Install Privacyidea 2.13 on a clean Debian 8 Jessie

Quick guide to install Privacyidea on a fresh installed Debian 8. This guide was tested with PI version 2.13!


UPDATE: Also works with 2.14, 2.15

  • Install base Debian system (standard and SSH)
  • aptitude purge nfs-common rpcbind
  • aptitude install postfix
  • aptitude install libjpeg-dev zlib1g-dev python-dev \
    libffi-dev libssl-dev libxslt1-dev virtualenv gcc \
    mysql-server freeradius libconfig-inifiles-perl \
    libdata-dump-perl libtry-tiny-perl libconfig-json-perl \
    libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
  • virtualenv /opt/privacyidea
  • cd /opt/privacyidea
  • source bin/activate
  • pip install privacyidea
  • pip install MySQL-python
  • pip install click
  • mysql -u root -p
    create database pi;
    grant all privileges on pi.* to „pi“@“localhost“ identified by „XXX“;
    flush privileges;
  • mkdir /etc/privacyidea
  • mkdir /var/log/privacyidea
  • useradd -r privacyidea
  • cp etc/privacyidea/* /etc/privacyidea/
  • vi /etc/privacyidea/pi.cfg
    import logging
    # The realm, where users are allowed to login as administrators
    SUPERUSER_REALM = [’super‘]
    # Your database
    #SQLALCHEMY_DATABASE_URI = ’sqlite:////etc/privacyidea/data.sqlite‘
    # This is used to encrypt the auth_token
    #SECRET_KEY = ‚t0p s3cr3t‘
    # This is used to encrypt the admin passwords
    #PI_PEPPER = „Never know…“
    # This is used to encrypt the token data and token passwords
    PI_ENCFILE = ‚/etc/privacyidea/enckey‘
    # This is used to sign the audit log
    # This is the dummy base class
    #PI_AUDIT_MODULE = ‚privacyidea.lib.auditmodules.base‘
    # This is the default
    #PI_AUDIT_MODULE = ‚privacyidea.lib.auditmodules.sqlaudit‘
    # This is used to sign the audit log
    PI_AUDIT_KEY_PRIVATE = ‚/etc/privacyidea/private.pem‘
    PI_AUDIT_KEY_PUBLIC = ‚/etc/privacyidea/public.pem‘
    PI_LOGFILE = ‚/var/log/privacyidea/privacyidea.log‘
    PI_LOGLEVEL = logging.INFO
    PI_PEPPER = ‚X‘
    SECRET_KEY = ‚X‘
    SQLALCHEMY_DATABASE_URI = ‚mysql://pi:XXX@localhost/pi‘
  • a2enmod ssl
  • vi /etc/apache2/sites-available/privacyidea.conf
    <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    # You might want to change this
    ServerName localhost
    DocumentRoot /var/www
    <Directory />
    # For Apache 2.4 you need to set this:
    Require all granted
    Options FollowSymLinks
    AllowOverride None
    # Yubico servers use /wsapi/2.0/verify as the path in the
    # validation URL. Some tools (e.g. Kolab 2fa) let the
    # user/admin change the api host, but not the rest of
    # the URL. Uncomment the following two lines to reroute
    # the api URL internally to privacyideas /ttype/yubikey.
    #RewriteEngine on
    #RewriteRule „^/wsapi/2.0/verify“ „/ttype/yubikey“ [PT]# We can run several instances on different paths with different configurations
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    #WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
    #WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
    #WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
    # The daemon is running as user ‚privacyidea‘
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    ErrorLog /var/log/apache2/error.logLogLevel warn
    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    LogFormat „%h %l %u %t %>s \“%m %U %H\“ %b \“%{Referer}i\“ \“%{User-agent}i\““ privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA# SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key<FilesMatch „\.(cgi|shtml|phtml|php)$“>
    SSLOptions +StdEnvVars
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    BrowserMatch „.*MSIE.*“ \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </VirtualHost># If you want to forward http request to https enable the
    # following virtual host.
    #<VirtualHost _default_:80>
    # # This will enable the Rewrite capabilities
    # RewriteEngine On
    # # This checks to make sure the connection is not already HTTPS
    # RewriteCond %{HTTPS} !=on
    # RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  • cd /etc/apache2/sites-enabled/
  • rm -f 000-default.conf
  • ln -s ../sites-available/privacyidea.conf .
  • mkdir /home/privacyidea
  • chown -R privacyidea /home/privacyidea/
  • chown -R privacyidea /etc/privacyidea/
  • chown -R privacyidea /var/log/privacyidea/
  • vi /etc/apache2/mods-enabled/wsgi.conf
    Add „WSGIPythonHome /opt/privacyidea/bin/python2.7“ at the end
  • Install certificates
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/privacyideaserver.key -out /etc/ssl/certs/privacyideaserver.pem
  • service apache2 restart
  • pi-manage create_enckey
  • pi-manage create_audit_keys
  • pi-manage createdb
  • pi-manage admin add admin@localhost
  • privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea
  • chown -R privacyidea /var/log/privacyidea/
  • cp /opt/privacyidea/lib/python2.7/site-packages/authmodules/FreeRADIUS/rlm_perl.ini /etc/privacyidea
  • Now you can reach your instance via https://ip/
  • Create a realm and resolver, assign a token
  • vi /etc/freeradius/users
    DEFAULT Auth-Type := perl
  • vi /etc/freeradius/modules/perl
    module = /opt/privacyidea/lib/privacyidea/authmodules/FreeRADIUS/
  • vi /etc/freeradius/sites-enabled/default
    authenticate {
  • service freeradius restart && service apache2 restart
  • Now test via
    echo „User-Name=user, Password=PIN541614“ | radclient -sx localhost auth testing123