Bug#740603: /etc/shibboleth not created when not using libapache2-mod-shib2

[Cantor, Scott]

On 3/3/14, 4:56 PM, "Russ Allbery" <rra at debian.org> wrote:

>Am I correct in my understanding of the original bug report that the
>shibsp library actually requires /etc/shibboleth to work?  In other words,
>from a package perspective, should libshibsp depend on the configuration
>files (however provided)?  I was assuming that it was meaningful to use
>the library without it, but I never really investigated that assumption.

Strictly speaking it's not an absolute, but the default/only
implementation of the configuration layer of the library does depend on
the XML-based mechanism to do that. Where it lives is arbitrary, but the
use of etc/shibboleth is compiled in as a default.

>It sounds like the latter more accurately reflects the real underlying
>dependencies and requirements.

I think that's true.

>I am a little worried about downgrading
>the shibd dependency in libapache2-mod-shib2 to recommends; maybe it
>should stay as depends for now even though it's possible to run shibd on a
>different host?

I think you can leave that, particularly if all that's installing is shibd
+ init script. It's possible, but ultimately impractical to run shibd
remotely at any scale, leads to security mistakes, and it's an explicit
requirement of the Apache half that a shibd be used, which leads me to
believe requiring it is the best choice.

-- Scott