Changes Between Major Revisions
Changes from 1.4 to 1.6
* All changes and bugfixes in the 1.4 releases.
* Completely rewrote the LDAP caching algorithms (see the
documentation on caching for more information). Here are the
highlights of the changes:
+ All cache sizes are measured in terms of cache entries.
Warning!! This affects the AuthLDAPCacheSize directive!! In
version 1.4 and before, this directive specified the size in
megabytes. Now, it specifies the size in cache entries. If
you currently have this directive in a config file, it is
probably set way too high, and will use a significant amount
of server memory.
+ Deprecated the AuthLDAPCacheCompareOps directive. Apache will
still accept the directive, but it has no effect, other than
to generate a warning in the Apache logs.
+ The cache no longer grows without bounds. For servers with a
very active cache, this should make a big difference with
memory usage.
+ No longer use the cache management routines from the LDAP
SDK. All LDAP operations are now cached, using a cache that's
specially designed for auth_ldap's authentication methods.
+ If Apache has been compiled with MM support and auth_ldap has
been compiled with -DWITH_SHARED_LDAP_CACHE then the cache is
shared across all server instances.
+ Added a content handler that can be used to display the cache
statistics. To use it, add the following directives:
<Location /server/auth-ldap-info>
SetHandler auth-ldap-info
</Location>
* Added support for a require dn directive, and a
AuthLDAPCompareDNOnServer directive. See the documentation for
more information.
* auth_ldap now allows the user to specify any attribute when
checking for group membership, by using the AuthLDAPGroupAttribute
directive. If this directive is not specified, the default
continues to be member and uniqueMember. Patch courtesy of
Graham Leggett.
* Added another directive, AuthLDAPGroupAttributeIsDN, which says
whether to use the DN that was retrieved from the LDAP search, or
to use the username passed by the client when doing group
authorization. This directive, in conjunction with the previous
one, allows us to use things like posixGroups for checks:
AuthLDAPGroupAttribute memberuid
AuthLDAPGroupAttributeIsDN off
* Ensure that auth_ldap will follow referrals under
OpenLDAP. This behavior was turned off in previous versions.
* Allow auth_ldap to dereference aliases, using the new
AuthLDAPDereferenceAliases directive. By default, this directive
is set to always.
* Now use ldap_init() when using OpenLDAP. Unless your OpenLDAP is
really old, this probably won't affect you.
The socket creation code in fshd was not paranoid enough. There
were at least two possible attacks:
- If a malicious user has symlinked /tmp/fshd-<UID> to another
file, fshd will chmod 0700 that file.
- A race condition made it possible for an attacker to create an
unsafe socket directory, so that the attacker can access an
fshd tunnel.
The attacker must already have a local shell on the computer where
fsh or fshd is invoked.
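The two fshd problems above (a chmod by path that follows a planted symlink, and a race on creating the socket directory) are the classic /tmp pitfalls, so here is an added example, not fshd's own code, of how a per-user socket directory can be created defensively: never chmod by path name, refuse anything that is not a real directory owned by the caller, and re-verify through a descriptor opened with O_NOFOLLOW so the inode that was checked is the inode that is used. The function names, the self-check scenarios and the scratch paths under /tmp are all constructed for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not fshd's code): create or validate a private
 * directory at `path`. Returns 0 on success, -1 with errno set on failure. */
int secure_socket_dir(const char *path)
{
    struct stat st, st_fd;
    int fd;

    /* Create it ourselves if possible; an existing entry is inspected below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* lstat, not stat: a symlink planted here must be rejected, not followed. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; } /* symlink/file */
    if (st.st_uid != getuid()) { errno = EPERM; return -1; }  /* not ours */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {            /* too open */
        errno = EPERM;
        return -1;
    }

    /* Open the directory itself; O_NOFOLLOW closes the lstat/open window. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* The descriptor must refer to the very inode lstat() validated. */
    if (fstat(fd, &st_fd) != 0 || st_fd.st_dev != st.st_dev ||
        st_fd.st_ino != st.st_ino) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* Permission change through the descriptor, never through the path. */
    if (fchmod(fd, 0700) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Exercise the cases from the advisory in a scratch directory (constructed
 * scenarios). Returns the number of cases that behaved as required: 3. */
int secure_socket_dir_selfcheck(void)
{
    char base[] = "/tmp/sockdir-demo-XXXXXX";
    char path[256], target[256];
    struct stat st;
    int passed = 0, fd;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/fshd-%d", base, (int)getuid());
    snprintf(target, sizeof target, "%s/victim", base);

    /* Case 1: nothing there yet -> a fresh 0700 directory is created. */
    if (secure_socket_dir(path) == 0 && lstat(path, &st) == 0 &&
        S_ISDIR(st.st_mode) && (st.st_mode & 07777) == 0700)
        passed++;
    rmdir(path);

    /* Case 2: symlink planted at the path -> rejected, target mode untouched. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) { fchmod(fd, 0644); close(fd); }
    if (symlink(target, path) == 0 && secure_socket_dir(path) == -1 &&
        stat(target, &st) == 0 && (st.st_mode & 07777) == 0644)
        passed++;
    unlink(path);

    /* Case 3: a regular file at the path -> rejected with ENOTDIR. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) close(fd);
    if (secure_socket_dir(path) == -1 && errno == ENOTDIR)
        passed++;
    unlink(path);

    unlink(target);
    rmdir(base);
    return passed;
}

int main(void)
{
    printf("cases passed: %d of 3\n", secure_socket_dir_selfcheck());
    return 0;
}
```

The sticky bit on /tmp keeps another user from removing or renaming a directory we own, so once lstat() has accepted our own 0700 directory, the fstat() inode comparison is what guarantees the descriptor we then use is that same directory and not something swapped in between the two calls.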
Other changes:
New timeout option, fixed to work with openssh2, now also usable if
you have to enter a password to connect, and some others.
PC virtualization software program which will allow PC and workstation
users to run multiple operating systems concurrently on the same
machine.
Plex86 will run as much of the operating system and application
software natively as possible, the rest being emulated by the PC
virtualization monitor.
A highly visible and often requested use would be to allow
Windows software to be run inside of GNU/Linux or another UNIX-like
operating system. This gives users a migration path towards UNIX,
allowing them to run legacy software until native ports or
alternatives are available. It also provides a transitional step for
software vendors who plan to port their product to UNIX, but have not
yet done so. Users could buy the Windows version of the product and run it at
near native speeds on UNIX, using Plex86, until a UNIX native version
is ready.
PNG is now supported, asynchronous DNS is claimed to be more stable,
and a couple of SSL crashes were fixed; otherwise the changes are primarily
UI fixes.
However, Asynchronous DNS seems to ignore stuff in /etc/hosts now.