PrivacyIDEA 3.x Installation and Configuration Guide (Ubuntu 24.04)
PrivacyIDEA Installation on Ubuntu 24.04
Step 1: Update System
sudo apt update && sudo apt upgrade -y
Step 2: Download NetKnights Signing Key
wget https://lancelot.netknights.it/NetKnights-Release.asc
Step 3: Verify Key Fingerprint (Optional)
gpg --import --import-options show-only --with-fingerprint NetKnights-Release.asc
You should see output like the following (gpg 2.x prints the 40-digit fingerprint on its own line instead of the "Key fingerprint =" form shown here):
pub 4096R/AE250082 2017-05-16 NetKnights GmbH <release@netknights.it> Key fingerprint = 0940 4ABB EDB3 586D EDE4 AD22 00F7 0D62 AE25 0082
Step 4: Add Signing Key to Trusted Keyring
Ubuntu 24.04 reads keys from /etc/apt/trusted.gpg.d/ (apt-key is deprecated); note that a key placed there is trusted for every configured repository, not only this one.
sudo mv NetKnights-Release.asc /etc/apt/trusted.gpg.d/
Step 5: Add PrivacyIDEA Repository
echo "deb http://lancelot.netknights.it/community/noble/stable noble main" | sudo tee /etc/apt/sources.list.d/privacyidea.list
This repository works for Ubuntu 24.04.
Step 6: Install PrivacyIDEA with Apache
sudo apt update
sudo apt install privacyidea-apache2 -y
Step 7: Install FreeRADIUS Plugin
sudo apt install privacyidea-radius -y
Step 8: Create PrivacyIDEA Admin User
sudo pi-manage admin add admin -e admin@localhost
You will be prompted to set the admin password.
To reset the password:
sudo pi-manage admin reset admin
Access the Web Interface
Open your browser and access:
http://<privacyidea server IP>
UserIdResolvers and Realms
UserIdResolver
A resolver connects PrivacyIDEA to a user source and tells it where to look up users.
Supported resolver types:
- Passwordresolver
- LDAPresolver
- SQLresolver
- HTTPresolver
- SCIMresolver
LDAP / Active Directory Resolver Configuration
Navigate to:
Configuration → Users → Add Resolver → New ldapresolver
Resolver Configuration
- Resolver Name : ldap_gbb
- Type : LDAPResolver
- Server URI : ldap://<AD ip address>
- Base DN : CN=Users,DC=xxx,DC=xxx
- Scope : SUBTREE
- Bind Type : Simple Bind
- Bind DN : CN=<username>,CN=Users,DC=xxx,DC=xxx
- Bind Password : your password
OpenLDAP Settings
- Loginname Attribute : uid
- Search Filter : (uid=*)(objectClass=inetOrgPerson)
Attribute Mapping:
{
"phone" : "telephoneNumber",
"mobile" : "mobile",
"email" : "mail",
"surname" : "sn",
"givenname" : "givenName"
}
- Multivalue Attributes : memberOf
- UID Type : entryUUID
Active Directory Settings
- Loginname Attribute : sAMAccountName
- Search Filter : (sAMAccountName=*)(objectCategory=person)
Attribute Mapping:
{
"phone" : "telephoneNumber",
"mobile" : "mobile",
"email" : "mail",
"surname" : "sn",
"givenname" : "givenName"
}
- Multivalue Attributes : memberOf
- UID Type : objectGUID
Enable the following options:
- No anonymous referral chasing
- No retrieval of schema information
After configuration run:
- Quick Resolver Test
- LDAP Resolver Test
If successful you will see:
Your LDAP config seems to be OK, 79 user objects found
Realm Configuration
A realm groups resolvers.
Users are referenced as:
username@realm
Steps
- Go to Configuration → Users → Realms
- Click Add Realm
- Provide Realm Name
Example:
Test
- Assign Resolver
ldap_realm
- Save configuration
Now all LDAP users are available in the ldap realm.
Token Enrollment Steps
- Click Enroll Token
- Select token type: TOTP
- Configure options:
  - Realm
  - Username
  - PIN
- Click Enroll
- A QR Code will appear
- Scan the QR code using:
  - Google Authenticator
  - FreeOTP
  - Microsoft Authenticator
- Save the token in the mobile application
TOTP Reset / Re-enrollment
- If the user still has access to the previously enrolled token (QR code or authenticator app), they can continue using the existing token without re-enrollment.
- If the QR code or secret key is available, it can be scanned again to restore the token in the authenticator app.
- If the user no longer has access to the old token, you must:
  - Delete the existing token from PrivacyIDEA
  - Enroll a new TOTP token for the user
  - Provide the new QR code for scanning
Testing the Token
Navigate to:
Users → Token → Test Token
Enter the OTP from the mobile app.
If successful:
Result = OK