Tuesday, April 27, 2010

Apache 2.3 in Beta

There is good news and bad news. The good news is there is a new version of Apache already in Beta release with some pretty good features. The bad news is there is a new version of Apache and if you are like me you hate migrating or updating.

I didn't make this up and you can view the entire list of updates at this link:
apache updates in 2.3

I am going to list a few of the changes that I will look to test and seem useful to me. Remember to check out my most recent blog performing a complete build of the LDAP client using SSL to authenticate a web user.


* mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to try other providers in the case of an LDAP bind failure.PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

*) mod_ssl: Add support for OCSP Stapling. PR 43822.
[Dr Stephen Henson
]

* mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
some cache entries and log a warning. Also increase the default
LDAPSharedCacheSize to 500000. This is a more realistic size suitable
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
PR 46749. [Stefan Fritsch]

*) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna]

*) mod_heartbeat: New module to generate multicast heartbeats to know if a
server is online. [Paul Querna]

*) mod_privileges: new module to make httpd on Solaris privileges-aware
and to enable different virtualhosts to run with different
privileges and Unix user/group IDs [Nick Kew]

*) New module mod_sed: filter Request/Response bodies through sed
[Basant Kumar Kukreja
]

*) mod_auth_form: Add a module capable of allowing end users to log
in using an HTML form, storing the credentials within mod_session.
[Graham Leggett]

*) mod_ldap: Correctly return all requested attribute values
when some attributes have a null value.
PR 44560 [Anders Kaseorg
]

*) mod_ldap: Add support (taking advantage of the new APR capability)
for ldap rebind callback while chasing referrals. This allows direct
searches on LDAP servers (in particular MS Active Directory 2003+)
using referrals without the use of the global catalog.
PRs 26538, 40268, and 42557 [Paul J. Reder]

*) mod_ldap, mod_authnzldap: Add support for nested groups (i.e. the ability to authorize an authenticated user via a "require ldap-group X" directive where the user is not in group X, but is in a subgroup contained in X. PR 42891 [Paul J. Reder]

*) mod_authn_dbd: Export any additional columns queried in the SQL select into the environment with the name AUTHENTICATE_ This brings mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett]


These are just a few of the main ones that I think will be very useful. Obviously adding additional functionality with LDAP lookups is great, but the additional ability to use a relational database to retrieve parameters makes the server super flexible. I will have to revisit the build of the mod_dbd. I have not had great success with Oracle connectivity in the past from Apache.

I am also curious about a rate limiter, and a built in login functionality. This sounds like a encroachment into the SSO world by Apache, but I am all for it.











No comments: