Setting up privacyIDEA with apache2 for a webmail server

Hello! First post here after lurking for a while.

I am trying to set up OTP for logging in to a web server set up with Apache2.

The server is actually a mail server, with Postfix and Dovecot, on Debian.

I have successfully set up privacyIDEA and can enroll tokens for users in my passwd file. Token testing goes OK.

But I cannot get OTP to prompt me for it when trying to log in to my webmail. Is it possible? I cannot figure it out. Thank you for any responses.

I have done what it says here, in the Apache2 section: 14. Application Plugins — privacyIDEA 3.6.2 documentation

but I don't really understand where the Directory should point at. Also, do self-signed certs work with privacyIDEA?

Hi Marius,

I have a setup like that running.
Put this in the part of the Apache config that you want to protect with MFA.

AuthName "Login"
AuthType form
AuthFormProvider wsgi
ErrorDocument 401 "/login/login.html"
Session On
SessionCryptoPassphrase your-very-secret-passphrase
SessionCookieName session path=/
SessionMaxAge 600
SessionExpiryUpdateInterval 10
WSGIAuthUserScript /usr/share/pyshared/privacyidea_apache.py
Require valid-user

Examples on form-login are in the apache documentation.

Then put privacyidea_apache.py in place, it comes from https://raw.githubusercontent.com/privacyidea/privacyidea/< version-number >/authmodules/apache2/privacyidea_apache.py.

Configure the privacyidea server location in /etc/privacyidea/apache.conf:

[DEFAULT]
redis = localhost
privacyidea = https://privacyideaserver.example.com/pi
sslverify = True

Or sslverify = False if you are not using valid certs. Don't forget to install redis and some other requirements: apt-get install redis-server python3-redis python3-passlib

Does this answer your question?

– Kees
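The round trip that WSGIAuthUserScript performs against /validate/check, as an added example written for this thread and not the privacyIDEA project's own privacyidea_apache.py: it reads the same /etc/privacyidea/apache.conf keys shown above (the sample config text is constructed from that post), posts the credentials with the standard library instead of requests, honours sslverify, and fails closed on any transport error.

```python
import configparser
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the [DEFAULT] section shown in the post above.
SAMPLE_CONF = """[DEFAULT]
redis = localhost
privacyidea = https://privacyideaserver.example.com/pi
sslverify = True
"""

def parse_config_text(text):
    """Parse the [DEFAULT] section of /etc/privacyidea/apache.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    d = cp["DEFAULT"]
    return {"privacyidea": d.get("privacyidea", "").rstrip("/"),
            "sslverify": d.getboolean("sslverify", fallback=True)}

def parse_validate_response(body):
    """/validate/check answers JSON like {"result": {"status": true, "value": true}}.
    Anything other than status AND value both true is a failed login."""
    try:
        result = json.loads(body).get("result", {})
        return result.get("status") is True and result.get("value") is True
    except (ValueError, AttributeError):
        return False

def check_password(user, password, cfg, timeout=5):
    """POST user/pass to /validate/check; True only on a positive result."""
    ctx = ssl.create_default_context()
    if not cfg["sslverify"]:
        # Only disables certificate checking; it cannot help when the URL says
        # https but the server speaks plain HTTP (SSL: WRONG_VERSION_NUMBER).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    req = urllib.request.Request(cfg["privacyidea"] + "/validate/check",
                                 data=data, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return parse_validate_response(resp.read())
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return False  # fail closed: a transport error never grants access
```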

Hello, Kees!

Thank you for your answer.

So, I have added the lines to my apache.conf and now when I access my webmail URL it prompts me with a new login pop-up, but after I enter some credentials it returns an internal server error.

The privacyIDEA console returns an HTTPStatus.Bad_request and my Apache error.log returns the following traceback:

Traceback (most recent call last):
  File "/usr/share/pyshared/privacyidea_apache.py", line 71, in check_password
    response = requests.post(PRIVACYIDEA + "/validate/check", data=data,
  File "/opt/privacyidea/lib/python3.9/site-packages/requests/api.py", line 117, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/privacyidea/lib/python3.9/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/privacyidea/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/privacyidea/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/opt/privacyidea/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=5000): Max retries exceeded with url: /validate/check (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123)')))

I get that this may be an SSL error, but I do not know exactly where to look. I have set sslverify to False, to get around the fact that my certs are self-signed, not issued by a globally trusted CA.

I pasted this into Google and found a few refs to a bug in urllib3.
This is one returned result: python 3.x - SSL: WRONG_VERSION_NUMBER - Stack Overflow

I have tried that already, with no success. I think I will try setting up PI on a clean server again.