[SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.3.1+dfsg-2-20-gad6ee1e
Russ Allbery
rra at debian.org
Thu Apr 7 00:58:36 UTC 2011
The following commit has been merged in the master branch:
commit 452b2d3e05bdb8857941c1665ac1655cbd1349b2
Merge: f9e67799ded148df80b05aabf22ada03ef9059c8 dcdaebee3864e1659f5589ed3ad8ceed1e014de0
Author: Russ Allbery <rra at debian.org>
Date: Wed Apr 6 17:49:32 2011 -0700
Merge commit 'upstream/2.4.2+dfsg'
Conflicts:
configs/keygen.sh
configs/native.logger.in
configs/shibd-debian.in
schemas/Makefile.am
diff --combined configs/Makefile.am
index ee604e6,38f1446..9ff0a9b
--- a/configs/Makefile.am
+++ b/configs/Makefile.am
@@@ -1,11 -1,11 +1,11 @@@
- ## $Id: Makefile.am 3168 2009-10-31 20:34:11Z cantor $
+ ## $Id: Makefile.am 3293 2010-08-13 04:23:23Z cantor $
AUTOMAKE_OPTIONS = foreign
pkglibdir = ${libdir}/@PACKAGE@
pkglogdir = ${localstatedir}/log/@PACKAGE@
-pkgdocdir = $(datadir)/doc/@PACKAGE at -@PACKAGE_VERSION@
-shirelogdir = ${localstatedir}/log/httpd
+pkgdocdir = ${datadir}/doc/@PACKAGE@
+shirelogdir = ${localstatedir}/log/apache2
pkgxmldir = $(datadir)/xml/@PACKAGE@
pkgrundir = $(localstatedir)/run/@PACKAGE@
pkgsysconfdir = $(sysconfdir)/@PACKAGE@
@@@ -35,7 -35,10 +35,10 @@@ CONFIGFILES =
shibboleth2.xml \
attribute-map.xml \
attribute-policy.xml \
+ protocols.xml \
+ security-policy.xml \
example-metadata.xml \
+ example-shibboleth2.xml \
console.logger \
syslog.logger \
accessError.html \
diff --combined configs/keygen.sh
index e68607c,4ee69f6..c94f23e
--- a/configs/keygen.sh
+++ b/configs/keygen.sh
@@@ -1,39 -1,39 +1,45 @@@
#! /bin/sh
- # Added for Debian. The upstream version is installed in /etc/shibboleth and
- # for Debian we wanted to move it to /usr/bin, so change directories so that
- # it puts files in the correct location.
- cd /etc/shibboleth
++# Defaults added for Debian. They can still be overridden by command-line
++# options.
++OUT=/etc/shibboleth
++GROUP=_shibd
+
- while getopts h:e:y:bf c
+ while getopts h:u:g:o:e:y:bf c
do
case $c in
+ u) USER=$OPTARG;;
+ g) GROUP=$OPTARG;;
+ o) OUT=$OPTARG;;
b) BATCH=1;;
f) FORCE=1;;
h) FQDN=$OPTARG;;
e) ENTITYID=$OPTARG;;
y) YEARS=$OPTARG;;
- \?) echo keygen [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]
+ \?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
exit 1;;
esac
done
+ if [ -z "$OUT" ] ; then
+ OUT=.
+ fi
if [ -n "$FORCE" ] ; then
- rm sp-key.pem sp-cert.pem
+ rm $OUT/sp-key.pem $OUT/sp-cert.pem
fi
- if [ -s sp-key.pem -o -s sp-cert.pem ] ; then
+ if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
if [ -z "$BATCH" ] ; then
- echo The files sp-key.pem and/or sp-cert.pem already exist!
+ echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
echo Use -f option to force recreation of keypair.
exit 2
fi
exit 0
fi
+# --fqdn flag added for Debian to generate better names for certificates.
if [ -z "$FQDN" ] ; then
- FQDN=`hostname`
+ FQDN=`hostname --fqdn`
fi
if [ -z "$YEARS" ] ; then
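Review bot: The usage text on the `\?)` arm still says `-o output directory (default .)`, but this merged version presets `OUT=/etc/shibboleth` at the top of the script, so the message misdescribes the Debian default; change it to `[-o output directory (default /etc/shibboleth)]`, and consider giving `-u` and `-g` their Debian defaults in the same text. The `rm $OUT/sp-key.pem $OUT/sp-cert.pem` under `-f` also reports an error when only one of the two files exists; `rm -f -- "$OUT/sp-key.pem" "$OUT/sp-cert.pem"` handles that and keeps an output path containing spaces intact. The same unquoted `$OUT` appears in the `-s` tests and the echo lines just below it.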
@@@ -48,7 -48,8 +54,8 @@@ els
ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi
- cat >sp-cert.cnf <<EOF
+ SSLCNF=$OUT/sp-cert.cnf
+ cat >$SSLCNF <<EOF
# OpenSSL configuration file for creating sp-cert.pem
[req]
prompt=no
@@@ -66,15 -67,19 +73,19 @@@ subjectAltName=$ALTNAM
subjectKeyIdentifier=hash
EOF
- # Added for Debian. Make the key mode 640 and readable by group _shibd so
- # that the Debian shibd can use a non-root user.
- touch sp-key.pem
- chgrp _shibd sp-key.pem
- chmod 640 sp-key.pem
+ touch $OUT/sp-key.pem
+ chmod 600 $OUT/sp-key.pem
if [ -z "$BATCH" ] ; then
- openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem
+ openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
else
- openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem 2> /dev/null
+ openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
+ fi
+ rm $SSLCNF
+
+ if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then
+ chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem
fi
- rm sp-cert.cnf
+ if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then
+ chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem
+ fi
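Review bot: `chmod 600 $OUT/sp-key.pem` combined with the trailing `chgrp $GROUP` gives the group no access, so with the Debian default `GROUP=_shibd` a shibd running as `_shibd` cannot read the key unless `-u _shibd` is also passed; the Debian version this replaces used mode 640 with group `_shibd` for exactly that reason. If group read is the intent, add `chmod 640 $OUT/sp-key.pem` inside the `-n "$GROUP"` branch after the chgrp. The `touch`/`chmod` pair also leaves a short window in which the empty key file carries the umask default mode; a `umask 077` before the touch closes it, at the cost of an explicit `chmod 644 $OUT/sp-cert.pem` afterwards since the certificate is public. `rm $SSLCNF` runs whether or not openssl succeeded, which is fine, but the openssl exit status itself is never checked, and the `-b` batch path discards stderr, so a failed key generation only shows up as the later `-s` test silently skipping the chown.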
diff --combined configs/metagen.sh
index 16c9180,e460240..ce71382
--- a/configs/metagen.sh
+++ b/configs/metagen.sh
@@@ -1,23 -1,55 +1,55 @@@
-#! /bin/sh
+#! /bin/bash
- while getopts a:c:e:h:n:o:s:t: c
+ DECLS=1
+
+ SAML1=0
+ SAML2=0
+ ARTIFACT=0
+ DS=0
+ LOGOUT=0
+ NAMEIDMGMT=0
+
+ SAML10PROT="urn:oasis:names:tc:SAML:1.0:protocol"
+ SAML11PROT="urn:oasis:names:tc:SAML:1.1:protocol"
+ SAML20PROT="urn:oasis:names:tc:SAML:2.0:protocol"
+
+ SAML20SOAP="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ SAML20REDIRECT="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ SAML20POST="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ SAML20POSTSS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+ SAML20ART="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ SAML20PAOS="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
+
+ SAML1POST="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+ SAML1ART="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+
+ while getopts a:c:e:f:h:n:o:s:t:u:12ADLNO c
do
case $c in
- c) CERTS[${#CERTS[*]}]=$OPTARG;;
- e) ENTITYID=$OPTARG;;
- h) HOSTS[${#HOSTS[*]}]=$OPTARG;;
- n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;;
- o) ORGNAME=$OPTARG;;
- a) ADMIN[${#ADMIN[*]}]=$OPTARG;;
- s) SUP[${#SUP[*]}]=$OPTARG;;
- t) TECH[${#TECH[*]}]=$OPTARG;;
- \?) echo metagen -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
- exit 1;;
+ c) CERTS[${#CERTS[*]}]=$OPTARG;;
+ e) ENTITYID=$OPTARG;;
+ f) FORMATS[${#FORMATS[*]}]=$OPTARG;;
+ h) HOSTS[${#HOSTS[*]}]=$OPTARG;;
+ n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;;
+ o) ORGNAME=$OPTARG;;
+ a) ADMIN[${#ADMIN[*]}]=$OPTARG;;
+ s) SUP[${#SUP[*]}]=$OPTARG;;
+ t) TECH[${#TECH[*]}]=$OPTARG;;
+ u) URL=$OPTARG;;
+ 1) SAML1=1;;
+ 2) SAML2=1;;
+ A) ARTIFACT=1;;
+ D) DS=1;;
+ L) LOGOUT=1;;
+ N) NAMEIDMGMT=1;;
+ O) DECLS=0;;
+ \?) echo metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
+ exit 1;;
esac
done
if [ ${#HOSTS[*]} -eq 0 -a ${#NAKEDHOSTS[*]} -eq 0 ] ; then
- echo metagen -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
+ echo metagen [-12ADLN] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
exit 1
fi
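Review bot: The two usage messages disagree: the `\?)` arm lists `[-12ADLNO]` while the no-hosts check below prints `[-12ADLN]`, dropping `-O`, and neither mentions `-f`, `-u`, `-o`, `-a`, `-s` or `-t`. Both `echo` lines are unquoted, so `[-12ADLNO]` is a bracket glob that the shell expands against the current directory before printing (a file named `A` or `1` would replace it in the output); quoting the text, `echo "metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]"`, fixes that, and a single `usage` function would keep the two copies in step. Switching the shebang to `#! /bin/bash` is consistent with the arrays, `let` and `for (( ... ))` used throughout the script.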
@@@ -34,12 -66,87 +66,87 @@@ d
done
if [ -z $ENTITYID ] ; then
- ENTITYID=https://${HOSTS[0]}/shibboleth
+ if [ ${#HOSTS[*]} -eq 0 ] ; then
+ ENTITYID=https://${NAKEDHOSTS[0]}/shibboleth
+ else
+ ENTITYID=https://${HOSTS[0]}/shibboleth
+ fi
+ fi
+
+ # Establish protocols and bindings.
+
+ if [ $SAML1 -eq 0 -a $SAML2 -eq 0 ] ; then
+ SAML1=1
+ SAML2=1
+ fi
+
+ if [ $LOGOUT -eq 1 -o $NAMEIDMGMT -eq 1 ] ; then
+ SAML2=1
+ SLO[${#SLO[*]}]=$SAML20SOAP
+ SLO[${#SLO[*]}]=$SAML20REDIRECT
+ SLO[${#SLO[*]}]=$SAML20POST
+ SLOLOC[${#SLOLOC[*]}]="SOAP"
+ SLOLOC[${#SLOLOC[*]}]="Redirect"
+ SLOLOC[${#SLOLOC[*]}]="POST"
+ if [ $ARTIFACT -eq 1 ] ; then
+ SLO[${#SLO[*]}]=$SAML20ART
+ SLOLOC[${#SLOLOC[*]}]="Artifact"
+ fi
+ fi
+
+ if [ $SAML1 -eq 1 -a $SAML2 -eq 1 ] ; then
+ PROTENUM="$SAML20PROT $SAML11PROT"
+ elif [ $SAML1 -eq 1 ] ; then
+ PROTENUM="$SAML11PROT"
+ else
+ PROTENUM="$SAML20PROT"
+ fi
+
+ if [ $SAML2 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20POST
+ ACSLOC[${#ACSLOC[*]}]="SAML2/POST"
+ ACS[${#ACS[*]}]=$SAML20POSTSS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/POST-SimpleSign"
+ if [ $ARTIFACT -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20ART
+ ACSLOC[${#ACSLOC[*]}]="SAML2/Artifact"
+ fi
+ ACS[${#ACS[*]}]=$SAML20PAOS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"
+ fi
+
+ if [ $SAML1 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML1POST
+ ACSLOC[${#ACSLOC[*]}]="SAML/POST"
+ if [ $ARTIFACT -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML1ART
+ ACSLOC[${#ACSLOC[*]}]="SAML/Artifact"
+ fi
+ fi
+
+ if [ $SAML2 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20PAOS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"
+ fi
+
+ if [ $DECLS -eq 1 ] ; then
+ DECLS="xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" "
+ if [ $DS -eq 1 ] ; then
+ DECLS="${DECLS}xmlns:disco=\"urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol\" "
+ fi
+ else
+ DECLS=""
fi
cat <<EOF
- <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${ENTITYID}">
- <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+ <md:EntityDescriptor ${DECLS}entityID="${ENTITYID}">
+ <md:SPSSODescriptor protocolSupportEnumeration="${PROTENUM}">
+ EOF
+
+ # Discovery BEGIN
+ if [ $DS -eq 1 ] ; then
+
+ cat << EOF
<md:Extensions>
EOF
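Review bot: The `SAML2/ECP` endpoint is appended to `ACS`/`ACSLOC` twice when `SAML2=1`: once at the end of the first `if [ $SAML2 -eq 1 ]` block (right after the Artifact check) and again in the second `if [ $SAML2 -eq 1 ]` block that follows the SAML 1 block, so the generated metadata carries two AssertionConsumerService entries with the PAOS binding and the same Location under different indexes. Drop one of them; if the intent is to list ECP after the SAML 1 endpoints, remove the first pair `ACS[${#ACS[*]}]=$SAML20PAOS` / `ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"` and keep the trailing block. `DECLS` is also reused as both the `-O` flag and the string of namespace declarations, which works but reads as two variables; a separate name for the string would make the `[ $DECLS -eq 1 ]` test clearer.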
@@@ -47,7 -154,7 +154,7 @@@ count=
for h in ${HOSTS[@]}
do
cat << EOF
- <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://$h/Shibboleth.sso/DS" index="$count"/>
+ <disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://$h/Shibboleth.sso/DS" index="$count"/>
EOF
let "count++"
done
@@@ -55,7 -162,7 +162,7 @@@
for h in ${NAKEDHOSTS[@]}
do
cat << EOF
- <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>
+ <disco:DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>
EOF
let "count++"
done
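Review bot: `<disco:DiscoveryResponse ...>` in this loop keeps the `xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"` default-namespace attribute that the HTTPS loop in the previous hunk dropped; with the `disco` prefix already declared through `DECLS`, the attribute is redundant and the two loops should match. Change it to `<disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>`.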
@@@ -64,11 -171,14 +171,14 @@@ cat << EO
</md:Extensions>
EOF
+ fi
+ # Discovery END
+
for c in ${CERTS[@]}
do
cat << EOF
<md:KeyDescriptor>
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
EOF
@@@ -81,79 -191,98 +191,98 @@@ cat << EO
EOF
done
+ for f in ${FORMATS[@]}
+ do
cat << EOF
- <!--
+ <md:NameIDFormat>$f</md:NameIDFormat>
EOF
+ done
+
+ # Logout BEGIN
+ if [ $LOGOUT -eq 1 ] ; then
for h in ${HOSTS[@]}
do
- cat <<EOF
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://$h/Shibboleth.sso/SLO/SOAP"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://$h/Shibboleth.sso/SLO/Redirect"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$h/Shibboleth.sso/SLO/POST"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$h/Shibboleth.sso/SLO/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:SingleLogoutService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
for h in ${NAKEDHOSTS[@]}
do
- cat <<EOF
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://$h/Shibboleth.sso/SLO/SOAP"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://$h/Shibboleth.sso/SLO/Redirect"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://$h/Shibboleth.sso/SLO/POST"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://$h/Shibboleth.sso/SLO/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:SingleLogoutService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
+ fi
+ # Logout END
+
+ # NameID Mgmt BEGIN
+ if [ $NAMEIDMGMT -eq 1 ] ; then
+
for h in ${HOSTS[@]}
do
- cat <<EOF
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://$h/Shibboleth.sso/NIM/SOAP"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://$h/Shibboleth.sso/NIM/Redirect"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$h/Shibboleth.sso/NIM/POST"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$h/Shibboleth.sso/NIM/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:ManageNameIDService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
for h in ${NAKEDHOSTS[@]}
do
- cat <<EOF
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://$h/Shibboleth.sso/NIM/SOAP"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://$h/Shibboleth.sso/NIM/Redirect"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://$h/Shibboleth.sso/NIM/POST"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://$h/Shibboleth.sso/NIM/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:ManageNameIDService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
- cat <<EOF
- -->
- EOF
+ fi
+ # NameID Mgmt END
- count=0
+ index=0
for h in ${HOSTS[@]}
do
- cat <<EOF
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$h/Shibboleth.sso/SAML2/POST" index="$((count+1))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://$h/Shibboleth.sso/SAML2/POST-SimpleSign" index="$((count+2))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$h/Shibboleth.sso/SAML2/Artifact" index="$((count+3))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://$h/Shibboleth.sso/SAML2/ECP" index="$((count+4))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://$h/Shibboleth.sso/SAML/POST" index="$((count+5))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://$h/Shibboleth.sso/SAML/Artifact" index="$((count+6))"/>
- EOF
- let "count+=6"
+ count=0
+ while [ $count -lt ${#ACS[*]} ]
+ do
+ cat <<EOF
+ <md:AssertionConsumerService Binding="${ACS[$count]}" Location="https://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
+ EOF
+ let "count++"
+ let "index++"
+ done
done
for h in ${NAKEDHOSTS[@]}
do
- cat <<EOF
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://$h/Shibboleth.sso/SAML2/POST" index="$((count+1))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://$h/Shibboleth.sso/SAML2/POST-SimpleSign" index="$((count+2))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://$h/Shibboleth.sso/SAML2/Artifact" index="$((count+3))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://$h/Shibboleth.sso/SAML2/ECP" index="$((count+4))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://$h/Shibboleth.sso/SAML/POST" index="$((count+5))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://$h/Shibboleth.sso/SAML/Artifact" index="$((count+6))"/>
- EOF
- let "count+=6"
+ count=0
+ while [ $count -lt ${#ACS[*]} ]
+ do
+ cat <<EOF
+ <md:AssertionConsumerService Binding="${ACS[$count]}" Location="http://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
+ EOF
+ let "count++"
+ let "index++"
+ done
done
cat <<EOF
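Review bot: The seven-line `count`/`while` loop over `SLO`/`SLOLOC` is pasted four times in this hunk (HOSTS and NAKEDHOSTS for `SingleLogoutService`, then again for `ManageNameIDService`) with only the element name and URL scheme varying, and the `ACS` loop repeats the pattern twice more; a small helper taking the element name and base URL would leave one copy to maintain. The sketch below covers the SLO/NIM case, and the ACS loops would get an equivalent helper that also advances `index`. The new `for f in ${FORMATS[@]}` loop, like the host loops, expands the array unquoted; `"${FORMATS[@]}"` is the safe form.
```shell
# Emit one <md:$1> per entry in SLO/SLOLOC for a single host.
#   $1 - element name (SingleLogoutService or ManageNameIDService)
#   $2 - scheme and host, e.g. https://$h
#   $3 - path segment under Shibboleth.sso (SLO or NIM)
emit_bindings() {
  local count=0
  while [ $count -lt ${#SLO[*]} ]
  do
    cat <<EOF
<md:$1 Binding="${SLO[$count]}" Location="$2/Shibboleth.sso/$3/${SLOLOC[$count]}"/>
EOF
    let "count++"
  done
}
# … unchanged: NameIDFormat loop …
if [ $LOGOUT -eq 1 ] ; then
  for h in "${HOSTS[@]}"
  do
    emit_bindings SingleLogoutService "https://$h" SLO
  done
  for h in "${NAKEDHOSTS[@]}"
  do
    emit_bindings SingleLogoutService "http://$h" SLO
  done
fi
# … unchanged in shape: NameID Mgmt section calls emit_bindings ManageNameIDService ... NIM …
```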
@@@ -161,18 -290,22 +290,22 @@@
EOF
if [ -n "$ORGNAME" ] ; then
+ if [ -z "$URL" ] ; then
+ URL=$ENTITYID
+ fi
cat <<EOF
<md:Organization>
<md:OrganizationName xml:lang="en">$ORGNAME</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">$ORGNAME</md:OrganizationDisplayName>
- <md:OrganizationURL xml:lang="en">$ENTITYID</md:OrganizationURL>
+ <md:OrganizationURL xml:lang="en">$URL</md:OrganizationURL>
</md:Organization>
EOF
fi
- for c in ${ADMIN[@]}
+ count=${#ADMIN[*]}
+ for (( i=0; i<count; i++ ))
do
- c=(${c//\// })
+ IFS="/"; declare -a c=(${ADMIN[$i]})
cat <<EOF
<md:ContactPerson contactType="administrative">
<md:GivenName>${c[0]}</md:GivenName>
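Review bot: `IFS="/"; declare -a c=(${ADMIN[$i]})` changes IFS for the rest of the script and never restores it, so every later unquoted expansion splits on `/` instead of whitespace; it happens to work here because the support and technical loops in the next two hunks perform the same split and nothing else follows them, but it is fragile. Restore it around the split, `OLDIFS=$IFS; IFS="/"; declare -a c=(${ADMIN[$i]}); IFS=$OLDIFS`, or use `IFS="/" read -r -a c <<<"${ADMIN[$i]}"`, which scopes the IFS change to that one command; the same applies to the `SUP` and `TECH` loops. The contact fields are still interpolated into the XML unescaped, so a name or address containing `&` or `<` yields invalid metadata; that is pre-existing, but a comment on the loop stating the expected `given/surname/email` shape and that no escaping is done would help.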
@@@ -182,9 -315,10 +315,10 @@@
EOF
done
- for c in ${SUP[@]}
+ count=${#SUP[*]}
+ for (( i=0; i<count; i++ ))
do
- c=(${c//\// })
+ IFS="/"; declare -a c=(${SUP[$i]})
cat <<EOF
<md:ContactPerson contactType="support">
<md:GivenName>${c[0]}</md:GivenName>
@@@ -194,9 -328,10 +328,10 @@@
EOF
done
- for c in ${TECH[@]}
+ count=${#TECH[*]}
+ for (( i=0; i<count; i++ ))
do
- c=(${c//\// })
+ IFS="/"; declare -a c=(${TECH[$i]})
cat <<EOF
<md:ContactPerson contactType="technical">
<md:GivenName>${c[0]}</md:GivenName>
@@@ -208,4 -343,5 +343,5 @@@ don
cat <<EOF
</md:EntityDescriptor>
+
EOF
diff --combined configs/native.logger.in
index 2927392,8c17632..dc5f3c6
--- a/configs/native.logger.in
+++ b/configs/native.logger.in
@@@ -1,5 -1,5 +1,5 @@@
# set overall behavior
- log4j.rootCategory=INFO, native_log
+ log4j.rootCategory=INFO, native_log, warn_log
# fairly verbose for DEBUG, so generally leave at INFO
log4j.category.XMLTooling.XMLObject=INFO
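Review bot: `log4j.rootCategory=INFO, native_log, warn_log` now names a `warn_log` appender, but on the merged Debian side every `log4j.appender.warn_log.*` line in the next hunk is commented out and only the syslog `native_log` appender is defined, so the root category references an appender that does not exist. How log4shib treats a missing appender is not visible here, but at best the entry is dead and at worst it is reported as a configuration error on every Apache start. Either drop `, warn_log` from this line, or define the appender on the Debian side, for example as a second `LocalSyslogAppender` with `threshold=WARN`.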
@@@ -26,23 -26,17 +26,29 @@@ log4j.category.XMLTooling.libcurl=INF
# define the appender
-log4j.appender.native_log=org.apache.log4j.RollingFileAppender
-log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
-log4j.appender.native_log.maxFileSize=1000000
-log4j.appender.native_log.maxBackupIndex=10
-log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+# This is the default, but it's essentially useless under normal
+# circumstances since Apache doesn't have access to write to that
+# directory.
+#log4j.appender.native_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
+#log4j.appender.native_log.maxFileSize=1000000
+#log4j.appender.native_log.maxBackupIndex=10
- ##log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
+#log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
++#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
++#log4j.appender.warn_log.fileName=@-SHIRELOGDIR-@/native_warn.log
++#log4j.appender.warn_log.maxFileSize=1000000
++#log4j.appender.warn_log.maxBackupIndex=10
++#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
++#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
++#log4j.appender.warn_log.threshold=WARN
-log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
-log4j.appender.warn_log.fileName=@-SHIRELOGDIR-@/native_warn.log
-log4j.appender.warn_log.maxFileSize=1000000
-log4j.appender.warn_log.maxBackupIndex=10
-log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-log4j.appender.warn_log.threshold=WARN
+# Use syslog instead, since then at least the messages will go somewhere.
+# That facility is (3 << 3) or LOG_DAEMON, since log4cpp apparently
+# doesn't recognize symbolic log facilities.
+#
+# This is a Debian-specific change.
+log4j.appender.native_log=org.apache.log4j.LocalSyslogAppender
+log4j.appender.native_log.syslogName=shibboleth-sp
+log4j.appender.native_log.facility=24
+log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
diff --combined configs/shibd-debian.in
index a3c224b,59f0995..be513fd
--- a/configs/shibd-debian.in
+++ b/configs/shibd-debian.in
@@@ -7,8 -7,8 +7,8 @@@
# Default-Stop: 0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description: Starts the separate daemon used by the Shibboleth
- # Apache module to manage sessions and to retrieve
- # attributes from Shibboleth Identity Providers.
+ # Apache module to manage sessions and to retrieve
+ # attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah at stanford.edu>
@@@ -29,7 -29,6 +29,7 @@@ DAEMON=@-PREFIX-@/sbin/$NAM
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=@-PKGRUNDIR-@/$NAME.pid
DAEMON_OPTS=""
+DAEMON_USER=_shibd
# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"
@@@ -52,63 -51,30 +52,63 @@@ DAEMON_OPTS="$DAEMON_OPTS -w 30
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
+prepare_environment () {
+ # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system.
+ [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
+
+ # If $DAEMON_USER is set, try to run shibd as that user. However,
+ # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
+ # and the local administrator may not have made the server's private key
+ # readable by $DAEMON_USER. We therefore test first by running shibd -t
+ # and looking for the error code indicating that the private key could not
+ # be read. If we get that error, we fall back on running shibd as root.
+ if [ -n "$DAEMON_USER" ]; then
+ DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
+ if [ $? = 0 ] ; then
+ # openssl errstr 200100D (hex for 33558541) says:
+ # error:0200100D:system library:fopen:Permission denied
+ ERROR='ERROR OpenSSL : error code: 33558541 '
+ if echo "$DIAG" | fgrep -q "$ERROR" ; then
+ unset DAEMON_USER
+ echo "$NAME warning: file permissions require running as root"
+ else
+ chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
+ fi
+ else
+ unset DAEMON_USER
+ echo "$NAME error: unable to run config check as user $DAEMON_USER"
+ fi
+ unset DIAG
+ fi
+}
+
case "$1" in
start)
+ prepare_environment
+
# Don't start shibd if NO_START is set.
if [ "$NO_START" = 1 ] ; then
echo "Not starting $DESC (see /etc/default/$NAME)"
exit 0
fi
echo -n "Starting $DESC: "
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
- --retry TERM/30/KILL/5 --exec $DAEMON
+ --exec $DAEMON
echo "$NAME."
;;
restart|force-reload)
+ prepare_environment
+
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
- --exec $DAEMON
- sleep 1
- start-stop-daemon --start --quiet \
+ --retry TERM/30/KILL/5 --exec $DAEMON
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
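Review bot: In `prepare_environment`, the `else` branch runs `unset DAEMON_USER` before `echo "$NAME error: unable to run config check as user $DAEMON_USER"`, so the diagnostic always prints an empty user name; emit the message first: `echo "$NAME error: unable to run config check as user $DAEMON_USER"; unset DAEMON_USER`. Both failure branches then fall back to running shibd as root, which is the documented intent, but it means a broken `su` invocation (for example `$DAEMON` not being usable as a shell) silently removes the privilege separation rather than stopping the start; an opt-out in `/etc/default/$NAME` that turns the fallback into a hard failure would let administrators choose. `chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'` runs as root on every start over directories that `$DAEMON_USER` can write to afterwards, so it re-owns anything placed there in the meantime; restricting it to the directories themselves and the daemon's own files, or to a first-run migration, narrows that. `$DAEMON` and `$DAEMON_OPTS` are unquoted on the `su` line but quoted elsewhere in the function, and the enclosing `case` continues past the hunk.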
diff --combined schemas/Makefile.am
index 2651b14,f8c246f..4ed2cd8
--- a/schemas/Makefile.am
+++ b/schemas/Makefile.am
@@@ -1,18 -1,20 +1,19 @@@
- ## $Id: Makefile.am 3168 2009-10-31 20:34:11Z cantor $
+ ## $Id: Makefile.am 3293 2010-08-13 04:23:23Z cantor $
AUTOMAKE_OPTIONS = foreign
- pkgxmldir = $(datadir)/xml/@PACKAGE@
+ pkgxmldir = $(datadir)/xml/@PACKAGE_NAME@
schemafiles = \
shibboleth.xsd \
shibboleth-metadata-1.0.xsd \
shibboleth-2.0-native-sp-config.xsd \
+ shibboleth-2.0-native-sp-protocols.xsd \
+ shibboleth-2.0-sp-notify.xsd \
shibboleth-2.0-afp.xsd \
shibboleth-2.0-afp-mf-basic.xsd \
shibboleth-2.0-afp-mf-saml.xsd \
-- shibboleth-2.0-attribute-map.xsd \
- shibboleth-2.0-sp-notify.xsd
- WS-Trust.xsd
++ shibboleth-2.0-attribute-map.xsd
pkgxml_DATA = \
catalog.xml \
diff --combined schemas/catalog.xml.in
index d483854,ca7c797..fbb3fe3
--- a/schemas/catalog.xml.in
+++ b/schemas/catalog.xml.in
@@@ -2,13 -2,12 +2,14 @@@
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
<system systemId="urn:mace:shibboleth:metadata:1.0" uri="@-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd"/>
<system systemId="urn:mace:shibboleth:2.0:native:sp:config" uri="@-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"/>
+ <system systemId="urn:mace:shibboleth:2.0:native:sp:protocols" uri="@-PKGXMLDIR-@/shibboleth-2.0-native-sp-protocols.xsd"/>
+ <system systemId="urn:mace:shibboleth:2.0:sp:notify" uri="@-PKGXMLDIR-@/shibboleth-2.0-sp-notify.xsd"/>
<system systemId="urn:mace:shibboleth:2.0:afp" uri="@-PKGXMLDIR-@/shibboleth-2.0-afp.xsd"/>
<system systemId="urn:mace:shibboleth:2.0:afp:mf:basic" uri="@-PKGXMLDIR-@/shibboleth-2.0-afp-mf-basic.xsd"/>
<system systemId="urn:mace:shibboleth:2.0:afp:mf:saml" uri="@-PKGXMLDIR-@/shibboleth-2.0-afp-mf-saml.xsd"/>
<system systemId="urn:mace:shibboleth:2.0:attribute-map" uri="@-PKGXMLDIR-@/shibboleth-2.0-attribute-map.xsd"/>
- <system systemId="urn:mace:shibboleth:2.0:sp:notify" uri="@-PKGXMLDIR-@/shibboleth-2.0-sp-notify.xsd"/>
<system systemId="urn:mace:shibboleth:1.0" uri="@-PKGXMLDIR-@/shibboleth.xsd"/>
+ <!-- WS-Trust.xsd has been removed from the Debian package because of license problems
<system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust" uri="@-PKGXMLDIR-@/WS-Trust.xsd"/>
+ -->
</catalog>
--
Debian packaging for the 2.0 Apache Shibboleth SP