DACS.README(7) DACS Miscellaneous Information DACS.README(7)
NAME
dacs.readme - DACS README
DESCRIPTION
This file is part of the DACS suite.
Other important documents in this release:
o for a brief description of this release, and possibly last minute updates, please refer to README[1]
o for a technical overview of the system, please see dacs(1)[2]
o for information about licensing, please refer to LICENSE[3]
o for information about installation, please refer to dacs.install(7)[4]
o for the Quick Start tutorial, please refer to dacs.quick(7)[5]
o for important release notes, please visit http://dacs.dss.ca/download.html
NO WARRANTY
This software is provided by Dss "as is" and any express or implied warranties, including, but not limited to, the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement, are disclaimed. in no event shall dss be liable for any
direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute
goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in
contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if
advised of the possibility of such damage.
DACS At a Glance
DACS is:
o a light-weight, open source single sign-on system;
o a flexible and powerful role-based access control system;
o a set of feature-rich authentication methods;
o an Apache[6] 2.0 and 2.2 module and suite of CGI programs;
o able to apply coarse-grained access control to web service requests made using standard web browsers;
o able to provide fine-grained access control functionality to almost any program or script;
o a collection of web services that can provide access control and identity management functionality to your middleware;
o a C/C++ toolkit for building new authentication and access control functionality into programs, whether web-based or not;
o for Unix-type platforms (currently), such as GNU/Linux and FreeBSD.
For developers, DACS makes access control functionality available through the command line, allowing scripts (Perl, PHP, shell, etc.) to
make data-driven access control decisions rather than program-driven ones. This can be used completely independently of the web
functionality and without dealing with run-time configuration of DACS. Please see dacscheck(1)[7]. DACS also provides web services from
which single sign-on systems can be constructed.
For web sites, DACS can help manage access to web resources in many situations, whether you have just one web server, several web servers
at one site, or many web servers spread across the Internet. You may find it to be useful simply as a universal authentication mechanism
for a single Apache server or as a full-fledged, single sign-on multi-server identity management and access control system.
Tip
If you are interested in dacscheck(1)[7] or the general-purpose DACS utilities (e.g., http(1)[8], sslclient(1)[9]) but are not
interested in web services or Apache, refer to the instructions in dacs.install(7)[4].
The DACS home page is at http://dacs.dss.ca. DACS is hosted as a SourceForge[10] project at http://sourceforge.net/projects/dacs.
Supported Platforms
DACS is currently developed and tested:
o with Apache[6] 2.0.64 and 2.2.21
o on platforms:
o FreeBSD[11] 9.0/8.1/7.0 (amd64)
o CentOS[12] 5.7 (x86_64, Linux 2.6.X, built from Red Hat Enterprise Linux[13] 5)
o Mac OS X[14] 10.7.3 (Lion, Intel Core i7, x86_64)
o using GCC 4.2 compilers
o using Firefox 8.x and 9.x browsers, and Internet Explorer 8 browsers
FreeBSD 9.0 is the primary development platform. For this reason, references to Unix manual pages throughout the DACS documentation cite
the FreeBSD documentation. This should not matter much if you are using a different platform, but keep this in mind.
Most DACS installations are on Linux or FreeBSD platforms. Support for Mac OS X is relatively recent.
Note
o When building DACS for use with Apache 2.2, you will probably need to specify the --with-apache-apr flag, and perhaps other
Apache-related flags, to configure.
o Apache 1.3 is not supported (please refer to the FAQ[15]).
o DACS has not been tested with Apache 2.1.
Other Platforms
DACS is not officially supported on platforms other than those mentioned above. Recent releases have built and worked correctly on other
platforms, but because we do not have ready access to them, or due to lack of interest, we no longer test on them.
Up to and including version 1.4.25, DACS was tested and used on Solaris 10[16] (OpenSolaris[17] 2008.11, SunOS 5.11, x86[18]). Solaris is
no longer supported. Early versions of DACS were used on Solaris 8 (SPARC) and Solaris 10 (SPARC) platforms. A wide variety of build,
install, and run-time problems were encountered with third-party packages on the OpenSolaris and SPARC platforms. Depending on which
third-party software your DACS configuration requires, or if you are prepared to try older versions of third-party software or devote extra
effort, you may have some success running DACS on these platforms, but in general we cannot recommend using these platforms for DACS in
production settings and they are no longer officially supported. Comments specific to Solaris remain in the DACS documentation but will
likely be removed in a future release, as will configuration and build capabilities.
Earlier releases of DACS compiled and (mostly) installed cleanly on WinXP/Cygwin[19] 1.7.5 and later with GCC 4.3, but starting with DACS
1.4.26, Cygwin[19] is no longer used for testing DACS. Comments specific to Cygwin that remain in the DACS documentation will likely be
removed in a future release, as will configuration and build capabilities. Regarding Cygwin and earlier versions of DACS:
o mod_auth_dacs does not build as a shared module
o there were problems building Expat 2.0.0 from source (2.0.1 is ok)
o only limited testing has been performed on this platform
o you can't execute src/config.nice; copy it to some other filename and execute that instead
o when doing "make install", try the username and group "Administrators" or "Administrator" when prompted if you don't know what else to
use (the install procedure should use those names as defaults
We expect that DACS will also run on other varieties of Unix and with other browsers. No testing is done with very old browsers, however.
We would appreciate reports of problems encountered while building or running DACS on unofficial platforms so that we can address
portability issues and support these platforms better.
Warnings
Please read this section carefully!
Security
1. After obtaining a DACS release, please verify all checksums for the file you downloaded. Do not use a download if any checksum for
it does not match. Checksums are posted at http://dacs.dss.ca/download.html immediately after a new release is distributed.
OpenSSL's dgst command can be used to compute checksums; for example,
% openssl dgst -md5 dacs-1.4.22.tgz
% openssl dgst -sha1 dacs-1.4.22.tgz
2. Improper installation, configuration, or use of DACS may leave your system open to various kinds of attacks and exploits.
Many other systems and software components, including Apache and OpenSSL, can also compromise system security if not properly
installed, configured, and administered; they give similar admonishments. Please take appropriate care.
A DACS administrator ought to have some experience with Apache configuration (including its authentication and access control
directives, and building httpd), and basic knowledge of security issues on the installation platform.
3. The security of DACS depends on the security of the underlying operating system, third party software, build, installation, and
configuration parameters, human factors, and more. In particular, ensure that file ownership and modes are appropriate for run-time
accessible DACS configuration and data files (dacs.conf, site.conf, encryption keys, access control rules, group files, etc.).
4. Users of your DACS-wrapped services are responsible for maintaining the secrecy of information used to sign on (such as passwords)
and authentication and authorization information sent to them by DACS (such as HTTP cookies). Spyware, and browser modifications or
improper settings, may compromise security - DACS cannot prevent improper use or intentional misuse.
5. After access is granted to a resource, DACS does nothing to stop a user from redistributing whatever is returned by the web server.
Therefore, strictly speaking, DACS is neither a copyright enforcement system nor is it a Digital Rights Management (DRM) system,
although it may be possible to apply DACS in those domains. DACS does have the ability to force a user to view and acknowledge a
copyright notice or license, however.
6. Making routine backup copies of your current DACS configuration and data files is strongly encouraged. A procedure should be
established for periodically creating copies of your DACS installation and keeping them in a secure, off-site location. This is
especially important for encryption keys and account files, which cannot be recreated if lost.
7. Please review Section 15 ("Security Considerations") of RFC 2616[20].
8. Be sure to check for new releases of DACS regularly. New releases may address important bugs and security issues, so keeping your
installation current is important. You can subscribe to email notifications[21].
You should likewise stay alert to new releases of third-party packages that your install of DACS uses.
9. Test carefully after making changes to your DACS configuration. In particular, make sure that new access control rules and user
authentication work as you expect.
10. For DACS to be a secure system, all communication between DACS and its users, components, and middleware must take place over a
secure connection (typically using SSL and the HTTPS[22] method) to safeguard account names, passwords, DACS credentials, and so
on. DACS does not require secure network connections, however, and can function without them in situations where a lower standard
of security is acceptable. See SECURE_MODE[23].
Note that if a client connects from an insecure subnet, various man-in-the-middle attacks[24] are possible, even when it appears
that SSL is being used (for example, see sslstrip[25]).
11. In the event of an emergency situation that might be related to DACS, you may, of course, stop all Apache processes. It is
sufficient to make dacs.conf inaccessible to Apache, however, whether by renaming the file, changing its ownership, or changing its
permissions. (Or, you may make the DACS web services unavailable using the same methods.) All DACS web services must be able to
read dacs.conf, so this will effectively turn DACS off. More selective ways of limiting access are available, such as through the
revocation list.
12. DACS depends mainly on OpenSSL[26], a third-party package that you need to obtain separately, for cryptographic functionality. Some
library functions provided by your operating system (such as crypt(3)[27]) are also used.
13. It is recommended that the Network Time Protocol (RFC 1305[28]) or equivalent be used on any host that runs DACS commands or web
services. A sudden, large change to a system's clock while DACS is operational may have undesirable effects and should be avoided.
14. If you are deploying DACS as part of a publicly accessible web site, consider including a notification on your site that it may
issue cookies. This is commonly mentioned in a site's "Privacy" or "Security" page. DACS may not function as expected if a user's
browser has disabled cookies or will not accept them; in particular, the single sign-on feature generally requires that users'
browsers accept cookies.
Important
DACS MAY INCLUDE ITS OWN CRYPTOGRAPHIC FUNCTIONS and may therefore fall under certain import, export, and/or use restrictions in other
parts of the world, even though DACS is created, maintained, and officially distributed from Canada.
Export and/or import and/or use of strong cryptography software, providing cryptography hooks, or merely communicating technical
details about cryptographic software is illegal in some parts of the world. YOU ARE STRONGLY ADVISED to pay close attention to any laws
that may apply when you import, export, or use DACS, or even communicate about it. We are not liable for any violations you make - it
is your responsibility. For additional information, see the Crypto Law Survey[29].
Roadmap
DACS 1.4 is being released in stages. Our goal is to release new versions on a regular schedule, approximately every two months. Much of
the DACS 1.4 functionality has already been designed and implemented; we merely need time to thoroughly test and document. A top priority
is to fix all known bugs between releases and improve the documentation.
Beyond DACS 1.4, we have many ideas for improving DACS, including adding new features and making it easier to administer.
Please consult the DACS web site for information on upcoming releases.
Upgrading
Security
Because DACS is security software, we strongly recommend that you upgrade to the newest release as soon as you are able.
Upgrading is neither a difficult nor a time consuming procedure most times. Sometimes an incompatible change in DACS will require you to
change a DACS configuration file, but this should not be difficult to do and we will try to advise you of such changes.
The DACS 1.4 releases contain a great many changes and improvements, some incompatible with earlier releases of DACS. If you are upgrading
from DACS 1.3.2 or another older release, you will need to become familiar with these changes. You must manually convert your old DACS
configuration files to the new format, for example. You should not find upgrading to be a difficult or time consuming task.
Important
Making backup copies of your DACS installation immediately prior to upgrading is strongly recommended.
Some features available in earlier versions of DACS are not available in this release, but will be provided as soon as possible.
Note that DACS 1.4 may not interoperate with prior releases.
We aim to avoid making any backward incompatible changes within the DACS 1.4.x releases.
Administration
Once installed and configured, DACS requires very little administration.
Tip
At higher logging levels, DACS log files can become large quite quickly. You should therefore arrange for them to be rotated regularly
(e.g., using newsyslog(8)[30]). A built-in log rotation feature is being considered for DACS.
If you're creating DACS log files that have names based on their date of creation, to expire/rotate/compress them you might periodically
run the find(1)[31] command to identify old logs. For example, the command
% find /usr/local/dacs/logs -type f -a -mtime 2 -a -exec gzip {} ;
will compress any files in the log directory that haven't been modified for at least 24 hours.
There are also Apache modules available to do the rotation:
o http://httpd.apache.org/modules
o http://modules.apache.org
Related Software
A variety of other software and resources for DACS can be found in the dacs-contrib[32] project at SourceForge[10].
The DACS Java Library (DJL)
The DJL is being developed to support the use of DACS in Java client applications. It implements Java wrapper classes for selected DACS
services, and provides an HTTP client through which DACS services may be accessed and DACS credentials obtained and managed.
The FedAdmin Web Application
FedAdmin is an administrator console for managing the configuration of DACS federations and jurisdictions. It is deployed in a servlet
container such as Tomcat, but must be accessed via an Apache+DACS proxy and deployed under a dedicated FEDADMIN DACS application
jurisdiction.
FedAdmin implements partial coverage of the most common DACS configuration tasks, including viewing federation and jurisdiction
configuration directives, adding and deleting local DACS users, and creating, editing, and deleting ACL rules.
Support
An array of technical support is available from DSS[33]. Please see the support page[34] for details.
Known Problems
There are a few defects in the DACS 1.4 releases that administrators should be aware of. These are not likely to be addressed in the near
future.
1. If the HTTP data stream is compressed or encrypted (other than via SSL), DACS will not be able to access POST arguments and you should
use the mod_auth_dacs module directive "SetDACSAuthPostBuffer 0".
2. In general, DACS does not support IPv6 addresses.
3. The group management service and group distribution utilities have not be tested with this release of DACS.
4. The man pages are generated from DocBook XML. The docbook-xsl used to create [nt]roff source is incomplete and/or buggy. As a result,
the quality of the formatting is sometimes poor. You will find the HTML version of the documentation more readable.
5. Support for internationalization is poor.
6. Some configuration directives have global scope (i.e., they apply in several contexts) when it might be preferable to have
context-specific versions of them. For example, the algorithm specified by PASSWORD_DIGEST[35] is used for more than one purpose within
DACS. On the other hand, this reduces the number of directives, and therefore helps to contain the complexity of DACS.
Bugs, Suggestions, and Feedback
Please see the support page[34] for details.
Some elements of DACS are less well-travelled than others and users may therefore experience problems with them. Please let us know[36] if
you encounter bugs.
SEE ALSO
dacs(1)[2], dacs.install(7)[4], dacs.quick(7)[5]
AUTHOR
Distributed Systems Software (www.dss.ca[33])
COPYING
Copyright2003-2012 Distributed Systems Software. See the LICENSE[3] file that accompanies the distribution for licensing information.
NOTES
1. README
http://dacs.dss.ca/man/../misc/README
2. dacs(1)
http://dacs.dss.ca/man/dacs.1.html
3. LICENSE
http://dacs.dss.ca/man/../misc/LICENSE
4. dacs.install(7)
http://dacs.dss.ca/man/dacs.install.7.html
5. dacs.quick(7)
http://dacs.dss.ca/man/dacs.quick.7.html
6. Apache
http://httpd.apache.org
7. dacscheck(1)
http://dacs.dss.ca/man/dacscheck.1.html
8. http(1)
http://dacs.dss.ca/man/http.1.html
9. sslclient(1)
http://dacs.dss.ca/man/sslclient.1.html
10. SourceForge
http://www.sourceforge.net
11. FreeBSD
http://www.freebsd.org
12. CentOS
http://www.centos.org
13. Red Hat Enterprise Linux
http://www.redhat.com/rhel
14. Mac OS X
http://www.apple.com/macosx
15. FAQ
http://dacs.dss.ca/faq.html
16. Solaris 10
http://www.sun.com/software/solaris/10/index.jsp
17. OpenSolaris
http://www.opensolaris.com
18. x86
http://www.solaris-x86.org/
19. Cygwin
http://cygwin.com/
20. RFC 2616
http://www.rfc-editor.org/rfc/rfc2616.txt
21. subscribe to email notifications
http://freshmeat.net/projects/dacs/
22. HTTPS
http://www.rfc-editor.org/rfc/rfc2818.txt
23. SECURE_MODE
http://dacs.dss.ca/man/dacs.conf.5.html#SECURE_MODE
24. man-in-the-middle attacks
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
25. sslstrip
http://www.thoughtcrime.org/software/sslstrip
26. OpenSSL
http://www.openssl.org
27. crypt(3)
http://www.freebsd.org/cgi/man.cgi?query=crypt&apropos=0&sektion=3&manpath=FreeBSD+9.0-RELEASE&format=html
28. RFC 1305
http://www.rfc-editor.org/rfc/rfc1305.txt
29. Crypto Law Survey
http://rechten.uvt.nl/koops/cryptolaw
30. newsyslog(8)
http://www.freebsd.org/cgi/man.cgi?query=newsyslog&apropos=0&sektion=8&manpath=FreeBSD+9.0-RELEASE&format=html
31. find(1)
http://www.freebsd.org/cgi/man.cgi?query=find&apropos=0&sektion=1&manpath=FreeBSD+9.0-RELEASE&format=html
32. dacs-contrib
http://sourceforge.net/projects/dacs-contrib
33. DSS
http://www.dss.ca
34. support page
http://dacs.dss.ca/support.html
35. PASSWORD_DIGEST
http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_DIGEST
36. let us know
http://www.dss.ca/contactus.html
DACS 1.4.27b 10/22/2012 DACS.README(7)