3.3. Installing on RHEL or CentOS v7 (64bit)¶
The LinOTP components are available via rpm repositories. You can use this method to install the LinOTP server on Red Hat Enterprise Linux / CentOS 7 (64bit). The package architecture is modular. The LinOTP server package doesn’t contain drivers or configuration files for databases or web servers, but there are several packages which provide these additions.
The repositories are hosted on linotp.org.
Download a package to install the necessary yum repositories:
yum localinstall http://linotp.org/rpm/el7/linotp/x86_64/Packages/LinOTP_repos-1.1-1.el7.x86_64.rpm
This package contains the following repositories in /etc/yum.repos.d/linotp.repo:
[linotp] name=KeyIdentity LinOTP Packages for Enterprise Linux 7 - $basearch baseurl=http://linotp.org/rpm/el7/linotp/x86_64 enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LINOTP-7 [linotp-dependencies] name=KeyIdentity LinOTP Packages required for Enterprise Linux 7 baseurl=http://linotp.org/rpm/el7/dependencies/x86_64 enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LINOTP-7
These repositories provide the LinOTP server software (linotp) and packages build by KeyIdentity with software from other open source projects which are dependencies needed by LinOTP (linotp-dependencies).
Furthermore some packages are needed from EPEL (Extra Packages for Enterprise Linux) which is maintained by Fedora and has to be enabled for a successfull LinOTP installation:
Activate EPEL on the system:
yum install epel-release.noarch
If you don’t want to enable EPEL, KeyIdentity provides a repository for support customers which contains all packages from EPEL for your LinOTP installation. This ensures that you get a consistent repository maintained by KeyIdentity. The packages from the enterprise repository are signed with the LinOTP GPG key. Please contact KeyIdentity to receive further information:
The use of SELinux is supported, you can use the default setting (enforcing). The SELinux configuration for LinOTP is provided by the package LinOTP_apache (see below). In case you don’t want to use this package please apply following rules:
semanage fcontext -a -t httpd_sys_content_t "/etc/linotp2(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t "/etc/linotp2/data(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/linotp(/.*)?" restorecon -Rv /etc/linotp2/ restorecon -Rv /var/log/linotp setsebool -P httpd_can_network_connect_db on setsebool -P httpd_can_connect_ldap on
Before you start the installation, please make sure the network setup for the server is accurate and the server name is resolved correctly.
The desired database is not installed automatically with the LinOTP package.
In case you would like to use MariaDB as LinOTP database, you can install the database on the same or a remote server:
yum update yum install mariadb-server
The LinOTP packages can be installed by:
yum install LinOTP # contains LinOTP core, useridresolver # and smsprovider yum install LinOTP_mariadb # installs the mariadb client, drivers # and a setup script
With the package LinOTP_mariadb you’ll get the script linotp-create-mariadb which can be used to create a database and if not present a new encryption key.
Instead of MariaDB you can also use PostgreSQL or Oracle as your token database. For PostgreSQL you can install another package:
yum install LinOTP_postgresql
This package contains only the client and the driver for PostgreSQL but not the PostgreSQL server. You can install it by executing
yum install postgresql-server
The PostgreSQL server must allow password authentication. Please consult the PostgreSQL documentation for further information: https://www.postgresql.org/docs/
To use Oracle as your token database please contact KeyIdentity:
For support customers KeyIdentity provides installation instructions for the oracle client and a RPM package which contain the necessary drivers.
You can also create the token database manually as described in section Setup token database.
In case you like to use databases as UserIdResolvers, you also have to install the LinOTP packages for the databases mentioned above. For more details about UserIdResolvers please see UserIdResolvers and Realms - The Concepts.
During installation of the LinOTP package you’ll get a fixed version of the package python-repoze-who from the LinOTP repositories. For further system updates you have to lock this package:
yum install yum-plugin-versionlock yum versionlock python-repoze-who
For integration with Apache you can use a separate package which provides examples of configuration files for the ssl and the wsgi configuration:
yum install LinOTP_apache
Please use the template
ssl_linotp.conf.template to adapt or create your
Apache configuration. To create a config file
wsgi_linotp.conf.template is no longer necessary since LinOTP 184.108.40.206.
The template is located in
The entries in
ssl_linotp.conf.template for the SSL certificate files of
course should be changed to guarantee a secure service because they point
to a default configuration.
For the first login to LinOTP please use following credentials:
You can change the login credentials as follows:
htdigest /etc/linotp2/admins "LinOTP2 admin area" admin
The python package python-ldap which will be used when your users are located in an LDAP or Active Directory is installed automatically as a requirement of the LinOTP package.