Version: @PACKAGE_VERSION@
Summary: Open source system for attribute-based Web SSO
Group: Productivity/Networking/Security
Vendor: Shibboleth Consortium
URL: http://shibboleth.net/
Source: %{name}-sp-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-sp-%{version}-root
Obsoletes: shibboleth-sp = 2.5.0

%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600 || 0%{?amzn} >= 1
PreReq: xmltooling-schemas%{?_isa} >= 1.5.0, opensaml-schemas%{?_isa} >= 2.5.0
%else
PreReq: xmltooling-schemas >= 1.5.0, opensaml-schemas >= 2.5.0
%endif
%if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
PreReq: %{insserv_prereq} %{fillup_prereq}
BuildRequires: libXerces-c-devel >= 2.8.0
%else
%if 0%{?rhel} >= 7 || 0%{?centos_version} >= 700
BuildRequires: xerces-c-devel >= 2.8.0
%else
BuildRequires: libxerces-c-devel >= 2.8.0
%endif
%endif
BuildRequires: libxml-security-c-devel >= 1.4.0
BuildRequires: libxmltooling-devel >= 1.5.0
BuildRequires: libsaml-devel >= 2.5.0
%{?_with_log4cpp:BuildRequires: liblog4cpp-devel >= 1.0}
%{!?_with_log4cpp:BuildRequires: liblog4shib-devel >= 1.0.4}
%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600 || 0%{?amzn} >= 1
Requires: libcurl-openssl%{?_isa} >= 7.21.7
BuildRequires: chrpath
%endif
%if 0%{?suse_version} > 1300
BuildRequires: libtool
%endif
BuildRequires: gcc-c++, zlib-devel, boost-devel >= 1.32.0
%{!?_without_gssapi:BuildRequires: krb5-devel}
%{!?_without_doxygen:BuildRequires: doxygen}
%{!?_without_odbc:BuildRequires: unixODBC-devel}
%{?_with_fastcgi:BuildRequires: fcgi-devel}
%if 0%{?centos_version} >= 600
BuildRequires: libmemcached-devel
%endif
%{?_with_memcached:BuildRequires: libmemcached-devel}
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600 || 0%{?amzn} >= 1
%{!?_without_builtinapache:BuildRequires: httpd-devel%{?_isa}}
%else
%{!?_without_builtinapache:BuildRequires: httpd-devel}
%endif
BuildRequires: redhat-rpm-config
Requires(pre): shadow-utils
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
%endif
%if "%{_vendor}" == "suse"
Requires(pre): pwdutils
%{!?_without_builtinapache:BuildRequires: apache2-devel}
%endif

%if "%{_vendor}" == "suse"
%define pkgdocdir %{_docdir}/shibboleth
%else
%define pkgdocdir %{_docdir}/shibboleth-%{version}
%endif

%description
Shibboleth is a Web Single Sign-On implementation based on OpenSAML
that supports multiple protocols, federated identity, and the extensible
exchange of rich attributes subject to privacy controls.

This package contains the Shibboleth Service Provider runtime libraries,
daemon, default plugins, and Apache module(s).

%package devel
Summary: Shibboleth Development Headers
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}-%{release}
Obsoletes: shibboleth-sp-devel = 2.5.0
%if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
Requires: libXerces-c-devel >= 2.8.0
%else
%if 0%{?rhel} >= 7 || 0%{?centos_version} >= 700
Requires: xerces-c-devel >= 2.8.0
%else
Requires: libxerces-c-devel >= 2.8.0
%endif
%endif
Requires: libxml-security-c-devel >= 1.4.0
Requires: libxmltooling-devel >= 1.5.0
Requires: libsaml-devel >= 2.5.0
%{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
%{!?_with_log4cpp:Requires: liblog4shib-devel >= 1.0.4}

%description devel
Shibboleth is a Web Single Sign-On implementation based on OpenSAML
that supports multiple protocols, federated identity, and the extensible
exchange of rich attributes subject to privacy controls.

This package includes files needed for development with Shibboleth.

%prep
%setup -n %{name}-sp-%{version}

%build
%if 0%{?centos_version} >= 600
%configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{!?_without_gssapi:--with-gssapi} %{!?_without_memcached:--with-memcached} %{?shib_options}
%else
%configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{!?_without_gssapi:--with-gssapi} %{?_with_memcached} %{?shib_options}
%endif
%{__make} pkgdocdir=%{pkgdocdir}

%install
%{__make} install NOKEYGEN=1 DESTDIR=$RPM_BUILD_ROOT pkgdocdir=%{pkgdocdir}

%if "%{_vendor}" == "suse"
%{__sed} -i "s/\/var\/log\/httpd/\/var\/log\/apache2/g" \
    $RPM_BUILD_ROOT%{_sysconfdir}/shibboleth/native.logger
%endif

# Plug the SP into the built-in Apache on a recognized system.
# The last module found wins, so the newest Apache version takes precedence.
APACHE_CONFIG="no"
if [ -f $RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_13.so ] ; then
    APACHE_CONFIG="apache.config"
fi
if [ -f $RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_20.so ] ; then
    APACHE_CONFIG="apache2.config"
fi
if [ -f $RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_22.so ] ; then
    APACHE_CONFIG="apache22.config"
fi
if [ -f $RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_24.so ] ; then
    APACHE_CONFIG="apache24.config"
fi
%{?_without_builtinapache:APACHE_CONFIG="no"}
if [ "$APACHE_CONFIG" != "no" ] ; then
    APACHE_CONFD="no"
    if [ -d %{_sysconfdir}/httpd/conf.d ] ; then
        APACHE_CONFD="%{_sysconfdir}/httpd/conf.d"
    fi
    if [ -d %{_sysconfdir}/apache2/conf.d ] ; then
        APACHE_CONFD="%{_sysconfdir}/apache2/conf.d"
    fi
    if [ "$APACHE_CONFD" != "no" ] ; then
        %{__mkdir} -p $RPM_BUILD_ROOT$APACHE_CONFD
        %{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/shibboleth/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf
        echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
    fi
fi

# Establish location of sysconfig file, if any.
SYSCONFIG_SHIBD="no"
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
echo "%config(noreplace) %{_sysconfdir}/sysconfig/shibd" >> rpm.filelist
SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/shibd"
%endif
%if "%{_vendor}" == "suse"
%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates
echo "%{_localstatedir}/adm/fillup-templates/sysconfig.shibd" >> rpm.filelist
SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.shibd"
%endif
if [ "$SYSCONFIG_SHIBD" != "no" ] ; then
    # Populate the sysconfig file.
    cat > $SYSCONFIG_SHIBD <<EOF
# Shibboleth SP init script customization

# User account for shibd
SHIBD_USER=%{runuser}
EOF
%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600 || 0%{?amzn} >= 1
    cat >> $SYSCONFIG_SHIBD <<EOF

# Override OS-supplied libcurl
export LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}
EOF
    # Strip existing rpath to libcurl.
    chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
    chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
    chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
%endif
fi

%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon" || "%{_vendor}" == "suse"
# %{_initddir} not yet in RHEL5, use deprecated %{_initrddir}
install -d -m 0755 $RPM_BUILD_ROOT%{_initrddir}
install -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/shibboleth/shibd-%{_vendor} $RPM_BUILD_ROOT%{_initrddir}/shibd
%if "%{_vendor}" == "suse"
install -d -m 0755 $RPM_BUILD_ROOT/%{_sbindir}
%{__ln_s} -f %{_initrddir}/shibd $RPM_BUILD_ROOT%{_sbindir}/rcshibd
%endif
%endif

%clean
[ "$RPM_BUILD_ROOT" != "/" ] && %{__rm} -rf $RPM_BUILD_ROOT

%pre
# Create the unprivileged service account (system group and user, no login shell).
getent group %{runuser} >/dev/null || groupadd -r %{runuser}
getent passwd %{runuser} >/dev/null || useradd -r -g %{runuser} \
    -d %{_localstatedir}/run/shibboleth -s /sbin/nologin -c "Shibboleth SP daemon" %{runuser}

%post
%ifnos solaris2.8 solaris2.9 solaris2.10 solaris2.11
/sbin/ldconfig
%endif

# Key generation or ownership fix
cd %{_sysconfdir}/shibboleth
if [ -f sp-key.pem ] ; then
    %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
else
    sh ./keygen.sh -b -u %{runuser} -g %{runuser}
fi

# Fix ownership of log files (even on new installs, if they're left from an older one).
%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/shibboleth/* 2>/dev/null || :

%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
if [ "$1" -gt "1" ] ; then
    # On Red Hat with shib.conf installed, clean up old Alias commands
    # by pointing them at new version-independent /usr/share/shibboleth tree.
    # Any Aliases we didn't create we assume are custom files.
    # This is to accommodate making shib.conf a noreplace config file.
    # We can't do this for SUSE, because they disallow changes to
    # packaged files in scriptlets.
    APACHE_CONF="no"
    if [ -f %{_sysconfdir}/httpd/conf.d/shib.conf ] ; then
        APACHE_CONF="%{_sysconfdir}/httpd/conf.d/shib.conf"
    fi
    if [ "$APACHE_CONF" != "no" ] ; then
        %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/main\.css/\/usr\/share\/shibboleth\/main.css/g" \
            $APACHE_CONF
        %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/logo\.jpg/\/usr\/share\/shibboleth\/logo.jpg/g" \
            $APACHE_CONF
    fi
fi

# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add shibd
%endif
%if "%{_vendor}" == "suse"
# This adds the proper /etc/rc*.d links for the script
# and populates the sysconfig/shibd file.
%{fillup_only -n shibd}
%insserv_force_if_yast shibd
%endif

%preun
# On final removal, stop shibd and remove service, restart Apache if running.
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
if [ "$1" -eq 0 ] ; then
    /sbin/service shibd stop >/dev/null 2>&1
    /sbin/chkconfig --del shibd
    %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
fi
%endif
%if "%{_vendor}" == "suse"
%stop_on_removal shibd
if [ "$1" -eq 0 ] ; then
    %{!?_without_builtinapache:/etc/init.d/apache2 status 1>/dev/null && /etc/init.d/apache2 restart 1>/dev/null}
fi
%endif
# A stopped Apache makes the status check return non-zero; don't fail the scriptlet.
exit 0

%postun
%ifnos solaris2.8 solaris2.9 solaris2.10 solaris2.11
/sbin/ldconfig
%endif
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
# On upgrade, restart components if they're already running.
if [ "$1" -ge "1" ] ; then
    /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
    %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
fi
%endif
%if "%{_vendor}" == "suse"
%restart_on_update shibd
%{!?_without_builtinapache:%restart_on_update apache2}
%endif
# A stopped service makes the status check return non-zero; don't fail the scriptlet.
exit 0

%posttrans
# ugly hack if init script got removed during %postun by upgraded (buggy/2.1) package
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
if [ ! -f %{_initrddir}/shibd ] ; then
    if [ -f %{_sysconfdir}/shibboleth/shibd-%{_vendor} ] ; then
        %{__cp} -p %{_sysconfdir}/shibboleth/shibd-%{_vendor} %{_initrddir}/shibd
        %{__chmod} 755 %{_initrddir}/shibd
        /sbin/chkconfig --add shibd
    fi
fi
%endif

%files -f rpm.filelist
%defattr(-,root,root,-)
%{_sbindir}/shibd
%{_bindir}/mdquery
%{_bindir}/resolvertest
%{_libdir}/libshibsp.so.*
%{_libdir}/libshibsp-lite.so.*
%dir %{_libdir}/shibboleth
%{_libdir}/shibboleth/*
%attr(0750,%{runuser},%{runuser}) %dir %{_localstatedir}/log/shibboleth
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon" || "%{_vendor}" == "suse"
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon"
%attr(0750,apache,apache) %dir %{_localstatedir}/log/shibboleth-www
%endif
%if "%{_vendor}" == "suse"
%attr(0750,wwwrun,www) %dir %{_localstatedir}/log/shibboleth-www
%endif
%else
%attr(0750,-,-) %dir %{_localstatedir}/log/shibboleth-www
%endif
%if 0%{?suse_version} < 1300
%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/run/shibboleth
%endif
%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/cache/shibboleth
%dir %{_datadir}/xml/shibboleth
%{_datadir}/xml/shibboleth/*
%dir %{_datadir}/shibboleth
%{_datadir}/shibboleth/*
%dir %{_sysconfdir}/shibboleth
%config(noreplace) %{_sysconfdir}/shibboleth/*.xml
%config(noreplace) %{_sysconfdir}/shibboleth/*.html
%config(noreplace) %{_sysconfdir}/shibboleth/*.logger
%if "%{_vendor}" == "redhat" || "%{_vendor}" == "amazon" || "%{_vendor}" == "suse"
%config %{_initrddir}/shibd
%endif
%if "%{_vendor}" == "suse"
%{_sbindir}/rcshibd
%endif
%{_sysconfdir}/shibboleth/*.dist
%{_sysconfdir}/shibboleth/apache*.config
%{_sysconfdir}/shibboleth/shibd-*
%attr(0755,root,root) %{_sysconfdir}/shibboleth/keygen.sh
%attr(0755,root,root) %{_sysconfdir}/shibboleth/metagen.sh
%{_sysconfdir}/shibboleth/*.xsl
%exclude %{pkgdocdir}/api

%files devel
%defattr(-,root,root,-)
%{_libdir}/libshibsp.so
%{_libdir}/libshibsp-lite.so
%doc %{pkgdocdir}/api

%changelog
* Wed Feb 25 2015 Scott Cantor <cantor.2@osu.edu> - 2.5.4-1
- Add Amazon VM support
- Add a separate native logging directory

* Mon Nov 17 2014 Scott Cantor <cantor.2@osu.edu> - 2.5.3-2
- Add libtool dep for OpenSUSE 13
- Remove /var/run/shibboleth for OpenSUSE 13

* Tue May 13 2014 Ian Young <ian@iay.org.uk> - 2.5.3-1.2
- Update package dependencies for RHEL/CentOS 7
- Fix bogus dates in changelog

* Sat Jun 8 2013 Scott Cantor <cantor.2@osu.edu> - 2.5.2-1
- Add --with-gssapi using MIT K5 by default

* Tue Sep 25 2012 Scott Cantor <cantor.2@osu.edu> - 2.5.1-1
- Merge back various changes used in released packages
- Prep for 2.5.1 by pulling extra restart out

* Tue Aug 7 2012 Scott Cantor <cantor.2@osu.edu> - 2.5.0-2
- Changed package name back to shibboleth because of upgrade bugs
- Put back extra restart for this release only.

* Thu Mar 1 2012 Scott Cantor <cantor.2@osu.edu> - 2.5.0-1
- Move logo and stylesheet to version-independent tree
- Make shib.conf noreplace
- Post-fixup of Alias commands in older shib.conf
- Changes to run shibd as non-root shibboleth user
- Move init customizations to /etc/sysconfig/shibd
- Copy shibd restart for Red Hat to postun
- Add boost-devel dependency
- Build memcache plugin on RH6
- Add cachedir to install
- Add Apache 2.4 to install

* Sun Jun 26 2011 Scott Cantor <cantor.2@osu.edu> - 2.4.3-1
- Log files shouldn't be world readable.
- Explicit requirement for libcurl-openssl on RHEL6
- Uncomment LD_LIBRARY_PATH in init script for RHEL6
- Remove rpath from binaries for RHEL6

* Fri Dec 25 2009 Scott Cantor <cantor.2@osu.edu> - 2.4-1
- Update dependencies.

* Mon Nov 23 2009 Scott Cantor <cantor.2@osu.edu> - 2.3.1-1
- Reset revision for 2.3.1 release

* Wed Aug 19 2009 Scott Cantor <cantor.2@osu.edu> - 2.2.1-2
- SuSE init script changes
- Restart Apache on removal, not just upgrade
- Fix scriptlet exit values when Apache is stopped

* Mon Aug 10 2009 Scott Cantor <cantor.2@osu.edu> - 2.2.1-1
- Doc handling changes

* Tue Aug 4 2009 Scott Cantor <cantor.2@osu.edu> - 2.2.1-1
- Initial version for 2.2.1, with shibd/httpd restart on upgrade

* Thu Jun 25 2009 Scott Cantor <cantor.2@osu.edu> - 2.2-3
- Add additional cleanup to posttrans fix

* Tue Jun 23 2009 Scott Cantor <cantor.2@osu.edu> - 2.2-2
- Reverse without_builtinapache macro test
- Fix init script handling on Red Hat to handle upgrades

* Wed Dec 3 2008 Scott Cantor <cantor.2@osu.edu> - 2.2-1
- Bump minor version.
- Make keygen.sh executable.
- Fixing SUSE Xerces dependency name.
- Optionally package shib.conf.

* Tue Jun 10 2008 Scott Cantor <cantor.2@osu.edu> - 2.1-1
- Change shib.conf handling to treat as config file.

* Mon Mar 17 2008 Scott Cantor <cantor.2@osu.edu> - 2.0-6

* Fri Jan 18 2008 Scott Cantor <cantor.2@osu.edu> - 2.0-5
- Release candidate 1.

* Sun Oct 21 2007 Scott Cantor <cantor.2@osu.edu> - 2.0-4
- libexec -> lib/shibboleth changes
- Added doc subpackage

* Thu Aug 16 2007 Scott Cantor <cantor.2@osu.edu> - 2.0-3

* Fri Jul 13 2007 Scott Cantor <cantor.2@osu.edu> - 2.0-2
- Second alpha release.

* Sun Jun 10 2007 Scott Cantor <cantor.2@osu.edu> - 2.0-1
- First alpha release.

* Mon Oct 2 2006 Scott Cantor <cantor.2@osu.edu> - 1.3-11
- Applied fix for secadv 20061002
- Fix for metadata loader loop

* Thu Jun 15 2006 Scott Cantor <cantor.2@osu.edu> - 1.3-10
- Applied fix for sec 20060615

* Sat Apr 15 2006 Scott Cantor <cantor.2@osu.edu> - 1.3-9
- Misc. patches, SuSE, Apache 2.2, gcc 4.1, and 64-bit support

* Mon Jan 9 2006 Scott Cantor <cantor.2@osu.edu> - 1.3-8
- Applied new fix for secadv 20060109

* Tue Nov 8 2005 Scott Cantor <cantor.2@osu.edu> - 1.3-7
- Applied new fix for secadv 20050901 plus rollup

* Fri Sep 23 2005 Scott Cantor <cantor.2@osu.edu> - 1.3-6
- Minor patches and default config changes
- Fix shib.conf creation
- Integrated init.d script
- Prevent replacement of config files

* Thu Sep 1 2005 Scott Cantor <cantor.2@osu.edu> - 1.3-5
- Applied fix for secadv 20050901 plus rollup of NSAPI fixes

* Sun Apr 24 2005 Scott Cantor <cantor.2@osu.edu> - 1.3-1
- Updated test programs and location of schemas.
- move siterefresh to sbindir

* Fri Apr 1 2005 Derek Atkins <derek@ihtfp.com> - 1.3-1
- Add selinux-targeted-policy package
- move shar to sbindir

* Tue Oct 19 2004 Derek Atkins <derek@ihtfp.com> - 1.2-1
- Create SPEC file based on various versions in existence.