dacs.readme

DACS.README(7)           DACS Miscellaneous Information           DACS.README(7)



NAME
       dacs.readme - DACS README

DESCRIPTION
       This file is part of the DACS suite.

       After reviewing this document, it will be beneficial to look at these
       important documents:

       •   for a brief description of this release, and possibly last minute
           updates, please refer to README[1]

       •   for a technical overview of the system, including a description of
           command line flags common to most DACS programs, please see
           dacs(1)[2]

       •   for information about licensing, please refer to LICENSE[3]

       •   for information about installation, please refer to
           dacs.install(7)[4]

       •   for the Quick Start tutorial, please refer to dacs.quick(7)[5]

       •   for important release notes, please visit
           https://dacs.dss.ca/download.html


           NO WARRANTY
           This software is provided by Dss "as is" and any express or implied
           warranties, including, but not limited to, the implied warranties of
           merchantability, fitness for a particular purpose, or
           non-infringement, are disclaimed. in no event shall dss be liable for
           any direct, indirect, incidental, special, exemplary, or
           consequential damages (including, but not limited to, procurement of
           substitute goods or services; loss of use, data, or profits; or
           business interruption) however caused and on any theory of liability,
           whether in contract, strict liability, or tort (including negligence
           or otherwise) arising in any way out of the use of this software,
           even if advised of the possibility of such damage.

   DACS At a Glance
       DACS is:

       •   a light-weight, open source single sign-on system;

       •   a flexible and powerful attribute- and role-based access control
           system;

       •   a set of feature-rich authentication methods;

       •   an Apache[6] 2.2 and 2.4 module and suite of CGI programs;

       •   able to apply coarse-grained access control to web service requests
           made using standard web browsers;

       •   able to provide fine-grained access control functionality to almost
           any program or script;

       •   a collection of web services that can provide access control and
           identity management functionality to your middleware;

       •   a C/C++ toolkit for building new authentication and access control
           functionality into programs, whether web-based or not;

       •   for Unix-type platforms, such as GNU/Linux, macOS, and FreeBSD.

       For developers, DACS makes access control functionality available through
       the command line, allowing scripts (Perl, PHP, shell, etc.) to make
       data-driven access control decisions rather than program-driven ones.
       This can be used completely independently of the web functionality and
       without dealing with run-time configuration of DACS. Please see
       dacscheck(1)[7].  DACS also provides web services from which single
       sign-on systems can be constructed.

       For web sites, DACS can help manage access to web resources in many
       situations, whether you have just one web server, several web servers at
       one site, or many web servers spread across the Internet. You may find it
       to be useful simply as a universal authentication mechanism for a single
       Apache server or as a full-fledged, single sign-on multi-server identity
       management and access control system.

           Tip
           If you are interested in dacscheck(1)[7] or the general-purpose DACS
           utilities (e.g., dacshttp(1)[8], sslclient(1)[9]) but are not
           interested in web services or Apache, refer to the instructions in
           dacs.install(7)[4].

       The DACS home page is at https://dacs.dss.ca.  DACS was hosted as a
       SourceForge[10] project at http://sourceforge.net/projects/dacs, but that
       has not been used since 2013.

   Supported Platforms
       DACS is currently developed and tested:

       •   with Apache[6] 2.2.31 and 2.4.25 (2.0.X releases, which were once
           supported, are now deprecated and untested)

       •   on platforms:

           •   FreeBSD[11] 10.3 and 11.1 (amd64)

           •   CentOS[12] 7.3 (x86_64, Linux 3.10, built from Red Hat Enterprise
               Linux[13] 7)

           •   macOS Sierra[14] 10.13.3 (Intel Core i7, x86_64)


       •   using GCC 5.4 (and newer), and on some platforms, recent Clang/LLVM
           compilers

       •   using recent Firefox, Safari, Chrome, and Internet Explorer browsers


           Important
           DACS 1.4.40 is the final version to officially support the Apache 2.2
           series. Future releases of DACS will not be maintained, tested, or
           documented with Apache 2.2 series servers.

       FreeBSD 10.3 is the primary development platform. For this reason,
       references to Unix manual pages throughout the DACS documentation cite
       the FreeBSD documentation. This should not matter much if you are using a
       different platform, but keep this in mind.

       Most DACS installations are on Linux or FreeBSD platforms. Support for
       macOS is comparatively recent.

           Note
           •   When building DACS for use with Apache 2.2, you will probably
               need to specify the --with-apache-apr flag, and perhaps other
               Apache-related flags, to configure.

           •   Apache 1.3 and 2.0 are not supported (please refer to the
               FAQ[15]).

           •   DACS has not been tested with Apache 2.1.

   Other Platforms
       DACS is not officially supported on platforms other than those described
       above. Recent releases have built and worked correctly on other
       platforms, but because we do not have ready access to them, or due to
       lack of interest, we no longer test on them.

       Up to and including version 1.4.25, DACS was tested and used on Solaris
       10[16] (OpenSolaris[17] 2008.11, SunOS 5.11, x86[18]).  Solaris is no
       longer supported. Early versions of DACS were used on Solaris 8 (SPARC)
       and Solaris 10 (SPARC) platforms. A wide variety of build, install, and
       run-time problems were encountered with third-party packages on the
       OpenSolaris and SPARC platforms. Depending on which third-party software
       your DACS configuration requires, or if you are prepared to try older
       versions of third-party software or devote extra effort, you may have
       some success running DACS on these platforms, but in general we cannot
       recommend using these platforms for DACS in production settings and they
       are no longer officially supported. Comments specific to Solaris remain
       in the DACS documentation but will likely be removed in a future release,
       as will configuration and build capabilities.

       Earlier releases of DACS compiled and (mostly) installed cleanly on
       WinXP/Cygwin[19] 1.7.5 and later with GCC 4.3, but starting with DACS
       1.4.26, Cygwin[19] is no longer used for testing DACS. Comments specific
       to Cygwin that remain in the DACS documentation will likely be removed in
       a future release, as will configuration and build capabilities. Regarding
       Cygwin and earlier versions of DACS:

       •   mod_auth_dacs does not build as a shared module

       •   there were problems building Expat 2.0.0 from source (2.0.1 is ok)

       •   only limited testing has been performed on this platform

       •   you can't execute src/config.nice; copy it to some other filename and
           execute that instead

       •   when doing "make install", try the username and group
           "Administrators" or "Administrator" when prompted if you don't know
           what else to use (the install procedure should use those names as
           defaults

       We expect that DACS will also run on other varieties of Unix and with
       other browsers. No testing is done with very old browsers, however. We
       would appreciate reports of problems encountered while building or
       running DACS on unofficial platforms so that we can address portability
       issues and support these platforms better.

   Warnings
       Please read this section carefully!

           Security
            1. After obtaining a DACS release, please verify all checksums for
               the file you downloaded. Do not use a download if any checksum
               for it does not match. Checksums are posted at
               https://dacs.dss.ca/download.html immediately after a new release
               is distributed.

               OpenSSL's dgst command can be used to compute checksums; for
               example,

                   % openssl dgst -md5 dacs-1.4.32.tgz
                   % openssl dgst -sha1 dacs-1.4.32.tgz


            2. Improper installation, configuration, or use of DACS may leave
               your system open to various kinds of attacks and exploits.

               Many other systems and software components, including Apache and
               OpenSSL, can also compromise system security if not properly
               installed, configured, and administered; they give similar
               admonishments. Please take appropriate care.

               A DACS administrator ought to have some experience with Apache
               configuration (including its authentication and access control
               directives, and building httpd), and basic knowledge of security
               issues on the installation platform.

            3. The security of DACS depends on the security of the underlying
               operating system, third party software, build, installation, and
               configuration parameters, human factors, and more. In particular,
               ensure that file ownership and modes are appropriate for run-time
               accessible DACS configuration and data files (dacs.conf,
               site.conf, encryption keys, access control rules, group files,
               etc.).

            4. Users of your DACS-wrapped services are responsible for
               maintaining the secrecy of information used to sign on (such as
               passwords) and authentication and authorization information sent
               to them by DACS (such as HTTP cookies). Spyware, and browser
               modifications or improper settings, may compromise security -
               DACS cannot prevent improper use or intentional misuse.

            5. After access is granted to a resource, DACS does nothing to stop
               a user from redistributing whatever is returned by the web
               server. Therefore, strictly speaking, DACS is neither a copyright
               enforcement system nor is it a Digital Rights Management (DRM)
               system[20], although it may be possible to apply DACS in those
               domains.  DACS does have the ability to force a user to view and
               acknowledge a copyright notice or license, however.

            6. Making routine backup copies of your current DACS configuration
               and data files is strongly encouraged. A procedure should be
               established for periodically creating copies of your DACS
               installation and keeping them in a secure, off-site location.
               This is especially important for encryption keys and account
               files, which cannot be recreated if lost.

            7. Please review Section 15 ("Security Considerations") of RFC
               2616[21].

            8. Be sure to check for new releases of DACS regularly. New releases
               may address important bugs and security issues, so keeping your
               installation current is important. You can subscribe to email
               notifications[22].

               You should likewise stay alert to new releases of third-party
               packages that your install of DACS uses.

            9. Note that, because of the enormous number of combinations of
               platforms, versions, third-party packages, build options,
               run-time options, and so on, not every possible DACS deployment
               that can be created and enabled is actually built or tested. This
               is presumably true for nearly every large software package but
               it's worth emphasizing. Therefore, make sure you test carefully
               before putting your DACS deployment into production and after
               making changes to it.

           10. Reiterating, test carefully after making changes to your DACS
               configuration. In particular, make sure that new access control
               rules and user authentication work as you expect.

           11. For DACS to be a secure system, all communication between DACS
               and its users, components, and middleware must take place over a
               secure connection (typically using SSL/TLS and the HTTPS[23]
               method) to safeguard account names, passwords, DACS credentials,
               and so on.  DACS does not require secure network connections,
               however, and can function without them in situations where a
               lower standard of security is acceptable. See SECURE_MODE[24].

               Note that if a client connects from an insecure subnet, various
               man-in-the-middle attacks[25] are possible, even when it appears
               that SSL/TLS is being used (for example, see sslstrip[26]).

           12. In the event of an emergency situation that might be related to
               DACS, you may, of course, stop all Apache processes. It is
               sufficient to make dacs.conf inaccessible to Apache, however,
               whether by renaming the file, changing its ownership, or changing
               its permissions. (Or, you may make the DACS web services
               unavailable using the same methods.) All DACS web services must
               be able to read dacs.conf, so this will effectively turn DACS
               off. More selective ways of limiting access are available, such
               as through the revocation list.

           13. DACS depends mainly on OpenSSL[27], a third-party package that
               you need to obtain separately, for cryptographic functionality.
               Some library functions provided by your operating system (such as
               crypt(3)[28]) are also used.

           14. It is strongly recommended that the Network Time Protocol (NTP,
               RFC 1305[29]) or equivalent be used on any host that runs DACS
               commands or web services. A sudden, large change to a system's
               clock while DACS is operational may have undesirable effects and
               should be avoided. In particular, setting the system's clock
               backward must be avoided as it may make the system more
               vulnerable to attack, such as by effectively extending the
               lifetime of sensitive data or the validity period of certain
               operations.

           15. System administrators should take appropriate steps to ensure
               that Domain Name System (DNS, RFC 1035[30]) lookups are secure.

           16. If you are deploying DACS as part of a publicly accessible web
               site, consider including a notification on your site that it may
               issue cookies. This is commonly mentioned in a site's "Privacy"
               or "Security" page.  DACS may not function as expected if a
               user's browser has disabled cookies or will not accept them; in
               particular, the single sign-on feature generally requires that
               users' browsers accept cookies.

           17. The DACS distribution may include code, features, or
               functionality that is not described in the distribution's
               documentation, or is described as untested, partially
               implemented, or deprecated, or is accompanied by a warning. Such
               code, features, or functionality is subject to change or removal
               without notice and should not be used.

           18. Weaknesses that render cryptographic algorithms unsuitable in
               certain contexts are inevitably discovered and publicly
               announced.  DACS administrators should revise the configuration
               of cryptographic digests and ciphers appropriately over time to
               maintain the security of their system.

           Important
           DACS MAY INCLUDE ITS OWN CRYPTOGRAPHIC FUNCTIONS and may therefore
           fall under certain import, export, and/or use restrictions in other
           parts of the world, even though DACS is developed, maintained, and
           officially distributed from Canada.

           Export and/or import and/or use of strong cryptography software,
           providing cryptography hooks, or merely communicating technical
           details about cryptographic software is illegal in some parts of the
           world. YOU ARE STRONGLY ADVISED to pay close attention to any laws
           that may apply when you import, export, or use DACS, or even
           communicate about it. We are not liable for any violations you make -
           it is your responsibility. For additional information, see the Crypto
           Law Survey[31].

   Release Information
       Information about DACS releases, including the latest release, is
       provided in the Version Guide[32] and on the Download and Release
       Information page.

       To programmatically determine the latest version of DACS and obtain a
       direct link for downloading, you may invoke
       https://dacs.dss.ca/cgi-bin/dacs/latest_dacs, which returns a simple text
       document comprised of name/value pairs.

   Roadmap
       Stability, backward compatibility, portability across supported
       platforms, and keeping up to date with respect to third-party support
       packages are now the primary goals of DACS 1.4 releases. A top priority
       is to fix all known bugs between releases and improve the documentation.

       Please consult the DACS web site for information on upcoming releases.

   Upgrading
           Security
           Because DACS is security software, we strongly recommend that you
           upgrade to the newest release as soon as you are able.

       Upgrading is neither a difficult nor a time consuming procedure most
       times. Sometimes an incompatible change in DACS will require you to
       change a DACS configuration file, but this should not be difficult to do
       and we will try to advise you of such changes.

       The DACS 1.4 releases contain a great many changes and improvements, some
       incompatible with earlier releases of DACS. If you are upgrading from
       DACS 1.3.2 or another older release, you will need to become familiar
       with these changes. You must manually convert your old DACS configuration
       files to the new format, for example. You should not find upgrading to be
       a difficult or time consuming task.

           Important
           Making backup copies of your DACS installation immediately prior to
           upgrading is strongly recommended.

       Some features available in earlier versions of DACS are not available in
       this release, but will be provided as soon as possible.

       Note that DACS 1.4 may not interoperate with prior releases.

       We aim to avoid making any backward incompatible changes within the DACS
       1.4.x releases.

   Add-on Features
       Some features of DACS may be implemented by third parties or as custom
       extensions. They may be included with the open source DACS distribution
       (and therefore fall under the open source LICENSE[3]), or are provided
       separately. The dacsversion[33] command and dacs_version[34] web service
       indicate whether add-ons are enabled (present) in a particular
       installation of DACS; look for +addons or addons="enabled" from the
       former, and ENABLE_ADDONS=1 from the latter.

       While add-ons may provide new capabilities, they should not alter the
       syntax or semantics of capabilities shared with the base DACS
       distribution.

   Administration
       Once installed and configured, DACS requires very little administration.

           Tip
           At higher logging levels, DACS log files can become large quite
           quickly. You should therefore arrange for them to be rotated
           regularly (e.g., using newsyslog(8)[35]). A built-in log rotation
           feature is being considered for DACS.

       If you're creating DACS log files that have names based on their date of
       creation, to expire/rotate/compress them you might periodically run the
       find(1)[36] command to identify old logs. For example, the command

           % find /usr/local/dacs/logs -type f -a -mtime 2 -a -exec gzip {} \;

       will compress any files in the log directory that haven't been modified
       for at least 24 hours.

       There are also Apache modules available to do the rotation:

       •   http://httpd.apache.org/moduleshttp://modules.apache.org


   Related Software
       A variety of other software and resources for DACS can be found in the
       dacs-contrib[37] project at SourceForge[10].

       The DACS Java Library (DJL)
           The DJL is being developed to support the use of DACS in Java client
           applications. It implements Java wrapper classes for selected DACS
           services, and provides an HTTP client through which DACS services may
           be accessed and DACS credentials obtained and managed.

       The FedAdmin Web Application
           FedAdmin is an administrator console for managing the configuration
           of DACS federations and jurisdictions. It is deployed in a servlet
           container such as Tomcat, but must be accessed via an Apache+DACS
           proxy and deployed under a dedicated FEDADMIN DACS application
           jurisdiction.

           FedAdmin implements partial coverage of the most common DACS
           configuration tasks, including viewing federation and jurisdiction
           configuration directives, adding and deleting local DACS users, and
           creating, editing, and deleting ACL rules.

   Support
       An array of technical support is available from DSS[38]. Please see the
       support page[39] for details.  DACS development, maintenance, and free
       support is made possible in part by customers that purchase technical
       support packages or contract for customizations (most of which then
       become available to all free of charge).

   Known Problems
       There are a few defects in the DACS 1.4 releases that administrators
       should be aware of. These are not likely to be addressed in the near
       future.

        1. If the HTTP data stream is compressed or encrypted (other than via
           SSL/TLS), DACS will not be able to access POST arguments and you
           should use the mod_auth_dacs module directive "SetDACSAuthPostBuffer
           0".

        2. In general, DACS does not support IPv6 addresses.

        3. The group management service and group distribution utilities have
           not be tested with this release of DACS.

        4. The man pages are generated from DocBook XML. The docbook-xsl used to
           create [nt]roff source is incomplete and/or buggy. As a result, the
           quality of the formatting is sometimes poor. You will find the HTML
           version of the documentation more readable.

        5. Support for internationalization is poor.

        6. Some configuration directives have global scope (i.e., they apply in
           several contexts) when it might be preferable to have
           context-specific versions of them. For example, the algorithm
           specified by PASSWORD_DIGEST[40] is used for more than one purpose
           within DACS. On the other hand, this reduces the number of
           directives, and therefore helps to contain the complexity of DACS.

   Bugs, Suggestions, and Feedback
       Please see the support page[39] for details.

       Some elements of DACS are less well-travelled than others and users may
       therefore experience problems with them. Please let us know[41] if you
       encounter bugs.

SEE ALSO
       dacs(1)[2], dacs.install(7)[4], dacs.quick(7)[5]

AUTHOR
       Distributed Systems Software (www.dss.ca[38])

COPYING
       Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[3]
       file that accompanies the distribution for licensing information.

NOTES
        1. README
           http://dacs.dss.ca/man/../misc/README

        2. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

        3. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE

        4. dacs.install(7)
           http://dacs.dss.ca/man/dacs.install.7.html

        5. dacs.quick(7)
           http://dacs.dss.ca/man/dacs.quick.7.html

        6. Apache
           http://httpd.apache.org

        7. dacscheck(1)
           http://dacs.dss.ca/man/dacscheck.1.html

        8. dacshttp(1)
           http://dacs.dss.ca/man/dacshttp.1.html

        9. sslclient(1)
           http://dacs.dss.ca/man/sslclient.1.html

       10. SourceForge
           http://www.sourceforge.net

       11. FreeBSD
           https://www.freebsd.org

       12. CentOS
           http://www.centos.org

       13. Red Hat Enterprise Linux
           http://www.redhat.com/rhel

       14. macOS Sierra
           http://www.apple.com/macosx

       15. FAQ
           https://dacs.dss.ca/faq.html

       16. Solaris 10
           http://www.sun.com/software/solaris/10/index.jsp

       17. OpenSolaris
           http://www.opensolaris.com

       18. x86
           http://www.solaris-x86.org/

       19. Cygwin
           http://cygwin.com/

       20. Digital Rights Management (DRM) system
           http://en.wikipedia.org/wiki/Digital_rights_management

       21. RFC 2616
           http://www.rfc-editor.org/rfc/rfc2616.txt

       22. subscribe to email notifications
           http://freshmeat.net/projects/dacs/

       23. HTTPS
           http://www.rfc-editor.org/rfc/rfc2818.txt

       24. SECURE_MODE
           http://dacs.dss.ca/man/dacs.conf.5.html#SECURE_MODE

       25. man-in-the-middle attacks
           http://en.wikipedia.org/wiki/Man-in-the-middle_attack

       26. sslstrip
           http://www.thoughtcrime.org/software/sslstrip

       27. OpenSSL
           http://www.openssl.org

       28. crypt(3)
           https://www.freebsd.org/cgi/man.cgi?query=crypt&apropos=0&sektion=3&manpath=FreeBSD+10.3-RELEASE&format=html

       29. RFC 1305
           http://www.rfc-editor.org/rfc/rfc1305.txt

       30. RFC 1035
           http://www.rfc-editor.org/rfc/rfc1035.txt

       31. Crypto Law Survey
            http://www.cryptolaw.org

       32. Version Guide
           https://dacs.dss.ca/versions.html

       33. dacsversion
           http://dacs.dss.ca/man/dacsversion.1.html

       34. dacs_version
           http://dacs.dss.ca/man/dacs_version.8.html

       35. newsyslog(8)
           https://www.freebsd.org/cgi/man.cgi?query=newsyslog&apropos=0&sektion=8&manpath=FreeBSD+10.3-RELEASE&format=html

       36. find(1)
           https://www.freebsd.org/cgi/man.cgi?query=find&apropos=0&sektion=1&manpath=FreeBSD+10.3-RELEASE&format=html

       37. dacs-contrib
           http://sourceforge.net/projects/dacs-contrib

       38. DSS
           http://www.dss.ca

       39. support page
           https://dacs.dss.ca/support.html

       40. PASSWORD_DIGEST
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_DIGEST

       41. let us know
           http://www.dss.ca/contactus.html



DACS 1.4.40                        02/19/2019                     DACS.README(7)