privacyIDEA DualMaster HA Setup with Debian 8

This short howto uses the MySQL server packages from Oracle (MySQL Community Server 5.7), since we want to use GTIDs, with which dual-master replication is much more stable.

Debian standard install with system utilities and SSH server

  • Download the MySQL 5.7 repo from Oracle:
  • Install the .deb and choose 5.7
  • aptitude update and aptitude install mysql-community-server mysql-utilities
  • Edit /etc/mysql/mysql.conf.d/mysqld.cnf and change
    bind-address to
    server-id = 1
    gtid-mode = ON
    enforce-gtid-consistency = ON
    log_bin = mysql-bin
    log_error = mysql-bin.err
    binlog_do_db = pi
    auto-increment-increment = 2
    auto-increment-offset = 1
  • On the second system do the same but set the server-id = 2 and auto-increment-offset = 2
  • Restart both services
  • On both systems log in to mysql, set up replication towards the other master and create the DB:
    mysql -u root -p
    GRANT REPLICATION SLAVE ON *.* TO 'replication'@'%' IDENTIFIED BY 'replication';
    CHANGE MASTER TO MASTER_HOST='other-master-ip', MASTER_USER='replication', MASTER_PASSWORD='replication', MASTER_AUTO_POSITION=1;
    create database pi;
  • Check on both systems if the DB is available
  • aptitude purge nfs-common rpcbind
  • aptitude install postfix
  • aptitude install libjpeg-dev zlib1g-dev python-dev \
    libffi-dev libssl-dev libxslt1-dev virtualenv gcc \
    mysql-server freeradius libconfig-inifiles-perl \
    libdata-dump-perl libtry-tiny-perl libconfig-json-perl \
    libjson-perl libmysqlclient-dev apache2 libapache2-mod-wsgi
  • virtualenv /opt/privacyidea
  • cd /opt/privacyidea
  • source bin/activate
  • pip install privacyidea
  • pip install MySQL-python
  • pip install click
  • On one of the systems:
    mysql -u root -p
    grant all privileges on pi.* to 'pi'@'localhost' identified by 'XXX';
    flush privileges;
  • mkdir /etc/privacyidea
  • mkdir /var/log/privacyidea
  • useradd -r privacyidea
  • cp etc/privacyidea/* /etc/privacyidea/
  • vi /etc/privacyidea/pi.cfg
    import logging
    # The realm, where users are allowed to login as administrators
    SUPERUSER_REALM = ['super']
    # Your database
    #SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
    # This is used to encrypt the auth_token
    #SECRET_KEY = 't0p s3cr3t'
    # This is used to encrypt the admin passwords
    #PI_PEPPER = 'Never know'
    # This is used to encrypt the token data and token passwords
    PI_ENCFILE = '/etc/privacyidea/enckey'
    # This is used to sign the audit log
    # This is the dummy base class
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.base'
    # This is the default
    #PI_AUDIT_MODULE = 'privacyidea.lib.auditmodules.sqlaudit'
    # This is used to sign the audit log
    PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
    PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
    PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
    PI_LOGLEVEL = logging.INFO
    SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'
  • a2enmod ssl
  • vi /etc/apache2/sites-enabled/privacyidea.conf
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        # You might want to change this
        ServerName localhost
        DocumentRoot /var/www
        <Directory />
            # For Apache 2.4 you need to set this:
            Require all granted
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        # Yubico servers use /wsapi/2.0/verify as the path in the
        # validation URL. Some tools (e.g. Kolab 2fa) let the
        # user/admin change the api host, but not the rest of
        # the URL. Uncomment the following two lines to reroute
        # the api URL internally to privacyideas /ttype/yubikey.
        #RewriteEngine on
        #RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
        # We can run several instances on different paths with different configurations
        WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
        #WSGIScriptAlias /instance1 /home/cornelius/src/privacyidea/deploy/privacyideaapp1.wsgi
        #WSGIScriptAlias /instance2 /home/cornelius/src/privacyidea/deploy/privacyideaapp2.wsgi
        #WSGIScriptAlias /instance3 /home/cornelius/src/privacyidea/deploy/privacyideaapp3.wsgi
        # The daemon is running as user 'privacyidea'
        # This user should have access to the encKey database encryption file
        WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
        WSGIProcessGroup privacyidea
        WSGIPassAuthorization On
        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
        # Using SSL_CLIENT_S_DN_CN will show you, which administrator did what task
        LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
        CustomLog /var/log/apache2/ssl_access.log privacyIDEA
        # SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite HIGH:!aNULL:!MD5
        # If both key and certificate are stored in the same file, only the
        # SSLCertificateFile directive is needed.
        SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
        SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
    # If you want to forward http requests to https, enable the
    # following virtual host.
    #<VirtualHost _default_:80>
    #    # This will enable the Rewrite capabilities
    #    RewriteEngine On
    #    # This checks to make sure the connection is not already HTTPS
    #    RewriteCond %{HTTPS} !=on
    #    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    #</VirtualHost>
  • cd /etc/apache2/sites-enabled/
  • rm -f 000-default.conf
  • mkdir /home/privacyidea
  • chown -R privacyidea /home/privacyidea/
  • chown -R privacyidea /etc/privacyidea/
  • chown -R privacyidea /var/log/privacyidea/
  • vi /etc/apache2/mods-enabled/wsgi.conf
    Add "WSGIPythonHome /opt/privacyidea/bin/python2.7" at the end
  • Create a self-signed certificate (or install your own) at the paths referenced in the Apache config:
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/privacyideaserver.key -out /etc/ssl/certs/privacyideaserver.pem
  • service apache2 restart
  • On one system:
    pi-manage createdb
    pi-manage admin add admin@localhost
  • privacyidea-fix-access-rights -f /etc/privacyidea/pi.cfg -u privacyidea
  • chown -R privacyidea /var/log/privacyidea/
  • cp /opt/privacyidea/lib/python2.7/site-packages/authmodules/FreeRADIUS/rlm_perl.ini /etc/privacyidea
  • vi /etc/freeradius/users
    DEFAULT Auth-Type := perl
  • vi /etc/freeradius/modules/perl
    module = /opt/privacyidea/lib/privacyidea/authmodules/FreeRADIUS/
  • vi /etc/freeradius/sites-enabled/default
    authenticate {
  • service freeradius restart && service apache2 restart
  • Now you can reach your instance via https://ip/
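A consistency check for the two nodes, added here as an example and not part of the howto or of privacyIDEA itself: it parses the mysqld.cnf options from the replication step and the pi.cfg of both nodes and reports what would break GTID dual-master replication (same server-id, same auto-increment-offset, GTID mode off) or leave the shared database unreadable on one node (SECRET_KEY, PI_PEPPER or the key file paths missing or different). The sample configs are constructed inline; on a real system read the two files from the nodes instead. Function names, the placeholder secrets and the 0.0.0.0 bind-address are assumptions of this example.

```python
import logging  # pi.cfg files reference logging.INFO, so it must be importable

# Constructed sample input: the mysqld.cnf options from the howto, node 1.
MYSQLD_NODE1 = """
[mysqld]
bind-address = 0.0.0.0
server-id = 1
gtid-mode = ON
enforce-gtid-consistency = ON
log_bin = mysql-bin
log_error = mysql-bin.err
binlog_do_db = pi
auto-increment-increment = 2
auto-increment-offset = 1
"""
# Node 2 differs only in server-id and auto-increment-offset, as the howto says.
MYSQLD_NODE2 = (MYSQLD_NODE1
                .replace("server-id = 1", "server-id = 2")
                .replace("auto-increment-offset = 1", "auto-increment-offset = 2"))

# Constructed sample input: pi.cfg of node 1 (secrets are placeholders).
PI_CFG_NODE1 = """
import logging
SUPERUSER_REALM = ['super']
SECRET_KEY = 'constructed-example-secret'
PI_PEPPER = 'constructed-example-pepper'
PI_ENCFILE = '/etc/privacyidea/enckey'
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = logging.INFO
SQLALCHEMY_DATABASE_URI = 'mysql://pi:XXX@localhost/pi'
"""
PI_CFG_NODE2 = PI_CFG_NODE1  # both nodes must carry the same secrets

# Settings every node sharing the replicated 'pi' database must agree on:
# SECRET_KEY signs the auth tokens, PI_PEPPER salts the admin password hashes,
# and the enckey/audit key files must be the same files on both nodes
# (copy them, do not generate them a second time).
SHARED_KEYS = ("SECRET_KEY", "PI_PEPPER", "PI_ENCFILE",
               "PI_AUDIT_KEY_PRIVATE", "PI_AUDIT_KEY_PUBLIC")


def parse_mysqld(text):
    """Return {option: value} for the 'key = value' lines of a mysqld.cnf.
    MySQL treats '-' and '_' in option names as equivalent, so normalise."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts[key.replace("_", "-").lower()] = value
    return opts


def load_pi_cfg(text):
    """pi.cfg is plain Python (Flask loads it with from_pyfile); execute it
    in a scratch namespace and keep the UPPERCASE settings, as Flask does."""
    namespace = {}
    exec(text, namespace)
    return {k: v for k, v in namespace.items() if k.isupper()}


def check_dual_master(mysqld_a, mysqld_b, picfg_a, picfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    nodes = (("node1", parse_mysqld(mysqld_a)), ("node2", parse_mysqld(mysqld_b)))
    for name, opts in nodes:
        for key, want in (("gtid-mode", "on"),
                          ("enforce-gtid-consistency", "on"),
                          ("auto-increment-increment", "2")):
            if opts.get(key, "").lower() != want:
                findings.append("%s: %s must be %s" % (name, key, want.upper()))
        if "log-bin" not in opts:
            findings.append("%s: log_bin is not set, node cannot serve as master" % name)
    a, b = nodes[0][1], nodes[1][1]
    if a.get("server-id") == b.get("server-id"):
        findings.append("both nodes use server-id %s" % a.get("server-id"))
    if a.get("auto-increment-offset") == b.get("auto-increment-offset"):
        findings.append("both nodes use the same auto-increment-offset; "
                        "rows inserted on both masters will collide")
    cfg_a, cfg_b = load_pi_cfg(picfg_a), load_pi_cfg(picfg_b)
    for key in SHARED_KEYS:
        if key not in cfg_a or key not in cfg_b:
            findings.append("%s is not set on at least one node "
                            "(a commented-out default is not a setting)" % key)
        elif cfg_a[key] != cfg_b[key]:
            findings.append("%s differs between the nodes" % key)
    return findings


if __name__ == "__main__":
    for finding in check_dual_master(MYSQLD_NODE1, MYSQLD_NODE2,
                                     PI_CFG_NODE1, PI_CFG_NODE2) or ["OK"]:
        print(finding)
```

Note that the pi.cfg shown in the howto leaves SECRET_KEY and PI_PEPPER commented out; the check treats that as a finding on purpose, because a second node with its own defaults would produce tokens and password hashes the first node cannot verify.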
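A small lint for the Apache vhost, added as an example and not code from the howto or from the privacyIDEA project: it reads the directives and flags the points the config's own comments warn about, namely %q in LogFormat (which writes PINs and OTP values passed as query parameters into the access log), SSLProtocol settings that leave SSLv2/SSLv3 enabled, a WSGI daemon not running as the unprivileged privacyidea user, and a missing WSGIPassAuthorization On (without which the Authorization header never reaches privacyIDEA). The sample vhost is constructed inline and trimmed to the relevant directives; the function names are this example's own.

```python
import re

# Constructed sample input: a trimmed privacyIDEA vhost in the shape the
# howto uses. Raw string, so the \" escapes and the trailing \ survive.
SAMPLE_VHOST = r"""
<VirtualHost _default_:443>
    ServerName localhost
    DocumentRoot /var/www
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    # Do not use %q here: it would log every query parameter, PINs included.
    LogFormat "%h %l %u %t %>s \"%m %U %H\" %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
    CustomLog /var/log/apache2/ssl_access.log privacyIDEA
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/ssl/certs/privacyideaserver.pem
    SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
"""


def directives(text):
    """Yield (name, arguments) per directive, joining backslash-continued
    lines and skipping comments and <section> tags. It does not track
    nesting, which is enough for a single-vhost file like this one."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def lint_vhost(text):
    """Return a list of findings for the privacyIDEA-relevant directives."""
    findings = []
    seen = {}
    for name, args in directives(text):
        seen[name] = args
        if name == "LogFormat" and "%q" in args:
            findings.append("LogFormat uses %q: query strings, including PINs and "
                            "OTP values sent as GET parameters, end up in the access log")
        elif name == "SSLProtocol":
            toks = set(args.lower().split())
            if "all" in toks and not {"-sslv2", "-sslv3"} <= toks:
                findings.append("SSLProtocol 'ALL' without -SSLv2 -SSLv3")
            if toks & {"sslv2", "sslv3", "+sslv2", "+sslv3"}:
                findings.append("SSLProtocol explicitly enables SSLv2/SSLv3")
        elif name == "WSGIDaemonProcess":
            user = re.search(r"\buser=(\S+)", args)
            if user is None or user.group(1) == "root":
                findings.append("WSGIDaemonProcess has no user= or runs as root; use "
                                "user=privacyidea so only that account reads the enckey")
    if seen.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    if seen.get("WSGIPassAuthorization", "").lower() != "on":
        findings.append("WSGIPassAuthorization is not On: the Authorization header "
                        "never reaches privacyIDEA and API logins fail")
    return findings


if __name__ == "__main__":
    for finding in lint_vhost(SAMPLE_VHOST) or ["OK"]:
        print(finding)
```

To run it against a real node, replace SAMPLE_VHOST with the contents of /etc/apache2/sites-enabled/privacyidea.conf; the checks are deliberately textual so they can run on a workstation with no Apache installed.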