* DACS 1.4.28b (1-Mar-2013)
+ added dsvec_ptr_rindex(), strchop()
+ improved debugging output, proxy handling for dacshttp
+ initial support for rule patterns (--enable-rule-patterns)
+ initial support for forward proxy mode (-up flag, Proxy-Authenticate and
Proxy-Authorization headers)
+ fixes for dacsacl(1) for building/rebuilding index file regardless of
whether it already exists
+ upgrades: OpenSSL 1.0.1e, Samba 3.6.12
* DACS 1.4.28a (29-Jan-2013)
+ fixed bug in strstr()
+ added optional nocase argument to dacsexpr functions strstr() and strrstr()
+ retired FreeBSD 7.X and 8.X as testing platforms
+ upgrades: CentOS 5.9, FreeBSD 9.1
+ corrected use of --srcdir (@srcdir@) in defs.mk.in, and changed to absolute
paths for some of the conftools utilities
+ mod_auth_dacs fixes and documentation updates for Apache 2.4; now needs
"Require dacs-authz" with Apache 2.4
+ fixes to dacsacl(1)
+ fix to configure.ac (quote square brackets in case/esac)
+ important updates and corrections for dacs.quick(7)
+ upgrade to Windows Server 2012 for NTLM/LDAP authentication testing
+ updated some copyright notices
* DACS 1.4.28 (23-Oct-12)
+ renamed http(1) to dacshttp
+ upgrades: OpenSSL 1.0.1c, SQLite 3.7.14.1, Samba 3.6.8, Apache 2.4.3/2.2.23,
OpenLDAP 2.4.33, BerkeleyDB 5.3.21, libxml2 2.8.0
* DACS 1.4.27b (19-Mar-12)
+ upgrades: OpenSSL 1.0.0h, SQLite 3.7.10, Samba 3.6.3, Apache 2.2.22,
OpenLDAP 2.4.29
+ minor fixes to misc/Makefile.in
+ use appropriate apr-config command to get Apache APR include flags
+ added OpenLDAP Public License (Version 2.8) to NOTICES to facilitate
inclusion of OpenLDAP code for Debian GNU/Linux support
+ added OpenLDAP ldif.h and ldif.c to simplify build and allow installed
OpenLDAP headers and libraries to be used
+ mod_auth_dacs now recognizes the "wsgi-script" executable type
* DACS 1.4.27 (16-Jan-12)
+ upgrades: OpenSSL 1.0.0f, BerkeleyDB 5.3.15, SQLite 3.7.9, Samba 3.6.1,
OpenLDAP 2.4.28, libxml 2.7.8, xmlsec 1.2.18
+ fixes and extensions to HTTP_AUTH, dacsauth(1), and the dacsauth() function
and their documentation; the syntax of the HTTP_AUTH directive has been
modified (the -url flag was removed) and is not backward compatible in
some instances
+ upgrade and fixes for Mac OS X 10.7.2 (Lion) platform
* DACS 1.4.26 (30-Sep-11)
+ upgrades: Apache 2.2.21, Readline 6.2, Samba 3.6.0,
OpenSSL-1.0.0e, OpenLDAP-2.4.26, xmlsec1-1.2.18, libxml2-2.7.8
+ extensions to HTTP_AUTH, dacsauth(1), and the dacsauth() function to
return role information
+ bug fixes to local_passwd_authenticate and build/configuration procedure
+ Solaris/OpenSolaris no longer an officially supported platform
+ initial OAuth support
+ additional crypto support and self-tests
+ updated copyright notices
* DACS 1.4.25 (23-Jun-10)
+ VFS support for SQLite 3.6.23.1
+ added "user_sufficient" authentication control
+ fixes and improvements to PAM-based authentication
(see dacs_authenticate(8))
+ upgrades: BerkeleyDB 5.0.21, Apache 2.2.15, Readline 6.1, Samba 3.5.3,
openssl-1.0.0a, openldap-2.4.21, xmlsec1-1.2.16, libxml2-2.7.7
note: DACS will no longer build against earlier releases of Samba
note: it was necessary to rebuild xmlsec1 against OpenSSL 1.0.0
note: changes made in OpenSSL 0.9.8[mno] are incompatible with DACS; do not
use them with DACS
+ XML bug fix for dacs_select_credentials and minor (though incompatible)
change to its DTD (dacs_select_credentials.dtd)
+ bug fixes: URL parsing, VFS rename, dacstransform/dacs_transform,
function argument type conversion
+ initial, partial support for JSON output
+ minor additions to syntax() function
+ dacsemail(1)
+ added debug_xxx debug flag file mechanism
+ bug fix: the syntax of the id attribute of an Auth/Roles/Transfer clause
should be restricted to an alphabetic followed by zero or
more alphanumerics, hyphens, and underscores
+ upgrade: Mac OS X 10.6.4 (x86) platform
+ added RFC 4231 HMAC test vectors
+ added -with-apache-apr-includes build flag
+ many fixes and improvements to OTP token support in dacstoken;
new dacs_token web service; new support for time-based OTP tokens (TOTP);
incompatible changes to token account format and command line flags
+ persistent font change capability for HTML manual pages
+ additional build configuration flags for Apache special cases
(e.g., --with-apache-apr-cpp-defs)
+ internal improvements: mutual exclusion locking, shared memory segments
(not available on some platforms)
+ Rlinks, dacsrlink: several important bug fixes
+ undocumented dacs_complete word/string completion service (see complete.c)
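The HMAC test vectors referred to in the release notes (RFC 4231 vectors in 1.4.25, FIPS 198-1 tests in 1.4.22, NIST HMAC vectors in 1.4.13) are a build-time crypto self-test. As an added example that is not DACS's own code, here is what such a self-test looks like in Python: an HMAC-SHA-256 written out from RFC 2104 and checked against four RFC 4231 test cases, beside a deliberately wrong variant (long key truncated instead of hashed) that the larger-than-block-size vectors catch. The hand-rolled HMAC exists only to show what the vectors protect against; real code should use the standard library.

```python
"""
Added example (not DACS code): an RFC 2104 HMAC built from the hash
primitive alone, checked against RFC 4231 test vectors the way a crypto
self-test at build time would.  Only the vectors are authoritative here.
"""
import hashlib
import hmac


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC over SHA-256, written out step by step.

    The SHA-256 block size is 64 bytes.  A key longer than the block size
    is hashed first; a shorter key is zero-padded.  Skipping the first rule
    is the classic HMAC bug that RFC 4231 test cases 6 and 7 detect.
    """
    block_size = 64
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


# RFC 4231 test vectors, HMAC-SHA-256 column.  Keys and data are as in the RFC.
RFC4231_VECTORS = [
    # (name, key, data, expected HMAC-SHA-256 as hex)
    ("case 1", b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    ("case 2", b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
    ("case 6 (key > block size)", b"\xaa" * 131,
     b"Test Using Larger Than Block-Size Key - Hash Key First",
     "60e431591ee0b67f0d8a26aacbf5b77f8e0bc6213728c5140546040f0ee37f54"),
    ("case 7 (key and data > block size)", b"\xaa" * 131,
     b"This is a test using a larger than block-size key and a larger than "
     b"block-size data. The key needs to be hashed before being used by the "
     b"HMAC algorithm.",
     "9b09ffa71b942fcb27635fbcd5b0e944bfdc63644f0713938a7f51535c3a35e2"),
]


def run_self_test(impl=hmac_sha256_manual) -> list:
    """Return the names of the vectors `impl` gets wrong (empty list = pass)."""
    failures = []
    for name, key, data, expected in RFC4231_VECTORS:
        if impl(key, data).hex() != expected:
            failures.append(name)
    return failures


def stdlib_hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """The implementation to actually ship: Python's hmac module."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def broken_hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Deliberately wrong: truncates a long key instead of hashing it.

    Cases 1 and 2 still pass (short keys), which is exactly why a self-test
    needs the over-block-size vectors too.
    """
    key = key[:64].ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return hashlib.sha256(opad + hashlib.sha256(ipad + msg).digest()).digest()


if __name__ == "__main__":
    for label, fn in [("manual", hmac_sha256_manual),
                      ("stdlib", stdlib_hmac_sha256),
                      ("broken", broken_hmac_sha256)]:
        failed = run_self_test(fn)
        print(f"{label}: {'FAIL ' + str(failed) if failed else 'ok'}")
```

Run it as a script and the "broken" row reports cases 6 and 7 while the other two pass all four vectors; wiring `run_self_test` into `make tests` and failing the build on a non-empty list is the whole point of shipping vectors with the code.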
* DACS 1.4.24 (8-Jan-10)
+ this release subsumes 1.4.23[ab], with additional bug fixes
+ upgrades: xmlsec1-1.2.14
+ support for FreeBSD 8.X (amd64) platform
* DACS 1.4.23b (10-Nov-09)
+ several low-level bugs
+ added --enable-dump command line argument
+ Initial support for the Mac OS X 10.6 on x86 platform
o if building OpenSSL, you may need to specify the 64-bit architecture
because its configuration appears to default to 32 bits; use e.g.,
/usr/bin/perl ./Configure darwin64-x86_64-cc \
--prefix=/usr/local/openssl-0.9.8l \
--openssldir=/usr/local/openssl-0.9.8l shared
o default owner/group of installed DACS files is "_www"; this should
probably agree with your Apache's httpd.conf settings for User/Group
+ upgrades: openssl-0.9.8l
* DACS 1.4.23a (14-Oct-09)
+ new InfoCard directives:
INFOCARD_STS_RP_ENDPOINT, INFOCARD_TOKEN_MAX_LENGTH,
INFOCARD_TOKEN_DRIFT_SECS
+ new general directives:
ACS_TRACK_ACTIVITY, ACS_INACTIVITY_LIMIT_SECS
+ enhancements to dacs_current_credentials, including ability to report last
sign on and active sign ons; note: semi backward compatible changes to
dacs_current_credentials.dtd
+ upgrades: Apache 2.2.14, Samba 3.2.15, BerkeleyDB 4.8.24, GNU Readline 6.0,
libxml2-2.7.6, xmlsec1-1.2.13
+ Bug fixes:
o dacs_version/dacsversion: reporting InfoCard enabled
o low-level database bug could cause random crashes
* DACS 1.4.23 (10-Sep-09), DACS 1.4.22[b-j] (3-Sep-09)
+ initial support for self-issued and managed InfoCards:
o added --enable-infocard-auth and --with-xmlsec1-config build flags
o review README in the distribution's infocards directory
o review dacs_infocard(8), dacsinfocard(1), dacs_managed_infocard(8),
dacs_mex(8), dacs_sts(8), dacs_authenticate(8), dacs.conf(5),
dacs.install(7), and "Using InfoCards With DACS"
o an additional Apache directive is now expected by the default config:
Alias /infocards "/usr/local/dacs/www/infocards/"
New installation directory /usr/local/dacs/www/infocards contains
some default public files and possibly some private (ACL-controlled)
subdirectories
o this is a work in progress - everything is subject to change
+ reintroduction of dacs_select_credentials - review
dacs_select_credentials(8)
+ special effective url pattern "*" - see dacs.acls(5)
+ extensions to index()
+ fixed elapsed time calculation
+ eliminated potential extraneous semi-colon when zapping DACS cookies
+ the variable previously called JURISDICTION_URI is now called
JURISDICTION_URI_PREFIX and a new variable called JURISDICTION_URI
has similar semantics but includes the request's scheme and any port
number
+ new index table of variables added to the Technical Documentation
web page
+ new directive: ACS_POST_EXCEPTION_MODE
+ bug fix for handling of -vfs argument (e.g., dacspasswd)
+ bug fix for regmatch() with multiple subexpressions and no namespace arg
+ bug fix: VERBOSE_LEVEL should not increase LOG_LEVEL
+ bug fix: PREDICATE directive in Roles clause
+ bug fix: getsize operation on HTTP types
+ upgrades: openssl-0.9.8k, Apache 2.2.13, OpenLDAP 2.4.17, Samba 3.2.14
* DACS 1.4.22a (20-Mar-09)
+ added CSS for dacs_current_credentials(8)
+ set ACS_CREDENTIALS_LIMIT to 1 as the default
+ added user("mine") variant
+ added ACS_DENIAL_REASON_CREDENTIALS_LIMIT directive
+ fixed potential segfault bug if decode(url, ...) fails, as when
SERVICE_ARGS is truncated
+ data type names used in casts are now case sensitive (they had been case
insensitive, although that was not documented)
+ upgrade to openssl-0.9.8j
(there were some problems with 'make install': Makefiles under the fips
subdirectory did not have INCLUDES set correctly and some manual
intervention was required to complete the build)
+ this release includes preliminary code in support of InfoCards/CardSpace
authentication; this new feature is not fully implemented or documented
in this release, will not work or may not build, and should not be used;
all aspects of this feature are subject to change
+ fixes for parsing of Content-Type MIME headers
+ improvements regarding logging of potentially sensitive information,
lowered priority of most Apache logging messages generated by
mod_auth_dacs
+ upgrade Solaris 10 test platform to OpenSolaris 2008.11/x86 (SunOS 5.11)
* DACS 1.4.22 (7-Jan-09)
+ fixes for possibly buggy jurisdiction listing in dacs_admin(8)
+ added optional public_key to jurisdiction's group_member element
in groups.dtd (used by dacs_admin, dacs_list_jurisdictions, dacsinit)
+ dacskey can now print public and private keys, bug fixes
+ local_apache_auth handles large flat-file passwords (htpasswd) quicker
+ upgrade to OpenSSL 0.9.8i
+ upgrade to OpenLDAP 2.3.43
+ upgrade to Apache 2.2.11
+ upgrade to Samba 3.2.7
+ upgrade to Berkeley DB 4.7.25
+ new functions: strtolower(), strtoupper(), strstr(), strrstr()
+ start to separate DACS independent code into its own library, libdss.a
+ upgrade to docbook-xsl-1.74.0 and consequential minor format processing
changes
+ additional tests for HMAC (FIPS 198-1)
+ added config directive AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS
+ fixes for URI decoding bugs
* DACS 1.4.21 (31-Mar-08)
+ dacs_transform/dacstransform: added expr attribute to insert directive
+ potentially incompatible changes to the UPROXY_APPROVED directive
+ bug fixes for HTTP requests on the (unofficial) Solaris/SPARC platform
+ bug fixes for the SetDACSAuthConf and SetDACSAuthSiteConf directives
used by mod_auth_dacs
+ language extension allows braces to be omitted in variable references
in certain cases as a convenience
+ bug fixes for MIME parsing
+ support for DESTDIR in Makefiles; see
http://www.gnu.org/prep/standards/standards.html#DESTDIR
+ retirement of FreeBSD 4.X, 5.X, 6.X testing platforms,
addition of FreeBSD 7.X (amd64) platform
+ upgrade to OpenSSL 0.9.8g
note: when building it on FreeBSD, it was necessary to specify the
-fPIC flag to its config program
+ upgrade to Samba 3.0.28
+ upgrade to Apache 2.2.8/2.0.63
+ incompatible changes to access control rule processing
o these changes will only affect users of earlier releases who are using
customized access control rules
o the new format preprocesses rules to create an index called INDEX.
The index is an XML file (with syntax acl_index.dtd) located at the root
of each ACL directory structure (e.g., /usr/local/dacs/acls/INDEX)
The dacsacl(1) command should be used to convert from the old format to
the new format:
% dacsacl -convert
Whenever a rule is added, deleted, or modified, dacsacl(1) must always
be run to rebuild the INDEX files:
% dacsacl
this will create new INDEX files or replace any existing ones and
assumes that rules are in the new format
+ incompatible changes and improvements to dacs_admin(8),
bug fixes and minor improvements, including CSS support
+ re-introduction of the authorization caching feature
+ addition of src/dacsinit, a script to initialize a minimal federation
* DACS 1.4.20 (7-Aug-07)
+ important bug fix to local_passwd_authenticate prevents invalid passwords
from being accepted
+ canonicalize the DACS error url (avoiding a redundant acknowledgement
by dacs_notices)
+ added -check argument to dacskey(1) to do cursory key validation
+ bug fix: parsing invalid Content-Type headers
+ bug fix: buffer handling
+ refined and documented dacs_uproxy(8) (not built by default)
+ bug fix: VFS vfs-uri open code
+ new functions: ustamp(), dacs_meta(), dacs_approval()
+ removed deprecated functions: hex_decode(), cescape(), mime_encode(),
mime_decode(), url_encode(), url_decode()
+ third-party support upgrades: Samba 3.0.25b, BerkeleyDB 4.6.18,
OpenLDAP 2.3.37
+ Upgrade to GCC 4.2.1 for development
+ dacs_prenv(8) now sorts list of environment variables
+ assorted corrections to dacs.quick(7)
* DACS 1.4.19 (1-Jul-07)
+ bug fix: -expires date in dacscookie
+ bug fix: dacsvfs(1) must set field separator character properly
+ bug fix: multipart/form-data arguments not handled correctly
+ bug fix: setvar(split, ...) did not handle a trailing null element properly
+ bug fix: after an internal redirect, authorization tests may have been
performed again on the original request URI (or on an empty string
argument) instead of on the new target URI
+ assorted bug fixes for dacsrlink(1)
+ bug fix: ACS_ERROR_HANDLER quoted message error-action was broken
+ bug fix: dacs_list_jurisdictions(8) with FORMAT=TEXT
+ bug fix: minor MIME whitespace parsing error
+ bug fix: fix for long-standing bug in dacs_list_jurisdictions(8) and
dacs_list_jurisdictions.dtd, plus some minor improvements
Attribute renaming:
o attribute 'name' renamed to 'jname' (jurisdiction name)
o attribute 'name' is now the full name of the jurisdiction
o attribute 'public_key' renamed to 'fed_public_key'
o attribute 'public_key' is now the jurisdiction's public key, if known
+ bug fixes and overhaul to dacsexpr(1) command line processing.
Note: some changes are incompatible, though minor
Also:
o a -n flag for syntax checking
o removed -env flag
o improved "batch mode" (non-interactive) operation
o operation as a '#!' script
+ bug fixes for bstring type
+ bug fix: parsing empty blocks, like "if (3) {} print('hi');"
+ bug fix: exec() now sets ${DACS::status} correctly
+ formatting improvements for dacs_conf HTML
+ added expiry element to the concise syntax (an Rlink with an identity
can now be assigned a lifetime)
+ dacscheck(1) can emit a redirection request (-redirect flag)
+ added "create" operation to counter()
+ added -s flag to dacsexpr
+ added optional limit argument to setvar split/regsplit
+ added source() function
+ added syntax() function
+ extended get() argument for consistency
+ extension to setvar()
+ added AUTH_SINGLE_COOKIE directive
+ added '+' modifier flag to variable references
+ removed obsolete manual pages
+ minor improvements to dacscookie(1)
+ ignore expired rules via expires_expr attribute
+ extended ACS_ERROR_HANDLER to evaluate an expression, backward-compatible
changes to syntax, clarified documentation
+ added dacslist(1) command version of dacs_list_jurisdictions
+ change to DACS base-64 encoding character set to make encoded
strings safe in paths (this does not affect Mime base-64 encodings);
NOTE: the change is (temporarily) "mostly" backward compatible in that
the old encoding is still recognized; however, some things could break.
DACS admins should take this opportunity to regenerate federation and
jurisdiction keys; user passwords via local_passwd_authenticate
should also be updated
+ consolidated encoding/decoding functions into encode() and decode(),
and added dacs64 encoding type - see dacs.exprs(5)
NOTE: anyone using the old function names must make the obvious edits to
convert the old names into the new ones; the following functions are
deprecated and will be removed from a future release:
cescape(), hex_decode(), mime_encode(), mime_decode(), url_encode(),
url_decode()
+ new hash() function
+ new transform() and transform_config() functions
+ additional internal PKI support
+ A '#' now introduces a comment in expressions
+ new trim() function
+ added 'z' variable modifier flag
+ extended get() to use 'stdin' item type
+ setvar() extensions (rename, post)
+ changed site.conf defaults for LOG_LEVEL and LOG_FORMAT
+ changes to default log message formats
+ added several new flags to dacspasswd(1) and various improvements
Notes: These changes are backward compatible with existing DACS password
files. Not all of the new features can be accessed through
dacs_passwd(8), dacs_admin(8), etc.
+ revisions to dacs_passwd(8) man page
+ extended password()
+ use of DEFAULT_JURISDICTION environment variable - see dacs(1)
+ extensions to vfs()
+ upgrades: expat-2.0.1, samba-3.0.25a, openldap-2.3.35
+ new functionality for cgiparse(8) (should be backward compatible)
+ bug fixes for http(1), including handling binary content
+ minor I/O processing bug fixes
+ Added DACS_USERNAME to the "url syntax" argument list of
AUTH_SUCCESS_HANDLER.
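The 1.4.19 notes above describe two things about the base-64 change: the new alphabet keeps encoded strings out of trouble in paths, and the decoder temporarily still accepts the old alphabet. The following is an added example, not DACS's encoder; the real dacs64 alphabet is not given on this page, so it uses the RFC 4648 section 5 URL-and-filename-safe alphabet ('-' and '_', no padding) as an assumed stand-in. It shows why standard base64 is unsafe in a path ('/' is a segment separator, '+' and '=' are rewritten by URL handling), and a decoder that accepts either alphabet but refuses to guess when a string mixes them.

```python
"""
Added example, not DACS code: a path-safe base-64 variant plus a decoder
that still accepts the legacy standard alphabet.  The '-'/'_' alphabet is
an assumption standing in for whatever dacs64 actually uses.
"""
import base64
import binascii

# '/' splits path segments; '+' and '=' are mangled by URL and query handling.
PATH_UNSAFE = set("/+=")


def encode_pathsafe(data: bytes) -> str:
    """Standard base64 with '+' -> '-', '/' -> '_' and the '=' padding dropped."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_compat(text: str) -> bytes:
    """Decode either the path-safe alphabet or the legacy standard one.

    The characters that differ between the two alphabets are disjoint, so a
    string is unambiguous unless it mixes them; that case is rejected rather
    than guessed, since guessing silently changes the decoded bytes.
    """
    uses_new = any(c in "-_" for c in text)
    uses_old = any(c in "+/" for c in text)
    if uses_new and uses_old:
        raise ValueError("mixed base64 alphabets")
    body = text.rstrip("=")
    if uses_old:
        body = body.replace("+", "-").replace("/", "_")
    padded = body + "=" * (-len(body) % 4)   # restore padding the encoder dropped
    try:
        return base64.urlsafe_b64decode(padded)
    except binascii.Error as e:
        raise ValueError(f"bad base64: {e}") from e


def is_path_safe(text: str) -> bool:
    """True when the string can sit inside a URL path segment unchanged."""
    return not (PATH_UNSAFE & set(text))


if __name__ == "__main__":
    # Constructed sample: the leading bytes encode to "+/+/", hitting both
    # characters that differ between the alphabets, and the length forces padding.
    sample = b"\xfb\xff\xbf" + b"DACS"
    old = base64.b64encode(sample).decode("ascii")
    new = encode_pathsafe(sample)
    print("standard :", old, "path-safe:", is_path_safe(old))   # +/+/REFDUw== False
    print("path-safe:", new, "path-safe:", is_path_safe(new))   # -_-_REFDUw True
    assert decode_compat(old) == decode_compat(new) == sample
```

The backward-compatibility window the notes describe is what `decode_compat` provides; once keys and stored passwords have been regenerated in the new encoding, the `uses_old` branch can be removed so that a legacy-alphabet string is simply rejected.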
* DACS 1.4.18 (3-Apr-07)
+ bug fixes for building shared library
+ bug fix: conditional expressions could sometimes cause a segfault
+ bug fix: application/x-www-form-urlencoded content type was sometimes
not properly encoded (this broke ampersands in passwords, for example)
+ bug fix: make Args namespace available to configuration processing
+ bug fix: http(1) may write a binary body improperly
+ replaced Configuration.dtd, which seems to have gotten lost, and updated
dacs_conf_reply.dtd
+ added EXPR (-expr) pseudo-module to dacsauth
+ added strptime() function, changes to time()
+ dacs_authenticate now ignores unrecognized web service arguments
+ tools/DACScheck* moved to tools/perl
+ changes to HTTP_AUTH and HTTP_AUTH_ENABLE directives in support of
the new pre-authorization testing HTTP authentication feature;
the changes to these two directives are backward compatible,
but anyone using either directive should review the updated descriptions
+ added -invisible/-visible flags to DACS_ACS argument, with the former
being the new default behaviour
+ minimal support for Java via JNI - see dacs.java(7)
+ upgrade to Apache 2.2.4 and OpenSSL 0.9.8e
+ experimental dacsauth() and dacscheck() functions
note: use with care because they may have reentrancy bugs and may be
relatively heavy memory users
+ added ACS_PRE_AUTH directive
+ added request_match() function
+ added -rlink flag to DACS_ACS (available as ${ARGS::RLINK} in an
ACS_PRE_AUTH expression)
+ added the "n" modifier flag to variables
+ added AUTH_FAIL, ACS_SUCCESS, and ACS_FAIL directives
+ added on_success() function
+ added counter() function
+ minor enhancements to time() function
+ added ability to conditionally include a config directive via undef()
+ minor extensions to acl.dtd for new optional attributes
+ minor experimental addition to acl.dtd (the "identity" element)
+ new var() function
+ new password() function
+ ACL checking extended to look at expires_expr and url_expr attributes
+ new BY_SIMPLE_REDIRECT error code for "pure" redirects
(this can be used with redirect() and a deny clause to create short links)
+ addition of the "Cookies" namespace
+ new "Rlinks" feature - see dacsrlink(1)
+ minor HTML formatting changes for dacs_prenv
+ minor HTML formatting changes for dacs_list_jurisdictions
+ upgrades to Samba 3.0.24, OpenLDAP 2.3.34
* DACS 1.4.17 (8-Feb-07)
+ added new 'simple' style of authentication via local_simple_authenticate
for inherently password-less accounts (note that local_passwd_authenticate
requires a user provided password that cannot be the empty string)
+ bug fix: composing and storing authentication styles in credentials
+ bug fix: bareword not treated as string in some cases
+ bug fix: empty role string from roles module not always handled properly
+ improvements and clarifications to the OPTION Auth/Roles directive,
new OPTION* directive for better run-time adjustments
+ bug fix: file(basename, ...) function
+ new AUTH_SUCCESS directive gives a post-authentication hook
+ clarifications and fixes to LOG_FILTER directive's behaviour
+ bug fix: variable modifier flag parsing
+ updated copyright notices
+ NOTE: six utilities have been renamed for consistency
aclcheck(1) to dacsacl(1),
conf(1) to dacsconf(1),
cookie(1) to dacscookie(1),
mkkey(1) to dacskey(1),
auth_grid(1) to dacsgrid(1),
auth_token(1) to dacstoken(1)
also renamed prenv(8) to dacs_prenv(8)
See dacs(1) for an explanation of the naming convention. The original
names, which may have been confusing or conflicted with non-DACS software,
are temporarily still available via the dacs(1) command. Their manual
pages will be temporarily retained as reminders of the changes.
+ added the unary type cast operator, and sizeof and typeof functions
+ enhancements to the substr() function
+ improved handling of binary data for correct application of url_decode,
mime_decode, and future functions; new "bstring" data type;
new functions: hex_decode, bstring, and cescape
+ added hmac(), digest(), and random() functions
+ documented C-style character and numeric escape codes
+ upgrades to samba-3.0.23d, openldap-2.3.31, docbook-xsl-1.71.1
+ fixed local_pam_auth build bug with shared libraries
+ Auth/Roles/Transfer clause id tags are now case sensitive
+ new COOKIE_HTTPONLY directive
+ new local_ldap_roles module can assign LDAP/ADS roles to any user;
it was previously necessary to authenticate the user through
local_ldap_authenticate to obtain these roles
+ Authorization header parsing using setvar()
+ bug fixes for building shared library
+ minor extensions to dacs_version and its DTD
* DACS 1.4.16 (1-Dec-06)
o bug fix: http_auth_jurisdiction variable didn't set DACS_JURISDICTION
o bug fixes for building DACS with Samba on Linux
o bug fixes for building DACS with Samba on Solaris 8 (-lresolv)
o new authentication module, local_http_authenticate
(used to authenticate against a Google account, for instance)
o bug fix for dacs_conf(8) and conf(1) where closing Roles tag may be
omitted in XML and HTML output; CSS fix
o upgrade to OpenSSL 0.9.8d
o upgrade to Berkeley DB 4.5.20
o fixes to configure.ac: --disable-... flags, --with-iconv processing
o added DACS_IDENTITY and DACS_CONCISE_IDENTITY environment variables
(useful with dacscheck)
o fix to Auth clause's INIT* directive to propagate ${Auth::CURRENT_USERNAME}
o prototype distributed generation of user info records (login/logout/access
events), written to "user_info" VFS type (--enable-user-info)
o minor VFS enhancements and bug fixes (file locking, append mode)
o bug fix: backslashes within strings were not always handled consistently,
especially two consecutive backslashes; this fix could possibly break some
existing strings that contain multiple consecutive backslashes
o build DACScheck.pm and install it in .../dacs/lib/perl
o additional test cases
o fixes for secure -aux prompting by dacsauth
o added -vfs flag to dacspasswd to specify alternate password file
o minor improvements to revocation list processing, including account
disabling
o built-in versions of roles modules, fixes for enabling/disabling roles
modules by 'configure'
o minor build enhancements and simplifications
o fixes and improvements for local_pam_authenticate, which now appears
to work
o added variables to the Conf namespace (such as DACS_SITE_CONF and
OPENSSL_PROG) and renamed some for consistency (such as SITE_CONF_SPEC to
DACS_SITE_CONF_SPEC)
o added ${<namespace>::#} syntax to return the number of variables in
a namespace
o bug fixes and enhancements for setvar()
o minor changes to http(1)
o minor changes to subset() and contains_any() functions
o setvar() function:
+ incompatible syntactical changes
+ new operators: copy, delete, load/loadi, regsplit/split
o user() function addition of "namespace" operator
o redirect() function takes an optional error name or code
o bug fixes: CREDENTIALS_LIFETIME_SECS was ignored by some auth modules
* DACS 1.4.15 (1-Oct-06)
- upgrades to Apache 2.0.59 and Apache 2.2.3
- upgrades to Samba 3.0.23c, OpenSSL 0.9.8c, and OpenLDAP 2.3.27
- minor bug fixes to dacs_conf(8), conf(1), dacsauth(1), dacscheck(1),
and dacssched(1)
- renamed html/examples/login.html to html/examples/slogin.html and added
html/examples/login.html, a JavaScript version of login.php
- new authentication module to provide software-based, one-time passwords;
see auth_grid(1)
- new authentication module to support one-time password token devices;
see auth_token(1)
- new dacs_autologin_ssl(8) web service for automagic SSL login
- PASSWORD_MINIMUM_LENGTH, PASSWORD_NEEDS_MIXED_CASE,
PASSWORD_NEEDS_PUNCTUATION, and PASSWORD_NEEDS_DIGITS directives have been
removed - use PASSWORD_CONSTRAINTS; PASSWORD_AUDIT is now an Auth clause
directive instead of a general directive
- added --with-cgi-suffix flag to configure
- extended syntax for ACS_ERROR_HANDLER directive (the optional url_pattern
element)
- fixed local_cert_authenticate bug
- minor corrections and updates for autologin(8)
- incompatible improvements and simplifications have been made to
dacs_auth_transfer(8):
o eliminated directives: AUTH_TRANSFER_ERROR_URL,
AUTH_TRANSFER_IMPORT_URL, and AUTH_TRANSFER_SUCCESS_URL
o eliminated VFS item types: auth_transfer_imports, auth_transfer_exports,
and auth_transfer_cookies item types
o added directive: AUTH_TRANSFER_EXPORT
o added: Transfer clause and new directives to dacs.conf
* DACS 1.4.14 (1-Aug-06)
- bug fixes, minor enhancements, and documentation improvements, including:
o upgrade to openldap-2.3.24
o upgrade to samba-3.0.23
o added rule() predicate, which exposes the rule processing engine
to expressions
o http command redirect handling
o new configuration directives (see dacs.conf(5)):
PASSWORD_AUDIT, PASSWORD_CONSTRAINTS (replaces PASSWORD_MINIMUM_LENGTH,
PASSWORD_NEEDS_MIXED_CASE, PASSWORD_NEEDS_PUNCTUATION, and
PASSWORD_NEEDS_DIGITS directives), VERIFY_UA, UNAUTH_ROLES,
ACS_CREDENTIALS_LIMIT
o added ROLE_STRING_MAX_LENGTH directive and improved role string
error logging
o boolean value conversion fixes
o improved request tracking of unauthenticated users
- new features:
o added dacs_transform, a prototype web service to demonstrate how the
DACS rule processing engine can be applied to document transformations
o added dacstransform, a command analog to dacs_transform
o added dacssched, a prototype command to demonstrate how the DACS rule
processing engine can be applied to scheduling command execution
* DACS 1.4.13 (1-Jun-06)
- bug fixes, minor enhancements, and documentation improvements, including:
o port to Apache 2.2
requires --with-apache-apr flag when DACS is configured
o upgrade to Apache 2.0.58, Apache 2.2.2
o upgrade to openssl-0.9.8b
o minor changes to DACS license to clarify redistribution & repackaging
o new predicates file_owner() and file_group()
o completed and documented vfs() function
o added ${DACS::IDENTITY} variable
o fixed expression evaluation bug causing incorrect True/False result
from return/exit function
o fixed expression syntax bug when statement follows a brace-delimited
block: if (expr) { ... } statement
o fixed several expression parsing and evaluation bugs
o added 100+ initial expression test cases ("make tests")
o added NIST HMAC test vector tests
("make tests" or "make crypto; ./crypto")
o SSL library buffer management bug fix (affects http and sslclient)
- new authentication features, including:
o dacsauth, an initial version of a command line authentication program
o new authentication module, local_cas_authenticate, for authenticating
through the Central Authentication Service (CAS)
(http://www.ja-sig.org/products/cas/index.html)
* DACS 1.4.12 (1-May-06)
- bug fixes, minor enhancements, and documentation improvements, including:
o added -ssl-flags argument to http(1)
o bug fix re COMPAT_MODE and old cookie name format
o bug fix re LOG_SENSITIVE directive
o bug fix re selection of "audit" log messages by LOG_FILTER
o minor fixes and improvements to dacscred and its documentation
o added tools/DACScheck.pm
o sslclient bug fixes
o clarification of regsub() behaviour
o bug fix for rule matching where Jurisdiction uri attribute ends in a slash
o new check for precondition element error
o fixes for Solaris 10 x86 platform
o bug fix re: <user name="any"/>
o minor improvements to http, including following redirects
o minor improvements to mkkey and its documentation
o properly ignore disabled rules
o upgrade to Samba 3.0.22
o upgrade to OpenLDAP 2.3.21
- new authentication features, including:
o the ability to authenticate against Apache htpasswd and htdbm files
using any DACS password-oriented authentication module
o an internal implementation of RFC 2617 HTTP Basic Authentication
supporting authentication by any password-oriented DACS authentication
module
o an internal implementation of RFC 2617 HTTP Digest Authentication for
authenticating against Apache htdigest files
o built-in versions of authentication modules can be selected - see
dacs_authenticate(8)
o see dacs_acs(8) and dacs_authenticate(8)
- incompatible change to dacs_auth_agent local mode name mapping for
improved usability - see dacs_auth_agent(8)
- configuration processing fixes and documentation clarifications
* DACS 1.4.11 (8-Mar-06)
- many minor bug fixes and documentation improvements
- new cross-federation identity transfer capability: dacs_auth_transfer
- improvements and important extensions to user() predicate to handle
multiple credentials correctly; compatible except that the optional MODE
argument is now part of the string argument instead of being a separate
argument. The ACL user_list's user element inherits these improvements.
- expression evaluation fixes and improvements
- fixes for 64-bit architecture
- minor changes to revocation list processing
- uri_expr attribute added to Jurisdiction element (dacs_conf_reply.dtd)
- dacs_url template expansion by dacs_list_jurisdictions
- string interpolation enhancements (%u, %s, %U)
- ability to reference Args namespace during config processing
- DTD change: dacs_current_credentials.dtd
- to aid in debugging, dacs_current_credentials can optionally return
additional detail (by default, limited to privileged users)
- ACL changes: acl-current-credentials.0, acl-dacs.0, acl-auth-transfer.0
- moved dacs.quick(5) to dacs.quick(7)
Suggestion:
% rm -f /usr/local/dacs/man/man5/dacs.quick.5
% rm -f /usr/local/dacs/man/cat5/dacs.quick.5.gz
- Cookie naming format change to align with DACS names.
The change is that a second colon follows the <federation_name>.
This also affects NAT cookie names, which are not DACS cookies per se.
- Mostly backward-compatible changes to the Jurisdiction section matching
algorithm in dacs.conf, improved documentation
The uri attribute can now include a simple hostname pattern (e.g.,
uri=*.fedroot.com) and a port number (fedroot.com:8080 and fedroot.com:8081
can now be different jurisdictions). Hostname matching is case-insensitive
but URI path matching is still case-sensitive and is done path
segment-by-segment rather than as a simple string compare.
NB: this could potentially break some configuration files
Note that if you use ports in the uri=, you may need to change
the -u flag (e.g., in httpd.conf or ssl.conf) to add the port.
See "The Jurisdiction Section" in dacs.conf(5).
- bug fix: "sensitive" log messages could incorrectly be emitted
- bug fix: dacs_version/dacsversion didn't emit detailed version info
for shared libraries (fix is to always link them statically)
- bug fix: dacscred always wanted to use SSL
- many build and install fixes for Solaris 8
- added 'touch' target to man/Makefile in case make thinks it needs
to regenerate documentation when it really doesn't
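The revised Jurisdiction uri= matching rules above (case-insensitive hostname pattern, optional port, case-sensitive path compared segment by segment) as an added illustrative matcher; this is example code, not DACS's own implementation. It assumes a uri= value has the shape host-pattern[:port][/path-prefix], that an omitted port or path matches any, that "*" is a shell-style wildcard, and that the path prefix must match whole segments.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_uri_attr(uri: str):
    """Split a uri= attribute into (host_pattern, port_or_None, path_segments).

    Assumed layout: host-pattern[:port][/path-prefix], e.g. "*.fedroot.com",
    "fedroot.com:8080" or "fedroot.com/cgi-bin/dacs/". A trailing slash is
    harmless because empty segments are dropped.
    """
    hostport, _, path = uri.partition("/")
    host, _, port = hostport.partition(":")
    segments = [s for s in path.split("/") if s]
    return host.lower(), (int(port) if port else None), segments


def jurisdiction_matches(uri_attr: str, request_url: str) -> bool:
    """True if request_url falls within the jurisdiction described by uri_attr."""
    pat_host, pat_port, pat_segs = parse_uri_attr(uri_attr)
    req = urlsplit(request_url)
    req_host = (req.hostname or "").lower()
    # Default ports for the scheme when the request URL carries none (assumption).
    req_port = req.port or (443 if req.scheme == "https" else 80)
    req_segs = [s for s in req.path.split("/") if s]

    # Hostname: case-insensitive, simple wildcard pattern such as *.fedroot.com.
    if not fnmatchcase(req_host, pat_host):
        return False
    # Port: only compared when the pattern names one, so :8080 and :8081
    # can be distinct jurisdictions while a port-less pattern matches both.
    if pat_port is not None and pat_port != req_port:
        return False
    # Path: case-sensitive, whole-segment prefix compare, so a pattern of
    # /cgi-bin/dacs matches /cgi-bin/dacs/foo but not /cgi-bin/dacsfoo.
    return req_segs[: len(pat_segs)] == pat_segs


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real deployment.
    print(jurisdiction_matches("*.fedroot.com", "https://WWW.Fedroot.com/cgi-bin/dacs/x"))
    print(jurisdiction_matches("fedroot.com:8080", "http://fedroot.com:8081/"))
```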
* DACS 1.4.10 (26-Jan-06)
- added -D as a dacsoption flag - see dacs(1)
- optional LOG_FORMAT directive added, LOG_FEDERATION_NAME removed
(note: remove the latter from configuration files)
- optional SSL_PROG_ARGS directive added
- initial implementation of experimental COMPAT_MODE directive
to prevent DACS 1.2 credentials from being discarded
- implemented missing assignment operators (+=, -=, etc.) and
pre/post inc/dec operators for integer variables
- a default namespace ("Temp") is now allowed as a convenience:
${foo} = 17 is equivalent to ${Temp::foo} = 17
This can be disabled, or the name changed, at compile time
- added a PHP example to dacscheck(1)
- added if/elseif/else statement, comma operator
- added expression testing framework to dacsexpr(1) (see its -et flag)
- added -uj and -us dacsoptions flags for convenience
- extensions to the VERIFY_IP directive
- upgrades to expat-2.0.0, BerkeleyDB 4.4.20, samba-3.0.21a, openldap-2.3.18
- added STATUS_LINE directive and -status_line/-no_status_line DACS_ACS flags
* DACS 1.4.9 (19-Dec-05)
- many bug fixes and documentation revisions and improvements
- fixes and improvements to the dacscheck(1) command and its man page
- fixes to autologin and exec() function
- fixes to local_roles, local_unix_roles, and dacs_authenticate
- added the Env namespace
- fixes to dacs_notices and its man page
- fixes to the virtual filestore and its documentation
- added --with-apache=omit (see INSTALL)
- added ability to select case sensitive/insensitive comparison of
federation/jurisdiction/usernames. See docs for the new NAME_COMPARE
directive and the revised user() predicate.
A consequence of this change is that accounts created by dacspasswd
are now lowercase names; otherwise case-insensitive comparisons will
consider "Bob" and "bob" equivalent. Some such existing accounts will
become inaccessible if the admin changes to case-insensitive names.
- added DACS-Status-Line with -check_only and -check_fail flags; see
dacs_acs(1)
- changes to dacs_acs.dtd
* DACS 1.4.8 (18-Nov-05)
- many bug fixes and documentation revisions and improvements
- new dacscheck(1) command
- changes to various DTDs and default ACLs
- extensions to DACS names and the user() predicate
- upgraded to OpenSSL 0.9.8a
- new configuration directives for password constraints
- re-enabled permit_chaining and added new PERMIT_CHAINING directive
- changes/fixes to authentication failure delay handling
- fixes for Cygwin
* DACS 1.4.7 (20-Oct-05)
- many bug fixes and documentation revisions
- some log entries now include a "session tracking identifier"
- sensible https/SSL defaults for the http command
- new dacs_auth_agent web service
- replacement of Store clause with VFS configuration directive
Note: this may require revisions to dacs.conf and site.conf
- added version header/footer lines to HTML man pages
- important bug fixes for local_ntlm_authenticate and local_ldap_authenticate
- upgrades to samba-3.0.20a, openldap-2.2.26, docbook-xsl-1.69.1,
openssl-0.9.7i, Apache 2.0.55
- new delegated ACLs feature
- aclcheck now also checks the revocation list
- reworking of the former "url" virtual filestore type (now called "vfs")
- http/https URI schemes are supported by the new VFS directive
* DACS 1.4.6 (19-Sep-05)
- many bug fixes and documentation revisions
- initial version of dacs_notices
- initial version of dacscred
- changes to dacs_acs DACS_ACS argument
- logging enhancements, including support for syslog(3)
* DACS 1.4.5 (17-Aug-05)
- many bug fixes (including some important ones) and revised documentation
- acs_expr is now dacsexpr, with some new functions
- upgrade to openssl-0.9.7g, with preparations for openssl-0.9.8
- initial development of the new dacs_notices service (not yet complete)
- continued development of dynamically loadable functions (not yet complete)
* DACS 1.4.4 (20-Jun-05)
- many bug fixes
- the Quick Start tutorial
- continued development of the dacs_admin service (not yet complete)
* DACS 1.4.3 (27-May-05)
- Upgrade to Apache 2.0.54
* sslclient client is now installed as a DACS utility and used in
place of stunnel. Manual page added for sslclient(1).
Stunnel is no longer required.
The SSL_PROG directive in dacs.conf must be changed to something like
SSL_PROG "/usr/local/dacs/bin/sslclient"
* ACL filename syntax change
Enabled rules must begin with "acl-" and disabled rules must begin
with "disabled-acl-". All other files and directories are ignored.
- an ACL's "service" element can supply an expression
("url_expr") instead of a simple string ("url_pattern"). One of the two
attributes must be given, but not both. If a url_expr is given, it
is evaluated at the time an ACL is matched against a request; if no error
occurs, the resulting non-empty string is used instead of url_pattern
and has the same semantics as url_pattern. Evaluation errors are fatal.
The standard set of DACS ACLs (acls/acl-*) no longer have a URL path
prefix built into them. They have been changed to use url_expr attributes
that interpolate either of two new configuration variables, defined in
conf/site-conf.std:
EVAL ${Conf::dacs_cgi_bin_prefix} = "/cgi-bin/dacs"
EVAL ${Conf::dacs_htdocs_prefix} = ""
Refer to the standard DACS ACLs to see the obvious revisions.
Administrators can, of course, define similar prefixes for ACLs in their
site/federation/jurisdictions, making prefix changes simple.
- local_cert_authenticate added; see dacs_authenticate(1)
* DACS 1.4.2 (14-Apr-05)
- Added support for LDAP and Microsoft ADS based authentication
- improved man pages
- minor bug fixes
- minor changes:
o new and renamed DACS expression functions, including ldap name parsing
o if -v and --version are given, also print module version stamps
o an initial version of WWW-Authenticate/Authorization header handling
(ACS can respond with or accept RFC 2617 headers)
o added "ndbm" storage method (includes gdbm in compatibility mode)
o added missing C/C++ bit operators for DACS expressions
* DACS 1.4.1 (16-Mar-05)
- Added support for Microsoft NTLM authentication
- Added "bundle=yes" argument to make to build a "dacs" command
- improved man pages
- many minor bug fixes
* DACS 1.4.0 (14-Feb-05)
- Second open source version, based on DACS 1.3.2 functionality
$Id: HISTORY 2650 2013-03-01 18:54:10Z brachman $