The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

NativeSPLinuxSRPMBuild

Building the Native SP from SRPM Source Packages

Building from SRPM is like a source build, but much more automated and less prone to user error if you're less experienced at building from source. It also results in a set of packages you can install or upgrade easily across many machines.

The basic process to rebuild an SRPM is simply this command:

rpmbuild --rebuild package.src.rpm

The rpmbuild command, and others required for the build process, are often missing from a server installation, so you may need to install them first.  The following list of packages covers most of the prerequisites on many systems:

  • automake
  • boost-devel
  • chrpath
  • doxygen
  • gcc-c++
  • groff
  • httpd-devel
  • libidn-devel
  • openldap-devel
  • openssl-devel
  • redhat-rpm-config
  • rpm-build (for rpmbuild)
  • stunnel (for curl-openssl)
  • unixODBC-devel

You can save some time during the build process by installing all of the above that are available on your system, along with their dependencies.  On "yum" platforms, the simplest way is just to install them all at once:

yum install automake boost-devel chrpath doxygen gcc-c++ ...

yum will just ignore any packages which aren't available or are already installed and will install any dependencies of the packages requested automatically.  You'll discover any prerequisites not in the above list during the build process.  The one exception to this is the rpmbuild command itself.  If that isn't installed by this point, you can use the "yum provides rpmbuild" command to locate the package needed.

By default, rpmbuild requires root access in order to use the default RPM tree in /usr/src/redhat. This isn't recommended, but using a local RPM tree is beyond the scope of this document. Following the very small "Setup" section of How to patch and rebuild an RPM package will get you there in a few minutes, though.

To rebuild the whole set of packages required for the SP, you'll need to download the SRPMs from
the download site and save them to /usr/src/redhat/SRPMS/.

You'll then need to repeat the same basic steps for each package, in the following order:

  1. log4shib
  2. xerces-c
  3. xml-security-c
  4. curl-openssl (on RHEL/CentOS 6.x and later)
  5. xmltooling
  6. opensaml
  7. shibboleth

If you jump ahead, the RPM commands will tell you what's missing. The basic steps for each package are:

rpmbuild --rebuild package.src.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/libpackage-version-rec.arch.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/libpackage-devel-version-rec.arch.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/package-schemas-version-rec.arch.rpm

Replace package, version, and arch above (usually i386, i686 or x86_64) with the necessary information in each case.  Only some packages have a schemas RPM you need to install.

If at any time, you're told that a package needed to build the next one is missing, simply install it using yum or whatever tool is native to your OS. In particular, you'll usually need some kind of Apache development package (often httpd-devel) and its dependencies, assuming your goal is to integrate with the Apache that comes with your OS.

If on the other hand something breaks, it's probably that you've found a bug in one of the packages (usually not in the source, just the packaging process) and you can search the mailing list or ask for help.

At the end of the process, you'll be left with everything you need installed and you can refer to the RPM topic to proceed.

SRPM Options

A few options are built-in to control certain dependencies and turn on and off some optional features:

rpmbuild Option

Effect

--without adfs

Don't include ADFS module

--with odbc

Expressly include the ODBC storage plugin (requires unixODBC-devel)

--without odbc

Don't include the ODBC plugin, even if it can be built

--with log4cpp

Build against the original log4cpp library instead of log4shib

--with fastcgi

Include FastCGI support (requires fcgi-devel)

--without builtinapache

Bypass requirement for native OS httpd-devel package

Targeting a Custom Apache

Should the need arise to customize the build process to target a non-standard Apache, various options can be passed to the rpmbuild command. In fact, you can completely control the configure command used by defining the macro shib_options:

rpmbuild --rebuild -D 'shib_options --withfoo=bar' shibboleth-version.src.rpm

In this fashion, you can supply the usual configure options that control Apache build settings, such as --enable-apache-20 or --with-apxs2 and so on.

If you need to disable the RPM's dependency on the native OS Apache development package, you can use the option for that listed above in the table.

Examples

Amazon Linux with Apache 2.4

Amazon Linux with Apache 2.4 requires some additional arguments to be provided. This is because it uses the package http24_devel rather than http_devel and apxs is in a different location than expected.

Amazon Linux Build From SRPM
# Source RPMS to rebuild, and the order to rebuild them in.
RPMS_ORDER='log4shib-1.0.9-3.3.src.rpm xerces-c-3.1.4-1.2.src.rpm xml-security-c-1.7.3-3.3.src.rpm curl-openssl-7.57.0-1.1.src.rpm  xmltooling-1.6.3-3.1.src.rpm opensaml-2.6.1-3.1.src.rpm shibboleth-2.6.1-3.1.src.rpm'
for rpm in $RPMS_ORDER; do echo $rpm;
    wget "http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/src/$rpm"
done


# Build tools, as suggested earlier in the wiki
yum install \
  automake \
  boost-devel \
  chrpath \
  doxygen \
  gcc-c++ \
  groff \
  httpd24-devel \
  libidn-devel \
  openldap-devel \
  openssl-devel \
  redhat-rpm-config \
  rpm-build \
  stunnel \
  unixODBC-devel


for rpm in $RPMS_ORDER; do echo $rpm;
  # The shib source rpm has special instructions, so do that seperately
  if [[ $rpm != shibboleth* ]]; then
    sudo rpmbuild --rebuild $rpm
	# Install what we just built since it may be a dependency of the next build
    sudo yum localinstall -y /usr/src/rpm/RPMS/x86_64/*.rpm
  fi
done


# Shibboleth needs to be build differently since it names its apache24 packages differently.
# We need to tell the build to ignore looking for OS packages.
sudo rpmbuild --rebuild --without builtinapache -D 'shib_options -with-apxs24=/usr/bin/apxs -with-apr1=/usr/bin/apr-1-config -enable-apache-24' shibboleth*


sudo yum localinstall /usr/src/rpm/RPMS/x86_64/shibboleth-2.6.1-3.1.x86_64.rpm


# Confirm it has the apache mod you need
rpm -qpl /usr/src/rpm/RPMS/x86_64/shibboleth-2.6.1-3.1.x86_64.rpm | grep mod_shib
# Expected output: /usr/lib64/shibboleth/mod_shib_24.so