Quick guide to installing privacyIDEA on a freshly installed Debian 8. This guide was tested with privacyIDEA version 2.13!
UPDATE: Also works with 2.14 and 2.15.
- Install base Debian system (standard and SSH)
- aptitude purge nfs-common rpcbind
- aptitude install postfix
- aptitude install libjpeg-dev zlib1g-dev python-dev \
libffi-dev libssl-dev libxslt1-dev virtualenv gcc \
mysql-server freeradius libconfig-inifiles-perl \
libdata-dump-perl libtry-tiny-perl libconfig-json-perl \
libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
- virtualenv /opt/privacyidea
- cd /opt/privacyidea
- source bin/activate
- pip install privacyidea
- pip install MySQL-python
- pip install click
- mysql -u root -p
create database pi;
grant all privileges on pi.* to 'pi'@'localhost' identified by 'XXX';
flush privileges;
quit;
- mkdir /etc/privacyidea
- mkdir /var/log/privacyidea
- useradd -r privacyidea
- cp etc/privacyidea/* /etc/privacyidea/
- vi /etc/privacyidea/pi.cfg
import logging
# The realm, where users are allowed to login as administrators
SUPERUSER_REALM = ['super']
# Your database
#SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
# This is used to encrypt the auth_token
#SECRET_KEY = 't0p s3cr3t'
# This is used to encrypt the admin passwords
#PI_PEPPER = "Never know..."
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# This is used to sign the audit log
# This is the dummy base class
#PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
# This is the default
#PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = logging.INFO
# 'X' is a placeholder: use a separate long random value for each of these two
PI_PEPPER = 'X'
SECRET_KEY = 'X'
# XXX is the database password chosen in the grant statement above
SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'
- a2enmod ssl
- vi /etc/apache2/sites-available/privacyidea.conf
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
# You might want to change this
ServerName localhost
DocumentRoot /var/www
<Directory />
# For Apache 2.4 you need to set this:
Require all granted
Options FollowSymLinks
AllowOverride None
</Directory>
# Yubico servers use /wsapi/2.0/verify as the path in the
# validation URL. Some tools (e.g. Kolab 2fa) let the
# user/admin change the api host, but not the rest of
# the URL. Uncomment the following two lines to reroute
# the api URL internally to privacyideas /ttype/yubikey.
#RewriteEngine on
#RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
# We can run several instances on different paths with different configurations
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
#WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
#WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
#WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
#
# The daemon is running as user ‚privacyidea‘
# This user should have access to the encKey database encryption file
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
WSGIPassAuthorization On
ErrorLog /var/log/apache2/error.log
LogLevel warn
# Do not use %q! This will reveal all parameters, including setting PINs and Keys!
# Using SSL_CLIENT_S_DN_CN will show you which administrator did what task
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
CustomLog /var/log/apache2/ssl_access.log privacyIDEA
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
# If you want to forward http requests to https, enable the
# following virtual host.
#<VirtualHost _default_:80>
# # This will enable the Rewrite capabilities
# RewriteEngine On
#
# # This checks to make sure the connection is not already HTTPS
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
#</VirtualHost>
- cd /etc/apache2/sites-enabled/
- rm -f 000-default.conf
- ln -s ../sites-available/privacyidea.conf .
- mkdir /home/privacyidea
- chown -R privacyidea /home/privacyidea/
- chown -R privacyidea /etc/privacyidea/
- chown -R privacyidea /var/log/privacyidea/
- vi /etc/apache2/mods-enabled/wsgi.conf
Add "WSGIPythonHome /opt/privacyidea/bin/python2.7" at the end
- Install certificates (the following command creates a self-signed certificate)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/privacyideaserver.key -out /etc/ssl/certs/privacyideaserver.pem
- service apache2 restart
- pi-manage create_enckey
- pi-manage create_audit_keys
- pi-manage createdb
- pi-manage admin add admin@localhost
- privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea
- chown -R privacyidea /var/log/privacyidea/
- cp /opt/privacyidea/lib/python2.7/site-packages/authmodules/FreeRADIUS/rlm_perl.ini /etc/privacyidea
- Now you can reach your instance via https://ip/
- Create a realm and resolver, assign a token
- vi /etc/freeradius/users
DEFAULT Auth-Type := perl
- vi /etc/freeradius/modules/perl
module = /opt/privacyidea/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm
- vi /etc/freeradius/sites-enabled/default
authenticate {
perl
- service freeradius restart && service apache2 restart
- Now test via
echo "User-Name=user, Password=PIN541614" | radclient -sx localhost auth testing123