Tessando
asked on
Serving LinOTP (MFA Solution) over a Different Port than 443 - Unable to Authenticate after Port Change
I would like to serve LinOTP on a port different from 443. The port I've chosen is 8458. I was able to figure out how to do this on Amazon Linux 2, but I am getting an authentication error when signing in.
In order to do this I modified two lines in the config file, /etc/httpd/conf.d/ssl_linotp.conf, for the port I am using (port 8458). These were the lines:
#Listen 443
Listen 8458
#<VirtualHost _default_:443>
<VirtualHost _default_:8458>
After I changed this config and restarted Apache, I am unable to authenticate MFA using this particular setup.
To investigate further, I looked at the log file here: /var/log/linotp/linotp.log, and I am getting the following error:
ERROR [linotp.lib.audit.base][getAuditClass #52] No suitable Audit Class found. Working with dummy AuditBase class. Probably you didn't configure 'linotpAudit' in the linotp.ini file.
The file linotp.ini is located at /etc/linotp2/linotp.ini. When I look at the audit section of that file there are only four items that are uncommented. I've pasted in the entire Audit section:
##############################################################################
## LinOTP Configuration:
## ---------------------
## in the following section you can define the LinOTP process parameters
[DEFAULT]
debug = false
profile = false
# Uncomment and replace with the address which should receive any error reports
#email_to = you@yourdomain.com
smtp_server = localhost
error_email_from = paste@localhost

## Audit Log:
## ---------
## Audit log capability will log all requests in a non repudiable way in a
## audit log database. To switch the audit capability on uncomment the
## linotpAudit.type, which should point to your audit log class
#linotpAudit.type = linotp.lib.audit.SQLAudit
#linotpAudit.sql.url = mysql://linotp2:1234@localhost/LinOTP2

linotpAudit.key.private = %(here)s/private.pem
linotpAudit.key.public = %(here)s/public.pem

## define the max amount of audit log entries in the log database
## - one SQL audit entry might take up about 1K of space
linotpAudit.sql.highwatermark = 10000
linotpAudit.sql.lowwatermark = 5000


## Audit table and column definition:
## ----------------------------------
## some databases don't support the used table or column names
## to prevent collission the following table and column prefix
## can be defined
#linotpAudit.sql.table_prefix = lino


## Audit Data truncation:
## ----------------------
## Some databases (eg. MySQL) silently truncate data if the data is longer that
## the VARCHAR column definition. To prevent this silent truncation an error
## can be raised.
## Other databases (e.g. Oracle, PostgreSQL) raise an exception (if the data
## length exceeds the field length).
## Basically we make sure all DBs behave the same way. If error_on_truncation is
## set to True, an Exception is raised. If error_on_truncation is False (default)
## then the data is silently truncated.
##
## Caution: Setting this parameter to True might make your system unusable!
##
# linotpAudit.error_on_truncation = True

Can someone please help me troubleshoot what this error means? If it's not super clear, perhaps there is another location where the port needs to be modified, or a way to effectively configure this Audit section.
Thanks for your help.
ASKER
I'm using an AWS Application Load Balancer for serving the site, which is working as expected. This is why when I switch the config to 443 it authenticates correctly. Check this out:
Authentication is done with FreeRADIUS via port 443. I'm consistently able to use MFA successfully when tcp/443 is configured.
My evidence to back this up is in a LinOTP Setup doc: "You usually will do the authentication via RADIUS. The LinOTP RADIUS plugin communicates with the LinOTP core on port 443, while the application (e.g. Firewall, SSL VPN) you are logging in to communicates to the FreeRADIUS server which by default is also located on the LinOTP server via Port 1812".
This is a pretty key piece to this setup. Here's my question: How can I change the port that FreeRadius uses to authenticate with LinOTP? It's deeper than simply a config file as I've very carefully "grep'd" all instances of 443. Any insight would be greatly appreciated.
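An added example for the follow-up above (it is not code from the original post or from the LinOTP project). The quoted setup doc says the RADIUS plugin reaches the LinOTP core over HTTPS, so the port it uses is part of the URL the plugin is configured with, not of Apache's Listen line; the log line in the question, by its own wording, is about the audit backend (linotpAudit.type is commented out in the pasted linotp.ini, so LinOTP falls back to its dummy audit class) and not about the port. The script below rewrites a plugin-style `URL =` line for a new port and then calls /validate/simplecheck directly on that port, so the new port can be exercised without FreeRADIUS in the path. Assumptions not taken from the page: the plugin config uses a `URL =` key (on LinOTP installs this is normally /etc/linotp2/rlm_perl.ini, verify on yours); LinOTP answers simplecheck with ":-)", ":-(" or ":-/" and accepts the parameters by POST as well as on the query string; hostnames, users and OTP values are placeholders.

```python
"""Set the LinOTP port used by an HTTPS client such as the RADIUS plugin, and
exercise /validate/simplecheck on that port. Added example, not LinOTP code."""
import re
import ssl
import sys
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Matches a line such as "URL = https://localhost/validate/simplecheck" and
# captures the pieces so a port can be added or replaced. Bracketed IPv6
# literals are not handled. (Key name "URL" is an assumption, see lead-in.)
_URL_LINE = re.compile(
    r"^(?P<key>\s*URL\s*=\s*)(?P<scheme>https?)://(?P<host>[^/:\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>\S*)\s*$",
    re.IGNORECASE,
)


def set_plugin_port(ini_text: str, new_port: int) -> str:
    """Return ini_text with every URL= line pointing at new_port."""
    if not 1 <= new_port <= 65535:
        raise ValueError(f"invalid port {new_port}")
    out = []
    for line in ini_text.splitlines():
        m = _URL_LINE.match(line)
        if m:
            line = f"{m['key']}{m['scheme']}://{m['host']}:{new_port}{m['path']}"
        out.append(line)
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else "")


def interpret_simplecheck(body: str) -> str:
    """Map LinOTP's simplecheck reply to accept / reject / challenge."""
    replies = {":-)": "accept", ":-(": "reject", ":-/": "challenge"}
    try:
        return replies[body.strip()]
    except KeyError:
        raise ValueError(f"unexpected simplecheck reply: {body!r}") from None


def _https_post(url: str, data: bytes, cafile: Optional[str]) -> str:
    # Certificate verification stays on. The port is not part of the
    # certificate, so the name in the URL must still match the server cert;
    # do not "fix" a port change by disabling verification in the plugin.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def check_otp(host: str, port: int, user: str, otp: str, realm: str = "",
              cafile: Optional[str] = None,
              fetch: Optional[Callable[[str, bytes, Optional[str]], str]] = None) -> str:
    """Validate user/otp against LinOTP on an explicit port."""
    url = f"https://{host}:{port}/validate/simplecheck"
    fields = {"user": user, "pass": otp}
    if realm:
        fields["realm"] = realm
    # POST keeps the OTP out of the Apache access log (a GET query string
    # would be written there). `fetch` is injectable for offline testing.
    data = urllib.parse.urlencode(fields).encode()
    body = (fetch or _https_post)(url, data, cafile)
    return interpret_simplecheck(body)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT USER OTP")
    h, p, u, o = sys.argv[1:]
    print(check_otp(h, int(p), u, o))
```

If check_otp() accepts a token on the new port while the RADIUS path still fails, the remaining difference is in the plugin's URL (and in whatever sits between the plugin and LinOTP). For the load-balanced setup described in the follow-up, the ALB target group's port and the instance security group are separate settings from Apache's Listen line and also have to carry the new port.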
ASKER CERTIFIED SOLUTION
Changing the port requires you to make changes to firewalls (the software firewall, if any) to allow port 8458 through, then allow port ...
Some browsers limit this and require users to add an exception for a variation of the port.
80, 443, 8080 and 3128 are commonly expected and known.
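An added example for the answer above (not code from the original page): the three checks a practitioner runs after moving a TLS service off 443. tcp_reachable() confirms the listener is actually exposed through whatever host or network firewalls sit in front of it (a DROP rule shows up as a timeout, a missing listener as a refusal), tls_handshake() confirms a verified TLS session on the new port (the certificate does not mention the port, so name checking is unchanged), and browser_blocked() flags the ports browsers refuse outright, the case the answer alludes to. Assumptions: BAD_PORTS is the Fetch standard's bad-port list as recalled here, so verify it against the current standard before relying on it; hostnames are placeholders.

```python
"""Post-port-change checks for a TLS service. Added example, not page code."""
import socket
import ssl
from typing import List, Optional, Tuple

# Ports browsers refuse to connect to (Fetch standard "bad ports", as recalled
# here; verify against the current list). 8458 is not among them, and neither
# are 80, 443, 8080 and 3128, which proxies and filters usually expect.
BAD_PORTS = frozenset({
    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 69, 77,
    79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123,
    135, 137, 139, 143, 161, 179, 389, 427, 465, 512, 513, 514, 515, 526,
    530, 531, 532, 540, 548, 554, 556, 563, 587, 601, 636, 989, 990, 993,
    995, 1719, 1720, 1723, 2049, 3659, 4045, 4190, 5060, 5061, 6000, 6566,
    6665, 6666, 6667, 6668, 6669, 6679, 6697, 10080,
})


def browser_blocked(port: int) -> bool:
    """True if browsers will not even open a connection to this port."""
    return port in BAD_PORTS


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection completes. A firewall DROP surfaces as a
    timeout, a closed port as ECONNREFUSED; both return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(host: str, port: int, cafile: Optional[str] = None,
                  server_hostname: Optional[str] = None,
                  timeout: float = 5.0) -> Tuple[Optional[str], List[str]]:
    """Complete a verified TLS handshake on the given port and return the
    negotiated protocol plus the DNS names in the server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            cert = tls.getpeercert()
            sans = [value for kind, value in cert.get("subjectAltName", ())
                    if kind == "DNS"]
            return tls.version(), sans


def open_local_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an ephemeral loopback port; used to self-test tcp_reachable()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT")
    h, p = sys.argv[1], int(sys.argv[2])
    print("browser blocks port:", browser_blocked(p))
    reachable = tcp_reachable(h, p)
    print("tcp reachable:", reachable)
    if reachable:
        try:
            print("tls:", tls_handshake(h, p))
        except ssl.SSLError as exc:
            print("tls handshake failed:", exc)
```

Run it once from the RADIUS host and once from wherever the load balancer's health checks originate; a listener that is reachable from localhost but not from those sources points at a security group or host firewall rule rather than at Apache.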