URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/install-target-1.1-debian-stable.html
Author: Valery Tschopp, SWITCH
Contact: aai@switch.ch
Version: 1.0 - 20030930
Installing Shibboleth 1.1 Target on Debian GNU/Linux 3.0r1 (woody)
This guide is only an addition to the original Shibboleth 1.1 Target Deployment Guide.
SWITCH provides a precompiled binary package for the stable release Debian 3.0r1 (woody) on the i386 architecture.
The Shibboleth 1.1 Target distribution was built from source, including the required libraries that are either not available as Debian stable packages or not compatible with the OpenSAML/Shibboleth source code.
The precompiled binary package contains a directory layout where everything is located under opt/shibboleth.
If your platform is RedHat or Solaris, you can get the rpm or tar binary packages for the original Shibboleth distribution.
1. Debian 3.0r1 Configuration
In order to deploy Shibboleth 1.1 Target on debian
stable, some additional system configuration has to be done.
1.1 Syslog Configuration (syslogd)
The remote UDP logging capability of syslog should be enabled, as this feature is disabled by default.
Edit the file /etc/init.d/sysklogd and add the -r option to the SYSLOGD variable.

    # /etc/init.d/sysklogd: start the system log daemon.
    PATH=/bin:/usr/bin:/sbin:/usr/sbin
    ...
    # Options for start/restart the daemons
    #   For remote UDP logging use SYSLOGD="-r"
    #
    SYSLOGD="-r"

1.2 APT Configuration
Debian 3.0r1 (woody) should be kept up to date, with the latest security patches installed (in particular for SSL support). A recommended APT configuration file /etc/apt/sources.list could contain the following entries (as used by SWITCH to install/update Debian 3.0r1 woody):

    # /etc/apt/sources.list: package resource list for APT
    #
    # Standard package sources for woody distributions
    #
    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ woody main non-free contrib
    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib

    #
    # Standard source package sources for woody distributions
    #
    deb-src http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ woody main non-free contrib
    deb-src http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib

    #
    # Security patches and updates
    #
    deb ftp://sunsite.cnlab-switch.ch/mirror/debian-security woody/updates main contrib non-free
    deb http://security.debian.org/ woody/updates main contrib non-free

1.3 Maintain an Up-to-Date System
Debian 3.0r1 (woody) must be upgraded with the latest available packages and security patches (in particular for SSL). If the upgrade process installs updated packages, you should review them and act accordingly.

    root# apt-get update
    ...
    root# apt-get upgrade
    ...

2. Shibboleth 1.1 Target Installation
The precompiled binary package is built with the GCC 2.95.4 and GCC 3.0.4 C/C++ compilers and libraries, both available as Debian packages for the stable release. Installing Shibboleth requires installing these specific libraries.
The package is a tarball with a well-known directory structure, opt/shibboleth/, and should be installed under the root /.
If you use a different layout or location, you will need to adjust your configuration files.
2.1 Required Debian Libraries
The Shibboleth precompiled binary package depends on some standard libraries available in the Debian stable release. As the binary package is compiled with GCC 3.0.4 (gcc-3.10 and g++-3.10 Debian packages), you need to install libstdc++3, the standard C++ 3.0.4 library package for Debian. It can be installed alongside earlier and later GCC libraries.
The standard available OpenSSL and curl libraries have been used, so you need to install the openssl and libcurl2-ssl Debian packages.

libstdc++3
    The GNU stdc++ library version 3.
    Package version: 1:3.0.4-7
openssl
    Secure Socket Layer (SSL) binary and related cryptographic tools.
    Package version: 0.9.6c-2.woody.3
libcurl2-ssl
    Multi-protocol file transfer library (SSL support).
    Package version: 7.9.5-2

It is convenient to use apt-get to install new Debian packages. Because of package dependencies, installing the required libraries will also install some other packages.

    root# apt-get install libstdc++3
    ...
    root# apt-get install openssl
    ...
    root# apt-get install libcurl2-ssl
    ...

2.2 Apache 1.3.26 with pthread Package
On Linux, Shibboleth requires that Apache or Apache-SSL be built with libpthread; otherwise, loading the Shibboleth mod_shibrm or mod_shire modules will cause Apache to stop/crash. Debian's Apache must therefore be rebuilt with libpthread.
We provide a special Debian package, apache_1.3.26-0woody3_i386.deb, that contains the standard Apache 1.3.26 for Debian 3.0r1, recompiled with the standard gcc compiler 2.95.4 to use libpthread (LDFLAGS=-lpthread) and rebuilt on the i386 architecture.
You can download this package directly from our server. Using dpkg will install/reinstall the Debian package on the target host.
If you have any previous Apache installed, please back up your existing configuration files (in particular /etc/apache/httpd.conf) before reinstalling the package.

    root# wget http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/apache_1.3.26-0woody3_i386.deb
    ...
    root# dpkg -i apache_1.3.26-0woody3_i386.deb
    ...

2.3 Apache mod_ssl
Apache must be compiled with mod_so for DSO module support, and must include SSL support (preferably using mod_ssl) and EAPI support (which mod_ssl requires and provides).
As DSO module support is already enabled in the standard Debian Apache 1.3.26, you just have to install the libapache-mod-ssl Debian package.

    root# apt-get install libapache-mod-ssl
    ...

2.4 Installing Shibboleth 1.1 Tar File
The precompiled binary tarball shib-target-1.1-debian-3.0r1.tar.gz contains the Shibboleth 1.1 Target distribution for Debian 3.0r1 stable/i386. Note that the Shibboleth MySQL cache plugin is not included with this distribution.
You can download this package directly from our server.
The package is a tarball with a well-known directory structure, opt/shibboleth/, and should be installed under the root /.
If you use a different layout or location, you will need to adjust your configuration files.
If you have any previous Shibboleth installed on the target host, you should back up your existing installation.

    root# wget http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/shib-target-1.1-debian-3.0r1.tar.gz
    ...
    root# tar xvzCf / shib-target-1.1-debian-3.0r1.tar.gz
    ...

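Added example (not part of the original SWITCH guide): because the tarball is unpacked as root directly under /, it is useful to confirm first that every member really lies under opt/shibboleth/. The function name check_tar_prefix is hypothetical, and the check covers member names only.

```shell
#!/bin/sh
# Added example, not from the SWITCH guide. check_tar_prefix is a
# hypothetical helper name.
#
# check_tar_prefix ARCHIVE PREFIX
#   0  every member name lies under PREFIX
#   1  at least one member is absolute, contains "..", or is outside PREFIX
#   2  the archive could not be listed or is empty
# Only member names are checked; symlink and hardlink targets are not.
check_tar_prefix() {
    archive=$1
    prefix=$2

    # "t" lists the archive; nothing is written to disk.
    listing=$(tar tzf "$archive" 2>/dev/null) || return 2
    [ -n "$listing" ] || return 2

    bad=$(printf '%s\n' "$listing" | awk -v p="$prefix" '
        /^\//                 { print; next }   # absolute path
        /(^|\/)\.\.(\/|$)/    { print; next }   # parent-directory component
        index($0 "/", p) != 1 { print }         # outside the expected prefix
    ')

    if [ -n "$bad" ]; then
        printf 'unexpected entries in %s:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage with the file name from section 2.4:
#   check_tar_prefix shib-target-1.1-debian-3.0r1.tar.gz opt/shibboleth/ \
#       && tar xvzCf / shib-target-1.1-debian-3.0r1.tar.gz
```

The check is deliberately strict: a member such as opt/ or ./opt/shibboleth/ is also reported, so an archive built from a different top-level directory needs a matching PREFIX.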
Appendix
A1. Shibboleth Default Directory Layout
Here is the default directory layout after installation of the Shibboleth precompiled binary package under the root / directory.

    root# dir /opt/shibboleth
    total 28
    drwxr-xr-x    2 root     root         4096 Sep 23 16:38 bin/
    drwxr-xr-x    4 root     root         4096 Sep 23 16:38 doc/
    drwxr-xr-x    4 root     root         4096 Sep 23 16:38 etc/
    drwxr-xr-x    9 root     root         4096 Sep 23 16:38 include/
    drwxr-xr-x    2 root     root         4096 Sep 23 17:15 lib/
    drwxr-xr-x    2 root     root         4096 Sep 23 17:15 libexec/
    drwxr-xr-x    3 root     root         4096 Sep 23 16:00 share/

A2. Debian 3.0r1 Packages List
Here is a list of all packages installed on the Debian 3.0r1 stable/i386 host we used to deploy Shibboleth 1.1 Target.

    root# dpkg -l
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
    |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
    ||/ Name           Version        Description
    +++-==============-==============-============================================
    ii  adduser        3.47           Add and remove users and groups
    ii  apache         1.3.26-0woody3 Versatile, high-performance HTTP server
    ii  apache-common  1.3.26-0woody3 Support files for all Apache webservers
    ii  apt            0.5.4          Advanced front-end for dpkg
    ii  apt-show-versi 0.03           Lists available package versions with distri
    ii  apt-utils      0.5.4          APT utility programs
    ii  aptitude       0.2.11.1-2     curses-based apt frontend
    ii  at             3.1.8-11       Delayed job execution and batch processing
    ii  base-config    1.33.18        Debian base configuration package
    ii  base-files     3.0.2          Debian base system miscellaneous files
    ii  base-passwd    3.4.1          Debian Base System Password/Group Files
    ii  bash           2.05a-11       The GNU Bourne Again SHell
    ii  bsdmainutils   5.20020211-4.9 More utilities from FreeBSD.
    ii  bsdutils       2.11n-4        Basic utilities from 4.4BSD-Lite.
    ii  bzip2          1.0.2-1        A high-quality block-sorting file compressor
    ii  console-common 0.7.14         Basic infrastructure for text console config
    ii  console-data   1999.08.29-24  Keymaps, fonts, charset maps, fallback table
    ii  console-tools  0.2.3-23.3     Linux console and font utilities.
    ii  console-tools- 0.2.3-23.3     Shared libraries for Linux console and font
    ii  cpio           2.4.2-39       GNU cpio -- a program to manage archives of
    ii  cpp            2.95.4-14      The GNU C preprocessor.
    ii  cpp-2.95       2.95.4-11woody The GNU C preprocessor.
    ii  cron           3.0pl1-72      management of regular background processing
    ii  curl           7.9.5-1        Get a file from an FTP, GOPHER, HTTP or HTTP
    ii  curl-ssl       7.9.5-2        Pseudopackage for migration from Debian 2.2
    ii  debconf        1.0.32         Debian configuration management system
    ii  debianutils    1.16           Miscellaneous utilities specific to Debian.
    ii  dhcp-client    2.0pl5-11      DHCP Client
    ii  diff           2.7-29         File comparison utilities
    ii  dpkg           1.9.21         Package maintenance system for Debian
    ii  e2fsprogs      1.27-2         The EXT2 file system utilities and libraries
    ii  ed             0.2-19         The classic unix line editor
    ii  emacs21        21.2-1         The GNU Emacs editor.
    ii  emacsen-common 1.4.15         Common facilities for all emacsen.
    ii  exim           3.35-1woody2   An MTA (Mail Transport Agent)
    ii  fdutils        5.3-7          Linux floppy utilities
    ii  fileutils      4.1-10         GNU file management utilities
    ii  findutils      4.1.7-2        utilities for finding files--find, xargs, an
    ii  ftp            0.17-9         The FTP client.
    ii  gcc-3.0-base   3.0.4-7        The GNU Compiler Collection (base package).
    ii  gettext-base   0.10.40-5      GNU Internationalization utilities for the b
    ii  grep           2.4.2-3        GNU grep, egrep and fgrep.
    ii  groff-base     1.17.2-15.wood GNU troff text-formatting system (base syste
    ii  gzip           1.3.2-3woody1  The GNU compression utility.
    ii  hostname       2.09           A utility to set/show the host name or domai
    ii  ifupdown       0.6.4-4        High level tools to configure network interf
    ii  info           4.1-2          Standalone GNU Info documentation browser
    ii  iptables       1.2.6a-5       IP packet filter administration tools for 2.
    ii  iputils-ping   20020124-3     The ping utility from iputils
    ii  iputils-tracep 20020124-3     The tracepath utility from iputils
    ii  kernel-image-2 3              Linux kernel binary image for version 2.4.20
    ii  klogd          1.4.1-10       Kernel Logging Daemon
    ii  less           374-4          A file pager program, similar to more(1)
    ii  libapache-mod- 2.8.9-2.1      Strong cryptography (HTTPS support) for Apac
    ii  libapache-mod- 2.8.9-2.1      Documentation for Apache module mod_ssl
    ii  libbz2-1.0     1.0.2-1        A high-quality block-sorting file compressor
    ii  libc6          2.2.5-11.5     GNU C Library: Shared libraries and Timezone
    ii  libcap1        1.10-12        support for getting/setting POSIX.1e capabil
    ii  libcurl2-ssl   7.9.5-2        Multi-protocol file transfer library. (SSL s
    ii  libdb2         2.7.7.0-7      The Berkeley database routines (run-time fil
    ii  libdb3         3.2.9-16       Berkeley v3 Database Libraries [runtime]
    ii  libdps1        4.1.0-16woody1 Display PostScript (DPS) client library
    ii  libexpat1      1.95.2-6       XML parsing C library - runtime library
    ii  libfreetype6   2.0.9-1        FreeType 2 font engine, shared library files
    ii  libgcc1        3.0.4-7        GCC support library.
    ii  libgdbmg1      1.7.3-27       GNU dbm database routines (runtime version).
    ii  libident       0.22-2         simple RFC1413 client library - runtime
    ii  libjpeg62      6b-5           The Independent JPEG Group's JPEG runtime li
    ii  libldap2       2.0.23-6.3     OpenLDAP libraries.
    ii  liblockfile1   1.03           NFS-safe locking library, includes dotlockfi
    ii  libmime-base64 2.12-4         MIME/Base64 decoding for Perl
    ii  libmm11        1.1.3-6.1      Shared memory library
    ii  libncurses5    5.2.20020112a- Shared libraries for terminal handling
    ii  libnewt0       0.50.17-9.6    Not Erik's Windowing Toolkit - text mode win
    ii  libpam-modules 0.72-35        Pluggable Authentication Modules for PAM
    ii  libpam-runtime 0.72-35        Runtime support for the PAM library
    ii  libpam0g       0.72-35        Pluggable Authentication Modules library
    ii  libpcap0       0.6.2-2        System interface for user-level packet captu
    ii  libpcre3       3.4-1.1        Philip Hazel's Perl Compatible Regular Expre
    ii  libpng2        1.0.12-3.woody PNG library - runtime
    ii  libpopt0       1.6.2-7        lib for parsing cmdline parameters
    ii  libreadline4   4.2a-5         GNU readline and history libraries, run-time
    ii  libsasl7       1.5.27-3       Authentication abstraction library.
    ii  libsigc++0     1.0.4-3        Type-safe Signal Framework for C++ - runtime
    ii  libssl0.9.6    0.9.6c-2.woody SSL shared libraries
    ii  libstdc++2.10- 2.95.4-11woody The GNU stdc++ library
    ii  libstdc++3     3.0.4-7        The GNU stdc++ library version 3
    ii  libtiff3g      3.5.5-6        Tag Image File Format library
    ii  libwrap0       7.6-9          Wietse Venema's TCP wrappers library
    ii  libxaw7        4.1.0-16woody1 X Athena widget set library
    ii  lilo           22.2-3         LInux LOader - The Classic OS loader can loa
    ii  login          20000902-12    System login tools
    ii  logrotate      3.5.9-8        Log rotation utility
    ii  lsof           4.57-1         List open files.
    ii  lynx           2.8.4.1b-3.2   Text-mode WWW Browser
    ii  mailx          8.1.2-0.200204 A simple mail user agent.
    ii  make           3.79.1-14      The GNU version of the "make" utility.
    ii  makedev        2.3.1-58       Creates device files in /dev.
    ii  man-db         2.3.20-18.wood The on-line manual pager
    ii  manpages       1.39-1.1       Man pages about using a Linux system.
    ii  mawk           1.3.3-8        a pattern scanning and text processing langu
    ii  mbr            1.1.5-1        Master Boot Record for IBM-PC compatible com
    ii  mime-support   3.18-1.3       MIME files 'mime.types' & 'mailcap', and sup
    ii  modconf        0.2.43         Device Driver Configuration
    ii  modutils       2.4.15-1       Linux module utilities.
    ii  mount          2.11n-4        Tools for mounting and manipulating filesyst
    ii  nano           1.0.6-2        free Pico clone with some new features
    ii  ncurses-base   5.2.20020112a- Descriptions of common terminal types
    ii  ncurses-bin    5.2.20020112a- Terminal-related programs and man pages
    ii  net-tools      1.60-4         The NET-3 networking toolkit
    ii  netbase        4.07           Basic TCP/IP networking system
    ii  netkit-inetd   0.10-9         The Internet Superserver
    ii  ntp            4.1.0-8        Daemon and utilities for full NTP v4 timekee
    ii  ntp-simple     4.1.0-8        NTP v4 daemon for simple systems.
    ii  nvi            1.79-20        4.4BSD re-implementation of vi.
    ii  openssl        0.9.6c-2.woody Secure Socket Layer (SSL) binary and related
    ii  passwd         20000902-12    Change and administer password and group dat
    ii  pciutils       2.1.9-4        Linux PCI Utilities (for 2.[1234].x kernels)
    ii  perl           5.6.1-8.3      Larry Wall's Practical Extraction and Report
    ii  perl-base      5.6.1-8.3      The Pathologically Eclectic Rubbish Lister.
    ii  perl-modules   5.6.1-8.3      Core Perl modules.
    ii  php4           4.1.2-6woody3  A server-side, HTML-embedded scripting langu
    ii  procps         2.0.7-8        The /proc file system utilities.
    ii  psmisc         20.2-2.1       Utilities that use the proc filesystem
    ii  sed            3.02-8         The GNU sed stream editor.
    ii  setserial      2.17-24        Controls configuration of serial ports.
    ii  shellutils     2.0.11-11      The GNU shell programming utilities.
    ii  slang1         1.4.4-7.2      The S-Lang programming library - runtime ver
    ii  ssh            3.4p1-1.woody. Secure rlogin/rsh/rcp replacement (OpenSSH)
    ii  strace         4.4-1.2        A system call tracer.
    ii  sudo           1.6.6-1.1      Provides limited super user privileges to sp
    ii  sysklogd       1.4.1-10       System Logging Daemon
    ii  syslinux       1.66-1         Bootloader for Linux/i386 using MS-DOS flopp
    ii  sysvinit       2.84-2woody1   System-V like init.
    ii  tar            1.13.25-2      GNU tar
    ii  tasksel        1.18           Tool for selecting tasks for installation on
    ii  tcpd           7.6-9          Wietse Venema's TCP wrapper utilities
    ii  tcpdump        3.6.2-2.4      A powerful tool for network monitoring and d
    ii  telnet         0.17-18        The telnet client.
    ii  textutils      2.0-12         The GNU text file processing utilities.
    ii  time           1.7-11         The GNU time command.
    ii  traceroute     1.4a12-9       Traces the route taken by packets over a TCP
    ii  util-linux     2.11n-4        Miscellaneous system utilities.
    ii  wget           1.8.1-6.1      retrieves files from the web
    ii  whiptail       0.50.17-9.6    Displays user-friendly dialog boxes from she
    ii  zlib1g         1.1.4-1        compression library - runtime