Setting up Shibboleth.

I'm starting with a test installation on my MacBook before we roll it out across our Linux servers. To get a better idea of what's going to be involved I'm building from sources throughout, rather than using the Mac ports option.There's a guide, but I've run into a few problems.

My initial goal is to get the local end-to-end sample running.

Tomcat is up and serving the IdP side of things fine, as far as I can tell - at least I can get an error/login page from the servlet, so it's fine for now.

What I couldn't do last night was to get Apache to load the Shibboleth module. This is the Apache 2.2 which ships on OS X Leopard. Checking the config:

sudo apachectl -t

it failed with:

Syntax error on line 13 of /private/etc/apache2/other/shibboleth.conf: Cannot load /opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so into server: dlopen(/opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so, 10): no suitable image found. Did find:\n\t/opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so: mach-o, but wrong architecture

Checking to see what kind of a module I'd built:

file /opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so

shows

/opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so: Mach-O bundle i386

which seems to be the source of the problem. The Apache shipped with Leopard expects 64-bit modules, and this is 32.

I then went back through the build process, supplying

CFLAGS='-arch x86_64' LDFLAGS='-arch x86_64'

to the "configure" steps:

./configure CFLAGS='-arch x86_64' LDFLAGS='-arch x86_64' APXSLDFLAGS='-arch x86_64' --with-apxs=/usr/sbin/apxs --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp

in the hope building a suitable binary.

One gotcha with this: the test suite for the log4shib package uses C++, and if you forget to add

CXXFLAGS='-arch x86_64'

(ie duplicate the C compilation flags for C++), you'll get link errors like this:

ld: warning in testmain.o, file is not of required architecture
Undefined symbols:
"_main", referenced from:
start in crt1.10.5.o
ld: symbol(s) not found
collect2: ld returned 1 exit status
make: *** [testmain] Error 1

as one architecture bounces off the other...

So: all was going well until I re-ran the shibboleth configuration step. This ended with

checking Xerces version... OK
configure: error: unable to link with Xerces

as Xerces was still 32-bit. Trying to recompile Xerces-C as a 64-bit binary led to all kinds of exciting and seemingly platform-specific problems, like:

MacOSPlatformUtils.cpp: In function ‘XMLCh* xercesc_2_8::XMLCreateFullPathFromFSSpec_Classic(const FSSpec&, xercesc_2_8::MemoryManager*)’:
MacOSPlatformUtils.cpp:1395: error: ‘CInfoPBRec’ was not declared in this scope
MacOSPlatformUtils.cpp:1395: error: expected `;' before ‘catInfo’
MacOSPlatformUtils.cpp:1396: error: ‘catInfo’ was not declared in this scope
MacOSPlatformUtils.cpp:1396: error: ‘struct FSSpec’ has no member named ‘name’
MacOSPlatformUtils.cpp:1397: error: ‘struct FSSpec’ has no member named ‘vRefNum’
MacOSPlatformUtils.cpp:1399: error: ‘struct FSSpec’ has no member named ‘parID’

This was all getting rather deep and distant from my original goal of testing Shibboleth...

Which brings us to the new plan. Build and install a fresh 32-bit apache server and use that for testing. The production server's going to be 32-bit anyway.

T
- posted by Tim Bruce @ 11:57 AM