PrivacyIDEA installieren (AlmaLinux/CentOS)


Getestet auf: AlmaLinux 8

PrivacyIDEA installieren

# Packages: MariaDB, Apache with mod_ssl, the Python 3 WSGI module, virtualenv
# and the SELinux management tools (semanage, used further down).
dnf install mariadb-server httpd python3-mod_wsgi mod_ssl python3-virtualenv policycoreutils-python-utils
# Enable both services at boot and start them right away.
systemctl enable --now httpd mariadb
# Interactive: sets the MariaDB root password and removes anonymous/test access.
mysql_secure_installation

In den folgenden Befehlen <dbsecret> durch ein sicheres Passwort ersetzen

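# Create the database and its application user in ONE mysql session: a single
# root password prompt instead of one per statement. The quoted heredoc
# delimiter keeps the SQL literal (no shell expansion of the quotes).
# Replace <dbsecret> with the password chosen above.
# NOTE: the literal password is still recorded in the shell history; if that
# matters, type the statements into an interactive "mysql -u root -p" instead.
mysql -u root -p <<'EOF'
create database pi;
create user "pi"@"localhost" identified by "<dbsecret>";
grant all privileges on pi.* to "pi"@"localhost";
EOF
# Config, virtualenv and log directories, owned by a dedicated system account
# (-r: system user, -M: do not create a home directory — it already exists).
mkdir /etc/privacyidea /opt/privacyidea /var/log/privacyidea
useradd -r -M -d /opt/privacyidea privacyidea
chown privacyidea:privacyidea /opt/privacyidea /etc/privacyidea /var/log/privacyidea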


# Switch to the unprivileged service account; the following install steps run
# in this login shell until it is left again.
su - privacyidea
# Virtualenv in the account's home directory, activated for pip and pi-manage.
virtualenv /opt/privacyidea
source /opt/privacyidea/bin/activate


# Upgrade the installer tooling inside the virtualenv first.
pip install -U pip setuptools
# Pin the release; the requirements file is taken from the matching git tag so
# the dependency set is the one that release ships with.
export PI_VERSION=3.7.1
pip install -r "https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_VERSION}/requirements.txt"
pip install "privacyidea==${PI_VERSION}"


# Create the configuration file with the content shown below (owner: privacyidea).
vi /etc/privacyidea/pi.cfg

<dbsecret> durch das vorher erstellte Passwort ersetzen

import logging
# Realm whose users may log in as administrators.
SUPERUSER_REALM = ['super']
# Database connection for the "pi" user created above. The password is stored
# in clear text here — replace <dbsecret> with the one chosen for that user;
# because of this credential the file is set to mode 640 right after editing.
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://pi:<dbsecret>@localhost/pi'
# SECRET_KEY (used to encrypt the auth_token) and PI_PEPPER (used for the admin
# passwords) are deliberately NOT set here: random values are appended to this
# file by the PEPPER/SECRET lines in the next step. Do not copy the example
# values from the upstream template into a production config.
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# Key pair used to sign / verify the audit log (created below by
# "pi-manage create_audit_keys").
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
# Truncate over-long audit values to the column size instead of failing the write.
PI_AUDIT_SQL_TRUNCATE = True
# The Class for managing the SQL connection pool
PI_ENGINE_REGISTRY_CLASS = "shared"
PI_AUDIT_POOL_SIZE = 20
# Log file lives in the directory chown'ed to privacyidea above.
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = logging.INFO
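# pi.cfg holds the DB password and (after the next lines) the application
# secrets: owner rw, group r, nothing for others.
# NOTE(review): the WSGI process must run as this user or its group to read
# the file — check the user= setting of WSGIDaemonProcess in privacyidea.conf.
chmod 640 /etc/privacyidea/pi.cfg
# Random SECRET_KEY and PI_PEPPER: 24 characters from a 63-symbol alphabet
# (~143 bits), appended here so no literal secret appears in the listing above.
PEPPER="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
printf "PI_PEPPER = '%s'\n" "$PEPPER" >> /etc/privacyidea/pi.cfg
SECRET="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
printf "SECRET_KEY = '%s'\n" "$SECRET" >> /etc/privacyidea/pi.cfg
pi-manage create_enckey  # encryption key for the database
pi-manage create_audit_keys  # key for verification of audit log entries
pi-manage createdb  # create the database structure
pi-manage db stamp head -d /opt/privacyidea/lib/privacyidea/migrations/  # stamp the db
pi-manage admin add <admin-user>  # asks for the admin password if none is passed
deactivate
# Return to the root shell this was started from. "su -" here would ask for
# the root password and nest a third shell on top of the two already open.
exit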


Apache Webserver einrichten

# Let the httpd/WSGI process write the log directory: persistent label, then apply it.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/privacyidea(/.*)?"
restorecon -R /var/log/privacyidea
# Required: the pymysql URI in pi.cfg reaches MariaDB over a TCP socket.
setsebool -P httpd_can_network_connect_db 1

# Only if an LDAP resolver is used as user backend
setsebool -P httpd_can_connect_ldap 1

# Only if privacyIDEA has to send mail (SMTP); leave off otherwise
setsebool -P httpd_can_sendmail 1
# Edit the main Apache config (two additions, see below).
vi /etc/httpd/conf/httpd.conf

Unter `Listen 80` muss `Listen 443` eingefügt werden (die ssl.conf, die diesen Port normalerweise öffnet, wird weiter unten deaktiviert).

Zusätzlich z.B. unterhalb von `ServerRoot` die Zeile `WSGIPythonHome /opt/privacyidea` einfügen.

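# Replace the stock SSL vhost and the welcome page with the upstream
# privacyIDEA vhost. httpd only includes conf.d/*.conf, so the renamed
# files are no longer loaded.
cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.inactive
mv welcome.conf welcome.conf.inactive
# Fetch the vhost from the same release tag as the installed package instead of
# "master", so config and code match. -f makes curl fail on an HTTP error
# instead of saving the error page as privacyidea.conf.
PI_VERSION=3.7.1  # same value as used for pip above
curl -fsSL -o privacyidea.conf "https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_VERSION}/deploy/apache/sites-available/privacyidea.conf"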


#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
#   NOTE(review): both files must exist at these paths before httpd is
#   restarted; keep the key root-owned with mode 0600 — httpd reads it as
#   root at startup, the worker processes never need it.
SSLCertificateFile    /etc/ssl/certs/privacyideaserver.pem
SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

In den beiden Log-Pfaden `apache2` durch `httpd` ersetzen:

# Debian paths from the upstream file: change apache2 to httpd on both lines
# (/var/log/httpd/...). httpd refuses to start if the log directory does not exist.
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/ssl_access.log privacyIDEA
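# WSGI entry point, fetched from the same release tag as the code (not
# "master"); -f fails on HTTP errors instead of writing the error page to disk.
PI_VERSION=3.7.1  # same value as used for pip above
cd /etc/privacyidea
curl -fsSL -O "https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_VERSION}/deploy/apache/privacyideaapp.wsgi"
# Open HTTPS in the permanent and the running firewall config.
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# Validate the edited config first so a typo does not take httpd down.
apachectl configtest && systemctl restart httpd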

Quellen