difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)

I’m running RHEL6, and Apache 2.4.3 (built from source), OpenSSL 1.0.1c (built from source). I would like to use the Shibboleth SP 2.5 for authentication, but haven’t been able to build it successfully. If anyone can help point me in the right direction / tell me what I’m doing wrong etc. I would be extremely grateful.

 

I think the pre-requisites (log4shib-1.0.5, xerces-c-3.1.1, xml-security-c-1.7.0, xmltooling-1.5.0, opensaml-2.5.0 ) are building ok (happy to email output offlist – but too big to be accepted by list), but the shibboleth SP make fails with:

 

In file included from mod_shib_20.cpp:68:

mod_shib.cpp:118: warning: deprecated conversion from string constant to 'char*'

mod_shib.cpp: In member function 'virtual const char* ShibTargetApache::getScheme() const':

mod_shib.cpp:385: error: 'ap_http_method' was not declared in this scope

mod_shib.cpp: In member function 'virtual std::string ShibTargetApache::getRemoteAddr() const':

mod_shib.cpp:417: error: 'struct conn_rec' has no member named 'remote_ip'

In file included from mod_shib_20.cpp:68:

mod_shib.cpp: In function 'int shib_post_read(request_rec*)':

mod_shib.cpp:681: warning: unused variable 'rc'

mod_shib.cpp: In member function 'virtual shibsp::AccessControl::aclresult_t htAccessControl::authorized(const shibsp::SPRequest&, const shibsp::Session*) const':

mod_shib.cpp:1221: error: 'ap_requires' was not declared in this scope

make[2]: *** [mod_shib_20_la-mod_shib_20.lo] Error 1

make[2]: Leaving directory `/usr/local/shib/shibboleth-sp-2.5.0/apache'

make[1]: *** [all-recursive] Error 1

make[1]: Leaving directory `/usr/local/shib/shibboleth-sp-2.5.0'

make: *** [all] Error 2

 

 

 

The commands I’m running to build it are:

#log4shib

./configure --disable-static --disable-doxygen --prefix=/usr/local/shibboleth-sp

make

make install

 

#xerces

./configure --prefix=/usr/local/shibboleth-sp --disable-netaccessor-libcurl

make

make install

 

#xmlsec

./configure --without-xalan --disable-static --prefix=/usr/local/shibboleth-sp --with-xerces=/usr/local/shibboleth-sp

make

make install

 

#xmltooling

./configure --with-log4shib=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp -C

make

make install

 

#openSAML

./configure --with-log4shib=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp -C

make

make install

 

#shib SP

./configure --with-log4shib=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp --enable-apache-20 --with-apxs=/usr/local/apache/bin/apxs --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config

make

 

 

Thanks,

Paul


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Cantor, Scott E.
On 9/12/12 12:01 PM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>./configure --with-log4shib=/usr/local/shibboleth-sp
>--prefix=/usr/local/shibboleth-sp --enable-apache-20
>--with-apxs=/usr/local/apache/bin/apxs
>--with-apr=/usr/local/apache/bin/apr-1-config
>--with-apu=/usr/local/apache/bin/apu-1-config

As a starting point, you're telling it to build for Apache 2.0, not 2.4.
Fix that and see what happens. I'd also scour the config log and make sure
it's using the Apache dev files you want it to. Probably making sure the
built-in httpd-dev module isn't there would be good.

As a rule, don't build from source. Install RPMs for everything but the SP
part and then use rpmbuild to rebuild the RPM against your Apache. The
wiki has some material on that I think, as does the list archive.

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)
Scott,
Thanks for the reply. Sorry I didn't realise there was an --enable-apache-24, I'd just adapted my configure line from the options in the example on https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxSourceBuild

My apache install is the only copy of Apache on the server. The OS (yum / rpm repo's) of httpd and httpd-devel are not installed.

I've re-run the configure with:
./configure --with-log4shib=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config --with-apxs=/usr/local/apache/bin/apxs --enable-apache-24 --with-openssl=/usr/local/openssl

This still fails, concluding with:
checking default apache version... configure: error: unusable apache versions: . Try setting --with-apxs

The config.log can be viewed at: http://www.uea.ac.uk/~s167/config.log , this seems to contain several errors, but I don't really understand what most of the mean or how I can resolve them.

Thanks,
Paul




>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>On Behalf Of Cantor, Scott
>Sent: Wednesday, September 12, 2012 5:07 PM
>To: Shib Users
>Subject: Re: difficulty building shibboleth SP from source on RHEL6 for
>Apache 2.4
>
>On 9/12/12 12:01 PM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>>./configure --with-log4shib=/usr/local/shibboleth-sp
>>--prefix=/usr/local/shibboleth-sp --enable-apache-20
>>--with-apxs=/usr/local/apache/bin/apxs
>>--with-apr=/usr/local/apache/bin/apr-1-config
>>--with-apu=/usr/local/apache/bin/apu-1-config
>
>As a starting point, you're telling it to build for Apache 2.0, not 2.4.
>Fix that and see what happens. I'd also scour the config log and make
>sure
>it's using the Apache dev files you want it to. Probably making sure the
>built-in httpd-dev module isn't there would be good.
>
>As a rule, don't build from source. Install RPMs for everything but the
>SP
>part and then use rpmbuild to rebuild the RPM against your Apache. The
>wiki has some material on that I think, as does the list archive.
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to users-
>[hidden email]
--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)
In reply to this post by Cantor, Scott E.
I've also given the RPM and SRPM route (rather than building everything from source) Scott suggested a go too, but the rebuild is failing for me... this is not something I've done before, so sorry if I'm doing something obvious wrong. I've read the wiki page, but have had difficulty finding much about it in the list-archive.

To do this I:
- Added RHEL6 repo details.
- Ran (multiple yum installs as I kept realising I still needed more bits):
        yum install log4shib.x86_64 opensaml.x86_64 xerces.x86_64 xml-security.x86_64 xmltooling.x86_64
        yum install rpm-build
        yum install libxerces-c-devel.x86_64 libxml-security-c-devel.x86_64 libxmltooling-devel.x86_64 libsaml-devel.x86_64
        yum install xmltooling-schemas.x86_64
        yum install opensaml-schemas.x86_64

rpmbuild --rebuild --without builtinapache -D 'shib_options --with-apxs=/usr/local/apache/bin/apxs --enable-apache-24 --with-openssl=/usr/local/openssl' shibboleth-2.5.0-2.1.el6.src.rpm

This failed, concluding with:

checking if default apache needed... yes
checking default apache version... configure: error: unusable apache versions: . Try setting --with-apxs
error: Bad exit status from /var/tmp/rpm-tmp.O1w8DW (%build)


RPM build errors:
    line 14: prereq is deprecated: PreReq:              xmltooling-schemas(x86-64) >= 1.5.0, opensaml-schemas(x86-64) >= 2.5.0
    Bad exit status from /var/tmp/rpm-tmp.O1w8DW (%build)

Any help will be greatly appreciated. Thanks,
Paul




>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>On Behalf Of Cantor, Scott
>Sent: Wednesday, September 12, 2012 5:07 PM
>To: Shib Users
>Subject: Re: difficulty building shibboleth SP from source on RHEL6 for
>Apache 2.4
>
>On 9/12/12 12:01 PM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>>./configure --with-log4shib=/usr/local/shibboleth-sp
>>--prefix=/usr/local/shibboleth-sp --enable-apache-20
>>--with-apxs=/usr/local/apache/bin/apxs
>>--with-apr=/usr/local/apache/bin/apr-1-config
>>--with-apu=/usr/local/apache/bin/apu-1-config
>
>As a starting point, you're telling it to build for Apache 2.0, not 2.4.
>Fix that and see what happens. I'd also scour the config log and make
>sure
>it's using the Apache dev files you want it to. Probably making sure the
>built-in httpd-dev module isn't there would be good.
>
>As a rule, don't build from source. Install RPMs for everything but the
>SP
>part and then use rpmbuild to rebuild the RPM against your Apache. The
>wiki has some material on that I think, as does the list archive.
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to users-
>[hidden email]
--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Cantor, Scott E.
On 9/13/12 7:12 AM, "Paul Beckett (ITCS)" <[hidden email]> wrote:

>rpmbuild --rebuild --without builtinapache -D 'shib_options
>--with-apxs=/usr/local/apache/bin/apxs --enable-apache-24
>--with-openssl=/usr/local/openssl' shibboleth-2.5.0-2.1.el6.src.rpm
>
>This failed, concluding with:
>
>checking if default apache needed... yes
>checking default apache version... configure: error: unusable apache
>versions: . Try setting --with-apxs

That's the same error, so that means it's more or less workable. You're
using the wrong apxs option, it should be --with-apxs24.

I'll review the configure messages to see if they're improvable, or you
can file a bug so I remember to check them.

I wouldn't really advise using a custom OpenSSL. While that gets you more
features it also means you're stuck keeping it up to date. Is there some
reason you're doing that?

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)
I've corrected my rpmbuild to use --with-apxs24:

rpmbuild --rebuild --without builtinapache -D 'shib_options --with-apxs24=/usr/local/apache/bin/apxs --enable-apache-24 --with-openssl=/usr/local/openssl' shibboleth-2.5.0-2.1.el6.src.rpm

But it still fails, with a fairly similar error message:

checking if default apache needed... yes
checking for apxs2... no
checking for apxs... /usr/local/apache/bin/apxs
checking default apache version... configure: error: unusable apache versions: . Try setting --with-apxs
error: Bad exit status from /var/tmp/rpm-tmp.0qfXFV (%build)


RPM build errors:
    line 14: prereq is deprecated: PreReq:              xmltooling-schemas(x86-64) >= 1.5.0, opensaml-schemas(x86-64) >= 2.5.0
    Bad exit status from /var/tmp/rpm-tmp.0qfXFV (%build)



I'm a bit suspicious about "checking if default apache needed... yes", is it trying to use the OS apache (which doesn't exist)?


The main reason I built openSSL from source, was so that I could have the newer TLSv1.2 protocols available (which aren't supported in the earlier RHEL6 version). I figured as I was taking the decision to build HTTPD from source (for a number of performance and feature improvements it offered over 2.2) I would have to rebuild that to keep it up-to-date, it didn't seem too much extra effort to have to rebuild openSSL from time to time.

Thanks,
Paul




>That's the same error, so that means it's more or less workable. You're
>using the wrong apxs option, it should be --with-apxs24.
>
>I'll review the configure messages to see if they're improvable, or you
>can file a bug so I remember to check them.
>
>I wouldn't really advise using a custom OpenSSL. While that gets you
>more
>features it also means you're stuck keeping it up to date. Is there some
>reason you're doing that?
>
>-- Scott
--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Cantor, Scott E.
On 9/13/12 9:58 AM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>
>But it still fails, with a fairly similar error message:
>
>checking if default apache needed... yes
>checking for apxs2... no
>checking for apxs... /usr/local/apache/bin/apxs
>checking default apache version... configure: error: unusable apache
>versions: . Try setting --with-apxs
>error: Bad exit status from /var/tmp/rpm-tmp.0qfXFV (%build)

I'll have to review the script, that doesn't look quite right to me.

>I'm a bit suspicious about "checking if default apache needed... yes", is
>it trying to use the OS apache (which doesn't exist)?

No.

>The main reason I built openSSL from source, was so that I could have the
>newer TLSv1.2 protocols available (which aren't supported in the earlier
>RHEL6 version).

Ok.

There's not much I can say other than you'll have to file a bug and attach
your log (just use the original source build) and I'll review it when I
have a chance. If I can find a bug I'll fix it, or I'll mark it invalid
and identify the problem.

If you post back with a link to a configure log from this set of options
then perhaps somebody else might also be able to take a look before I can
get to it.

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)
Thanks for all you time and effort for looking at this. I'll file a bug as you suggest.

In case, anyone else wants to take a look, the config.log output from running the configure with:

./configure --with-apxs24=/usr/local/apache/bin/apxs --enable-apache-24 --with-openssl=/usr/local/openssl

is available at: http://www.uea.ac.uk/~s167/config_2.log

Thanks,
Paul

>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>On Behalf Of Cantor, Scott
>Sent: Thursday, September 13, 2012 3:11 PM
>To: Shib Users
>Subject: Re: difficulty building shibboleth SP from source on RHEL6 for
>Apache 2.4
>
>On 9/13/12 9:58 AM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>>
>>But it still fails, with a fairly similar error message:
>>
>>checking if default apache needed... yes
>>checking for apxs2... no
>>checking for apxs... /usr/local/apache/bin/apxs
>>checking default apache version... configure: error: unusable apache
>>versions: . Try setting --with-apxs
>>error: Bad exit status from /var/tmp/rpm-tmp.0qfXFV (%build)
>
>I'll have to review the script, that doesn't look quite right to me.
>
>>I'm a bit suspicious about "checking if default apache needed... yes",
>is
>>it trying to use the OS apache (which doesn't exist)?
>
>No.
>
>>The main reason I built openSSL from source, was so that I could have
>the
>>newer TLSv1.2 protocols available (which aren't supported in the
>earlier
>>RHEL6 version).
>
>Ok.
>
>There's not much I can say other than you'll have to file a bug and
>attach
>your log (just use the original source build) and I'll review it when I
>have a chance. If I can find a bug I'll fix it, or I'll mark it invalid
>and identify the problem.
>
>If you post back with a link to a configure log from this set of options
>then perhaps somebody else might also be able to take a look before I
>can
>get to it.
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to users-
>[hidden email]
--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)
In reply to this post by Cantor, Scott E.
Looking at the configure script, the section that is failing is:
     v=`$httpd -v|$SED -n -e 's/.*Apache\/\.*//p'`
     case $v in
       1.3*)   enable_apache_13=yes
               with_apxs=$xs
               { $as_echo "$as_me:${as_lineno-$LINENO}: result: 1.3" >&5
$as_echo "1.3" >&6; }
               ;;
       2.0*)   enable_apache_20=yes
               with_apxs2=$xs
               { $as_echo "$as_me:${as_lineno-$LINENO}: result: 2.0" >&5
$as_echo "2.0" >&6; }
               ;;
       2.2*)   enable_apache_22=yes
               with_apxs22=$xs
               { $as_echo "$as_me:${as_lineno-$LINENO}: result: 2.2" >&5
$as_echo "2.2" >&6; }
               ;;
       *)      as_fn_error $? "unusable apache versions: $v. Try setting --with-apxs" "$LINENO" 5



It appears the case statement doesn't support 2.4.

Cheers,
Paul





>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>On Behalf Of Cantor, Scott
>Sent: Thursday, September 13, 2012 3:11 PM
>To: Shib Users
>Subject: Re: difficulty building shibboleth SP from source on RHEL6 for
>Apache 2.4
>
>On 9/13/12 9:58 AM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>>
>>But it still fails, with a fairly similar error message:
>>
>>checking if default apache needed... yes
>>checking for apxs2... no
>>checking for apxs... /usr/local/apache/bin/apxs
>>checking default apache version... configure: error: unusable apache
>>versions: . Try setting --with-apxs
>>error: Bad exit status from /var/tmp/rpm-tmp.0qfXFV (%build)
>
>I'll have to review the script, that doesn't look quite right to me.
>
>>I'm a bit suspicious about "checking if default apache needed... yes",
>is
>>it trying to use the OS apache (which doesn't exist)?
>
>No.
>
>>The main reason I built openSSL from source, was so that I could have
>the
>>newer TLSv1.2 protocols available (which aren't supported in the
>earlier
>>RHEL6 version).
>
>Ok.
>
>There's not much I can say other than you'll have to file a bug and
>attach
>your log (just use the original source build) and I'll review it when I
>have a chance. If I can find a bug I'll fix it, or I'll mark it invalid
>and identify the problem.
>
>If you post back with a link to a configure log from this set of options
>then perhaps somebody else might also be able to take a look before I
>can
>get to it.
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to users-
>[hidden email]
--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Cantor, Scott E.
On 9/13/12 10:56 AM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>
>It appears the case statement doesn't support 2.4.

I commented in the bug, that's just for autodetect. You're not doing that
because the enable-apache option is used instead.

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Cantor, Scott E.
On 9/13/12 11:29 AM, "Cantor, Scott" <[hidden email]> wrote:

>On 9/13/12 10:56 AM, "Paul Beckett (ITCS)" <[hidden email]> wrote:
>>
>>It appears the case statement doesn't support 2.4.
>
>I commented in the bug, that's just for autodetect. You're not doing that
>because the enable-apache option is used instead.

But I think you're right. My sandbox that's working must have worked
because I built both the 2.4 module and defaulted to one of the older ones
from the Apple install.

I would guess fixing the switch statement up should fix it, I'm testing
that now.

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Paul Beckett (ITCS)
Scott,
Have added below message to bug report: SSPCPP-500, but also sending to list for benefit of anyone following this (hope thats ok):

Fixing that case statement allowed my configure to proceed further.... however I then encountered another problem:

checking for user-specified Apache 2.4 apxs name/location... "/usr/local/apache/bin/apxs"
checking to see if Apache 2.4 apxs was located... /usr/local/apache/bin/apxs
checking for apr-1-config... ./configure: line 21124: -q: command not found
no
configure: error: Unable to locate apr-1-config, may need --with-apr1 option.

If I further modify the configure script, replacing:
21092 # If we haven't done this work already for Apache 2.2
21093 if test "$WANT_APACHE_22" != "yes" ; then
21094 # APR1 settings
with:
21092 # If we haven't done this work already for Apache 2.2
21093 if test "$WANT_APACHE_24" != "yes" ; then
21094 # APR1 settings

I've no idea whether this is really ok, but doing so results in my configure completing, although I get scary looking warning:
==================================================================
WARNING: You have chosen to compile Apache-2.4 modules with a different
compiler than the one used to compile Apache.

Current compiler: gcc
Apache's compiler: gcc -std=gnu99

This could cause problems.
==================================================================

Do you know if this is really likely to be a problem? If so, any idea how I solve it?

I can then run the make which results in mod_shib_24.so , which I can successfully include in my Apache config with the LoadModule line. I haven't got as far as trying to configure the Apache to actually use it yet though - so don't know whether it really functions.

--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: difficulty building shibboleth SP from source on RHEL6 for Apache 2.4

Cantor, Scott E.
In reply to this post by Paul Beckett (ITCS)
Paul, I've packaged up the fixed configure script for you into a source
tarball here after marking the bug resolved.

http://shibboleth.net/downloads/service-provider/unreleased/

It seems useful to have a place to post fixed sources for critical bugs
like that one ahead of getting patch releases done.

-- Scott


--
To unsubscribe from this list send an email to [hidden email]