...

  • Set DYLD_LIBRARY_PATH to the eventual lib path into which you'll be installing the packages you're building (/opt/shibboleth-sp/lib)
  • Set MACOSX_DEPLOYMENT_TARGET to your OS X version (e.g. 10.4 or 10.5)
  • See the note below for an additional setup option before proceeding.

Building Shibboleth

The following packages must be built in the following order using the ./configure commands listed. Be sure to make and make install as appropriate for each package, including Shibboleth itself.

...

  • libcurl: not needed on 10.4; otherwise use ./configure --disable-static --without-ca-bundle --enable-thread --with-ssl --prefix=/opt/shibboleth-sp
  • log4shib: ./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
  • ICU: ./configure --prefix=/opt/shibboleth-sp [--enable-rpath] (see DYLD_LIBRARY_PATH note below)
  • Xerces-C: ./configure --prefix=/opt/shibboleth-sp --disable-static --enable-netaccessor-socket --enable-transcoder-icu --with-icu=/opt/shibboleth-sp
  • XML-Security-C: ./configure --without-xalan --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
  • XMLTooling-C: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
  • OpenSAML-C: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C

...

  1. Edit httpd.conf:
    • Shibboleth includes a file of Apache configuration directives in etc/shibboleth for each version of Apache; the one matching your version must be added to the Apache configuration. On newer OS X versions, one method is to copy the appropriate file to /private/etc/apache2/other/shib.conf. Alternatively, you can add an Include to httpd.conf itself:
      Include /opt/local/etc/shibboleth/apache.config
      
    • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
    • The UseCanonicalName directive should be set to On for secure operation.
  2. Restart Apache.
  3. /opt/shibboleth-sp/sbin/shibd must be started and run independently in order to handle access requests. The daemon should in the future be loaded and monitored along with all other major services; a launchd file is included in etc/shibboleth/shibd.osx.plist.
    /opt/shibboleth-sp/sbin/shibd &
    
  4. By default, the Shibboleth module is configured to log information on behalf of Apache to /opt/shibboleth-sp/var/log/httpd/native.log, though this can be changed by modifying the native.logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.
  5. shibd creates its own separate logs at /opt/shibboleth-sp/var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.

DYLD_LIBRARY_PATH and Apache on Mac OS X

If you build as indicated above, the build itself should succeed, but you will likely have difficulty getting the module to load in Apache. DYLD_LIBRARY_PATH must be set when Apache is started, but Apple starts Apache from a launch control process (/bin/launchctl) that executes httpd directly rather than going through /usr/sbin/apachectl, so it is difficult to set an environment variable that Apache will actually see. So, I present two options for you:

Option 1: Write DYLD_LIBRARY_PATH into compiled binaries

This is the option I prefer because everything will just work all the time when you are done compiling. When setting up your build environment:

  • Set LDFLAGS="-Wl,-rpath,(your_shib-sp_install_dir)/lib"

If you use this option remember to add --enable-rpath as a configure option when building ICU.

Option 2: Set DYLD_LIBRARY_PATH for launchctl

Personally, I dislike this option because I don't like doing something that could get obliterated by an Apple system update. This may be someone else's preferred method, though, so I will put it here for the record. Note that I discovered this solution when trying to figure this out myself and came across the thread http://lists.apple.com/archives/macos-x-server/2008/Nov/msg00210.html.

Add the following XML snippet to /System/Library/LaunchDaemons/org.apache.httpd.plist.

<key>EnvironmentVariables</key>
<dict>
    <key>DYLD_LIBRARY_PATH</key>
    <string>/opt/shibboleth-sp/lib</string>
</dict>
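
Both options above cause httpd to load every library under /opt/shibboleth-sp/lib at startup, so that directory and its contents should not be writable by unprivileged accounts. The following check is an added example, not part of the original instructions; the function names, the `--run` switch and the root-owner default are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: audit the directory that httpd
# loads libraries from (via DYLD_LIBRARY_PATH or an embedded rpath).
# Assumptions: libraries should belong to one trusted owner (root by default)
# and nothing in the tree should be group- or world-writable.

# List entries at or below $1 that are group/world-writable or not owned by
# $2. Symlinks are skipped: their own mode bits are not meaningful, and
# targets inside the tree are checked in their own right.
unsafe_entries() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -002 -o ! -user "${2:-root}" \) -print
}

# Return 0 if the tree passes, 1 if the directory is missing or any entry fails.
audit_lib_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir" >&2
        return 1
    fi
    bad=$(unsafe_entries "$dir" "$owner")
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/UNSAFE /' >&2
        return 1
    fi
    echo "OK $dir"
}

# Usage: sh audit_libdir.sh --run [dir [owner]]
if [ "${1:-}" = "--run" ]; then
    audit_lib_dir "${2:-/opt/shibboleth-sp/lib}" "${3:-root}"
fi
```

A non-zero exit status means at least one entry was reported on stderr and should be fixed with chown/chmod before Apache is restarted.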

For 64-bit Intel

I'm no GNU config expert, so this is surely not the best, but the results do seem to work:

...