libapache2-webauth (4.5.3-3) unstable; urgency=low

  This package has been split into two packages, libapache2-mod-webauth
  and libapache2-mod-webauthldap, as part of the Apache 2.4 transition.
  This matches the standard naming scheme of Apache modules and allows
  better handling of dependencies for the LDAP module.  Once the upgrade
  is complete, you may safely remove the libapache2-webauth package, and
  you can remove the libapache2-mod-webauthldap package if you weren't
  using the LDAP module.

 -- Russ Allbery <rra@debian.org>  Sun, 02 Jun 2013 10:30:41 -0700
  
libapache2-webauth (4.2.0-1) experimental; urgency=low

  Use of AuthType StanfordAuth (instead of AuthType WebAuth) is deprecated
  and will be removed in a subsequent release.  This directive will
  produce a warning in the Apache error log whenever encountered while
  processing a request.  This mode was for compatibility with the
  Stanford-internal WebAuth 2.5 release and was probably not used outside
  of Stanford.

  The special group handling in mod_webauthldap enabled by AuthType
  StanfordAuth is no longer supported and has been removed.  Any access
  restrictions that used "require group" and expected the groups to be
  interpreted as WebAuth privilege groups must be changed to use AuthType
  WebAuth and "require privgroup".

 -- Russ Allbery <rra@debian.org>  Fri, 13 Jul 2012 13:43:13 -0700

libapache2-webauth (3.7.0-1) unstable; urgency=low

  Users of mod_webauthldap should note that WebAuthLdapAuthRule's behavior
  has changed.  Previously, it put just the bare name of the privgroup
  authorizing the user into its environment variable.  Now, it puts the
  string "privgroup <privgroup>" instead.

 -- Russ Allbery <rra@debian.org>  Wed, 07 Jul 2010 14:46:40 -0700

libapache2-webauth (3.5.3-2) unstable; urgency=low

  As of this release, the WebAuth module is built for Apache 2.2 rather
  than Apache 2.0.  Please note that Apache 2.2 moved authentication and
  authorization functionality out of Apache into modules that may not be
  enabled by default.  In particular, directives of the form:

      Require valid-user
      Require user <username>

  will not work unless mod_authz_user is enabled.  To do this, run:

      a2enmod authz_user

  as root.  You do not need to enable this module if you never use
  directives of that type (if, for instance, you only use Require
  privgroup directives), but note that the WebAuth tests expect this
  functionality to be available.

 -- Russ Allbery <rra@debian.org>  Mon, 09 Oct 2006 14:28:00 -0700