Howto run privacyIDEA with Apache2 and MySQL

We assume that you have an Apache2 and MySQL database installed. This example was done on Ubuntu 14.04 LTS.

Install dependencies

We are using the python virtualenv. So the installation will get all correct versions of its depending python modules.

We also need to install some development packages:

apt-get install python-dev python-virtualenv libldap2-dev libsasl2-dev libmysqlclient-dev

We will install privacyidea to /srv/privacyidea:

cd /srv
virtualenv privacyidea
cd privacyidea
source bin/activate

Note: source bin/activate will enter the python virtualenv. All python packages you install via pip will not be installed to your main system but to /srv/privacyidea.

We assume that you downloaded the privacyidea version 1.0dev0. (Or install it directly from pypi)

pip install privacyIDEA-1.0dev0.tar.gz

This will also install all dependencies. Some of the packages need to be compiled, this is why we installed the development packages in the first step.

As we will use MySQL as the database, we need to install the python package:

pip install MySQL-python

Now we will create the database and the database user:

$ mysql -u root -p
 Enter password: 
 Welcome to the MySQL monitor. Commands end with ; or \g.
 Your MySQL connection id is 42
 Server version: 5.5.35-1ubuntu1 (Ubuntu)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
 affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> create database privacyidea;
 Query OK, 1 row affected (0.00 sec)mysql> grant all privileges on privacyidea.* to "privacyidea"@"localhost" identified by "yourPassword";
 Query OK, 0 rows affected (0.00 sec)
 mysql> flush privileges;
 Query OK, 0 rows affected (0.00 sec)mysql> quit;

Prepare configuration

Create the configuration directory:

mkdir /etc/privacyidea

Add the user, the wsgi script will run as:

useradd -r privacyidea

Copy the configuration examples:

cp etc/privacyidea/* /etc/privacyidea/
mv /etc/privacyidea/privacyidea.ini.example /etc/privacyidea/privacyidea.ini

In /etc/privacyidea/privacyidea.ini adapt the following lines:

sqlalchemy.url = mysql://privacyidea:yourPassword@localhost/privacyidea
args = ('/var/log/privacyidea/privacyidea.log','a', 10000000, 4)
who.log_file = /var/log/privacyidea/privacyidea.log
privacyideaURL = https://yourServer

create your own encryption key:

privacyidea-create-enckey -f /etc/privacyidea/privacyidea.ini

Fix access rights:

privacyidea-fix-access-rights -f /etc/privacyidea/privacyidea.ini -u privacyidea

Create the database:

paster setup-app /etc/privacyidea/privacyidea.ini

Create admin users

In the first step, we will use admin users from a password file /etc/privacyidea/admin-users. Later you can define realms in privacyidea.ini, that contain admin users.

privacyidea-create-pwidresolver-user -u admin -i 1000 > /etc/privacyidea/admin-users

If you create an admin user “admin”, you can login as “admin@admin”.

Setup Apache

Finally we setup Apache, we install mod-wsgi and enable a bunch of modules:

apt-get install libapache2-mod-wsgi
a2enmod headers
a2enmod auth_digest
a2enmod ssl
a2dissite 000-default

Copy the example apache config to its place:

cp etc/apache2/sites-available/privacyidea /etc/apache2/sites-available/

Note: With Apache 2.4 the file needs to be renamed to privacyidea.conf

Now adapt privaycyidea.conf:

WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIPythonHome /srv/privacyideasi

Note: With Apache 2.4 you need to change the access statement to “Require all granted”, otherwise you will get “AH01630: client denied by server configuration”.

As we want to run with SSL, you need to create self signed certificates:

privacyidea-create-certificate -f /etc/apache2/sites-available/privacyidea.conf
privacyidea-create-certificate -f /etc/apache2/sites-available/privacyidea

Now enable your site:

a2ensite privacyidea

Restart apache and login with the administrator “admin@admin” you created earlier.