[SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, master, updated. debian/2.4.3+dfsg-5-35-ga1d4225
Russ Allbery
rra at debian.org
Fri May 31 22:59:10 UTC 2013
The following commit has been merged in the master branch:
commit 0767db8e0d43ea8e9d16d082ad58cdeade4109d9
Author: Russ Allbery <rra at debian.org>
Date: Fri May 31 15:55:03 2013 -0700
Update README.Debian for the new release and Apache 2.4
* Update libapache2-mod-shib2's README.Debian:
- Use the Apache 2.4 authorization syntax.
- Mention possibly having to grant access to /Shibboleth.sso.
- The module is now enabled by default but still needs configuration.
- Update the upstream configuration documentation URL.
- The reason for switching native.logger to syslog is now obsolete
(but the package still does that, possibly to be reconsidered
later).
diff --git a/debian/changelog b/debian/changelog
index ddb4cfb..c2ea017 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -41,6 +41,14 @@ shibboleth-sp2 (2.5.1+dfsg-1) UNRELEASED; urgency=low
handled more smoothly.
- SP initialization now fails if an external session cache is
configured but cannot be opened.
+ * Update libapache2-mod-shib2's README.Debian:
+ - Use the Apache 2.4 authorization syntax.
+ - Mention possibly having to grant access to /Shibboleth.sso.
+ - The module is now enabled by default but still needs configuration.
+ - Update the upstream configuration documentation URL.
+ - The reason for switching native.logger to syslog is now obsolete
+ (but the package still does that, possibly to be reconsidered
+ later).
* Remove the (undefined) warn_log destination from the default
native.logger configuration file, restoring consistency with the
Debian modification to log to syslog. Since all native logs go to
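Review bot: The new changelog entry lists five README.Debian changes, but the README diff in this same commit also deletes the paragraph that pointed 1.x users to libapache-mod-shib, and that removal is not mentioned. Add a sub-item for it (for example "- Remove the pointer to the 1.x libapache-mod-shib package.") so the changelog matches what the commit changes.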
diff --git a/debian/libapache2-mod-shib2.README.Debian b/debian/libapache2-mod-shib2.README.Debian
index ab0b6d2..6ac5d32 100644
--- a/debian/libapache2-mod-shib2.README.Debian
+++ b/debian/libapache2-mod-shib2.README.Debian
@@ -10,15 +10,17 @@ Introduction
either one that the Shibboleth SP points to directly or one that is part
of a federation that is trusted by the Shibboleth SP.
- This is the Shibboleth 2 version of the SP. For the 1.x version of
- the Shibboleth SP (if it is still available), see libapache-mod-shib.
-
Installation and Configuration
- After installing this package, the module is available but not enabled.
- It's not enabled automatically since some configuration is required
- before it will work (at least creating a certificate for the SP to use
- to authenticate to IdPs).
+ The following instructions assume use of the Apache 2.4 access
+ restriction syntax. If you are still using the earlier Allow/Deny
+ directives, you may need to use "Allow from all" instead of or in
+ addition to "Require all granted".
+
+ After installing this package, the module is enabled but not properly
+ configured. At least some manual configuration will be required before
+ the module can be used, such as creating a certificate for the SP to use
+ to authenticate to IdPs.
To generate a self-signed certificate for the Shibboleth SP, run
shib-keygen. See its manual page for more information. This may or may
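Review bot: In the new opening paragraph, 'instead of or in addition to "Require all granted"' leaves the reader to guess which case applies, and "in addition to" reads as a suggestion to combine the old Allow/Deny directives with Require in one block. Suggest stating plainly that a site still on the earlier syntax replaces "Require all granted" with "Allow from all" in the examples, and describing the "in addition to" case separately with the condition under which it is needed. The following paragraph now says the module is enabled but not properly configured; a sentence on what an administrator should expect from Apache in that state would help, since the old text's reason for leaving it disabled is gone.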
@@ -26,6 +28,14 @@ Installation and Configuration
joining; some federations may want you to follow other procedures for
generating a certificate.
+ If you use a restrictive Apache configuration that denies access to all
+ URLs by default, you will need to grant access to any authenticated
+ Shibboleth client to the /Shibboleth.sso URL. For example:
+
+ <Location "/Shibboleth.sso">
+ Require all granted
+ </Location>
+
The default error messages from Shibboleth are located in
/etc/shibboleth/*.html. The paths to those error messages are
configured in /etc/shibboleth/shibboleth2.xml in the <Errors> tag. If
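Review bot: The added paragraph says to grant access "to any authenticated Shibboleth client", but the example beneath it is "Require all granted", which admits every client whether authenticated or not. The prose and the example should agree. If the intent is that /Shibboleth.sso has to be reachable before a session exists, say "grant all clients access to the /Shibboleth.sso URL"; if the intent really is authenticated clients only, the example needs a different Require line. It would also help to say that this block opens everything under /Shibboleth.sso, so readers with a deny-by-default policy understand the scope of the exception they are adding.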
@@ -36,7 +46,7 @@ Installation and Configuration
/shibboleth-sp), add this to your Apache configuration:
<Location /shibboleth-sp>
- Allow from all
+ Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
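Review bot: Style point on the changed block: the new /Shibboleth.sso example earlier in this file quotes its path (<Location "/Shibboleth.sso">) while this one stays unquoted (<Location /shibboleth-sp>). Pick one form for both examples so readers copying them into the same configuration do not wonder whether the difference matters.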
@@ -64,10 +74,9 @@ Installation and Configuration
Changes in Debian Package
The logging configuration for the native.log file has been changed to
- use syslog, since the upstream default tries to write to a file that
- Apache has no privileges to write to. See /etc/shibboleth/native.logger
- for more details. If you want the other parts of Shibboleth to also log
- to syslog, change the other /etc/shibboleth/*.logger files similarly.
+ use syslog. See /etc/shibboleth/native.logger for more details. If you
+ want the other parts of Shibboleth to also log to syslog, change the
+ other /etc/shibboleth/*.logger files similarly.
The WS-Trust.xsd schema, which is needed if you use the ADFS support
and turn on schema validation, was removed from the Debian package for
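Review bot: With the "since the upstream default tries to write to a file that Apache has no privileges to write to" clause removed, the paragraph now records that Debian changed native.log to syslog without giving any reason. The commit message says the original reason is obsolete and the choice may be reconsidered; a short version of that belongs in the README too (for example "This is a historical Debian change and may be revisited."), so an administrator comparing against upstream documentation knows the divergence is deliberate and what to expect.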
@@ -141,8 +150,6 @@ Further Information
For further installation information, see:
- https://spaces.internet2.edu/display/SHIB2/Home
-
- and in particular the "Configuration" link.
+ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
- -- Russ Allbery <rra at debian.org>, Fri, 31 May 2013 11:13:59 -0700
+ -- Russ Allbery <rra at debian.org>, Fri, 31 May 2013 15:52:13 -0700
--
Debian packaging for the 2.0 Apache Shibboleth SP