Release 0.29:
* remove ldap_enable_cache code
* add extern keyword to module record; apparently the Mac OS X linker fatally dislikes the duplicate common symbol that ensues if this is missing (the GNU linker had no problem with it)

Release 0.28:
* remove apache 1 stuff
* update for apache 2.2, 2.0 may no longer work
* renamed functions from the apache runtime appropriately
* documentation updated
* LDAP_DEPRECATED defined so that the ldap libraries will not complain about the deprecated API we are using

Release 0.27:
* some cleanup in makefiles: don't install module as a library, don't build static versions
* introduced variadic macro AUTHZ_DEBUG in place of the old AUTHZ_DEBUGn. If your compiler does not support them, get a new compiler, there is a free one out there.
* replaced the fprintf statements in modconfig.c by ap_log_error
* converted all internal functions to use authz_ldap_config_rec as the first argument, saving lots of calls just to retrieve the config rec (think of sec as the this pointer)

Release 0.26:
* fixed some minor bugs
* fixed some compile time problems
* Bernd Strebel contributed the AuthzLDAPSetGroupAuth directive, also fixes LDAP schema to work with newer OpenLDAP

Release 0.25:
* added new method that also does ldap but uses the mapped name to bind, which is required for Active Directory. It seems that once more Microsoft has gotten the bind syntax all wrong.

Release 0.24:
* changed logic for configuration of authentication method and certificate mapping; I believe it is now much more transparent, but some directives have disappeared or changed:
    AuthzLDAPEngine -> AuthzLDAPMethod -> AuthzLDAPMapMethod
    AuthzLDAPSetAuthorization -> AuthzLDAPSetAuthorization
    AuthzLDAPUseSerial -> (use mapmethod issuerserial)
    AuthzLDAPUseCertificate -> (use method certificate)
    AuthzLDAPUseLDAP -> (use method ldap)
* change syntax for issuerDN and subjectDN to directoryString and caseExactMatch for EQUALITY (suggested by Christian Claveleira)
* added support for satisfy any/all in the authz functions
* added uid and cn as optional arguments to the map, because newer versions of OpenLDAP require that the naming attribute also be an attribute
* fixed cert2ldap to set the protocol version

Release 0.23:
* fix a bug in configureit that caused -D flags to go to CFLAGS instead of CPPFLAGS. As a result, the module could not be compiled for Apache2
* converted to libtool, no longer using apxs to compile the module, as apache's libtool did not work in many situations. We are imitating what the PHP group is doing here
* added a patch by Victor S Grishchenko: allow a user to still log in with userid and password if she does not present a cert, thanks Victor
* added a (large) patch by Julio Sanchez: allow mapping of certificates in Active Directory, and allow mapping of the user name that should overwrite the basic authentication header to any ldap attribute. Thanks Julio!

Release 0.22:
* fixed download page (which still pointed to 0.20)
* documentation changes to reflect all the changes in this release
* some small bug fixes
* add configuration directive AuthzLDAPCacheConnection for caching connections (to allow .htaccess files to use mod_authz_ldap, which previously caused a file descriptor leak)
* changes for Apache 2: mod_ssl in Apache 2 no longer uses the EAPI, which was used in Apache 1 to store information about the client certificate. Instead, the client certificate data is accessible via the ssl_var_lookup function defined in mod_ssl.h. As a consequence, the logic previously handled in the mod_ssl patch has been folded into certmap.c (for apache2). Fortunately, this also works for apache1 (with the exception that there is no official header to define ssl_var_lookup, so we have to do it ourselves in the certmap.c file).
* converted from EAPI context variables for authz_ldap::userdn to apache notes table (which still works in apache2)
* added a configuration directive AuthzLDAPEngine that must be set to on if mod_authz_ldap should become active (allows AuthzLDAPServer to have a more reasonable default)
* added configuration directive to set ldap protocol version, required for OpenLDAP 2.1.5. Default set so that if the LDAP_VERSION3 symbol is defined, protocol version 3 is used. Otherwise, protocol version is not set at all.
* fix authzldap.ldif, the sample LDAP directory contents, so that it becomes acceptable for OpenLDAP 2.1.5
* fix authzldap.schema so that it becomes acceptable for OpenLDAP 2.1.5
* updated autoconf/automake to new versions

Release 0.21:
* improve logging when entering and leaving the authz and auth methods so that it becomes easier to debug calls to handlers (prompted by a problem with coldfusion)
* improve debugging code in filterexpand.c so that debugging filters becomes simpler

Release 0.20:
* improved the READMEs in the subdirectories
* fixed two bugs pointed out by Michael Snell
* started adding filter expansions (%. expressions in filter requirements)
* upgraded autoconf to 1.6 and automake to 2.?

Release 0.19:
* documentation fix: AuthzLDAPMemberKey _has_ a default: member
* fix useldap to default to off (as documented), pointed out by Julio Sanchez Fernandez
* fix some debug messages that were produced even if debug code was not included
* make sure the group search scope is BASE if GroupBase and GroupKey are not set
* fix a documentation bug: if either GroupBase or GroupKey are not configured, the full group DN must be specified on require group statements

Release 0.18:
* added a directive AuthzLDAPMemberKey for directories that don't use member as the attribute containing group member DNs
* fix a bug in group requirements that led to multiple groups not working (related to next item), pointed out by Julio Sanchez Fernandez
* make requirements more consistent: requirements on the same line are or'ed together, as in other apache modules (suggested by Julio Sanchez Fernandez)
* fixed some alignments in configure.in
* updated the HOWTO, which now is much clearer about the compiler and linker flag settings (suggested by Samuel Comte)
* module/Makefile now installs the module with make install, no separate make install-module needed any longer.

Release 0.17:
* fix a bug pointed out by Michael Snell: dnp referenced in auth.c after it was freed.
* added a double authentication feature: verify a certificate, map it to a user node in LDAP, and verify the user's password. Feature suggested by Damien Awog-boro (Damien.Awog-boro AT barclayscapital.com)

Release 0.16:
* reorganized the distribution with separate directories for module, tools, documentation, ldap related stuff and mod_ssl patches
* changed naming of procedures and global variables so that all names begin with authz_ldap: when you pollute the namespace you should at least do it consistently
* split the very large mod_authz_ldap.c into several much smaller files
* changed ap_getword_white to ap_getword_conf to allow for whitespace in user/group/etc requirements (problem noted and fix suggested by Matthew Stevenson)
* modify the requirement for groupowner to group-owner to be more in line with require valid-user
* insert ap_note_basic_auth_failure(r) to produce a behaviour on authentication failures more consistent with other modules (problem reported by Eugene E. Prigorodov and some others, hope I got it right)

Release 0.15:
* fix a bug in cert2ldap which caused binary certificates not to be added correctly to the directory
* add new authorization methods: filter, owner and groupowner (features suggested by Tim Tassonis and Sean Marshall)
* fix a small bug in role authorization
* did some code cleanup

Release 0.14:
* new authorization method: roles (feature suggested by Tim Tassonis)
* added missing file mod_authz_ldap.png to the distribution

Release 0.13:
* produce a patch for apache_1.3.19 and mod_ssl-2.8.1-1.3.19
* the module cannot be compiled with openssl 0.9.3, as the macro PEM_read_bio_X509 nowadays uses a different number of parameters
* fix cert2ldap.c and certfind.c to use PEM_read_bio_X509 instead of PEM_read_bio_X509
* fix x509tomem.c to use BIO_get_mem_data
* fix a broken link in the documentation

Release 0.12:
* fix missing checks for ldap_memfree and such things in the new utility programs.
* fix a missing include for openssl/err.h in certfind.c

Release 0.11:
* added manual pages for the two standalone programs
* added a program certfind that allows searching the directory for a certificate or a map entry.
* added a program cert2ldap which allows adding a certificate, or the attributes needed for an authzLDAPmap entry, to the directory.
* fixed the serial number conversion code that was broken in 0.10.
* added an option AuthzLDAPDirect, which directs mod_authz_ldap to take the user base DN and search with the scope specified there for the certificate received from the SSL connection. This is likely to be simpler, but not necessarily faster.

Release 0.10:
* added experimental support to use the serial number from the certificate for the mapping. While issuerDN and subjectDN cannot guarantee uniqueness, issuerDN and serial can. Open issue: how to formulate the filter if the serial number is larger than an unsigned long?

Release 0.9:
* fixed some typos in the documentation.
* modssl-patch.html was available on the web site, but missing from the distribution. Tried to make it more visible in the documentation.

Release 0.8:
* clean up the configure script to use more standard functions to detect various ldap library calls
* added use of the ldap cache if available in the library. Note that the cache in openldap-2.0.7 does not really work, so production use of this feature should not be attempted at this time. This also includes two new configuration options to configure the cache.
* added a reconnect function in case the LDAP library doesn't handle this by itself
* BUG: the context variable authz_ldap::username was not properly initialized in an initial request, resulting in spurious data being returned. This caused the authentication to sometimes fail. Note that subrequests do not map the user again if it was already mapped in the main request.
* improved the log so that the PID is now always included with the log message. This should simplify debugging of problems that relate to an individual LDAP connection.

Release 0.7:
* fix a bug found by Torsten Hilbrich (torsten.hilbrich AT secunet.de): ldap_memfree was used to incorrectly free a pointer returned by ldap_first_attribute (the author of mod_authz_ldap should RTFM).

Release 0.6:
* some typos in the documentation
* important bug: empty (zero-length) passwords correspond to anonymous binds and always succeed. (My opinion is that the RFC is not careful enough about this point. It says that the return code should inform the application about the state of the connection after the bind. However, there is quite a difference between an anonymous bind and a user having an empty password; the result code should distinguish between the two.)

Release 0.5:
* removed a leftover fprintf statement
* explained the necessary indexing for good performance

Release 0.4:
* improve debugging for initialization functions
* improved search algorithm for required libraries in configure under Solaris
* fixed two declaration bugs, missing prototypes and cast problems
* finally had a look at the request record, where one can easily determine whether a request is a proxy request or not from the proxyrequest member. Automatic detection of Proxy Authentication now works correctly. However, it does not work for reverse proxies, so the AuthzLDAPProxyAuthentication option will stay
* realized that for a correct certificate check, subject DN AND issuer DN have to be taken into account; this led to many other changes
* redesigned the group checking code
* improve change log, which was not properly updated in previous releases
* certificate authentication does not necessarily set the authorization header; this must explicitly be required by the AuthzLDAPSetAuthorization directive
* updated documentation
* added a HTML file describing how to patch mod_ssl to work with mod_authz_ldap

Release 0.3:
* password aging had quite distorted logic, and was rewritten

Release 0.2:
* fixed some bugs with not properly initialized variables, causing the server to seg fault

Release 0.1:
* first release (version 0.1) of mod_authz_ldap
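The Release 0.6 entry above describes the bug class where an empty password turns a simple bind into an anonymous (unauthenticated) bind that still reports success. The following C example is added here and is not mod_authz_ldap code; it uses a constructed fake_simple_bind() stand-in for ldap_simple_bind_s() and a hypothetical DN and password to show why the password check must reject empty passwords before binding, instead of trusting the result code alone:

```c
#include <stdio.h>
#include <string.h>

/* Result codes as defined in ldap.h (values reproduced here so the
 * example builds without the LDAP library). */
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49

/* Constructed stand-in for ldap_simple_bind_s(): models the server
 * behaviour the changelog complains about.  A DN with an empty password
 * is treated as an unauthenticated bind and answered with LDAP_SUCCESS,
 * even though the session is effectively anonymous.  Only the
 * hypothetical user "alice" with password "s3cret" is a real account. */
static int fake_simple_bind(const char *dn, const char *pw) {
    if (pw == NULL || pw[0] == '\0')
        return LDAP_SUCCESS;            /* unauthenticated bind "succeeds" */
    if (strcmp(dn, "uid=alice,ou=people,dc=example,dc=com") == 0 &&
        strcmp(pw, "s3cret") == 0)
        return LDAP_SUCCESS;
    return LDAP_INVALID_CREDENTIALS;
}

/* Naive check (the pre-0.6 pattern): trusts the bind result code alone,
 * so an empty password logs the user in. */
int authz_ldap_check_password_naive(const char *dn, const char *pw) {
    return fake_simple_bind(dn, pw) == LDAP_SUCCESS;
}

/* Hardened check: never send an empty DN or password to the server, so an
 * anonymous or unauthenticated bind can never be mistaken for a login. */
int authz_ldap_check_password(const char *dn, const char *pw) {
    if (dn == NULL || dn[0] == '\0' || pw == NULL || pw[0] == '\0')
        return 0;                       /* refuse before any bind happens */
    return fake_simple_bind(dn, pw) == LDAP_SUCCESS;
}

int main(void) {
    const char *dn = "uid=alice,ou=people,dc=example,dc=com";
    printf("naive,    empty password: %d\n", authz_ldap_check_password_naive(dn, ""));
    printf("hardened, empty password: %d\n", authz_ldap_check_password(dn, ""));
    printf("hardened, good password:  %d\n", authz_ldap_check_password(dn, "s3cret"));
    return 0;
}
```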