Shibboleth Developers

[Peter Schober <>]

I'm relaying an idea from Ronald Schmidt from TU Chemnitz here for
consideration (hoping he doesn't mind also being included in this
conversation).

He mentioned that they installed the openssl-linked libcurl library
(as provided by the project as a replacement for the nss-linked
libcurl in RHEL6) seperately (via cfengine) to some other place in the
filesystem and referenced it via LD_PRELOAD in the rc.d script for
shibd.
(Making the rc.d script then source /etc/sysconfig/shibd where this
could be configured cleanly would be a further and trivial improvement.)

This way the project could still provide a packaged version of
libcurl-openssl (and properly depend on it from the shibboleth
package) but would neither put any files in /usr/lib[64] nor
rpm-replace/provide/conflict the standard libcurl package -- so it
could be installed in parallel.
Also only shibd would use it (or only those executables who explicitly
wanted it) and so people would not need to fear breakage as a result
of replacing a core package from RHEL6.

I'm sure there's no canonical place for something like this in the FHS
(loading libraries from non-canonical places) but I'd still like to
hear thoughts about this as it sounded like it could help reduce the
pain for RHEL6 deployments considerably.
-peter