#! /bin/sh
-
- while getopts h:e:y:bf c
+# Added for Debian. The upstream version is installed in /etc/shibboleth and
+# for Debian we wanted to move it to /usr/bin, so change directories so that
+# it puts files in the correct location.
+cd /etc/shibboleth
+ while getopts h:u:g:o:e:y:bf c
do
case $c in
+ u) USER=$OPTARG;;
+ g) GROUP=$OPTARG;;
+ o) OUT=$OPTARG;;
b) BATCH=1;;
f) FORCE=1;;
h) FQDN=$OPTARG;;
e) ENTITYID=$OPTARG;;
y) YEARS=$OPTARG;;
- \?) echo keygen [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]
+ \?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
exit 1;;
esac
done
+ if [ -z "$OUT" ] ; then
+ OUT=.
+ fi
if [ -n "$FORCE" ] ; then
- rm sp-key.pem sp-cert.pem
+ rm $OUT/sp-key.pem $OUT/sp-cert.pem
fi
- if [ -s sp-key.pem -o -s sp-cert.pem ] ; then
+ if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
if [ -z "$BATCH" ] ; then
- echo The files sp-key.pem and/or sp-cert.pem already exist!
+ echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
echo Use -f option to force recreation of keypair.
exit 2
fi
exit 0
fi
+# --fqdn flag added for Debian to generate better names for certificates.
if [ -z "$FQDN" ] ; then
- FQDN=`hostname`
+ FQDN=`hostname --fqdn`
fi
if [ -z "$YEARS" ] ; then
ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi
- cat >sp-cert.cnf <<EOF
+ SSLCNF=$OUT/sp-cert.cnf
+ cat >$SSLCNF <<EOF
# OpenSSL configuration file for creating sp-cert.pem
[req]
prompt=no
subjectKeyIdentifier=hash
EOF
- # Added for Debian. Make the key mode 640 and readable by group _shibd so
- # that the Debian shibd can use a non-root user.
- touch sp-key.pem
- chgrp _shibd sp-key.pem
- chmod 640 sp-key.pem
+ touch $OUT/sp-key.pem
+ chmod 600 $OUT/sp-key.pem
if [ -z "$BATCH" ] ; then
- openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem
+ openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
else
- openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem 2> /dev/null
+ openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
fi
+ rm $SSLCNF
- rm sp-cert.cnf
+ if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then
+ chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem
+ fi
+
+ if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then
+ chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem
+ fi
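Review bot: The added `cd /etc/shibboleth` is unchecked, and because it runs before option parsing every relative `-o` directory (including the documented default `.`) is now resolved under /etc/shibboleth rather than the caller's working directory; if the cd fails, the later `touch`, `chmod 600` and `openssl -keyout` all land in whatever directory the caller was in. Guard it with `cd /etc/shibboleth || exit 1` and say so in the usage text, e.g. `[-o output directory (default ., relative to /etc/shibboleth)]`. The new `$OUT` expansions (`rm $OUT/sp-key.pem $OUT/sp-cert.pem`, `touch $OUT/sp-key.pem`, the `-keyout`/`-out` arguments) are unquoted, so an output directory containing whitespace splits into separate arguments; write them as `"$OUT/sp-key.pem"`. Creating the key file with mode 600 before openssl writes into it is the right order, and the later `chown $USER` keeps that mode, so only the named owner can read the private key.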
-#! /bin/sh
+#! /bin/bash
- while getopts a:c:e:h:n:o:s:t: c
+ DECLS=1
+
+ SAML1=0
+ SAML2=0
+ ARTIFACT=0
+ DS=0
+ LOGOUT=0
+ NAMEIDMGMT=0
+
+ SAML10PROT="urn:oasis:names:tc:SAML:1.0:protocol"
+ SAML11PROT="urn:oasis:names:tc:SAML:1.1:protocol"
+ SAML20PROT="urn:oasis:names:tc:SAML:2.0:protocol"
+
+ SAML20SOAP="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ SAML20REDIRECT="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ SAML20POST="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ SAML20POSTSS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+ SAML20ART="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ SAML20PAOS="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
+
+ SAML1POST="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+ SAML1ART="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+
+ while getopts a:c:e:f:h:n:o:s:t:u:12ADLNO c
do
case $c in
- c) CERTS[${#CERTS[*]}]=$OPTARG;;
- e) ENTITYID=$OPTARG;;
- h) HOSTS[${#HOSTS[*]}]=$OPTARG;;
- n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;;
- o) ORGNAME=$OPTARG;;
- a) ADMIN[${#ADMIN[*]}]=$OPTARG;;
- s) SUP[${#SUP[*]}]=$OPTARG;;
- t) TECH[${#TECH[*]}]=$OPTARG;;
- \?) echo metagen -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
- exit 1;;
+ c) CERTS[${#CERTS[*]}]=$OPTARG;;
+ e) ENTITYID=$OPTARG;;
+ f) FORMATS[${#FORMATS[*]}]=$OPTARG;;
+ h) HOSTS[${#HOSTS[*]}]=$OPTARG;;
+ n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;;
+ o) ORGNAME=$OPTARG;;
+ a) ADMIN[${#ADMIN[*]}]=$OPTARG;;
+ s) SUP[${#SUP[*]}]=$OPTARG;;
+ t) TECH[${#TECH[*]}]=$OPTARG;;
+ u) URL=$OPTARG;;
+ 1) SAML1=1;;
+ 2) SAML2=1;;
+ A) ARTIFACT=1;;
+ D) DS=1;;
+ L) LOGOUT=1;;
+ N) NAMEIDMGMT=1;;
+ O) DECLS=0;;
+ \?) echo metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
+ exit 1;;
esac
done
if [ ${#HOSTS[*]} -eq 0 -a ${#NAKEDHOSTS[*]} -eq 0 ] ; then
- echo metagen -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
+ echo metagen [-12ADLN] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
exit 1
fi
done
if [ -z $ENTITYID ] ; then
- ENTITYID=https://${HOSTS[0]}/shibboleth
+ if [ ${#HOSTS[*]} -eq 0 ] ; then
+ ENTITYID=https://${NAKEDHOSTS[0]}/shibboleth
+ else
+ ENTITYID=https://${HOSTS[0]}/shibboleth
+ fi
+ fi
+
+ # Establish protocols and bindings.
+
+ if [ $SAML1 -eq 0 -a $SAML2 -eq 0 ] ; then
+ SAML1=1
+ SAML2=1
+ fi
+
+ if [ $LOGOUT -eq 1 -o $NAMEIDMGMT -eq 1 ] ; then
+ SAML2=1
+ SLO[${#SLO[*]}]=$SAML20SOAP
+ SLO[${#SLO[*]}]=$SAML20REDIRECT
+ SLO[${#SLO[*]}]=$SAML20POST
+ SLOLOC[${#SLOLOC[*]}]="SOAP"
+ SLOLOC[${#SLOLOC[*]}]="Redirect"
+ SLOLOC[${#SLOLOC[*]}]="POST"
+ if [ $ARTIFACT -eq 1 ] ; then
+ SLO[${#SLO[*]}]=$SAML20ART
+ SLOLOC[${#SLOLOC[*]}]="Artifact"
+ fi
+ fi
+
+ if [ $SAML1 -eq 1 -a $SAML2 -eq 1 ] ; then
+ PROTENUM="$SAML20PROT $SAML11PROT"
+ elif [ $SAML1 -eq 1 ] ; then
+ PROTENUM="$SAML11PROT"
+ else
+ PROTENUM="$SAML20PROT"
+ fi
+
+ if [ $SAML2 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20POST
+ ACSLOC[${#ACSLOC[*]}]="SAML2/POST"
+ ACS[${#ACS[*]}]=$SAML20POSTSS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/POST-SimpleSign"
+ if [ $ARTIFACT -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20ART
+ ACSLOC[${#ACSLOC[*]}]="SAML2/Artifact"
+ fi
+ ACS[${#ACS[*]}]=$SAML20PAOS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"
+ fi
+
+ if [ $SAML1 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML1POST
+ ACSLOC[${#ACSLOC[*]}]="SAML/POST"
+ if [ $ARTIFACT -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML1ART
+ ACSLOC[${#ACSLOC[*]}]="SAML/Artifact"
+ fi
+ fi
+
+ if [ $SAML2 -eq 1 ] ; then
+ ACS[${#ACS[*]}]=$SAML20PAOS
+ ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"
+ fi
+
+ if [ $DECLS -eq 1 ] ; then
+ DECLS="xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" "
+ if [ $DS -eq 1 ] ; then
+ DECLS="${DECLS}xmlns:disco=\"urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol\" "
+ fi
+ else
+ DECLS=""
fi
cat <<EOF
- <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${ENTITYID}">
- <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+ <md:EntityDescriptor ${DECLS}entityID="${ENTITYID}">
+ <md:SPSSODescriptor protocolSupportEnumeration="${PROTENUM}">
+ EOF
+
+ # Discovery BEGIN
+ if [ $DS -eq 1 ] ; then
+
+ cat << EOF
<md:Extensions>
EOF
for h in ${HOSTS[@]}
do
cat << EOF
- <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://$h/Shibboleth.sso/DS" index="$count"/>
+ <disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://$h/Shibboleth.sso/DS" index="$count"/>
EOF
let "count++"
done
for h in ${NAKEDHOSTS[@]}
do
cat << EOF
- <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>
+ <disco:DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>
EOF
let "count++"
done
</md:Extensions>
EOF
+ fi
+ # Discovery END
+
for c in ${CERTS[@]}
do
cat << EOF
<md:KeyDescriptor>
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
EOF
EOF
done
+ for f in ${FORMATS[@]}
+ do
cat << EOF
- <!--
+ <md:NameIDFormat>$f</md:NameIDFormat>
EOF
+ done
+
+ # Logout BEGIN
+ if [ $LOGOUT -eq 1 ] ; then
for h in ${HOSTS[@]}
do
- cat <<EOF
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://$h/Shibboleth.sso/SLO/SOAP"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://$h/Shibboleth.sso/SLO/Redirect"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$h/Shibboleth.sso/SLO/POST"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$h/Shibboleth.sso/SLO/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:SingleLogoutService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
for h in ${NAKEDHOSTS[@]}
do
- cat <<EOF
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://$h/Shibboleth.sso/SLO/SOAP"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://$h/Shibboleth.sso/SLO/Redirect"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://$h/Shibboleth.sso/SLO/POST"/>
- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://$h/Shibboleth.sso/SLO/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:SingleLogoutService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
+ fi
+ # Logout END
+
+ # NameID Mgmt BEGIN
+ if [ $NAMEIDMGMT -eq 1 ] ; then
+
for h in ${HOSTS[@]}
do
- cat <<EOF
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://$h/Shibboleth.sso/NIM/SOAP"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://$h/Shibboleth.sso/NIM/Redirect"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$h/Shibboleth.sso/NIM/POST"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$h/Shibboleth.sso/NIM/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:ManageNameIDService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
for h in ${NAKEDHOSTS[@]}
do
- cat <<EOF
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://$h/Shibboleth.sso/NIM/SOAP"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://$h/Shibboleth.sso/NIM/Redirect"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://$h/Shibboleth.sso/NIM/POST"/>
- <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://$h/Shibboleth.sso/NIM/Artifact"/>
+ count=0
+ while [ $count -lt ${#SLO[*]} ]
+ do
+ cat <<EOF
+ <md:ManageNameIDService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
EOF
+ let "count++"
+ done
done
- cat <<EOF
- -->
- EOF
+ fi
+ # NameID Mgmt END
- count=0
+ index=0
for h in ${HOSTS[@]}
do
- cat <<EOF
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$h/Shibboleth.sso/SAML2/POST" index="$((count+1))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://$h/Shibboleth.sso/SAML2/POST-SimpleSign" index="$((count+2))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$h/Shibboleth.sso/SAML2/Artifact" index="$((count+3))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://$h/Shibboleth.sso/SAML2/ECP" index="$((count+4))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://$h/Shibboleth.sso/SAML/POST" index="$((count+5))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://$h/Shibboleth.sso/SAML/Artifact" index="$((count+6))"/>
- EOF
- let "count+=6"
+ count=0
+ while [ $count -lt ${#ACS[*]} ]
+ do
+ cat <<EOF
+ <md:AssertionConsumerService Binding="${ACS[$count]}" Location="https://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
+ EOF
+ let "count++"
+ let "index++"
+ done
done
for h in ${NAKEDHOSTS[@]}
do
- cat <<EOF
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://$h/Shibboleth.sso/SAML2/POST" index="$((count+1))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://$h/Shibboleth.sso/SAML2/POST-SimpleSign" index="$((count+2))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://$h/Shibboleth.sso/SAML2/Artifact" index="$((count+3))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://$h/Shibboleth.sso/SAML2/ECP" index="$((count+4))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://$h/Shibboleth.sso/SAML/POST" index="$((count+5))"/>
- <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://$h/Shibboleth.sso/SAML/Artifact" index="$((count+6))"/>
- EOF
- let "count+=6"
+ count=0
+ while [ $count -lt ${#ACS[*]} ]
+ do
+ cat <<EOF
+ <md:AssertionConsumerService Binding="${ACS[$count]}" Location="http://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
+ EOF
+ let "count++"
+ let "index++"
+ done
done
cat <<EOF
EOF
if [ -n "$ORGNAME" ] ; then
+ if [ -z "$URL" ] ; then
+ URL=$ENTITYID
+ fi
cat <<EOF
<md:Organization>
<md:OrganizationName xml:lang="en">$ORGNAME</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">$ORGNAME</md:OrganizationDisplayName>
- <md:OrganizationURL xml:lang="en">$ENTITYID</md:OrganizationURL>
+ <md:OrganizationURL xml:lang="en">$URL</md:OrganizationURL>
</md:Organization>
EOF
fi
- for c in ${ADMIN[@]}
+ count=${#ADMIN[*]}
+ for (( i=0; i<count; i++ ))
do
- c=(${c//\// })
+ IFS="/"; declare -a c=(${ADMIN[$i]})
cat <<EOF
<md:ContactPerson contactType="administrative">
<md:GivenName>${c[0]}</md:GivenName>
EOF
done
- for c in ${SUP[@]}
+ count=${#SUP[*]}
+ for (( i=0; i<count; i++ ))
do
- c=(${c//\// })
+ IFS="/"; declare -a c=(${SUP[$i]})
cat <<EOF
<md:ContactPerson contactType="support">
<md:GivenName>${c[0]}</md:GivenName>
EOF
done
- for c in ${TECH[@]}
+ count=${#TECH[*]}
+ for (( i=0; i<count; i++ ))
do
- c=(${c//\// })
+ IFS="/"; declare -a c=(${TECH[$i]})
cat <<EOF
<md:ContactPerson contactType="technical">
<md:GivenName>${c[0]}</md:GivenName>
cat <<EOF
</md:EntityDescriptor>
+
EOF
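Review bot: The SAML2 ACS list appends the PAOS/ECP endpoint twice: once at the end of the `if [ $SAML2 -eq 1 ]` block that adds POST and POST-SimpleSign (`ACS[${#ACS[*]}]=$SAML20PAOS` / `ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"`), and again in the separate `if [ $SAML2 -eq 1 ]` block placed after the SAML1 entries, so every host emits two `md:AssertionConsumerService` elements with the same Binding and Location under different indexes; drop the first pair so ECP is listed once, after the SAML1 endpoints as the second block intends. The contact loops set `IFS="/"` as a global side effect that is never restored and also glob-expand the unquoted value; `IFS=/ read -r -a c <<<"${ADMIN[$i]}"` (and likewise for SUP and TECH) confines the separator to that one read. The usage line printed when no host is given lists `[-12ADLN]` while the `\?` arm lists `[-12ADLNO]`; make them agree. Values such as `$ENTITYID`, `$f`, `$URL` and `$ORGNAME` are placed into the XML unescaped, so a value containing `&` or `<` produces metadata that a consumer will reject as malformed; a short `xmlesc()` that rewrites `&`, `<` and `"` before the heredocs would close that gap.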
# set overall behavior
- log4j.rootCategory=INFO, native_log
+ log4j.rootCategory=INFO, native_log, warn_log
# fairly verbose for DEBUG, so generally leave at INFO
log4j.category.XMLTooling.XMLObject=INFO
# define the appender
-log4j.appender.native_log=org.apache.log4j.RollingFileAppender
-log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
-log4j.appender.native_log.maxFileSize=1000000
-log4j.appender.native_log.maxBackupIndex=10
-log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+# This is the default, but it's essentially useless under normal
+# circumstances since Apache doesn't have access to write to that
+# directory.
+#log4j.appender.native_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
+#log4j.appender.native_log.maxFileSize=1000000
+#log4j.appender.native_log.maxBackupIndex=10
- ##log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
+#log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+ log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+ log4j.appender.warn_log.fileName=@-SHIRELOGDIR-@/native_warn.log
+ log4j.appender.warn_log.maxFileSize=1000000
+ log4j.appender.warn_log.maxBackupIndex=10
+ log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+ log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+ log4j.appender.warn_log.threshold=WARN
+# Use syslog instead, since then at least the messages will go somewhere.
+# That facility is (3 << 3) or LOG_DAEMON, since log4cpp apparently
+# doesn't recognize symbolic log facilities.
+#
+# This is a Debian-specific change.
+log4j.appender.native_log=org.apache.log4j.LocalSyslogAppender
+log4j.appender.native_log.syslogName=shibboleth-sp
+log4j.appender.native_log.facility=24
+log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
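Review bot: The new `warn_log` appender added to `log4j.rootCategory` writes to `@-SHIRELOGDIR-@/native_warn.log`, the same directory the comment above describes as unwritable by Apache, so under the circumstances the comment describes it is likely to hit the same open failure as the disabled RollingFileAppender, and WARN-level messages are duplicated to a file that may never be created. Either leave `warn_log` out of the root category or state in the comment why a file appender is expected to work for WARN output when it is not for INFO, e.g. `# warn_log only produces output where @-SHIRELOGDIR-@ is writable by the Apache worker user; syslog remains the reliable path.` The facility value 24 matches the stated (3 << 3) LOG_DAEMON computation.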
# Default-Stop: 0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description: Starts the separate daemon used by the Shibboleth
-# Apache module to manage sessions and to retrieve
-# attributes from Shibboleth Identity Providers.
+# Apache module to manage sessions and to retrieve
+# attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah@stanford.edu>
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=@-PKGRUNDIR-@/$NAME.pid
DAEMON_OPTS=""
+DAEMON_USER=_shibd
# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
+prepare_environment () {
+ # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system.
+ [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
+
+ # If $DAEMON_USER is set, try to run shibd as that user. However,
+ # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
+ # and the local administrator may not have made the server's private key
+ # readable by $DAEMON_USER. We therefore test first by running shibd -t
+ # and looking for the error code indicating that the private key could not
+ # be read. If we get that error, we fall back on running shibd as root.
+ if [ -n "$DAEMON_USER" ]; then
+ DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
+ if [ $? = 0 ] ; then
+ # openssl errstr 200100D (hex for 33558541) says:
+ # error:0200100D:system library:fopen:Permission denied
+ ERROR='ERROR OpenSSL : error code: 33558541 '
+ if echo "$DIAG" | fgrep -q "$ERROR" ; then
+ unset DAEMON_USER
+ echo "$NAME warning: file permissions require running as root"
+ else
+ chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
+ fi
+ else
+ unset DAEMON_USER
+ echo "$NAME error: unable to run config check as user $DAEMON_USER"
+ fi
+ unset DIAG
+ fi
+}
+
case "$1" in
start)
+ prepare_environment
+
# Don't start shibd if NO_START is set.
if [ "$NO_START" = 1 ] ; then
echo "Not starting $DESC (see /etc/default/$NAME)"
exit 0
fi
echo -n "Starting $DESC: "
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
-- --exec $DAEMON
++ --retry TERM/30/KILL/5 --exec $DAEMON
echo "$NAME."
;;
restart|force-reload)
-
+ prepare_environment
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
--exec $DAEMON
sleep 1
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;