...
- Set DYLD_LIBRARY_PATH to the eventual lib path into which you'll be installing the packages you're building (/opt/shibboleth-sp/lib)
- Set MACOSX_DEPLOYMENT_TARGET to your OS X version (e.g. 10.4 or 10.5)
- See the DYLD_LIBRARY_PATH note below for an additional setup option before proceeding.
...
- libcurl (not needed on 10.4, or use):
./configure --disable-static --without-ca-bundle --enable-thread --with-ssl --prefix=/opt/shibboleth-sp
- log4shib:
./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
- ICU:
./configure --prefix=/opt/shibboleth-sp
(--enable-rpath: see the DYLD_LIBRARY_PATH note below)
- Xerces-C:
./configure --prefix=/opt/shibboleth-sp --disable-static --enable-netaccessor-socket --enable-transcoder-icu --with-icu=/opt/shibboleth-sp
- XML-Security-C:
./configure --without-xalan --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
- XMLTooling-C:
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
- OpenSAML-C:
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
...
These steps will configure Apache to load mod_shib, supply it with proper host and scheme information, and start shibd.
- Edit the Apache configuration (httpd.conf): Shibboleth includes sample Apache configuration files in etc/shibboleth for each version of Apache; their directives must be added to your configuration. On newer OS X versions, one method is to copy the appropriate file to /private/etc/apache2/other/shib.conf and make whatever adjustments you like. Alternatively, you can add an Include to httpd.conf itself:
Include /opt/local/etc/shibboleth/apache.config
This isn't advisable, because that file will be overwritten on subsequent installs/upgrades. Use it as a sample to add the necessary commands to your own configuration.
- Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
- Use of the <RequestMap> feature is not recommended with Apache, but its use requires that the UseCanonicalName directive be set to On for secure operation.
- Restart Apache.
- /opt/shibboleth-sp/sbin/shibd must be independently started and run in order to handle access requests. The daemon should in the future be loaded and monitored along with all other major services. A launchd file is included in etc/shibboleth/shibd.osx.plist.
/opt/shibboleth-sp/sbin/shibd &
By default, the Shibboleth module is configured to log information on behalf of Apache to httpd/native.log or shibboleth-www/native.log under /opt/shibboleth-sp/var/log/, though this can be changed by modifying the native.logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.
shibd creates its own separate log at /opt/shibboleth-sp/var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.
...
If you build as indicated above you should be successful. However, it is likely that you will have difficulty getting the module to load in Apache. This is because DYLD_LIBRARY_PATH must be set when Apache is started, but Apple starts Apache with a launch control process (/bin/launchctl), and it is difficult to set an environment variable that this process will notice when starting Apache because it executes httpd directly rather than using /usr/sbin/apachectl. So, I present two options for you:
Option 1: Write DYLD_LIBRARY_PATH into compiled binaries
This is the option I prefer because everything will just work all the time when you are done compiling. When setting up your build environment:
- Set LDFLAGS="-Wl,-rpath,(your_shib-sp_install_dir)/lib"
...
- Add --enable-rpath as an option to the ICU configure line.
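One way to confirm that Option 1 took effect, as an added example that is not part of the original page: run otool -l on each installed library and on mod_shib, and check for an LC_RPATH entry naming the install lib directory. The function names, the script name and the sample otool output below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a built Mach-O file
# carries an LC_RPATH for the Shibboleth lib directory (Option 1), so Apache
# can load it without DYLD_LIBRARY_PATH in its environment.

# Read `otool -l` output on stdin; print each LC_RPATH path, one per line.
rpaths_from_otool() {
    awk '
        $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }
        in_rpath && $1 == "path" {
            sub(/^[ \t]*path /, "")          # drop the field label
            sub(/ \(offset [0-9]+\)$/, "")   # drop the trailing offset note
            print
            in_rpath = 0
        }'
}

# has_rpath DIR: succeed if DIR is exactly one of the rpaths read from stdin.
has_rpath() {
    rpaths_from_otool | grep -Fxq -- "$1"
}

# Constructed sample of `otool -l` output (library name is hypothetical).
SAMPLE_OTOOL='Load command 11
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /opt/shibboleth-sp/lib/libexample.1.dylib (offset 24)
Load command 12
          cmd LC_RPATH
      cmdsize 40
         path /opt/shibboleth-sp/lib (offset 12)'

# Usage on macOS: sh check_rpath.sh /opt/shibboleth-sp/lib FILE...
if [ "$#" -ge 2 ]; then
    libdir=$1; shift
    status=0
    for f in "$@"; do
        if otool -l "$f" | has_rpath "$libdir"; then
            echo "ok       $f"
        else
            echo "MISSING  $f (no LC_RPATH for $libdir)"
            status=1
        fi
    done
    exit "$status"
fi
```

A file reported as MISSING was linked without the LDFLAGS setting above and should be rebuilt rather than worked around at load time.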
Option 2: Set DYLD_LIBRARY_PATH for launchctl
Personally I dislike this option because I don't like doing something that could get obliterated by an Apple system update. This may be someone else's preferred method though so I will put it here for the record. Note that I discovered this solution when trying to figure this out myself and came across the thread http://lists.apple.com/archives/macos-x-server/2008/Nov/msg00210msg00241.html.
Add the following XML snippet to /System/Library/LaunchDaemons/org.apache.httpd.plist:
<key>EnvironmentVariables</key>
<dict>
<key>DYLD_LIBRARY_PATH</key>
<string>/opt/shibboleth-sp/lib</string>
</dict>
...