Getting started guides for PrivacyIDEA

[Nicke]

One problem with PrivacyIDEA is that it exist no howto's how to get started. Installing guides exist and works flawless but then you are stuck.

Please create some "how to" or "getting started" guides.

These should include something like creating your first token, testing login and maybe getting one webservice (or something) to authenticate against PrivacyIDEA.

[Cornelius Kölbel]

Hello Nicke,

thanks a lot for the feedback.

Where did you read the installation?
And where would you expect the gettingStarted?

There are some howtos at howtoforge.com, which explain how to enroll a token, how to setup a certain authentication.

But it might be, that haveing such a getting started chapter in the documentation is a good idea.
Did you start reading at readthedocs - or where did you start?

Kind regards
Cornelius

--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/c593c025-15ec-4e69-ab82-0335556f1691%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

[Nicke]

I followed the installation guide found in the official documentation, http://privacyidea.readthedocs.org/en/latest/installation/index.html. I used the ubuntu package way with apache as webserver.

Then looking in the documendation there is no red line how to continue and getting started. Searching on the web gives me a few options but they seems to not be up to date. A few requires freeradius but that is not something for a getting started guide in my option. The best I have found so far is https://www.privacyidea.org/documentation/howtos/manage-two-factor-authentication-in-your-serverfarm-easily/ but in one of the last steps is suggest to try login at https://your-server/auth/index but this URL does not exist. Making it hard to test..

I do believe it should exist a simple getting started guide in the official documendation that is kept updated as PrivacyIDEA is updated.

[Cornelius Kölbel]

Hello Nicke,

ok. I will add this or adapt the documentation accordingly.

Thanks a lot for this really valuable feedback!
I added a issue on github - if you want to comment on it
https://github.com/privacyidea/privacyidea/issues/143

You can test the token in the token details view.

Kind regards
Cornelius

--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/3571d941-66ef-41d4-9442-f05925452629%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Nicke]

Great to see that a getting started guide can become reality that will (probably) follow current version of PrivacyIDEA that howto's around the Internet do not.

Ticket 143 seems right, nothing to add.

[Cornelius Kölbel]

Hi Nicke,

what about that?

    http://privacyidea.readthedocs.org/en/latest/

see "First steps"...

Kind regards
Cornelius

Am 19.05.2015 um 11:44 schrieb Nicke:

Great to see that a getting started guide can become reality that will (probably) follow current version of PrivacyIDEA that howto's around the Internet do not.

Ticket 143 seems right, nothing to add.

--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/c6f5b7af-5315-4541-ba78-856ddadaec7f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Nicke]

Hello

I have read your first step guide and I like it. Here are my comments.

3.1. Login to the Web UI

privacyIDEA has one login form for users to login and for administrators to login.

I do not get that sentence. Does it exist two login pages or one that both uses?

3.2. Creating your first realm

After installing ubuntu packages, useridresolver and realm is asked to be created for you. So this instructions maybe does not always apply. Create a note about that?

3.3. Enrolling your first token

The problem here is not the guide but how fast the user needs to be. 

After the admin has enrolled a new token google authenticator should be used. The admin has 30 seconds (!) to get up his phone, start google authenticating app (maybe new to the admin) and scan the code.

Either increase the timeout or make instruction how to access the QRcode again if admin has been logged out.

After all is done, applications plugins is suggested to be used which is great. I would like to see here instructions how to get apache2 and/or nginx to authenticate against privacyidea. That will probably be used by many and will secure the web in a wider easier way.

[Cornelius Kölbel]

Hello Nicke,

thanks a lot for your feedback.

Am Mittwoch, den 03.06.2015, 06:18 -0700 schrieb Nicke:
> Hello
> I have read your first step guide and I like it. Here are my comments.
>
>
> 3.1. Login to the Web UI
> privacyIDEA has one login form for users to login and for
> administrators to login.
> I do not get that sentence. Does it exist two login pages or one that
> both uses?

one that both uses.
"privacyIDEA has only one login form that is used by administrators and
normal users to login."

>
>
> 3.2. Creating your first realm
> After installing ubuntu packages, useridresolver and realm is asked to
> be created for you. So this instructions maybe does not always apply.
> Create a note about that?

In this case I do not get your point?

>
>
> 3.3. Enrolling your first token
> The problem here is not the guide but how fast the user needs to be.
> After the admin has enrolled a new token google authenticator should
> be used. The admin has 30 seconds (!) to get up his phone, start
> google authenticating app (maybe new to the admin) and scan the code.
> Either increase the timeout or make instruction how to access the
> QRcode again if admin has been logged out.

So how long does it take you?
What would you suggest?
Honestly I do not want to be the default to be too long. Since only a
few people log out intentionally.
I do not like it to be 5 minutes.
And I even do not know, if I would like it to be two minutes.

>
>
> After all is done, applications plugins is suggested to be used which
> is great. I would like to see here instructions how to get apache2
> and/or nginx to authenticate against privacyidea. That will probably
> be used by many and will secure the web in a wider easier way.

Thanks. I think there should be a smoother transit to the application
section.
So you want to see a setup for basic authentication with a webserver?
But you know, that in this case the OTP user is not bound to the
application user! I.e. you can take your janitors OTP token and do basic
authentication and login with the admins credentials to the
application...

What Web applications are you thinking of?

Kind regards
Cornelius

>
>
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/privacyidea/ad424120-f9e6-4da7-9301-ef4968de1326%40googlegroups.com.

[Cornelius Kölbel]

Hi Nicke,

I added some of your comments and are online, now.

https://privacyidea.readthedocs.org/en/latest/firststeps/index.html

Kind regards
Cornelius

[Nicke]

3.2. Creating your first realm, yeah, you created a note there, perfect!

About the timeout. Well, at least 1 minute. I do not understand how this short timeout you have will increase security. If the admins computer is not safe.. eeh.. well, your timeout will not help the security in my opinion.

To get out my google authenticator and scanning the qrcode took about 45 seconds. Then (not me) new users will reflect and see these cool numbers for 30 seconds more, maybe read some more "first steps" documentation.. You timeout has already happen... irritating.

About webapp. Well, am thinking about apache2 basic authentication here. You can show how authentication and authorization can be done in a easy way with PrivacyIDEA. That will help people (me) getting started with good security. Then maybe it will be applied into a webapp (wordpress etc..) but that is up to the community to write based on your great (?) API :)

Just some opinions.

Thanks for the first steps guide!

[Cornelius Kölbel]

Hi Nicke,

refreshing to read from you. ;-)

OK, will increase the default timeout (which is called "logout_time") to
120s.

The point is, I really do not like the basic authentication thing, since
it is... evil. Basic authentication sends the credentials with every
request. So the auth module needs to cache the OTP value, otherwise the
next auth would not work out. Caching the authenticated state of the
user and remembering the credentials that were leading to this state.
I.e. the apache module needs some persistant data storage like
memcached... :-/
Some years ago I hacked this in C for the predecessor product and I did
not like it. It was copied from mod-auth-radius.
And it looks like, that this authentication module is gone. I have not
packed it with privacyIDEA.
Maybe today I would go with mod_python like this:
http://modpython.org/live/mod_python-3.2.8/doc-html/tut-more-complicated.html
But you still have to cache the logged in state of the user in the
apache module...

So in my opinion to get the quickest success story would be to use PAM
on the local system and issue the command "login" as root and test
authentication while in the system.

Kind regards
Cornelius

> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/privacyidea/5c699f1f-c6ff-4043-b0c7-3398868f8ef5%40googlegroups.com.

[Cornelius Kölbel]

Ok, inspiring.

I just pushed the implementation for Apache Basic Authentication with
OTP.

https://github.com/privacyidea/privacyidea/commit/47e59e79385789c8efe70065b0d97dd3328b5c27

This implementation uses redis to cache the login.

When the tests run successfully I will push this to the development
repository at ppa:privacyidea/privacyidea-dev.

So if you like to, you are welcome to take a look at it:

add-apt-repository ppa:privacyidea/privacyidea-dev
apt-get update
apt-get install privacyidea-apache-client

Read
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#apache2


Kind regards
Cornelius

Am Mittwoch, den 03.06.2015, 13:08 -0700 schrieb Nicke:

> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/privacyidea/5c699f1f-c6ff-4043-b0c7-3398868f8ef5%40googlegroups.com.

[Nicke]

I just want to say that it is awesome to have a apache2 module. I will absolutely try it out on Tuesday or Wednesday the coming week.

I will report back.

[Cornelius Kölbel]

Hi Nicke,

thanks!

Just drop me a note if you have any questions, which will help to
improve the docs.

Kind regards
Cornelius

> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/privacyidea/c7a85357-88ff-4046-b96f-f8408de3f6ef%40googlegroups.com.

[Nicke]

For me to be able to test this it would be good if privacyidea-apache-client exist in the dev repository on launchpad.

add-apt-repository ppa:privacyidea/privacyidea-dev 
apt-get update 
apt-get install privacyidea-apache-client

.. does not work on Ubuntu 14.04 because privacyidea-apache-client is missing.

[Cornelius Kölbel]

Hi Nicke,

it does.
Did you run an apt-get update?

Kind regards
Cornelius

> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/privacyidea/ac3b3d13-3fed-4d19-98f8-cd038d5d4ceb%40googlegroups.com.

[Nicke]

You are right, it does work now. I do not know what I did wrong last time I tried.

The file /etc/privacyidea/apache.conf contains " on redis and privacyidea value. In apache error file it complains (error) about this so I had to remove it.

Anway, I still can not get this to work, I get

 mod_wsgi (pid=4105): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'.
 Traceback (most recent call last):
   File "/usr/share/pyshared/privacyidea_apache.py", line 81, in check_password
     if json_response.get("result", {}).get("value"):
 AttributeError: 'function' object has no attribute 'get'
 mod_wsgi (pid=4105): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'., referer: https://subdomain.example.com/
 Traceback (most recent call last):, referer: https://subdomain.example.com/
   File "/usr/share/pyshared/privacyidea_apache.py", line 81, in check_password, referer: https://subdomain.example.com/
     if json_response.get("result", {}).get("value"):, referer: https://subdomain.example.com/
 AttributeError: 'function' object has no attribute 'get', referer: https://subdomain.example.com/

[Cornelius Kölbel]

Hi Nicke,

1.) what did you remove? I did not get it in the formatting.

2.) How does your /etc/privacyidea/apache.conf looks like, now?

3.) Does you /var/log/syslog contain

"request > 1.0"

or

"request < 1.0"


Kind regards
Cornelius

> https://groups.google.com/d/msgid/privacyidea/55416469-bde4-4e6f-bbbc-8462b4e1da1b%40googlegroups.com.

[Nicke]

Hi

1)

Before it was

[DEFAULT]
redis = "localhost"
privacyidea = "https://auth.example.com"
sslverify = False

But that created exceptions so I changed that to

[DEFAULT]
redis = localhost
privacyidea = https://auth.example.com
sslverify = False

2)
Se above

3)

It contains 

mod_wsgi: requests < 1.0

[Nicke]

Here is one example of error when having redis = "localhost" in the config file,

 mod_wsgi (pid=4105): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'.
 Traceback (most recent call last):

   File "/usr/share/pyshared/privacyidea_apache.py", line 60, in check_password
     value = rd.get(username)
   File "/usr/lib/python2.7/dist-packages/redis/client.py", line 551, in get
     return self.execute_command('GET', name)
   File "/usr/lib/python2.7/dist-packages/redis/client.py", line 364, in execute_command
     connection.send_command(*args)
   File "/usr/lib/python2.7/dist-packages/redis/connection.py", line 301, in send_command
     self.send_packed_command(self.pack_command(*args))
   File "/usr/lib/python2.7/dist-packages/redis/connection.py", line 283, in send_packed_command
     self.connect()
   File "/usr/lib/python2.7/dist-packages/redis/connection.py", line 231, in connect
     raise ConnectionError(self._error_message(e))
 ConnectionError: Error -2 connecting "localhost":6379. Name or service not known.

root@files:/etc/redis# netstat -lptnu | grep 6379
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      4052/redis-server 1

[Cornelius Kölbel]

Hi,

I am sorry. On what system are you running?
(I would like to try running request 2.x)

Probably there is an exception where it should not be.
Could you please use the attached file, restart apache and take a look
at the syslog again.

Thx and kind regards
Cornelius

> https://groups.google.com/d/msgid/privacyidea/bfc540e9-7e7a-4524-ace6-f207dab1730a%40googlegroups.com.

[Nicke]

Am running Ubuntu 14.04.2 on the client machine having privacyidea-apache-client installed, this is called "subdomain.example.com".

Authentication server is another host running the same system. This machine is called "auth.example.com".

Here is the only output with your new file,

[Wed Jun 10 12:12:19.064834 2015] [:error] [pid 4728:tid 139652069586688] (13)Permission denied: [client 2a02:xxx:0:10:cccc:97fc:6f52:b703:36240] mod_wsgi (pid=4728, process='', application=''): Call to fopen() failed for '/usr/share/pyshared/privacyidea_apache.py'.
[Wed Jun 10 12:12:19.250990 2015] [:error] [pid 4728:tid 139652052801280] (13)Permission denied: [client 2a02:xxx:0:10:cccc:97fc:6f52:b703:36241] mod_wsgi (pid=4728, process='', application=''): Call to fopen() failed for '/usr/share/pyshared/privacyidea_apache.py'., referer: https://subdomain.example.com/

[Cornelius Kölbel]

Hi,

please check the access right of
/usr/share/pyshared/privacyidea_apache.py

The apache user should be able to read it.
Should be 644.

Kind regards
Cornelius

> https://groups.google.com/d/msgid/privacyidea/140accd8-8d81-4840-a2b0-dad6e4639ccd%40googlegroups.com.

[Nicke]

Yeah, you are right, access right errors. Am a little tired so did not pay attention enough.

So here is the output now,

Jun 10 12:57:50 files mod_wsgi: Reading configuration https://auth.example.com, localhost, False
Jun 10 12:57:50 files mod_wsgi: Authentication with https://auth.example.com, localhost, False
Jun 10 12:57:50 files mod_wsgi: requests < 1.0
Jun 10 12:57:50 files mod_wsgi: Traceback (most recent call last):#012  File "/usr/share/pyshared/privacyidea_apache.py", line 75, in check_password#012    json_response = response.json()#012  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 741, in json#012    return json.loads(self.text, **kwargs)#012  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads#012    return _default_decoder.decode(s)#012  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode#012    obj, end = self.raw_decode(s, idx=_w(s, 0).end())#012  File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode#012    raise ValueError("No JSON object could be decoded")#012ValueError: No JSON object could be decoded

When having privacyidea = "https://auth.example.com" in /etc/privacyidea/apache.conf

 mod_wsgi (pid=4865): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'.

 Traceback (most recent call last):

   File "/usr/share/pyshared/privacyidea_apache.py", line 72, in check_password
     verify=SSLVERIFY)
   File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
     return request('post', url, data=data, **kwargs)
   File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
     return session.request(method=method, url=url, **kwargs)
   File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
     resp = self.send(prep, **send_kwargs)
   File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 553, in send
     adapter = self.get_adapter(url=request.url)
   File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 598, in get_adapter
     raise InvalidSchema("No connection adapters were found for '%s'" % url)
 InvalidSchema: No connection adapters were found for '"https://auth.example.com"/validate/check'


 mod_wsgi (pid=4865): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'., referer: https://subdomain.example.com/

 Traceback (most recent call last):, referer: https://subdomain.example.com/

   File "/usr/share/pyshared/privacyidea_apache.py", line 72, in check_password, referer: https://subdomain.example.com/
     verify=SSLVERIFY), referer: https://subdomain.example.com/
   File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post, referer: https://subdomain.example.com/
     return request('post', url, data=data, **kwargs), referer: https://subdomain.example.com/
   File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request, referer: https://subdomain.example.com/
     return session.request(method=method, url=url, **kwargs), referer: https://subdomain.example.com/
   File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request, referer: https://subdomain.example.com/
     resp = self.send(prep, **send_kwargs), referer: https://subdomain.example.com/
   File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 553, in send, referer: https://subdomain.example.com/
     adapter = self.get_adapter(url=request.url), referer: https://subdomain.example.com/
   File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 598, in get_adapter, referer: https://subdomain.example.com/
     raise InvalidSchema("No connection adapters were found for '%s'" % url), referer: https://subdomain.example.com/
 InvalidSchema: No connection adapters were found for '"https://auth.example.com"/validate/check', referer: https://subdomain.example.com/

When having privacyidea = https://auth.example.com in /etc/privacyidea/apache.conf

 mod_wsgi (pid=4865): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'.

 Traceback (most recent call last):

   File "/usr/share/pyshared/privacyidea_apache.py", line 83, in check_password
     if json_response.get("result", {}).get("value"):

 AttributeError: 'function' object has no attribute 'get'

 mod_wsgi (pid=4865): Exception occurred processing WSGI script '/usr/share/pyshared/privacyidea_apache.py'., referer: https://subdomain.example.com/

 Traceback (most recent call last):, referer: https://subdomain.example.com/

   File "/usr/share/pyshared/privacyidea_apache.py", line 83, in check_password, referer: https://subdomain.example.com/

     if json_response.get("result", {}).get("value"):, referer: https://subdomain.example.com/
 AttributeError: 'function' object has no attribute 'get', referer: https://subdomain.example.com/

[Cornelius Kölbel]

Hi Nicke,

no. You indeed need no quotes.

The interesting line is

ValueError("No JSON object could be decoded")

I.e. the url you requested, did not respond as expected.

Can you see this /validate/check request in the Audit log in the web UI?
What does it say there?

Kind regards
Cornelius

> https://groups.google.com/d/msgid/privacyidea/fd2dc6ce-260c-4214-8ab2-6f58c3532b8d%40googlegroups.com.

[Nicke]

Hi

Now when I have slept for a while I look with new eyes on the problem and see directly that am doing it wrong. My privacyidea host is not auth.example.com but aaa.example.com. So embarrassing.

Your basic auth client works great.

The only thing I believe you can improve is the error message for the next m****n that tries to authenticate against wrong URL.

Truly sorry for taking up your time. 

[Cornelius Kölbel]

:o)

Great!

Well, but you are totally right. This is a very important  thing to improve the error message. In this case thank you very much for this experience and the input.

Will be taken care of! ;-)

Kind regards
Cornelius

To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/7a0acb0e-1762-44de-8184-78188c50e6db%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.