PrivacyIDEA - BasicAuth

PrivacyIDEA - Install BasicAuth

Hi,

I am trying to activate Basic Authentication for SSO purposes for the WebUI.
If I change the AuthType in the Apache config file "privacyidea.conf" to
basic, the login dialog appears but the authentication fails. In the Apache
error log I receive the following message.

/var/log/httpd/error_log:

[Mon Sep 12 21:11:34.936915 2016] [:error] [pid 1483] [client 172.16.16.16:63124] mod_wsgi (pid=1483): Exception occurred processing WSGI script '/opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py'.
[Mon Sep 12 21:11:34.936989 2016] [:error] [pid 1483] [client 172.16.16.16:63124] Traceback (most recent call last):
[Mon Sep 12 21:11:34.937046 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py", line 66, in check_password
[Mon Sep 12 21:11:34.937129 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     value = rd.get(key)
[Mon Sep 12 21:11:34.937146 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/client.py", line 863, in get
[Mon Sep 12 21:11:34.937698 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     return self.execute_command('GET', name)
[Mon Sep 12 21:11:34.937725 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/client.py", line 570, in execute_command
[Mon Sep 12 21:11:34.937745 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     connection.send_command(*args)
[Mon Sep 12 21:11:34.937757 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 556, in send_command
[Mon Sep 12 21:11:34.937958 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     self.send_packed_command(self.pack_command(*args))
[Mon Sep 12 21:11:34.938001 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 532, in send_packed_command
[Mon Sep 12 21:11:34.938041 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     self.connect()
[Mon Sep 12 21:11:34.938052 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 436, in connect
[Mon Sep 12 21:11:34.938065 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     raise ConnectionError(self._error_message(e))
[Mon Sep 12 21:11:34.938081 2016] [:error] [pid 1483] [client 172.16.16.16:63124] ConnectionError: Error 111 connecting to localhost:6379. Connection refused.

/etc/httpd/conf.d/privacyidea.conf:

TraceEnable off
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

    ServerAdmin support@xxx.xy
    ServerName Servername1
    RewriteEngine On
    RewriteCond %{HTTPS} !=On
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ServerAdmin support@xxx.xy
    ServerName Servername
    DocumentRoot /var/www
    <Directory />
        # For Apache 2.4 you need to set this:
        # Require all granted
        Options FollowSymLinks
        AllowOverride None
        SSLRequireSSL
        AuthType Basic
        AuthName "OTP WebUi Login"
        AuthBasicProvider wsgi
        WSGIAuthUserScript /opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py
        require valid-user
    </Directory>
    <Location /validate/check>
        Require all granted
        Options FollowSymLinks
        AllowOverride None
    </Location>
    <Location /ttype>
        Require all granted
        Options FollowSymLinks
        AllowOverride None
    </Location>
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIPassAuthorization On
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

Software Versions:

PrivacyIDEA 2.14

centos-release-7-2.1511.el7.centos.2.10.x86_64

Python 2.7.5

Apache/2.4.6 (CentOS)

Could you please tell me what is wrong?

Thanks in advance!

Tilmann
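The traceback above ends inside the auth module's check_password while it reads Redis (rd.get) and gets "Connection refused" on localhost:6379, which Apache then reports as a failed login. The following is an added example and not privacyIDEA's own privacyidea_apache.py: a minimal mod_wsgi provider for the WSGIAuthUserScript directive that shows the same flow, namely look the credential up in a cache, otherwise POST it to /validate/check, and cache a success so the browser can resend the same one-time password with every request. The endpoint URL, the 300-second TTL, the PI_CACHE_SALT variable, the MemoryCache stand-in and the result.status / result.value fields it parses are assumptions of this example; a cache outage is logged and handled here instead of escaping as the unhandled exception seen in the log.

```python
"""Added example modelled on the flow in the traceback above; this is NOT
privacyIDEA's own privacyidea_apache.py.  Endpoint URL, TTL, cache salt and
the result.status / result.value fields are assumptions of this example."""
import hashlib
import hmac
import json
import logging
import os
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

PI_VALIDATE_URL = "https://localhost/validate/check"   # assumed location
CACHE_TTL_SECONDS = 300                                # assumed lifetime
CACHE_SALT = os.environ.get("PI_CACHE_SALT", "set-a-random-per-host-secret")  # assumed

log = logging.getLogger("privacyidea_basicauth")


def pi_validate(user, password, url=PI_VALIDATE_URL, timeout=5):
    """POST user/pass to /validate/check; True only if privacyIDEA reports
    result.status == true and result.value == true.  Any transport or
    parsing problem is a failed login, never an exception handed to Apache."""
    body = urlencode({"user": user, "pass": password}).encode()
    req = Request(url, data=body, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            answer = json.load(resp)
    except (URLError, ValueError) as exc:
        log.error("privacyIDEA not reachable or answer not JSON: %s", exc)
        return False
    result = answer.get("result", {})
    return bool(result.get("status")) and bool(result.get("value"))


def cache_key(user, password):
    """Cache key for a successful login.  The cleartext credential is never
    stored: the key is a keyed hash over user and password."""
    mac = hmac.new(CACHE_SALT.encode(), digestmod=hashlib.sha256)
    mac.update(user.encode())
    mac.update(b"\x00")
    mac.update(password.encode())
    return "pi_auth:" + mac.hexdigest()


class MemoryCache:
    """Offline stand-in offering the two redis-py calls this module uses."""
    def __init__(self):
        self.store = {}

    def get(self, key):
        return self.store.get(key)

    def setex(self, key, ttl, value):
        self.store[key] = value


def check_password(environ, user, password, validate=pi_validate, cache=None):
    """mod_wsgi entry point named by WSGIAuthUserScript.  Returns True for a
    valid login, False otherwise.  `cache` may be a redis-py client or any
    object with redis-style get()/setex()."""
    if not user or not password:
        return False
    key = cache_key(user, password)
    if cache is not None:
        try:
            if cache.get(key):
                return True          # same OTP re-sent by the browser: accept
        except Exception as exc:     # e.g. redis ConnectionError on localhost:6379
            log.warning("auth cache unavailable (%s); validating every "
                        "request against privacyIDEA instead", exc)
            cache = None
    if not validate(user, password):
        return False
    if cache is not None:
        try:
            cache.setex(key, CACHE_TTL_SECONDS, "1")
        except Exception as exc:
            log.warning("could not cache the successful login: %s", exc)
    return True


if __name__ == "__main__":
    # Constructed offline demo: a fake validator stands in for /validate/check.
    def demo_validate(user, password):
        return (user, password) == ("alice", "1234567890")

    demo_cache = MemoryCache()
    print(check_password({}, "alice", "1234567890", demo_validate, demo_cache))  # True
    print(check_password({}, "alice", "wrong", demo_validate, demo_cache))       # False
```

mod_wsgi calls check_password with (environ, user, password) exactly as the config above wires it (AuthBasicProvider wsgi plus WSGIAuthUserScript pointing at the file). The cache is not optional in practice: a one-time password is accepted once, so when Redis is down every later browser request re-submits an already consumed OTP and is refused, which is why a refused connection on port 6379 has to be fixed rather than worked around.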

Hi Tilmann,

You need to define a policy so that privacyIDEA will in fact use the
basic authentication header.
Did you define the policy in the scope webui?

Kind regards
Cornelius

On Monday, 12.09.2016, 13:08 -0700, Tilmann wrote:




Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi,

Yes, I defined the following policy in the scope WebUI:

{ "default_tokentype": "totp", "remote_user": "allowed", "tokenwizard": true }

Is that right? Is it necessary to set a filter on realm, user resolver or
something else?

Regards, Tilmann

On Monday, 12 September 2016 22:08:06 UTC+2, Tilmann wrote:


Okay, thank you!

I will check this.

Regards, Tilmann

Hi Cornelius,

I have another question about this topic. The basic webserver
authentication works now if I enter the OTP PIN in the password field. But
for single sign-on purposes I need to use the password from the userstore
(Active Directory). How can I address this?

The script "privacyidea_apache.py" uses the "/validate/check" function. Is
there another function that I must use?

I cannot find anything about this in your documentation.

Thanks in advance!
Regards, Tilmann

policy:
otppin=userstore?

On Friday, 18 November 2016 09:21:57 UTC+1, Tilmann wrote:


What were your search words when searching the documentation?

/validate/check always tries to authenticate the user with one of his
tokens and as defined in the authentication policies.

http://privacyidea.readthedocs.io/en/latest/policies/authentication.html

If you have any detailed/concrete recommendation on how to improve the docs,
please tell me. Thanks a lot!

On Thursday, 24 November 2016 21:32:50 UTC+1, Cornelius Kölbel wrote:
