Skip navigation



WebAuth 3.1.0 Announcement

The ITSS WebAuth team is pleased to announce the release of Stanford WebAuth 3.1.0, a new major release with integrated LDAP support. This version of WebAuth fully replaces the functionality of WebAuth 2.5, but uses the new OpenLDAP directory servers and Kerberos v5.

For documentation and downloads of WebAuth 3.1.0, see:


In this release we've made available pre-built Apache 2.0.45 and WebAuth 3.1.0 binaries for Solaris 8 and 9, which should prove a convenience for Solaris administrators on campus.

Among the new features of this version of WebAuth over 3.0.0 are:

  • Added a new Apache module, mod_webauthldap, for LDAP directory information lookups via Kerberos v5 GSS-API binds. This module provides the same directory lookup capability as older versions of WebAuth, but does so against OpenLDAP servers, via Kerberos v5 authentication, and with considerably more flexible support for what attributes to query. See the mod_webauthldap manual for more details.

  • Added WebAuthSSLRedirect and WebAuthSSLRedirectPort directives so that users can be redirected from http to https when accessing a WebAuth-protected resource.

  • Added a WebAuthAuthType directive to help people transition to mod_webauth from older versions. This directive allows you to specify an additional AuthType name that will be treated the same as WebAuth. If this directive is set to StanfordAuth, it will also set two extra environment variables: SU_AUTH_USER and SU_AUTH_AGE (these were set by WebAuth 2.5).

  • Add more backward compatibility support for WebAuth 2.5 by allowing additional directives to appear in .htaccess files. See the documentation on upgrading from WebAuth 2.5 for more details.

  • Allowed these directives to present in .htaccess files (they were previously only allowed in <Directory>/<Location> directives):


    This is in partial support of backward compatibility.

  • Added WebAuthProxyHeaders directive to pass WebAuth information to a proxied server. See the WebAuth module documentation for more information.

  • Add WebAuthWebKdcSSLCertCheck directive to enable/disable checking of the WebKDC SSL certificate. Defaults to "on" and should only be turned off for debugging/testing purposes.

  • Added new WebAuthDontCache directive, which signals a browser not to cache those web pages. Defaults to 0 (allow documents to be cached).

  • Modified WebAuthKeytab and WebKdcKeytab directives so you can optionally specify which principal to use with the specified keytab, instead of using the first principal found. This is useful if the keytab contains multiple keys.

  • Removed the service token cache on restarts, so that a restart will clear up any inconsistencies between the server and the WebKDC.

  • Have the WebKDC re-read the token ACL file if its mtime changes.

  • Added --with-apxs configure option to set the path to apxs independently from the path to the Apache installation. This was needed in order to easily build WebAuth on Linux distributions that install Apache following the Linux Filesystem Standard.

  • Bug fixed in scrubbing WebAuth tokens from the URL.

Last modified Friday, 12-Dec-2014 02:31:14 PM

Stanford University Home Page