bunny-lab/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Configs & Servers/Linux/privacyIDEA.md

Browse Source
This commit is contained in:
Nicole Rappe
2024-01-26 01:42:57 -07:00
parent d7138a73db
commit b483553ae2
1 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Configs & Servers/Linux/privacyIDEA.md
View File

@ -3,7 +3,8 @@
!!! info "Assumptions" !!! info "Assumptions"
It is assumed you have a provisioned virtual machine / physical machine, running Ubuntu Server 22.04 to deploy a privacyIDEA server. It is assumed you have a provisioned virtual machine / physical machine, running Ubuntu Server 22.04 to deploy a privacyIDEA server.
## Add Server to Inventory and Pull Inventory/Playbook Updates from Gitea ## AWX Deployment
### Add Server to Inventory and Pull Inventory/Playbook Updates from Gitea
You need to target the new server using a template in AWX (preferrably). You need to target the new server using a template in AWX (preferrably).
- We will assume the FQDN of the server is `auth.bunny-lab.io` or just `auth` - We will assume the FQDN of the server is `auth.bunny-lab.io` or just `auth`
@ -11,7 +12,7 @@ You need to target the new server using a template in AWX (preferrably).
- Update / Sync the "**Bunny-Lab**" project in AWX ([Resources > Projects > Bunny-Lab > Sync](https://awx.bunny-lab.io/#/projects/8/details)) - Update / Sync the "**Bunny-Lab**" project in AWX ([Resources > Projects > Bunny-Lab > Sync](https://awx.bunny-lab.io/#/projects/8/details))
- Update / Sync the git.bunny-lab.io Inventory Source ([Resources > Inventories > Homelab > Sources > git.bunny-lab.io > Sync](https://awx.bunny-lab.io/#/inventories/inventory/2/sources/9/details)) - Update / Sync the git.bunny-lab.io Inventory Source ([Resources > Inventories > Homelab > Sources > git.bunny-lab.io > Sync](https://awx.bunny-lab.io/#/inventories/inventory/2/sources/9/details))
## Create a Template ### Create a Template
Next, you want to make a template to automate the deployment of privacyIDEA on any servers that are members of the `[privacyideaServers]` inventory host group. This is useful for development / testing, as well as rapid re-deployment / scaling. Next, you want to make a template to automate the deployment of privacyIDEA on any servers that are members of the `[privacyideaServers]` inventory host group. This is useful for development / testing, as well as rapid re-deployment / scaling.
- Navigate to **Resources > Templates > Add** - Navigate to **Resources > Templates > Add**
@ -31,7 +32,7 @@ Next, you want to make a template to automate the deployment of privacyIDEA on a
- [X] Privilege Escalation: Checked - [X] Privilege Escalation: Checked
- [X] Enable Fact Storage: Checked - [X] Enable Fact Storage: Checked
## Launch the Template ### Launch the Template
Now we need to launch the template. Assuming all of the above was completed, we can now deploy the playbook/template against the Ubuntu Server via SSH. Now we need to launch the template. Assuming all of the above was completed, we can now deploy the playbook/template against the Ubuntu Server via SSH.
- Launch the Template (Rocket Button) - Launch the Template (Rocket Button)
@ -56,16 +57,17 @@ Now we need to launch the template. Assuming all of the above was completed, we
PLAY RECAP *********************************************************************auth : ok=7 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 PLAY RECAP *********************************************************************auth : ok=7 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
``` ```
## Create an Administrator Account ## Admin Access to WebUI
### Create a privacyIDEA Administrator Account
You will need to use the CLI in the server in order to create the first administrative account. Run the following command and provide a password for the administrator account. You will need to use the CLI in the server in order to create the first administrative account. Run the following command and provide a password for the administrator account.
``` sh ``` sh
sudo pi-manage admin add nicole.rappe -e nicole.rappe@bunny-lab.io sudo pi-manage admin add nicole.rappe -e nicole.rappe@bunny-lab.io
``` ```
## Log into the WebUI ### Log into the WebUI
Assuming you created an `A` record in the DNS server pointing to the IP address of the privacyIDEA server, Navigate to https://auth.bunny-lab.io and sign in with your newly-created username and password. (e.g. `nicole.rappe`) Assuming you created an `A` record in the DNS server pointing to the IP address of the privacyIDEA server, Navigate to https://auth.bunny-lab.io and sign in with your newly-created username and password. (e.g. `nicole.rappe`)
## Connect to Active Directory ## Connect to Active Directory/LDAP
### Create a LDAP User ID Resolver ### Create a LDAP User ID Resolver
This is what will connect privacyIDEA to an LDAP backend to pull-down users for authentication in Active Directory. Begin by navigating to "**Config > Users > New LDAP Resolver**" This is what will connect privacyIDEA to an LDAP backend to pull-down users for authentication in Active Directory. Begin by navigating to "**Config > Users > New LDAP Resolver**"
@ -84,10 +86,18 @@ This is what will connect privacyIDEA to an LDAP backend to pull-down users for
- Click the "**Preset Active Directory**" button. - Click the "**Preset Active Directory**" button.
- Click the "**Test LDAP Resolver**" button. - Click the "**Test LDAP Resolver**" button.
### Create a Realm ### Associate User ID Resolver with a Realm
Now we need to create what is called a "Realm". Users need to be in realms to have tokens assigned. A user, who is not member of a realm can not have a token assigned and can not authenticate. You can combine several different User ID Resolvers (see UserIdResolvers) into a realm. Navigate to "**Config > Realms**" Now we need to create what is called a "**Realm**". Users need to be in realms to have tokens assigned. A user, who is not member of a realm can not have a token assigned and can not authenticate. You can combine several different User ID Resolvers (see UserIdResolvers) into a realm. Navigate to "**Config > Realms**"
| **Field** | **Value** | | **Field** | **Value** |
| :--- | :--- | | :--- | :--- |
| Realm Name | `Bunny-Lab` | | Realm Name | `Bunny-Lab` |
| Resolver(s) | `BunnyLab-LDAP` |
## Enrolling the First Token
Navigate to "**Tokens > Enroll Token**"
| **Field** | **Value** |
| :--- | :--- |
| [X] Generate OTP Key on Server | `Bunny-Lab` |
| Resolver(s) | `BunnyLab-LDAP` | | Resolver(s) | `BunnyLab-LDAP` |