.\" Copyright (c) 2003-2012
.\" Distributed Systems Software.  All rights reserved.
.\" See the file LICENSE for redistribution information.
.\" $Id: copyright-nr 2564 2012-03-02 00:17:08Z brachman $
'\" t
.\"     Title: dacs.install
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 02/19/2019
.\"    Manual: DACS Miscellaneous Information Manual
.\"    Source: DACS 1.4.40
.\"  Language: English
.\"
.TH "DACS\&.INSTALL" "7" "02/19/2019" "DACS 1.4.40" "DACS Miscellaneous Information"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dacs.install \- \fBDACS\fR installation guide
.SH "DESCRIPTION"
.PP
This document describes how to build and install this release of
\fBDACS\fR\&. Please read it carefully\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Installation requires the GNU
\fBmake\fR
command (\m[blue]\fBgmake\fR\m[]\&\s-2\u[1]\d\s+2) and
\m[blue]\fBGCC\fR\m[]\&\s-2\u[2]\d\s+2\&. On
macOS,
\m[blue]\fBLLVM/Clang\fR\m[]\&\s-2\u[3]\d\s+2
is used\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Our philosophy is that
\fBDACS\fR
should be used with the most recent stable versions of third\-party packages (such as
\fBOpenSSL\fR) available at the time
\fBDACS\fR
is released\&. This helps to ensure that a
\fBDACS\fR
deployment has the latest security features and bug fixes\&. A
\fBDACS\fR
release will most likely not have been tested with older (or newer) third\-party packages, and the
\fBDACS\fR
instructions for configuring or building an older release may be incorrect\&. You may save yourself time and headaches if you just use the recommended releases\&.
.sp
That said, third\-party software used by
\fBDACS\fR
is often already installed or readily obtained using
\fByum\fR,
\fBrpm\fR,
\fBpkg\fR, or a similar package manager\&. These are often not the latest versions, but sometimes convenience outweighs other factors\&. Provided the
\fBDACS\fR
documentation does not forbid a particular version and
\fBDACS\fR
seems to build and test correctly with it, you may elect to use it\&.
.sp
For a very few third\-party packages, it is important that you use the
\fIexact version\fR
that is mentioned\&. Do not use anything newer or older\&.
.sp
For some third\-party packages, a particular release is
\fIrecommended\fR\&. It is less critical that you use the recommended release\&.
.sp
Sometimes the recommended version of a third\-party package will be fine on some platforms but is buggy or will not build on another platform\&. Whenever possible, the
\fBDACS\fR
installation instructions suggest an alternative version, and you may proceed with that version, or a recent version of your choice \- but keep the preceding comments regarding older releases in mind and ensure that a "\fBgmake test\fR" of
\fBDACS\fR
completes successfully\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Should a critical bug in a third\-party package be found, the
\m[blue]\fBPost\-Release Notes\fR\m[]\&\s-2\u[4]\d\s+2
section will provide instructions\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You should build third\-party packages in the order in which they are discussed below because packages that are discussed earlier may require some that appear later\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The examples here and in other
\fBDACS\fR
documentation assume that
\fBDACS\fR
is installed in its default location,
/usr/local/dacs\&. If you specify a different location at build time, please keep this in mind as you read the documentation\&. This also applies to third\-party packages, which you may install where convenient, provided you are careful not to confuse or combine different versions of the same package; in this document\*(Aqs examples we install them under
/usr/local
and unpack their source code under
/local/src\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In some examples, long lines have been split to improve readability\&. Copy\-and\-paste with care\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Whenever you upgrade to a more recent version of
\fBDACS\fR, do not forget to install the
\fBmod_auth_dacs\fR
module that comes with your new version of
\fBDACS\fR\&.
\fBDACS\fR
web\-based access control (\m[blue]\fBdacs_acs(8)\fR\m[]\&\s-2\u[5]\d\s+2) will deny all access if it detects an incompatible version of
\fBmod_auth_dacs\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
macOS
you will probably need to install the
\m[blue]\fBXcode\fR\m[]\&\s-2\u[6]\d\s+2
development environment\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On some platforms, the PAM development environment is required if you need
\fBDACS\fR
to authenticate against Unix accounts\&. If
security/pam_appl\&.h
is in a standard
include
directory, as is often the case, it has probably been installed and no action is necessary\&. On platforms where this development environment is optional (CentOS), it may be necessary to install it; for example,
.sp
.if n \{\
.RS 4
.\}
.nf
# yum install pam\-devel\&.x86_64
.fi
.if n \{\
.RE
.\}
.sp
For details, refer to
\m[blue]\fBUsing Pluggable Authentication Modules (PAM)\fR\m[]\&\s-2\u[7]\d\s+2\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On some systems it will be necessary to use
\m[blue]\fBldconfig(8)\fR\m[]\&\s-2\u[8]\d\s+2
(or equivalent) so that your system finds the correct shared libraries for programs that are executed by the web server, including the
\fBDACS\fR
web services\&. Command such as
\m[blue]\fBldd(1)\fR\m[]\&\s-2\u[9]\d\s+2
and
\fBotool\fR
may be helpful\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Solaris
and
OpenSolaris
are no longer supported\&. Notes regarding these unsupported platforms and deprecated releases of supported platforms may appear in the
\fBDACS\fR
documentation and source code\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDACS\fR
is not supported on
Microsoft Windows
platforms\&.
\m[blue]\fBCygwin\fR\m[]\&\s-2\u[10]\d\s+2, which provides a
GNU/Linux\-like environment for
Windows, is not an officially\-supported platform, but earlier
\fBDACS\fR
releases would usually build on it\&. At that time, running
\fBDACS\fR
utilities and commands on
Windows
(such as
\fBdacscheck\fR) required installing the binaries along with the
Cygwin
run\-time libraries, such as
/bin/cygwin1\&.dll
and
/bin/cygcrypt\-0\&.dll\&.
.RE
.sp .5v
.RE
.SS "Trying DACS"
.PP
If at this time you only want to try
\fBDACS\fR
rather than doing a full install, review the information below regarding third\-party packages and then proceed to follow the instructions you will find in
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[11]\d\s+2, which is a step\-by\-step tutorial for installing and configuring
\fBDACS\fR\&.
.SS "Upgrading DACS"
.PP
If
\fBDACS\fR
1\&.4 is already installed on your system and you are not changing any third\-party packages or installation options, for a "quick and dirty" upgrade you can often install a new release on top of a previous release\&. While this will leave your existing
\fBDACS\fR
configuration files alone, it will also leave files that are no longer needed by the new
\fBDACS\fR\&. Be sure to check the new distribution\*(Aqs release notes,
HISTORY
file, and the rest of this manual page for any notable changes and incompatibilities \- you may need to make some adjustments to your pre\-existing installation\&.
.PP
It is possible for minor, incompatible changes introduced by a new release to cause temporary, user\-visible problems\&. For example, changes to the format of credentials might invalidate sessions (i\&.e\&.,
\fBDACS\fR
HTTP cookies) issued by the earlier release, requiring users to reauthenticate\&.
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Make a backup copy of the previous install, just in case\&.
\fIIt is especially important to make copies of all data files (such as \fR\fI\fBDACS\fR\fR\fI password files, other kinds of account files, encryption keys) and any custom configuration (such as access control rules)\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
Obtain and unpack the new distribution and
\fBchdir\fR
to it;
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
Review
\m[blue]\fBdacs\&.readme(7)\fR\m[]\&\s-2\u[12]\d\s+2
and the instructions in this document;
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
Copy
src/config\&.nice
from your installed version to the new
src
directory, make any updates and corrections that are necessary, and configure
\fBDACS\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd src; sh \&./config\&.nice
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
Build
\fBDACS\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}
We recommend that you remove some of the files from the previous release in case they are no longer required or have been renamed\&. Unless you have put non\-standard files in them or made non\-standard customizations, it is safe to simply delete these directories and their contents:
.sp
.if n \{\
.RS 4
.\}
.nf
% rm \-f \-r /usr/local/dacs/{acls,bin,include,lib,man,www}
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  7." 4.2
.\}
Stop
\fBhttpd\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% apachectl stop
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 8.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  8." 4.2
.\}
Install
\fBDACS\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 9.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  9." 4.2
.\}
Make and install the latest
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[13]\d\s+2:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd \&.\&./apache; gmake tag install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'10.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "10." 4.2
.\}
Restart
\fBhttpd\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% apachectl start
.fi
.if n \{\
.RE
.\}
.sp
or
.sp
.if n \{\
.RS 4
.\}
.nf
% apachectl startssl
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'11.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "11." 4.2
.\}
Check that
\fBDACS\fR
appears to be working correctly\&. You may find it handy to construct a set of links or bookmarks that you can use after installing or configuring
\fBDACS\fR
to invoke various
\fBDACS\fR
web services with appropriate arguments; for instance, try
\m[blue]\fBdacs_authenticate(8)\fR\m[]\&\s-2\u[14]\d\s+2
\m[blue]\fBdacs_current_credentials(8)\fR\m[]\&\s-2\u[15]\d\s+2,
\m[blue]\fBdacs_prenv(8)\fR\m[]\&\s-2\u[16]\d\s+2,
\m[blue]\fBdacs_list_jurisdictions(8)\fR\m[]\&\s-2\u[17]\d\s+2,
\m[blue]\fBdacs_conf(8)\fR\m[]\&\s-2\u[18]\d\s+2,
\m[blue]\fBdacs_signout(8)\fR\m[]\&\s-2\u[19]\d\s+2, and
\m[blue]\fBdacs_version(8)\fR\m[]\&\s-2\u[20]\d\s+2\&. Review the
\fBDACS\fR
log file for any error messages or warnings\&.
.RE
.SS "Installation Layout Overview"
.PP
By default,
\fBDACS\fR
is installed under
/usr/local/dacs\&. It is sometimes installed as
/usr/local/dacs\-\fIversion\fR
(e\&.g\&.,
/usr/local/dacs\-1\&.4\&.30) with the current version symbolically linked to, and referenced as,
/usr/local/dacs\&. In the documentation and
\fBDACS\fR
configuration files, the root directory used is referred to as
\m[blue]\fBDACS_HOME\fR\m[]\&\s-2\u[21]\d\s+2
or the
\m[blue]\fBconfiguration variable\fR\m[]\&\s-2\u[22]\d\s+2
\fI${Conf::DACS_HOME}\fR\&. The locations of other components are usually specified relative to the actual root directory, as in
site\&.conf
(and its template,
conf/site\&.conf\-std) and
dacs\&.conf\&. While the default layout of directories and files is adequate, system administrators often customize it, which is not difficult to do\&. Customization might be desirable for security, availability, aesthetic, or performance reasons\&.
.PP
Briefly, the default directory layout is as follows\&. The organization of files and directories within these directories can be customized by system administrators through changes to
site\&.conf
and
dacs\&.conf
and largely depends on how many federations and jurisdictions will be configured and how much configuration is shared by different federations and jurisdictions\&. Also see
\m[blue]\fBConfiguration Variables\fR\m[]\&\s-2\u[22]\d\s+2\&.
.PP
/usr/local/dacs
.RS 4
The installation root directory\&.
.RE
.PP
/usr/local/dacs/acls
.RS 4
Default access control list files for
\fBDACS\fR
web services and resources, copied from the distribution\*(Aqs
acls
directory\&.
.RE
.PP
/usr/local/dacs/bin
.RS 4
This contains
\fBDACS\fR
commands and utilities (and excludes the
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[13]\d\s+2, which is installed in
\fBApache\fR\*(Aqs
modules
directory)\&.
.RE
.PP
/usr/local/dacs/etc
.RS 4
Currently unused\&.
.RE
.PP
/usr/local/dacs/federations
.RS 4
This directory will contain one directory per federation, and each of those subdirectories will contain one directory per jurisdiction\&. The following example shows a default configuration for a site that belongs to two federations, having domains
fed1\&.example\&.com
and
fed2\&.example\&.com\&. The site has two jurisdictions (JUR1
and
JUR2) at this site that belong to the former federation and one jurisdiction (JUR8) in the latter federation\&.
.sp
.if n \{\
.RS 4
.\}
.nf
  /usr/local/dacs/federations/fed1\&.example\&.com
  /usr/local/dacs/federations/fed1\&.example\&.com/federation_keyfile
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/jurisdiction_keyfile
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/acls
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/acls/revocations
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/auth_tokens
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/auth_token_keys
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/auth_token_keys\&.prev
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/groups
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/passwd
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR1/roles
  
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/jurisdiction_keyfile
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/acls
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/acls/revocations
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/auth_tokens
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/auth_token_keys
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/auth_token_keys\&.prev
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/groups
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/passwd
  /usr/local/dacs/federations/fed1\&.example\&.com/JUR2/roles
  

  /usr/local/dacs/federations/fed2\&.example\&.com
  /usr/local/dacs/federations/fed2\&.example\&.com/federation_keyfile
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/jurisdiction_keyfile
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/acls
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/acls/revocations
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/auth_tokens
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/auth_token_keys
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/auth_token_keys\&.prev
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/groups
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/passwd
  /usr/local/dacs/federations/fed2\&.example\&.com/JUR8/roles
  
.fi
.if n \{\
.RE
.\}
.sp


If additional data or configuration files are needed,
an administrator is free to place them wherever convenient within this
hierarchy by referencing them using appropriate configuration directives in
dacs\&.conf\&.
.RE
.PP
/usr/local/dacs/include
.RS 4
This directory contains header files for use with custom
\fBDACS\fR
code\&.
.RE
.PP
/usr/local/dacs/lib
.RS 4
Run\-time libraries are installed here\&.
.RE
.PP
/usr/local/dacs/logs
.RS 4
Run\-time log files are written here by
\m[blue]\fBdacs_acs(8)\fR\m[]\&\s-2\u[5]\d\s+2
and
\fBDACS\fR
commands\&.
.RE
.PP
/usr/local/dacs/sbin
.RS 4
Analogous to
/usr/sbin, system administrative commands are installed here\&.
.RE
.PP
/usr/local/dacs/share/man
.RS 4
\fBDACS\fR
manual pages for use by
\m[blue]\fBman(1)\fR\m[]\&\s-2\u[23]\d\s+2
are installed here\&.
.RE
.PP
/usr/local/dacs/tmp
.RS 4
Various temporary run\-time files, such as lock files, are kept in this directory\&.
.RE
.PP
/usr/local/dacs/www
.RS 4
\fBDACS\fR
HTML documentation is installed here\&.
.RE
.SS "Installing DACS"
.PP
The following describes how to install
\fBDACS\fR\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If another release of
\fBDACS\fR
is present, rename your previous release, install the new release, and then copy any site\-specific configuration files from the previous release to the new release\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Be careful not to mix
\fBDACS\fR
binaries and support files from different releases\&. This can lead to strange behaviour that is often hard to resolve\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are installing or upgrading a third\-party package, make sure that you are building it against the correct include files and libraries (e\&.g\&., ensure that the
\fBDACS\fR
build is not finding an old version, or using include files from one version and library files from a different version, or that
\fBhttpd\fR
is trying to use the wrong version of an
\fBOpenSSL\fR
library)\&. This is frequently the cause of build and run\-time problems\&.
.RE
.sp .5v
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Unpack the
\fBDACS\fR
distribution and move to its root directory\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
Familiarize yourself with the system by:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
reading this document;
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
running:
.sp
.if n \{\
.RS 4
.\}
.nf
% src/configure \-\-help
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
browsing through the documentation (best done by loading
\m[blue]\fBman/index\&.html\fR\m[]\&\s-2\u[24]\d\s+2
into your browser);
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
deciding where you want the various components to be installed; and
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
considering which optional features you may want (you can easily make changes at any time, so do not be too concerned about this)\&.
.RE
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
A few third\-party packages are
\fIrequired\fR
by
\fBDACS\fR
and must be built before
\fBDACS\fR
can be configured and built\&. Please note carefully if any special exceptions apply to your particular platform and third\-party package needs\&. Although you may have better luck, sometimes we experienced problems building the recommended packages (or combinations of packages) on certain platforms; whenever possible, we try to provide a workable alternative\&. Late\-breaking updates are sometimes available in the release\*(Aqs
\m[blue]\fBPost\-Release Notes\fR\m[]\&\s-2\u[4]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
It is not necessary to actually
\fIinstall\fR
these packages, you only have to
\fIbuild\fR
them so that the
\fBDACS\fR
build can use their libraries, include files, and so on, directly from where you build the packages\&. You may chose to do this if you do not want to upgrade an existing version of the package, or if you are unable to do so\&.
.sp
Shared libraries belonging to these packages must be accessible at run\-time, so
\fIplease make sure that their path permissions enable them to be read by a program executing with \fR\fI\fBApache\fR\fR\fI\*(Aqs CGI permissions\fR\&.
.sp
Build these packages
\fIin the order in which they are listed below\fR\&.
.sp
If you install a package, you may need to be root or use
\m[blue]\fBsudo(8)\fR\m[]\&\s-2\u[25]\d\s+2
(e\&.g\&., "\fBsudo make install\fR")\&.
.sp
These packages are not distributed with
\fBDACS\fR
and have licensing terms completely separate from those of
\fBDACS\fR
that are your responsibility\&.
.sp .5v
.RE
.PP
\fBThird\-Party Package Index:\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBExpat\fR: XML parser
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSL\fR: Crytographic toolkit
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBApache\fR: Web server
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Berkeley DB, gdbm, ndbm: dbm\-type database libraries
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSQLite\fR: SQL database engine
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBlibdsm/Samba\fR: NTLM authentication protocol client
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
libxml2, xmlsec1: XML toolkit and security libraries
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenLDAP\fR: Lightweight Directory Access Protocol software
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Readline: Command line history and editing
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Install the
Expat
XML parser
.sp
This release of
\fBDACS\fR
has been tested with
\m[blue]\fBExpat\fR\m[]\&\s-2\u[26]\d\s+2
2\&.2\&.5
and we recommend that you use that release\&.
.sp
For use with
\fBDACS\fR,
\fBExpat\fR
can either be built with
\fB\-prefix=/usr/local\fR
or something like
\fB\-prefix=/usr/local/expat\-2\&.2\&.5\fR, whichever you prefer\&. In the former case, you can omit the
\fB\-\-with\-expat\fR
when configuring
\fBDACS\fR
or use
\fB\-\-with\-expat=/usr/local\fR, and in the latter case you must use
\fB\-\-with\-expat=/usr/local/expat\-2\&.2\&.5\fR\&. Here is how we usually build
\fBExpat\fR
after unpacking it:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd expat\-2\&.2\&.5
% \&./configure \-\-prefix=/usr/local/expat\-2\&.2\&.5
% make
(All should go well\&.)
% make install
(All should go well here, too\&.)
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
On
Win2K/Cygwin, only a static library is needed\&. From the root of the
\fBexpat\fR
distribution directory:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd lib; ar rv libexpat\&.a *\&.o; ranlib libexpat\&.a
.fi
.if n \{\
.RE
.\}
.sp
If the build fails, reconfigure using
\fB\-\-enable\-shared=no\fR
and
\fB\-\-enable\-static=yes\fR
and try to build it again\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
Install
\fBOpenSSL\fR
.sp
\fBDACS\fR
uses cryptographic functionality provided by
\m[blue]\fBOpenSSL\fR\m[]\&\s-2\u[27]\d\s+2\&. This release of
\fBDACS\fR
has been tested with
openssl\-1\&.0\&.2n
and we recommend that you use that release with
\fBDACS\fR\&.
\fBApache\fR
should be built using the version of
\fBOpenSSL\fR
recommended by the particular
\fBApache\fR
release \- using a more recent version of
\fBOpenSSL\fR
may introduce build problems or run\-time bugs in
\fBApache\fR\&.
\fIIt is not necessary for \fR\fI\fBApache\fR\fR\fI and \fR\fI\fBDACS\fR\fR\fI to use the same release of \fR\fI\fBOpenSSL\fR\fR\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDACS\fR
will likely work with recent
openssl\-1\&.0\&.1x
releases, although those versions are no longer officially supported and may have important security issues\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are enabling
\fBDACS\fR
support for Java, add the
\fB\-fPIC\fR
flag to
\fBconfig\fR
when you are building
\fBOpenSSL\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In some configurations you may want or require shared
\fBOpenSSL\fR
libraries; if so, add the
\fBshared\fR
command line flag to
\fBconfig\fR
when building
\fBOpenSSL\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
\fBOpenSSL\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./config \-\-prefix=/usr/local/openssl\-1\&.0\&.2n \-\-openssldir=/usr/local/openssl\-1\&.0\&.2n \e
    \-fPIC shared
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
macOS, however, it was necessary to explicitly request a 64\-bit build of
\fBOpenSSL\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./Configure darwin64\-x86_64\-cc \-\-prefix=/usr/local/openssl\-1\&.0\&.2n \e
    \-\-openssldir=/usr/local/openssl\-1\&.0\&.2n \-fPIC shared
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
Install
Apache
2\&.4\&.29
or
2\&.2\&.34
.sp
You will need an SSL/TLS\-capable
\m[blue]\fBApache\fR\m[]\&\s-2\u[28]\d\s+2
server (build
\fBApache\fR
with
\fB\-\-enable\-ssl\fR) that uses a recent version of
\fBOpenSSL\fR
(build
\fBApache\fR
using
\fB\-\-with\-ssl=\fR\fB\fIpath\fR\fR, see
\m[blue]\fBabove\fR\m[]\&\s-2\u[29]\d\s+2)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
\fBDACS\fR
1\&.4\&.40
is the final version to officially support the Apache 2\&.2 series\&. Future releases of
\fBDACS\fR
will not be maintained, tested, or documented with Apache 2\&.2 series servers\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
You can install a subset of
\fBDACS\fR
that does not require
\fBApache\fR
and does not require
\fIany\fR
\fBDACS\fR
configuration\&. These stand\-alone, general\-purpose utility commands, such as
\fBdacshttp\fR
and
\fBsslclient\fR, might be of interest to you even if you are not interested in any other parts of
\fBDACS\fR\&. Look for
BASIC_PROGS
in
Makefile\&.in
to see which commands will be installed\&.
.sp
To build this subset, use
\fB\-\-with\-apache=omit\fR
when running
\fBconfigure\fR\&. Please continue to review the information about third\-party packages in this document, but you can ignore anything that follows that is related to
\fBApache\fR
and
\fBmod_auth_dacs\fR\&.
.sp .5v
.RE
If you want to use
\m[blue]\fBmod_auth_dacs\fR\m[]\&\s-2\u[13]\d\s+2
as a dynamic module, which is the recommended configuration, make sure that
\fBmod_so\fR
is built\-in to your
\fBhttpd\fR
("httpd \-l" displays a list)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
This release of
\fBDACS\fR
has been tested with both
\fBApache\fR
2\&.2\&.34
and
\fBApache\fR
2\&.4\&.29\&. We now strongly recommend that you use
2\&.4\&.29\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If suitable
APR,
APR\-UTIL, and other support libraries have already been installed on your system, you may be able to perform a basic build and install of
\fBApache\fR
2\&.4
with a command like:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd httpd\-2\&.4\&.29
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.4\&.29 \-\-enable\-ssl \e
      \-\-with\-ssl=/usr/local/openssl\-1\&.0\&.2n
% make install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Detailed instructions for building
\fBApache\fR
2\&.4\&.29
can be found in Apache\*(Aqs
INSTALL
file\&. For the testing platforms, we get the
APR
and
APR\-UTIL
libraries from
\m[blue]\fBapr\&.apache\&.org\fR\m[]\&\s-2\u[30]\d\s+2
and unpack them in the Apache distribution\*(Aqs
srclib
directory, then rename them
srclib/apr
and
srclib/apr\-util, respectively, as it says in
INSTALL\&. We currently use
apr\-1\&.6\&.3
and
apr\-util\-1\&.6\&.1\&. If you are building
\fBhttpd\fR
this way, include the
\fB\-\-with\-included\-apr\fR
flag with
\fBconfigure\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
CentOS
5\&.9
and later, the
\fBApache\fR
build initially failed with a complaint about not finding
\fBpcre\-config\fR\&. To solve this, we did:
.sp
.if n \{\
.RS 4
.\}
.nf
# yum install pcre\-devel\&.x86_64
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
We sometimes run into minor problems configuring or building
\fBApache\fR
2\&.4
on
macOS, especially after a recent
\m[blue]\fBXcode\fR\m[]\&\s-2\u[6]\d\s+2
upgrade\&. Ensure your
\fBPATH\fR
is correct\&. It is sometimes necessary to make a symbolic link from an
\m[blue]\fBXcode\fR\m[]\&\s-2\u[6]\d\s+2
directory
/Applications/Xcode\&.app/Contents/Developer/Toolchains/XcodeDefault\&.xctoolchain/\&.\&.\&.
to a more conventional path so that it is found\&. If necessary, obtain Perl Compatible Regular Expressions (PCRE) from
\m[blue]\fBhttp://pcre\&.org\fR\m[]
and install it, then make sure that
\fBpcre\-config\fR
is on your
\fBPATH\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When building
\fBApache\fR
2\&.2, running
\fBconfigure\fR
as shown above will work in some cases (distributions of the
2\&.2
branch include the
APR
and
APR\-UTIL
libraries, currently
apr\-1\&.6\&.3
and
apr\-util\-1\&.6\&.1)\&. If you decide not to use the
APR
and
APR\-UTIL
libraries that ship with
\fBApache\fR, remove or rename the existing directories and install the fresh copies, which is the procedure we usually follow\&.
.sp
After unpacking fresh copies of
APR
(as
srclib/apr) and
APR\-UTIL
(as
srclib/apr\-util), configure, build, and install them\&. We then build
\fBhttpd\fR
using the
\fB\-\-with\-apr\fR
and
\fB\-\-with\-apr\-util\fR
flags\&. When you build
\fBDACS\fR
in an upcoming step, you will probably need to use the
\fB\-\-with\-apache\fR
and
\fB\-\-with\-apache\-apr\fR
flags (see
\m[blue]\fBThird\-party support options\fR\m[]\&\s-2\u[31]\d\s+2)\&. If you are going to use the
\fB\-\-with\-berkeley\-db\fR
flag when building
APR\-UTIL
(e\&.g\&.,
\fB\-\-with\-berkeley\-db=/usr/local/BerkeleyDB\&.5\&.3\fR), you may want to temporarily skip ahead to
\m[blue]\fBbuild Berkeley DB\fR\m[]\&\s-2\u[32]\d\s+2
before returning here to continue your
\fBApache\fR
build\&. (Note:
apr\-util
will sometimes not work with the latest versions of
Berkeley DB; refer to documentation for its
\fB\-\-with\-dbm\fR
flag)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
\fBApache\fR
2\&.2
after unpacking it and the correct versions of the
APR
and
APR\-UTIL
libraries:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd httpd\-2\&.2\&.34
% cd srclib/apr
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.2\&.34/apr\-httpd \-\-disable\-lfs CFLAGS=\-fPIC
% make install
% cd \&.\&./apr\-util
# See notes below for adding LDFLAGS
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.2\&.34/apr\-util\-httpd
       \-\-with\-apr=/usr/local/apache2\-2\&.2\&.34/apr\-httpd
       \-\-with\-expat=/usr/local/expat\-2\&.2\&.5
       \-\-with\-dbm=db53
% make install
% cd \&.\&./\&.\&.
# See notes below for adding LDFLAGS
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.2\&.34 \-\-enable\-ssl
       \-\-with\-ssl=/usr/local/openssl\-1\&.0\&.2n
       \-\-with\-apr=/usr/local/apache2\-2\&.2\&.34/apr\-httpd
       \-\-with\-apr\-util=/usr/local/apache2\-2\&.2\&.34/apr\-util\-httpd
       LDFLAGS="\-rpath /usr/local/db\-5\&.3\&.28/lib \-rpath /usr/local/openssl\-1\&.0\&.2n/lib"
% make install
.fi
.if n \{\
.RE
.\}
.sp
This builds a very basic server; you can enable other options if you want\&.
.sp
Because we deal with multiple versions of third\-party packages, each release is installed separately, hence the version numbers in the pathnames\&.
.sp
If you encounter problems building
\fBdacsversion\fR, it may be necessary for you to go back and build
APR
with the
\fB\-\-disable\-lfs\fR
flag to disable large file support on your platform\&.
.sp
On
FreeBSD, when doing the top level
\fBApache\fR
configuration above it was necessary to add "\-rpath /usr/local/db\-5\&.3\&.28/lib \-rpath /usr/local/openssl\-1\&.0\&.2n/lib" to
\fILDFLAGS\fR
so that Apache commands could find shared libraries at run time\&.
.sp
On
CentOS, when building
apr\-util, and at the top level, it was necessary to use (instead of the
\-rpath
flags) "\-Wl,\-rpath /usr/local/db\-5\&.3\&.28/lib \-Wl,\-rpath /usr/local/openssl\-1\&.0\&.2n/lib" to
\fILDFLAGS\fR\&.
.sp
Alternatively, on either platform the
\fBldconfig\fR
command or
\fBLD_LIBRARY_PATH\fR
might be used\&. It appears that the
\fILDFLAGS\fR
above should be omitted on
macOS\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In some configurations an "undefined ssl_hook_Fixup symbol" error or "Cannot load modules/mod_ssl\&.so into server" error is produced by
\fBhttpd\fR
when it starts up\&. This was also seen in earlier releases of
\fBApache\fR\&. These errors can be due to an apparent bug in the
\fBApache\fR
build procedure that results in the
\fBmod_ssl\fR
module not knowing where
libssl\&.so
and
libcrypto\&.so
are, even though the correct path was specified at Apache build time through the
\fB\-\-with\-ssl\fR
flag to
\fBconfigure\fR\&.
.sp
One solution is to make
\fBmod_ssl\fR
a built\-in module instead of a dynamically loaded module\&. Build
\fBApache\fR
using something similar to this (using the
\fB\-\-enable\-ssl=static\fR
flag is the important change):
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.4\&.29 \e
    \-\-with\-ssl=/usr/local/openssl\-1\&.0\&.2n \-\-enable\-ssl=static
.fi
.if n \{\
.RE
.\}
.sp
Then do a "\fBmake install\fR"\&. Note that you will need to comment out the
httpd\&.conf
directive that loads
\fBmod_ssl\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
# LoadModule ssl_module modules/mod_ssl\&.so
.fi
.if n \{\
.RE
.\}
.sp
Now, from the
\fBApache\fR
installation directory, try:
.sp
.if n \{\
.RS 4
.\}
.nf
% bin/httpd \-l
% bin/httpd \-M
.fi
.if n \{\
.RE
.\}
.sp
If
\fBhttpd\fR
cannot find your
\fBOpenSSL\fR
libraries, you will see an error message like this:
.sp
.if n \{\
.RS 4
.\}
.nf
error while loading shared libraries: libssl\&.so\&.1\&.0\&.0: cannot open
  shared object file: No such file or directory
.fi
.if n \{\
.RE
.\}
.sp
Tell the linker where the
\fBOpenSSL\fR
libraries are by setting the
\fBLD_LIBRARY_PATH\fR
environment variable for
\fBhttpd\fR; for example:
.sp
.if n \{\
.RS 4
.\}
.nf
%  sh \-c "export LD_LIBRARY_PATH=/usr/local/openssl\-1\&.0\&.2n/lib; bin/httpd \-M"
.fi
.if n \{\
.RE
.\}
.sp
You may also be able to resolve the problem using the
\fBldconfig\fR
command, but we don\*(Aqt know if that could possibly break other programs that expect a different version of the
\fBOpenSSL\fR
library\&. You will need to always set
\fBLD_LIBRARY_PATH\fR
before running
\fBhttpd\fR, maybe using an alias or script\&. If you use
\fBapachectl\fR
to manage
\fBApache\fR, you could simply have it set
\fBLD_LIBRARY_PATH\fR
(also see the
\fBApache\fR
\fBenvvars\fR
script, which is sourced by
\fBapachectl\fR)\&.
.sp
Another thing to try if
\fBApache\fR
is unable to load a shared library is to re\-run
\fBconfigure\fR
without the
\fB\-\-with\-dbm\fR
flag\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Sometimes the
\fBApache\fR
build procedure
\fIinsists\fR
on using the system\*(Aqs version of
apr
or
apr\-util
rather than the version you explicitly asked
\fBconfigure\fR
to use with
\fB\-\-with\-apr\fR
or
\fB\-\-with\-apr\-util\fR
(check using:
\fBldd bin/httpd\fR
or
\fBotool bin/httpd\fR)\&. If the linker complains about an undefined symbol when you attempt to start
\fBApache\fR, this may be the reason\&. The easiest solution is to temporarily hide the system libraries that you don\*(Aqt want
\fBconfigure\fR
to use and then re\-make
\fBApache\fR, checking that
\fBbin/httpd\fR
is now referencing the expected libraries and restoring the system libraries\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you find that your
\fBApache\fR
server on
CentOS
does not accept requests coming from the network (non\-localhost requests) it may be because the operating system\*(Aqs security policy is disallowing them\&. As
root, do:
.sp
.if n \{\
.RS 4
.\}
.nf
# system\-config\-firewall
.fi
.if n \{\
.RE
.\}
.sp
(This command is sometimes named
\fBsystem\-config\-securitylevel\fR, or
\fBsystem\-config\-firewall\-tui\fR
in various releases of
CentOS)\&. In the "Other ports" section of the "Firewall Options", add the HTTP/HTTPS port(s) you want to use for protocol TCP\&. Once the change is applied it is persistent\&. Another option, if it is safe to do so, is to totally disable the firewall\&. On
CentOS:
.sp
.if n \{\
.RS 4
.\}
.nf
# service iptables stop
.fi
.if n \{\
.RE
.\}
.sp
(Alternative:
\fBsystemctl disable firewalld\fR) Note that this change is not persistent, however\&. Another alternative, for
CentOS
and other systems, is to use the appropriate command (e\&.g\&.,
\fBiptables\fR,
\fBipfw\fR, or
\fBpfctl\fR) to add a firewall rule to allow TCP access to your HTTP/HTTPS port(s)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
One difference to be aware of between the
\fBApache\fR
2\&.0
branch and subsequent branches is that the default
\fBApache\fR
configuration of the newer branches may deny all access by default; some
\fBDACS\fR
files should be publicly accessible, however, so you may need to explicitly allow this\&. For example, in
httpd\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
<Directory /usr/local/dacs/www>
  Satisfy Any
  Allow from all
  Options Indexes FollowSymLinks
</Directory>
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBApache\fR
1\&.3
is
\fInot\fR
supported; please consult the
\m[blue]\fBFAQ\fR\m[]\&\s-2\u[33]\d\s+2\&.
\fBDACS\fR
has not been tested with
\fBApache\fR
2\&.3
or
2\&.4\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
We do not support using
\fBmod_auth_dacs\fR
with a non\-source install of
\fBApache\fR; we have received feedback that it can be done manually without much effort, however\&. In this case, we believe that the install may go more smoothly if you use the configure flag
\fB\-\-disable\-shared\fR\&.
.RE
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
Check that
\fBApache\fR
is working properly and that it is actually using the version of
\fBOpenSSL\fR
that you are expecting\&. It is important to confirm that your server is working correctly with your web resources
\fIbefore\fR
\fBDACS\fR
gets involved\&. Doing so can save you time and frustration\&.
.sp
You can see your
\fBhttpd\*(Aqs\fR
Server
response\-header by connecting to your server (e\&.g\&., using
\fBtelnet\fR) and engaging in an interaction with it similar to the following (note the last line of output):
.sp
.if n \{\
.RS 4
.\}
.nf
% telnet localhost 80
Trying 127\&.0\&.0\&.1\&.\&.\&.
Connected to localhost\&.
Escape character is \*(Aq^]\*(Aq\&.
GET / HTTP/1\&.0

HTTP/1\&.1 200 OK
Date: Tue, 20 Jan 2018 18:08:11 GMT
Server: Apache/2\&.4\&.29 (Unix) OpenSSL/1\&.0\&.2n mod_auth_dacs/1\&.4\&.40(Release date 31\-Jan\-2018 09:49:34) PHP/5\&.6\&.14
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
A few third\-party packages are
\fIoptional\fR
and whether you need them depends on which optional features of
\fBDACS\fR
you require\&. These packages must be built before
\fBDACS\fR
can be configured and built\&. If you decide you want to add or remove optional capabilities after building
\fBDACS\fR, it is easy to do so later\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If you are new to
\fBDACS\fR, it may be a good idea to first build it without any optional packages\&. After you have gotten the basic system working to your satisfaction, rebuild
\fBDACS\fR
with the optional components you need\&. Or, if you are not sure at this time which optional packages you need, return to this step later\&.
.sp .5v
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Berkeley DB,
gdbm,
ndbm DB
(dbm\-type databases)
.sp
If you want to be able to store
\fBDACS\fR
configuration information in a database or need to access files managed by
\fBApache\*(Aqs\fR
\fBmod_auth_dbm\fR, you may use
\m[blue]\fBBerkeley DB\fR\m[]\&\s-2\u[34]\d\s+2
from
\m[blue]\fBOracle Corporation\fR\m[]\&\s-2\u[35]\d\s+2
(Sleepy Cat Software was acquired by Oracle in February, 2006)\&. A suitable version may already be installed on your system\&. Typically,
\fBApache\fR
will only build with a version of
Berkeley DB
that is somewhat older than the latest\&. Neither
\fBDACS\fR
nor
\fBApache\fR
require
Berkeley DB, and they do not need to use the same version of
Berkeley DB\&. Version
db\-5\&.3\&.28
is being used for testing, but somewhat older versions should be fine\&. See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-bdb\fR\m[]\&\s-2\u[36]\d\s+2,
\m[blue]\fB\-\-disable\-bdb\fR\m[]\&\s-2\u[37]\d\s+2, and
\m[blue]\fB\-\-with\-bdb\fR\m[]\&\s-2\u[38]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
Note that starting with
db\-6\&.x, licensing for
Berkeley DB
\m[blue]\fBchanged\fR\m[]\&\s-2\u[39]\d\s+2
from the
\m[blue]\fBSleepycat License\fR\m[]\&\s-2\u[40]\d\s+2
to the
\m[blue]\fBGNU AGPL v3\fR\m[]\&\s-2\u[41]\d\s+2\&. Installations should consider whether they should use
db\-5\&.3\&.28
or switch to another supported dbm\-type database\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
You may find that you must sign on to the Oracle site before you are allowed to download
Berkeley DB\&. You may be able to avoid this by using a URL such as:
.sp
.if n \{\
.RS 4
.\}
.nf
\m[blue]\fBhttp://download\&.oracle\&.com/berkeley\-db/db\-5\&.3\&.28\&.tar\&.gz\fR\m[]
.fi
.if n \{\
.RE
.\}
.sp
You may also be able to obtain
Berkeley DB
elsewhere, such as at
linux\&.softpedia\&.com,
pkgs\&.fedoraproject\&.org, or
fossies\&.org\&. Consider validating the downloaded file using a checksum published on a different site, however\&.
.sp .5v
.RE
The default is to use
Berkeley DB
if it is available\&. If you do not want to use
Berkeley DB
you must disable it (\m[blue]\fB\-\-disable\-bdb\fR\m[]\&\s-2\u[37]\d\s+2)\&. Similar functionality is provided by the
NDBM
library and from
GNU GDBM
(versions
1\&.8\&.3
through
1\&.14, the latter being the version tested against)\&.
GNU GDBM
must be built with its
NDBM
compatibility mode\&. These libraries may already be installed on your system\&. Get
GDBM
from
\m[blue]\fBftp://ftp\&.gnu\&.org/gnu/gdbm\fR\m[]\&\s-2\u[42]\d\s+2\&. See the
\m[blue]\fB\-\-enable\-ndbm\fR\m[]\&\s-2\u[43]\d\s+2,
\m[blue]\fB\-\-with\-gdbm\-lib\fR\m[]\&\s-2\u[44]\d\s+2, and
\m[blue]\fB\-\-with\-gdbm\-includes\fR\m[]\&\s-2\u[44]\d\s+2
configure flags\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
It may be necessary to create (or update) links to the
Berkeley DB
installation directory to avoid problems when building other packages\&. For example, if you install it in
/usr/local/db\-5\&.3\&.28:
.sp
.if n \{\
.RS 4
.\}
.nf
% ln \-sf /usr/local/db\-5\&.3\&.28 /usr/local/BerkeleyDB\&.5\&.3
% ln \-sf /usr/local/db\-5\&.3\&.28 /usr/local/db53
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
Berkeley DB
for
\fBDACS\fR
after unpacking it:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd build_unix
% \&.\&./dist/configure \-\-prefix=/usr/local/db\-5\&.3\&.28
% make
(All should go well\&.)
% make install
(All should go well here, too\&.)
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On some platforms, applications (including
\fBDACS\fR) that use
Berkeley DB
may need to be linked with the
\fB\-lpthread\fR
flag\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You cannot enable the
NDBM
library and
GNU GDBM\&. You can use either one with
Berkeley DB\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
GNU GDBM
1\&.9\&.1
and newer may not interoperate correctly with databases created by older versions of
GNU GDBM; consult its source code and documentation for details\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
A deficiency in configuration processing is that the location of the
NDBM
library cannot be specified; the standard configuration search path is used\&. A future version should provide a
\fB\-\-with\-ndbm\fR
flag\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The
NDBM\-workalike,
\m[blue]\fBsdbm\fR\m[]\&\s-2\u[45]\d\s+2, is not currently supported\&. It may be added to a future release if it is requested\&.
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
SQLite
.sp
The
\m[blue]\fBSQLite\fR\m[]\&\s-2\u[46]\d\s+2
database, which can be used together with the
\m[blue]\fBdbm\-type databases\fR\m[]\&\s-2\u[32]\d\s+2, is another option for storing
\fBDACS\fR
configuration information\&. Version
3\&.22\&.0
is being used for testing (we use the "sqlite\-autoconf" amalgamation tarball)\&. See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-sqlite\fR\m[]\&\s-2\u[47]\d\s+2,
\m[blue]\fB\-\-disable\-sqlite\fR\m[]\&\s-2\u[48]\d\s+2, and
\m[blue]\fB\-\-with\-sqlite\fR\m[]\&\s-2\u[49]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
FreeBSD
at least, an apparent bug in the
SQlite
build procedure can cause a compilation error\&. To avoid the error, edit the definition of the
DEFS
symbol in the
Makefile
to remove the embedded space by changing:
.sp
.if n \{\
.RS 4
.\}
.nf
  \-DPACKAGE_STRING=\e"sqlite 3\&.22\&.0\e"
.fi
.if n \{\
.RE
.\}
.sp
to:
.sp
.if n \{\
.RS 4
.\}
.nf
  \-DPACKAGE_STRING=\e"sqlite\-3\&.22\&.0\e"
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
SQlite:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/sqlite\-3\&.22\&.0
% make
% make install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
\fBlibdsm/Samba\fR
.sp
If you want to be able to authenticate using Microsoft\*(Aqs
\m[blue]\fBSMB\fR\m[]\&\s-2\u[50]\d\s+2/\m[blue]\fBNTLM\fR\m[]\&\s-2\u[51]\d\s+2
protocol (see
\m[blue]\fBlocal_ntlm_authenticate\fR\m[]\&\s-2\u[52]\d\s+2), you must either configure
\fBDACS\fR
to use the custom implementation of the
libdsm
library that ships with
\fBDACS\fR
or obtain
\m[blue]\fBSamba\fR\m[]\&\s-2\u[53]\d\s+2, a Microsoft Windows interoperability suite\&.
.sp
\fBDACS\fR
NTLM authentication is currently tested against services provided by
Windows Server 2012
but
\fBDACS\fR
should also interoperate with other
MS Windows
platforms\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
For a very long time,
\fBSamba 3\&.x\fR
provided NTLM client authentication for
\fBDACS\fR
and was the only option\&. But because
\fBSamba\fR
3\&.x
has not been supported by the
\fBSamba\fR
team for quite some time, and
\fBSamba\fR
4\&.x
has proved to be difficult to build on
\fBDACS\fR
platforms and is not a drop\-in replacement for
\fBSamba\fR
3\&.x
in any case, the smaller and simpler
libdsm
will replace
\fBSamba\fR\&.
\fBSamba\fR
3\&.x
can still be used by this version of
\fBDACS\fR
but support for
\fBSamba\fR
\fIwill be removed\fR\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBlibdsm Notes\fR
.ps -1
.br
Although the library is currently functional and tested, configuration of
libdsm
is not quite fully integrated or documented within the main
\fBDACS\fR
build\&. To use
libdsm:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Unpack the
\fBDACS\fR
tarfile
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
\fBchdir\fR
to
dacs\-1\&.4\&.40/src/libdsm
and refer to the
README
in that directory for detailed instructions\&.
.sp
We continue here with a brief outline of the procedure to build the library\&. If you are going to enable NTLM authentication, or think you might do so later, build the library before running
\fBconfigure\fR
for
\fBDACS\fR\&. If you do not need NTLM authentication, you need not build the library\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
Obtain the GNU libraries
\m[blue]\fBlibtasn1\fR\m[]\&\s-2\u[54]\d\s+2
and
\m[blue]\fBlibiconv\fR\m[]\&\s-2\u[55]\d\s+2\&. No changes to those libraries are required\&. Build both libraries in place\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
Configure and make the modified
libdsm\&. The library is installed in its root directory and no system files or directories are modified\&. A program called
\fBntlmauth\fR
will be built\&. You should use it to test authentication against your Windows server\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
If all goes well, build
\fBDACS\fR
as you normally would, except instead of configuring it using
.sp
.if n \{\
.RS 4
.\}
.nf
\fB\-\-with\-samba\fR
.fi
.if n \{\
.RE
.\}
.sp
use
.sp
.if n \{\
.RS 4
.\}
.nf
\fB\-\-with\-libdsm=\&./libdsm\fR
.fi
.if n \{\
.RE
.\}
.sp
Test authentication again, this time using
\fBdacsauth\fR
(refer to
\m[blue]\fBdacsauth(1)\fR\m[]\&\s-2\u[56]\d\s+2
and
\m[blue]\fBlocal_ntlm_authenticate\fR\m[]\&\s-2\u[57]\d\s+2
for examples)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}
If you are satisfied with the results of your testing, complete your installation of
\fBDACS\fR
and verify that
\m[blue]\fBdacs_authenticate\fR\m[]\&\s-2\u[58]\d\s+2
also works correctly\&. The only change you may need to make to
dacs\&.conf
is to specify
.sp
.if n \{\
.RS 4
.\}
.nf
OPTION \*(AqSAMBA_PORT="0"\*(Aq
.fi
.if n \{\
.RE
.\}
.sp
in the appropriate
Auth
clause\&. If you are using the standard ports, you may delete that option entirely since the library knows which port(s) to try\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  7." 4.2
.\}
Please report any problems so that they can be addressed in the next release\&.
.RE
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSamba Notes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
This release of
\fBDACS\fR
has been tested with
samba\-3\&.6\&.25
and that is the only version officially supported\&. If you use Samba, we strongly recommend that you use that version\&. It is not known whether this release of
\fBDACS\fR
will work with any other version of
\fBSamba\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDACS\fR
requires the
\fBSamba\fR
source distribution to be
\fIbuilt\fR
but it does not matter if
\fBSamba\fR
is
\fIinstalled\fR\&. The
\fBDACS\fR
build procedure looks for include files and libraries relative to the
\fBSamba\fR
distribution\*(Aqs root directory\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On systems where
libexecinfo
has been installed (FreeBSD), when building
\fBDACS\fR
it may be necessary to add
\fB\-lexecinfo\fR
to
\fILDFLAGS\fR
if
\fBbacktrace\fR
or
\fBbacktrace_symbols\fR
are referenced by
\fBSamba\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The
\fBSamba\fR
4\&.X releases use a different build system than earlier releases, unfortunately\&.
\fBDACS\fR
does not currently work with the 4\&.X releases, mainly because we have had no success getting a clean build of any 4\&.X release on either
FreeBSD
or
macOS\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
To build
\fBSamba\fR
for
\fBDACS\fR, from your
\fBSamba\fR
distribution\*(Aqs
\&./source3
directory do:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-enable\-static=yes \-\-with\-ads=no \-\-with\-ldap=no \-\-disable\-swat \-\-disable\-cups \-\-disable\-pie \e
      \-\-enable\-external\-libtalloc=no \-\-enable\-external\-libtdb=no
% make
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Then, when configuring
\fBDACS\fR, specify the directory where
\fBSamba\fR
was unpacked, for example:
.sp
.if n \{\
.RS 4
.\}
.nf
\-\-with\-samba=/local/src/samba\-3\&.6\&.25
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-ntlm\-auth\fR\m[]\&\s-2\u[59]\d\s+2,
\m[blue]\fB\-\-with\-samba\fR\m[]\&\s-2\u[60]\d\s+2, and
\m[blue]\fB\-\-with\-libdsm\fR\m[]\&\s-2\u[61]\d\s+2\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
libxml2
and
xmlsec1
.sp
InfoCard support
\fIis now deprecated and therefore these libraries are no longer needed\fR\&. This section may be removed in a future release\&.
.sp
See
\m[blue]\fBlocal_infocard_authenticate\fR\m[]\&\s-2\u[62]\d\s+2\&.
.sp
InfoCard support requires
\m[blue]\fBlibxml2\fR\m[]\&\s-2\u[63]\d\s+2
and
\m[blue]\fBxmlsec1\fR\m[]\&\s-2\u[64]\d\s+2
are required\&. Build
libxml2
and
\fBOpenSSL\fR
first, because
\m[blue]\fBxmlsec1\fR\m[]\&\s-2\u[64]\d\s+2
depends on both of them\&. This release of
\fBDACS\fR
has been tested with
libxml2\-2\&.8\&.0
or
libxml2\-2\&.9\&.1, and
xmlsec1\-1\&.2\&.20, and we strongly recommend that you use those versions\&. It is not known whether this release of
\fBDACS\fR
will work with any other versions \- we do not officially support them\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
libxml2:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/libxml2\-2\&.9\&.1
.fi
.if n \{\
.RE
.\}
.sp
Due to an apparent bug in the code (in
threads\&.c) that results in a syntax error, it was necessary to add
\fB\-\-with\-threads=no\fR
on some platforms, such as
macOS\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
xmlsec1:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/xmlsec1\-1\&.2\&.20
    \-\-with\-libxml=/usr/local/libxml2\-2\&.9\&.1
    \-\-with\-openssl=/usr/local/openssl\-1\&.0\&.2n \-\-with\-gnu\-ld
    \-\-enable\-static\-linking  \-\-disable\-crypto\-dl \-\-disable\-apps\-crypto\-dl 
.fi
.if n \{\
.RE
.\}
.sp
Except on
macOS:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/xmlsec1\-1\&.2\&.20 \e
      \-\-with\-libxml=/usr/local/libxml2\-2\&.9\&.1 \-\-with\-gnu\-ld \-\-enable\-static=yes \e
      \-\-enable\-shared=yes \-\-with\-nss=/Applications/Firefox\&.app/Contents/MacOS \e
      \-\-with\-nspr=/Applications/Firefox\&.app/Contents/MacOS \e
      \-\-with\-openssl=/usr/local/openssl\-1\&.0\&.2n \e
      \-\-disable\-crypto\-dl
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Due to an apparent error in its build procedure, we sometimes encountered the following error message:
.sp
.if n \{\
.RS 4
.\}
.nf
*** Warning: Linking the shared library libxmlsec1\-openssl\&.la against the
*** static library /local/openssl\-1\&.0\&.2n/lib/libcrypto\&.a is not portable!
.fi
.if n \{\
.RE
.\}
.sp
After ensuring that
libcrypto\&.so
(or
libcrypto\&.dylib) had been installed when building
\fBOpenSSL\fR, to correct the
xmlsec1
build problem we did "\fBmake clean\fR", re\-ran
\fBconfigure\fR
as above, and edited
src/openssl/Makefile
under the root of the
xmlsec1
distribution directory to change all occurrences of "libcrypto\&.a" to "libcrypto\&.so"\&. It was sometimes also necessary to delete the
\-ldl
flag on those same lines, and in other
Makefile
files in the distribution (and making sure the flag was not specified by
xmlsec1\-config)\&. After those changes, we ran
\fBmake\fR
again\&. Additionally, it was sometimes necessary to specify
CFLAGS="\-I/usr/local/include \-L/usr/local/lib"\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Another problem related to this library on a
CentOS
platform resulted in an error message similar to this:
.sp
.if n \{\
.RS 4
.\}
.nf
Cannot restore segment prot after reloc: Permission denied
.fi
.if n \{\
.RE
.\}
.sp
The solution was to issue the command (adjust the path as necessary):
.sp
.if n \{\
.RS 4
.\}
.nf
% chcon \-t texrel_shlib_t /usr/local/xmlsec1\-1\&.2\&.20/lib/libxmlsec1\-openssl\&.so
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When including InfoCard support on
macOS, it was necessary to tell the dynamic linker where to find the
xmlsec1
library (despite using the
\fB\-rpath\fR
flag during the build)\&. To work around this, do something like the following (or equivalent):
.sp
.if n \{\
.RS 4
.\}
.nf
% setenv DYLD_LIBRARY_PATH /usr/local/xmlsec1\-1\&.2\&.20/lib
.fi
.if n \{\
.RE
.\}
.sp
Ensure that "\fBgmake test\fR" does not fail\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Due to an apparent bug in
configure\&.in, on
FreeBSD
\fBconfigure\fR
may incorrectly use the
\fB\-ldl\fR
flag in generated
Makefiles\&. Either edit all
Makefiles
to remove all occurrences of the
\fB\-ldl\fR
flag, or edit
configure\&.in, add a "*\-*\-freebsd*" case like the others in the "OpenSSL" section, run
\fBautoconf\fR
to regenerate
\fBconfigure\fR, and then "\fBmake clean\fR" and re\-run
\fBconfigure\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Your experience may differ, but we found
xmlsec1
to not cooperate when we wanted to work with multiple installations of
libxml2
\- apparently if a
libxml2
directory or link has been installed, its build procedure seems to use that version, regardless of what is specified on the command line, requiring manual editing of its
Makefiles\&. Check that the correct instance of
\fBxml2\-config\fR
is being used\&. Unfortunately, it may be necessary to remove (or temporarily rename) older installed versions, or fall back to using an older version already installed on your system\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
We also found it sometimes necessary to also upgrade the version of the
libxslt
library (also available
\m[blue]\fBhere\fR\m[]\&\s-2\u[65]\d\s+2) to build against the same
libxml2
as
xmlsec1
library, otherwise multiple versions of
libxml2
may be referenced, leading to undefined symbols during the
\fBDACS\fR
build procedure\&. We have had success using
libxslt\-1\&.1\&.28
(and then adding
\-\-with\-libxslt=/usr/local/libxslt\-1\&.1\&.28
when configuring
libxslt)\&.
.RE
.sp .5v
.RE
The
\fBDACS\fR
build procedure uses
\fBxmlsec1\-config\fR, a program that comes with
xmlsec1\&. If InfoCard support is enabled, the build procedure will look in some standard places for this command\&. You can specify its location with the
\m[blue]\fB\-\-with\-xmlsec1\-config\fR\m[]\&\s-2\u[66]\d\s+2
flag\&.
.sp
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-infocard\-auth\fR\m[]\&\s-2\u[67]\d\s+2
and
\m[blue]\fB\-\-with\-xmlsec1\-config\fR\m[]\&\s-2\u[66]\d\s+2
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
\fBOpenLDAP\fR
.sp
Authentication through
LDAP
or
Microsoft Active Directory
(see
\m[blue]\fBlocal_ldap_authenticate\fR\m[]\&\s-2\u[68]\d\s+2) is implemented using
\m[blue]\fBOpenLDAP\fR\m[]\&\s-2\u[69]\d\s+2\&. This release of
\fBDACS\fR
has been tested only with
openldap\-2\&.4\&.45
and we strongly recommend that you use that version\&.
.sp
It is not known whether this release of
\fBDACS\fR
will work with any other version of
\fBOpenLDAP\fR
\- we do not support them\&.
\fBDACS\fR
may work properly with
\fBOpenLDAP\fR
versions at least as old as
2\&.2\&.24, if you really must use one of them\&.
.sp
\fBDACS\fR
LDAP
authentication and role retrieval is currently tested against directory services provided by
Windows Server 2012
but
\fBDACS\fR
should also interoperate with other
LDAP
implementations\&.
.sp
If the
\fB\-\-with\-ldap\fR
flag is
\fInot\fR
given (in which case
LDAP
authentication must be enabled; e\&.g\&., via
\fB\-\-enable\-ldap\-auth\fR),
\fBconfigure\fR
will search for
\fBOpenLDAP\fR
headers and libraries; if found, it will assume they are a suitable version and use them\&.
.sp
If
\fB\-\-with\-ldap\fR
is given (either because
\fBOpenLDAP\fR
is not installed or an unsuitable version is installed), headers and libraries relative to the root of the specified directory will be used rather than any installed
\fBOpenLDAP\fR
files; it is not necessary to
\fIinstall\fR
\fBOpenLDAP\fR, you only need to
\fIbuild\fR
it \- so you do not need to be concerned about hassles associated with upgrading or any other versions that might already be installed on your system\&.
.sp
To build
\fBOpenLDAP\fR
for
\fBDACS\fR, from the root of your
\fBOpenLDAP\fR
distribution do:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-with\-tls=openssl \-\-disable\-slapd \-\-enable\-static \e
    CFLAGS=\-I/usr/local/openssl\-1\&.0\&.2n/include \e
    LDFLAGS=\-L/usr/local/openssl\-1\&.0\&.2n/lib
% make
.fi
.if n \{\
.RE
.\}
.sp
If so instructed, do a "\fBmake depend\fR" before the
\fBmake\fR\&.
.sp
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-ldap\-auth\fR\m[]\&\s-2\u[70]\d\s+2
and
\m[blue]\fB\-\-with\-ldap\fR\m[]\&\s-2\u[71]\d\s+2
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}
Readline
.sp
The history and editing functionality provided by the
\m[blue]\fBGNU Readline Library\fR\m[]\&\s-2\u[72]\d\s+2
is entirely optional but can be nice to have when using
\m[blue]\fBdacsexpr(1)\fR\m[]\&\s-2\u[73]\d\s+2
interactively\&. This release of
\fBDACS\fR
has been tested with version 7\&.0, although we have used
readline\-6\&.X
with recent releases of
\fBDACS\fR\&. Note that you may need to compile
Readline
with the
\fB\-fPIC\fR
flag ("\fBmake CFLAGS=\-fPIC\fR")\&.
.sp
It is not necessary for you to
\fIinstall\fR
readline, you only need to
\fIbuild\fR
it \- so you do not need to be concerned about hassles associated with upgrading or any other versions that might already be installed on your system\&. If
readline/readline\&.h
is in a standard
include
directory, it has probably been installed and no action is necessary\&. On platforms where it is missing, it may be simple to install using a command such as:
.sp
.if n \{\
.RS 4
.\}
.nf
# yum install readline\-devel\&.x86_64
.fi
.if n \{\
.RE
.\}
.sp
or
.sp
.if n \{\
.RS 4
.\}
.nf
# pkg install readline
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When building on
macOS, it was sometimes necessary to fix a bug by editing
shlib/Makefile
and making this change:
.sp
.if n \{\
.RS 4
.\}
.nf
#SHOBJ_LDFLAGS = \-dynamic
SHOBJ_LDFLAGS = \-dynamiclib
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-with\-readline\fR\m[]\&\s-2\u[74]\d\s+2
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
Configure and build
\fBDACS\fR
libraries, services, commands, and utilities
.sp
See
\m[blue]\fBBuild Options\fR\m[]\&\s-2\u[75]\d\s+2
for build alternatives and options to
\fBconfigure\fR\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% cd src
% \&./configure
% gmake
.fi
.if n \{\
.RE
.\}
.sp
To confirm that
\fBDACS\fR
has been built with the third\-party packages that you intended, from the run:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./version \-v
.fi
.if n \{\
.RE
.\}
.sp
You should ensure that the
\fBsslclient\fR
utility is working correctly\&. From the
src
directory, you can test it using the following command:
.sp
.if n \{\
.RS 4
.\}
.nf
% printf "GET https://dacs\&.dss\&.ca:8443 HTTP/1\&.0\er\en\er\en" | \&./sslclient dacs\&.dss\&.ca:443
.fi
.if n \{\
.RE
.\}
.sp
which should print the contents of
\m[blue]\fBhttps://dacs\&.dss\&.ca\fR\m[]
to the standard output\&. You should repeat this test substituting the name of your server and port\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
After building
\fBDACS\fR, it is strongly recommended that you run the self\-tests (expression evaluation, crypto code, string handling, and so on) from the
src
directory:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake test
.fi
.if n \{\
.RE
.\}
.sp
If any error occurs during testing, testing will stop immediately and a message will be displayed\&. In this event, first check that you are using the recommended software packages and that your build flags are correct\&. Most often, problems are the result of mixing header files or library files from different versions of a third\-party package (e\&.g\&.,
\fBOpenSSL\fR) or incorrect file permissions\&. If you cannot find anything wrong with your configuration, please submit a bug report that includes the self test output and describes your platform (you can include the output of "\&./version \-v")\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}
If all looks good, install
\fBDACS\fR
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If
\fBgmake\fR
complains about not being able to find
\fBxsltproc\fR,
docbook\&.xsl, or something that might be related to installing the documentation, try:
.sp
.if n \{\
.RS 4
.\}
.nf
% (cd \&.\&./man; gmake touch)
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
This will install the rules for the standard
\fBDACS\fR
web services and run
\m[blue]\fBdacsacl(1)\fR\m[]\&\s-2\u[76]\d\s+2
to create and install an index for them\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You can specify
\m[blue]\fBDESTDIR\fR\m[]\&\s-2\u[77]\d\s+2
to
\fBgmake\fR
when installing or uninstalling:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake DESTDIR=/tmp/mydacs install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
The installation process may prompt you for the owner name and group name to use for files and directories; it will guess at reasonable defaults for your platform\&. The appropriate responses will depend on local conventions, but to start with you might set the owner to your login name or
root, and the group name to the same name that is used by
\fBApache\fR
(specified by the
\m[blue]\fBGroup\fR\m[]\&\s-2\u[78]\d\s+2
directive in
httpd\&.conf)\&. For the group, it may help to look at
/etc/group\&. If you need to change your owner or group selection, remove
src/\&.ownername
or
src/\&.groupname
and try again\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
While running "\fBgmake install\fR", important instructions regarding manual installation steps may be displayed\&. A copy is written to
\&.build_notes, truncating any previous contents\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  7." 4.2
.\}
As part of the installation procedure, the
\fBDACS\fR
manual pages are copied into the
\fBDACS\fR
man
directory (default:
/usr/local/dacs/man)\&. If you adjust your
\fBMANPATH\fR
environment variable to include that directory, try:
.sp
.if n \{\
.RS 4
.\}
.nf
% man dacs
.fi
.if n \{\
.RE
.\}
.sp
While it is occasionally handy to view the manual pages using the
\fBman\fR
command, the HTML documentation is far superior\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 8.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  8." 4.2
.\}
Build a
\fBDACS\fR\-enabled
\fBhttpd\fR
.sp
Please consult
apache/README
in the
\fBDACS\fR
distribution for details and, from the
apache
directory, do:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake help
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
You can build the
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[13]\d\s+2
with a module identification string (a "version tag") with varying amounts of detail, or without a tag\&. For a full\-length tag, use "\fBgmake tag\fR", for a simple tag use "\fBgmake smalltag\fR", or to disable the tag use "\fBgmake notag\fR" or "\fBgmake module\fR"\&. We suggest that you compile
\fBmod_auth_dacs\fR
with a tag so that
\fBApache\*(Aqs\fR
\fBSERVER_SIGNATURE\fR
and
Server
response header field can include
\fBDACS\fR
version identification; this makes it easy to tell which version of
\fBDACS\fR
the server is running and helps to detect mismatches\&. If
\fBmod_auth_dacs\fR
is compiled with debugging enabled or if the
\m[blue]\fBSetDACSAuthDebug\fR\m[]\&\s-2\u[79]\d\s+2
directive enables debugging, additional version information is added to the tag\&. For production use, identifying the modules in your
\fBApache\fR
server is considered by some to be a potential security weakness \- you may reasonably choose not to include the version tag\&. For some versions of
\fBApache\fR, module identification can be suppressed at runtime through its
\m[blue]\fBServerTokens\fR\m[]\&\s-2\u[80]\d\s+2
directive\&.
.sp .5v
.RE
If you want
\m[blue]\fBmod_auth_dacs\fR\m[]\&\s-2\u[13]\d\s+2
to be a dynamic module, which is recommended, do:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd apache
% gmake tag
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
Check that your
httpd\&.conf
has the appropriate
LoadModule
directive\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
When installing
\fBmod_auth_dacs\fR
on some platforms (such as
FreeBSD
10\&.0), messages similar to the following may be seen:
.sp
.if n \{\
.RS 4
.\}
.nf
Warning!  dlname not found in /usr/local/apache2\&.2/modules/mod_auth_dacs\&.la\&.
Assuming installing a \&.so rather than a libtool archive\&.
chmod 755 /usr/local/apache2\&.2/modules/mod_auth_dacs\&.so
chmod: /usr/local/apache2\&.2/modules/mod_auth_dacs\&.so: No such file or directory
apxs:Error: Command failed with rc=65536
.fi
.if n \{\
.RE
.\}
.sp
In this situation you should notice that a shared library (a
\&.so
file) has not been created in the
\fBApache\fR
modules
directory\&. This problem is apparently caused by a buggy version of
\fBlibtool\fR
that ships with
\fBApache\fR
(e\&.g\&.,
/usr/local/apache2\&.2/apr\-httpd/build\-1/libtool) and is invoked by
\fBapxs\fR
by
\fBgmake install\fR\&. To work around this issue, edit the
\fBapxs\fR
command that is run from the
Makefile
in the
\fBDACS\fR
apache
directory (e\&.g\&.,
\fB/usr/local/apache2\&.2/bin/apxs\fR)\&. Modify the
\fBapxs\fR
script to execute the system\*(Aqs
\fBlibtool\fR
instead of
\fBApache\*(Aqs\fR\&. This change will suffice, for example:
.sp
.if n \{\
.RS 4
.\}
.nf
#my $libtool = `$apr_config \-\-apr\-libtool`;
my $libtool = "/usr/local/bin/libtool";
.fi
.if n \{\
.RE
.\}
.sp
After the change, repeat the
\fBgmake install\fR\&. If this fails with the error message:
.sp
.if n \{\
.RS 4
.\}
.nf
libtool: compile: unable to infer tagged configuration
.fi
.if n \{\
.RE
.\}
.sp
try:
.sp
.if n \{\
.RS 4
.\}
.nf
my $libtool = "/usr/local/bin/libtool \-\-tag=CC";
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
If you want
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[13]\d\s+2
to be a static module:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Copy
apache/mod_auth_dacs\&.c
to
\fBApache\*(Aqs\fR
modules/aaa
directory
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
Re\-run
\fBApache\fR\*(Aqs configure, adding
\fBmod_auth_dacs\fR
(\fB\-\-with\-module=aaa:auth_dacs\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
Reinstall
\fBApache\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% make install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
Verify that
\fBmod_auth_dacs\fR
appears in the list of
\fBApache\fR
modules:
.sp
.if n \{\
.RS 4
.\}
.nf
% httpd \-l
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
Because
\m[blue]\fBmod_auth_dacs\fR\m[]\&\s-2\u[13]\d\s+2
references symbols in
\fBmod_ssl\fR, apparently those symbols must be loaded
\fIbefore\fR
\fBmod_auth_dacs\fR
is loaded\&. This can be ensured by statically compiling
\fBmod_ssl\fR
into
\fBhttpd\fR
(configure
\fBhttpd\fR
with
\fB\-\-enable\-ssl\fR
and verify with "\fBhttpd \-l\fR") and using the following directive in
httpd\&.conf
to dynamically load the
\fBmod_auth_dacs\fR
module:
.sp
.if n \{\
.RS 4
.\}
.nf
LoadModule auth_dacs_module modules/mod_auth_dacs\&.so
.fi
.if n \{\
.RE
.\}
.sp
Alternatively, it may be sufficient to dynamically load
\fBmod_ssl\fR
\fIbefore\fR
\fBmod_auth_dacs\fR\&.
.sp
If
\fBmod_ssl\fR
symbols are unavailable when they are needed, you\*(Aqll probably see a message like the following when you try to start
\fBhttpd\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
mod_auth_dacs\&.so: undefined symbol: ssl_hook_Fixup
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
After you\*(Aqve installed
\fBmod_auth_dacs\fR, restart
\fBhttpd\fR\&.
.sp
If you built the module with a tag, verify that the
\fBDACS\fR
version identifier appears in
\fBSERVER_SIGNATURE\fR\&. You can do this by hitting
\fBApache\*(Aqs\fR
\fBprintenv\fR
CGI program from your browser or using a command like:
.sp
.if n \{\
.RS 4
.\}
.nf
% dacshttp "http://\fImyserver\fR:\fImyserverport\fR/cgi\-bin/printenv"
.fi
.if n \{\
.RE
.\}
.sp
(first making sure that
\fBApache\*(Aqs\fR
\fBprintenv\fR
CGI is executable) and examining the
\fBSERVER_SIGNATURE\fR
environment variable, or by running:
.sp
.if n \{\
.RS 4
.\}
.nf
% telnet \fImyserver\fR \fImyserverport\fR
.fi
.if n \{\
.RE
.\}
.sp
and typing:
.sp
.if n \{\
.RS 4
.\}
.nf
OPTIONS * HTTP/1\&.0
.fi
.if n \{\
.RE
.\}
.sp
followed by a blank line and examining the
Server
response header\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The URLs that follow will use
http
and omit
\fImyserverport\fR\&. Substitute
https
and/or include
\fImyserverport\fR
as necessary for your configuration\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you install a new version of
\fBDACS\fR, please make sure that you use the
\fBmod_auth_dacs\fR
module that comes with it\&. Follow the instructions above\&.
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 9.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  9." 4.2
.\}
An assortment of
\fBDACS\fR
files, including HTML documentation and CSS files, are copied into the
\fBDACS\fR
www
directory (default:
/usr/local/dacs/www)\&.
.sp
While you can view the documentation simply by pointing your web browser at the
\fBDACS\fR
www
directory, it is recommended that you make it available through
\fBApache\fR
using its
\m[blue]\fBAlias\fR\m[]\&\s-2\u[81]\d\s+2
directive because the default site configuration (site\&.conf\-std) expects handlers and DTDs to be available using certain URLs\&.
.sp
Add lines like the following to your
httpd\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
Alias /dacs      "/usr/local/dacs/www/"
Alias /css       "/usr/local/dacs/www/css/"
Alias /dtd\-xsd   "/usr/local/dacs/www/dtd\-xsd/"
Alias /examples  "/usr/local/dacs/www/examples/"
Alias /handlers  "/usr/local/dacs/www/handlers/"
Alias /infocards "/usr/local/dacs/www/infocards/"
Alias /man       "/usr/local/dacs/www/man/"
Alias /misc      "/usr/local/dacs/www/misc/"
Alias /mod       "/usr/local/dacs/www/mod/"
.fi
.if n \{\
.RE
.\}
.sp
To see the
\fBDACS\fR
DTD files from your browser, you can also add:
.sp
.if n \{\
.RS 4
.\}
.nf
AddType text/plain      \&.dtd
.fi
.if n \{\
.RE
.\}
.sp
These
\&.dtd
files are only used to document XML structures and messages used by
\fBDACS\fR
and are cited in the documentation\&.
.sp
You should also uncomment these two directives in your
site\&.conf
file:
.sp
.if n \{\
.RS 4
.\}
.nf
XSD_BASE_URL "/dacs/dtd\-xsd"
DTD_BASE_URL "/dacs/dtd\-xsd"
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
After restarting
\fBhttpd\fR, you can view the documentation using a URL that looks like
http://\fImyserver\fR/dacs/man
or simply
http://\fImyserver\fR/man\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04'10.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "10." 4.2
.\}
Access to all
\fBDACS\fR
web services (everything installed in the
\&.\&.\&./cgi\-bin/dacs
directory)
\fImust\fR
be controlled by
\fBDACS\fR; that is, they must be "\fBDACS\fR\-wrapped"\&. Assuming you are following the defaults for installing
\fBDACS\fR, these are the only files that are required to be
\fBDACS\fR\-wrapped\&.
.sp
\fBDACS\fR\-wrapping a resource or set of related resources involves:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Configuring
\fBApache\fR
so that it uses
\fBDACS\fR
to manage access to the contents of a directory or portion of URL space and
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Configuring one or more
\fBDACS\fR
access control rules for the jurisdiction responsible for the resources (this is done for the
\fBDACS\fR
web services by the default ACLs)\&.
.RE
.sp
Configuring
\fBApache\fR
involves, at minimum, adding directives like the following to the appropriate
VirtualHost
section of
httpd\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
AddDACSAuth dacs\-acs /usr/local/dacs/bin/dacs_acs "\-t \-v"
SetDACSAuthMethod dacs\-acs external
SetDACSAuthConf dacs\-acs "/usr/local/dacs/dacs\&.conf"
<Location /cgi\-bin/dacs>
   AuthType DACS
   AuthDACS dacs\-acs
   Require valid\-user
# Note: For Apache 2\&.4, instead use:
# Require dacs\-authz
   Options ExecCGI
</Location>
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
Remember to restart
\fBApache\fR
after making changes to
httpd\&.conf\&.
.sp .5v
.RE
Some administrators may choose to make
\fIall\fR
content or
\fIall\fR
CGIs
\fBDACS\fR\-wrapped\&. That is probably a more secure approach, although of course it can be somewhat less efficient than segmenting the server\*(Aqs URL space into "secure" and "insecure" areas\&. Content that is not
\fBDACS\fR\-wrapped is totally oblivious to
\fBDACS\fR
and incurs no overhead due to
\fBDACS\fR\&. Also, this approach may necessitate making "holes" in the URL space for non\-access controlled resources, which must be done with care\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If you decide to
\fBDACS\fR\-wrap everything, you will likely want to add rules to grant access to various public resources, such as CSS files,
robots\&.txt,
favicon\&.ico, and various public
\fBDACS\fR
resources, such as its
man,
dtd\-xsd, etc\&. directories (see the instructions for the
Alias
directive above)\&. The default ACL
acl\-stddocs\&.0
does this for some resources, but you may need to extend the list to grant access to additional public resources\&.
.sp .5v
.RE
.RE
.SS "Initial Configuration"
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
.PP
At this point, reviewing
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[11]\d\s+2
is strongly recommended\&. It provides a detailed example of what needs to be done to make your
\fBDACS\fR
operational and how to do some basic testing\&. If you encounter problems installing or running
\fBApache\fR
or
\fBDACS\fR, please refer to
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[11]\d\s+2\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
.PP
The interactive
\fBdacsinit\fR
utility can perform the steps described below quickly\&. You will find
\fBdacsinit\fR
in the installation
bin
directory\&. It can be run anytime after
\fBDACS\fR
has been built and installed\&. It produces a directory structure for the federation, copies the distribution\*(Aqs site configuration file, creates a minimal
dacs\&.conf
for the federation and one jurisdiction, makes federation and jurisdiction encryption keys, and generates metadata for the jurisdiction\&. The resulting configuration can be used immediately by
\fBDACS\fR
commands and by
\fBDACS\fR
web services after
\fBApache\fR
has been configured for
\fBDACS\fR\&.
.PP
Passing the
\fB\-d\fR
flag to
\fBdacsinit\fR
causes it to append a string to certain paths and filenames so that, for debugging or test purposes, it is unlikely to overwrite any "real" configuration files\&. Passing it the
\fB\-n\fR
flag causes it to display what it would do without performing any of the actions\&.
.sp .5v
.RE
.PP
Having installed
\fBDACS\fR, the next major step is to do some initial configuration of your federation and jurisdiction(s)\&. At each jurisdiction in your federation you will need to do the following:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Install the default site configuration file\&. The distribution comes with a default site configuration file found in the distribution\*(Aqs
conf/site\&.conf\-std
file\&. The installation procedure copies this file into the
\fBDACS\fR
federations
directory\&. After making a backup copy of any
federations/site\&.conf
file that is already there, copy
federations/site\&.conf\-std
to
federations/site\&.conf, applying any customizations you require (customizations are usually done in
dacs\&.conf
though, so that you can simply copy on top of the previous
site\&.conf)\&. Note that
conf/site\&.conf\-std
may well change in a new release and you should use the latest version\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
As part of the installation procedure, a default set of access control rules is copied into the
\fBDACS\fR
acls
directory (default:
/usr/local/dacs/acls)\&. The default
site\&.conf
file (site\&.conf\-std) configures
\fBDACS\fR
to look in that directory for the default rules\&. These rules control access to
\fBDACS\fR
web services and are sufficient for proper operation\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If your installed
\fBDACS\fR
web services have a filename suffix (e\&.g\&.,
\&.cgi, you should probably build
\fBDACS\fR
with an appropriate
\fB\-\-with\-cgi\-suffix\fR
flag or customize the rules manually\&. If it is necessary to change the default rules, consider overriding them at the jurisdiction level instead of editing a default ACL file \- this will make it easier for you to upgrade because you will not have to carry these changes forward to future releases of
\fBDACS\fR\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
Access to some administrative and experimental
\fBDACS\fR
web services is completely disabled or restricted by default;
\fIchange these with care and at your own risk, particularly if your web server is reachable from the Internet\fR\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
Configure your
dacs\&.conf
file at each jurisdiction\&. At the very least, you must provide
\m[blue]\fBFEDERATION_DOMAIN\fR\m[]\&\s-2\u[82]\d\s+2,
\m[blue]\fBFEDERATION_NAME\fR\m[]\&\s-2\u[83]\d\s+2, and
\m[blue]\fBJURISDICTION_NAME\fR\m[]\&\s-2\u[84]\d\s+2
directives; all other required directives will come from the
site\&.conf
file installed in an earlier step if you do not specify them\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
Use
\m[blue]\fBdacskey(1)\fR\m[]\&\s-2\u[85]\d\s+2
to make encryption keys for the federation (if you are creating a new federation) or obtain a copy of the federation\*(Aqs encryption keys for each new jurisdiction (if you are joining an existing federation)\&. Each jurisdiction in a federation must have a copy of the same federation keys\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
Use
\m[blue]\fBdacskey(1)\fR\m[]\&\s-2\u[85]\d\s+2
to make encryption keys for each new jurisdiction (each jurisdiction will have different keys)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}
Create a group definition that describes your jurisdictions \- see
\m[blue]\fBdacs\&.groups(5)\fR\m[]\&\s-2\u[86]\d\s+2
\- and install an identical copy at each jurisdiction\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  7." 4.2
.\}
Check ownership and permissions on
\fBDACS\fR
executables and data files\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
All access to
\fBDACS\fR
configuration files (dacs\&.conf,
site\&.conf) and keys must be limited to the
\fBDACS\fR
administrator and the
\fBDACS\fR
CGI programs called by
\fBApache\fR\&. The installation process tries to set this reasonably, but you should re\-check now and after making changes because it is vital to maintain a secure system (e\&.g\&.,
ls \-lR /usr/local/dacs)\&.
.sp .5v
.RE
.RE
.sp
.SS "Initial Testing"
.PP
Having configured
\fBApache\fR
and
\fBDACS\fR, you should try some basic
\fBDACS\fR
web services to make sure that they are working properly before you go on to make customizations\&.
.PP
For example, invoke
\m[blue]\fBdacs_version(8)\fR\m[]\&\s-2\u[20]\d\s+2
from your browser to check that it is properly
\fBDACS\fR\-wrapped (adjust the URL for your environment):
.sp
.if n \{\
.RS 4
.\}
.nf
% dacshttp "http://\fImyserver\fR/cgi\-bin/dacs/dacs_version"
.fi
.if n \{\
.RE
.\}
.sp
Review the
\fBDACS\fR
log files (default:
/usr/local/dacs/logs/*) to see what happened\&. The
\fBApache\fR
log files can also be helpful, as messages from
\fBmod_auth_dacs\fR
can be found there if they have been enabled\&.
.PP
You can also try
\m[blue]\fBdacsversion(1)\fR\m[]\&\s-2\u[87]\d\s+2
from the command line\&.
.PP
You should verify that
\m[blue]\fBdacs_list_jurisdictions(8)\fR\m[]\&\s-2\u[17]\d\s+2
works properly\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
.PP
If your browser successfully retrieves a
\fBDACS\fR\-wrapped resource it may retain a copy in its cache\&. A later attempt to retrieve the same resource may appear to succeeed, because the cached copy is returned, even if the
\fBDACS\fR
configuration or other context has changed so that access to the resource should be denied\&. To ensure that
\fBDACS\fR
is handling every request when testing, always clear or disable your browser\*(Aqs cache before beginning\&. If a request is granted when you expect it to be denied, try the request again, making sure that your browser sends the request to the web server\&.
.sp .5v
.RE
.PP
The next step is to configure an authentication method \- see
\m[blue]\fBdacs_authenticate(8)\fR\m[]\&\s-2\u[14]\d\s+2
and try to authenticate\&. Once that appears to be working, you can try
\m[blue]\fBdacs_current_credentials(8)\fR\m[]\&\s-2\u[15]\d\s+2,
\m[blue]\fBdacs_prenv(8)\fR\m[]\&\s-2\u[16]\d\s+2,
\m[blue]\fBdacs_conf(8)\fR\m[]\&\s-2\u[18]\d\s+2, and
\m[blue]\fBdacs_signout(8)\fR\m[]\&\s-2\u[19]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
.PP
Before deploying your
\fBDACS\fR\-enabled system, after an upgrade, or following configuration changes, always carefully test to ensure that resources are being protected as you require\&. It is best to configure and test
\fBDACS\fR
on a development platform that looks as much as possible like the intended production platform\&. When you are satisfied, a clone of the development platform can become the new production platform, which should also be tested\&.
.sp .5v
.RE
.SS "Build Options"
.PP
Running
\fBconfigure\fR
generates
config\&.nice
(over\-writing any previous contents), which can be executed at some later time if you want to re\-run
\fBconfigure\fR
with the same arguments\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
.PP
After you are happy with your configuration, consider squirrelling away a copy of
config\&.nice
in case you want to reconfigure
\fBDACS\fR
or for use with later releases of
\fBDACS\fR\&.
.sp .5v
.RE
.PP
It is possible to "bundle" several of the
\fBDACS\fR
utility programs together into a single binary called
\fBdacs\fR\&. This is similar to what
\fBOpenSSL\fR
does with its
\fBopenssl\fR
command\&. Instead of running:
.sp
.if n \{\
.RS 4
.\}
.nf
% dacsacl \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
you would run:
.sp
.if n \{\
.RS 4
.\}
.nf
% dacs dacsacl \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
Running
\fBdacs\fR
without arguments displays the list of built\-in utilities\&. Some utilities have multiple names that are equivalent; these appear in a comma\-separated list\&. To build this combined command, add the flag
bundle=yes
to command lines when building and installing:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake bundle=yes
% gmake bundle=yes install
.fi
.if n \{\
.RE
.\}
.sp
The commands that are bundled into the
\fBdacs\fR
command won\*(Aqt be built as separate programs\&. To build and install both bundled and unbundled commands:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake bundle=both
% gmake bundle=both install
.fi
.if n \{\
.RE
.\}
.sp

.PP
Command: gmake or "\fBgmake build\fR"
.RS 4
This will build libraries, services, and utilities in the source directory\&. By default, the build process will create shared libraries and binaries if they are supported on your platform\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If you encounter problems while building
\fBDACS\fR
with shared libraries, use
\fB\-\-disabled\-shared\fR
and
\fB\-\-enable\-static\fR
with
\fBconfigure\fR
and try building it again\&.
.sp .5v
.RE
.RE
.PP
Command: "\fBgmake install\fR"
.RS 4
This will install all
\fBDACS\fR
components\&. We recommend that everything other than CGI binaries be put under
/usr/local/dacs, which is the default\&. The CGI binaries are by default installed in
\&.\&.\&./\fIyour\-apache\-dir\fR/cgi\-bin/dacs\&. By default,
\fBDACS\fR
utilities will be installed in
/usr/local/dacs/bin, which you may want to put on your
\fBPATH\fR
for convenience\&.
.RE
.PP
Command: "\fBgmake clean\fR"
.RS 4
Removes binaries, object files, and other junk in the build directory
.RE
.PP
Command: "\fBgmake distclean\fR"
.RS 4
Does a "\fBgmake clean\fR" and cleans up so that
\fBconfigure\fR
can be re\-done\&.
.RE
.PP
Command: "\fBgmake extraclean\fR"
.RS 4
Does a "\fBgmake distclean\fR" and removes
configure\&. After this, do:
.sp
.if n \{\
.RS 4
.\}
.nf
% autoconf \-I\&.\&./include
.fi
.if n \{\
.RE
.\}
.sp
and then run
\fBconfigure\fR\&.
.RE
.PP
Command: "\fBgmake uninstall\fR"
.RS 4
Removes installed binaries, include files, and libraries
.RE
.PP
Other useful build commands (these should be self\-explanatory):
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake build\-services
% gmake build\-progs
% gmake build\-static
% gmake build\-shared
% gmake build\-static\-services
% gmake build\-shared\-services
% gmake build\-static\-progs
% gmake build\-shared\-progs
% gmake build\-shared\-lib
% gmake install\-libs
% gmake install\-shared\-lib
% gmake install\-static\-lib
% gmake install\-progs
% gmake install\-services
.fi
.if n \{\
.RE
.\}
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBConfigure Options\fR
.RS 4
.PP
To verify that this documentation is up\-to\-date, please run:
.sp
.if n \{\
.RS 4
.\}
.nf
% configure \-\-help
.fi
.if n \{\
.RE
.\}
.sp
This will also tell you which features are enabled (or disabled) by default\&.
Standard build and install options.PP
.PP
\fB\-\-prefix=\fR\fB\fIPREFIX\fR\fR
.RS 4
The root for the installation hierarchy [/usr/local/dacs], which is referred to as the symbol and variable
\m[blue]\fBDACS_HOME\fR\m[]\&\s-2\u[21]\d\s+2\&.
.RE
.PP
\fB\-\-exec\-prefix=\fR\fB\fIEPREFIX\fR\fR
.RS 4
The root for the architecture\-dependent hierarchy [\fIPREFIX\fR]\&.
.RE
.PP
\fB\-\-bindir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
utilities are installed [\fIEPREFIX\fR/bin]\&.
.RE
.PP
\fB\-\-libdir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
libraries are installed [\fIEPREFIX\fR/lib]\&.
.RE
.PP
\fB\-\-includedir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
include files are installed [\fIEPREFIX\fR/include]\&.
.RE
.PP
\fB\-\-mandir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
manual pages are installed [\fIEPREFIX\fR/man]\&.
.RE
.PP
\fB\-\-enable\-shared\fR
.RS 4
Generate shared libraries\&.
.RE
.PP
\fB\-\-enable\-static\fR
.RS 4
Generate static libraries\&.
.RE
.PP
\fB\-\-disable\-prefix\-check\fR
.RS 4
Disable prefix path check; the prefix path check does some sanity tests on
\fIPREFIX\fR\&.
.RE
Feature selection options.PP
.PP
\fB\-\-enable\-access\-tokens\fR
.RS 4
Compile with the authorization caching feature\&.
.RE
.PP
\fB\-\-enable\-addons\fR
.RS 4
Compile with optional
\m[blue]\fBadd\-on features\fR\m[]\&\s-2\u[88]\d\s+2; add\-on source code files for the version of
\fBDACS\fR
being built must be present in the
src
directory\&.
.RE
.PP
\fB\-\-enable\-all\-auth\fR
.RS 4
Enable all authentication methods; you can use this flag and then individually disable methods (e\&.g\&.,
\fB\-\-enable\-all\-auth\fR
\fB\-\-disable\-apache\-auth\fR
would enable all methods except
\fBApache\fR
password authentication\&.
.RE
.PP
\fB\-\-enable\-apache\-auth\fR
.RS 4
Enable
\fBApache\fR
password authentication directly through
\fBDACS\fR\&.
.RE
.PP
\fB\-\-enable\-bdb\fR
.RS 4
Enable
Berkeley DB
support (default is
yes); if you don\*(Aqt want it, use the
\fB\-\-disable\-bdb\fR
flag\&.
.RE
.PP
\fB\-\-enable\-cas\-auth\fR
.RS 4
Enable CAS authentication\&.
.RE
.PP
\fB\-\-enable\-cert\-auth\fR
.RS 4
Enable X\&.509 client certificate authentication\&.
.RE
.PP
\fB\-\-enable\-dacs\-conf\fR
.RS 4
Specify default
\fBDACS\fR
config file\&.
.RE
.PP
\fB\-\-enable\-dacs\-log\fR
.RS 4
Specify initial
\fBDACS\fR
log file\&.
.RE
.PP
\fB\-\-enable\-debug\fR
.RS 4
Compile with debugging\&.
.RE
.PP
\fB\-\-enable\-developer\fR
.RS 4
Compile with development flags\&.
.RE
.PP
\fB\-\-enable\-fts\fR
.RS 4
Use the included
\m[blue]\fBfts(3)\fR\m[]\&\s-2\u[89]\d\s+2
library\&.
.RE
.PP
\fB\-\-enable\-grid\-auth\fR
.RS 4
Enable one\-time password grid authentication\&.
.RE
.PP
\fB\-\-enable\-hush\-startup\-logging\fR
.RS 4
Enable suppression of informational log messages at startup\&.
.RE
.PP
\fB\-\-enable\-infocard\-auth\fR
.RS 4
Enable InfoCard authentication and support\&. Deprecated\&.
.RE
.PP
\fB\-\-enable\-java\fR
.RS 4
Enable Java support\&.
.RE
.PP
\fB\-\-enable\-ldap\-auth\fR
.RS 4
Enable
LDAP
authentication and roles\&.
.RE
.PP
\fB\-\-enable\-local\-roles\fR
.RS 4
Enable private
\fBDACS\fR
roles module\&. (enabled by default)
.RE
.PP
\fB\-\-enable\-native\-auth\fR
.RS 4
Enable authentication via
\fBApache\fR
modules\&.
.RE
.PP
\fB\-\-enable\-ndbm\fR
.RS 4
Enable native Unix ndbm API support (this is often supplied by the
Berkeley DB
compatibility API)\&.
.RE
.PP
\fB\-\-enable\-ntlm\-auth\fR
.RS 4
Enable NTLM authentication\&.
.RE
.PP
\fB\-\-enable\-pam\-auth\fR
.RS 4
Enable PAM authentication\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
The PAM module should be considered experimental\&. Test it carefully before production use\&.
.sp .5v
.RE
.RE
.PP
\fB\-\-enable\-passwd\-auth\fR
.RS 4
Enable DACS password\-protected account authentication\&.
.RE
.PP
\fB\-\-enable\-radius\-auth\fR
.RS 4
Enable
RADIUS
authentication\&.
.RE
.PP
\fB\-\-enable\-rule\-patterns\fR
.RS 4
Enable extended URL patterns when matching a request against ACLs (this is an
\m[blue]\fBadd\-on feature\fR\m[]\&\s-2\u[88]\d\s+2)\&.
.RE
.PP
\fB\-\-enable\-simple\-auth\fR
.RS 4
Enable simple DACS account authentication\&.
.RE
.PP
\fB\-\-enable\-sqlite\fR
.RS 4
Enable
SQLite
support (default is
no)\&. If you don\*(Aqt want it, use the
\fB\-\-disable\-sqlite\fR
flag\&.
.RE
.PP
\fB\-\-enable\-system\-libradius\fR
.RS 4
Link to the system
libradius
library (which must provide a BSD\-style RADIUS client API)\&. If RADIUS authentication is enabled and this flag is not given, the portable implementation of the library that is included with
\fBDACS\fR
is configured, built, and used as a
\fBDACS\fR
component\&. Only BSD systems are likely to use this flag\&.
.RE
.PP
\fB\-\-enable\-token\-auth\fR
.RS 4
Enable one\-time password token authentication\&.
.RE
.PP
\fB\-\-enable\-unix\-roles\fR
.RS 4
Enable Unix groups roles module (enabled by default on Unix platforms)\&.
.RE
.PP
\fB\-\-enable\-user\-info\fR
.RS 4
Compile with the user information reporting feature\&.
.RE
Third\-party support options.PP
.PP
\fB\-\-with\-apache=\fR\fB\fIDIR\fR\fR
.RS 4
Root
\fBApache\fR
install directory; if
\fIDIR\fR
is "omit", however, a basic subset of
\fBDACS\fR
will be installed (\m[blue]\fBalso see above\fR\m[]\&\s-2\u[90]\d\s+2) (example: if
\fBApache\fR
files have been installed in
/usr/local/apache2\&.2/include,
/usr/local/apache2\&.2/conf, etc\&., use
\fB\-\-with\-apache\fR=/usr/local/apache2\&.2)\&.
.RE
.PP
\fB\-\-with\-apache\-apr=\fR\fB\fIDIR\fR\fR
.RS 4
Root
\fBApache\fR
APR
install directory; required only when
\fBApache\fR
2\&.2
or
2\&.4
are used (example:
\fB\-\-with\-apache\-apr\fR=/usr/local/apache2\&.2/apr\-httpd)\&.
.RE
.PP
\fB\-\-with\-apache\-apr\-config=\fR\fB\fIPATH\fR\fR
.RS 4
\fBApache\fR
APR
configuration program; required only when
\fBApache\fR
2\&.2
or
2\&.4
are used and the correct program is not on the search path; this flag may be required if the build system has more than one instance of
\fBApache\fR
installed or if you have installed
\fBApache\fR
in a non\-standard location (example:
\fB\-\-with\-apache\-apr\-config\fR=/usr/local/apache2\&.2/apr\-httpd/bin/apr\-1\-config)\&.
.RE
.PP
\fB\-\-with\-apache\-apr\-cpp\-defs=\fR\fB\fIFLAGS\fR\fR
.RS 4
Preprocessor flags required when compiling files that include
\fBApache\fR
APR
code; may be required with some "non\-standard" cases when
\fBApache\fR
2\&.2
or
2\&.4
are used and "\fBapr\-1\-config \-\-cppflags\fR" is unavailable or does not report the correct flags (example:
\fB\-\-with\-apache\-apr\-cpp\-defs\fR=\-D_LARGEFILE64_SOURCE)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
It has been reported that on some
GNU/Linux
platforms, such as Ubuntu, it is necessary to define these symbols when building
\fBDACS\fR
code that includes
APR
header files (such as
\fBdacsversion\fR):
.sp
.if n \{\
.RS 4
.\}
.nf
#define LINUX 2
#define _REENTRANT
#define _GNU_SOURCE
#define _LARGEFILE64_SOURCE
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
.RE
.PP
\fB\-\-with\-apache\-apr\-includes=\fR\fB\fIDIR\fR\fR
.RS 4
\fBApache\fR
APR
include files directory; required with some "non\-standard" cases when
\fBApache\fR
2\&.2
or
2\&.4
are used and
\fBapr\-1\-config\fR
is unavailable or does not report the correct directory (example:
\fB\-\-with\-apache\-apr\-includes\fR=/usr/bin/include/apr\-1\&.0)\&.
.RE
.PP
\fB\-\-with\-apache\-apu\-config=\fR\fB\fIPATH\fR\fR
.RS 4
\fBApache\fR
APU
configuration program; required only when
\fBApache\fR
2\&.2
or
2\&.4
are used and the correct program is not on the search path; this flag may be required if the build system has more than one instance of
\fBApache\fR
installed or if you have installed
\fBApache\fR
in a non\-standard location (example:
\fB\-\-with\-apache\-apu\-config\fR=/usr/local/apache2\&.2/apr\-util\-httpd/bin/apu\-1\-config)\&.
.RE
.PP
\fB\-\-with\-apache\-apu\-includes=\fR\fB\fIDIR\fR\fR
.RS 4
\fBApache\fR
APU
include files directory; required with some "non\-standard" cases when
\fBApache\fR
2\&.2
or
2\&.4
are used and
\fBapu\-1\-config\fR
is unavailable or does not report the correct directory (example:
\fB\-\-with\-apache\-apu\-includes\fR=/usr/bin/include/apr\-util\-1\&.0)\&.
.RE
.PP
\fB\-\-with\-apxs=\fR\fB\fIPATH\fR\fR
.RS 4
By default, the build procedure expects the
\fBApache\fR
\fBapxs\fR
utility to be
bin/apxs, relative to
\fBApache\*(Aqs\fR
installation directory\&. On systems where this is incorrect, you must specifically configure the path for
\fBapxs\fR\&. (example:
\fB\-\-with\-apxs\fR=/usr/sbin/apxs2)\&.
.RE
.PP
\fB\-\-with\-bdb=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the root of the installed
Berkeley DB
libraries, include files, etc\&.; for example
\fB\-\-with\-bdb\fR=/usr/local/db\-5\&.3\&.28\&. This implies
\fB\-\-enable\-bdb\fR\&.
.RE
.PP
\fB\-\-with\-cgi\-bin=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBApache\fR
CGI files for
\fBDACS\fR
web services\&. This will resolve to
\fIDIR\fR/cgi\-bin/dacs
if it exists, or
\fIDIR\fR/dacs
if that exists, or
\fIDIR\fR
if its last component is "dacs"\&.
.RE
.PP
\fB\-\-with\-cgi\-suffix=\fR\fB\fISUFFIX\fR\fR
.RS 4
When installing CGI executables, add
\fISUFFIX\fR
as the file extension\&. A typical value for
\fISUFFIX\fR
is "\&.cgi"\&. The default access control rules for
\fBDACS\fR
web services (via the VFS item type
dacs_acls) respect this suffix\&. On
Windows
platforms, where "\&.exe" is the standard extension for programs,
\fISUFFIX\fR
is set to that by default\&. Using a
\fISUFFIX\fR
of "no" sets the extension to the null string\&.
.RE
.PP
\fB\-\-with\-dacs\-conf=\fR\fB\fIPATH\fR\fR
.RS 4
Specify default
\fBDACS\fR
config file (default:
\fIPREFIX\fR/federations/dacs\&.conf)\&.
.RE
.PP
\fB\-\-with\-dacs\-log=\fR\fB\fIPATH\fR\fR
.RS 4
Specify initial
\fBDACS\fR
log file (default:
\fIPREFIX\fR/logs/error_log)\&.
.RE
.PP
\fB\-\-with\-default\-cipher\-list=\fR\fB\fICIPHERSTRING\fR\fR
.RS 4
Specify a default
\fBOpenSSL\fR
cipher string specification (the argument to
\m[blue]\fB\fBSSL_CTX_set_cipher_list()\fR\fR\m[]\&\s-2\u[91]\d\s+2) to be used with
\m[blue]\fBsslclient(1)\fR\m[]\&\s-2\u[92]\d\s+2
and therefore by SSL/TLS connections internal to
\fBDACS\fR\&. By default, these connections may use SSLv3 or TLS\&. By setting
\fICIPHERSTRING\fR
appropriately, connections can be restricted to TLS, for instance\&. This is separate from any
\fBApache\fR
SSL/TLS configuration\&.
.RE
.PP
\fB\-\-with\-expat=\fR\fB\fIDIR\fR\fR
.RS 4
Root directory of installed
\fBExpat\fR
libraries and include files\&. If Expat files have been installed in
/usr/local/expat/include,
/usr/local/expat/lib, etc\&., use
\fB\-\-with\-expat\fR=/usr/local/expat\&.
.RE
.PP
\fB\-\-with\-federations\-root=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBDACS\fR
federations root directory (default:
\fIPREFIX\fR/federations)\&.
.RE
.PP
\fB\-\-with\-gdbm\-includes\fR=\fIDIR\fR
.RS 4
Enable ndbm support using gdbm\*(Aqs compatibility API (\m[blue]\fBgdbm(3)\fR\m[]\&\s-2\u[93]\d\s+2), specifying the include flags to use\&. (Example:
\fB\-\-with\-gdbm\-includes=\-I/local/src/gdbm\-1\&.13/include\fR)\&. (CentOS Example:
\fB\-\-with\-gdbm\-includes=\-I/usr/include/gdbm\fR)\&.
.RE
.PP
\fB\-\-with\-gdbm\-lib\fR=\fILIB\fR
.RS 4
Enable ndbm support using gdbm\*(Aqs compatibility API (\m[blue]\fBgdbm(3)\fR\m[]\&\s-2\u[93]\d\s+2), specifying the link flags to use, the pathname for the library, and any other necessary flags\&. (FreeBSD Example:
\fB\-\-with\-gdbm\-lib="\-Wl,\-rpath,/local/src/gdbm\-1\&.13/lib \-L/local/src/gdbm\-1\&.13/lib \-lgdbm"\fR)\&. (CentOS Example:
\fB\-\-with\-gdbm\-lib="\-L/usr/lib64 \-lgdbm"\fR)\&.
.RE
.PP
\fB\-\-with\-htdocs=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBApache\fR
\fBDACS\fR
files if not the
htdocs
subdirectory of the
\fBApache\fR
install directory\&.
.RE
.PP
\fB\-\-with\-iconv=\fR\fB\fIDIR\fR\fR
.RS 4
Path to parent of
iconv
installation\&. This flag may be required if you are enabling
\fBSamba\fR
support\&.
.RE
.PP
\fB\-\-with\-jdk\-bin\fR
.RS 4
If Java support is enabled, this identifies the directory containing the
\fBjava\fR,
\fBjavac\fR,
\fBjavah\fR, and
\fBjar\fR
commands\&. If this flag is absent,
\fBconfigure\fR
will look for those programs using the current
\fBPATH\fR
variable\&. (Example:
\fB\-\-with\-jdk\-bin=/usr/local/java/bin\fR)\&.
.RE
.PP
\fB\-\-with\-jdk\-includes\fR
.RS 4
If Java support is enabled, this is a list of one or more
\fBGCC\fR
include flags for JDK include directories (Example:
\fB\-\-with\-jdk\-includes="\-I/usr/local/jdk/include \-I/usr/local/jdk/include/freebsd"\fR)\&.
.RE
.PP
\fB\-\-with\-ldap=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBOpenLDAP\fR
\fIsource\fR
files\&. This is the root directory for the OpenLDAP source distribution (Example:
/local/src/openldap\-2\&.4\&.45)\&. This implies
\fB\-\-enable\-ldap\-auth\fR\&.
.RE
.PP
\fB\-\-with\-libdsm=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the
libdsm
library (which will be used instead of Samba)\&. This is the root directory of the library\*(Aqs source distribution\&. This option implies
\fB\-\-enable\-ntlm\-auth\fR, which may also appear explicitly, but is incompatible with
\fB\-\-with\-samba\fR\&.
.RE
.PP
\fB\-\-with\-mailer\-prog=\fR\fB\fIPATH\fR\fR
.RS 4
Location of a mailer program to use instead of
\fBsendmail\fR\&. This is only needed if email support is required\&. If
\fB\-\-with\-mailer\-args\fR
is also specified, it will be used as the command line arguments\&. See
\m[blue]\fBdacsemail(1)\fR\m[]\&\s-2\u[94]\d\s+2
for a description of how the mailer is expected to behave\&.
.RE
.PP
\fB\-\-with\-mailer\-args=\fR\fB\fISTRING\fR\fR
.RS 4
Command line arguments to use with the selected mailer program\&. This is only required if email support is required\&. See
\m[blue]\fBdacsemail(1)\fR\m[]\&\s-2\u[94]\d\s+2
for a description of how the mailer is expected to behave\&.
.RE
.PP
\fB\-\-with\-readline=\fR\fB\fILIB\fR\fR
.RS 4
Use
\m[blue]\fBGNU Readline\fR\m[]\&\s-2\u[72]\d\s+2
when available\&. If
\fILIB\fR
is given, it is the link flag to use or the pathname for the library (other flags may also be specified)\&. (Example:
\fB\-\-with\-readline="\-Wl,\-rpath,/local/src/readline\-7\&.0/lib \-L/local/src/readline\-7\&.0/lib \-I/local/src/readline\-7\&.0/include"\fR)\&.
.RE
.PP
\fB\-\-with\-samba=\fR\fB\fIDIR\fR\fR
.RS 4
Location of Samba
\fIsource\fR
files\&. This is the root directory for the Samba source distribution (Example:
/local/src/samba\-3\&.6\&.25)\&. This implies
\fB\-\-enable\-ntlm\-auth\fR\&.
.RE
.PP
\fB\-\-with\-sendmail=\fR\fB\fIPATH\fR\fR
.RS 4
Location of
\m[blue]\fBsendmail(8)\fR\m[]\&\s-2\u[95]\d\s+2\&. This is only needed if email support is required and the location of the
\fBsendmail\fR
command found at configuration time must be overridden\&. If
\fB\-\-with\-mailer\-args\fR
is also specified, it will be used instead of the default
\fBsendmail\fR
command line arguments\&. See
\m[blue]\fBdacsemail(1)\fR\m[]\&\s-2\u[94]\d\s+2
for additional details\&.
.RE
.PP
\fB\-\-with\-sqlite=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the root of the installed
SQLite
libraries, include files, etc\&.; for example
\fB\-\-with\-sqlite\fR=/usr/local/sqlite\-3\&.14\&.2\&. This implies
\fB\-\-enable\-sqlite\fR\&.
.RE
.PP
\fB\-\-with\-ssl=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the root of the installed
\fBOpenSSL\fR
libraries and include files\&. If
\fBOpenSSL\fR
files have been installed in
/usr/local/openssl/include,
/usr/local/openssl/lib, etc\&., use
\fB\-\-with\-expat\fR=/usr/local/openssl\&.
.RE
.PP
\fB\-\-with\-xmlsec1\-config=\fR\fB\fIPATH\fR\fR
.RS 4
If the build procedure cannot find
\fBxmlsec1\-config\fR, or if it finds the wrong one, you can specify its location as
\fIPATH\fR\&. This may only be required if InfoCard authentication has been enabled\&.
.RE
.PP
To specify additional flags for compiling or linking
\fBDACS\fR, set
\fICFLAGS\fR
or
\fILDFLAGS\fR, respectively\&.
.PP
To specify additional flags for compiling or linking the
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[13]\d\s+2, set
\fIAPACHE_CFLAGS\fR
or
\fIAPACHE_LDFLAGS\fR, respectively\&. For example, this command will cause
\fBmod_auth_dacs\fR
to be built with the
\fB\-m64\fR
flag and
\fBDACS\fR
to be built with both the
\fB\-m64\fR
flag and the
\fB\-O3\fR
flag:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure "APACHE_CFLAGS=\-m64" "CFLAGS=\-O3 \-m64" \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
.RE
.SH "SEE ALSO"
.PP
\m[blue]\fBdacs(1)\fR\m[]\&\s-2\u[96]\d\s+2,
\m[blue]\fBdacs\&.readme(7)\fR\m[]\&\s-2\u[12]\d\s+2,
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[11]\d\s+2
.SH "AUTHOR"
.PP
Distributed Systems Software (\m[blue]\fBwww\&.dss\&.ca\fR\m[]\&\s-2\u[97]\d\s+2)
.SH "COPYING"
.PP
Copyright \(co 2003\-2018 Distributed Systems Software\&. See the
\m[blue]\fBLICENSE\fR\m[]\&\s-2\u[98]\d\s+2
file that accompanies the distribution for licensing information\&.
.SH "NOTES"
.IP " 1." 4
gmake
.RS 4
\%http://directory.fsf.org/project/make
.RE
.IP " 2." 4
GCC
.RS 4
\%http://gcc.gnu.org
.RE
.IP " 3." 4
LLVM/Clang
.RS 4
\%http://llvm.org
.RE
.IP " 4." 4
Post-Release Notes
.RS 4
\%http://dacs.dss.ca/download.html
.RE
.IP " 5." 4
dacs_acs(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_acs.8.html
.RE
.IP " 6." 4
Xcode
.RS 4
\%https://developer.apple.com/xcode
.RE
.IP " 7." 4
Using Pluggable Authentication Modules (PAM)
.RS 4
\%https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Pluggable_Authentication_Modules.html
.RE
.IP " 8." 4
ldconfig(8)
.RS 4
\%https://www.freebsd.org/cgi/man.cgi?query=ldconfig&apropos=0&sektion=8&manpath=FreeBSD+10.3-RELEASE&format=html
.RE
.IP " 9." 4
ldd(1)
.RS 4
\%https://www.freebsd.org/cgi/man.cgi?query=ldd&apropos=0&sektion=1&manpath=FreeBSD+10.3-RELEASE&format=html
.RE
.IP "10." 4
Cygwin
.RS 4
\%http://cygwin.com
.RE
.IP "11." 4
dacs.quick(7)
.RS 4
\%http://dacs.dss.ca/man/dacs.quick.7.html
.RE
.IP "12." 4
dacs.readme(7)
.RS 4
\%http://dacs.dss.ca/man/dacs.readme.7.html
.RE
.IP "13." 4
mod_auth_dacs module
.RS 4
\%http://dacs.dss.ca/man/mod_auth_dacs.html
.RE
.IP "14." 4
dacs_authenticate(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html
.RE
.IP "15." 4
dacs_current_credentials(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_current_credentials.8.html
.RE
.IP "16." 4
dacs_prenv(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_prenv.8.html
.RE
.IP "17." 4
dacs_list_jurisdictions(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_list_jurisdictions.8.html
.RE
.IP "18." 4
dacs_conf(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_conf.8.html
.RE
.IP "19." 4
dacs_signout(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_signout.8.html
.RE
.IP "20." 4
dacs_version(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_version.8.html
.RE
.IP "21." 4
DACS_HOME
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#var_dacs_home
.RE
.IP "22." 4
configuration variable
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#config-vars
.RE
.IP "23." 4
man(1)
.RS 4
\%https://www.freebsd.org/cgi/man.cgi?query=man&apropos=0&sektion=1&manpath=FreeBSD+10.3-RELEASE&format=html
.RE
.IP "24." 4
man/index.html
.RS 4
\%http://dacs.dss.ca/man/index.html
.RE
.IP "25." 4
sudo(8)
.RS 4
\%https://www.freebsd.org/cgi/man.cgi?query=sudo&apropos=0&sektion=8&manpath=FreeBSD+10.3-RELEASE&format=html
.RE
.IP "26." 4
Expat
.RS 4
\%https://libexpat.github.io/
.RE
.IP "27." 4
OpenSSL
.RS 4
\%http://www.openssl.org
.RE
.IP "28." 4
Apache
.RS 4
\%http://httpd.apache.org
.RE
.IP "29." 4
above
.RS 4
\%http://dacs.dss.ca/man/#install-openssl
.RE
.IP "30." 4
apr.apache.org
.RS 4
\%http://apr.apache.org
.RE
.IP "31." 4
Third-party support options
.RS 4
\%http://dacs.dss.ca/man/#third-party-support-options
.RE
.IP "32." 4
build Berkeley DB
.RS 4
\%http://dacs.dss.ca/man/#dbm-databases
.RE
.IP "33." 4
FAQ
.RS 4
\%http://dacs.dss.ca/man//faq.html
.RE
.IP "34." 4
Berkeley DB
.RS 4
\%http://www.oracle.com/us/products/database/berkeley-db/overview/index.html
.RE
.IP "35." 4
Oracle Corporation
.RS 4
\%http://www.oracle.com
.RE
.IP "36." 4
--enable-bdb
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-bdb
.RE
.IP "37." 4
--disable-bdb
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--disable-bdb
.RE
.IP "38." 4
--with-bdb
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-bdb
.RE
.IP "39." 4
changed
.RS 4
\%http://www.infoworld.com/article/2611450/open-source-software/oracle-switches-berkeley-db-license.html
.RE
.IP "40." 4
Sleepycat License
.RS 4
\%http://opensource.org/licenses/Sleepycat
.RE
.IP "41." 4
GNU AGPL v3
.RS 4
\%http://www.oracle.com/technetwork/products/berkeleydb/downloads/oslicense-093458.html
.RE
.IP "42." 4
ftp://ftp.gnu.org/gnu/gdbm
.RS 4
\%ftp://ftp.gnu.org/gnu/gdbm/
.RE
.IP "43." 4
--enable-ndbm
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-ndbm
.RE
.IP "44." 4
--with-gdbm-lib
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-gdbm-lib
.RE
.IP "45." 4
sdbm
.RS 4
\%http://search.cpan.org/src/NWCLARK/perl-5.8.8/ext/SDBM_File/sdbm/README
.RE
.IP "46." 4
SQLite
.RS 4
\%http://www.sqlite.org
.RE
.IP "47." 4
--enable-sqlite
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-sqlite
.RE
.IP "48." 4
--disable-sqlite
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--disable-sqlite
.RE
.IP "49." 4
--with-sqlite
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-sqlite
.RE
.IP "50." 4
SMB
.RS 4
\%https://en.wikipedia.org/wiki/Server_Message_Block
.RE
.IP "51." 4
NTLM
.RS 4
\%https://en.wikipedia.org/wiki/NT_LAN_Manager
.RE
.IP "52." 4
local_ntlm_authenticate
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html#local_ntlm_authenticate
.RE
.IP "53." 4
Samba
.RS 4
\%http://www.samba.org
.RE
.IP "54." 4
libtasn1
.RS 4
\%https://www.gnu.org/software/libtasn1
.RE
.IP "55." 4
libiconv
.RS 4
\%https://www.gnu.org/software/libiconv
.RE
.IP "56." 4
dacsauth(1)
.RS 4
\%https://dacs.dss.ca/man/dacsauth.1.html
.RE
.IP "57." 4
local_ntlm_authenticate
.RS 4
\%https://dacs.dss.ca/man/dacs_authenticate.8.html#local_ntlm_authenticate
.RE
.IP "58." 4
dacs_authenticate
.RS 4
\%https://dacs.dss.ca/man/dacs_authenticate.8.html
.RE
.IP "59." 4
--enable-ntlm-auth
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-ntlm-auth
.RE
.IP "60." 4
--with-samba
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-samba
.RE
.IP "61." 4
--with-libdsm
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-libdsm
.RE
.IP "62." 4
local_infocard_authenticate
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html#local_infocard_authenticate
.RE
.IP "63." 4
libxml2
.RS 4
\%http://xmlsoft.org
.RE
.IP "64." 4
xmlsec1
.RS 4
\%http://www.aleksey.com/xmlsec
.RE
.IP "65." 4
here
.RS 4
\%ftp://xmlsoft.org/libxslt/
.RE
.IP "66." 4
--with-xmlsec1-config
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-xmlsec1-config
.RE
.IP "67." 4
--enable-infocard-auth
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-infocard-auth
.RE
.IP "68." 4
local_ldap_authenticate
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html#local_ldap_authenticate
.RE
.IP "69." 4
OpenLDAP
.RS 4
\%http://www.openldap.org
.RE
.IP "70." 4
--enable-ldap-auth
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-ldap-auth
.RE
.IP "71." 4
--with-ldap
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-ldap
.RE
.IP "72." 4
GNU Readline Library
.RS 4
\%https://tiswww.case.edu/php/chet/readline/rltop.html
.RE
.IP "73." 4
dacsexpr(1)
.RS 4
\%http://dacs.dss.ca/man/dacsexpr.1.html
.RE
.IP "74." 4
--with-readline
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-readline
.RE
.IP "75." 4
Build Options
.RS 4
\%http://dacs.dss.ca/man/#build_options
.RE
.IP "76." 4
dacsacl(1)
.RS 4
\%http://dacs.dss.ca/man/dacsacl.1.html
.RE
.IP "77." 4
DESTDIR
.RS 4
\%http://www.gnu.org/prep/standards/standards.html#DESTDIR
.RE
.IP "78." 4
Group
.RS 4
\%http://httpd.apache.org/docs/2.4/mod/mod_unixd.html#group
.RE
.IP "79." 4
SetDACSAuthDebug
.RS 4
\%http://dacs.dss.ca/man/mod_auth_dacs.html#SetDACSAuthDebug
.RE
.IP "80." 4
ServerTokens
.RS 4
\%http://httpd.apache.org/docs/current/mod/core.html#servertokens
.RE
.IP "81." 4
Alias
.RS 4
\%http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias
.RE
.IP "82." 4
FEDERATION_DOMAIN
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#FEDERATION_DOMAIN
.RE
.IP "83." 4
FEDERATION_NAME
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#FEDERATION_NAME
.RE
.IP "84." 4
JURISDICTION_NAME
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#JURISDICTION_NAME
.RE
.IP "85." 4
dacskey(1)
.RS 4
\%http://dacs.dss.ca/man/dacskey.1.html
.RE
.IP "86." 4
dacs.groups(5)
.RS 4
\%http://dacs.dss.ca/man/dacs.groups.5.html#dacs_metadata
.RE
.IP "87." 4
dacsversion(1)
.RS 4
\%http://dacs.dss.ca/man/dacsversion.1.html
.RE
.IP "88." 4
add-on features
.RS 4
\%http://dacs.dss.ca/man/dacs.readme.7.html#addons
.RE
.IP "89." 4
fts(3)
.RS 4
\%https://www.freebsd.org/cgi/man.cgi?query=fts&apropos=0&sektion=3&manpath=FreeBSD+10.3-RELEASE&format=html
.RE
.IP "90." 4
also see above
.RS 4
\%http://dacs.dss.ca/man/#building_subset
.RE
.IP "91." 4
\fBSSL_CTX_set_cipher_list()\fR
.RS 4
\%http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html
.RE
.IP "92." 4
sslclient(1)
.RS 4
\%http://dacs.dss.ca/man/sslclient.1.html
.RE
.IP "93." 4
gdbm(3)
.RS 4
\%http://directory.fsf.org/gdbm.html
.RE
.IP "94." 4
dacsemail(1)
.RS 4
\%http://dacs.dss.ca/man/dacsemail.1.html
.RE
.IP "95." 4
sendmail(8)
.RS 4
\%https://www.freebsd.org/cgi/man.cgi?query=sendmail&apropos=0&sektion=8&manpath=FreeBSD+10.3-RELEASE&format=html
.RE
.IP "96." 4
dacs(1)
.RS 4
\%http://dacs.dss.ca/man/dacs.1.html
.RE
.IP "97." 4
www.dss.ca
.RS 4
\%http://www.dss.ca
.RE
.IP "98." 4
LICENSE
.RS 4
\%http://dacs.dss.ca/man/../misc/LICENSE
.RE