-Name: @PACKAGE@
+Name: @PACKAGE_NAME@
Version: @PACKAGE_VERSION@
Release: 1
-Summary: Open source system for attribute-based Web SSO
-Group: System Environment/Libraries
-Vendor: Internet2
+Summary: Open source system for attribute-based Web SSO
+Group: Productivity/Networking/Security
+Vendor: Internet2
License: Apache 2.0
URL: http://shibboleth.internet2.edu/
-Source: %{name}-sp-%{version}.tar.gz
+Source: %{name}-sp-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
-%if 0%{?suse_version} > 1030
-BuildRequires: libXerces-c-devel >= 2.8.0
-BuildRequires: libxml-security-c-devel >= 1.4.0
-BuildRequires: libxmltooling-devel >= 1.2
-BuildRequires: libsaml-devel >= 2.2
+Requires: openssl
+PreReq: xmltooling-schemas, opensaml-schemas
+%if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
+PreReq: %{insserv_prereq} %{fillup_prereq}
+BuildRequires: libXerces-c-devel >= 2.8.0
+%else
+BuildRequires: libxerces-c-devel >= 2.8.0
+%endif
+BuildRequires: libxml-security-c-devel >= 1.4.0
+BuildRequires: libxmltooling-devel >= 1.5
+BuildRequires: libsaml-devel >= 2.5
%{?_with_log4cpp:BuildRequires: liblog4cpp-devel >= 1.0}
%{!?_with_log4cpp:BuildRequires: liblog4shib-devel}
-%else
-BuildRequires: xerces%{?xercesver}-c-devel >= 2.8.0
-BuildRequires: xml-security-c-devel >= 1.4.0
-BuildRequires: xmltooling-devel >= 1.2
-BuildRequires: opensaml-devel >= 2.2
-%{?_with_log4cpp:BuildRequires: log4cpp-devel >= 1.0}
-%{!?_with_log4cpp:BuildRequires: log4shib-devel}
+%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
+Requires: libcurl-openssl >= 7.21.7
+BuildRequires: chrpath
%endif
-BuildRequires: gcc-c++
+BuildRequires: gcc-c++, zlib-devel, boost-devel >= 1.32.0
%{!?_without_doxygen:BuildRequires: doxygen}
%{!?_without_odbc:BuildRequires:unixODBC-devel}
-BuildRequires: zlib-devel
%{?_with_fastcgi:BuildRequires: fcgi-devel}
+%if 0%{?centos_version} >= 600
+BuildRequires: libmemcached-devel
+%endif
+%{?_with_memcached:BuildRequires: libmemcached-devel}
%if "%{_vendor}" == "redhat"
%{!?_without_builtinapache:BuildRequires: httpd-devel}
+BuildRequires: redhat-rpm-config
+Requires(pre): shadow-utils
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
%endif
%if "%{_vendor}" == "suse"
+Requires(pre): pwdutils
%{!?_without_builtinapache:BuildRequires: apache2-devel}
%endif
+%define runuser shibd
%if "%{_vendor}" == "suse"
%define pkgdocdir %{_docdir}/%{name}
%else
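Review bot: The `PreReq: %{insserv_prereq} %{fillup_prereq}` line sits inside the `%if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130` branch, but the SUSE `%post` later in this spec calls `%{fillup_only -n shibd}` and `%insserv_force_if_yast shibd` for every SUSE build. On SUSE releases outside that version range, the scriptlet helpers would run without being declared as install prerequisites. Moving the line into its own `%if "%{_vendor}" == "suse"` block would tie it to the scriptlets that need it rather than to the Xerces package naming.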
that supports multiple protocols, federated identity, and the extensible
exchange of rich attributes subject to privacy controls.
-This package contains the Shibboleth Service Provider runtime libraries
-and Apache module(s).
+This package contains the Shibboleth Service Provider runtime libraries,
+daemon, default plugins, and Apache module(s).
%package devel
-Summary: Shibboleth development Headers
-Group: Development/Libraries
-Requires: %{name} = %{version}
-%if 0%{?suse_version} > 1030
-Requires: libXerces-c-devel >= 2.8.0
-Requires: libxml-security-c-devel >= 1.4.0
-Requires: libxmltooling-devel >= 1.2
-Requires: libsaml-devel >= 2.2
-%{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
-%{!?_with_log4cpp:Requires: liblog4shib-devel}
+Summary: Shibboleth Development Headers
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}-%{release}
+%if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
+Requires: libXerces-c-devel >= 2.8.0
%else
-Requires: xerces%{?xercesver}-c-devel >= 2.8.0
-Requires: xml-security-c-devel >= 1.4.0
-Requires: xmltooling-devel >= 1.2
-Requires: opensaml-devel >= 2.2
-%{?_with_log4cpp:Requires: log4cpp-devel >= 1.0}
-%{!?_with_log4cpp:Requires: log4shib-devel}
+Requires: libxerces-c-devel >= 2.8.0
%endif
+Requires: libxml-security-c-devel >= 1.4.0
+Requires: libxmltooling-devel >= 1.5
+Requires: libsaml-devel >= 2.5
+%{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
+%{!?_with_log4cpp:Requires: liblog4shib-devel}
%description devel
Shibboleth is a Web Single Sign-On implementations based on OpenSAML
This package includes files needed for development with Shibboleth.
-
%prep
%setup -q
%build
-%configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{?_with_memcached} %{?shib_options}
+%if 0%{?centos_version} >= 600
+ %configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{!?_without_memcached:--with-memcached} %{?shib_options}
+%else
+ %configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{?_with_memcached} %{?shib_options}
+%endif
%{__make} pkgdocdir=%{pkgdocdir}
%install
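Review bot: The memcached build is keyed on `0%{?centos_version} >= 600` alone, both around `%configure` here and in the `BuildRequires: libmemcached-devel` block earlier in the spec, while the libcurl and chrpath handling tests `0%{?rhel} >= 6 || 0%{?centos_version} >= 600`. If `centos_version` is not defined on a RHEL 6 builder, the plugin the changelog describes as "Build memcache plugin on RH6" would not be built there. Using the same two-macro test in both places would keep them aligned. The BuildRequires is also unconditional on CentOS 6 even when `_without_memcached` is set, so `%{!?_without_memcached:BuildRequires: libmemcached-devel}` inside that `%if` would match the configure line.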
touch rpm.filelist
APACHE_CONFIG="no"
if [ -f $RPM_BUILD_ROOT%{_libdir}/%{name}/mod_shib_13.so ] ; then
- APACHE_CONFIG="apache.config"
+ APACHE_CONFIG="apache.config"
fi
if [ -f $RPM_BUILD_ROOT%{_libdir}/%{name}/mod_shib_20.so ] ; then
- APACHE_CONFIG="apache2.config"
+ APACHE_CONFIG="apache2.config"
fi
if [ -f $RPM_BUILD_ROOT%{_libdir}/%{name}/mod_shib_22.so ] ; then
- APACHE_CONFIG="apache22.config"
+ APACHE_CONFIG="apache22.config"
+fi
+if [ -f $RPM_BUILD_ROOT%{_libdir}/%{name}/mod_shib_24.so ] ; then
+ APACHE_CONFIG="apache24.config"
fi
%{?_without_builtinapache:APACHE_CONFIG="no"}
if [ "$APACHE_CONFIG" != "no" ] ; then
- APACHE_CONFD="no"
- if [ -d %{_sysconfdir}/httpd/conf.d ] ; then
- APACHE_CONFD="%{_sysconfdir}/httpd/conf.d"
- fi
- if [ -d %{_sysconfdir}/apache2/conf.d ] ; then
- APACHE_CONFD="%{_sysconfdir}/apache2/conf.d"
- fi
- if [ "$APACHE_CONFD" != "no" ] ; then
- %{__mkdir} -p $RPM_BUILD_ROOT$APACHE_CONFD
- %{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf
- echo "%config $APACHE_CONFD/shib.conf" > rpm.filelist
- fi
+ APACHE_CONFD="no"
+ if [ -d %{_sysconfdir}/httpd/conf.d ] ; then
+ APACHE_CONFD="%{_sysconfdir}/httpd/conf.d"
+ fi
+ if [ -d %{_sysconfdir}/apache2/conf.d ] ; then
+ APACHE_CONFD="%{_sysconfdir}/apache2/conf.d"
+ fi
+ if [ "$APACHE_CONFD" != "no" ] ; then
+ %{__mkdir} -p $RPM_BUILD_ROOT$APACHE_CONFD
+ %{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf
+ echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
+ fi
+fi
+
+# Establish location of sysconfig file, if any.
+SYSCONFIG_SHIBD="no"
+%if "%{_vendor}" == "redhat"
+ %{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+ echo "%config(noreplace) %{_sysconfdir}/sysconfig/shibd" >> rpm.filelist
+ SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/shibd"
+%endif
+%if "%{_vendor}" == "suse"
+ %{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates
+ echo "%{_localstatedir}/adm/fillup-templates/sysconfig.shibd" >> rpm.filelist
+ SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.shibd"
+%endif
+if [ "$SYSCONFIG_SHIBD" != "no" ] ; then
+ # Populate the sysconfig file.
+ cat > $SYSCONFIG_SHIBD <<EOF
+# Shibboleth SP init script customization
+
+# User account for shibd
+SHIBD_USER=%{runuser}
+EOF
+ %if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
+ cat >> $SYSCONFIG_SHIBD <<EOF
+
+# Override OS-supplied libcurl
+export LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}
+EOF
+ # Strip existing rpath to libcurl.
+ chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
+ chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
+ chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
+ %endif
fi
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "suse"
# %{_initddir} not yet in RHEL5, use deprecated %{_initrddir}
- mkdir -p $RPM_BUILD_ROOT%{_initrddir}
- %{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-%{_vendor} $RPM_BUILD_ROOT%{_initrddir}/shibd
- %{__chmod} 755 $RPM_BUILD_ROOT%{_initrddir}/shibd
+ install -d -m 0755 $RPM_BUILD_ROOT%{_initrddir}
+ install -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-%{_vendor} $RPM_BUILD_ROOT%{_initrddir}/shibd
+%if "%{_vendor}" == "suse"
+ install -d -m 0755 $RPM_BUILD_ROOT/%{_sbindir}
+ %{__ln_s} -f %{_initrddir}/shibd $RPM_BUILD_ROOT%{_sbindir}/rcshibd
+%endif
%endif
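Review bot: The generated sysconfig file exports `LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}` and the three `chrpath -d` calls remove the embedded rpath, so on RHEL/CentOS 6 the libraries shibd resolves first depend entirely on an environment variable set in an admin-editable `%config(noreplace)` file. That makes the ownership and mode of `/opt/shibboleth/%{_lib}` part of the daemon's trust boundary, and nothing in the visible spec states who owns it. I would add a line to the heredoc such as `# /opt/shibboleth/%{_lib} must be root-owned and not writable by SHIBD_USER`. `mdquery` and `resolvertest` are stripped as well but are presumably not started through the init script, so they would pick up the OS libcurl unless the caller sets the variable by hand, which is worth stating in the same comment. The `%install` script starts before the lines shown here.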
%check
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && %{__rm} -rf $RPM_BUILD_ROOT
+%pre
+getent group %{runuser} >/dev/null || groupadd -r %{runuser}
+getent passwd %{runuser} >/dev/null || useradd -r -g %{runuser} \
+ -d %{_localstatedir}/run/%{name} -s /sbin/nologin -c "Shibboleth SP daemon" %{runuser}
+exit 0
+
%post
%ifnos solaris2.8 solaris2.9 solaris2.10
/sbin/ldconfig
%endif
-# Key generation
+# Key generation or ownership fix
cd %{_sysconfdir}/%{name}
-sh ./keygen.sh -b
+if [ -f sp-key.pem ] ; then
+ %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
+else
+ sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+fi
+
+# Fix ownership of log files (even on new installs, if they're left from an older one).
+%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :
%if "%{_vendor}" == "redhat"
+ if [ "$1" -gt "1" ] ; then
+ # On Red Hat with shib.conf installed, clean up old Alias commands
+ # by pointing them at new version-independent /usr/share/share tree.
+ # Any Aliases we didn't create we assume are custom files.
+ # This is to accomodate making shib.conf a noreplace config file.
+ # We can't do this for SUSE, because they disallow changes to
+ # packaged files in scriplets.
+ APACHE_CONF="no"
+ if [ -f %{_sysconfdir}/httpd/conf.d/shib.conf ] ; then
+ APACHE_CONF="%{_sysconfdir}/httpd/conf.d/shib.conf"
+ fi
+ if [ "$APACHE_CONF" != "no" ] ; then
+ %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/main\.css/\/usr\/share\/shibboleth\/main.css/g" \
+ $APACHE_CONF
+ %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/logo\.jpg/\/usr\/share\/shibboleth\/logo.jpg/g" \
+ $APACHE_CONF
+ fi
+ fi
+
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add shibd
+
# On upgrade, restart components if they're already running.
- if [ "$1" -gt "1" ] ; then
- /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
- %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
- fi
+ # This gets repeated now down in %postun, and the next release
+ # should remove this copy. If we yank it now, we'll break upgrades.
+ if [ "$1" -gt "1" ] ; then
+ /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
+ %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
+ exit 0
+ fi
%endif
%if "%{_vendor}" == "suse"
- # This adds the proper /etc/rc*.d links for the script
- /sbin/chkconfig --add shibd
- cd /usr/sbin && ln -s /etc/init.d/shibd rcshibd
- # On upgrade, restart components if they're already running.
- if [ "$1" -gt "1" ] ; then
- /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
- %{!?_without_builtinapache:/etc/init.d/apache2 status 1>/dev/null && /etc/init.d/apache2 restart 1>/dev/null}
- fi
+ # This adds the proper /etc/rc*.d links for the script
+ # and populates the sysconfig/shibd file.
+ cd /
+ %{fillup_only -n shibd}
+ %insserv_force_if_yast shibd
%endif
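Review bot: The log ownership fix `%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :` runs as root over a directory that `%files` assigns to the `shibd` account (`%attr(0750,%{runuser},%{runuser})`), and plain `chown` dereferences symbolic links. On every upgrade the scriptlet therefore acts on names that the unprivileged daemon account controls, and a link in that directory would have its target's ownership changed. Passing `-h` and limiting the operation to regular files closes this, for example `find %{_localstatedir}/log/%{name} -maxdepth 1 -type f -exec %{__chown} -h %{runuser}:%{runuser} {} + 2>/dev/null || :`. The key branch above it works in the package's config directory, which is presumably root-owned, but it leaves the mode of an existing `sp-key.pem` as found. Adding `%{__chmod} 0600 sp-key.pem` there would cover keys left by older installs, if `keygen.sh` did not already restrict them.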
%preun
+# On final removal, stop shibd and remove service, restart Apache if running.
%if "%{_vendor}" == "redhat"
- if [ "$1" = 0 ] ; then
+ if [ "$1" -eq 0 ] ; then
/sbin/service shibd stop >/dev/null 2>&1
/sbin/chkconfig --del shibd
+ %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
fi
%endif
%if "%{_vendor}" == "suse"
- if [ "$1" = 0 ] ; then
- /sbin/service shibd stop >/dev/null 2>&1
- /sbin/chkconfig --del shibd
- cd /usr/sbin && %{__rm} -f rcshibd
- fi
+ %stop_on_removal shibd
+ if [ "$1" -eq 0 ] ; then
+ %{!?_without_builtinapache:/etc/init.d/apache2 status 1>/dev/null && /etc/init.d/apache2 restart 1>/dev/null}
+ fi
%endif
+exit 0
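Review bot: The Apache restart added to the final-removal branch of `%preun` runs while the module and `shib.conf` are still on disk, because rpm removes the package's files only after `%preun` returns. The restarted server therefore loads mod_shib again, now with shibd stopped, and keeps it mapped after the files are deleted. If the intent is to leave Apache running without the module, the restart belongs in `%postun` under `[ "$1" -eq 0 ]`. The Red Hat `%postun` block below currently restarts only when `$1` is `-ge 1`.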
+%postun
%ifnos solaris2.8 solaris2.9 solaris2.10
-%postun -p /sbin/ldconfig
+/sbin/ldconfig
+%endif
+%if "%{_vendor}" == "redhat"
+ # On upgrade, restart components if they're already running.
+ if [ "$1" -ge "1" ] ; then
+ /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
+ %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
+ exit 0
+ fi
+%endif
+%if "%{_vendor}" == "suse"
+ cd /
+ %restart_on_update shibd
+ %{!?_without_builtinapache:%restart_on_update apache2}
+ %{insserv_cleanup}
%endif
%posttrans
# ugly hack if init script got removed during %postun by upgraded (buggy/2.1) package
%if "%{_vendor}" == "redhat"
- if [ ! -f %{_initrddir}/shibd ] ; then
- if [ -f %{_sysconfdir}/%{name}/shibd-%{_vendor} ] ; then
- %{__cp} -p %{_sysconfdir}/%{name}/shibd-%{_vendor} %{_initrddir}/shibd
- %{__chmod} 755 %{_initrddir}/shibd
- /sbin/chkconfig --add shibd
- fi
- fi
+ if [ ! -f %{_initrddir}/shibd ] ; then
+ if [ -f %{_sysconfdir}/%{name}/shibd-%{_vendor} ] ; then
+ %{__cp} -p %{_sysconfdir}/%{name}/shibd-%{_vendor} %{_initrddir}/shibd
+ %{__chmod} 755 %{_initrddir}/shibd
+ /sbin/chkconfig --add shibd
+ fi
+fi
%endif
%files -f rpm.filelist
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/*
%exclude %{_libdir}/%{name}/*.la
-%dir %{_localstatedir}/log/%{name}
-%dir %{_localstatedir}/run/%{name}
+%attr(0750,%{runuser},%{runuser}) %dir %{_localstatedir}/log/%{name}
+%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/run/%{name}
+%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/cache/%{name}
%dir %{_datadir}/xml/%{name}
%{_datadir}/xml/%{name}/*
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/*
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/*.xml
%config(noreplace) %{_sysconfdir}/%{name}/*.html
%config(noreplace) %{_sysconfdir}/%{name}/*.logger
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "suse"
-%attr(755, root, root) %{_initrddir}/shibd
+%config %{_initrddir}/shibd
+%endif
+%if "%{_vendor}" == "suse"
+%{_sbindir}/rcshibd
%endif
%{_sysconfdir}/%{name}/*.dist
%{_sysconfdir}/%{name}/apache*.config
%{_sysconfdir}/%{name}/shibd-*
-%attr(755, root, root) %{_sysconfdir}/%{name}/keygen.sh
-%attr(755, root, root) %{_sysconfdir}/%{name}/metagen.sh
+%attr(0755,root,root) %{_sysconfdir}/%{name}/keygen.sh
+%attr(0755,root,root) %{_sysconfdir}/%{name}/metagen.sh
%{_sysconfdir}/%{name}/*.xsl
%doc %{pkgdocdir}
%exclude %{pkgdocdir}/api
%doc %{pkgdocdir}/api
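Review bot: Replacing `%attr(755, root, root) %{_initrddir}/shibd` with a bare `%config %{_initrddir}/shibd` drops the explicit owner and mode on a script that init runs as root. Both now depend on the `install -m 0755` in `%install` and on whatever `%defattr` is in effect, which is not visible in these lines. Writing `%attr(0755,root,root) %config %{_initrddir}/shibd` keeps the pin and the config marking together, matching the `%attr(0755,root,root)` form kept for `keygen.sh` and `metagen.sh`.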
%changelog
+* Thu Mar 1 2012 Scott Cantor <cantor.2@osu.edu> - 2.5-1
+- Move logo and stylesheet to version-independent tree
+- Make shib.conf noreplace
+- Post-fixup of Alias commands in older shib.conf
+- Changes to run shibd as non-root shibboleth user
+- Move init customizations to /etc/sysconfig/shibd
+- Copy shibd restart for Red Hat to postun
+- Add boost-devel dependency
+- Build memcache plugin on RH6
+- Add cachedir to install
+- Add Apache 2.4 to install
+
+* Sun Jun 26 2011 Scott Cantor <cantor.2@osu.edu> - 2.4.3-1
+- Log files shouldn't be world readable.
+- Explicit requirement for libcurl-openssl on RHEL6
+- Uncomment LD_LIBRARY_PATH in init script for RHEL6
+- Remove rpath from binaries for RHEL6
+
+* Fri Dec 25 2009 Scott Cantor <cantor.2@osu.edu> - 2.4-1
+- Update dependencies.
+
+* Mon Nov 23 2009 Scott Cantor <cantor.2@osu.edu> - 2.3.1-1
+- Reset revision for 2.3.1 release
+
+* Wed Aug 19 2009 Scott Cantor <cantor.2@osu.edu> - 2.2.1-2
+- SuSE init script changes
+- Restart Apache on removal, not just upgrade
+- Fix scriptlet exit values when Apache is stopped
+
* Mon Aug 10 2009 Scott Cantor <cantor.2@osu.edu> - 2.2.1-1
- Doc handling changes
- SuSE init script