diff --git a/Configs & Servers/Linux/privacyIDEA.md b/Configs & Servers/Linux/privacyIDEA.md index 1eaff08..d23c71c 100644 --- a/Configs & Servers/Linux/privacyIDEA.md +++ b/Configs & Servers/Linux/privacyIDEA.md @@ -3,7 +3,8 @@ !!! info "Assumptions" It is assumed you have a provisioned virtual machine / physical machine, running Ubuntu Server 22.04 to deploy a privacyIDEA server. -## Add Server to Inventory and Pull Inventory/Playbook Updates from Gitea +## AWX Deployment +### Add Server to Inventory and Pull Inventory/Playbook Updates from Gitea You need to target the new server using a template in AWX (preferrably). - We will assume the FQDN of the server is `auth.bunny-lab.io` or just `auth` @@ -11,7 +12,7 @@ You need to target the new server using a template in AWX (preferrably). - Update / Sync the "**Bunny-Lab**" project in AWX ([Resources > Projects > Bunny-Lab > Sync](https://awx.bunny-lab.io/#/projects/8/details)) - Update / Sync the git.bunny-lab.io Inventory Source ([Resources > Inventories > Homelab > Sources > git.bunny-lab.io > Sync](https://awx.bunny-lab.io/#/inventories/inventory/2/sources/9/details)) -## Create a Template +### Create a Template Next, you want to make a template to automate the deployment of privacyIDEA on any servers that are members of the `[privacyideaServers]` inventory host group. This is useful for development / testing, as well as rapid re-deployment / scaling. - Navigate to **Resources > Templates > Add** @@ -31,7 +32,7 @@ Next, you want to make a template to automate the deployment of privacyIDEA on a - [X] Privilege Escalation: Checked - [X] Enable Fact Storage: Checked -## Launch the Template +### Launch the Template Now we need to launch the template. Assuming all of the above was completed, we can now deploy the playbook/template against the Ubuntu Server via SSH. - Launch the Template (Rocket Button) 
@@ -56,16 +57,17 @@ Now we need to launch the template. Assuming all of the above was completed, we PLAY RECAP *********************************************************************auth : ok=7 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 ``` -## Create an Administrator Account +## Admin Access to WebUI +### Create a privacyIDEA Administrator Account You will need to use the CLI in the server in order to create the first administrative account. Run the following command and provide a password for the administrator account. ``` sh sudo pi-manage admin add nicole.rappe -e nicole.rappe@bunny-lab.io ``` -## Log into the WebUI +### Log into the WebUI Assuming you created an `A` record in the DNS server pointing to the IP address of the privacyIDEA server, Navigate to https://auth.bunny-lab.io and sign in with your newly-created username and password. (e.g. `nicole.rappe`) -## Connect to Active Directory +## Connect to Active Directory/LDAP ### Create a LDAP User ID Resolver This is what will connect privacyIDEA to an LDAP backend to pull-down users for authentication in Active Directory. Begin by navigating to "**Config > Users > New LDAP Resolver**" 
@@ -84,10 +86,18 @@ This is what will connect privacyIDEA to an LDAP backend to pull-down users for - Click the "**Preset Active Directory**" button. - Click the "**Test LDAP Resolver**" button. -### Create a Realm -Now we need to create what is called a "Realm". Users need to be in realms to have tokens assigned. A user, who is not member of a realm can not have a token assigned and can not authenticate. You can combine several different User ID Resolvers (see UserIdResolvers) into a realm. Navigate to "**Config > Realms**" +### Associate User ID Resolver with a Realm +Now we need to create what is called a "**Realm**". Users need to be in realms to have tokens assigned. A user, who is not member of a realm can not have a token assigned and can not authenticate. You can combine several different User ID Resolvers (see UserIdResolvers) into a realm. Navigate to "**Config > Realms**" | **Field** | **Value** | | :--- | :--- | | Realm Name | `Bunny-Lab` | +| Resolver(s) | `BunnyLab-LDAP` | + +## Enrolling the First Token +Navigate to "**Tokens > Enroll Token**" + +| **Field** | **Value** | +| :--- | :--- | +| [X] Generate OTP Key on Server | `Bunny-Lab` | | Resolver(s) | `BunnyLab-LDAP` | \ No newline at end of file
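Review bot: The unchanged context line directly under the new `### Add Server to Inventory and Pull Inventory/Playbook Updates from Gitea` heading in hunk `@@ -3,7 +3,8 @@` still reads "preferrably"; since this hunk already touches that paragraph's heading, correct it to "preferably" here rather than in a follow-up commit. The demotion to `###` under the new `## AWX Deployment` parent is consistent with the `### Create a Template` and `### Launch the Template` changes in the next two hunks, so no further restructuring is needed there.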
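Review bot: The new `### Create a privacyIDEA Administrator Account` subsection in hunk `@@ -56,16 +57,17 @@` is missing a sentence saying that the account created by `sudo pi-manage admin add nicole.rappe -e nicole.rappe@bunny-lab.io` is a local privacyIDEA administrator stored in privacyIDEA's own database, not a user from the LDAP resolver configured under the renamed `## Connect to Active Directory/LDAP` heading that follows; as written, a reader can assume their Active Directory credentials will work at https://auth.bunny-lab.io. Add that sentence after the code block, and reword the `### Log into the WebUI` step to "sign in with the administrator username and password you just created" so the two steps line up.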
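Review bot: The `## Enrolling the First Token` table added at the end of hunk `@@ -84,10 +86,18 @@` contains rows copied from the Realm table above it: the row "| [X] Generate OTP Key on Server | `Bunny-Lab` |" pairs a checkbox with the realm name as its value, and the trailing row "| Resolver(s) | `BunnyLab-LDAP` |" is a resolver field that does not belong on the enrollment form. Replace both with the fields the enrollment form actually takes (at minimum the token type and the user/realm the token is assigned to) or leave the table out until that section is written. Separately, the "| Resolver(s) | `BunnyLab-LDAP` |" row added to the Realm table is the right fix for the previous version, which named the realm but never bound it to a resolver. Finally, the hunk ends with "\ No newline at end of file"; add the trailing newline so the next edit does not show a spurious change on that line.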