Debian + Error during installation


Stefan Steuer

Feb 17, 2015, 11:52:22 AM
to priva...@googlegroups.com
Hi,
I tried to install privacyidea on our debian server, but I get the following error:

(privacyidea)root@mfaotrs:/etc/apache2/sites-available# cp etc/apache2/sites-available/privacyidea /etc/apache2/sites-available/
cp: Aufruf von stat für „etc/apache2/sites-available/privacyidea“ nicht möglich: Datei oder Verzeichnis nicht gefunden



So there are no other sub-folders in "sites-available" :(


Cornelius Kölbel

Feb 17, 2015, 11:56:33 AM
to priva...@googlegroups.com
This howto refers to privacyidea 1.5.

2.0 was a total rewrite. The apache-configs etc. are not contained in the python package at the moment.

Kind regards
Cornelius
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/d608c097-e1a8-4f9a-8d4a-06532156e79e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Stefan Steuer

Feb 17, 2015, 12:13:24 PM
to priva...@googlegroups.com
Hi Cornelius,
you're very fast ;)

I tried to install the 1.5.

Are there any debian packages for 2.0 available?

Stefan Steuer

Feb 17, 2015, 12:23:47 PM
to priva...@googlegroups.com
btw - is it possible to auth. against username, password and the pin code out of the google auth. ?

Cornelius Kölbel

Feb 17, 2015, 12:34:37 PM
to priva...@googlegroups.com
I am planning to build packages for wheezy.
If you tell me, you are running wheezy, I will take a look into it and re-prioritize it ;-)

Yes you can authenticate against the password from your userstore and the OTP value from GoogleAuth.
You need to define a policy, which looks like this in v2:



Kind regards
Cornelius

Stefan Steuer

Feb 17, 2015, 1:00:41 PM
to priva...@googlegroups.com
Oh great :)
My otrs-instance is running on:

Description:    Debian GNU/Linux 7.8 (wheezy)
Release:        7.8


When yes or no ;-) how is the process for the user?

- Open the otrs url
- type in the username and password (LDAP) and submit
- a barcode will be displayed
- scan the barcode/qr with google auth.
- type in the onetime-token
- login successful

Cornelius Kölbel

Feb 17, 2015, 1:19:17 PM
to priva...@googlegroups.com
:-)

The OTRS Module is the same for 2.0 like for 1.5. Nothing has changed.
https://github.com/privacyidea/privacyidea/tree/master/authmodules/OTRS

The user sees the same login mask, but in the password field he needs to enter
OTRS-static-Password (coming from the OTRS SQL userstore or from the LDAP userstore) concatenated with the OTP value.

The enrollment for the user is another topic.
You could have the user enter the selfservice portal to self-enroll a google authenticator.
It is similar to the administrative enrollment.
See: https://www.youtube.com/watch?v=Cwzz5PCjHQI&t=3m20s

You could as well - depending on the IT affinity of your users - enroll the device for the users yourself.
You might also use any hardware devices or - which I like a lot - the yubikey.

Kind regards
Cornelius

Stefan Steuer

Feb 17, 2015, 1:27:47 PM
to priva...@googlegroups.com
Does the user have to scan another QR code on each login, or is it time based?

Cornelius Kölbel

Feb 17, 2015, 1:33:54 PM
to priva...@googlegroups.com
The QR Code contains the secret key (unencrypted!!!) that is shared
between the server and the smartphone.
The user only needs to scan once during enrollment.
After that, the smartphone generates the OTP value on its own, i.e. on a
button press.
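
The two mechanisms Cornelius describes in this thread (the static password concatenated with the OTP value, and the QR code carrying the shared secret in clear text) can be seen in the Python sketch below. It is an added example, not privacyIDEA or OTRS code; the sample URI, the `check_static` callback and the rule of splitting off the last N digits are assumptions for illustration, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed enrollment URI: the text a Google Authenticator QR code encodes.
# The base32 secret is the RFC 6238 test key "12345678901234567890", not a real one.
SAMPLE_URI = ("otpauth://totp/privacyIDEA:stefan"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=privacyIDEA&digits=6&period=30")


def parse_otpauth(uri):
    """Return the token parameters an otpauth:// URI carries in clear text."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = query["secret"].replace(" ", "").upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore stripped base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, N digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, period=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, int(unix_time) // period, digits)


def check_password_plus_otp(field, check_static, token, unix_time, window=1):
    """Split one login field into static password + trailing OTP and verify both.

    check_static is a hypothetical callback standing in for the userstore
    (LDAP or SQL) check; window is the number of time steps of clock drift
    tolerated on either side.
    """
    digits = token["digits"]
    static, otp = field[:-digits], field[-digits:]
    if len(otp) != digits or not (otp.isascii() and otp.isdigit()):
        return False
    static_ok = bool(check_static(static))
    counter = int(unix_time) // token["period"]
    otp_ok = False
    for step in range(-window, window + 1):
        if counter + step < 0:
            continue
        candidate = hotp(token["key"], counter + step, digits)
        # Constant-time comparison; keep looping so timing does not
        # reveal which step matched.
        otp_ok |= hmac.compare_digest(candidate, otp)
    return static_ok and otp_ok


if __name__ == "__main__":
    token = parse_otpauth(SAMPLE_URI)
    now = 59  # fixed timestamp from the RFC 6238 test vectors
    print("secret recovered from URI:", token["key"])
    print("code at t=59:", totp(token["key"], now))
    ok = check_password_plus_otp("ldap-pass" + totp(token["key"], now),
                                 lambda p: hmac.compare_digest(p, "ldap-pass"),
                                 token, now)
    print("login accepted:", ok)
```

Whoever can read the QR code or the URI behind it can compute the same codes as the enrolled phone, so the enrollment page needs transport and access protection comparable to the password store.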

Stefan Steuer

Feb 17, 2015, 1:39:56 PM
to priva...@googlegroups.com
Okay.

I'm curious for the new version :-)

Stefan Steuer

Feb 19, 2015, 12:45:01 PM
to priva...@googlegroups.com
Hi Cornelius,
is the v1.5 still available for debian? :)

Cornelius Kölbel

Feb 19, 2015, 12:54:59 PM
to priva...@googlegroups.com
Hi Stefan,
you can run privacyidea in a virtualenv on debian.

To install privacyidea 1.5 in a virtualenv you can specify the version.

    pip install privacyidea==1.5.1

Looking at your original post, you simply were in the wrong directory to get the apache-config file.

In your virtualenv top level folder search at etc/apache2/sites-available/pidea...

This file you can copy to the apache folder.

I just finished the packages for ubuntu 14.04lts, which you can find here:
    https://launchpad.net/~privacyidea/+archive/ubuntu/privacyidea-dev?field.series_filter=trusty

Yesterday I spent a lot of time looking at debian wheezy. Problem is, that maaaaany python modules are not packed for debian.
So I started to pack. I ended up with about 13 new packages and came to a point, where I also had to repack existing modules, since the existing modules in wheezy are soooooo old.
So at the moment I think I would create a debian package for wheezy that just contains a complete running virtualenv.
I.e. the 60MB deb-file would hold all its software in a directory /opt/privacyidea.
I would create a second package that can be installed to run privacyidea with apache and another package to run PI with nginx. (I already did so on ubuntu)

Then everyone can choose to
a) only install the base package and roll PI as he wishes to
b) easily roll privacyIDEA with apache
c) easily roll privacyIDEA with nginx...

There is no sense in providing my own 15 packages replacing older versions and install them to the main system which might lead to version problems and breaking other software.
What do you think?

Kind regards
Cornelius

Stefan Steuer

Feb 21, 2015, 4:50:12 AM
to priva...@googlegroups.com
Dear Cornelius,
that sounds very good - so everyone can choose the own way to install pi :)

For myself I'll use a) - because I've apache and mysql already installed 

Cornelius Kölbel

Feb 21, 2015, 5:18:22 PM
to priva...@googlegroups.com
Hi Stefan,

you may find a first shot of a wheezy package here:
https://www.privacyidea.org/wp-content/uploads/2015/privacyidea-venv_2.1~dev0_amd64.deb

I added a first quickly hacked howto:
http://privacyidea.readthedocs.org/en/latest/installation/index.html#debian-packages

I'd like to have an additional meta package, that at least installs the necessary config files and creates the available-sites/privacyidea.conf.
If you are willing to take a look at this prebeta package I am happy about any feedback.

Kind regards
Cornelius

Stefan Steuer

Feb 22, 2015, 5:49:38 AM
to priva...@googlegroups.com
Hi,
you should add to the manual, that the user has to add the directory /var/log/privacyidea/ manually.

What is the url for the admin control panel after I installed the package successfully?

Cornelius Kölbel

Feb 22, 2015, 7:09:22 AM
to priva...@googlegroups.com
Hi Stefan,

it depends on how you configured the apache vhost.
The URL is determined by the WSGIScriptAlias in your config.
I.e. by default it is /, but you could set it to any other path.

Kind regards
Cornelius

Cornelius Kölbel

Feb 22, 2015, 7:11:33 AM
to priva...@googlegroups.com
Thanks, done.
Kind regards
Cornelius


On 22.02.2015 at 11:41, Stefan Steuer wrote:
Hi,
I received the following error-code while the command 

pi-manage.py createdb


(privacyidea-venv)root@mfaotrs:/# pi-manage.py createdb
The configuration name is: production
Additional configuration can be read from the file /etc/privacyidea/pi.cfg
Traceback (most recent call last):
  File "/opt/privacyidea/privacyidea-venv/bin/pi-manage.py", line 44, in <module>
    app = create_app(config_name='production')
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/app.py", line 109, in create_app
    maxBytes=10000000)
  File "/usr/lib/python2.7/logging/handlers.py", line 117, in __init__
    BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/handlers.py", line 64, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/__init__.py", line 901, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 924, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 2] No such file or directory: '/var/log/privacyidea/privacyidea.log'



Stefan Steuer

Feb 22, 2015, 7:25:27 AM
to priva...@googlegroups.com
oh you're right :)
So I enabled the site and tried to reload the apache2... failed.

apache2 errorlog:

[Sun Feb 22 11:47:51 2015] [error] [client ] File does not exist: /var/www/privacyidea
[Sun Feb 22 11:47:52 2015] [error] [client ] File does not exist: /var/www/favicon.ico
[Sun Feb 22 11:53:23 2015] [error] [client ] File does not exist: /var/www/privacyidea
[Sun Feb 22 11:53:27 2015] [error] [client ] File does not exist: /var/www/pi
[Sun Feb 22 11:54:40 2015] [error] [client ] File does not exist: /var/www/privacyidea-venv
[Sun Feb 22 13:14:15 2015] [error] [client ] File does not exist: /var/www/production

Stefan Steuer

Feb 22, 2015, 7:28:33 AM
to priva...@googlegroups.com
This is the correct error log

Syntax error on line 1 of /etc/apache2/sites-enabled/privacyidea.conf:
Invalid command 'WSGIPythonHome', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
 failed!



Line 1: 

WSGIPythonHome /opt/privacyidea/privacyidea-venv

Stefan Steuer

Feb 22, 2015, 7:33:20 AM
to priva...@googlegroups.com
so ok....
Last post ;)

You should add that the following mods have to be installed :)

sudo apt-get install libapache2-mod-wsgi
sudo a2enmod wsgi
a2enmod ssl

Stefan Steuer

Feb 22, 2015, 7:47:26 AM
to priva...@googlegroups.com
in the Privacyidea.conf you have the line with the Documentroot

     DocumentRoot /var/www

But there are no files - so the result is, when I try to open the website with the path which I defined in the WSGIScriptAlias I'll get the following error-code in the apache-log

Cornelius Kölbel

Feb 22, 2015, 8:11:09 AM
to priva...@googlegroups.com
Hi,

this is weird.
It should not bother about the DocumentRoot.
Which URL are you calling?

Kind regards
Cornelius

Cornelius Kölbel

Feb 22, 2015, 8:23:21 AM
to priva...@googlegroups.com
I just checked,

You must not use

"require all granted", since probably you are running apache 2.2

The other stuff should work, so we need to check your apache config.

Kind regards
Cornelius


Stefan Steuer

Feb 22, 2015, 8:34:02 AM
to priva...@googlegroups.com
This is my privacyidea.conf - site is enabled.


WSGIPythonHome /opt/privacyidea/privacyidea-venv/
<VirtualHost _default_:80>
     ServerAdmin webmaster@localhost
     # You might want to change this
    ServerName localhost

     DocumentRoot /var/www
     <Directory />
             # For Apache 2.4 you need to set this:
             # Require all granted
             Options FollowSymLinks
             AllowOverride None
     </Directory>

     # We can run several instances on different paths with different configurations
     WSGIScriptAlias /pi/      /etc/privacyidea/piapp.wsgi
     #
     # The daemon is running as user 'privacyidea'
     # This user should have access to the encKey database encryption file
     WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
     WSGIProcessGroup privacyidea
     WSGIPassAuthorization On

     ErrorLog /var/log/apache2/error.log

     LogLevel warn
     LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
     CustomLog /var/log/apache2/ssl_access.log privacyIDEA

     #   SSL Engine Switch:
     #   Enable/Disable SSL for this virtual host.
     SSLEngine off

     #   If both key and certificate are stored in the same file, only the
     #   SSLCertificateFile directive is needed.
#     SSLCertificateFile    /etc/ssl/certs/privacyideaserver.pem
#     SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

     <FilesMatch "\.(cgi|shtml|phtml|php)$">
             SSLOptions +StdEnvVars
     </FilesMatch>
     <Directory /usr/lib/cgi-bin>
             SSLOptions +StdEnvVars
     </Directory>
     BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

</VirtualHost>

Cornelius Kölbel

Feb 22, 2015, 8:42:54 AM
to priva...@googlegroups.com
You should specify

WSGIScriptAlias /pi   /etc...

(without a trailing slash - otherwise you need to call explicitly https://yourmachine/pi/)

But on top of this it looks like, that little error found its way back in, when specifying a path at the WSGIScriptAlias.

I need to look into it.

Kind regards
Cornelius

Stefan Steuer

Feb 22, 2015, 8:50:24 AM
to priva...@googlegroups.com
When you need an access to my test environment - I can send you the credentials via pn

Stefan Steuer

Feb 22, 2015, 9:17:58 AM
to priva...@googlegroups.com
So I created an ssl-certificate and activated SSL.

Now I'm able to see:

Stefan Steuer

Feb 22, 2015, 10:35:03 AM
to priva...@googlegroups.com
Issue solved!!! :)

WSGIScriptAlias /      /etc/privacyidea/piapp.wsgi


I can't define another scriptalias as the root directory... :) 

Stefan Steuer

Feb 22, 2015, 11:14:46 AM
to priva...@googlegroups.com
The last problem is that I'll get a blank page while opening the otrs-login screen.

Apache error log:
ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Sun Feb 22 17:10:33 2015
 Message: Can't load backend module Kernel::System::Auth::privacyIDEA!
 RemoteAddress: xxx
 RequestURI: /otrs/index.pl
 Traceback (5256):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31


Config.pm
 $Self->{'AuthModule'} = 'Kernel::System::Auth::privacyIDEA';
 $Self->{'AuthModule::privacyIDEA::URL'} = "http://localhost:5001/validate/simplecheck";

Cornelius Kölbel

Feb 22, 2015, 11:26:16 AM
to priva...@googlegroups.com
If you are running otrs on the same system, this will not work!

You need to change the scriptalias.
Nevertheless I found the problem and will send the link for a patched version - immediately...

Kind regards
Cornelius

Cornelius Kölbel

Feb 22, 2015, 11:35:57 AM
to priva...@googlegroups.com

Stefan Steuer

Feb 22, 2015, 12:03:30 PM
to priva...@googlegroups.com
any idea regarding the blank otrs login screen?

Cornelius Kölbel

Feb 22, 2015, 12:09:41 PM
to priva...@googlegroups.com
Obviously your apache configuration is interfering.

As mentioned, I assume, that you are running OTRS in the same Apache host?
    How does your apache config look like?

Then you need to run privacyIDEA with the wsgiscript alias. Otherwise the path /otrs/index.pl would be grabbed by the WSGI script.

Kind regards
Cornelius



On 22.02.2015 at 18:03, Stefan Steuer wrote:
any idea regarding the blank otrs login screen?

Stefan Steuer

Feb 22, 2015, 12:27:30 PM
to priva...@googlegroups.com
Yes - OTRS and privacyIDEA are on the same host.

apache.conf: default config.

privacyidea.conf as posted.

conf.d/otrs.conf

 # --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
 
 <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>
</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000

Cornelius Kölbel

Feb 22, 2015, 12:31:30 PM
to priva...@googlegroups.com
Obviously this is an Apache issue.

You are writing "conf.d/otrs.conf" but it looks like a "sites-available"?

If you want to run both applications on one port on one server you must only have one VirtualHost definition.
I.e. you need to have one link in

    /etc/apache2/sites-available/

listening on port 443 with ONE certificate.

In this VirtualHost definition you might have

    WSGIScriptAlias /pi  /pathto/wsgi/script
    ScriptAlias /otrs/ ....
    Alias /otrs-web/....

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 7:59:31 AM
to priva...@googlegroups.com
Hi Cornelius,
so I tried to extract the parameter but every time with the same result.

Blank page and the following apache error-code:

ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Mon Feb 23 12:55:48 2015

 Message: Can't load backend module Kernel::System::Auth::privacyIDEA!

 RemoteAddress: xxxxx
 RequestURI: /otrs/index.pl

 Traceback (4946):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

privacyidea.conf

WSGIPythonHome /opt/privacyidea/privacyidea-venv
<VirtualHost _default_:443>
     ServerAdmin webmaster@localhost
     # You might want to change this
     ServerName localhost

     DocumentRoot /var/www
     <Directory />
             # For Apache 2.4 you need to set this:
             # Require all granted
              Options FollowSymLinks
              AllowOverride None
     </Directory>

     # We can run several instances on different paths with different configurations
     WSGIScriptAlias /      /etc/privacyidea/piapp.wsgi
     #
     # The daemon is running as user 'privacyidea'
     # This user should have access to the encKey database encryption file
     WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
     WSGIProcessGroup privacyidea
     WSGIPassAuthorization On

     ErrorLog /var/log/apache2/error.log

     LogLevel warn
     LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
     CustomLog /var/log/apache2/ssl_access.log privacyIDEA

     #   SSL Engine Switch:
     #   Enable/Disable SSL for this virtual host.
     SSLEngine on

     #   If both key and certificate are stored in the same file, only the
     #   SSLCertificateFile directive is needed.
     SSLCertificateFile    /etc/ssl/certs/apache.pem
#     SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

     <FilesMatch "\.(cgi|shtml|phtml|php)$">
             SSLOptions +StdEnvVars
     </FilesMatch>
     <Directory /usr/lib/cgi-bin>
             SSLOptions +StdEnvVars
     </Directory>
     BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
</VirtualHost>



conf.d/otrs.conf
</Location>

Stefan Steuer

Feb 23, 2015, 8:00:21 AM
to priva...@googlegroups.com
sry wrong otrs.conf.

Cornelius Kölbel

Feb 23, 2015, 8:02:49 AM
to priva...@googlegroups.com
Hi Stefan,
I did not get the error. You said a white page?

Obviously your configuration did not use VirtualHosts before.

Just disable privacyidea-site and enable your old site.
How did your old site look like?

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 8:11:28 AM
to priva...@googlegroups.com
When I disable the site I'll get also a blank page.
But I found the issue...

/opt/otrs/Kernel/Config.pm
 $Self->{'AuthModule'} = 'Kernel::System::Auth::privacyIDEA';
 $Self->{'AuthModule::privacyIDEA::URL'} = "localhost:5001/validate/simplecheck";


When I insert these two lines into the Config.pm I'll get the blank page. When I delete them I'll get the login screen.



Cornelius Kölbel

Feb 23, 2015, 8:28:02 AM
to priva...@googlegroups.com
OK, I was not aware, that you already activated the privacyIDEA module in OTRS.

So you need to change this to the correct URL - I think in your case it might be:

    https://localhost/pi/validate/simplecheck

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 8:52:55 AM
to priva...@googlegroups.com
Same result.
I think that the auth/privacyidea.pm is not compatible with OTRS4

Cornelius Kölbel

Feb 23, 2015, 8:54:44 AM
to priva...@googlegroups.com
What does the OTRS error log say?

And I think otrs writes to the apache error log, can you see anything there?

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 9:04:44 AM
to priva...@googlegroups.com
The OTRS Error log is empty.
only in the apache log are entries

Stefan Steuer

Feb 23, 2015, 9:21:23 AM
to priva...@googlegroups.com
now I'd input the two lines into the /opt/otrs/Kernel/Config/Default.pm

result: blank page

Apache Error log:

[Mon Feb 23 15:18:50 2015] privacyIDEA.pm: Bareword found where operator expected at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 5, near ""en" class"
[Mon Feb 23 15:18:50 2015] privacyIDEA.pm:      (Missing operator before class?)
[Mon Feb 23 15:18:50 2015] privacyIDEA.pm: Bareword found where operator expected at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 12, near "<title>privacyidea"
[Mon Feb 23 15:18:50 2015] privacyIDEA.pm:      (Missing operator before privacyidea?)
ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Mon Feb 23 15:18:50 2015


 Message: Unrecognized character \xC2; marked by <-- HERE after at master <-- HERE near column 49 at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 12.


 RemoteAddress: xxxxxx
 RequestURI: /otrs/index.pl

 Traceback (5403):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Mon Feb 23 15:18:50 2015

 Message: Can't load backend module Kernel::System::Auth::privacyIDEA!

 RemoteAddress: xxxx
 RequestURI: /otrs/index.pl

 Traceback (5403):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

Stefan Steuer

Feb 23, 2015, 9:40:45 AM
to priva...@googlegroups.com
Okay... I just found the issue...
when I downloaded the file with wget he added some curious google content....

Now I'll get an error 500 (apache error) which I can fix - hopefully ;)

Stefan Steuer

Feb 23, 2015, 9:42:44 AM
to priva...@googlegroups.com
[Mon Feb 23 15:39:03 2015] [error] [Mon Feb 23 15:39:03 2015] -e: No LogObject! at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 24.\n
[Mon Feb 23 15:39:05 2015] [error] [Mon Feb 23 15:39:05 2015] -e: No LogObject! at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 24.\n
[Mon Feb 23 15:41:37 2015] [error] [Mon Feb 23 15:41:37 2015] -e: No LogObject! at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 24.\n

Cornelius Kölbel

Feb 23, 2015, 9:57:01 AM
to priva...@googlegroups.com

Stefan Steuer

Feb 23, 2015, 10:10:10 AM
to priva...@googlegroups.com
mhm... any idea?

Cornelius Kölbel

Feb 23, 2015, 10:28:16 AM
to priva...@googlegroups.com
Just looking into it.

Cornelius Kölbel

Feb 23, 2015, 11:41:39 AM
to priva...@googlegroups.com
Good news!
I was able to reproduce the problem.
So the half way is done, now ;-)

Running a vanilla OTRS 4.0.5.

Kind regards
Cornelius

Cornelius Kölbel

Feb 23, 2015, 12:06:57 PM
to priva...@googlegroups.com
I can say as much as this:
otrs 4.0 has changed a lot over 3.
This will be a new privacyidea otrs module!

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 1:48:27 PM
to priva...@googlegroups.com
oh okay :(