PrivacyIDEA - BasicAuth

PrivacyIDEA - Install BasicAuth

Hi,

I am trying to activate Basic Authentication for SSO purposes for the WebUI.
If I change the AuthType in the Apache config file "privacyidea.conf" to
Basic, the login dialog appears but the authentication fails. In the Apache
error log I receive the following message.

/var/log/httpd/error_log:

[Mon Sep 12 21:11:34.936915 2016] [:error] [pid 1483] [client 172.16.16.16:63124] mod_wsgi (pid=1483): Exception occurred processing WSGI script '/opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py'.
[Mon Sep 12 21:11:34.936989 2016] [:error] [pid 1483] [client 172.16.16.16:63124] Traceback (most recent call last):
[Mon Sep 12 21:11:34.937046 2016] [:error] [pid 1483] [client 172.16.16.16:63124] File "/opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py", line 66, in check_password
[Mon Sep 12 21:11:34.937129 2016] [:error] [pid 1483] [client 172.16.16.16:63124] value = rd.get(key)
[Mon Sep 12 21:11:34.937146 2016] [:error] [pid 1483] [client 172.16.16.16:63124] File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/client.py", line 863, in get
[Mon Sep 12 21:11:34.937698 2016] [:error] [pid 1483] [client 172.16.16.16:63124] return self.execute_command('GET', name)
[Mon Sep 12 21:11:34.937725 2016] [:error] [pid 1483] [client 172.16.16.16:63124] File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/client.py", line 570, in execute_command
[Mon Sep 12 21:11:34.937745 2016] [:error] [pid 1483] [client 172.16.16.16:63124] connection.send_command(*args)
[Mon Sep 12 21:11:34.937757 2016] [:error] [pid 1483] [client 172.16.16.16:63124] File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 556, in send_command
[Mon Sep 12 21:11:34.937958 2016] [:error] [pid 1483] [client 172.16.16.16:63124] self.send_packed_command(self.pack_command(*args))
[Mon Sep 12 21:11:34.938001 2016] [:error] [pid 1483] [client 172.16.16.16:63124] File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 532, in send_packed_command
[Mon Sep 12 21:11:34.938041 2016] [:error] [pid 1483] [client 172.16.16.16:63124] self.connect()
[Mon Sep 12 21:11:34.938052 2016] [:error] [pid 1483] [client 172.16.16.16:63124] File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 436, in connect
[Mon Sep 12 21:11:34.938065 2016] [:error] [pid 1483] [client 172.16.16.16:63124] raise ConnectionError(self._error_message(e))
[Mon Sep 12 21:11:34.938081 2016] [:error] [pid 1483] [client 172.16.16.16:63124] ConnectionError: Error 111 connecting to localhost:6379. Connection refused.

/etc/httpd/conf.d/privacyidea.conf:

TraceEnable off
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

    ServerAdmin support@xxx.xy
    ServerName Servername1
    RewriteEngine On
    RewriteCond %{HTTPS} !=On
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ServerAdmin support@xxx.xy
    ServerName Servername
    DocumentRoot /var/www
    <Directory />
        # For Apache 2.4 you need to set this:
        # Require all granted
        Options FollowSymLinks
        AllowOverride None
        SSLRequireSSL
        AuthType Basic
        AuthName "OTP WebUi Login"
        AuthBasicProvider wsgi
        WSGIAuthUserScript /opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py
        require valid-user
    </Directory>
    <Location /validate/check>
        Require all granted
        Options FollowSymLinks
        AllowOverride None
    </Location>
    <Location /ttype>
        Require all granted
        Options FollowSymLinks
        AllowOverride None
    </Location>
    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIPassAuthorization On
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key

Software Versions:

PrivacyIDEA 2.14

centos-release-7-2.1511.el7.centos.2.10.x86_64

Python 2.7.5

Apache/2.4.6 (CentOS)

Could you please tell me what is wrong?

Thanks in advance!

Tilmann
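The vhost fragment posted above carries a few settings a reviewer would flag before putting HTTP Basic authentication in front of a web UI: RC4 cipher groups in SSLCipherSuite (RC4 is prohibited for TLS by RFC 7465), an SSLProtocol line that still admits TLS 1.0 and 1.1, and WSGIPassAuthorization set twice. The checker below is an added example, not privacyIDEA's code nor the poster's configuration; it parses an Apache fragment into (directive, argument, section) tuples and reports those problems, plus whether every `AuthType Basic` section carries a `Require` directive and `SSLRequireSSL`. The posted config is embedded as a constructed sample beside a hardened variant that passes cleanly.

```python
import re

# Constructed sample: the <Directory> and TLS part of the vhost posted above,
# trimmed to the directives the checks below look at.
SAMPLE_CONFIG = """\
<Directory />
    # For Apache 2.4 you need to set this:
    # Require all granted
    Options FollowSymLinks
    AllowOverride None
    SSLRequireSSL
    AuthType Basic
    AuthName "OTP WebUi Login"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py
    require valid-user
</Directory>
WSGIPassAuthorization On
WSGIProcessGroup privacyidea
WSGIPassAuthorization On
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
"""

# Constructed hardened variant: one WSGIPassAuthorization, no RC4, TLS >= 1.2.
HARDENED_CONFIG = """\
<Directory />
    Require valid-user
    SSLRequireSSL
    AuthType Basic
    AuthName "OTP WebUi Login"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py
</Directory>
WSGIPassAuthorization On
WSGIProcessGroup privacyidea
SSLEngine On
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:DHE+AES256:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
"""

SECTION_OPEN = re.compile(r"<(Directory|Location)\s+(\S+)>", re.I)
SECTION_CLOSE = re.compile(r"</(Directory|Location)>", re.I)
# Directives that are set once per scope; a second copy is a copy/paste slip.
SINGLE_VALUED = {"wsgipassauthorization", "wsgiprocessgroup", "sslengine",
                 "sslprotocol", "sslciphersuite"}


def parse_directives(text):
    """Return (directive_lowercase, argument, section) for every directive.
    section is the enclosing <Directory>/<Location> argument, or None at
    virtual-host level. Comments are skipped, so the commented-out
    '# Require all granted' in the sample is not seen as a directive."""
    out = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            section = m.group(2)
            continue
        if SECTION_CLOSE.match(line):
            section = None
            continue
        name, _, arg = line.partition(" ")
        out.append((name.lower(), arg.strip(), section))
    return out


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    seen = set()
    by_section = {}
    for name, arg, section in parse_directives(text):
        by_section.setdefault(section, []).append((name, arg))
        key = (name, section)
        if name in SINGLE_VALUED and key in seen:
            findings.append(f"{name} set twice in the same scope")
        seen.add(key)
        if name == "sslciphersuite":
            # Only positive cipher groups count; '!RC4' is an exclusion.
            rc4 = [c for c in arg.split(":")
                   if "rc4" in c.lower() and not c.startswith("!")]
            if rc4:
                findings.append("sslciphersuite offers RC4 ciphers: " + ", ".join(rc4))
        if name == "sslprotocol":
            toks = set(arg.lower().split())
            if "all" in toks and not {"-tlsv1", "-tlsv1.1"} <= toks:
                findings.append("sslprotocol permits TLS 1.0/1.1")
    # Apache 2.4 authorization: a Basic-auth section needs a Require and
    # should only ever be reachable over TLS.
    for section, items in by_section.items():
        names = {n for n, _ in items}
        if any(n == "authtype" and a.lower() == "basic" for n, a in items):
            if "require" not in names:
                findings.append(f"Basic auth in {section} has no Require directive")
            if "sslrequiressl" not in names:
                findings.append(f"Basic auth in {section} is not forced over TLS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint(cfg) or ["clean"])
```

The `<Directory />` block in the posted fragment passes the Basic-auth checks as written: `require valid-user` satisfies Apache 2.4's authorization requirement even with `Require all granted` commented out, and `SSLRequireSSL` is present. The three findings all come from the virtual-host level.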

Hi Tilmann,

you need to define a policy so that privacyIDEA will in fact use the
Basic Authentication header.
Did you define the policy in the scope webui?

Kind regards
Cornelius



Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi,

Yes, I defined the following policy in the scope WebUI:

{ "default_tokentype": "totp", "remote_user": "allowed", "tokenwizard":
true }

Is that right? Is it necessary to set a filter for realm, user resolver or
something else?

Regards, Tilmann

Okay, thank you!

I will check this.

Regards, Tilmann

Hi Cornelius,

I have another question about this topic. The basic web server
authentication works now if I enter the OTP PIN in the password field. But
for single sign-on purposes I need to use the password from the user store
(Active Directory). How can I address this?

The script "privacyidea_apache.py" uses the "/validate/check" function. Is
there another function that I must use?

I cannot find anything about this in your documentation.

Thanks in advance!
Regards, Tilmann

policy:
otppin=userstore?

What were your search words when searching the documentation?

/validate/check always tries to authenticate the user with one of his
tokens and as defined in the authentication policies.

http://privacyidea.readthedocs.io/en/latest/policies/authentication.html

If you have any detailed/concrete recommendation how to improve the docs,
please tell me. Thanks a lot!
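Two pieces of glue sit behind the exchange above: Apache hands the `Authorization: Basic …` header through to the WSGI application when `WSGIPassAuthorization On` is set, and the application's verdict depends on the JSON that `/validate/check` returns. The code below is an added example, not privacyIDEA's `privacyidea_apache.py` nor any other part of the project. It assumes the documented privacyIDEA response shape, where `result.status` says whether the request was processed and `result.value` whether the credentials matched; the sample responses, the `fake_validate_check` stand-in for the HTTP call, and the credential `alice` / `Ad-Passw0rd123456` (directory password followed by a six-digit OTP, as an `otppin=userstore` policy expects in the `pass` parameter) are all constructed. The point it makes is that only `status` and `value` both being `true` is a successful login; a `status: true, value: false` reply is a processed request whose credentials failed, and a malformed header or body is treated as a failure rather than an exception.

```python
import base64
import json


def credentials_from_environ(environ):
    """Extract (user, password) from the Authorization header that mod_wsgi
    passes through when WSGIPassAuthorization is On. Returns None for a
    missing, non-Basic or malformed header instead of raising, so the caller
    can answer 401 rather than crash into a 500."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Only the first colon separates user and password; passwords may contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def validate_check_passed(response_text):
    """Interpret a /validate/check JSON body (privacyIDEA response shape,
    assumed here). Success requires result.status AND result.value to be
    true; anything else, including unparseable JSON, fails closed."""
    try:
        body = json.loads(response_text)
    except ValueError:
        return False
    if not isinstance(body, dict):
        return False
    result = body.get("result")
    if not isinstance(result, dict):
        return False
    return result.get("status") is True and result.get("value") is True


def authenticate_request(environ, validate_check):
    """Combine both steps. validate_check(user, password) must return the JSON
    text of a /validate/check response; it is injected so this runs offline."""
    creds = credentials_from_environ(environ)
    if creds is None:
        return False
    user, password = creds
    return validate_check_passed(validate_check(user, password))


def basic_header(user, password):
    """Build the header value a browser sends for the Basic-auth dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


# Constructed sample responses in the privacyIDEA 2.x shape.
RESPONSE_OK = json.dumps({"jsonrpc": "2.0", "id": 1,
                          "result": {"status": True, "value": True},
                          "detail": {"message": "matching 1 tokens"}})
RESPONSE_WRONG_OTP = json.dumps({"jsonrpc": "2.0", "id": 1,
                                 "result": {"status": True, "value": False},
                                 "detail": {"message": "wrong otp value"}})
RESPONSE_ERROR = json.dumps({"jsonrpc": "2.0", "id": 1,
                             "result": {"status": False,
                                        "error": {"code": -1, "message": "constructed error"}}})


def fake_validate_check(user, password):
    """Constructed stand-in for the HTTPS call to /validate/check: exactly one
    credential pair (directory password + OTP) is accepted."""
    if (user, password) == ("alice", "Ad-Passw0rd123456"):
        return RESPONSE_OK
    return RESPONSE_WRONG_OTP


if __name__ == "__main__":
    env = {"HTTP_AUTHORIZATION": basic_header("alice", "Ad-Passw0rd123456")}
    print("alice with correct password+OTP:", authenticate_request(env, fake_validate_check))
    env = {"HTTP_AUTHORIZATION": basic_header("alice", "Ad-Passw0rd000000")}
    print("alice with wrong OTP:", authenticate_request(env, fake_validate_check))
    print("no header:", authenticate_request({}, fake_validate_check))
```

In a real deployment `validate_check` would be an HTTPS POST of `user` and `pass` to the privacyIDEA server; keeping it injectable lets the verdict logic be tested without a server and makes the fail-closed behaviour explicit.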