Warning: This topic is a work in progress and requires review by a suitable macOS user.
Using the MacPort of the Shibboleth Native SP
The following installation procedure will build and install the SP and all its dependencies. Completion of the instructions will result in a functional and loaded but unconfigured SP installed under the /opt/local file system tree maintained by the MacPorts system.
Note: At this time, only Apache installations in detectable locations that the configure script can locate automatically are usable. In practice this means that the "right" Apache apxs script needs to be in the system path when the port is configured. Either upon release or shortly after, a port variant will be added to specify use of the MacPort-provided Apache package.
Installing MacPorts
You can find disk images with an installer at http://www.macports.org/ or you can download and build the port software manually from their tarball. After installing it, particularly if you do so from source, you may need to add /opt/local/bin to your shell path.
Once installed, the port software is self-updating using the port selfupdate command.
Getting the Shibboleth Portfiles
The Portfiles are available in the default port repository, so you should be able to install them directly.
Installing Shibboleth
Normally, it's possible to just install the primary port ("shibboleth" in this case) and let it automatically handle dependencies. This won't work in this case because one of the dependencies (curl) has to be installed with a port "variant" to enable SSL support. Ports cannot indicate that a variant of a dependency is required, so you have to install curl yourself first.
All port installations MUST be done as root.
```
$ sudo -s
# port install curl +ssl
# port install shibboleth
```
You should see a number of packages downloaded and installed for you. Other port commands and options include -v for a verbose trace of the process, the upgrade command to get new versions, and uninstall to remove things.
...
If you want to use the ODBC storage plugin, you can add +odbc to the command line and it will ensure that the unixODBC port is installed and build the plugin for you.
You may notice that packages are installed that you already have (e.g. perl or openssl). This is unavoidable. Packaging systems that are added to an OS by somebody other than the vendor typically use build conventions that require that all non-OS dependencies be managed and built by the packaging system itself.
Basic Configuration
These steps will configure Apache to load mod_shib, supply it with proper host and scheme information, and start shibd.
- Edit Apache configuration. In httpd.conf:
  - Shibboleth includes sample Apache configuration files (snippets) in /opt/local/etc/shibboleth for each version of Apache. On newer OS X versions, one method is to copy the appropriate file to /private/etc/apache2/other/shib.conf and make whatever adjustments you like. Alternatively, you can add an Include to httpd.conf itself, but this isn't advisable because that file will be overwritten on subsequent installs/upgrades. Use it as a sample to add the necessary commands to your own configuration.
  - Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
  - Do not include these files directly but copy the relevant portions to your own Apache configuration files/strategy.
  - Use of the <RequestMap> feature is not recommended or needed for use with Apache, but if you must, its use absolutely requires that the UseCanonicalName Apache directive be set.
  - Ensure that the ServerName directive in each virtual host is properly set, including overriding the scheme or port as required by any load balancing, proxying, or offloading you may be doing.
Restart Apache.
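The ServerName and UseCanonicalName points above, shown as an added example (it is not taken from the Shibboleth sample files). The host name sp.example.org, the listener port 8080 and the /secure path are assumptions chosen for illustration.

```apache
# Constructed example: Apache listens on plain HTTP port 8080 behind a
# load balancer that terminates TLS for https://sp.example.org/.
# Host name, port and path are assumptions for illustration.

# Weak: no scheme or port in ServerName and UseCanonicalName left at its
# default (Off). Apache then takes the host name from the client-supplied
# Host header and the scheme/port from the local connection (http, 8080),
# so the URLs the SP computes do not match what users actually request.
#
#   <VirtualHost *:8080>
#       ServerName sp.example.org
#   </VirtualHost>

# Corrected: state the externally visible scheme, host and port, and make
# Apache use them instead of the Host header.
<VirtualHost *:8080>
    # Scheme and port as clients see them at the load balancer.
    ServerName https://sp.example.org:443

    # Build self-referential URLs from ServerName, not from the request.
    UseCanonicalName On

    # A protected location handled by mod_shib.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```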
The port install process generates and installs a launchd descriptor to use in starting and monitoring shibd. You can manually start and stop it yourself, or you can use launchctl like so:
```
launchctl load -F /Library/LaunchDaemons/org.macports.shibd.plist
launchctl unload -F /Library/LaunchDaemons/org.macports.shibd.plist
```
If you want shibd to start upon boot, run:
```
launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
```
Note (32/64 bits? Remove this?): If you get this error:
```
httpd: Syntax error on line 484 of /etc/apache2/httpd.conf: Syntax error on line 2 of /private/etc/apache2/other/shibboleth.conf: Syntax error on line 13 of /opt/local/etc/shibboleth/apache22.config: Cannot load /opt/local/lib/shibboleth/mod_shib_22.so into server: dlopen(/opt/local/lib/shibboleth/mod_shib_22.so, 10): no suitable image found. Did find:\n\t/opt/local/lib/shibboleth/mod_shib_22.so: mach-o, but wrong architecture
```
Then refer to the NativeSPMacApache32 topic for information on Apple's questionable Apache choice.
- By default, the Shibboleth module is configured to log information on behalf of Apache to /opt/local/var/log/shibboleth-www/native.log or to the local syslog, with a subset also to the Apache error log.
- The shibd service creates its own separate logs in /opt/local/var/log/shibboleth. This is the most important log used for debugging anything regarding the SP, and most problems manifest here rather than on the web server side.
Upgrades
In order to upgrade the installation, run the commands below.
```
sudo -s
port sync
port upgrade shibboleth   # or: port upgrade outdated (upgrades every outdated port)
```