URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/install-target-1.1-debian-stable.html
Author: Valery Tschopp, SWITCH
Contact: aai@switch.ch
Version: 1.0 - 20030930

Installing Shibboleth 1.1 Target on Debian GNU/Linux 3.0r1 (woody)

This guide is only an addition to the original Shibboleth 1.1 Target Deployment Guide.

SWITCH provides a precompiled binary package available for the stable release Debian 3.0r1 (woody) on i386 architecture.

The Shibboleth 1.1 Target distribution was built from source, including the required libraries that are not available as Debian stable packages or are not compatible with the OpenSAML/Shibboleth source code.

The precompiled binary package contains a directory layout where everything will be located under opt/shibboleth.

If your platform is RedHat or Solaris, you can get the rpm or tar binary packages for the original Shibboleth distribution.

1. Debian 3.0r1 Configuration

In order to deploy Shibboleth 1.1 Target on debian stable, some additional system configuration has to be done.

1.1 Syslog Configuration (syslogd)

The remote UDP logging capability of syslogd should be enabled, as this feature is disabled by default.

Edit the file /etc/init.d/sysklogd and add the -r option to the SYSLOGD variable.

# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

...

# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-r"

1.2 APT Configuration

The Debian 3.0r1 (woody) system should be up to date, with the latest security patches installed (in particular for SSL support). A recommended APT configuration file /etc/apt/sources.list could contain the following entries (as used by SWITCH to install/update Debian 3.0r1 woody):


# /etc/apt/sources.list: package resource list for APT
#
# Standard package sources for woody distributions
#
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ woody main non-free contrib
deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib

#
# Standard source package sources for woody distributions
#
deb-src http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ woody main non-free contrib
deb-src http://sunsite.cnlab-switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib

#
# Security patches and updates
#
deb ftp://sunsite.cnlab-switch.ch/mirror/debian-security woody/updates main contrib non-free
deb http://security.debian.org/ woody/updates main contrib non-free

1.3 Keeping the System Up to Date

The Debian 3.0r1 (woody) system must be upgraded with the latest available packages and security patches (in particular for SSL). If the upgrade process installs updated packages, you should review them and act accordingly.


root# apt-get update
...
root# apt-get upgrade
...

2. Shibboleth 1.1 Target Installation

The precompiled binary package is built with the GCC 2.95.4 and GCC 3.0.4 C/C++ compilers and libraries, both available as Debian packages for the stable release. Installing Shibboleth requires installing these specific libraries.

The package is a tarball with a well-known directory structure, opt/shibboleth/, and should be installed under the root /. If you use a different layout or location, you will need to adjust your configuration files.

2.1 Required Debian Libraries

The Shibboleth precompiled binary package depends on some standard libraries available in the Debian stable release. As the binary package is compiled with GCC 3.0.4 (gcc-3.10 and g++-3.10 debian packages), you need to install the standard C++ 3.0.4 library package for Debian, libstdc++3. It can be installed alongside earlier and later GCC libraries.

The standard OpenSSL and curl libraries available in Debian were used, so you need to install the openssl and libcurl2-ssl debian packages.

It is convenient to use apt-get to install new Debian packages. Because of package dependencies, installing the required libraries will also install some other packages.

root# apt-get install libstdc++3
...
root# apt-get install openssl
...
root# apt-get install libcurl2-ssl
...

2.2 Apache 1.3.26 with pthread Package

On Linux, Shibboleth requires that Apache or Apache-SSL be built with libpthread; otherwise, loading the Shibboleth mod_shibrm or mod_shire modules will cause Apache to stop/crash. Debian's Apache must therefore be rebuilt with libpthread.

We provide a special debian package apache_1.3.26-0woody3_i386.deb that contains the standard Apache 1.3.26 for Debian 3.0r1, recompiled with standard gcc compiler 2.95.4 to use the libpthread (LDFLAGS=-lpthread) and rebuilt on i386 architecture.

You can download this package directly from our server. Using dpkg will install/reinstall the debian package on the target host.

If you have a previous Apache installation, please back up your existing configuration files (in particular /etc/apache/httpd.conf) before reinstalling the package.

root# wget http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/apache_1.3.26-0woody3_i386.deb
...
root# dpkg -i apache_1.3.26-0woody3_i386.deb
...

2.3 Apache mod_ssl

Apache must be compiled with mod_so for DSO module support, and must include SSL support (preferably using mod_ssl), and EAPI support (which mod_ssl requires and provides).

As DSO module support is already enabled in standard debian Apache 1.3.26, you just have to install the libapache-mod-ssl debian package.

root# apt-get install libapache-mod-ssl
...

2.4 Installing Shibboleth 1.1 Tar File

The precompiled binary tarball shib-target-1.1-debian-3.0r1.tar.gz contains the Shibboleth 1.1 Target distribution for Debian 3.0r1 stable/i386. Notice that the Shibboleth MySQL cache plugin is not included with this distribution.

You can download this package directly from our server.

The package is a tarball with a well-known directory structure, opt/shibboleth/, and should be installed under the root /. If you use a different layout or location, you will need to adjust your configuration files.

If you have a previous Shibboleth installation on the target host, you should back up your existing installation.

root# wget http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/shib-target-1.1-debian-3.0r1.tar.gz
...
root# tar xvzCf / shib-target-1.1-debian-3.0r1.tar.gz
...
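
Because the tarball is unpacked at / as root, it is worth listing its members before extracting. The following is an added example, not part of the SWITCH guide: it checks that every member stays under opt/shibboleth/ and that none is setuid or setgid. The function names and the sample listing are illustrative.

```sh
#!/bin/sh
# Added example (not from the SWITCH guide): vet the tarball's member list
# before extracting it at / as root, as section 2.4 does.
PREFIX="opt/shibboleth"   # layout stated by the guide

# Read member names on stdin; report any that would land outside $PREFIX.
vet_names() {
    bad=0
    while IFS= read -r name; do
        name=${name#./}                       # tolerate a leading "./"
        case "$name" in
            /*|..|../*|*/../*|*/..) echo "escapes target: $name"; bad=1 ;;
            ""|opt|opt/|"$PREFIX"|"$PREFIX"/*) ;;   # expected layout
            *) echo "outside $PREFIX: $name"; bad=1 ;;
        esac
    done
    return $bad
}

# Read `tar tvzf` lines on stdin; report setuid/setgid members, which would
# become privileged root-owned files once extracted as root.
vet_modes() {
    bad=0
    while IFS= read -r line; do
        case "${line%% *}" in                 # first field is the mode string
            ???[sS]*|??????[sS]*) echo "setuid/setgid: $line"; bad=1 ;;
        esac
    done
    return $bad
}

# Run both checks on a gzip-compressed tarball; 0 means nothing was flagged.
vet_tarball() {
    tar tzf "$1" >/dev/null 2>&1 || { echo "unreadable: $1"; return 2; }
    rc=0
    tar tzf "$1"  | vet_names || rc=1
    tar tvzf "$1" | vet_modes || rc=1
    return $rc
}

# Constructed listing (not the real package contents) to show the output.
printf '%s\n' opt/shibboleth/bin/example etc/apache/httpd.conf \
    opt/shibboleth/../../tmp/x | vet_names || true

# Real use: vet_tarball shib-target-1.1-debian-3.0r1.tar.gz && \
#           tar xvzCf / shib-target-1.1-debian-3.0r1.tar.gz
```

The name check is deliberately conservative: any member containing a ".." component is reported, even if it would resolve to a path inside opt/shibboleth/.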

Appendix

A1. Shibboleth Default Directory Layout

Here is the default directory layout after installation of the Shibboleth precompiled binary package under the root / directory.


root# dir /opt/shibboleth
total 28
drwxr-xr-x 2 root root 4096 Sep 23 16:38 bin/
drwxr-xr-x 4 root root 4096 Sep 23 16:38 doc/
drwxr-xr-x 4 root root 4096 Sep 23 16:38 etc/
drwxr-xr-x 9 root root 4096 Sep 23 16:38 include/
drwxr-xr-x 2 root root 4096 Sep 23 17:15 lib/
drwxr-xr-x 2 root root 4096 Sep 23 17:15 libexec/
drwxr-xr-x 3 root root 4096 Sep 23 16:00 share/

A2. Debian 3.0r1 Packages List

Here is a list of all packages installed on the Debian 3.0r1 stable/i386 host we used to deploy Shibboleth 1.1 Target.

root# dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii adduser 3.47 Add and remove users and groups
ii apache 1.3.26-0woody3 Versatile, high-performance HTTP server
ii apache-common 1.3.26-0woody3 Support files for all Apache webservers
ii apt 0.5.4 Advanced front-end for dpkg
ii apt-show-versi 0.03 Lists available package versions with distri
ii apt-utils 0.5.4 APT utility programs
ii aptitude 0.2.11.1-2 curses-based apt frontend
ii at 3.1.8-11 Delayed job execution and batch processing
ii base-config 1.33.18 Debian base configuration package
ii base-files 3.0.2 Debian base system miscellaneous files
ii base-passwd 3.4.1 Debian Base System Password/Group Files
ii bash 2.05a-11 The GNU Bourne Again SHell
ii bsdmainutils 5.20020211-4.9 More utilities from FreeBSD.
ii bsdutils 2.11n-4 Basic utilities from 4.4BSD-Lite.
ii bzip2 1.0.2-1 A high-quality block-sorting file compressor
ii console-common 0.7.14 Basic infrastructure for text console config
ii console-data 1999.08.29-24 Keymaps, fonts, charset maps, fallback table
ii console-tools 0.2.3-23.3 Linux console and font utilities.
ii console-tools- 0.2.3-23.3 Shared libraries for Linux console and font
ii cpio 2.4.2-39 GNU cpio -- a program to manage archives of
ii cpp 2.95.4-14 The GNU C preprocessor.
ii cpp-2.95 2.95.4-11woody The GNU C preprocessor.
ii cron 3.0pl1-72 management of regular background processing
ii curl 7.9.5-1 Get a file from an FTP, GOPHER, HTTP or HTTP
ii curl-ssl 7.9.5-2 Pseudopackage for migration from Debian 2.2
ii debconf 1.0.32 Debian configuration management system
ii debianutils 1.16 Miscellaneous utilities specific to Debian.
ii dhcp-client 2.0pl5-11 DHCP Client
ii diff 2.7-29 File comparison utilities
ii dpkg 1.9.21 Package maintenance system for Debian
ii e2fsprogs 1.27-2 The EXT2 file system utilities and libraries
ii ed 0.2-19 The classic unix line editor
ii emacs21 21.2-1 The GNU Emacs editor.
ii emacsen-common 1.4.15 Common facilities for all emacsen.
ii exim 3.35-1woody2 An MTA (Mail Transport Agent)
ii fdutils 5.3-7 Linux floppy utilities
ii fileutils 4.1-10 GNU file management utilities
ii findutils 4.1.7-2 utilities for finding files--find, xargs, an
ii ftp 0.17-9 The FTP client.
ii gcc-3.0-base 3.0.4-7 The GNU Compiler Collection (base package).
ii gettext-base 0.10.40-5 GNU Internationalization utilities for the b
ii grep 2.4.2-3 GNU grep, egrep and fgrep.
ii groff-base 1.17.2-15.wood GNU troff text-formatting system (base syste
ii gzip 1.3.2-3woody1 The GNU compression utility.
ii hostname 2.09 A utility to set/show the host name or domai
ii ifupdown 0.6.4-4 High level tools to configure network interf
ii info 4.1-2 Standalone GNU Info documentation browser
ii iptables 1.2.6a-5 IP packet filter administration tools for 2.
ii iputils-ping 20020124-3 The ping utility from iputils
ii iputils-tracep 20020124-3 The tracepath utility from iputils
ii kernel-image-2 3 Linux kernel binary image for version 2.4.20
ii klogd 1.4.1-10 Kernel Logging Daemon
ii less 374-4 A file pager program, similar to more(1)
ii libapache-mod- 2.8.9-2.1 Strong cryptography (HTTPS support) for Apac
ii libapache-mod- 2.8.9-2.1 Documentation for Apache module mod_ssl
ii libbz2-1.0 1.0.2-1 A high-quality block-sorting file compressor
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries and Timezone
ii libcap1 1.10-12 support for getting/setting POSIX.1e capabil
ii libcurl2-ssl 7.9.5-2 Multi-protocol file transfer library. (SSL s
ii libdb2 2.7.7.0-7 The Berkeley database routines (run-time fil
ii libdb3 3.2.9-16 Berkeley v3 Database Libraries [runtime]
ii libdps1 4.1.0-16woody1 Display PostScript (DPS) client library
ii libexpat1 1.95.2-6 XML parsing C library - runtime library
ii libfreetype6 2.0.9-1 FreeType 2 font engine, shared library files
ii libgcc1 3.0.4-7 GCC support library.
ii libgdbmg1 1.7.3-27 GNU dbm database routines (runtime version).
ii libident 0.22-2 simple RFC1413 client library - runtime
ii libjpeg62 6b-5 The Independent JPEG Group's JPEG runtime li
ii libldap2 2.0.23-6.3 OpenLDAP libraries.
ii liblockfile1 1.03 NFS-safe locking library, includes dotlockfi
ii libmime-base64 2.12-4 MIME/Base64 decoding for Perl
ii libmm11 1.1.3-6.1 Shared memory library
ii libncurses5 5.2.20020112a- Shared libraries for terminal handling
ii libnewt0 0.50.17-9.6 Not Erik's Windowing Toolkit - text mode win
ii libpam-modules 0.72-35 Pluggable Authentication Modules for PAM
ii libpam-runtime 0.72-35 Runtime support for the PAM library
ii libpam0g 0.72-35 Pluggable Authentication Modules library
ii libpcap0 0.6.2-2 System interface for user-level packet captu
ii libpcre3 3.4-1.1 Philip Hazel's Perl Compatible Regular Expre
ii libpng2 1.0.12-3.woody PNG library - runtime
ii libpopt0 1.6.2-7 lib for parsing cmdline parameters
ii libreadline4 4.2a-5 GNU readline and history libraries, run-time
ii libsasl7 1.5.27-3 Authentication abstraction library.
ii libsigc++0 1.0.4-3 Type-safe Signal Framework for C++ - runtime
ii libssl0.9.6 0.9.6c-2.woody SSL shared libraries
ii libstdc++2.10- 2.95.4-11woody The GNU stdc++ library
ii libstdc++3 3.0.4-7 The GNU stdc++ library version 3
ii libtiff3g 3.5.5-6 Tag Image File Format library
ii libwrap0 7.6-9 Wietse Venema's TCP wrappers library
ii libxaw7 4.1.0-16woody1 X Athena widget set library
ii lilo 22.2-3 LInux LOader - The Classic OS loader can loa
ii login 20000902-12 System login tools
ii logrotate 3.5.9-8 Log rotation utility
ii lsof 4.57-1 List open files.
ii lynx 2.8.4.1b-3.2 Text-mode WWW Browser
ii mailx 8.1.2-0.200204 A simple mail user agent.
ii make 3.79.1-14 The GNU version of the "make" utility.
ii makedev 2.3.1-58 Creates device files in /dev.
ii man-db 2.3.20-18.wood The on-line manual pager
ii manpages 1.39-1.1 Man pages about using a Linux system.
ii mawk 1.3.3-8 a pattern scanning and text processing langu
ii mbr 1.1.5-1 Master Boot Record for IBM-PC compatible com
ii mime-support 3.18-1.3 MIME files 'mime.types' & 'mailcap', and sup
ii modconf 0.2.43 Device Driver Configuration
ii modutils 2.4.15-1 Linux module utilities.
ii mount 2.11n-4 Tools for mounting and manipulating filesyst
ii nano 1.0.6-2 free Pico clone with some new features
ii ncurses-base 5.2.20020112a- Descriptions of common terminal types
ii ncurses-bin 5.2.20020112a- Terminal-related programs and man pages
ii net-tools 1.60-4 The NET-3 networking toolkit
ii netbase 4.07 Basic TCP/IP networking system
ii netkit-inetd 0.10-9 The Internet Superserver
ii ntp 4.1.0-8 Daemon and utilities for full NTP v4 timekee
ii ntp-simple 4.1.0-8 NTP v4 daemon for simple systems.
ii nvi 1.79-20 4.4BSD re-implementation of vi.
ii openssl 0.9.6c-2.woody Secure Socket Layer (SSL) binary and related
ii passwd 20000902-12 Change and administer password and group dat
ii pciutils 2.1.9-4 Linux PCI Utilities (for 2.[1234].x kernels)
ii perl 5.6.1-8.3 Larry Wall's Practical Extraction and Report
ii perl-base 5.6.1-8.3 The Pathologically Eclectic Rubbish Lister.
ii perl-modules 5.6.1-8.3 Core Perl modules.
ii php4 4.1.2-6woody3 A server-side, HTML-embedded scripting langu
ii procps 2.0.7-8 The /proc file system utilities.
ii psmisc 20.2-2.1 Utilities that use the proc filesystem
ii sed 3.02-8 The GNU sed stream editor.
ii setserial 2.17-24 Controls configuration of serial ports.
ii shellutils 2.0.11-11 The GNU shell programming utilities.
ii slang1 1.4.4-7.2 The S-Lang programming library - runtime ver
ii ssh 3.4p1-1.woody. Secure rlogin/rsh/rcp replacement (OpenSSH)
ii strace 4.4-1.2 A system call tracer.
ii sudo 1.6.6-1.1 Provides limited super user privileges to sp
ii sysklogd 1.4.1-10 System Logging Daemon
ii syslinux 1.66-1 Bootloader for Linux/i386 using MS-DOS flopp
ii sysvinit 2.84-2woody1 System-V like init.
ii tar 1.13.25-2 GNU tar
ii tasksel 1.18 Tool for selecting tasks for installation on
ii tcpd 7.6-9 Wietse Venema's TCP wrapper utilities
ii tcpdump 3.6.2-2.4 A powerful tool for network monitoring and d
ii telnet 0.17-18 The telnet client.
ii textutils 2.0-12 The GNU text file processing utilities.
ii time 1.7-11 The GNU time command.
ii traceroute 1.4a12-9 Traces the route taken by packets over a TCP
ii util-linux 2.11n-4 Miscellaneous system utilities.
ii wget 1.8.1-6.1 retrieves files from the web
ii whiptail 0.50.17-9.6 Displays user-friendly dialog boxes from she
ii zlib1g 1.1.4-1 compression library - runtime