docs/Configs & Servers/Linux/privacyIDEA.md
2024-01-26 01:35:18 -07:00


Purpose: privacyIDEA is a modular authentication system. Using privacyIDEA you can enhance your existing applications like local login, VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication.

!!! info "Assumptions"
    It is assumed you have a provisioned virtual machine or physical machine running Ubuntu Server 22.04 on which to deploy the privacyIDEA server.

Add Server to Inventory and Pull Inventory/Playbook Updates from Gitea

You need to target the new server using a template in AWX (preferably). Add the server to the `[privacyideaServers]` host group in the inventory, push the change to Gitea, and sync the project in AWX so the updated inventory and playbook are available to the template.

Create a Template

Next, you want to make a template to automate the deployment of privacyIDEA on any servers that are members of the [privacyideaServers] inventory host group. This is useful for development / testing, as well as rapid re-deployment / scaling.

  • Navigate to Resources > Templates > Add

| Field | Value |
| --- | --- |
| Template Name | Deploy PrivacyIDEA Server |
| Description | Ubuntu Server 22.04 Required |
| Project | Bunny-Lab (Click the Magnifying Lens) |
| Inventory | Homelab |
| Playbook | playbooks/Linux/Deployments/privacyIDEA.yml |
| Execution Environment | AWX EE (latest) (Click the Magnifying Lens) |
| Credentials | SSH: (LINUX) nicole |

Options:

  • Privilege Escalation: Checked
  • Enable Fact Storage: Checked

Launch the Template

Now we need to launch the template. Assuming all of the above was completed, we can now deploy the playbook/template against the Ubuntu Server via SSH.

  • Launch the Template (Rocket Button)
  • As the template runs, you will see deployment progress output on the screen

!!! success
    You will know everything was successful if you see output that looks like the following:
    ```sh
    ok: [auth]
    TASK [Install wget and software-properties-common] *****************************
    ok: [auth]
    TASK [Download PrivacyIDEA signing key] ****************************************
    changed: [auth]
    TASK [Add signing key for Ubuntu 22.04LTS] *************************************
    changed: [auth]
    TASK [Add PrivacyIDEA repository] **********************************************
    changed: [auth]
    TASK [Update apt cache] ********************************************************
    changed: [auth]
    TASK [Install PrivacyIDEA with Apache2] ****************************************
    changed: [auth]
    PLAY RECAP *********************************************************************
    auth                       : ok=7    changed=5    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    ```

Create an Administrator Account

You will need to use the CLI on the server to create the first administrative account. Run the following command and enter a password for the administrator account when prompted.

```sh
sudo pi-manage admin add nicole.rappe -e nicole.rappe@bunny-lab.io
```

Log into the WebUI

Assuming you created an A record in the DNS server pointing at the IP address of the privacyIDEA server, navigate to https://auth.bunny-lab.io and sign in with the username and password you just created (e.g. `nicole.rappe`).

Connect to Active Directory

Create a LDAP User ID Resolver

This is what connects privacyIDEA to an LDAP backend so it can pull down users from Active Directory for authentication. Begin by navigating to "Config > Users > New LDAP Resolver".

| Field | Value |
| --- | --- |
| Resolver Name | BunnyLab-LDAP |
| Server URI | ldap://bunny-dc-01.bunny-lab.io, ldap://bunny-db-02.bunny-lab.io |
| Pooling Strategy | ROUND_ROBIN |
| StartTLS | <Unchecked> |
| Base DN | CN=Users,DC=bunny-lab,DC=io |
| Scope | SUBTREE |
| Bind Type | Simple |
| Bind DN | CN=Nicole Rappe,CN=Users,DC=bunny-lab,DC=io |
| Bind Password | <Domain Admin Password for "nicole.rappe"> |

  • Click the "Preset Active Directory" button.
  • Click the "Test LDAP Resolver" button.

!!! warning
    With Bind Type "Simple" over a plain `ldap://` URI and StartTLS unchecked, the bind password crosses the network in cleartext on every lookup. Use `ldaps://` (port 636) or enable StartTLS, and bind with a dedicated read-only service account instead of a Domain Admin, since the bind credentials are stored on the privacyIDEA server. Note also that a Base DN of `CN=Users,DC=bunny-lab,DC=io` only covers the default Users container; accounts that live in OUs are not found unless the Base DN is raised (e.g. to `DC=bunny-lab,DC=io`).

Create a Realm

Now we need to create what is called a "Realm". Users need to be in a realm to have tokens assigned: a user who is not a member of a realm cannot have a token assigned and cannot authenticate. You can combine several User ID Resolvers (see UserIdResolvers) into one realm. Navigate to "Config > Realms".

| Field | Value |
| --- | --- |
| Realm Name | Bunny-Lab |
| Resolver(s) | BunnyLab-LDAP |
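Once the resolver and realm exist, it is worth confirming from outside the WebUI that the admin account from `pi-manage` works, that the realm actually resolves users out of Active Directory, and what `/validate/check` returns for a realm user before any token is enrolled. The script below is an added example written for this page, not code from privacyIDEA or from the original author; it uses only the Python standard library and privacyIDEA's public REST endpoints (`POST /auth`, `GET /user/`, `POST /validate/check`). The base URL, realm name and the `nicole.rappe` admin are taken from this page; the test user and all passwords are placeholders you supply at run time.

```python
"""Post-setup check of a privacyIDEA server over its REST API (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

BASE_URL = "https://auth.bunny-lab.io"  # assumed: the A record from this page
REALM = "Bunny-Lab"                     # the realm created above


def api_call(method: str, path: str, params: Dict[str, str],
             token: Optional[str] = None, base_url: str = BASE_URL) -> dict:
    """Send one request to the privacyIDEA API and return the decoded JSON body."""
    url = base_url + path
    data = None
    headers = {"Accept": "application/json"}
    if token:
        # privacyIDEA expects the raw JWT in the Authorization header, no "Bearer" prefix.
        headers["Authorization"] = token
    if method == "GET":
        url += "?" + urllib.parse.urlencode(params)
    else:
        data = urllib.parse.urlencode(params).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def parse_auth_token(body: dict) -> str:
    """Extract the JWT from a /auth response; raise on a rejected admin login."""
    result = body.get("result", {})
    if not result.get("status"):
        raise RuntimeError("authentication failed: %s" % result.get("error"))
    return result["value"]["token"]


def parse_user_list(body: dict) -> List[str]:
    """Return the sorted usernames from a GET /user/ response for one realm."""
    result = body.get("result", {})
    if not result.get("status"):
        raise RuntimeError("user listing failed: %s" % result.get("error"))
    return sorted(u["username"] for u in result.get("value", []))


def parse_validate(body: dict) -> Tuple[bool, str]:
    """Return (authenticated?, server message) from a /validate/check response.

    A realm user with no token yet yields (False, "The user has no tokens assigned"),
    which is the expected state right after this page's setup.
    """
    ok = bool(body.get("result", {}).get("value", False))
    return ok, body.get("detail", {}).get("message", "")


def run_checks(admin: str, admin_pw: str, user: str, user_pw: str,
               realm: str = REALM, base_url: str = BASE_URL) -> Tuple[List[str], bool, str]:
    """Log in as the pi-manage admin, list the realm's AD users, then try /validate/check."""
    token = parse_auth_token(api_call(
        "POST", "/auth", {"username": admin, "password": admin_pw}, base_url=base_url))
    users = parse_user_list(api_call("GET", "/user/", {"realm": realm}, token, base_url))
    # /validate/check needs no admin token; it is what VPN/SSH/web clients will call.
    ok, msg = parse_validate(api_call(
        "POST", "/validate/check", {"user": user, "pass": user_pw, "realm": realm},
        base_url=base_url))
    return users, ok, msg


if __name__ == "__main__":
    import getpass
    admin_pw = getpass.getpass("privacyIDEA admin password for nicole.rappe: ")
    test_user = input("AD username to test in realm %s: " % REALM)
    test_pw = getpass.getpass("OTP PIN + OTP (or just the PIN before enrollment): ")
    users, ok, msg = run_checks("nicole.rappe", admin_pw, test_user, test_pw)
    print("%d users resolved from %s: %s" % (len(users), REALM, ", ".join(users[:10])))
    print("validate/check for %s: %s (%s)" % (test_user, "OK" if ok else "REJECTED", msg))
```

An empty user list with a successful login usually means the Base DN or bind account is wrong rather than the realm; a rejection with "The user has no tokens assigned" confirms the user resolved through AD and is simply waiting for a token to be enrolled.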