File: HISTORY

dacs 1.4.28b-3

* DACS 1.4.28b (1-Mar-2013)
  + added dsvec_ptr_rindex(), strchop()
  + improved debugging output, proxy handling for dacshttp
  + initial support for rule patterns (--enable-rule-patterns)
  + initial support for forward proxy mode (-up flag, Proxy-Authenticate and
    Proxy-Authorization headers)
  + fixes for dacsacl(1) for building/rebuilding index file regardless of
    whether it already exists
  + upgrades: OpenSSL 1.0.1e, Samba 3.6.12

* DACS 1.4.28a (29-Jan-2013)
  + fixed bug in strstr()
  + added optional nocase argument to dacsexpr functions strstr() and strrstr()
  + retired FreeBSD 7.X and 8.X as testing platforms
  + upgrades: CentOS 5.9, FreeBSD 9.1
  + corrected use of --srcdir (@srcdir@) in defs.mk.in, and changed to absolute
    paths for some of the conftools utilities
  + mod_auth_dacs fixes and documentation updates for Apache 2.4; now needs
    "Require dacs-authz" with Apache 2.4
  + fixes to dacsacl(1)
  + fix to configure.ac (quote square brackets in case/esac)
  + important updates and corrections for dacs.quick(7)
  + upgrade to Windows Server 2012 for NTLM/LDAP authentication testing
  + updated some copyright notices

* DACS 1.4.28 (23-Oct-12)
  + renamed http(1) to dacshttp
  + upgrades: OpenSSL 1.0.1c, SQLite 3.7.14.1, Samba 3.6.8, Apache 2.4.3/2.2.23,
    OpenLDAP 2.4.33, BerkeleyDB 5.3.21, libxml2 2.8.0

* DACS 1.4.27b (19-Mar-12)
  + upgrades: OpenSSL 1.0.0h, SQLite 3.7.10, Samba 3.6.3, Apache 2.2.22,
    OpenLDAP 2.4.29
  + minor fixes to misc/Makefile.in
  + use appropriate apr-config command to get Apache APR include flags
  + added OpenLDAP Public License (Version 2.8) to NOTICES to facilitate
    inclusion of OpenLDAP code for Debian GNU/Linux support
  + added OpenLDAP ldif.h and ldif.c to simplify build and allow installed
    OpenLDAP headers and libraries to be used
  + mod_auth_dacs now recognizes the "wsgi-script" executable type

* DACS 1.4.27 (16-Jan-12)
  + upgrades: OpenSSL 1.0.0f, BerkeleyDB 5.3.15, SQLite 3.7.9, Samba 3.6.1,
      OpenLDAP 2.4.28, libxml 2.7.8, xmlsec 1.2.18
  + fixes and extensions to HTTP_AUTH, dacsauth(1), and the dacsauth() function
    and their documentation; the syntax of the HTTP_AUTH directive has been
    modified (the -url flag was removed) and is not backward compatible in
    some instances
  + upgrade and fixes for Mac OS X 10.7.2 (Lion) platform

* DACS 1.4.26 (30-Sep-11)
  + upgrades: Apache 2.2.21, Readline 6.2, Samba 3.6.0,
    OpenSSL-1.0.0e, OpenLDAP-2.4.26, xmlsec1-1.2.18, libxml2-2.7.8
  + extensions to HTTP_AUTH, dacsauth(1), and the dacsauth() function to
    return role information
  + bug fixes to local_passwd_authenticate and build/configuration procedure
  + Solaris/OpenSolaris no longer an officially supported platform
  + initial OAuth support
  + additional crypto support and self-tests
  + updated copyright notices

* DACS 1.4.25 (23-Jun-10)
  + VFS support for SQLite 3.6.23.1
  + added "user_sufficient" authentication control
  + fixes and improvements to PAM-based authentication
    (see dacs_authenticate(8))
  + upgrades: BerkeleyDB 5.0.21, Apache 2.2.15, Readline 6.1, Samba 3.5.3,
    openssl-1.0.0a, openldap-2.4.21, xmlsec1-1.2.16, libxml2-2.7.7
    note: DACS will no longer build against earlier releases of Samba
    note: it was necessary to rebuild xmlsec1 against OpenSSL 1.0.0
    note: changes made in OpenSSL 0.9.8[mno] are incompatible with DACS; do not
    use them with DACS
  + XML bug fix for dacs_select_credentials and minor (though incompatible)
    change to its DTD (dacs_select_credentials.dtd)
  + bug fixes: URL parsing, VFS rename, dacstransform/dacs_transform,
    function argument type conversion
  + initial, partial support for JSON output
  + minor additions to syntax() function
  + dacsemail(1)
  + added debug_xxx debug flag file mechanism
  + bug fix: the syntax of the id attribute of an Auth/Roles/Transfer clause
    should be restricted to an alphabetic followed by zero or
    more alphanumerics, hyphens, and underscores
  + upgrade: Mac OS X 10.6.4 (x86) platform
  + added RFC 4231 HMAC test vectors
  + added -with-apache-apr-includes build flag
  + many fixes and improvements to OTP token support in dacstoken;
    new dacs_token web service; new support for time-based OTP tokens (TOTP);
    incompatible changes to token account format and command line flags
  + persistent font change capability for HTML manual pages
  + additional build configuration flags for Apache special cases
    (e.g., --with-apache-apr-cpp-defs)
  + internal improvements: mutual exclusion locking, shared memory segments
    (not available on some platforms)
  + Rlinks, dacsrlink: several important bug fixes
  + undocumented dacs_complete word/string completion service (see complete.c)

* DACS 1.4.24 (8-Jan-10)
  + this release subsumes 1.4.23[ab], with additional bug fixes
  + upgrades: xmlsec1-1.2.14
  + support for FreeBSD 8.X (amd64) platform

* DACS 1.4.23b (10-Nov-09)
  + several low-level bugs
  + added --enable-dump command line argument
  + Initial support for the Mac OS X 10.6 on x86 platform
    o if building OpenSSL, you may need to specify the 64-bit architecture
      because its configuration appears to default to 32 bits; use e.g.,
      /usr/bin/perl ./Configure darwin64-x86_64-cc \
          --prefix=/usr/local/openssl-0.9.8l \
          --openssldir=/usr/local/openssl-0.9.8l shared
    o default owner/group of installed DACS files is "_www"; this should
      probably agree with your Apache's httpd.conf settings for User/Group
  + upgrades: openssl-0.9.8l

* DACS 1.4.23a (14-Oct-09)
  + new InfoCard directives:
    INFOCARD_STS_RP_ENDPOINT, INFOCARD_TOKEN_MAX_LENGTH,
    INFOCARD_TOKEN_DRIFT_SECS
  + new general directives:
    ACS_TRACK_ACTIVITY, ACS_INACTIVITY_LIMIT_SECS
  + enhancements to dacs_current_credentials, including ability to report last
    sign on and active sign ons; note: semi backward compatible changes to
    dacs_current_credentials.dtd
  + upgrades: Apache 2.2.14, Samba 3.2.15, BerkeleyDB 4.8.24, GNU Readline 6.0,
    libxml2-2.7.6, xmlsec1-1.2.13
  + Bug fixes:
    o dacs_version/dacsversion: reporting InfoCard enabled
    o low-level database bug could cause random crashes


* DACS 1.4.23 (10-Sep-09), DACS 1.4.22[b-j] (3-Sep-09)
  + initial support for self-issued and managed InfoCards:
    o added --enable-infocard-auth and --with-xmlsec1-config build flags
    o review README in the distribution's infocards directory
    o review dacs_infocard(8), dacsinfocard(1), dacs_managed_infocard(8),
      dacs_mex(8), dacs_sts(8), dacs_authenticate(8), dacs.conf(5),
      dacs.install(7), and "Using InfoCards With DACS"
    o an additional Apache directive is now expected by the default config:
        Alias /infocards "/usr/local/dacs/www/infocards/"
      New installation directory /usr/local/dacs/www/infocards contains
      some default public files and possibly some private (ACL-controlled)
      subdirectories
    o this is a work in progress - everything is subject to change
  + reintroduction of dacs_select_credentials - review
    dacs_select_credentials(8) 
  + special effective url pattern "*" - see dacs.acls(5)
  + extensions to index()
  + fixed elapsed time calculation
  + eliminated potential extraneous semi-colon when zapping DACS cookies
  + the variable previously called JURISDICTION_URI is now called
    JURISDICTION_URI_PREFIX and a new variable called JURISDICTION_URI
    has similar semantics but includes the request's scheme and any port
    number
  + new index table of variables added to the Technical Documentation
    web page
  + new directive: ACS_POST_EXCEPTION_MODE
  + bug fix for handling of -vfs argument (e.g., dacspasswd)
  + bug fix for regmatch() with multiple subexpressions and no namespace arg
  + bug fix: VERBOSE_LEVEL should not increase LOG_LEVEL
  + bug fix: PREDICATE directive in Roles clause
  + bug fix: getsize operation on HTTP types
  + upgrades: openssl-0.9.8k, Apache 2.2.13, OpenLDAP 2.4.17, Samba 3.2.14


* DACS 1.4.22a (20-Mar-09)
  + added CSS for dacs_current_credentials(8)
  + set ACS_CREDENTIALS_LIMIT to 1 as the default
  + added user("mine") variant
  + added ACS_DENIAL_REASON_CREDENTIALS_LIMIT directive
  + fixed potential segfault bug if decode(url, ...) fails, as when
    SERVICE_ARGS is truncated
  + data type names used in casts are now case sensitive (they had been case
    insensitive, although that was not documented)
  + upgrade to openssl-0.9.8j
    (there were some problems with 'make install': Makefiles under the fips
    subdirectory did not have INCLUDES set correctly and some manual
    intervention was required to complete the build)
  + this release includes preliminary code in support of InfoCards/CardSpace
    authentication; this new feature is not fully implemented or documented
    in this release, will not work or may not build, and should not be used;
    all aspects of this feature are subject to change
  + fixes for parsing of Content-Type MIME headers
  + improvements regarding logging of potentially sensitive information,
    lowered priority of most Apache logging messages generated by
    mod_auth_dacs
  + upgrade Solaris 10 test platform to OpenSolaris 2008.11/x86 (SunOS 5.11)


* DACS 1.4.22 (7-Jan-09)
  + fixes for possibly buggy jurisdiction listing in dacs_admin(8)
  + added optional public_key to jurisdiction's group_member element
    in groups.dtd (used by dacs_admin, dacs_list_jurisdictions, dacsinit)
  + dacskey can now print public and private keys, bug fixes
  + local_apache_auth handles large flat-file passwords (htpasswd) quicker
  - upgrade to OpenSSL 0.9.8i
  - upgrade to OpenLDAP 2.3.43
  - upgrade to Apache 2.2.11
  - upgrade to Samba 3.2.7
  - upgrade to Berkeley DB 4.7.25
  - new functions: strtolower(), strtoupper(), strstr(), strrstr()
  - start to separate DACS independent code into its own library, libdss.a
  - upgrade to docbook-xsl-1.74.0 and consequential minor format processing
    changes
  - additional tests for HMAC (FIPS 198-1)
  - added config directive AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS
  - fixes for URI decoding bugs


* DACS 1.4.21 (31-Mar-08)
  + dacs_transform/dacstransform: added expr attribute to insert directive
  + potentially incompatible changes to the UPROXY_APPROVED directive
  + bug fixes for HTTP requests on the (unofficial) Solaris/SPARC platform
  + bug fixes for the SetDACSAuthConf and SetDACSAuthSiteConf directives
    used by mod_auth_dacs
  + language extension allows braces to be omitted in variable references
    in certain cases as a convenience
  + bug fixes for MIME parsing
  + support for DESTDIR in Makefiles; see
    http://www.gnu.org/prep/standards/standards.html#DESTDIR
  + retirement of FreeBSD 4.X, 5.X, 6.X testing platforms,
    addition of FreeBSD 7.X (amd64) platform
  + upgrade to OpenSSL 0.9.8g
    note: when building it on FreeBSD, it was necessary to specify the
    -fPIC flag to its config program
  + upgrade to Samba 3.0.28
  + upgrade to Apache 2.2.8/2.0.63
  + incompatible changes to access control rule processing
    o these changes will only affect users of earlier releases who are using
      customized access control rules
    o the new format preprocesses rules to create an index called INDEX.
      The index is an XML file (with syntax acl_index.dtd) located at the root
      of each ACL directory structure (e.g., /usr/local/dacs/acls/INDEX)
      The dacsacl(1) command should be used to convert from the old format to
      the new format:
        % dacsacl -convert
      Whenever a rule is added, deleted, or modified, dacsacl(1) must always
      be run to rebuild the INDEX files:
        % dacsacl
      this will create new INDEX files or replace any existing ones and
      assumes that rules are in the new format
  + incompatible changes and improvements to dacs_admin(8),
    bug fixes and minor improvements, including CSS support
  + re-introduction of the authorization caching feature
  + addition of src/dacsinit, a script to initialize a minimal federation


* DACS 1.4.20 (7-Aug-07)
 + important bug fix to local_passwd_authenticate prevents invalid passwords
   from being accepted
 + canonicalize the DACS error url (avoiding a redundant acknowledgement
   by dacs_notices)
 + added -check argument to dacskey(1) to do cursory key validation
 + bug fix: parsing invalid Content-Type headers
 + bug fix: buffer handling
 + refined and documented dacs_uproxy(8) (not built by default)
 + bug fix: VFS vfs-uri open code
 + new functions: ustamp(), dacs_meta(), dacs_approval()
 + removed deprecated functions: hex_decode(), cescape(), mime_encode(),
   mime_decode(), url_encode(), url_decode() 
 + third-party support upgrades: Samba 3.0.25b, BerkeleyDB 4.6.18,
   OpenLDAP 2.3.37
 + Upgrade to GCC 4.2.1 for development
 + dacs_prenv(8) now sorts list of environment variables
 + assorted corrections to dacs.quick(7)


* DACS 1.4.19 (1-Jul-07)
 + bug fix: -expires date in dacscookie
 + bug fix: dacsvfs(1) must set field separator character properly
 + bug fix: multipart/form-data arguments not handled correctly
 + bug fix: setvar(split, ...) did not handle a trailing null element properly
 + bug fix: authorization tests after an internal redirect may have been
   performed on the request URI again instead of the new target URI
   or an empty string argument
 + assorted bug fixes for dacsrlink(1)
 + bug fix: ACS_ERROR_HANDLER quoted message error-action was broken
 + bug fix: dacs_list_jurisdictions(8) with FORMAT=TEXT
 + bug fix: minor MIME whitespace parsing error
 + bug fix: fix for long-standing bug in dacs_list_jurisdictions(8) and
   dacs_list_jurisdictions.dtd, plus some minor improvements
   Attribute renaming:
    o attribute 'name' renamed to 'jname' (jurisdiction name)
    o attribute 'name' is now the full name of the jurisdiction
    o attribute 'public_key' renamed to 'fed_public_key'
    o attribute 'public_key' is now the jurisdiction's public key, if known
 + bug fixes and overhaul to dacsexpr(1) command line processing.
   Note: some changes are incompatible, though minor
   Also:
    o a -n flag for syntax checking
    o removed -env flag
    o improved "batch mode" (non-interactive) operation
    o operation as a '#!' script
 + bug fixes for bstring type
 + bug fix: parsing empty blocks, like "if (3) {} print('hi');"
 + bug fix: exec() now sets ${DACS::status} correctly
 + formatting improvements for dacs_conf HTML
 + added expiry element to the concise syntax (an Rlink with an identity
   can now be assigned a lifetime)
 + dacscheck(1) can emit a redirection request (-redirect flag)
 + added "create" operation to counter()
 + added -s flag to dacsexpr
 + added optional limit argument to setvar split/regsplit
 + added source() function
 + added syntax() function
 + extended get() argument for consistency
 + extension to setvar()
 + added AUTH_SINGLE_COOKIE directive
 + added '+' modifier flag to variable references
 + removed obsolete manual pages
 + minor improvements to dacscookie(1)
 + ignore expired rules via expires_expr attribute
 + extended ACS_ERROR_HANDLER to evaluate an expression, backward-compatible
   changes to syntax, clarified documentation
 + added dacslist(1) command version of dacs_list_jurisdictions
 + change to DACS base-64 encoding character set to make encoded
   strings safe in paths (this does not affect Mime base-64 encodings);
   NOTE: the change is (temporarily) "mostly" backward compatible in that
   the old encoding is still recognized, however some things could break
   DACS admins should take this opportunity to regenerate federation and
   jurisdiction keys; user passwords via local_passwd_authenticate
   should also be updated
 + consolidated encoding/decoding functions into encode() and decode(),
   and added dacs64 encoding type - see dacs.exprs(5)
   NOTE: anyone using the old function names must make the obvious edits to
   convert the old names into the new ones; the following functions are
   deprecated and will be removed from a future release:
     cescape(), hex_decode(), mime_encode(), mime_decode(), url_encode(),
     url_decode()
 + new hash() function
 + new transform() and transform_config() functions
 + additional internal PKI support
 + A '#' now introduces a comment in expressions
 + new trim() function
 + added 'z' variable modifier flag
 + extended get() to use 'stdin' item type
 + setvar() extensions (rename, post)
 + changed site.conf defaults for LOG_LEVEL and LOG_FORMAT
 + changes to default log message formats
 + added several new flags to dacspasswd(1) and various improvements
   Notes: These changes are backward compatible with existing DACS password
   files.  Not all of the new features can be accessed through
   dacs_passwd(8), dacs_admin(8), etc.
 + revisions to dacs_passwd(8) man page
 + extended password()
 + use of DEFAULT_JURISDICTION environment variable - see dacs(1)
 + extensions to vfs()
 + upgrades: expat-2.0.1, samba-3.0.25a, openldap-2.3.35
 + new functionality for cgiparse(8) (should be backward compatible)
 + bug fixes for http(1), including handling binary content
 + minor I/O processing bug fixes 
 + Added DACS_USERNAME to the "url syntax" argument list of
   AUTH_SUCCESS_HANDLER.


* DACS 1.4.18 (3-Apr-07)
  + bug fixes for building shared library
  + bug fix: conditional expressions could sometimes cause a segfault
  + bug fix: application/x-www-form-urlencoded content type was sometimes
    not properly encoded (this broke ampersands in passwords, for example)
  + bug fix: make Args namespace available to configuration processing
  + bug fix: http(1) may write a binary body improperly
  + replaced Configuration.dtd, which seems to have gotten lost, and updated
    dacs_conf_reply.dtd
  + added EXPR (-expr) pseudo-module to dacsauth
  + added strptime() function, changes to time()
  + dacs_authenticate now ignores unrecognized web service arguments
  + tools/DACScheck* moved to tools/perl
  + changes to HTTP_AUTH and HTTP_AUTH_ENABLE directive in support of
    the new pre-authorization testing HTTP authentication feature;
    the changes to these two directives are backward compatible,
    but anyone using either directive should review the updated descriptions
  + added -invisible/-visible flags to DACS_ACS argument, with the former
    being the new default behaviour
  + minimal support for Java via JNI - see dacs.java(7)
  + upgrade to Apache 2.2.4 and OpenSSL 0.9.8e
  + experimental dacsauth() and dacscheck() functions
    note: use with care because they may have reentrancy bugs and may be
    relatively heavy memory users
  + added ACS_PRE_AUTH directive
  + added request_match() function
  + added -rlink flag to DACS_ACS (available as ${ARGS::RLINK} in
    ACS_PRE_AUTH expression)
  + added the "n" modifier flag to variables
  + added AUTH_FAIL, ACS_SUCCESS, and ACS_FAIL directives
  + added on_success() function
  + added counter() function
  + minor enhancements to time() function
  + added ability to conditionally include a config directive via undef()
  + minor extensions to acl.dtd for new optional attributes
  + minor experimental addition to acl.dtd (the "identity" element)
  + new var() function
  + new password() function
  + ACL checking extended to look at expires_expr and url_expr attributes
  + new BY_SIMPLE_REDIRECT error code for "pure" redirects
    (this can be used with redirect() and a deny clause to create short links)
  + addition of the "Cookies" namespace
  + new "Rlinks" feature - see dacsrlink(1)
  + minor HTML formatting changes for dacs_prenv
  + minor HTML formatting changes for dacs_list_jurisdictions
  + upgrades to Samba 3.0.24, OpenLDAP 2.3.34

* DACS 1.4.17 (8-Feb-07)
  + added new 'simple' style of authentication via local_simple_authenticate
    for inherently password-less accounts (note that local_passwd_authenticate
    requires a user provided password that cannot be the empty string)
  + bug fix: composing and storing authentication styles in credentials
  + bug fix: bareword not treated as string in some cases
  + bug fix: empty role string from roles module not always handled properly
  + improvements and clarifications to the OPTION Auth/Roles directive,
    new OPTION* directive for better run-time adjustments
  + bug fix: file(basename, ...) function
  + new AUTH_SUCCESS directive gives a post-authentication hook
  + clarifications and fixes to LOG_FILTER directive's behaviour
  + bug fix: variable modifier flag parsing
  + updated copyright notices
  + NOTE: six utilities have been renamed for consistency
    aclcheck(1) to dacsacl(1),
    conf(1) to dacsconf(1),
    cookie(1) to dacscookie(1),
    mkkey(1) to dacskey(1),
    auth_grid(1) to dacsgrid(1),
    auth_token(1) to dacstoken(1)
    also renamed prenv(8) to dacs_prenv(8)
    See dacs(1) for an explanation of the naming convention.  The original
    names, which may have been confusing or conflicted with non-DACS software,
    are temporarily still available via the dacs(1) command.  Their manual
    pages will be temporarily retained as reminders of the changes.
  + added the unary type cast operator, and sizeof and typeof functions
  + enhancements to the substr() function
  + improved handling of binary data for correct application of url_decode,
    mime_decode, and future functions; new "bstring" data type;
    new functions: hex_decode, bstring, and cescape
  + added hmac(), digest(), and random() functions
  + documented C-style character and numeric escape codes
  + upgrades to samba-3.0.23d, openldap-2.3.31, docbook-xsl-1.71.1
  + fixed local_pam_auth build bug with shared libraries
  + Auth/Roles/Transfer clause id tags are now case sensitive
  + new COOKIE_HTTPONLY directive
  + new local_ldap_roles module can assign LDAP/ADS roles to any user;
    it was previously necessary to authenticate the user through
    local_ldap_authenticate to obtain these roles
  + Authorization header parsing using setvar()
  + bug fixes for building shared library
  + minor extensions to dacs_version and its DTD

* DACS 1.4.16 (1-Dec-06)
  o bug fix: http_auth_jurisdiction variable didn't set DACS_JURISDICTION
  o bug fixes for building DACS with Samba on Linux
  o bug fixes for building DACS with Samba on Solaris 8 (-lresolv)
  o new authentication module, local_http_authenticate
    (used to authenticate against a Google account, for instance)
  o bug fix for dacs_conf(8) and conf(1) where closing Roles tag may be
    omitted in XML and HTML output; CSS fix
  o upgrade to OpenSSL 0.9.8d
  o upgrade to Berkeley DB 4.5.20
  o fixes to configure.ac: --disable-... flags, --with-iconv processing
  o added DACS_IDENTITY and DACS_CONCISE_IDENTITY environment variables
    (useful with dacscheck)
  o fix to Auth clause's INIT* directive to propagate ${Auth::CURRENT_USERNAME}
  o prototype distributed generation of user info records (login/logout/access
    events), written to "user_info" VFS type (--enable-user-info)
  o minor VFS enhancements and bug fixes (file locking, append mode)
  o bug fix: backslashes within strings were not always handled consistently,
    especially two consecutive backslashes; this fix could possibly break some
    existing strings that contain multiple consecutive backslashes
  o build DACScheck.pm and install it in .../dacs/lib/perl
  o additional test cases
  o fixes for secure -aux prompting by dacsauth
  o added -vfs flag to dacspasswd to specify alternate password file
  o minor improvements to revocation list processing, including account
    disabling
  o built-in versions of roles modules, fixes for enabling/disabling roles
    modules by 'configure'
  o minor build enhancements and simplifications
  o fixes and improvements for local_pam_authenticate, which now appears
    to work
  o added variables to the Conf namespace (such as DACS_SITE_CONF and
    OPENSSL_PROG) and renamed some for consistency (such as SITE_CONF_SPEC to
    DACS_SITE_CONF_SPEC)
  o added ${<namespace>::#} syntax to return the number of variables in
    a namespace
  o bug fixes and enhancements for setvar()
  o minor changes to http(1)
  o minor changes to subset() and contains_any() functions
  o setvar() function:
    + incompatible syntactical changes
    + new operators: copy, delete, load/loadi, regsplit/split
  o user() function addition of "namespace" operator 
  o redirect() function takes an optional error name or code
  o bug fixes: CREDENTIALS_LIFETIME_SECS was ignored by some auth modules

* DACS 1.4.15 (1-Oct-06)
  - upgrades to Apache 2.0.59 and Apache 2.2.3
  - upgrades to Samba 3.0.23c, OpenSSL 0.9.8c, and OpenLDAP 2.3.27
  - minor bug fixes to dacs_conf(8), conf(1), dacsauth(1), dacscheck(1),
    and dacssched(1)
  - renamed html/examples/login.html to html/examples/slogin.html and added
    html/examples/login.html, a JavaScript version of login.php
  - new authentication module to provide software-based, one-time passwords;
    see auth_grid(1)
  - new authentication module to support one-time password token devices;
    see auth_token(1)
  - new dacs_autologin_ssl(8) web service for automagic SSL login
  - PASSWORD_MINIMUM_LENGTH, PASSWORD_NEEDS_MIXED_CASE,
    PASSWORD_NEEDS_PUNCTUATION, and PASSWORD_NEEDS_DIGITS directives have been
    removed - use PASSWORD_CONSTRAINTS; PASSWORD_AUDIT is now an Auth clause
    directive instead of a general directive
  - added --with-cgi-suffix flag to configure
  - extended syntax for ACS_ERROR_HANDLER directive (the optional url_pattern
    element)
  - fixed local_cert_authenticate bug
  - minor corrections and updates for autologin(8)
  - incompatible improvements and simplifications have been made to
    dacs_auth_transfer(8):
    o eliminated directives: AUTH_TRANSFER_ERROR_URL,
      AUTH_TRANSFER_IMPORT_URL, and AUTH_TRANSFER_SUCCESS_URL
    o eliminated VFS item types: auth_transfer_imports, auth_transfer_exports,
      and auth_transfer_cookies item types
    o added directive: AUTH_TRANSFER_EXPORT
    o added: Transfer clause and new directives to dacs.conf

* DACS 1.4.14 (1-Aug-06)
  - bug fixes, minor enhancements, and documentation improvements, including:
    o upgrade to openldap-2.3.24
    o upgrade to samba-3.0.23
    o added rule() predicate, which exposes the rule processing engine
      to expressions
    o http command redirect handling
    o new configuration directives (see dacs.conf(5)):
        PASSWORD_AUDIT, PASSWORD_CONSTRAINTS (replaces PASSWORD_MINIMUM_LENGTH,
        PASSWORD_NEEDS_MIXED_CASE, PASSWORD_NEEDS_PUNCTUATION, and
        PASSWORD_NEEDS_DIGITS directives), VERIFY_UA, UNAUTH_ROLES,
        ACS_CREDENTIALS_LIMIT
    o added ROLE_STRING_MAX_LENGTH directive and improved role string
      error logging
    o boolean value conversion fixes
    o improved request tracking of unauthenticated users
  - new features:
    o added dacs_transform, a prototype web service to demonstrate how the
      DACS rule processing engine can be applied to document transformations
    o added dacstransform, a command analog to dacs_transform
    o added dacssched, a prototype command to demonstrate how the DACS rule
      processing engine can be applied to scheduling command execution

* DACS 1.4.13 (1-Jun-06)
  - bug fixes, minor enhancements, and documentation improvements, including:
    o port to Apache 2.2
      requires --with-apache-apr flag when DACS is configured
    o upgrade to Apache 2.0.58, Apache 2.2.2
    o upgrade to openssl-0.9.8b
    o minor changes to DACS license to clarify redistribution & repackaging
    o new predicates file_owner() and file_group()
    o completed and documented vfs() function
    o added ${DACS::IDENTITY} variable
    o fixed expression evaluation bug causing incorrect True/False result
      from return/exit function
    o fixed expression syntax bug when statement follows a brace-delimited
      block: if (expr) { ... } statement
    o fixed several expression parsing and evaluation bugs
    o added 100+ initial expression test cases ("make tests")
    o added NIST HMAC test vector tests
      ("make tests" or "make crypto; ./crypto")
    o SSL library buffer management bug fix (affects http and sslclient)
  - new authentication features, including:
    o dacsauth, an initial version of a command line authentication program
    o new authentication module, local_cas_authenticate, for authenticating
      through the Central Authentication Service (CAS)
      (http://www.ja-sig.org/products/cas/index.html)

* DACS 1.4.12 (1-May-06)
  - bug fixes, minor enhancements, and documentation improvements, including:
    o added -ssl-flags argument to http(1)
    o bug fix re COMPAT_MODE and old cookie name format
    o bug fix re LOG_SENSITIVE directive
    o bug fix re selection of "audit" log messages by LOG_FILTER
    o minor fixes and improvements to dacscred and its documentation
    o added tools/DACScheck.pm
    o sslclient bug fixes
    o clarification of regsub() behaviour
    o bug fix for rule matching where Jurisdiction uri attribute ends in a slash
    o new check for precondition element error
    o fixes for Solaris 10 x86 platform
    o bug fix re: <user name="any"/>
    o minor improvements to http, including following redirects
    o minor improvements to mkkey and its documentation
    o properly ignore disabled rules
    o upgrade to Samba 3.0.22
    o upgrade to OpenLDAP 2.3.21
  - new authentication features, including:
    o the ability to authenticate against Apache htpasswd and htdbm files
      using any DACS password-oriented authentication module
    o an internal implementation of RFC 2617 HTTP Basic Authentication
      supporting authentication by any password-oriented DACS authentication
      module
    o an internal implementation of RFC 2617 HTTP Digest Authentication for
      authenticating against Apache htdigest files
    o built-in versions of authentication modules can be selected - see
      dacs_authenticate(8)
    o see dacs_acs(8) and dacs_authenticate(8)
  - incompatible change to dacs_auth_agent local mode name mapping for
    improved usability - see dacs_auth_agent(8)
  - configuration processing fixes and documentation clarifications

* DACS 1.4.11 (8-Mar-06)
  - many minor bug fixes and documentation improvements
  - new cross-federation identity transfer capability: dacs_auth_transfer
  - improvements and important extensions to user() predicate to handle
    multiple credentials correctly; compatible except that the optional MODE
    argument is now part of the string argument instead of being a separate
    argument.  The ACL user_list's user element inherits these improvements.
  - expression evaluation fixes and improvements
  - fixes for 64-bit architecture
  - minor changes to revocation list processing
  - uri_expr attribute added to Jurisdiction element (dacs_conf_reply.dtd)
  - dacs_url template expansion by dacs_list_jurisdictions
  - string interpolation enhancements (%u, %s, %U)
  - ability to reference Args namespace during config processing
  - DTD change: dacs_current_credentials.dtd
  - to aid in debugging, dacs_current_credentials can optionally return
    additional detail (by default, limited to privileged users)
  - ACL changes: acl-current-credentials.0, acl-dacs.0, acl-auth-transfer.0
  - moved dacs.quick(5) to dacs.quick(7)
    Suggestion:
     % rm -f /usr/local/dacs/man/man5/dacs.quick.5 
     % rm -f /usr/local/dacs/man/cat5/dacs.quick.5.gz
  - Cookie naming format change to align with DACS names
    The change is that a second colon follows the <federation_name>
    This also affects NAT cookie names, which are not DACS cookies per se
  - Mostly backward-compatible changes to the Jurisdiction section matching
    algorithm in dacs.conf, improved documentation
    The uri attribute can now include a simple hostname pattern (e.g.,
    uri=*.fedroot.com) and a port number (fedroot.com:8080 and fedroot.com:8081
    can now be different jurisdictions).  Hostname matching is case-insensitive
    but URI path matching is still case-sensitive and is done path
    segment-by-segment rather than as a simple string compare.
    NB: this could potentially break some configuration files
    Note that if you use ports in the uri=, you may need to change
    the -u flag (e.g., in httpd.conf or ssl.conf) to add the port.
    See "The Jurisdiction Section" in dacs.conf(5).
  - bug fix: "sensitive" log messages could incorrectly be emitted
  - bug fix: dacs_version/dacsversion didn't emit detailed version info
    for shared libraries (fix is to always link them statically)
  - bug fix: dacscred always wanted to use SSL
  - many build and install fixes for Solaris 8
  - added 'touch' target to man/Makefile in case make thinks it needs
    to regenerate documentation when it really doesn't
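
    Added example (not DACS source code, and not part of the original
    HISTORY file): a simplified model of the Jurisdiction uri matching rules
    described in the 1.4.11 entry above, showing why segment-by-segment path
    matching differs from a plain string compare. The function names, the
    "/metalogic" path, the prefix semantics, and the treatment of a pattern
    without a port as matching any port are assumptions.

```python
# Added illustration, not DACS source. Simplified model of the 1.4.11
# Jurisdiction uri matching rules; the exact pattern grammar is assumed.
from fnmatch import fnmatchcase


def split_uri(uri):
    """Split 'host[:port][/path]' into (host, port or None, path segments)."""
    authority, _, path = uri.partition("/")
    host, _, port = authority.partition(":")
    return host.lower(), (port or None), [s for s in path.split("/") if s]


def jurisdiction_matches(pattern, request):
    """True if request falls under the jurisdiction uri pattern."""
    p_host, p_port, p_segs = split_uri(pattern)
    r_host, r_port, r_segs = split_uri(request)
    # Hostname: case-insensitive (both lowercased), simple '*' pattern allowed.
    if not fnmatchcase(r_host, p_host):
        return False
    # Port: assumed to be compared only when the pattern names one.
    if p_port is not None and p_port != r_port:
        return False
    # Path: case-sensitive, and the pattern must cover whole leading segments.
    return r_segs[:len(p_segs)] == p_segs


def naive_prefix_matches(pattern, request):
    """The 'simple string compare' that segment matching replaces."""
    return request.startswith(pattern)


# Constructed sample inputs; the path "/metalogic" is made up.
CASES = [
    ("*.fedroot.com/metalogic", "WWW.FedRoot.com/metalogic/docs"),
    ("fedroot.com/metalogic", "fedroot.com/metalogic-admin"),
    ("fedroot.com/metalogic", "fedroot.com/Metalogic"),
    ("fedroot.com:8080", "fedroot.com:8081/metalogic"),
]

if __name__ == "__main__":
    for pat, req in CASES:
        print(pat, req, jurisdiction_matches(pat, req),
              naive_prefix_matches(pat, req))
```

    The second case is the one to check when reviewing an existing dacs.conf:
    a string compare would place "/metalogic-admin" under the "/metalogic"
    jurisdiction, while segment matching does not.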

* DACS 1.4.10 (26-Jan-06)
  - added -D as a dacsoption flag - see dacs(1)
  - optional LOG_FORMAT directive added, LOG_FEDERATION_NAME removed
    (note: remove the latter from configuration files)
  - optional SSL_PROG_ARGS directive added
  - initial implementation of experimental COMPAT_MODE directive
    to prevent DACS 1.2 credentials from being discarded
  - implemented missing assignment operators (+=, -=, etc.) and
    pre/post inc/dec operators for integer variables
  - a default namespace ("Temp") is now allowed as a convenience:
    ${foo} = 17 is equivalent to ${Temp::foo} = 17
    This can be disabled, or the name changed, at compile time
  - added a PHP example to dacscheck(1)
  - added if/elseif/else statement, comma operator
  - added expression testing framework to dacsexpr(1) (see its -et flag)
  - added -uj and -us dacsoptions flags for convenience
  - extensions to the VERIFY_IP directive
  - upgrades to expat-2.0.0, BerkeleyDB 4.4.20, samba-3.0.21a, openldap-2.3.18
  - added STATUS_LINE directive and -status_line/-no_status_line DACS_ACS flags

* DACS 1.4.9 (19-Dec-05)
  - many bug fixes and documentation revisions and improvements
  - fixes and improvements to the dacscheck(1) command and its man page
  - fixes to autologin and exec() function
  - fixes to local_roles, local_unix_roles, and dacs_authenticate
  - added the Env namespace
  - fixes to dacs_notices and its man page
  - fixes to the virtual filestore and its documentation
  - added --with-apache=omit (see INSTALL)
  - added ability to select case sensitive/insensitive comparison of
    federation/jurisdiction/usernames.  See docs for the new NAME_COMPARE
    directive and the revised user() predicate.
    A consequence of this change is that accounts created by dacspasswd
    are now lowercase names; otherwise case-insensitive comparisons will
    consider "Bob" and "bob" equivalent.  Some such existing accounts will
    become inaccessible if the admin changes to case-insensitive names.
  - added DACS-Status-Line with -check_only and -check_fail flags; see
    dacs_acs(1)
  - changes to dacs_acs.dtd

* DACS 1.4.8 (18-Nov-05)
  - many bug fixes and documentation revisions and improvements
  - new dacscheck(1) command
  - changes to various DTDs and default ACLs
  - extensions to DACS names and the user() predicate
  - upgraded to OpenSSL 0.9.8a
  - new configuration directives for password constraints
  - re-enabled permit_chaining and added new PERMIT_CHAINING directive
  - changes/fixes to authentication failure delay handling
  - fixes for Cygwin

* DACS 1.4.7 (20-Oct-05)
  - many bug fixes and documentation revisions
  - some log entries now include a "session tracking identifier"
  - sensible https/SSL defaults for the http command
  - new dacs_auth_agent web service
  - replacement of Store clause with VFS configuration directive
    Note: this may require revisions to dacs.conf and site.conf
  - added version header/footer lines to HTML man pages
  - important bug fixes for local_ntlm_authenticate and local_ldap_authenticate
  - upgrades to samba-3.0.20a, openldap-2.2.26, docbook-xsl-1.69.1,
    openssl-0.9.7i, Apache 2.0.55
  - new delegated ACLs feature
  - aclcheck now also checks the revocation list
  - reworking of the former "url" virtual filestore type (now called "vfs")
  - http/https URI schemes are supported by the new VFS directive

* DACS 1.4.6 (19-Sep-05)
  - many bug fixes and documentation revisions
  - initial version of dacs_notices
  - initial version of dacscred
  - changes to dacs_acs DACS_ACS argument
  - logging enhancements, including support for syslog(3)

* DACS 1.4.5 (17-Aug-05)
  - many bug fixes (including some important ones) and revised documentation
  - acs_expr is now dacsexpr, with some new functions
  - upgrade to openssl-0.9.7g, with preparations for openssl-0.9.8
  - initial development of the new dacs_notices service (not yet complete)
  - continued development of dynamically loadable functions (not yet complete)

* DACS 1.4.4 (20-Jun-05)
  - many bug fixes
  - the Quick Start tutorial
  - continued development of the dacs_admin service (not yet complete)

* DACS 1.4.3 (27-May-05)
  - Upgrade to Apache 2.0.54
  * sslclient client is now installed as a DACS utility and used in
    place of stunnel.  Manual page added for sslclient(1).
    Stunnel is no longer required.
    The SSL_PROG directive in dacs.conf must be changed to something like
      SSL_PROG "/usr/local/dacs/bin/sslclient"
  * ACL filename syntax change
    Enabled rules must begin with "acl-" and disabled rules must begin
    with "disabled-acl-".  All other files and directories are ignored.
  - an ACL's "service" element can supply an expression
    ("url_expr") instead of a simple string ("url_pattern").  One of the two
    attributes must be given, but not both.  If a url_expr is given, it
    is evaluated at the time an ACL is matched against a request; if no error
    occurs, the resulting non-empty string is used instead of url_pattern
    and has the same semantics as url_pattern.  Evaluation errors are fatal.

    The standard DACS ACLs (acls/acl-*) no longer have a URL path
    prefix built into them.  They have been changed to use url_expr attributes
    that interpolate either of two new configuration variables, defined in
    conf/site-conf.std:
      EVAL ${Conf::dacs_cgi_bin_prefix} = "/cgi-bin/dacs"
      EVAL ${Conf::dacs_htdocs_prefix} = ""
    Refer to the standard DACS ACLs to see the obvious revisions.
    Administrators can, of course, define similar prefixes for ACLs in their
    site/federation/jurisdictions, making prefix changes simple.
  - local_cert_authenticate added; see dacs_authenticate(1)

* DACS 1.4.2 (14-Apr-05)
  - Added support for LDAP and Microsoft ADS based authentication
  - improved man pages
  - minor bug fixes
  - minor changes:
    o new and renamed DACS expression functions, including ldap name parsing
    o if -v and --version are given, also print module version stamps
    o an initial version of WWW-Authenticate/Authorization header handling
      (ACS can respond with or accept RFC 2617 headers)
    o added "ndbm" storage method (includes gdbm in compatibility mode)
    o added missing C/C++ bit operators for DACS expressions

* DACS 1.4.1 (16-Mar-05)
  - Added support for Microsoft NTLM authentication
  - Added "bundle=yes" argument to make to build a "dacs" command
  - improved man pages
  - many minor bug fixes

* DACS 1.4.0 (14-Feb-05)
  - Second open source version, based on DACS 1.3.2 functionality

$Id: HISTORY 2650 2013-03-01 18:54:10Z brachman $