ANNOUNCE: WebAuth 3.7.0 released

Russ Allbery eagle at
Thu Jul 8 17:17:21 PDT 2010

The ITS WebAuth team is pleased to announce Stanford WebAuth 3.7.0. This
is a major release with improvements to mod_webauthldap, support for
password expiration and changing in WebLogin, and substantial changes to
the WebAuth build system and underlying libraries.

If you use the WebAuthLdapAuthRule directive for mod_webauthldap, please
take special note of the first change noted below.

For documentation and downloads of WebAuth 3.7.0, see:


New Debian packages have been uploaded to Debian unstable, and updated
versions will be uploaded to once WebAuth 3.7.0 migrates to
Debian testing.

New Red Hat packages will be coming soon.

The user-visible changes in this release are:

    * The WebAuthLdapAuthRule directive in mod_webauthldap has been fixed
      to do something closer to its documentation. Previously, it was
      documented as containing "group <privgroup>" if the user was
      authorized by a privgroup directive, but actually contained only the
      privgroup. Now, it contains "privgroup <privgroup>" if the user was
      authorized by a privgroup directive. Patch from Ian Ward Comfort.

    * mod_webauthldap supports a new WebAuthLdapPrivgroup directive that
      names a list of privgroups against which the authenticated user's
      membership should be checked. All privgroups listed of which the
      user is a member will be put into the WEBAUTH_LDAPPRIVGROUP
      environment variable. Patch from Ian Ward Comfort.

    * The WebAuthLdapAttribute directive can now take multiple attributes
      on the same line. Patch from Ian Ward Comfort.

    * WebLogin now includes a password change script and associated
      template to allow users to change their Kerberos password.

    * WebLogin now supports password expiration. If the account password
      is expired when a user authenticates with a password at the WebLogin
      login screen, they are redirected to the password change screen,
      forced to change their password, and then reauthenticated with their
      new password so that they can continue as normal with their

    * WebLogin can be optionally configured to warn users, via the
      confirmation screen, if their password is about to
      expire. Currently, this warning requires remctl, configuration of a
      Kerberos ticket cache, and the kadmin-remctl backend running
      somewhere for that Kerberos realm.

    * The WebAuth Apache modules are no longer built with apxs, which
      allows a cleaner build and installation process. However, this means
      that the modules are now installed in <libexecdir>/apache2/modules
      by default, where <libexecdir> is specified via the --libexecdir
      flag to configure and defaults to /usr/local/libexec.

    * The --with-apache option has been dropped. Use --with-apxs to
      specify the full path to apxs if it's not in your PATH.

    * The --enable-mod_webkdc flag is now --enable-webkdc, since it also
      controls installation of the WebLogin scripts and templates.

    * The --enable-debug flag has been dropped. Set CFLAGS on the
      configure command line if you want to override the default compiler

    * Catch SIGTERM in the login.fcgi script and only exit once processing
      of the current request has completed. mod_fastcgi restarts FastCGI
      scripts periodically by killing the old one with SIGTERM, which
      previously could result in internal server errors handed back to the
      client if the script was killed in the middle of processing a

    * Correctly encode RT and ST tokens in the URL when redirecting to an
      alternate URL to attempt REMOTE_USER authentication in
      WebLogin. Patch from Ian Ward Comfort.

    * The majority of the WebLogin scripts have been moved into a new
      WebLogin Perl module, which should make it somewhat easier to
      further customize the WebLogin interface if desired.

    * The timestamps output by wa_keyring list now contain dates in the
      ISO format YYYY-MM-DD instead of the US-centric and ambiguous

    * Removed the webauth_krb5_service_principal function from libwebauth
      and from the WebAuth Perl module. This function's API was
      fundamentally flawed since it did not handle realms, and it was not
      used anywhere in the WebAuth code.

    * Change the libwebauth API to use size_t and other data types more
      correctly instead of always using int. This will require updates in
      all calling applications.

    * wa_keyring calls the OpenSSL MD5 functions directly, so explicitly
      link it with libcrypto. Fixes build failures with gold.

    * Lower the logging level of mod_webauth messages about setting
      cookies (to debug) and environment variables (to info, since that's
      the best way right now to see a trace of authenticated users).

    * Avoid importing isa from UNIVERSAL in the WebAuth Perl modules. This
      is deprecated in Perl 5.12 and later.

    * Mention setting $KEYRING_PATH in docs/install-spnego and expand the
      documentation in docs/weblogin-config.

    * Changed terminology in the WebAuth protocol specification to refer
      to a KRB_AP_REQ rather than the results of krb5_mk_req. The latter
      is a call specific to a particular API, whereas the former is the
      term used in the Kerberos protocol documentation. Thanks, Liam

    * The Autoconf probe for the cURL libraries now uses curl-config if
      available. The path to curl-config can be overridden by setting the
      CURL_CONFIG variable on the configure command line or in the

    * Use --with-krb5, --with-krb5-lib, and --with-krb5-include instead of
      --with-kerberos to configure the locations of the Kerberos
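As an added example, not code from WebAuth or from this announcement: an application-side authorization check that consumes what mod_webauthldap exports after the first two changes above, accepting both the pre-3.7 bare-privgroup form of the auth rule and the 3.7.0 "privgroup <privgroup>" form, so a naive string comparison against the old value does not start denying everyone after the upgrade. The variable name WEBAUTH_LDAPAUTHRULE, the numbered WEBAUTH_LDAPPRIVGROUP1, ... suffixes for additional matches, and the sample environments are assumptions.

```python
import re

# Variable names assumed for what mod_webauthldap exports into the request
# environment (WEBAUTH_LDAPPRIVGROUP is named in the announcement).
AUTHRULE_VAR = "WEBAUTH_LDAPAUTHRULE"
PRIVGROUP_VAR = "WEBAUTH_LDAPPRIVGROUP"

# Constructed sample environments, not captured from a real server.
# SAMPLE_37 is the 3.7.0 form for a user authorized by a privgroup;
# SAMPLE_36 is the pre-3.7 bare-privgroup form of the same rule.
SAMPLE_37 = {
    AUTHRULE_VAR: "privgroup stanford:stanford",
    PRIVGROUP_VAR: "its:webauth-admins",    # from WebAuthLdapPrivgroup
    PRIVGROUP_VAR + "1": "stanford:staff",  # assumed layout for extra matches
}
SAMPLE_36 = {AUTHRULE_VAR: "stanford:stanford"}


def authrule_privgroup(env):
    """Privgroup named by the auth rule, or None if the user was authorized
    some other way. Accepts 'privgroup <name>' (3.7.0) and a bare '<name>'
    (pre-3.7) so one application works on both sides of the upgrade."""
    rule = env.get(AUTHRULE_VAR, "").strip()
    match = re.fullmatch(r"privgroup\s+(\S+)", rule)
    if match:
        return match.group(1)
    # A single bare token is treated as the pre-3.7 output: just the name.
    if rule and re.fullmatch(r"\S+", rule):
        return rule
    return None  # empty, or a rule form this helper does not interpret


def privgroups_from_env(env):
    """All privgroups mod_webauthldap reported membership in. The first is in
    WEBAUTH_LDAPPRIVGROUP; the numbered suffixes (1, 2, ...) for further
    matches are an assumption about how multiple values are exported."""
    groups = []
    name, n = PRIVGROUP_VAR, 1
    while name in env:
        if env[name].strip():
            groups.append(env[name].strip())
        name, n = PRIVGROUP_VAR + str(n), n + 1
    return groups


def matched_privgroups(env, allowed):
    """Privgroups from either source that the application accepts; an empty
    list means deny. Compare with the naive pre-3.7 check
    env[AUTHRULE_VAR] == 'stanford:stanford', which denies everyone once the
    value reads 'privgroup stanford:stanford'."""
    seen = set(privgroups_from_env(env))
    rule_group = authrule_privgroup(env)
    if rule_group:
        seen.add(rule_group)
    return sorted(seen & set(allowed))
```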

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
