
Bug 202952

Summary: shibboleth ebuild request
Product: Gentoo Linux
Reporter: Pat Riehecky <jcpunk>
Component: New packages
Assignee: Default Assignee for New Packages <maintainer-wanted>
Status: CONFIRMED ---
Severity: enhancement
CC: flow, jackhill, jonnykent, lebarjack, linkages
Priority: High
Keywords: EBUILD
Version: unspecified
Hardware: All
OS: Linux
URL: http://shibboleth.internet2.edu/
Whiteboard: sunrise suggested
Package list:
Runtime testing required: ---
Bug Depends on: 334317, 334385, 334313    
Bug Blocks:    
Attachments: ebuild for shibboleth
shibboleth ebuild
Manifest for shibboleth ebuild
digest for shibboleth ebuild: digest-shibboleth-sp-1.3f
log4shib-1.0 ebuild
xml-security-c-1.3.0 ebuild provided here for completeness only, most updated version may be found here: http://bugs.gentoo.org/show_bug.cgi?id=89076
opensaml-1.1b ebuild
shibboleth-sp-1.3.1 ebuild for apache 2.2
shibboleth-sp-2.4.3.ebuild - BETA
Supplemental files

Description Pat Riehecky 2007-12-21 19:34:19 UTC
The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated Single-SignOn and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the Attribute information being released to each Service Provider. Using Shibboleth-enabled access simplifies management of identity and access permissions for both Identity and Service Providers. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License.

Reproducible: Always

Steps to Reproduce:
1. emerge --search shibboleth
2. nothing found



forums topic on this issue:
http://forums.gentoo.org/viewtopic-t-484842-view-previous.html?sid=adf2ce55e28b7c5120f412c3fd8c3563
Comment 1 Eli Ben-Shoshan 2008-03-10 17:19:20 UTC
I am starting work on an ebuild for both the apache module and shibd and the required dependencies. Hopefully I'll have something up later this week since I will be needing this for my regular day job.
Comment 2 Johnny 2008-03-15 05:23:44 UTC
I was searching for this last year and Giacomo Tenaglia from the opensaml mailing list offered me an ebuild that he had done. It worked well on my system (gentoo-hardened 2.6.18 at that time) and has been happily running since early October. He has given permission for me to upload it here.
All credit for this version of the ebuild must go to him. He also notes
"it's possible that I made mistakes on writing them (for example I have explicitly used the switch --with-apache-20 in the shibboleth-sp ebuild, which I suppose is not the right way to specify that)."

Anyway this is a great place to start from.
Comment 3 Johnny 2008-03-15 05:28:17 UTC
Created attachment 146186 [details]
ebuild for shibboleth

ebuild for Shibboleth credited to Giacomo Tenaglia
Comment 4 Johnny 2008-03-15 05:46:47 UTC
Some added comments for those trying the build.
After a successful build using the Gentoo reverse dependency checker on the system I saw these issues:

  broken /usr/libexec/adfs.la (requires /usr/lib/libshib.la)
  broken /usr/libexec/adfs.la (requires /usr/lib/libshib-target.la)
  broken /usr/libexec/mod_shib_20.la (requires /usr/lib/libshib.la)
  broken /usr/libexec/mod_shib_20.la (requires /usr/lib/libshib-target.la)
  broken /usr/libexec/xmlproviders.la (requires /usr/lib/libshib.la)
  broken /usr/libexec/xmlproviders.la (requires /usr/lib/libshib-target.la)

and consulted with the gurus on the opensaml list who say the lib files aren't needed and that that may be an issue with libtool (it's a weird interaction between libtool, prefix, DESTDIR, and the various ways in which one can install libraries). I have ignored it without problems for around 6 months now.

Several dependencies are listed in the ebuild:
DEPEND=">=dev-libs/openssl-0.9.7
	=dev-libs/log4cpp-0.3.5_rc1
	>=dev-libs/xerces-c-2.6.1
	=dev-libs/xml-security-c-1.3.0
	=dev-cpp/opensaml-1.1b"

Of these openssl, log4cpp, xerces-c, and xml-security-c are already in portage for you to emerge. Note that xerces is not the same as xerces-c and same for xml-security.

The next issue is that it being an unstable build you need to unmask it 
per this http://forums.gentoo.org/viewtopic-t-33534.html
I used ACCEPT_KEYWORDS="~x86" successfully.

Caveat emptor: I am currently running apache 2.0.59 and had grief using this ebuild with apache 2.2. Of course since there is a current security advisory on apache <2.2 I may be forced into upgrading quite soon.

And then there's a newer version of either Shibboleth or opensaml (don't recall which) in the wings also.

Good luck with your Shibboleth ebuilds.
Comment 5 Johnny 2008-03-15 06:24:33 UTC
Created attachment 146191 [details]
shibboleth ebuild

oops my bad. No tgz files allowed. Here is the plain text shibboleth ebuild
Comment 6 Johnny 2008-03-15 06:26:16 UTC
Created attachment 146192 [details]
Manifest for shibboleth ebuild
Comment 7 Johnny 2008-03-15 06:27:54 UTC
Created attachment 146193 [details]
digest for shibboleth ebuild: digest-shibboleth-sp-1.3f
Comment 8 Johnny 2008-03-15 06:35:15 UTC
opensaml-1.1 is also in portage so the above is all you should need extra.

On my system they are in folders:

/etc/local/portage/www-apps/shibboleth-sp/shibboleth-sp-1.3f.ebuild
/etc/local/portage/www-apps/shibboleth-sp/Manifest
/etc/local/portage/www-apps/shibboleth-sp/files/digest-shibboleth-sp-1.3f
Comment 9 Johnny 2008-03-28 05:16:26 UTC
(In reply to comment #8)
I now have shibboleth 1.3.1 working under gentoo hardened 2.6.23-r7 with apache 2.2
I was a little off in my previous posts above about which dependencies were in portage and which were not, so I'll update everything now to the latest I have and make it complete for others trying this.

I have these versions of packages that Shibboleth depends on:
openssl-0.9.8g : in portage currently at ver 0.9.8g for x86
log4shib-1.0 : not in portage
log4cpp-1.0 : this is in portage but masked
xerces-c-2.7-r1 : in portage 
xml-security-c-1.3.0: not in portage
opensaml-1.1b: not in portage

I have both but you don't need both log4cpp and log4shib. log4shib is a version of log4cpp specifically for shibboleth. Right now the working version of the shibboleth came from an ebuild that calls for log4shib. I will add the ebuilds for log4shib, xml-security-c, and shibboleth-1.3.1 in the next 4 posts. 
Comment 10 Johnny 2008-03-28 05:23:07 UTC
Created attachment 147497 [details]
log4shib-1.0 ebuild
Comment 11 Johnny 2008-03-28 05:24:23 UTC
Created attachment 147498 [details]
xml-security-c-1.3.0 ebuild
provided here for completeness only, most updated version may be found here: http://bugs.gentoo.org/show_bug.cgi?id=89076
Comment 12 Johnny 2008-03-28 05:25:38 UTC
Created attachment 147501 [details]
opensaml-1.1b ebuild
Comment 13 Johnny 2008-03-28 05:30:04 UTC
Created attachment 147504 [details]
shibboleth-sp-1.3.1 ebuild for apache 2.2

may work for earlier versions of apache by removing the --enable-apache-22 flag as the shibboleth docs say that the build will figure out what version of apache you are running. Caveat: I haven't tried without the apache 22 flag.
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2010-08-23 20:29:41 UTC
Please open separate bugs for dev-cpp/opensaml and dev-libs/log4shib, add the Sunrise keywords & whiteboard for them and make them block this bug.
Comment 15 Johnny 2010-08-25 05:44:20 UTC
(In reply to comment #14)
> Please open separate bugs for dev-cpp/opensaml and dev-libs/log4shib, add the
> Sunrise keywords & whiteboard for them and make them block this bug.
> 
Thomas Beierlein appears to have quite recently opened bugs 334317 and 334313 and made those block this bug.

I would recommend that this bug target Shibboleth 2 now as 1.3 is, although still working, becoming superseded by Shibboleth 2.x
Comment 16 Johnny 2010-08-25 06:51:45 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > Please open separate bugs for dev-cpp/opensaml and dev-libs/log4shib, add the
> > Sunrise keywords & whiteboard for them and make them block this bug.
> > 
> Thomas Beierlein appears to have quite recently opened bugs 334317 and 334313
> and made those block this bug.
> 
> I would recommend that this bug target Shibboleth 2 now as 1.3 is, although
> still working, becoming superseded by Shibboleth 2.x
> 

The Shibboleth website http://shibboleth.internet2.edu/ now states that Shibboleth 1.3 is unsupported as of June 30th, 2010.

Shibboleth 2.x requires OpenSAML 2 and a new library XML-Tooling-c and also Shibboleth 2.2 supports xerces-c 2.x and 3.x 
XML-Security: OpenSAML and Shibboleth 2.x require at least version 1.4.0, and version 1.5.1 or later are recommended.

Since it seems better to move straight to Shibboleth 2.x should we open a new bug for that and add another bug to get the newly required XML-Tooling-c as well?
Comment 17 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2010-08-25 07:00:51 UTC
(In reply to comment #16)
> Since it seems better to move straight to Shibboleth 2.x should we open a new
> bug for that and add another bug to get the newly required XML-Tooling-c as
> well?

No, this bug is fine. Simply open another bug for the dep.
Comment 18 Martin Samek 2011-10-07 12:34:44 UTC
Created attachment 289065 [details]
shibboleth-sp-2.4.3.ebuild - BETA

This is an ebuild for the shibboleth-sp 2 package. The service provider is a part of the Shibboleth Internet2 project. I have also prepared ebuilds for the dependencies blocking this package, Bug 334317, Bug 334385. This ebuild still has some issues with the doc build and files in /etc/shibboleth. Additional files such as the init script, conf.d and apache module conf are included in another attachment. All files will need some review. But at this moment they are able to build a running shibboleth service provider.
Comment 19 Martin Samek 2011-10-07 12:53:53 UTC
Created attachment 289075 [details]
Supplemental files
Comment 20 Martin Samek 2013-12-10 21:40:07 UTC
Almost 6 years and nobody cares about Shibboleth in Portage :(