auth_ldap Change Log

Changes Between Major Revisions

Changes from 1.4 to 1.6

• All changes and bugfixes in the 1.4 releases.
• Completely rewrote the LDAP caching algorithms (see the documentation on caching for more information). Here are the highlights of the changes:
  • All cache sizes are measured in terms of cache entries. Warning!! This affects the AuthLDAPCacheSize directive!! In version 1.4 and before, this directive specified the size in megabytes. Now, it specifies the size in cache entri es. If you currently have this directive in a config file, it is probably set way too high, and will use a significant amount of server memory.
  • Deprecated the AuthLDAPCacheCompareOps directive. Apache will still accept the directive, but it has no effect, other than to generate a warning in the Apache logs.
  • The cache no longer grows without bounds. For servers with a very active cache, this should make a big difference with memory usage.
  • No longer use the cache management routines from the LDAP SDK. All LDAP operations are now cached, using a cache that's specially designed for auth_ldap's authentication methods.
  • If Apache has been compiled with MM support and auth_ldap has been compiled with -DWITH_SHARED_LDAP_CACHE then the cache is shared across all server instances.
  • Added a content handler that can be used to display the cache statistics. To use it, add the following directives:

    <Location /server/auth-ldap-info>
      SetHandler auth-ldap-info
    </Location>

• Added support for a require dn directive, and a AuthLDAPCompareDNOnServer directive. See the documentation for more information.
• auth_ldap now allows the user to specify any attribute when checking for group membership, by using the AuthLDAPGroupAttribute directive. If this directive is not specified, the default continues to be member and uniqueMember. Patch courtesy of Graham Leggett.
• Added another directive, AuthLDAPGroupAttributeIsDN, which says whether to use the DN that was retrieved from the LDAP search, or to use the username passed by the client when doing group authorization. This directive, in conjuction with the previous one, allows us to use things like posixGroups for checks:

  AuthLDAPGroupAttribute memberuid
  AuthLDAPGroupAttributeIsDN off
  	

• Added support for TLS under OpenLDAP. This can be enabled with the AuthLDAPStartTLS directive.
• Added a AuthLDAPEnabled that allows you to enable or disable auth_ldap on a directory-by-directory basis.
• Ensure that auth_ldap will follow referrals under OpenLDAP. This behavior was turned off in previous versions.
• Allow auth_ldap to dereference aliases, using the new AuthLDAPDereferenceAliases directive. By default, this directive is set to always.
• Now use ldap_init() when using OpenLDAP. Unless your OpenLDAP is really old, this probably won't affect you.
• Cleaned up a number of memory leaks.
• Can now be built with autoconf.

Changes from 1.1 to 1.4

• Support for SSL
• LDAP caching
• Improved NT support
• OpenLDAP support
• Added AuthLDAPRemoteUserIsDN directive
• Removed AuthLDAPRedundantServers directive
• Split source into multiple files

Changes Between Minor Versions

Changes from 1.4.2 to 1.4.3

• Added a FAQ.
• Minor bugfixes and changes to documentation.

Changes from 1.4.0 to 1.4.2

Note: Version 1.4.1 was skipped due to a last-minute problem that cropped up just before its release.

• Fixed a bug where multiple users on a require user line would prevent authentication of the users.
• Got rid of the spurious "ldap_init" messages that were showing up in the log.
• Got rid of the meaningless "Could not release configuration mutex. Expect deadlocks." message that appeard on Unix-based versions of auth_ldap.
• Added some new flags to the Makefile for compilation on AIX.
• Made use of the -Wall flag optional, since not everybody uses gcc.
• Fixed some indented compiler directives that caused certain compilers to barf.

Changes from 1.3.4 to 1.4.0

• Production release of 1.3.x series
• Documentation rewrite

Changes from 1.3.3 to 1.3.4

• More Makefile tweaks
• Got rid const-correctness warnings when compiling with OpenLDAP

Changes from 1.3.2 to 1.3.3

• Documentation changes only

Changes from 1.3.1 to 1.3.2

• Fixed bugs with logging so that LogLevels would actually work correctly
• Fixed a bug that caused crashes under WinNT
• More Makefile tweaks
• Added OpenLDAP support
• Fixed potential endless loop if all LDAP servers are down
• Removed AuthLDAPRedundantServers directive

Changes from 1.3.0 to 1.3.1

• Various Makefile tweaks and fixes
• Added more fields to the module struct
• Added eprintf for systems that don't correctly link in the GNU C support library
• Added AuthLDAPRemoteUserIsDN directive

Changes from 1.2.3 to 1.2.4

• Documentation changes only

Changes from 1.2.2 to 1.2.3

• Fixed bug with failover logic that would cause spurious auth failures

Changes from 1.2.1 to 1.2.2

• Fixed string constants in source to be ANSI compliant
• Replaced calls to free() with ldap_memfree().This makes a difference under NT.
• First release tested against Apache 1.3

Changes from 1.1 to 1.2.1

• Started using a different version numbering scheme. The second number is even for production releases and odd for beta releases. The third number is used for incremental fixes in releases. Anyone familiar with the Linux kernel will recognize this convention.
• Fixed a bug with log levels
• Started adding NT support

Changes from 1.0 to 1.1

• Added AuthLDAPRedundantServers directive
• Added support for caching LDAP connections
• Started using Airius in all examples (as per other vendors' LDAP documentation)
• Fixed some bugs with non-authoritative authentication