--- /dev/null
+shibboleth-sp2 (2.3.1+dfsg-2) unstable; urgency=low
+
+ * Modify shib-keygen to create the new certificate key group-readable by
+ _shibd and not world-readable. (Closes: #571631)
+ * Force source format 1.0 for now since it makes backporting easier.
+ * Update debhelper compatibility level to V7.
+ - Use dh_prep instead of dh_clean -k.
+ * Update standards version to 3.8.4 (no changes required).
+
+ -- Russ Allbery <rra@debian.org> Sat, 15 May 2010 15:25:12 -0700
+
+shibboleth-sp2 (2.3.1+dfsg-1) unstable; urgency=low
+
+ * New upstream release.
+ - Don't sign messages for SOAP requests twice.
+ - Correctly generate metadata in the artifact resolution handler.
+ - Artifact resolution should return empty success on errors.
+ - Fixed crash in backchannel global logout.
+ - Fix duplicate indexes in metadata generation when multiple base URLs
+ are supplied.
+ - Correctly decrypt assertions in attribute responses.
+ * Apply upstream fix for shibd removing the PID file when called with
+ the -F option. This prevents the check of certificate permissions in
+ the init script from removing the PID file of a running shibd.
+ * Add ${shlibs:Depends} to the libshibsp-dev package dependencies.
+ * Add ${misc:Depends} to all package dependencies.
+
+ -- Russ Allbery <rra@debian.org> Sun, 03 Jan 2010 13:54:55 -0800
+
+shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
+
+ [ Russ Allbery ]
+ * Urgency set to high for security fix.
+ * New upstream release.
+ - SECURITY: Partial fix for improper handling of URLs that could be
+ abused for script injection and other cross-site scripting attacks.
+ The complete fix also requires newer xmltooling and opensaml2
+ packages. (Closes: #555608, CVE-2009-3300)
+ - Avoid shibd crash on dead memcache server.
+ - Pass the affiliation name to the session initiator.
+ - Correctly handle a bogus ACS.
+ - Allow overriding the URL that's passed to the DS.
+ - Add schema types for new attribute decoders introduced in 2.2.
+ - Handle success with partial logout in the logout UI code.
+ - Fix POST data preservation with empty parameters and empty forms.
+ - Fix SAML 1 specification of attributes in the query plugin.
+ - Shorten ePTId-type persistent identifiers.
+ - Use an ID rather than a whole doc reference for generated metadata.
+ - Fix spelling of scopeDelimiter in the configuration parser, making
+ the code and documentation match the schema.
+ * Rename library package for upstream SONAME bump.
+ * Tighten build and package dependencies on xmltooling and opensaml2 to
+ require the versions with the security fix.
+ * Fix watch file for the new version mangling.
+ * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
+ * Remove unnecessary patches to upstream files regenerated during the
+ build from the source package diff.
+
+ [ Faidon Liambotis ]
+ * Run make install with NOKEYGEN=1 and stop rm-ing generated
+ certificates. Fixes FTBFS.
+
+ [ Ferenc Wagner ]
+ * Run shibd as non-root.
+
+ -- Russ Allbery <rra@debian.org> Wed, 11 Nov 2009 14:39:44 -0800
+
+shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
+
+ * Change the libapache2-mod-shib2 section to httpd, matching override.
+ * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
+ recommended configuration update for the 2.2 version. Thanks, Scott
+ Cantor and Kristof BAJNOK.
+
+ -- Russ Allbery <rra@debian.org> Wed, 09 Sep 2009 12:15:08 -0700
+
+shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high
+
+ * New upstream release.
+ - SECURITY: Fix improper handling of certificate names containing nul
+ characters.
+ - SECURITY: Correctly validate the use attribute of KeyDescriptors,
+ preventing use of a key for signing or for encryption if its use
+ field says it may not be used for that purpose.
+ - New shib-metagen script for generating Shibboleth SP metadata.
+ - Support preserving form data across user authentication.
+ - Support internal server redirection while maintaining protection.
+ - Fix incompatibility between lazy sessions and servlet containers.
+ - Fix some problems with dynamic metadata resolution.
+ - Fix incompatibility with mod_include.
+ - Fix single logout via SOAP.
+ - Fix shibd crash with invalid metadata.
+ - Fix crash in chaining attribute resolver.
+ - Avoid infinite loop on empty attribute mapped to REMOTE_USER.
+ - Fix handling of some Unicode data in relaystate data in URLs.
+ - Correctly return Success to LogoutRequest where appropriate.
+ - Avoid chunked encoding in back-channel calls.
+ - Correctly check Recipient values in assertions.
+ - Fix attributePrefix handling in some contexts.
+ - Fix generated metadata DiscoveryResponse.
+ - Fix handling of unsigned responses with encryption.
+ - Fix handling of InProcess property.
+ * Rename library package for upstream SONAME bump.
+ * Tighten build dependencies and schema package dependencies on
+ opensaml2 and xmltooling.
+ * Build against Xerces-C 3.0.
+ * Dynamically determine the Debian and upstream package versions for
+ get-orig-source from debian/changelog.
+ * Update libapache2-mod-shib2's README.Debian for changes to the
+ TestShib web pages.
+ * Use the automatically-extracted package version as the version number
+ for the man pages.
+ * Update standards version to 3.8.3.
+ - Create /var/run/shibboleth in the init script if it doesn't exist.
+ - Don't ship /var/run/shibboleth in the package.
+ - Remove /var/run/shibboleth in postrm if it exists.
+
+ -- Russ Allbery <rra@debian.org> Mon, 07 Sep 2009 16:14:29 -0700
+
+shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low
+
+ * Redo the variable quoting in doxygen.m4 so that configure can be
+ rebuilt with Autoconf 2.63. (Closes: #518039)
+
+ -- Russ Allbery <rra@debian.org> Tue, 03 Mar 2009 15:03:10 -0800
+
+shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low
+
+ [ Russ Allbery ]
+ * New upstream version.
+ - New memory cache storage backend.
+ - Schema validation is now optional.
+ - Many bug fixes.
+ * Bump SONAME of libshibsp following upstream's versioning.
+ * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file
+ and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1).
+ * Fix the name of the tarball created by get-orig-source.
+ * Logcheck rules.
+ * Tighten the dependency versioning; the 2.1 SP library requires the
+ 2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas
+ from XMLTooling.
+ * Remove duplicate Section field for libapache2-mod-shib2.
+
+ [ Ferenc Wagner ]
+ * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation.
+ * Remove the Shibboleth minor version number from README.Debian.
+ * Comment out the reference to WS-Trust.xsd from the catalog.xml file in
+ shibboleth-sp2-schemas and document how to enable it again.
+
+ -- Russ Allbery <rra@debian.org> Fri, 27 Feb 2009 20:54:51 -0800
+
+shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
+
+ [ Ferenc Wagner ]
+ * Rename debian/shib.load to debian/shib2.load to avoid clashing with the
+ libapache2-mod-shib package. Otherwise its Apache config file breaks our
+ module.
+ * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter
+ Schober for noticing)
+
+ [ Russ Allbery ]
+ * Add a postinst to disable the old configuration on upgrade and enable
+ the module if it had been enabled under the old configuration name.
+ * Wait for shibd to exit on stop or restart. This fixes a bug in
+ restart that could lead to no new shibd being started because the old
+ one had not yet exited.
+ * Fix a syntax error in the shibd man page.
+
+ -- Russ Allbery <rra@debian.org> Tue, 14 Oct 2008 21:47:36 -0700
+
+shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low
+
+ [ Ferenc Wagner ]
+ * Avoid brace expansion in debian/rules, dash does not like it.
+ (Closes: #493408)
+
+ [ Russ Allbery ]
+ * Add logcheck rules to ignore some of the routine messages from the
+ Apache module. This only covers startup and teardown; more will
+ need to be added.
+ * Fix watch file for new upstream tarball naming.
+
+ -- Russ Allbery <rra@debian.org> Tue, 19 Aug 2008 19:04:35 -0700
+
+shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low
+
+ * Apply upstream fix for variable sizes in the ODBC code. Fixes a
+ FTBFS on 64-bit platforms. (Closes: #492101)
+
+ -- Russ Allbery <rra@debian.org> Thu, 24 Jul 2008 08:44:50 -0700
+
+shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low
+
+ [ Ferenc Wágner ]
+ * Initial release (Closes: #480290)
+
+ -- Russ Allbery <rra@debian.org> Wed, 25 Jun 2008 20:06:10 -0700
+
--- /dev/null
+Source: shibboleth-sp2
+Section: web
+Priority: extra
+Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
+Uploaders: Russ Allbery <rra@debian.org>, Ferenc Wagner <wferi@niif.hu>
+Build-Depends: debhelper (>= 7), autotools-dev, autoconf, automake,
+ libtool, apache2-threaded-dev, doxygen, liblog4cpp5-dev,
+ libsaml2-dev (>= 2.3), libssl-dev, libxerces-c-dev,
+ libxml-security-c-dev (>= 1.5), libxmltooling-dev (>= 1.3),
+ opensaml2-schemas, unixodbc-dev, xmltooling-schemas
+Standards-Version: 3.8.4
+Homepage: http://shibboleth.internet2.edu/
+Vcs-Git: git://git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git
+Vcs-Browser: http://git.debian.org/?p=pkg-shibboleth/shibboleth-sp2.git
+
+Package: libapache2-mod-shib2
+Section: httpd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, adduser
+Recommends: apache2, openssl
+Conflicts: libapache2-mod-shib
+Description: Federated web single sign-on system (Apache module)
+ The Shibboleth System is a standards based software package for web
+ single sign-on across or within organizational boundaries. It supports
+ authorization and attribute exchange using the OASIS SAML 2.0 protocol.
+ Shibboleth allows sites to make informed authorization decisions for
+ individual access of protected online resources while allowing users to
+ establish their identities with their local authentication systems.
+ .
+ This package contains the Shibboleth Apache module for service providers
+ (web servers providing resources protected by Shibboleth) and the
+ supporting shibd daemon.
+
+Package: libshibsp4
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, opensaml2-schemas (>= 2.3),
+ shibboleth-sp2-schemas (>= 2.3), xmltooling-schemas (>= 1.3)
+Description: Federated web single sign-on system (runtime)
+ The Shibboleth System is a standards based software package for web
+ single sign-on across or within organizational boundaries. It supports
+ authorization and attribute exchange using the OASIS SAML 2.0 protocol.
+ Shibboleth allows sites to make informed authorization decisions for
+ individual access of protected online resources while allowing users to
+ establish their identities with their local authentication systems.
+ .
+ This package contains the Shibboleth SP runtime library.
+
+Package: libshibsp-dev
+Section: libdevel
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libshibsp4 (= ${binary:Version}), libsaml2-dev (>= 2.3),
+ libxerces-c-dev, libxmltooling-dev (>= 1.3)
+Suggests: libshib2-doc (= ${source:Version})
+Description: Federated web single sign-on system (development)
+ The Shibboleth System is a standards based software package for web
+ single sign-on across or within organizational boundaries. It supports
+ authorization and attribute exchange using the OASIS SAML 2.0 protocol.
+ Shibboleth allows sites to make informed authorization decisions for
+ individual access of protected online resources while allowing users to
+ establish their identities with their local authentication systems.
+ .
+ This package contains the headers and other necessary files to build
+ applications that use the Shibboleth SP library.
+
+Package: libshibsp-doc
+Section: doc
+Architecture: all
+Depends: ${misc:Depends}
+Description: Federated web single sign-on system (API docs)
+ The Shibboleth System is a standards based software package for web
+ single sign-on across or within organizational boundaries. It supports
+ authorization and attribute exchange using the OASIS SAML 2.0 protocol.
+ Shibboleth allows sites to make informed authorization decisions for
+ individual access of protected online resources while allowing users to
+ establish their identities with their local authentication systems.
+ .
+ This package contains the Shibboleth SP library API documentation.
+
+Package: shibboleth-sp2-schemas
+Section: text
+Architecture: all
+Depends: ${misc:Depends}
+Conflicts: libapache2-mod-shib
+Description: Federated web single sign-on system (schemas)
+ The Shibboleth System is a standards based software package for web
+ single sign-on across or within organizational boundaries. It supports
+ authorization and attribute exchange using the OASIS SAML 2.0 protocol.
+ Shibboleth allows sites to make informed authorization decisions for
+ individual access of protected online resources while allowing users to
+ establish their identities with their local authentication systems.
+ .
+ This package contains the additional schemas used by the Shibboleth SP.
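Review bot: the Suggests line in the libshibsp-dev stanza names libshib2-doc (= ${source:Version}), but the documentation package defined in this control file is libshibsp-doc, so the suggestion can never be satisfied by this source package. Change it to libshibsp-doc (= ${source:Version}), and check the doc-base Document name later in the patch, which uses the same libshib2-doc spelling.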
--- /dev/null
+Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat
+Upstream-Author: Internet2
+Packaged-By: Ferenc Wágner <wferi@niif.hu>
+Packaged-Date: Mon, 28 Apr 2008 14:55:31 +0200
+Original-Source-Location:
+ http://shibboleth.internet2.edu/downloads/shibboleth/cpp/2.1/
+
+The original upstream source was repackaged to remove the WS-Trust.xsd
+schema, which was not distributed under a DFSG-free license.
+
+Files: *
+Copyright: 2001-2009 Internet2
+License: Apache-2.0
+
+Files: */Makefile.in
+Copyright: 2001-2009 Internet2
+ 2004 Oren Ben-Kiki
+ 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+ Free Software Foundation, Inc.
+License: other
+ This Makefile.in is free software; the Free Software Foundation
+ gives unlimited permission to copy and/or distribute it,
+ with or without modifications, as long as this notice is preserved.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+ even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ PARTICULAR PURPOSE.
+
+Files: ./aclocal.m4
+Copyright: 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+ Free Software Foundation, Inc.
+License: other
+ This file is free software; the Free Software Foundation
+ gives unlimited permission to copy and/or distribute it,
+ with or without modifications, as long as this notice is preserved.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+ even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ PARTICULAR PURPOSE.
+
+Files: ./acx_pthread.m4
+Copyright: 2006 Steven G. Johnson <stevenj@alum.mit.edu>
+License: GPL-2+ | other
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+ Public License for more details.
+ .
+ The full text of the GNU General Public License version 2 is available on
+ Debian systems in /usr/share/common-licenses/GPL-2.
+ .
+ As a special exception, the respective Autoconf Macro's copyright owner
+ gives unlimited permission to copy, distribute and modify the configure
+ scripts that are the output of Autoconf when processing the Macro. You
+ need not follow the terms of the GNU General Public License when using or
+ distributing such scripts, even though portions of the text of the Macro
+ appear in them. The GNU General Public License (GPL) does govern all
+ other use of the material that constitutes the Autoconf Macro.
+ .
+ This special exception to the GPL applies to versions of the Autoconf
+ Macro released by the Autoconf Macro Archive. When you make and
+ distribute a modified version of the Autoconf Macro, you may extend this
+ special exception to the GPL to apply to your modified version as well.
+
+Files: ./config.guess, ./config.sub, ./depcomp, ./libtool.m4, ./ltmain.sh,
+ ./missing
+Copyright: 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+ 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+License: GPL-2+ | other
+ This file is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+ Public License for more details.
+ .
+ The full text of the GNU General Public License version 2 is available on
+ Debian systems in /usr/share/common-licenses/GPL-2.
+ .
+ As a special exception to the GNU General Public License, if you
+ distribute this file as part of a program that contains a configuration
+ script generated by Autoconf, you may include it under the same
+ distribution terms that you use for the rest of that program.
+
+Files: ./configure
+Copyright: 2003 Free Software Foundation, Inc.
+License: other
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+
+Files: ./debian/*
+Copyright: 2008 Ferenc Wágner <wferi@niif.hu>
+ 2008, 2009 Russ Allbery <rra@debian.org>
+License: Expat
+
+Files: ./doxygen.{am,m4}
+Copyright: 2004 Oren Ben-Kiki
+License: other
+ This file is free software; the Free Software Foundation
+ gives unlimited permission to copy and/or distribute it,
+ with or without modifications, as long as this notice is preserved.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+ even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ PARTICULAR PURPOSE.
+
+Files: ./install-sh
+Copyright: (C) 1994 X Consortium
+License: Expat
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the complete text of the Apache 2.0 license can be
+ found in the file /usr/share/common-licenses/Apache-2.0.
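Review bot: Original-Source-Location in the header still points at .../cpp/2.1/, while the changelog in this patch is at 2.3.1+dfsg-2 and the README refers to .../cppsp/latest/; update the location so the repackaged tarball can be traced to the upstream release it came from. The ./debian/* stanza also stops at 2009 for Russ Allbery although the top changelog entry is dated 2010.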
--- /dev/null
+shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
+
+ As of this release, running shibd as a non-root user is supported and
+ recommended to limit the impact of any potential security issues. The
+ package will create a dedicated _shibd user on installation for that
+ purpose.
+
+ In order for shibd to run as user _shibd instead of as root, user _shibd
+ must have read access to the private key of the server. The easiest way
+ is to make the private key, normally /etc/shibboleth/sp-key.pem, owned
+ by root and readable by group _shibd:
+
+ chown root:_shibd /etc/shibboleth/sp-key.pem
+ chmod 640 /etc/shibboleth/sp-key.pem
+
+ The init script attempts to detect, when starting up shibd, whether it
+ can read the private key specified in the configuration and, if not,
+ falls back on running shibd as root, as was done in previous versions of
+ this package.
+
+ -- Russ Allbery <rra@debian.org> Tue, 10 Nov 2009 16:48:03 -0800
+
+shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
+
+ There are several changes to the configuration syntax and defaults in
+ Shibboleth 2.2, one of which produce deprecation warnings on startup
+ until /etc/shibboleth/shibboleth2.xml is updated.
+
+ The most significant change is that <Rule> tags in the <Policy> element
+ should be changed to <PolicyRule> and a new policy rule added:
+
+ <PolicyRule type="Conditions">
+ <PolicyRule type="Audience"/>
+ <!-- Enable Delegation rule to permit delegated access. -->
+ <!-- <PolicyRule type="Delegation"/> -->
+ </PolicyRule>
+
+ See:
+
+ https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationChanges
+
+ for all the details and further explanation.
+
+ -- Russ Allbery <rra@debian.org> Tue, 15 Sep 2009 20:44:26 -0700
+
+shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
+
+ With this release, the Apache module configuration fragments in
+ /etc/apache2/mods-available have been renamed to shib2.* from shib.* to
+ avoid conflicts with libapache2-mod-shib. If you had any customizations
+ in /etc/apache2/mods-available/shib.load, you will need to move them to
+ /etc/apache2/mods-available/shib2.load.
+
+ -- Russ Allbery <rra@debian.org> Tue, 14 Oct 2008 20:52:20 -0700
+
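Review bot: the 2.3+dfsg-1 entry documents that the init script falls back to running shibd as root when _shibd cannot read the private key, but it does not tell the administrator how to notice that the fallback happened, so a host where the chown/chmod step was skipped keeps running as root with no visible difference. Add a sentence saying how to confirm which user shibd is running as after a restart, or state that the init script prints a warning if it does. Separately, "one of which produce" in the 2.2.1+dfsg-2 entry does not agree in number and should be reworded.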
--- /dev/null
+ Shibboleth 2 SP for Debian
+
+Introduction
+
+ This package provides the Shibboleth Apache module and accompanying
+ daemon for a service provider. In Shibboleth terminology, this is a web
+ server serving some content that should be secured via Shibboleth. In
+ order for someone to access protected content from a Shibboleth SP, they
+ will have to authenticate to a Shibboleth IdP (Identity Provider),
+ either one that the Shibboleth SP points to directly or one that is part
+ of a federation that is trusted by the Shibboleth SP.
+
+ This is the Shibboleth 2 version of the SP. For the 1.x version of
+ the Shibboleth SP (if it is still available), see libapache-mod-shib.
+
+Installation and Configuration
+
+ After installing this package, the module is available but not enabled.
+ It's not enabled automatically since some configuration is required
+ before it will work (at least creating a certificate for the SP to use
+ to authenticate to IdPs).
+
+ To generate a self-signed certificate for the Shibboleth SP, run
+ shib-keygen. See its manual page for more information. This may or may
+ not be what you want to do depending on which federation you plan on
+ joining; some federations may want you to follow other procedures for
+ generating a certificate.
+
+ The default error messages from Shibboleth are located in
+ /etc/shibboleth/*.html. The paths to those error messages are
+ configured in /etc/shibboleth/shibboleth2.xml in the <Errors> tag. If
+ you customize them, you may want to copy them somewhere else and change
+ /etc/shibboleth/shibboleth2.xml to point to the new locations. Also in
+ that <Errors> tag you can set the URLs to the logo and style sheet used
+ by the default errors. If you want to use the default URL (under
+ /shibboleth-sp), add this to your Apache configuration:
+
+ <Location /shibboleth-sp>
+ Allow from all
+ </Location>
+ Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+ Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
+
+ For Shibboleth to work properly, you will need to extensively customize
+ /etc/shibboleth/shibboleth2.xml for your site. In particular, the
+ <ApplicationDefaults> section will have to be customized for the
+ federations your SP will trust and the <CredentialResolver> section of
+ <Applications> needs to list the credentials that your SP will use to
+ authenticate when communicating with IdPs. Your local site may provide
+ a standard shibboleth2.xml for you to use.
+
+ Finally, you will want to protect some web content with Shibboleth. The
+ most basic configuration is:
+
+ <Location /secure>
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ require valid-user
+ </Location>
+
+ for some <Location>, <Directory>, or <Files> block. You can also put
+ similar code in an .htaccess file. This will require authorization
+ using the default federation defined in /etc/shibboleth/shibboleth2.xml.
+
+Changes in Debian Package
+
+ The logging configuration for the native.log file has been changed to
+ use syslog, since the upstream default tries to write to a file that
+ Apache has no privileges to write to. See /etc/shibboleth/native.logger
+ for more details. If you want the other parts of Shibboleth to also log
+ to syslog, change the other /etc/shibboleth/*.logger files similarly.
+
+ The WS-Trust.xsd schema, which is needed if you use the ADFS support
+ and turn on schema validation, was removed from the Debian package for
+ license reasons. To enable it again, do the following:
+
+ 1. Download the original source from
+ http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/
+
+ 2. Extract schemas/WS-Trust.xsd to some convenient location, for
+ example to /etc/shibboleth/WS-Trust.xsd.
+
+ 3. Copy /usr/share/xml/shibboleth/catalog.xml into /etc/shibboleth.
+
+ 4. Uncomment the WS-Trust line and set its uri attribute:
+ <system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust"
+ uri="/etc/shibboleth/WS-Trust.xsd"/>
+
+ 5. Edit /etc/default/shibd to contain
+ DAEMON_OPTS="$DAEMON_OPTS -x /etc/shibboleth/catalog.xml:/usr/share/xml/opensaml/saml20-catalog.xml:/usr/share/xml/xmltooling/catalog.xml"
+
+ 6. Restart the Shibboleth daemon: /etc/init.d/shibd restart.
+
+Testing with TestShib
+
+ If you don't have a local Shibboleth Federation you can easily join but
+ want to test your Shibboleth installation, you can use the TestShib
+ federation (which exists primarily for this purpose). To do this, use
+ the following instructions (but test them against the details on the
+ testshib.org web pages in case anything has changed):
+
+ 1. Go to <http://testshib.org/>, click on Register, and log in with
+ either OpenIDP or ProtectNetwork. If you do not have an identity
+ with either, create one following the links on that page.
+
+ 2. Click on New Service Provider (unless you've already created an entry
+ for this host, in which case select Edit and reuse it). Enter your
+ hostname, your public certificate, and your first and last name, and
+ then click on Continue. Verify the information and click on Submit.
+
+ 3. Now select Configure, scroll down to Service Provider Configuration,
+ choose Other for the platform, enter your hostname, and click on
+ Create Me. Save the resulting configuration file as
+ /etc/shibboleth/shibboleth2.xml.
+
+ 4. Create some part of your web site that's protected with Shibboleth as
+ described above, restart Apache with apache2ctl restart, restart
+ shibd with /etc/init.d/shibd restart, and then go to that URL. You
+ should be redirected to the testshib.org IdP, and then get a basic
+ auth dialog box prompting for a username and password. Enter
+ "myself" and "myself". You should now be redirected back to your
+ protected page. The best test page to use is a CGI script that
+ prints out the environment; you can then confirm that you see the
+ Shibboleth attributes as environment variables. If this doesn't work
+ immediately, wait a few minutes and try again; sometimes the
+ testshib.org metadata takes a little bit to update.
+
+ These directions should work as of June 2008, but note that the
+ testshib.org service may have changed since then. TestShib is useful
+ *only* for testing, not for any production use. Those of us who have
+ worked on the Debian package are not affiliated with testshib.org, just
+ personally find it useful, and make no guarantees that it will work
+ properly. You should read over the shibboleth2.xml file that you
+ download from testshib.org before using it to make sure that there's
+ nothing strange in it.
+
+ If the above instructions don't work or there are changes in the
+ TestShib service, please file a bug against the Debian
+ libapache2-mod-shib2 package and let us know.
+
+Further Information
+
+ For further installation information, see:
+
+ https://spaces.internet2.edu/display/SHIB2/Home
+
+ and in particular the "Configuration" link.
+
+ -- Russ Allbery <rra@debian.org>, Tue, 10 Nov 2009 15:06:57 -0800
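Review bot: the Introduction refers readers to libapache-mod-shib for the 1.x SP, while debian/control and NEWS in this same patch name the conflicting package libapache2-mod-shib; use one spelling so the reference can be looked up. In the "most basic configuration" paragraph, "This will require authorization using the default federation" describes a block that only demands a session and require valid-user, so "authentication" is the accurate word; readers should not take that example as an access-control policy.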
--- /dev/null
+usr/lib/apache2/modules
+usr/share/man/man1
+usr/share/man/man8
+var/log/shibboleth
--- /dev/null
+doc/CREDITS.txt
+doc/README.txt
+doc/RELEASE.txt
--- /dev/null
+debian/tmp/usr/bin
+debian/tmp/usr/sbin
+debian/tmp/etc/shibboleth
+debian/tmp/usr/lib/shibboleth
+
+debian/shib2.load etc/apache2/mods-available
+
+doc/logo.jpg usr/share/shibboleth
+doc/main.css usr/share/shibboleth
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : shibboleth [0-9.]+ library (shutting down|shutdown complete)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth.SessionCache : cleanup thread exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO XMLTooling.XMLToolingConfig : xmltooling [0-9.]+ library shutdown complete$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : building ListenerService of type UnixListener\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : building RequestMapper of type Native\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : building SessionCache of type StorageService\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.SessionCache : cleanup thread started\.\.\.run every [0-9]+ secs; timeout after [0-9]+ secs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth.SessionCache : purging [0-9]+ old sessions$
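Review bot: the dot is escaped in the Shibboleth\.Config patterns but left bare in "Shibboleth.SessionCache" (cleanup thread exiting and purging lines) and "XMLTooling.XMLToolingConfig", where it matches any character. Escape those as \. too so each ignore rule matches only the literal logger name, consistent with the other lines in this file.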
--- /dev/null
+#!/bin/sh
+
+set -e
+
+# Prior to 2.0.dfsg1-4, we named our Apache configuration files shib instead
+# of shib2. We therefore need to unlink the old configuration files, and if
+# they were linked in, we should link in the new ones.
+#
+# We also have to work around a bug in the etch Shibboleth SP 1.x packages
+# that caused them to remove the wrong module configuration and hence not
+# unlink their configuration. If the 1.x configuration is still linked in, it
+# will break the 2.x module, so make sure it's disabled on initial install.
+if [ "$1" = "configure" ] ; then
+ if dpkg --compare-versions "$2" lt-nl 2.0.dfsg1-4 ; then
+ if [ -f /etc/apache2/mods-enabled/shib.load ] ; then
+ a2enmod shib2
+ fi
+ a2dismod shib || true
+ fi
+
+ # Most of the time, this will produce an error message. It only does
+ # anything if we're replacing a broken libapache2-mod-shib package.
+ # Suppress the normally useless error message to not confuse people.
+ if [ -z "$2" ] ; then
+ a2dismod shib 2>/dev/null || true
+ fi
+
+ if ! getent passwd _shibd > /dev/null ; then
+ echo 'Adding system-user for Shibboleth daemon' 1>&2
+ adduser --system --group --quiet --home /var/log/shibboleth \
+ --no-create-home --disabled-login --force-badname _shibd
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
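Review bot: in the branch for upgrades from versions before 2.0.dfsg1-4, `a2enmod shib2` runs under `set -e` with no guard, unlike the `a2dismod shib || true` two lines later, so a failing a2enmod aborts the whole configure step. Either append `|| true` or print a clear message before failing. Separately, `_shibd` is created with `--home /var/log/shibboleth --no-create-home`, and nothing in this script creates that directory or sets its ownership; a comment naming where that happens would make the daemon account's write access easier to audit.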
--- /dev/null
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ] || [ "$1" = remove ] ; then
+ rm -rf /var/run/shibboleth
+fi
+
+#DEBHELPER#
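Review bot: `purge` is handled exactly like `remove` here, so only /var/run/shibboleth is deleted; the /var/log/shibboleth directory that the postinst assigns as the home of `_shibd` is never touched. If logs should go on purge, add a purge-only branch for them; if they are kept deliberately, say so in a comment. The script also ends without the `exit 0` that the other maintainer scripts in this patch carry, and quotes `purge` and `remove` differently from the prerm.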
--- /dev/null
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ] ; then
+ a2dismod shib2 || true
+fi
+
+#DEBHELPER#
+
+exit 0
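Review bot: `a2dismod shib2 || true` hides every failure and nothing after it reloads or restarts Apache, so a running server keeps the module loaded from a file the package is about to remove. Consider noting in a comment that the administrator must restart Apache, or triggering the reload here. A one-line comment on why `deconfigure` is treated the same as `remove` would also help.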
--- /dev/null
+# /etc/default/shibd -- Defaults for the shibd init script. -*- sh -*-
+#
+# This file is sourced by /etc/init.d/shibd and is used to configure the
+# behavior of the init script. This file must follow standard POSIX shell
+# syntax.
+
+# To not start shibd at boot, uncomment this line.
+#NO_START=1
+
+# Options passed to shibd by the init script. The default options are:
+#
+# -f -c /etc/shibboleth2.xml -p $PIDFILE -w 30
+#
+# If you change the -p option, also change the $PIDFILE variable to point to
+# the new location or the init script won't work.
+#DAEMON_OPTS=""
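Review bot: the documented default options give the configuration file as `-c /etc/shibboleth2.xml`, but the shibd manual page added in this same patch states the default is /etc/shibboleth/shibboleth2.xml. One of the two is wrong. If the init script passes the path under /etc/shibboleth, fix this comment, because an administrator who copies the line into DAEMON_OPTS would point shibd at a different file than the one they have been editing.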
--- /dev/null
+debian/tmp/usr/include/*
+debian/tmp/usr/lib/lib*.so
--- /dev/null
+Document: libshib2-doc
+Title: Shibboleth2 API documentation
+Author: Scott Cantor
+Abstract: Doxygen generated HTML documentation of the Shibboleth
+ library version 2.
+Section: Programming/C++
+
+Format: HTML
+Index: /usr/share/doc/libshibsp-doc/html/index.html
+Files: /usr/share/doc/libshibsp-doc/html/*.html
+ /usr/share/doc/libshibsp-doc/html/*.png
+ /usr/share/doc/libshibsp-doc/html/*.gif
+ /usr/share/doc/libshibsp-doc/html/*.css
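Review bot: `Document: libshib2-doc` does not match the paths below it, which all live under /usr/share/doc/libshibsp-doc. The doc-base document ID should follow the package that ships the files, so rename it to `libshibsp-doc` to avoid a stale or colliding registration. The Title and Abstract could also name the library as it is packaged rather than "Shibboleth2".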
--- /dev/null
+doc/CREDITS.txt
+doc/README.txt
+doc/RELEASE.txt
--- /dev/null
+doc/api/* usr/share/doc/libshibsp-doc
--- /dev/null
+debian/tmp/usr/lib/lib*.so.*
--- /dev/null
+=head1 NAME
+
+mdquery - Query Shibboleth metadata
+
+=head1 SYNOPSIS
+
+B<mdquery> B<-e> I<entity> [B<-a> I<app>] [B<-nostrict>]
+
+B<mdquery> B<-e> I<entity> B<-r> I<role> B<-p> I<protocol> [B<-a> I<app>]
+ [B<-ns> I<namespace>] [B<-nostrict>]
+
+=head1 DESCRIPTION
+
+B<mdquery> queries and displays Shibboleth SP metadata. It is primarily a
+debugging tool to use in conjunction with advice from the Shibboleth
+mantaininers. It can display either the metadata for an entity or the
+metadata for a particular role.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-a> I<app>
+
+Specifies the application ID for which to retrieve metadata. If not given
+the default is C<default>.
+
+=item B<-e> I<entity>
+
+Specifies the entity ID for which to show metadata. Normally this is the
+entity descriptor ID for an entity with which one is having a problem
+(such as the entity ID for the local SP).
+
+=item B<-nostrict>
+
+Relax the strictness of checking (such as of expiration dates).
+
+=item B<-ns> I<namespace>
+
+When retrieving metadata for a particular role, specify the namespace. If
+not given, the default is the SAML20MD namespace.
+
+=item B<-p> I<protocol>
+
+Specify a protocol when retrieving metadata for a particular role.
+Normally one would use the B<-saml10>, B<-saml11>, or B<-saml2> options to
+specify the protocol name, but this option allows an arbitrary protocol to
+be specified.
+
+=item B<-saml10>
+
+Specify a protocol of SAML 1.0.
+
+=item B<-saml11>
+
+Specify a protocol of SAML 1.1.
+
+=item B<-saml2>
+
+Specify a protocol of SAML 2.0.
+
+=item B<-r> I<role>
+
+Retrieve the metadata for a particular role. Normally one would use the
+B<-idp>, B<-aa>, B<-pdp>, or B<-sp> options to specify the role name, but
+this option allows an arbitrary role to be specified.
+
+=item B<-idp>
+
+Specify a role of IDPSSODescriptor.
+
+=item B<-aa>
+
+Specify a role of AttributeAuthorityDescriptor.
+
+=item B<-pdp>
+
+Specify a role of PDPDescriptor.
+
+=item B<-sp>
+
+Specify a role of SPSSODescriptor.
+
+=back
+
+=head1 AUTHOR
+
+This manual page was written by Russ Allbery for Debian GNU/Linux.
+
+=head1 COPYRIGHT
+
+Copyright 2008 Russ Allbery. This manual page is hereby placed into the
+public domain by its author.
+
+=cut
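Review bot: the DESCRIPTION misspells "maintainers" as "mantaininers". The SYNOPSIS also shows only `-r role` and `-p protocol`, while OPTIONS says one would normally use `-idp`, `-aa`, `-pdp`, `-sp` and `-saml10`, `-saml11`, `-saml2` instead; list those alternatives in the second synopsis form so the common invocation is visible without reading the whole option list.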
--- /dev/null
+=head1 NAME
+
+resolvertest - Test Shibboleth SP attribute resolver
+
+=head1 SYNOPSIS
+
+B<resolvertest> B<-n> I<name> B<-i> I<idp> B<-p> I<protocol>
+ [B<-f> I<format-uri>] [B<-a> I<app>]
+
+B<resolvertest> [B<-a> I<app>] < I<assertion>
+
+=head1 DESCRIPTION
+
+B<resolvertest> queries the Shibboleth SP attribute resolver and can be
+used to test attribute release policies and related configuration for a
+Shibboleth SP. Either a name, IdP, and protocol may be specified on the
+command-line or B<resolvertest> can take an assertion in XML on standard
+input.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-a> I<app>
+
+The application ID. If not given, the default is C<default>.
+
+=item B<-i> I<idp>
+
+The Identity Provider to query for attributes.
+
+=item B<-f> I<format-uri>
+
+The URI for the attribute format.
+
+=item B<-n> I<name>
+
+The name to look up.
+
+=item B<-p> I<protocol>
+
+The protocol to use. Normally, one of the B<-saml10>, B<-saml11>, or
+B<-saml2> options should be used to specify the protocol, but B<-p> can be
+used to specify an arbitrary protocol.
+
+=item B<-saml10>
+
+Use the SAML 1.0 protocol.
+
+=item B<-saml11>
+
+Use the SAML 1.1 protocol.
+
+=item B<-saml2>
+
+Use the SAML 2 protocol.
+
+=back
+
+=head1 AUTHOR
+
+This manual page was written by Russ Allbery for Debian GNU/Linux.
+
+=head1 COPYRIGHT
+
+Copyright 2008 Russ Allbery. This manual page is hereby placed into the
+public domain by its author.
+
+=cut
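Review bot: the first SYNOPSIS form presents `-p protocol` as the way to select the protocol, but the OPTIONS text says `-saml10`, `-saml11` or `-saml2` should normally be used and `-p` is only for arbitrary protocols. Show the shorthand flags as alternatives in the synopsis. The OPTIONS list also places `-i` before `-f`, breaking the alphabetical order used elsewhere, and the second form does not say which assertion versions are accepted on standard input.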
--- /dev/null
+=head1 NAME
+
+shib-keygen - Generate a key pair for a Shibboleth SP
+
+=head1 SYNOPSIS
+
+B<shib-keygen> [B<-bf>] [B<-e> I<entity-id>] [B<-h> I<hostname>]
+ [B<-y> I<years>]
+
+=head1 DESCRIPTION
+
+Generate a self-signed X.509 certificate for a Shibboleth SP. By default,
+the certificate will be for the local fully-qualified (as returned by
+C<hostname --fqdn>) hostname. An entity ID can be specified with the
+B<-e> flag. The B<openssl> command-line client is used to generate the
+key pair. The public certificate will be created in
+F</etc/shibboleth/sp-cert.pem> and the private key in
+F</etc/shibboleth/sp-key.pem>.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-b>
+
+Suppress all standard error output when creating the certificate. This
+option is normally only used by the package build.
+
+=item B<-e> I<entity-id>
+
+Add I<entity-id> (which should be a URI) as an alternative name for the
+certificate.
+
+=item B<-f>
+
+Remove F</etc/shibboleth/sp-cert.pem> and F</etc/shibboleth/sp-key.pem>
+before generating a new certificate. Without this option, if those files
+already exist, B<shib-keygen> prints an error and exits rather than
+overwriting them.
+
+=item B<-h> I<hostname>
+
+Specify the fully-qualified domain name for which to generate a
+certificate. If this option isn't given, the hostname defaults to the
+result of C<hostname --fqdn>.
+
+=item B<-y> I<years>
+
+The number of years for which the certificate should be valid. The
+default expiration time is ten years into the future.
+
+=back
+
+=head1 FILES
+
+=over 4
+
+=item F</etc/shibboleth/sp-cert.cnf>
+
+The OpenSSL configuration file used for generating the self-signed
+certificate. This configuration file is generated when the script is run
+and deleted afterwards.
+
+=item F</etc/shibboelth/sp-cert.pem>
+
+The public certificate created by this script.
+
+=item F</etc/shibboleth/sp-key.pem>
+
+The private key for the certificate created by this script.
+
+=back
+
+=head1 AUTHOR
+
+This manual page was written by Russ Allbery for Debian GNU/Linux.
+
+=head1 COPYRIGHT
+
+Copyright 2008 Russ Allbery. This manual page is hereby placed into the
+public domain by its author.
+
+=cut
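Review bot: the FILES section misspells the certificate path as `/etc/shibboelth/sp-cert.pem`; it should read /etc/shibboleth/sp-cert.pem as in DESCRIPTION and under `-f`. The entry for /etc/shibboleth/sp-key.pem should also state the ownership and mode the script gives the private key: the changelog for 2.3.1+dfsg-2 says the key is created group-readable by `_shibd` and not world-readable, and that is the detail an administrator needs in order to verify the file after running the tool or restoring it from backup.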
--- /dev/null
+=head1 NAME
+
+shib-metagen - Generate metadata for a Shibboleth SP
+
+=head1 SYNOPSIS
+
+B<shib-metagen> [B<-c> I<cert> [B<-c> I<cert> ...]] [B<-e> I<entity-id>]
+ [B<-h> I<host> [B<-h> I<host> ...]] [B<-n> I<host> [B<-n> I<host> ...]]
+ [B<-o> I<organization>] [B<-a> I<admin> [B<-a> I<admin> ...]]
+ [B<-s> I<support> [B<-s> I<support> ...]]
+ [B<-t> I<tech> [B<-t> I<tech> ...]]
+
+=head1 DESCRIPTION
+
+Generate metadata for a Shibboleth SP. The metadata is printed to
+standard output. Most of the parameters are optional, but at least one of
+B<-h> or B<-n> must be given to specify the hostname to use in
+constructing URLs for the Shibboleth service for the SP. Other metadata
+can be added by using the other command-line parameters. Most parameters
+can be given multiple times.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-a> I<admin>
+
+An administrative contact for this Shibboleth SP. This option may be
+omitted, in which case administrative contact metadata is not included, or
+may be given multiple times to list multiple contacts. I<admin> should be
+in the form C<I<first>/I<last>/I<email>> where I<first> is the given name
+and I<last> is the surname.
+
+=item B<-c> I<cert>
+
+Specifies the SSL certificate used to identify this Shibboleth SP. This
+option may be given multiple times to specify multiple certificates. If
+it is not given, the default certificate is F<sp-cert.pem> in the current
+working directory.
+
+=item B<-e> I<entity-id>
+
+The entity ID for this SP. This must be a unique identifier for this SP
+and must be a URL. If B<-o> is given, it is used as the URL for the
+organization running this Shibboleth SP. If it is not specified, it
+defaults to C<https://I<host>/shibboleth> where I<host> is the argument to
+the first B<-h> option.
+
+=item B<-h> I<host>
+
+A hostname for this SP (possibly a virtual host). Either this option or
+B<-n> must be specified at least once. It should be repeated for every
+virtual host that responds to the Shibboleth protocol. B<-h> should be
+used for hostnames or virtual hosts that use SSL.
+
+=item B<-n> I<host>
+
+A hostname for this SP (possibly a virtual host). Either this option or
+B<-h> must be specified at least once. It should be repeated for every
+virtual host that responds to the Shibboleth protocol. B<-n> should be
+used for hostnames or virtual hosts that do not use SSL to protect the
+Shibboleth communication.
+
+=item B<-o> I<organization>
+
+The name of the organization that runs this Shibboleth SP. This option
+may be given only once and may be omitted, in which case organization
+metadata is not included. This is normally not necessary but may be used
+by other software systems for purposes such as displaying lists of
+entities with human-readable names.
+
+=item B<-s> I<support>
+
+A support contact for this Shibboleth SP. This option may be omitted, in
+which case support contact metadata is not included, or may be given
+multiple times to list multiple contacts. I<support> should be in the
+form C<I<first>/I<last>/I<email>> where I<first> is the given name and
+I<last> is the surname.
+
+=item B<-t> I<tech>
+
+A technical contact for this Shibboleth SP. This option may be omitted,
+in which case technical contact metadata is not included, or may be given
+multiple times to list multiple contacts. I<tech> should be in the form
+C<I<first>/I<last>/I<email>> where I<first> is the given name and I<last>
+is the surname.
+
+=back
+
+=head1 AUTHOR
+
+This manual page was written by Russ Allbery for Debian GNU/Linux.
+
+=head1 COPYRIGHT
+
+Copyright 2009 Russ Allbery. This manual page is hereby placed into the
+public domain by its author.
+
+=cut
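Review bot: the `-e` description has two gaps. The sentence "If B<-o> is given, it is used as the URL for the organization" leaves "it" ambiguous; say explicitly that the entity ID is reused as the organization URL. The default is given as `https://host/shibboleth` with host taken from the first `-h` option, but the page allows running with only `-n`; document what entity ID results in that case, or state that `-e` is then required. Since the entity ID identifies the SP to identity providers, the default should not be left to guesswork.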
--- /dev/null
+=head1 NAME
+
+shibd - Shibboleth daemon
+
+=head1 SYNOPSIS
+
+shibd [B<-tfFvh>] [B<-c> I<config>] [B<-d> I<prefix>] [B<-p> I<pidfile>]
+[B<-w> I<seconds>] [B<-x> I<catalog>]
+
+=head1 DESCRIPTION
+
+B<shibd> is the Shibboleth daemon. It handles attribute requests from the
+Apache Shibboleth module and should run in conjunction with it.
+
+=head1 OPTIONS
+
+B<shibd> takes the following command-line options.
+
+=over 4
+
+=item B<-c> I<pathname>
+
+Specifies the pathname of B<shibd>'s configuration file. Defaults to
+/etc/shibboleth/shibboleth2.xml or the value of the SHIBSP_CONFIG
+environment variable, if it is set.
+
+=item B<-d> I<pathname>
+
+Installation prefix. Defaults to /usr.
+
+=item B<-F>
+
+Stay in the foreground. Normally, B<shibd> backgrounds itself after
+starting up.
+
+=item B<-f>
+
+Force removal of listener socket.
+
+=item B<-h>
+
+Prints out a brief summary of the shibboleth options.
+
+=item B<-p> I<pathname>
+
+Specifies the pathname to use to write out the shibboleth PID file.
+
+=item B<-w> I<seconds>
+
+Seconds to wait for the background B<shibd> to start up before the
+foreground process returns. If not set, the default value is three
+seconds.
+
+=item B<-t>
+
+Validates the general correctness of the configuration. Not all problems
+can be detected this way, but the chance of successful startup is high if
+the checking process does not log any errors.
+
+=item B<-v>
+
+Prints out the version string.
+
+=item B<-x> I<pathname>
+
+Specifies the XML schema catalog to use. Defaults to
+/usr/share/xml/shibboleth/catalog.xml.
+
+=back
+
+=head1 AUTHORS
+
+shibd is part of the Internet 2 Shibboleth project written by
+Scott Cantor <cantor.2@osu.edu>.
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2005, 2006
+Internet2/MACE
+
+This program is free software; you may redistribute it and/or modify it
+under the terms of the Apache 2.0 License <http://www.apache.org/licenses>.
+
+=cut
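Review bot: the SYNOPSIS names the option arguments `config`, `prefix`, `pidfile` and `catalog`, but every matching `=item` in OPTIONS uses `pathname`; use the same metavariable in both places. `shibd` in the SYNOPSIS and AUTHORS sections is also missing the `B<>` markup used in the rest of the page, the file paths are not wrapped in `F<>`, and `-w` is listed before `-t`. The `-p` entry gives no default even though /etc/default/shibd in this patch refers to a `$PIDFILE` default; mention where that value comes from.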
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+CFLAGS = -g
+CXXFLAGS = -g
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ DEBUG = --enable-debug
+else
+ DEBUG =
+endif
+
+# Tell Autoconf the correct system types.
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+ SYSTEM = --build $(DEB_HOST_GNU_TYPE)
+else
+ SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+endif
+
+# These variable is used only by get-orig-source, which will normally only be
+# run by maintainers.
+DEBVERS := $(shell dpkg-parsechangelog | grep ^Version: | cut -d' ' -f2 \
+ | cut -d- -f1)
+VERSION := $(shell echo '$(DEBVERS)' | sed -e 's/[+-].*//' -e 's/~//g')
+URL = http://shibboleth.internet2.edu/downloads/shibboleth/cppsp
+
+# Download the upstream source and do the repackaging that we have to do for
+# DFSG reasons. Depends on wget.
+get-orig-source:
+ wget $(URL)/$(VERSION)/shibboleth-sp-$(VERSION).tar.gz
+ tar xfz shibboleth-sp-$(VERSION).tar.gz
+ rm shibboleth-sp-$(VERSION).tar.gz
+ rm shibboleth-$(VERSION)/schemas/WS-Trust.xsd
+ mv shibboleth-$(VERSION) shibboleth-sp2_$(DEBVERS).orig
+ tar cf shibboleth-sp2_$(DEBVERS).orig.tar \
+ shibboleth-sp2_$(DEBVERS).orig
+ rm -r shibboleth-sp2_$(DEBVERS).orig
+ gzip -9 shibboleth-sp2_$(DEBVERS).orig.tar
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ cp /usr/share/misc/config.guess config.guess
+ cp /usr/share/misc/config.sub config.sub
+ rm -f libtool.m4
+ libtoolize --force
+ autoreconf --force
+ rm -rf autom4te.cache
+ CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" ./configure --prefix=/usr \
+ --sysconfdir=/etc --libexecdir=/usr/lib/shibboleth \
+ --localstatedir=/var --enable-apache-22 \
+ --with-apxs2=/usr/bin/apxs2 --disable-dependency-tracking \
+ $(SYSTEM)
+ touch $@
+
+build: build-arch build-indep
+build-arch: build-stamp
+build-indep:
+build-stamp: configure-stamp
+ dh_testdir
+ $(MAKE)
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f configure-stamp build-stamp install-stamp
+ [ ! -f Makefile ] || $(MAKE) distclean
+ find . -name Makefile.in -print0 | xargs -0r rm
+ dh_clean aclocal.m4 config.h config.h.in config.status configure \
+ config.guess config.sub libtool.m4 ltmain.sh shibsp/paths.h \
+ debian/libapache2-mod-shib2.shibd.init
+
+install: install-stamp
+install-stamp:
+ dh_testdir
+ dh_testroot
+ dh_prep
+ $(MAKE) NOKEYGEN=1 DESTDIR=$(CURDIR)/debian/tmp install
+ rm -r $(CURDIR)/debian/tmp/usr/share/doc/shibboleth*
+ rm -r $(CURDIR)/debian/tmp/var/run
+ rm $(CURDIR)/debian/tmp/etc/shibboleth/*.dist
+ rm $(CURDIR)/debian/tmp/etc/shibboleth/*.config
+ rm $(CURDIR)/debian/tmp/etc/shibboleth/shibd-osx.plist
+ rm $(CURDIR)/debian/tmp/etc/shibboleth/shibd-redhat
+ rm $(CURDIR)/debian/tmp/etc/shibboleth/shibd-suse
+ chmod +x $(CURDIR)/debian/tmp/etc/shibboleth/keygen.sh
+ mv $(CURDIR)/debian/tmp/etc/shibboleth/keygen.sh \
+ $(CURDIR)/debian/tmp/usr/sbin/shib-keygen
+ mv $(CURDIR)/debian/tmp/etc/shibboleth/metagen.sh \
+ $(CURDIR)/debian/tmp/usr/bin/shib-metagen
+ mv $(CURDIR)/debian/tmp/etc/shibboleth/shibd-debian \
+ $(CURDIR)/debian/libapache2-mod-shib2.shibd.init
+ dh_installdirs -s -i
+ mv $(CURDIR)/debian/tmp/usr/lib/shibboleth/mod_shib_22.so \
+ $(CURDIR)/debian/libapache2-mod-shib2/usr/lib/apache2/modules
+ rm $(CURDIR)/debian/tmp/usr/lib/shibboleth/mod_shib_22.la
+ pod2man $(CURDIR)/debian/man-pages/mdquery.pod --section 1 \
+ --center 'Shibboleth' --release $(VERSION) \
+ $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/mdquery.1
+ pod2man $(CURDIR)/debian/man-pages/resolvertest.pod --section 1 \
+ --center 'Shibboleth' --release $(VERSION) \
+ $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/resolvertest.1
+ pod2man $(CURDIR)/debian/man-pages/shib-metagen.pod --section 1 \
+ --center 'Shibboleth' --release $(VERSION) \
+ $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/shib-metagen.1
+ pod2man $(CURDIR)/debian/man-pages/shib-keygen.pod --section 8 \
+ --center 'Shibboleth' --release $(VERSION) \
+ $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man8/shib-keygen.8
+ pod2man $(CURDIR)/debian/man-pages/shibd.pod --section 8 \
+ --center 'Shibboleth' --release $(VERSION) \
+ $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man8/shibd.8
+ dh_install -s -i --fail-missing
+ touch $@
+
+binary: binary-arch binary-indep
+binary-arch: DH_OPTIONS=-a
+binary-arch: install-stamp
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs -A doc/NOTICE.txt
+ dh_installinit --name=shibd
+ dh_installlogcheck
+ dh_strip
+ dh_compress
+ dh_fixperms
+ DH_OPTIONS="" dh_makeshlibs -plibshibsp4
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary-indep: DH_OPTIONS=-i
+binary-indep: install-stamp
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs -A doc/NOTICE.txt
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+.PHONY: binary binary-arch binary-indep build build-arch build-indep clean
+.PHONY: install
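Review bot: `get-orig-source` fetches the tarball with `wget $(URL)/...` where URL is a plain `http://` address, and nothing afterwards checks a checksum or signature before the tree is repacked as the .orig tarball. Verify the download against a published signature or a pinned hash, or at least record the expected digest in the target, so a tampered download cannot become the package source. Two smaller points: `DEBUG` is set from `noopt` but never passed to `./configure`, and `CFLAGS`/`CXXFLAGS` are `-g` in both branches, so DEB_BUILD_OPTIONS=noopt currently changes nothing; the comment above DEBVERS reads "These variable is used".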
--- /dev/null
+LoadModule mod_shib /usr/lib/apache2/modules/mod_shib_22.so
--- /dev/null
+debian/tmp/usr/share/xml/shibboleth
--- /dev/null
+version=3
+opts=dversionmangle=s/\+dfsg\d*$// \
+ http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/(2[\d.]+)/ \
+ shibboleth-(?:sp-)?([\d.]+)\.tar\.gz