PrivacyIDEA - BasicAuth


Tilmann
Sep 12, 2016, 4:08:06 PM
to privacyidea

PrivacyIDEA - Install BasicAuth

Hi,

I am trying to activate Basic Authentication for SSO purposes for the WebUI. If I change the AuthType in the Apache config file "privacyidea.conf" to basic, the login dialog appears but the authentication fails. In the Apache error log I receive the following message.

/var/log/httpd/error_log:

[Mon Sep 12 21:11:34.936915 2016] [:error] [pid 1483] [client 172.16.16.16:63124] mod_wsgi (pid=1483): Exception occurred processing WSGI script '/opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py'.
[Mon Sep 12 21:11:34.936989 2016] [:error] [pid 1483] [client 172.16.16.16:63124] Traceback (most recent call last):
[Mon Sep 12 21:11:34.937046 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py", line 66, in check_password
[Mon Sep 12 21:11:34.937129 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     value = rd.get(key)
[Mon Sep 12 21:11:34.937146 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/client.py", line 863, in get
[Mon Sep 12 21:11:34.937698 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     return self.execute_command('GET', name)
[Mon Sep 12 21:11:34.937725 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/client.py", line 570, in execute_command
[Mon Sep 12 21:11:34.937745 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     connection.send_command(*args)
[Mon Sep 12 21:11:34.937757 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 556, in send_command
[Mon Sep 12 21:11:34.937958 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     self.send_packed_command(self.pack_command(*args))
[Mon Sep 12 21:11:34.938001 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 532, in send_packed_command
[Mon Sep 12 21:11:34.938041 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     self.connect()
[Mon Sep 12 21:11:34.938052 2016] [:error] [pid 1483] [client 172.16.16.16:63124]   File "/opt/privacyIDEA/lib/python2.7/site-packages/redis/connection.py", line 436, in connect
[Mon Sep 12 21:11:34.938065 2016] [:error] [pid 1483] [client 172.16.16.16:63124]     raise ConnectionError(self._error_message(e))
[Mon Sep 12 21:11:34.938081 2016] [:error] [pid 1483] [client 172.16.16.16:63124] ConnectionError: Error 111 connecting to localhost:6379. Connection refused.


/etc/httpd/conf.d/privacyidea.conf:

TraceEnable off
ServerSignature Off
ServerTokens Prod
WSGIPythonHome /opt/privacyIDEA
WSGISocketPrefix /var/run/wsgi

<VirtualHost _default_:80>
    ServerAdmin sup...@xxx.xy
    ServerName Servername1
    RewriteEngine On
    RewriteCond %{HTTPS} !=On
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>
    ServerAdmin support@xxx.xy
    ServerName Servername
    DocumentRoot /var/www

    <Directory />
        # For Apache 2.4 you need to set this:
        # Require all granted
        Options FollowSymLinks
        AllowOverride None

        SSLRequireSSL
        AuthType Basic
        AuthName "OTP WebUi Login"
        AuthBasicProvider wsgi
        WSGIAuthUserScript /opt/privacyIDEA/lib/python2.7/site-packages/authmodules/apache2/privacyidea_apache.py
        require valid-user
    </Directory>

    <Location /validate/check>
        Require all granted
        Options FollowSymLinks
        AllowOverride None
    </Location>

    <Location /ttype>
        Require all granted
        Options FollowSymLinks
        AllowOverride None
    </Location>

    # The daemon is running as user 'privacyidea'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea python-path=/etc/privacyidea:/opt/privacyIDEA/lib/python2.7/site-packages processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIPassAuthorization On
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLCertificateFile /etc/pki/tls/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privacyideaserver.key
</VirtualHost>


Software Versions:
PrivacyIDEA 2.14
centos-release-7-2.1511.el7.centos.2.10.x86_64
Python 2.7.5
Apache/2.4.6 (CentOS)

Could you please tell me what is wrong?

Thanks in advance!

Tilmann
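As an added illustration (not the project's own privacyidea_apache.py), this is the pattern the traceback above exposes: a mod_wsgi-style auth check that consults a Redis-like cache and otherwise calls /validate/check, written so that a refused Redis connection degrades to an uncached check instead of an exception that fails every login. The validate and cache parameters, DownCache and fake_validate are constructed stand-ins so it runs offline.

```python
import hashlib
import hmac

# Added illustration of a mod_wsgi WSGIAuthUserScript-style check; it is NOT
# the privacyIDEA project's privacyidea_apache.py, but mirrors the pattern the
# traceback shows: consult a Redis-like cache, otherwise ask /validate/check.
# Assumed: validate(user, password) returns the parsed JSON of POST
# /validate/check, e.g. {"result": {"status": true, "value": true}}; cache
# offers get()/setex() like redis-py. Both are injected so this runs offline.

CACHE_TTL = 300                   # seconds a successful result is reused
CACHE_SALT = b"constructed-salt"  # constructed; use a per-host secret in practice

def cache_key(user, password):
    """Cache a keyed hash of the credentials, never the plaintext pair."""
    msg = ("%s\x00%s" % (user, password)).encode("utf-8")
    return "privacyidea_auth:" + hmac.new(CACHE_SALT, msg, hashlib.sha256).hexdigest()

def check_password(user, password, validate, cache=None):
    """True if a fresh cache hit or privacyIDEA accepts the credentials.
    An unreachable cache is skipped instead of letting its exception escape:
    in the thread above, 'Error 111 connecting to localhost:6379' propagated
    out of check_password and turned every login into a failure.
    """
    key = cache_key(user, password)
    if cache is not None:
        try:
            if cache.get(key) is not None:
                return True
        except Exception:         # e.g. redis ConnectionError
            cache = None
    result = validate(user, password).get("result", {})
    ok = bool(result.get("status")) and result.get("value") is True
    if ok and cache is not None:
        try:
            cache.setex(key, CACHE_TTL, "1")
        except Exception:
            pass                  # caching is an optimisation, not a requirement
    return ok

class DownCache(object):
    """Stand-in for a Redis that refuses connections, as in the traceback."""
    def get(self, *args):
        raise ConnectionError("Error 111 connecting to localhost:6379")
    setex = get

def fake_validate(user, password):
    """Constructed stand-in for /validate/check; only one pair is accepted."""
    ok = (user, password) == ("tilmann", "test1234567")
    return {"result": {"status": True, "value": ok}}
```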


Cornelius Kölbel
Sep 14, 2016, 7:46:46 AM
to priva...@googlegroups.com
Hi Tilmann,

you need to define a policy, so that privacyIDEA in fact will use the
basic authentication header.
Did you define the policy in the scope webui?

Kind regards
Cornelius
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Tilmann
Sep 15, 2016, 7:01:03 AM
to privacyidea
Hi,

Yes, I defined the following policy in the scope WebUI:

{ "default_tokentype": "totp", "remote_user": "allowed", "tokenwizard": true }

Is that right? Is it necessary to set a filter to realm, user-resolver or something else?

Regards, Tilmann

cornelius.koelbel
Sep 15, 2016, 7:35:49 AM
to privacyidea
No realm filter necessary.
This should be OK.
Turn on debug and look into the log.
You could also debug through the program.

Kind regards
Cornelius


Cornelius Kölbel 
+49 151 2960 1417


Tilmann
Sep 19, 2016, 5:37:58 AM
to privacyidea
Okay, thank you!
I will check this.  

Regards, Tilmann

Tilmann
Nov 18, 2016, 3:21:57 AM
to privacyidea
Hi Cornelius,

I have another question about this topic. The basic webserver authentication works now if I enter the OTP PIN in the password field. But for single sign-on purposes I need to use the password from the userstore (Active Directory). How can I address this?

The script "privacyidea_apache.py" uses the "/validate/check" function. Is there another function that I must use?

I cannot find anything about this in your documentation.

Thanks in advance!
Regards, Tilmann

Cornelius Kölbel
Nov 24, 2016, 3:32:50 PM
to privacyidea
policy:
otppin=userstore?

Cornelius Kölbel
Nov 25, 2016, 1:11:46 AM
to privacyidea
What were your search words, when searching the documentation?

/validate/check always tries to authenticate the user with one of his tokens and as defined in the authentication policies.


If you have any detailed/concrete recommendation how to improve the docs, please tell me. Thanks a lot!