* DACS 1.4.27b (19-Mar-12) + upgrades: OpenSSL 1.0.0h, SQLite 3.7.10, Samba 3.6.3, Apache 2.2.22, OpenLDAP 2.4.29 + minor fixes to misc/Makefile.in + use appropriate apr-config command to get Apache APR include flags + added OpenLDAP Public License (Version 2.8) to NOTICES to facilitate inclusion of OpenLDAP code for Debian GNU/Linux support + added OpenLDAP ldif.h and ldif.c to simplify build and allow installed OpenLDAP headers and libraries to be used + mod_auth_dacs now recognizes the "wsgi-script" executable type * DACS 1.4.27 (16-Jan-12) + upgrades: OpenSSL 1.0.0f, BerkeleyDB 5.3.15, SQLite 3.7.9, Samba 3.6.1, OpenLDAP 2.4.28, libxml 2.7.8, xmlsec 1.2.18 + fixes and extensions to HTTP_AUTH, dacsauth(1), and the dacsauth() function and their documentation; the syntax of the HTTP_AUTH directive has been modified (the -url flag was removed) and is not backward compatible in some instances + upgrade and fixes for Mac OS X 10.7.2 (Lion) platform * DACS 1.4.26 (30-Sep-11) + upgrades: Apache 2.2.21, Readline 6.2, Samba 3.6.0, OpenSSL-1.0.0e, OpenLDAP-2.4.26, xmlsec1-1.2.18, libxml2-2.7.8 + extensions to HTTP_AUTH, dacsauth(1), and the dacsauth() function to return role information + bug fixes to local_passwd_authenticate and build/configuration procedure + Solaris/OpenSolaris no longer an officially supported platform + initial OAuth support + additional crypto support and self-tests + updated copyright notices * DACS 1.4.25 (23-Jun-10) + VFS support for SQLite 3.6.23.1 + added "user_sufficient" authentication control + fixes and improvements to PAM-based authentication (see dacs_authenticate(8)) + upgrades: BerkeleyDB 5.0.21, Apache 2.2.15, Readline 6.1, Samba 3.5.3, openssl-1.0.0a, openldap-2.4.21, xmlsec1-1.2.16, libxml2-2.7.7 note: DACS will no longer build against earlier releases of Samba note: it was necessary to rebuild xmlsec1 against OpenSSL 1.0.0 note: changes made in OpenSSL 0.9.8[mno] are incompatible with DACS; do not use them with DACS + XML bug fix 
for dacs_select_credentials and minor (though incompatible) change to its DTD (dacs_select_credentials.dtd) + bug fixes: URL parsing, VFS rename, dacstransform/dacs_transform, function argument type conversion + initial, partial support for JSON output + minor additions to syntax() function + dacsemail(1) + added debug_xxx debug flag file mechanism + bug fix: the syntax of the id attribute of an Auth/Roles/Transfer clause should be restricted to an alphabetic followed by zero or more alphanumerics, hyphens, and underscores + upgrade: Mac OS X 10.6.4 (x86) platform + added RFC 4231 HMAC test vectors + added -with-apache-apr-includes build flag + many fixes and improvements to OTP token support in dacstoken; new dacs_token web service; new support for time-based OTP tokens (TOTP); incompatible changes to token account format and command line flags + persistent font change capability for HTML manual pages + additional build configuration flags for Apache special cases (e.g., --with-apache-apr-cpp-defs) + internal improvements: mutual exclusion locking, shared memory segments (not available on some platforms) + Rlinks, dacsrlink: several important bug fixes + undocumented dacs_complete word/string completion service (see complete.c) * DACS 1.4.24 (8-Jan-10) + this release subsumes 1.4.23[ab], with additional bug fixes + upgrades: xmlsec1-1.2.14 + support for FreeBSD 8.X (amd64) platform * DACS 1.4.23b (10-Nov-09) + several low-level bugs + added --enable-dump command line argument + Initial support for the Mac OS X 10.6 on x86 platform o if building OpenSSL, you may need to specify the 64-bit architecture because its configuration appears to default to 32 bits; use e.g., /usr/bin/perl ./Configure darwin64-x86_64-cc \ --prefix=/usr/local/openssl-0.9.8l \ --openssldir=/usr/local/openssl-0.9.8l shared o default owner/group of installed DACS files is "_www"; this should robably agree with your Apache's httpd.conf settings for User/Group + upgrades: openssl-0.9.8l * DACS 
1.4.23a (14-Oct-09) + new InfoCard directives: INFOCARD_STS_RP_ENDPOINT, INFOCARD_TOKEN_MAX_LENGTH, INFOCARD_TOKEN_DRIFT_SECS + new general directives: ACS_TRACK_ACTIVITY, ACS_INACTIVITY_LIMIT_SECS + enhancements to dacs_current_credentials, including ability to report last sign on and active sign ons; note: semi backward compatible changes to dacs_current_credentials.dtd + upgrades: Apache 2.2.14, Samba 3.2.15, BerkeleyDB 4.8.24, GNU Readline 6.0, libxml2-2.7.6, xmlsec1-1.2.13 + Bug fixes: o dacs_version/dacsversion: reporting InfoCard enabled o low-level database bug could cause random crashes * DACS 1.4.23 (10-Sep-09), DACS 1.4.22[b-j] (3-Sep-09) + initial support for self-issued and managed InfoCards: o added --enable-infocard-auth and --with-xmlsec1-config build flags o review README in the distribution's infocards directory o review dacs_infocard(8), dacsinfocard(1), dacs_managed_infocard(8), dacs_mex(8), dacs_sts(8), dacs_authenticate(8), dacs.conf(5), dacs.install(7), and "Using InfoCards With DACS" o an additional Apache directive is now expected by the default config: Alias /infocards "/usr/local/dacs/www/infocards/" New installation directory /usr/local/dacs/www/infocards contains some default public files and possibly some private (ACL-controlled) subdirectories o this is a work in progress - everything is subject to change + reintroduction of dacs_select_credentials - review dacs_select_credentials(8) + special effective url pattern "*" - see dacs.acls(5) + extensions to index() + fixed elapsed time calculation + eliminated potential extraneous semi-colon when zapping DACS cookies + the variable previously called JURISDICTION_URI is now called JURISDICTION_URI_PREFIX and a new variable called JURISDICTION_URI has similar semantics but includes the request's scheme and any port number + new index table of variables added to the Technical Documentation web page + new directive: ACS_POST_EXCEPTION_MODE + bug fix for handling of -vfs argument (e.g., 
dacspasswd) + bug fix for regmatch() with multiple subexpressions and no namespace arg + bug fix: VERBOSE_LEVEL should not increase LOG_LEVEL + bug fix: PREDICATE directive in Roles clause + bug fix: getsize operation on HTTP types + upgrades: openssl-0.9.8k, Apache 2.2.13, OpenLDAP 2.4.17, Samba 3.2.14 * DACS 1.4.22a (20-Mar-09) + added CSS for dacs_current_credentials(8) + set ACS_CREDENTIALS_LIMIT to 1 as the default + added user("mine") variant + added ACS_DENIAL_REASON_CREDENTIALS_LIMIT directive + fixed potential segfault bug if decode(url, ...) fails, as when SERVICE_ARGS is truncated + data type names used in casts are now case sensitive (they had been case insensitive, although that was not documented) + upgrade to openssl-0.9.8j (there were some problems with 'make install': Makefiles under the fips subdirectory did not have INCLUDES set correctly and some manual intervention was required to complete the build) + this release includes preliminary code in support of InfoCards/CardSpace authentication; this new feature is not fully implemented or documented in this release, will not work or may not build, and should not be used; all aspects of this feature are subject to change + fixes for parsing of Content-Type MIME headers + improvements regarding logging of potentially sensitive information, lowered priority of most Apache logging messages generated by mod_auth_dacs + upgrade Solaris 10 test platform to OpenSolaris 2008.11/x86 (SunOS 5.11) * DACS 1.4.22 (7-Jan-09) + fixes for possibly buggy jurisdiction listing in dacs_admin(8) + added optional public_key to jurisdiction's group_member element in groups.dtd (used by dacs_admin, dacs_list_jurisdictions, dacsinit) + dacskey can now print public and private keys, bug fixes + local_apache_auth handles large flat-file passwords (htpasswd) quicker - upgrade to OpenSSL 0.9.8i - upgrade to OpenLDAP 2.3.43 - upgrade to Apache 2.2.11 - upgrade to Samba 3.2.7 - upgrade to Berkeley DB 4.7.25 - new functions: 
strtolower(), strtoupper(), strstr(), strrstr() - start to separate DACS independent code into its own library, libdss.a - upgrade to docbook-xsl-1.74.0 and consequential minor format processing changes - additional tests for HMAC (FIPS 198-1) - added config directive AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS - fixes for URI decoding bugs * DACS 1.4.21 (31-Mar-08) + dacs_transform/dacstransform: added expr attribute to insert directive + potentially incompatible changes to the UPROXY_APPROVED directive + bug fixes for HTTP requests on the (unofficial) Solaris/SPARC platform + bug fixes for the SetDACSAuthConf and SetDACSAuthSiteConf directives used by mod_auth_dacs + language extension allows braces to be omitted in variable references in certain cases as a convenience + bug fixes for MIME parsing + support for DESTDIR in Makefiles; see http://www.gnu.org/prep/standards/standards.html#DESTDIR + retirement of FreeBSD 4.X, 5.X, 6.X testing platforms, addition of FreeBSD 7.X (amd64) platform + upgrade to OpenSSL 0.9.8g note: when building it on FreeBSD, it was necessary to specify the -fPIC flag to its config program + upgrade to Samba 3.0.28 + upgrade to Apache 2.2.8/2.0.63 + incompatible changes to access control rule processing o these changes will only affect users of earlier releases who are using customized access control rules o the new format preprocesses rules to create an index called INDEX. 
The index is an XML file (with syntax acl_index.dtd) located at the root of each ACL directory structure (e.g., /usr/local/dacs/acls/INDEX) The dacsacl(1) command should be used to convert from the old format to the new format: % dacsacl -convert Whenever a rule is added, deleted, or modified, dacsacl(1) must always be run to rebuild the INDEX files: % dacsacl this will create new INDEX files or replace any existing ones and assumes that rules are in the new format + incompatible changes and improvements changes to dacs_admin(8), bug fixes and minor improvements, including CSS support + re-introduction of the authorization caching feature + addition of src/dacsinit, a script to initialize a minimal federation * DACS 1.4.20 (7-Aug-07) + important bug fix to local_passwd_authenticate prevents invalid passwords from being accepted + canonicalize the DACS error url (avoiding a redundant acknowledgement by dacs_notices) + added -check argument to dacskey(1) to do cursory key validation + bug fix: parsing invalid Content-Type headers + bug fix: buffer handling + refined and documented dacs_uproxy(8) (not built by default) + bug fix: VFS vfs-uri open code + new functions: ustamp(), dacs_meta(), dacs_approval() + removed deprecated functions: hex_decode(), cescape(), mime_encode(), mime_decode(), url_encode(), url_decode() + third-party support upgrades: Samba 3.0.25b, BerkeleyDB 4.6.18, OpenLDAP 2.3.37 + Upgrade to GCC 4.2.1 for development + dacs_prenv(8) now sorts list of environment variables + assorted corrections to dacs.quick(7) * DACS 1.4.19 (1-Jul-07) + bug fix: -expires date in dacscookie + bug fix: dacsvfs(1) must set field separator character properly + bug fix: multipart/form-data arguments not handled correctly + bug fix: setvar(split, ...) 
did not handle a trailing null element properly + bug fix: authorization tests after an internal redirect may have been performed on the request URI again instead of the new target URI or an empty string argument + assorted bug fixes for dacsrlink(1) + bug fix: ACS_ERROR_HANDLER quoted message error-action was broken + bug fix: dacs_list_jurisdictions(8) with FORMAT=TEXT + bug fix: minor MIME whitespace parsing error + bug fix: fix for long-standing bug in dacs_list_jurisdictions(8) and dacs_list_jurisdictions.dtd, plus some minor improvements Attribute renaming: o attribute 'name' renamed to 'jname' (jurisdiction name) o attribute 'name' is now the full name of the jurisdiction o attribute 'public_key' renamed to 'fed_public_key' o attribute 'public_key' is now the jurisdiction's public key, if known + bug fixes and overhaul to dacsexpr(1) command line processing. Note: some changes are incompatible, though minor Also: o a -n flag for syntax checking o removed -env flag o improved "batch mode" (non-interactive) operation o operation as a '#!' 
script + bug fixes for bstring type + bug fix: parsing empty blocks, like "if (3) {} print('hi');" + bug fix: exec() now sets ${DACS::status} correctly + formatting improvements for dacs_conf HTML + added expiry element to the concise syntax (an Rlink with an identity can now be assigned a lifetime) + dacscheck(1) can emit a redirection request (-redirect flag) + added "create" operation to counter() + added -s flag to dacsexpr + added optional limit argument to setvar split/regsplit + added source() function + added syntax() function + extended get() argument for consistency + extension to setvar() + added AUTH_SINGLE_COOKIE directive + added '+' modifier flag to variable references + removed obsolete manual pages + minor improvements to dacscookie(1) + ignore expired rules via expires_expr attribute + extended ACS_ERROR_HANDLER to evaluate an expression, backward-compatible changes to syntax, clarified documentation + added dacslist(1) command version of dacs_list_jurisdictions + change to DACS base-64 encoding character set to make encoded strings safe in paths (this does not affect Mime base-64 encodings); NOTE: the change is (temporarily) "mostly" backward compatible in that the old encoding is still recognized, however some things could break DACS admins should take this opportunity to regenerate federation and jurisdiction keys; user passwords via local_passwd_authenticate should also be updated + consolidated encoding/decoding functions into encode() and decode(), and added dacs64 encoding type - see dacs.exprs(5) NOTE: anyone using the old function names must make the obvious edits to convert the old names into the new ones; the following functions are deprecated and will be removed from a future release: cescape(), hex_decode(), mime_encode(), mime_decode(), url_encode(), url_decode() + new hash() function + new transform() and transform_config() functions + additional internal PKI support + A '#' now introduces a comment in expressions + new trim() 
function + added 'z' variable modifier flag + extended get() to use 'stdin' item type + setvar() extensions (rename, post) + changed site.conf defaults for LOG_LEVEL and LOG_FORMAT + changes to default log message formats + added several new flags to to dacspasswd(1) and various improvements Notes: These changes are backward compatible with existing DACS password files. Not all of the new features can be accessed through dacs_passwd(8), dacs_admin(8), etc. + revisions to dacs_passwd(8) man page + extended password() + use of DEFAULT_JURISDICTION environment variable - see dacs(1) + extensions to vfs() + upgrades: expat-2.0.1, samba-3.0.25a, openldap-2.3.35 + new functionality for cgiparse(8) (should be backward compatible) + bug fixes for http(1), including handling binary content + minor I/O processing bug fixes + Added DACS_USERNAME to the "url syntax" argument list of AUTH_SUCCESS_HANDLER. * DACS 1.4.18 (3-Apr-07) + bug fixes for building shared library + bug fix: conditional expressions could sometimes cause a segfault + bug fix: application/x-www-form-urlencoded content type was sometimes not properly encoded (this broke ampersands in passwords, for example) + bug fix: make Args namespace available to configuration processing + bug fix: http(1) may write a binary body improperly + replaced Configuration.dtd, which seems to have gotten lost, and updated dacs_conf_reply.dtd + added EXPR (-expr) pseudo-module to dacsauth + added strptime() function, changes to time() + dacs_authenticate now ignores unrecognized web service arguments + tools/DACScheck* moved to tools/perl + changes to HTTP_AUTH and HTTP_AUTH_ENABLE directive in support of the new pre-authorization testing HTTP authentication feature; the changes to these two directives are backward compatible, but anyone using either directives should review the updated descriptions + added -invisible/-visible flags to DACS_ACS argument, with the former being the new default behaviour + minimal support for Java 
via JNI - see dacs.java(7) + upgrade to Apache 2.2.4 and OpenSSL 0.9.8e + experimental dacsauth() and dacscheck() functions note: use with care because they may have reentrancy bugs and may be relatively heavy memory users + added ACS_PRE_AUTH directive + added request_match() function + added -rlink flag to DACS_ACS (available as ${ARGS::RLINK} in ACS_PRE_AUTH expression + added the "n" modifier flag to variables + added AUTH_FAIL, ACS_SUCCESS, and ACS_FAIL directives + added on_success() function + added counter() function + minor enhancements to time() function + added ability to conditionally include a config directive via undef() + minor extensions to acl.dtd for new optional attributes + minor experimental addition to acl.dtd (the "identity" element) + new var() function + new password() function + ACL checking extended to look at expires_expr and url_expr attributes + new BY_SIMPLE_REDIRECT error code for "pure" redirects (this can be used with redirect() and a deny clause to create short links) + addition of the "Cookies" namespace + new "Rlinks" feature - see dacsrlink(1) + minor HTML formatting changes for dacs_prenv + minor HTML formatting changes for dacs_list_jurisdictions + upgrades to Samba 3.0.24, OpenLDAP 2.3.34 * DACS 1.4.17 (8-Feb-07) + added new 'simple' style of authentication via local_simple_authenticate for inherently password-less accounts (note that local_passwd_authenticate requires a user provided password that cannot be the empty string) + bug fix: composing and storing authentication styles in credentials + bug fix: bareword not treated as string in some cases + bug fix: empty role string from roles module not always handled properly + improvements and clarifications to the OPTION Auth/Roles directive, new OPTION* directive for better run-time adjustments + bug fix: file(basename, ...) 
function + new AUTH_SUCCESS directive gives a post-authentication hook + clarifications and fixes to LOG_FILTER directive's behaviour + bug fix: variable modifier flag parsing + updated copyright notices + NOTE: six utilities have been renamed for consistency aclcheck(1) to dacsacl(1), conf(1) to dacsconf(1), cookie(1) to dacscookie(1), mkkey(1) to dacskey(1), auth_grid(1) to dacsgrid(1), auth_token(1) to dacstoken(1) also renamed prenv(8) to dacs_prenv(8) See dacs(1) for an explanation of the the naming convention. The original names, which may have been confusing or conflicted with non-DACS software, are temporarily still available via the dacs(1) command. Their manual pages will be temporarily retained as reminders of the changes. + added the unary type cast operator, and sizeof and typeof functions + enhancements to the substr() function + improved handling of binary data for correct application of url_decode, mime_decode, and future functions; new "bstring" data type; new functions: hex_decode, bstring, and cescape + added hmac(), digest(), and random() functions + documented C-style character and numeric escape codes + upgrades to samba-3.0.23d, openldap-2.3.31, docbook-xsl-1.71.1 + fixed local_pam_auth build bug with shared libraries + Auth/Roles/Transfer clause id tags are now case sensitive + new COOKIE_HTTPONLY directive + new local_ldap_roles module can assign LDAP/ADS roles to any user; it was previously neccessary to authenticate the user through local_ldap_authenticate to obtain these roles + Authorization header parsing using setvar() + bug fixes for building shared library + minor extensions to dacs_version and its DTD * DACS 1.4.16 (1-Dec-06) o bug fix: http_auth_jurisdiction variable didn't set DACS_JURISDICTION o bug fixes for building DACS with Samba on Linux o bug fixes for building DACS with Samba on Solaris 8 (-lresolv) o new authentication module, local_http_authenticate (used to authenticate against a Google account, for instance) o bug fix 
for dacs_conf(8) and conf(1) where closing Roles tag may be omitted in XML and HTML output; CSS fix o upgrade to OpenSSL 0.9.8d o upgrade to Berkeley DB 4.5.20 o fixes to configure.ac: --disable-... flags, --with-iconv processing o added DACS_IDENTITY and DACS_CONCISE_IDENTITY environment variables (useful with dacscheck) o fix to Auth clause's INIT* directive to propagate ${Auth::CURRENT_USERNAME} o prototype distributed generation of user info records (login/logout/access events), written to "user_info" VFS type (--enable-user-info) o minor VFS enhancements and bug fixes (file locking, append mode) o bug fix: backslashes within strings were not always handled consistently, especially two consecutive backslashes; this fix could possibly break some existing strings that contain multiple consecutive backslashes o build DACScheck.pm and install it in .../dacs/lib/perl o additional test cases o fixes for secure -aux prompting by dacsauth o added -vfs flag to dacspasswd to specify alternate password file o minor improvements to revocation list processing, including account disabling o built-in versions of roles modules, fixes for enabling/disabling roles modules by 'configure' o minor build enhancements and simplifications o fixes and improvements for local_pam_authenticate, which now appears to work o added variables to the Conf namespace (such as DACS_SITE_CONF and OPENSSL_PROG) and renamed some for consistency (such as SITE_CONF_SPEC to DACS_SITE_CONF_SPEC) o added ${::#} syntax to return the number of variables in a namespace o bug fixes and enhancements for setvar() o minor changes to http(1) o minor changes to subset() and contains_any() functions o setvar() function: + incompatible syntactical changes + new operators: copy, delete, load/loadi, regsplit/split o user() function addition of "namespace" operator o redirect() function takes an optional error name or code o bug fixes: CREDENTIALS_LIFETIME_SECS was ignored by some auth modules * DACS 1.4.15 (1-Oct-06) 
- upgrades to Apache 2.0.59 and Apache 2.2.3 - upgrades to Samba 3.0.23c, OpenSSL 0.9.8c, and OpenLDAP 2.3.27 - minor bug fixes to dacs_conf(8), conf(1), dacsauth(1), dacscheck(1), and dacssched(1) - renamed html/examples/login.html to html/examples/slogin.html and added html/examples/login.html, a JavaScript version of login.php - new authentication module to provide software-based, one-time passwords; see auth_grid(1) - new authentication module to support one-time password token devices; see auth_token(1) - new dacs_autologin_ssl(8) web service for automagic SSL login - PASSWORD_MINIMUM_LENGTH, PASSWORD_NEEDS_MIXED_CASE, PASSWORD_NEEDS_PUNCTUATION, and PASSWORD_NEEDS_DIGITS directives have been removed - use PASSWORD_CONSTRAINTS; PASSWORD_AUDIT is now an Auth clause directive instead of a general directive - added --with-cgi-suffix flag to configure - extended syntax for ACS_ERROR_HANDLER directive (the optional url_pattern element) - fixed local_cert_authenticate bug - minor corrections and updates for autologin(8) - incompatible improvements and simplifications have been made to dacs_auth_transfer(8): o eliminated directives: AUTH_TRANSFER_ERROR_URL, AUTH_TRANSFER_IMPORT_URL, and AUTH_TRANSFER_SUCCESS_URL o eliminated VFS item types: auth_transfer_imports, auth_transfer_exports, and auth_transfer_cookies item types o added directive: AUTH_TRANSFER_EXPORT o added: Transfer clause and new directives to dacs.conf * DACS 1.4.14 (1-Aug-06) - bug fixes, minor enhancements, and documentation improvements, including: o upgrade to openldap-2.3.24 o upgrade to samba-3.0.23 o added rule() predicate, which exposes the rule processing engine to expressions o http command redirect handling o new configuration directives (see dacs.conf(5)): PASSWORD_AUDIT, PASSWORD_CONSTRAINTS (replaces PASSWORD_MINIMUM_LENGTH, PASSWORD_NEEDS_MIXED_CASE, PASSWORD_NEEDS_PUNCTUATION, and PASSWORD_NEEDS_DIGITS directives), VERIFY_UA, UNAUTH_ROLES, ACS_CREDENTIALS_LIMIT o added 
ROLE_STRING_MAX_LENGTH directive and improved role string error logging o boolean value conversion fixes o improved request tracking of unauthenticated users - new features: o added dacs_transform, a prototype web service to demonstrate how the DACS rule processing engine can be applied to document transformations o added dacstransform, a command analog to dacs_transform o added dacssched, a prototype command to demonstrate how the DACS rule processing engine can be applied to scheduling command execution * DACS 1.4.13 (1-Jun-06) - bug fixes, minor enhancements, and documentation improvements, including: o port to Apache 2.2 requires --with-apache-apr flag when DACS is configured o upgrade to Apache 2.0.58, Apache 2.2.2 o upgrade to openssl-0.9.8b o minor changes to DACS license to clarify redistribution & repackaging o new predicates file_owner() and file_group() o completed and documented vfs() function o added ${DACS::IDENTITY} variable o fixed expression evaluation bug causing incorrect True/False result from return/exit function o fixed expression syntax bug when statement follows a brace-delimited block: if (expr) { ... 
} statement o fixed several expression parsing and evaluation bugs o added 100+ initial expression test cases ("make tests") o added NIST HMAC test vector tests ("make tests" or "make crypto; ./crypto") o SSL library buffer management bug fix (affects http and sslclient) - new authentication features, including: o dacsauth, an initial version of a command line authentication program o new authentication module, local_cas_authenticate, for authenticating through the Central Authentication Service (CAS) (http://www.ja-sig.org/products/cas/index.html) * DACS 1.4.12 (1-May-06) - bug fixes, minor enhancements, and documentation improvements, including: o added -ssl-flags argument to http(1) o bug fix re COMPAT_MODE and old cookie name format o bug fix re LOG_SENSITIVE directive o bug fix re selection of "audit" log messages by LOG_FILTER o minor fixes and improvements to dacscred and its documentation o added tools/DACScheck.pm o sslclient bug fixes o clarification of regsub() behaviour o bug fix for rule matching where Jurisdiction uri attribute ends in a slash o new check for precondition element error o fixes for Solaris 10 x86 platform o bug fix re: o minor improvements to http, including following redirects o minor improvements to mkkey and its documentation o properly ignore disabled rules o upgrade to Samba 3.0.22 o upgrade to OpenLDAP 2.3.21 - new authentication features, including: o the ability to authenticate against Apache htpasswd and htdbm files using any DACS password-oriented authentication module o an internal implementation of RFC 2617 HTTP Basic Authentication supporting authentication by any password-oriented DACS authentication module o an internal implementation of RFC 2617 HTTP Digest Authentication for authenticating against Apache htdigest files o built-in versions of authentication modules can be selected - see dacs_authenticate(8) o see dacs_acs(8) and dacs_authenticate(8) - incompatible change to dacs_auth_agent local mode name mapping for 
improved usability - see dacs_auth_agent(8) - configuration processing fixes and documentation clarifications * DACS 1.4.11 (8-Mar-06) - many minor bug fixes and documentation improvements - new cross-federation identity transfer capability: dacs_auth_transfer - improvements and important extensions to user() predicate to handle multiple credentials correctly; compatible except that the optional MODE argument is now part of the string argument instead of being a separate argument. The ACL user_list's user element inherits these improvements. - expression evaluation fixes and improvements - fixes for 64-bit architecture - minor changes to revocation list processing - uri_expr attribute added to Jurisdiction element (dacs_conf_reply.dtd) - dacs_url template expansion by dacs_list_jurisdictions - string interpolation enhancements (%u, %s, %U) - ability to reference Args namespace during config processing - DTD change: dacs_current_credentials.dtd - to aid in debugging, dacs_current_credentials can optionally return additional detail (by default, limited to priviledged users) - ACL changes: acl-current-credentials.0, acl-dacs.0, acl-auth-transfer.0 - moved dacs.quick(5) to dacs.quick(7) Suggestion: % rm -f /usr/local/dacs/man/man5/dacs.quick.5 % rm -f /usr/local/dacs/man/cat5/dacs.quick.5.gz - Cookie naming format change to align with DACS names The change is that a second colon follows the This also affects NAT cookie names, which are not DACS cookies per se - Mostly backward-compatible changes to the Jurisdiction section matching algorithm in dacs.conf, improved documentation The uri attribute can now include a simple hostname pattern (e.g., uri=*.fedroot.com) and a port number (fedroot.com:8080 and fedroot.com:8081 can now be different jurisdictions). Hostname matching is case-insensitive but URI path matching is still case-sensitive and is done path segment-by-segment rather than as a simple string compare. 
NB: this could potentially break some configuration files Note that if you use ports in the uri=, you may need to change the -u flag (e.g., in httpd.conf or ssl.conf) to add the port. See "The Jurisdiction Section" in dacs.conf(5). - bug fix: "sensitive" log messages could incorrectly be emitted - bug fix: dacs_version/dacsversion didn't emit detailed version info for shared libraries (fix is to always link them statically) - bug fix: dacscred always wanted to use SSL - many build and install fixes for Solaris 8 - added 'touch' target to man/Makefile in case make thinks it needs to regenerate documentation when it really doesn't * DACS 1.4.10 (26-Jan-06) - added -D as a dacsoption flag - see dacs(1) - optional LOG_FORMAT directive added, LOG_FEDERATION_NAME removed (note: remove the latter from configuration files) - optional SSL_PROG_ARGS directive added - initial implementation of experimental COMPAT_MODE directive to prevent DACS 1.2 credentials from being discarded - implemented missing assignment operators (+=, -=, etc.) 
and pre/post inc/dec operators for integer variables - a default namespace ("Temp") is now allowed as a convenience: ${foo} = 17 is equivalent to ${Temp::foo} = 17 This can be disabled, or the name changed, at compile time - added a PHP example to dacscheck(1) - added if/elseif/else statement, comma operator - added expression testing framework to dacsexpr(1) (see its -et flag) - added -uj and -us dacsoptions flags for convenience - extensions to the VERIFY_IP directive - upgrades to expat-2.0.0, BerkeleyDB 4.4.20, samba-3.0.21a, openldap-2.3.18 - added STATUS_LINE directive and -status_line/-no_status_line DACS_ACS flags * DACS 1.4.9 (19-Dec-05) - many bug fixes and documentation revisions and improvements - fixes and improvements to the dacscheck(1) command and its man page - fixes to autologin and exec() function - fixes to local_roles, local_unix_roles, and dacs_authenticate - added the Env namespace - fixes to dacs_notices and its man page - fixes to the virtual filestore and its documentation - added --with-apache=omit (see INSTALL) - added ability to select case sensitive/insensitive comparison of federation/jurisdiction/usernames. See docs for the new NAME_COMPARE directive and the revised user() predicate. A consequence of this change is that accounts created by dacspasswd are now lowercase names; otherwise case-insensitive comparisons will consider "Bob" and "bob" equivalent. Some such existing accounts will become inaccessible if the admin changes to case-insensitive names. 
- added DACS-Status-Line with -check_only and -check_fail flags; see dacs_acs(1)
- changes to dacs_acs.dtd

* DACS 1.4.8 (18-Nov-05)
- many bug fixes and documentation revisions and improvements
- new dacscheck(1) command
- changes to various DTDs and default ACLs
- extensions to DACS names and the user() predicate
- upgraded to OpenSSL 0.9.8a
- new configuration directives for password constraints
- re-enabled permit_chaining and added new PERMIT_CHAINING directive
- changes/fixes to authentication failure delay handling
- fixes for Cygwin

* DACS 1.4.7 (20-Oct-05)
- many bug fixes and documentation revisions
- some log entries now include a "session tracking identifier"
- sensible https/SSL defaults for the http command
- new dacs_auth_agent web service
- replacement of Store clause with VFS configuration directive
  Note: this may require revisions to dacs.conf and site.conf
- added version header/footer lines to HTML man pages
- important bug fixes for local_ntlm_authenticate and local_ldap_authenticate
- upgrades to samba-3.0.20a, openldap-2.2.26, docbook-xsl-1.69.1, openssl-0.9.7i, Apache 2.0.55
- new delegated ACLs feature
- aclcheck now also checks the revocation list
- reworking of the former "url" virtual filestore type (now called "vfs")
- http/https URI schemes are supported by the new VFS directive

* DACS 1.4.6 (19-Sep-05)
- many bug fixes and documentation revisions
- initial version of dacs_notices
- initial version of dacscred
- changes to dacs_acs DACS_ACS argument
- logging enhancements, including support for syslog(3)

* DACS 1.4.5 (17-Aug-05)
- many bug fixes (including some important ones) and revised documentation
- acs_expr is now dacsexpr, with some new functions
- upgrade to openssl-0.9.7g, with preparations for openssl-0.9.8
- initial development of the new dacs_notices service (not yet complete)
- continued development of dynamically loadable functions (not yet complete)

* DACS 1.4.4 (20-Jun-05)
- many bug fixes
- the Quick Start tutorial
- continued development of the dacs_admin service (not yet complete)

* DACS 1.4.3 (27-May-05)
- Upgrade to Apache 2.0.54
  * sslclient is now installed as a DACS utility and used in place of
    stunnel. Manual page added for sslclient(1). Stunnel is no longer
    required. The SSL_PROG directive in dacs.conf must be changed to
    something like
        SSL_PROG "/usr/local/dacs/bin/sslclient"
  * ACL filename syntax change
    Enabled rules must begin with "acl-" and disabled rules must begin
    with "disabled-acl-". All other files and directories are ignored.
- an ACL's "service" element can supply an expression ("url_expr")
  instead of a simple string ("url_pattern"). One of the two attributes
  must be given, but not both. If a url_expr is given, it is evaluated
  at the time an ACL is matched against a request; if no error occurs,
  the resulting non-empty string is used instead of url_pattern and has
  the same semantics as url_pattern. Evaluation errors are fatal.
  The standard set of DACS ACLs (acls/acl-*) no longer have a URL path
  prefix built into them. They have been changed to use url_expr
  attributes that interpolate either of two new configuration
  variables, defined in conf/site-conf.std:
      EVAL ${Conf::dacs_cgi_bin_prefix} = "/cgi-bin/dacs"
      EVAL ${Conf::dacs_htdocs_prefix} = ""
  Refer to the standard DACS ACLs to see the obvious revisions.
  Administrators can, of course, define similar prefixes for ACLs in
  their site/federation/jurisdictions, making prefix changes simple.
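The two 1.4.3 ACL rules above (the acl-/disabled-acl- filename convention, and the exactly-one-of url_pattern/url_expr requirement with fatal evaluation errors and a non-empty result) applied to a constructed ACL directory listing and ACL fragment, as an added example. This is illustrative Python written for this page, not DACS's own code: the acl_rule/services/service element names are a simplified stand-in for the real dacs_acl DTD, and eval_url_expr is an assumed mini-evaluator that only interpolates ${Namespace::name} variables from a dict, where the real DACS expression language is far richer. The two Conf variables and their values are the ones quoted in the entry.

```python
# Added example (not DACS code): the two 1.4.3 ACL rules from the entry
# above, applied to a constructed ACL directory listing and ACL fragment.
#
# Assumptions: the <acl_rule>/<services>/<service> element names are a
# simplified stand-in for the real dacs_acl DTD, and eval_url_expr only
# interpolates ${Namespace::name} variables from a dict; the real DACS
# expression language is far richer.
import re
import xml.etree.ElementTree as ET


def classify_acl_filename(name: str) -> str:
    """'enabled' for acl-*, 'disabled' for disabled-acl-*, else 'ignored'."""
    if name.startswith("acl-"):
        return "enabled"
    if name.startswith("disabled-acl-"):
        return "disabled"
    return "ignored"


def list_acl_files(names) -> dict:
    """Group a directory listing by the classification above."""
    groups = {"enabled": [], "disabled": [], "ignored": []}
    for n in names:
        groups[classify_acl_filename(n)].append(n)
    return groups


class AclEvalError(Exception):
    """A url_expr evaluation error; DACS treats these as fatal."""


_VAR = re.compile(r"\$\{([A-Za-z_]\w*)::([A-Za-z_]\w*)\}")


def eval_url_expr(expr: str, conf: dict) -> str:
    """Mini evaluator (assumption): replace every ${Ns::name} with conf[...].
    An undefined variable or an empty result is an AclEvalError."""
    def substitute(m):
        key = f"{m.group(1)}::{m.group(2)}"
        if key not in conf:
            raise AclEvalError(f"undefined variable ${{{key}}} in {expr!r}")
        return conf[key]
    result = _VAR.sub(substitute, expr)
    if result == "":
        raise AclEvalError(f"url_expr {expr!r} evaluated to the empty string")
    return result


def service_pattern(service: ET.Element, conf: dict) -> str:
    """Effective url_pattern of one <service>, enforcing that exactly one
    of url_pattern / url_expr is present."""
    pat, expr = service.get("url_pattern"), service.get("url_expr")
    if (pat is None) == (expr is None):
        raise ValueError("a service needs exactly one of url_pattern, url_expr")
    return pat if pat is not None else eval_url_expr(expr, conf)


def resolve_acl(acl_xml: str, conf: dict) -> list:
    """Effective patterns of every <service> in an ACL, in document order."""
    root = ET.fromstring(acl_xml)
    return [service_pattern(s, conf) for s in root.iter("service")]


# The two site-conf.std variables quoted in the entry above.
CONF = {"Conf::dacs_cgi_bin_prefix": "/cgi-bin/dacs",
        "Conf::dacs_htdocs_prefix": ""}

# Constructed ACL fragment: one url_expr service, one fixed url_pattern.
SAMPLE_ACL = """<acl_rule status="enabled">
  <services>
    <service url_expr="${Conf::dacs_cgi_bin_prefix}/dacs_acs"/>
    <service url_pattern="/legacy/fixed/path"/>
  </services>
</acl_rule>"""

# Constructed directory listing, including an editor backup file.
SAMPLE_DIR = ["acl-dacs_acs", "disabled-acl-old", "acl-dacs_acs~",
              "README", "notes.txt"]

if __name__ == "__main__":
    print(list_acl_files(SAMPLE_DIR))
    print(resolve_acl(SAMPLE_ACL, CONF))
```

Two things worth noticing when running it: an expression consisting only of ${Conf::dacs_htdocs_prefix} evaluates to the empty string, which by the stated rule is an error rather than a match-everything pattern; and by the filename rule as stated, an editor backup such as acl-dacs_acs~ still begins with "acl-" and is therefore treated as an enabled rule, so keep stray files out of the ACL directory.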
- local_cert_authenticate added; see dacs_authenticate(1)

* DACS 1.4.2 (14-Apr-05)
- Added support for LDAP and Microsoft ADS based authentication
- improved man pages
- minor bug fixes
- minor changes:
  o new and renamed DACS expression functions, including ldap name parsing
  o if -v and --version are given, also print module version stamps
  o an initial version of WWW-Authenticate/Authorization header handling
    (ACS can respond with or accept RFC 2617 headers)
  o added "ndbm" storage method (includes gdbm in compatibility mode)
  o added missing C/C++ bit operators for DACS expressions

* DACS 1.4.1 (16-Mar-05)
- Added support for Microsoft NTLM authentication
- Added "bundle=yes" argument to make to build a "dacs" command
- improved man pages
- many minor bug fixes

* DACS 1.4.0 (14-Feb-05)
- Second open source version, based on DACS 1.3.2 functionality

$Id: HISTORY 2590 2012-03-19 18:06:05Z brachman $
