599 "-" "libwww-perl/6.15" 
    > rad_recv: Access-Reject packet from host 127.0.0.1 port 
    1812, id=127, 
    > length=75 
    >         Reply-Message = "privacyIDEA request failed: 500 
    Internal 
    > Server Error" 
    > 
    > 
    >            Total approved auths:  0 
    >              Total denied auths:  1 
    >                Total lost auths:  0 
    > --- 
    > 
    > 
    > 
    > Here is what the "rlm_perl.ini" file now contains: 
    > 
    > 
    > [Default] 
    > URL = https://myhost:5000/validate/check 
    > REALM = myrealm 
    > #RESCONF = someResolver 
    > #SSL_CHECK = true 
    > SSL_CHECK = false 
    > DEBUG = true 
    > --- 
    > 
    > 
    > BTW, the result is the same with or without the port 5000 
    part. I 
    > tried removing it and it is still bombing with the import 
    error. It is 
    > apparently looking for something called "privacyidea.app" 
    and there is 
    > nothing with that name on my system, or available on your 
    site as far 
    > as I can tell. At least not directly. 
    > 
    > 
    > It feels to me like I am very close to getting this thing up 
    and 
    > running! So I am hopeful! ;-) 
    > 
    > 
    > John 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > 
    > On Friday, January 8, 2016 at 2:31:59 AM UTC-5, Cornelius  Kölbel  wrote: 
    >         Hello John, 
    >         
    >         thanks for the feedback regarding the installation 
    >         instructions. 
    >         This is the official instruction 
    > 

2. Installation — privacyIDEA 3.8 documentation

    >         I will add a note, that it needs python 2.7. 
    >         
    >         Good news: If you are able to access the web ui, 
    >         authenticating with 
    >         FreeRADIUS will also work in a moment. 
    >         
    >         I assume you are accessing the webui at an URL like 
    >         
    >         https://yourserver/ 
    >         
    >         i.e. in the root directory? 
    >         
    >         Then the FreeRADIUS would have to call 
    >         
    >         https://yourserver/validate/check 
    >         
    >         I think the FreeRADIUS privacyIDEA plugin is just 
    not 
    >         completely 
    >         configured yet. 
    >         See 
    > 

http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html?highlight=freeradius

    >         
    >         Have you created any /opt/privacyidea/rlm_perl.ini 
    file yet? 
    >         
    >         I recommend creating a file 
    >         /etc/privacyidea/rlm_perl.ini 
    >         with the following content: 
    >         
    >         [Default] 
    >         URL = https://your.server/validate/check 
    >         SSL_CHECK = false 
    >         DEBUG = true 
    >         
    >         adapt the URL accordingly. 
    >         You should change SSL_CHECK to true, later. I.e. you 
    need to 
    >         get a 
    >         trusted certificate, if privacyIDEA is running on 
    another 
    >         server than 
    >         freeradius. 
    >         
    >         Starting with DEBUG=true gives you some good ideas 
    about whats 
    >         going on. 
    >         
    >         Please tell, if it was your rlm_perl.ini that was 
    missing. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         On Thursday, 07.01.2016, 22:24 -0800, John Whitten wrote: 
    >         > 
    >         > Hello, 
    >         > 
    >         > 
    >         > I have been working to get this PrivacyIDEA 
    software 
    >         installed on a 
    >         > CentOS 6.5 system, along with FreeRADIUS. 
    >         > 
    >         > 
    >         > I have been mostly following the directions in 
    these three 
    >         documents 
    >         > (none of them appears to be entirely accurate): 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > CentOS install: 
    >         > 
    > 

Two factor authentication with OTP using privacyIDEA and FreeRADIUS on CentOS

    >         > 
    >         > 
    >         > 
    >         > Python Install: 
    >         > 
    > 

2.1. Python Package Index — privacyIDEA 3.8 documentation

    >         > 
    >         > 
    >         > 
    >         > PrivacyIdea Documentation Latest: 
    >         > https://privacyidea.readthedocs.org/en/latest/ 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > Between the various documents though, and a whole 
    lot of 
    >         trial and 
    >         > error, I have gotten it mostly working I think. 
    The actual 
    >         > installation files are from using the "Python PIP 
    Install" 
    >         method, so 
    >         > are whichever version are available that way. (I'm 
    not a 
    >         Python guy). 
    >         >  Also I should mention that I figured out that it 
    doesn't 
    >         work with 
    >         > Python 2.6 and have installed Python 2.7. As soon 
    as I did 
    >         that, the 
    >         > install went very smoothly. You should probably 
    note that 
    >         someplace in 
    >         > the documents and save people a whole lot of 
    time. 
    >         > 
    >         > 
    >         > Anyway, I have come to the part where I'm hooking 
    up 
    >         FreeRADIUS and it 
    >         > keeps bombing with the following message: 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > ==> /var/log/httpd/error.log <== 
    >         > [Thu Jan 07 23:27:48 2016] [error] [client 
    10.200.1.10] 
    >         mod_wsgi 
    >         > (pid=24859): Target WSGI script 
    >         > 
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi' 
    >         cannot be 
    >         > loaded as Python module. 
    >         > [Thu Jan 07 23:27:48 2016] [error] [client 
    10.200.1.10] 
    >         mod_wsgi 
    >         > (pid=24859): Exception occurred processing WSGI 
    script 
    >         > 
    '/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi'. 
    >         > [Thu Jan 07 23:27:48 2016] [error] Traceback (most 
    recent 
    >         call last): 
    >         > [Thu Jan 07 23:27:48 2016] [error]   File 
    >         > 
    "/opt/privacyIDEA/etc/privacyidea/privacyideaapp.wsgi", line 
    >         3, in 
    >         > <module> 
    >         > [Thu Jan 07 23:27:48 2016] [error]     from 
    privacyidea.app 
    >         import 
    >         > create_app 
    >         > [Thu Jan 07 23:27:48 2016] [error] ImportError: No 
    module 
    >         named 
    >         > privacyidea.app 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > RADIUS itself seems to be working fine. I had it 
    set up 
    >         originally and 
    >         > tested it with the test radius client and it all 
    seemed to 
    >         work fine. 
    >         > I now have it configured to call the 
    "privacyidea_radius.pm" 
    >         module 
    >         > from /etc/raddb/modules/perl. I had to correct the 
    path as 
    >         below: 
    >         > 
    >         > 
    >         > perl { 
    >         > #       module 
    = /opt/privacyIDEA/privacyidea_radius.pm 
    >         >         module 
    >         > 
    > 
    = /opt/privacyIDEA/lib/privacyidea/authmodules/FreeRADIUS/

privacyidea_radius.pm

    >         >         } 
    >         > 
    >         > 
    >         > 
    >         > 
    >         > When I try to authenticate using the test client 
    now, I get 
    >         the above 
    >         > error message, apparently looking for something 
    called 
    >         > "privacyidea.app". There is nothing on my system 
    anywhere 
    >         with that 
    >         > name, and I cannot find any good reference to it 
    online 
    >         apart from a 
    >         > brief mention here and there with respect to the 
    "perl" file 
    >         in the 
    >         > RADIUS modules directory. 
    >         > 
    >         > 
    >         > Can you assist me? I am under the gun to get this 
    worked out 
    >         and I'm 
    >         > having a heck of a time getting everything set up 
    and 
    >         working. 
    >         > 
    >         > 
    >         > 
    >         > I have gotten the PrivacyIDEA web portion itself 
    worked out. 
    >         I have 
    >         > been able to login as Admin, set up a Realm, 
    connect it to 
    >         our Active 
    >         > Directory and whatnot, and all that seems to work. 
    I also 
    >         was able to 
    >         > login to the PrivacyIDEA as a user and enroll 
    myself a 
    >         token. I got 
    >         > the FreeOTP Android App for my smartphone from 
    Google Play, 
    >         and used 
    >         > the QR feature to set up the token into the 
    FreeOTP app. All 
    >         of that 
    >         > went very smoothly and without much problem. 
    >         > 
    >         > 
    >         > But when I go to try to authenticate with it, I 
    run into the 
    >         problem 
    >         > above. 
    >         > 
    >         > 
    >         > Thanks for any assistance you can provide! 
    >         > 
    >         > 
    >         > John Whitten 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Managing director: Cornelius Kölbel 
    >         
    >         
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Managing director: Cornelius Kölbel 


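One way to check an Apache vhost for the condition described in this thread (the WSGI process not finding the complete Python environment) and for the `%q` warning in the config comments. This is an added example, not code from the thread or from privacyIDEA; the sample configs, the finding codes and the assumed `lib/python2.7/site-packages` layout are assumptions made for the example.

```python
"""Audit an Apache/mod_wsgi config for the import-path and %q logging issues.

Added example, not privacyIDEA code. The sample configs below are constructed.
"""
import os
import tempfile

PY_VERSION = "2.7"  # assumption: the interpreter version named in the thread


def parse_wsgi_settings(conf_text):
    """Collect the directives that decide where the WSGI daemon finds modules."""
    found = {"python_home": None, "python_path": [], "script": None,
             "daemon_user": None, "logs_query_string": False}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "wsgipythonhome" and args:
            found["python_home"] = args[0]
        elif directive == "wsgiscriptalias" and len(args) >= 2:
            found["script"] = args[1]
        elif directive == "wsgidaemonprocess":
            for option in args[1:]:
                key, _, value = option.partition("=")
                if key == "python-path":
                    found["python_path"].extend(p for p in value.split(":") if p)
                elif key == "python-home":
                    found["python_home"] = value
                elif key == "user":
                    found["daemon_user"] = value
        elif directive == "logformat" and "%q" in line:
            found["logs_query_string"] = True
    return found


def search_dirs(found):
    """Directories the config adds to the daemon's module search path."""
    dirs = list(found["python_path"])
    if found["python_home"]:
        dirs.append(os.path.join(found["python_home"], "lib",
                                 "python" + PY_VERSION, "site-packages"))
    return dirs


def module_visible(dirs, dotted_name):
    """True if dotted_name exists as a module or package under one of dirs."""
    rel = os.path.join(*dotted_name.split("."))
    return any(os.path.isfile(os.path.join(d, rel + ".py"))
               or os.path.isfile(os.path.join(d, rel, "__init__.py"))
               for d in dirs)


def audit(conf_text, module="privacyidea.app"):
    """Return a list of (code, message) findings for one config text."""
    found = parse_wsgi_settings(conf_text)
    dirs = search_dirs(found)
    findings = []
    if not dirs:
        findings.append(("no-python-path",
                         "no python-path, python-home or WSGIPythonHome: the "
                         "daemon only sees the system interpreter's sys.path"))
    elif not module_visible(dirs, module):
        findings.append(("module-not-found",
                         module + " not found under: " + ", ".join(dirs)))
    if found["logs_query_string"]:
        findings.append(("logformat-q",
                         "active LogFormat contains %q: request parameters "
                         "such as PINs and keys reach the access log"))
    return findings


def make_demo_virtualenv(root):
    """Create an empty stand-in for a virtualenv holding privacyidea/app.py."""
    site = os.path.join(root, "lib", "python" + PY_VERSION, "site-packages")
    package = os.path.join(site, "privacyidea")
    os.makedirs(package)
    for name in ("__init__.py", "app.py"):
        open(os.path.join(package, name), "w").close()
    return site


# Constructed sample: daemon process without path options, %q in the log format.
CONF_NO_PATH = '''
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
LogFormat "%h %l %u %t %>s \\"%m %U %H\\" %b %q" privacyIDEA
'''


def conf_with_path(site_packages):
    """Constructed sample: python-path set, the %q format left commented out."""
    return (
        "WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi\n"
        "WSGIDaemonProcess privacyidea python-path=" + site_packages +
        " processes=1 threads=15 display-name=%{GROUP} user=privacyidea\n"
        "WSGIProcessGroup privacyidea\n"
        '#LogFormat "%h %l %u %t %>s \\"%m %U %H\\" %b %q" privacyIDEA\n'
        'LogFormat "%h %l %u %t %>s \\"%m %U %H\\" %b" privacyIDEA\n'
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        site = make_demo_virtualenv(root)
        for label, conf in (("no path", CONF_NO_PATH),
                            ("with path", conf_with_path(site))):
            print(label, audit(conf))
```

A path that passes this check can still fail to import when mod_wsgi was compiled against a different Python version than the virtualenv uses.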