This short how-to uses the MySQL Community Server packages from Oracle rather than the Debian packages, because we want GTID-based replication, which makes the dual-master (master-master) setup much more robust.
Start from a Debian standard install with system utilities and SSH server. Unless stated otherwise, every step is done on both systems.
- Download the MySQL 5.7 repo from Oracle: https://dev.mysql.com/downloads/repo/apt/
- Install the .deb and choose 5.7
- aptitude update and aptitude install mysql-community-server mysql-utilities
- Edit /etc/mysql/mysql.conf.d/mysqld.cnf and change
bind-address to 0.0.0.0
server-id = 1
gtid-mode = ON
enforce-gtid-consistency = ON
log_bin = mysql-bin
log_error = mysql-bin.err
binlog_do_db = pi
auto-increment-increment = 2
auto-increment-offset = 1
- On the second system do the same but set server-id = 2 and auto-increment-offset = 2. The server-id must differ between the two masters, and the increment/offset pair (node 1 takes odd, node 2 even AUTO_INCREMENT values) keeps inserts on both masters from colliding.
- bind-address = 0.0.0.0 makes MySQL listen on every interface. Restrict port 3306 with a host firewall so that only the other master (plus localhost) can reach it; privacyIDEA itself only talks to localhost.
- binlog_do_db = pi is a master-side filter: only the pi database is written to the binary log. Accounts and privileges live in the mysql database and are therefore not carried over to the other master; every GRANT below has to be run on both systems.
- Restart both services
- On both systems log in to MySQL, create the replication account and point the node at the other master:
mysql -u root -p
GRANT REPLICATION SLAVE ON *.* TO 'replication'@'%' IDENTIFIED BY 'replication';
CHANGE MASTER TO MASTER_HOST='other-master-ip', MASTER_USER='replication', MASTER_PASSWORD='replication', MASTER_AUTO_POSITION=1;
START SLAVE;
CHANGE MASTER TO only stores the settings; replication does not run until START SLAVE. Use a real password instead of 'replication', and prefer 'replication'@'other-master-ip' over '%', which lets any host that can reach port 3306 try the account.
- Create the database once, on one system only: create database pi; CREATE DATABASE is replicated through the binlog_do_db filter, and running it on both masters stops the SQL thread on the second one with error 1007 (database exists).
- Check on both systems that the DB is available (show databases;) and that SHOW SLAVE STATUS\G reports Slave_IO_Running: Yes and Slave_SQL_Running: Yes; that the database created on one node shows up on the other is the first proof that the pair replicates in both directions.
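The checks just described, written out as a small script (an added example for this how-to, not part of MySQL or privacyIDEA): it parses the vertical output of SHOW SLAVE STATUS, lists what is wrong on a node (stopped IO or SQL thread, missing GTID auto-positioning) and compares the executed GTID sets of the two masters. The two status outputs embedded in it are constructed samples, including the error 1007 case from the step above; run_show_slave_status() fetches real output from the local mysql client, and the credentials file it mentions is an assumption.

```python
"""Health check for a GTID dual-master pair from SHOW SLAVE STATUS\\G output.

Added example for this how-to, not MySQL or privacyIDEA code. SAMPLE_OK and
SAMPLE_BROKEN are constructed; run_show_slave_status() reads a live node.
"""
import re
import subprocess

# A field line looks like "   Slave_IO_Running: Yes". Continuation lines of a
# wrapped GTID set ("8e9a...-0002:1-57") do not match because of the '-' in
# the UUID, so they are appended to the previous field.
FIELD_RE = re.compile(r"^\s*(\w+): ?(.*)$")

# Constructed sample of a healthy node 1 replicating from node 2.
SAMPLE_OK = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.0.2.12
                  Master_User: replication
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Errno: 0
                   Last_Error:
        Seconds_Behind_Master: 0
           Retrieved_Gtid_Set: 8e9a1c3e-0000-4000-8000-000000000002:1-57
            Executed_Gtid_Set: 8e9a1c3e-0000-4000-8000-000000000001:1-120,
8e9a1c3e-0000-4000-8000-000000000002:1-57
                Auto_Position: 1
"""

# Constructed sample of node 2 after "create database pi" was run on both
# masters: the replicated CREATE DATABASE fails with error 1007 and the SQL
# thread stops, while the IO thread keeps fetching events.
SAMPLE_BROKEN = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.0.2.11
                  Master_User: replication
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
                   Last_Errno: 1007
                   Last_Error: Error 'Can't create database 'pi'; database exists' on query. Default database: 'pi'. Query: 'create database pi'
        Seconds_Behind_Master: NULL
           Retrieved_Gtid_Set: 8e9a1c3e-0000-4000-8000-000000000001:1-3
            Executed_Gtid_Set: 8e9a1c3e-0000-4000-8000-000000000002:1-3
                Auto_Position: 1
"""


def parse_slave_status(text):
    """Turn SHOW SLAVE STATUS\\G output into a {field: value} dict."""
    status, last_key = {}, None
    for line in text.splitlines():
        if line.startswith("*****"):
            continue  # "*** 1. row ***" separator
        match = FIELD_RE.match(line)
        if match:
            last_key = match.group(1)
            status[last_key] = match.group(2).strip()
        elif last_key and line.strip():
            status[last_key] += line.strip()  # wrapped GTID set
    return status


def parse_gtid_set(gtid_set):
    """'uuid:1-5:8,uuid2:3' -> {uuid: {(1, 5), (8, 8)}, uuid2: {(3, 3)}}"""
    result = {}
    for entry in filter(None, gtid_set.replace("\n", "").split(",")):
        uuid, *ranges = entry.strip().split(":")
        intervals = set()
        for rng in ranges:
            low, _, high = rng.partition("-")
            intervals.add((int(low), int(high or low)))
        result[uuid] = intervals
    return result


def replication_problems(status):
    """List of what is wrong on this node; empty when it is healthy."""
    problems = []
    if status.get("Slave_IO_Running") != "Yes":
        problems.append("IO thread not running: " + status.get("Last_IO_Error", ""))
    if status.get("Slave_SQL_Running") != "Yes":
        problems.append("SQL thread stopped with error %s: %s"
                        % (status.get("Last_Errno"), status.get("Last_Error")))
    if status.get("Auto_Position") != "1":
        problems.append("Auto_Position is off; CHANGE MASTER TO ... MASTER_AUTO_POSITION=1")
    return problems


def is_healthy(status):
    return not replication_problems(status)


def in_sync(status_a, status_b):
    """True when both nodes executed the same GTID set (only meaningful while
    no writes are in flight)."""
    return (parse_gtid_set(status_a.get("Executed_Gtid_Set", ""))
            == parse_gtid_set(status_b.get("Executed_Gtid_Set", "")))


def run_show_slave_status(mysql_args=()):
    """Fetch live output from the local mysql client, e.g. with
    mysql_args=("--defaults-file=/root/.my.cnf",) (assumed credentials file)."""
    cmd = ["mysql", *mysql_args, "-e", "SHOW SLAVE STATUS\\G"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, replication_problems(parse_slave_status(text)) or "healthy")
    print("in sync:", in_sync(parse_slave_status(SAMPLE_OK), parse_slave_status(SAMPLE_OK)))
```

Run it on both masters (or feed it the output of both over ssh) after every change to the MySQL configuration; an in_sync() result of False while the pair is idle means one side has GTIDs the other has not applied, which on a dual-master pair is the first sign of a split that will later surface as duplicate-key or missing-row errors.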
- aptitude purge nfs-common rpcbind
- aptitude install postfix
- aptitude install libjpeg-dev zlib1g-dev python-dev \
libffi-dev libssl-dev libxslt1-dev virtualenv gcc \
mysql-server freeradius libconfig-inifiles-perl \
libdata-dump-perl libtry-tiny-perl libconfig-json-perl \
libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
(mysql-server is only the metapackage name; with Oracle's repository it is satisfied by the mysql-community-server installed above. python-dev and libapache2-mod-wsgi are the Python 2.7 variants, matching the virtualenv created next.)
- virtualenv /opt/privacyidea
- cd /opt/privacyidea
- source bin/activate
- pip install privacyidea
- pip install MySQL-python
- pip install click
- On both systems (each privacyIDEA instance connects to its own local MySQL as pi@localhost, and account changes in the mysql database are not replicated through the binlog_do_db = pi filter, so do not rely on the grant arriving on the other node):
mysql -u root -p
grant all privileges on pi.* to 'pi'@'localhost' identified by 'XXX';
flush privileges;
quit;
- mkdir /etc/privacyidea
- mkdir /var/log/privacyidea
- useradd -r privacyidea
- cp etc/privacyidea/* /etc/privacyidea/ (relative to /opt/privacyidea, where pip placed the pi.cfg template and privacyideaapp.wsgi)
- vi /etc/privacyidea/pi.cfg
import logging
# The realm, where users are allowed to login as administrators
SUPERUSER_REALM = ['super']
# Your database
#SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
# This is used to encrypt the auth_token
#SECRET_KEY = 't0p s3cr3t'
# This is used to encrypt the admin passwords
#PI_PEPPER = Never know
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# The audit module: this is the dummy base class
#PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
# This is the default
#PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = logging.INFO
PI_PEPPER = 'XXX'
SECRET_KEY = 'XXX'
SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'
Replace every XXX with a long random value (for PI_PEPPER and SECRET_KEY e.g. openssl rand -base64 32; the database password is the one granted to pi@localhost above) and use the same pi.cfg on both systems. The two nodes share one database: admin password hashes are peppered with PI_PEPPER, auth tokens are signed with SECRET_KEY, token seeds are encrypted with the enckey and the audit log is signed with the audit key pair, so none of them verify on the second node unless SECRET_KEY, PI_PEPPER, enckey and the two .pem files are identical there. Keep pi.cfg readable only by root and the privacyidea user; it holds all of these secrets in clear text.
- a2enmod ssl
- vi /etc/apache2/sites-enabled/privacyidea.conf
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
# You might want to change this
ServerName localhost
DocumentRoot /var/www
<Directory />
# For Apache 2.4 you need to set this:
Require all granted
Options FollowSymLinks
AllowOverride None
</Directory>
# Yubico servers use /wsapi/2.0/verify as the path in the
# validation URL. Some tools (e.g. Kolab 2fa) let the
# user/admin change the api host, but not the rest of
# the URL. Uncomment the following two lines to reroute
# the api URL internally to privacyideas /ttype/yubikey.
#RewriteEngine on
#RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
# We can run several instances on different paths with different configurations
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
#WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
#WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
#WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
#
# The daemon is running as user 'privacyidea'
# This user should have access to the encKey database encryption file
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
# privacyIDEA authenticates API calls via the Authorization header, which
# mod_wsgi drops unless this is on.
WSGIPassAuthorization On
ErrorLog /var/log/apache2/error.log
LogLevel warn
# Do not use %q! This will reveal all parameters, including setting PINs and Keys!
# Using SSL_CLIENT_S_DN_CN will show you, which administrator did what task
LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
CustomLog /var/log/apache2/ssl_access.log privacyIDEA
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# This only drops SSLv2/SSLv3; on a current Apache 2.4 prefer
# "SSLProtocol -all +TLSv1.2" to drop TLS 1.0/1.1 as well.
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
# If you want to forward http request to https enable the
# following virtual host (needs mod_rewrite: a2enmod rewrite).
#<VirtualHost _default_:80>
# # This will enable the Rewrite capabilities
# RewriteEngine On
#
# # This checks to make sure the connection is not already HTTPS
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
#</VirtualHost>
- cd /etc/apache2/sites-enabled/
- rm -f 000-default.conf
- mkdir /home/privacyidea
- chown -R privacyidea /home/privacyidea/
- chown -R privacyidea /etc/privacyidea/
- chown -R privacyidea /var/log/privacyidea/
- vi /etc/apache2/mods-enabled/wsgi.conf
Add "WSGIPythonHome /opt/privacyidea" at the end. WSGIPythonHome takes the root of the virtualenv (the Python prefix), not the path of the interpreter binary; with the prefix set, the mod_wsgi daemon imports privacyidea and MySQL-python from the virtualenv's site-packages. mod_wsgi must be built against the same Python 2.7 that the virtualenv uses.
- Install certificates
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/privacyideaserver.key -out /etc/ssl/certs/privacyideaserver.pem
This creates a self-signed certificate valid for one year; enter the hostname clients will use as the Common Name and keep /etc/ssl/private/privacyideaserver.key readable by root only (chmod 600). For production replace it with a certificate from your CA; otherwise every client, the FreeRADIUS plugin included, has to be told to trust this certificate or to skip verification.
- service apache2 restart
- On one system only, inside the virtualenv (source /opt/privacyidea/bin/activate), create the key material, the database schema and the first administrator. Everything written to the pi database replicates to the other master; the key files do not:
pi-manage create_enckey
pi-manage create_audit_keys
pi-manage createdb
pi-manage admin add admin@localhost
(admin@localhost is the login name of the first administrator; its password hash is stored peppered with PI_PEPPER in the shared database, so it only works on the second node if the pepper is the same there.)
- Copy /etc/privacyidea/enckey, private.pem and public.pem to the second system. The enckey encrypts every token seed in the shared database and the audit keys sign the audit log; a second node with keys of its own can neither validate tokens nor verify the audit log.
- On both systems:
privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea
- chown -R privacyidea /var/log/privacyidea/
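Before the second node goes live it is worth checking that the two pi.cfg files and key files really match, since a copy-paste error here shows up later as unexplained login or token failures on one node only. The following script is an added example for this how-to and not privacyIDEA code: it parses pi.cfg with the ast module (never executing it), flags SECRET_KEY and PI_PEPPER values still at the template or XXX placeholder, compares the settings both nodes must share and compares the key files by SHA-256. The two configs and the key file contents embedded below are constructed; for a real run pass functions that read the local files and fetch the remote ones (e.g. over ssh). The enckey size in the sample is only illustrative.

```python
"""Consistency check for two privacyIDEA nodes sharing one database.

Added example for this how-to, not privacyIDEA code. NODE_A_CFG, NODE_B_CFG
and the *_FILES dicts are constructed sample data.
"""
import ast
import hashlib

# Settings that must be identical on both nodes because they act on data
# stored in the shared database.
SHARED_SETTINGS = ("SECRET_KEY", "PI_PEPPER", "SUPERUSER_REALM")
# Settings naming key files whose contents must be identical on both nodes.
KEY_FILE_SETTINGS = ("PI_ENCFILE", "PI_AUDIT_KEY_PRIVATE", "PI_AUDIT_KEY_PUBLIC")
# Values the template ships with or that the how-to uses as placeholders.
PLACEHOLDERS = {"XXX", "t0p s3cr3t", "Never know", ""}

# Constructed pi.cfg of node A (shortened sample values, not real secrets).
NODE_A_CFG = """
import logging
SUPERUSER_REALM = ['super']
PI_ENCFILE = '/etc/privacyidea/enckey'
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGLEVEL = logging.INFO
PI_PEPPER = 'Q3lh9GvsL2x7aHk4Tz1pNmU8cW9d'
SECRET_KEY = 'z0FhJ7sM2vPq4Kd8RxW1yLnB6tE3'
SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'
"""
# Node B was set up from the template instead of from node A's pi.cfg
# (PI_PEPPER left at the placeholder) and generated an enckey of its own.
NODE_B_CFG = NODE_A_CFG.replace("PI_PEPPER = 'Q3lh9GvsL2x7aHk4Tz1pNmU8cW9d'",
                                "PI_PEPPER = 'XXX'")
# Constructed key file contents per node (sample bytes, not real keys).
NODE_A_FILES = {
    "/etc/privacyidea/enckey": b"A" * 96,
    "/etc/privacyidea/private.pem": b"-----BEGIN RSA PRIVATE KEY-----\nsame\n",
    "/etc/privacyidea/public.pem": b"-----BEGIN PUBLIC KEY-----\nsame\n",
}
NODE_B_FILES = dict(NODE_A_FILES, **{"/etc/privacyidea/enckey": b"B" * 96})


def load_pi_cfg(source):
    """Return {name: value} for every literal assignment in a pi.cfg text.

    Non-literal values such as `PI_LOGLEVEL = logging.INFO` are skipped. The
    file is parsed, never exec'd, so a tampered config cannot run code here."""
    settings = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass
    return settings


def placeholder_settings(cfg):
    """Secrets still at a template/placeholder value or shorter than 16 chars."""
    bad = []
    for name in ("SECRET_KEY", "PI_PEPPER"):
        value = cfg.get(name)
        if not isinstance(value, str) or value in PLACEHOLDERS or len(value) < 16:
            bad.append(name)
    return sorted(bad)


def shared_setting_mismatches(cfg_a, cfg_b):
    """Shared settings that differ (or are missing) between the two nodes."""
    return sorted(n for n in SHARED_SETTINGS if cfg_a.get(n) != cfg_b.get(n))


def key_file_mismatches(cfg_a, cfg_b, read_a, read_b):
    """Key file settings whose file contents differ or cannot be read.

    read_a/read_b take a path and return bytes (a local open().read() and a
    remote fetch in a real run; here dict lookups on the sample data)."""
    bad = []
    for name in KEY_FILE_SETTINGS:
        try:
            digest_a = hashlib.sha256(read_a(cfg_a[name])).hexdigest()
            digest_b = hashlib.sha256(read_b(cfg_b[name])).hexdigest()
        except (KeyError, OSError):
            bad.append(name)
            continue
        if digest_a != digest_b:
            bad.append(name)
    return sorted(bad)


def check_pair(cfg_text_a, cfg_text_b, read_a, read_b):
    """All findings for a node pair; every list is empty when the pair is consistent."""
    cfg_a, cfg_b = load_pi_cfg(cfg_text_a), load_pi_cfg(cfg_text_b)
    return {
        "placeholders_a": placeholder_settings(cfg_a),
        "placeholders_b": placeholder_settings(cfg_b),
        "setting_mismatch": shared_setting_mismatches(cfg_a, cfg_b),
        "key_file_mismatch": key_file_mismatches(cfg_a, cfg_b, read_a, read_b),
    }


if __name__ == "__main__":
    findings = check_pair(NODE_A_CFG, NODE_B_CFG,
                          NODE_A_FILES.__getitem__, NODE_B_FILES.__getitem__)
    for key, value in findings.items():
        print(key, value or "ok")
```

On the sample pair the script reports PI_PEPPER as a placeholder on node B, PI_PEPPER as a mismatching shared setting and PI_ENCFILE as a mismatching key file, which is exactly the state after forgetting to copy pi.cfg and enckey to the second node. Any finding other than empty lists means the two nodes are not interchangeable behind a load balancer.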
- cp /opt/privacyidea/lib/python2.7/site-packages/authmodules/FreeRADIUS/rlm_perl.ini /etc/privacyidea
(The installed location of rlm_perl.ini and privacyidea_radius.pm differs between privacyIDEA releases; check with find /opt/privacyidea -name rlm_perl.ini -o -name privacyidea_radius.pm and use the paths it prints here and in the perl module configuration below. In rlm_perl.ini point the URL at this node's validate endpoint, https://localhost/validate/check; with the self-signed certificate from above the perl module must either trust that certificate or have its certificate check switched off.)
- vi /etc/freeradius/users
DEFAULT Auth-Type := perl
- vi /etc/freeradius/modules/perl
module = /opt/privacyidea/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm
- vi /etc/freeradius/sites-enabled/default and add perl to the authenticate section:
authenticate {
    perl
}
- service freeradius restart && service apache2 restart
- Now you can reach your instance via https://ip/ on either node. Log in as admin@localhost, enroll a token for a test user and check the RADIUS path on each node with radtest <user> <pin+otp> localhost 0 testing123 (radtest is in freeradius-utils; testing123 is the secret of the localhost client in the default clients.conf). If it fails, /var/log/privacyidea/privacyidea.log and freeradius -X show which side rejected the request.