.\" Copyright (c) 2003-2012
.\" Distributed Systems Software. All rights reserved.
.\" See the file LICENSE for redistribution information.
.\" $Id: copyright-nr 2564 2012-03-02 00:17:08Z brachman $
'\" t
.\" Title: dacs.install
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 07/17/2013
.\" Manual: DACS Miscellaneous Information Manual
.\" Source: DACS 1.4.28b
.\" Language: English
.\"
.TH "DACS\&.INSTALL" "7" "07/17/2013" "DACS 1.4.28b" "DACS Miscellaneous Information"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dacs.install \- \fBDACS\fR installation guide
.SH "DESCRIPTION"
.PP
This document describes how to configure and install this release of
\fBDACS\fR\&. Please read it carefully\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Installation requires the GNU
\fBmake\fR
command (\m[blue]\fBgmake\fR\m[]\&\s-2\u[1]\d\s+2) and
\m[blue]\fBGCC\fR\m[]\&\s-2\u[2]\d\s+2\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The examples here and in other
\fBDACS\fR
documentation assume that
\fBDACS\fR
is installed in its default location,
/usr/local/dacs\&. If you specify a different location at build time, please keep this in mind as you read the documentation\&. This also applies to third\-party packages, which you may install where convenient, provided you are careful not to confuse or combine different versions of the same package; in this document\*(Aqs examples we install them under
/usr/local
and unpack their source code under
/local/src\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In some command line examples, long lines have been split to improve readability; copying and pasting may not work\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Whenever you upgrade to a more recent version of
\fBDACS\fR, please do not forget to install the
\fBmod_auth_dacs\fR
module that comes with your new version of
\fBDACS\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Please pay careful attention to the descriptions of the third\-party packages below\&. Our philosophy is that
\fBDACS\fR
should be used with the most recent stable versions of third\-party packages available at the time
\fBDACS\fR
is released\&. This helps to ensure that a
\fBDACS\fR
deployment has the latest security features and bug fixes\&.
.sp
You should build third\-party packages in the order in which they are discussed below because packages that are discussed earlier may require some that appear later\&.
.sp
For a few third\-party packages, it is important that you use the
\fIexact version\fR
that is mentioned\&. Do not use anything newer or older\&.
.sp
For some third\-party packages, a particular release is
\fIrecommended\fR\&. It is less critical that you use the recommended release, but older releases may have important bugs, including security problems\&. A release newer than the one(s) specified will not have been tested with
\fBDACS\fR
\- and a release older than the one(s) specified may not have been tested with
\fBDACS\fR
\- so if you choose to use such a release you are on your own\&.
.sp
You may save yourself time and headaches if you just use the recommended releases\&.
.sp
Sometimes the recommended version of a third\-party package will be fine on some platforms but will not build or is buggy on another platform\&. Whenever possible, the
\fBDACS\fR
installation instructions suggest an alternative version, and you may proceed with that version, or a recent version of your choice \- but keep the preceding comments regarding older releases in mind and ensure that a "\fBgmake test\fR" of
\fBDACS\fR
completes successfully\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
Mac OS X
you will probably need to install the
\m[blue]\fBXcode\fR\m[]\&\s-2\u[3]\d\s+2
development environment\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On some systems it will be necessary to use
\m[blue]\fBldconfig(8)\fR\m[]\&\s-2\u[4]\d\s+2
(or equivalent) so that your system finds the correct shared libraries for programs that are executed by the web server, including the
\fBDACS\fR
web services\&.
.RE
.sp .5v
.RE
.SS "Trying DACS"
.PP
If at this time you only want to try
\fBDACS\fR
rather than doing a full install, review the information below regarding third\-party packages and then proceed to follow the instructions you will find in
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[5]\d\s+2, which is a step\-by\-step tutorial for installing and configuring
\fBDACS\fR\&.
.SS "Upgrading DACS"
.PP
If
\fBDACS\fR
1\&.4 is already installed on your system and you are not changing any third\-party packages or installation options, for a "quick and dirty" upgrade you can often install a new release on top of a previous release\&. While this will leave your existing
\fBDACS\fR
configuration files alone, it will also leave files that are no longer needed by the new
\fBDACS\fR\&. Be sure to check the new distribution\*(Aqs release notes and the rest of this manual page for any notable differences and incompatibilities \- you may need to make some adjustments to your pre\-existing installation\&.
.PP
It is possible for minor, incompatible changes introduced by a new release to cause temporary, user\-visible problems\&. For example, changes to the format of credentials might invalidate sessions (i\&.e\&.,
\fBDACS\fR
HTTP cookies) issued by the earlier release, requiring users to reauthenticate\&.
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Make a backup copy of the previous install, just in case\&.
\fIIt is especially important to make copies of all data files (such as \fR\fI\fBDACS\fR\fR\fI password files, other kinds of account files, encryption keys) and any custom configuration (such as access control rules)\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
Obtain and unpack the new distribution and
\fBchdir\fR
to it;
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
Review
\m[blue]\fBdacs\&.readme(7)\fR\m[]\&\s-2\u[6]\d\s+2
and the instructions in this document;
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
Copy
src/config\&.nice
from your installed version to the new
src
directory, make any updates and corrections that are necessary, and configure
\fBDACS\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd src; sh \&./config\&.nice
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
Build
\fBDACS\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 6." 4.2
.\}
We recommend that you remove some of the files from the previous release in case they are no longer required or have been renamed\&. Unless you have put non\-standard files in them or made non\-standard customizations, it is safe to simply delete these directories and their contents:
.sp
.if n \{\
.RS 4
.\}
.nf
% rm \-f \-r /usr/local/dacs/{acls,bin,include,lib,man,www}
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 7." 4.2
.\}
Stop
\fBhttpd\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% apachectl stop
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 8.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 8." 4.2
.\}
Install
\fBDACS\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 9.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 9." 4.2
.\}
Make and install the latest
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[7]\d\s+2:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd \&.\&./apache; gmake tag install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'10.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "10." 4.2
.\}
Restart
\fBhttpd\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% apachectl start
.fi
.if n \{\
.RE
.\}
.sp
or
.sp
.if n \{\
.RS 4
.\}
.nf
% apachectl startssl
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'11.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "11." 4.2
.\}
Check that
\fBDACS\fR
appears to be working correctly\&. You may find it handy to construct a set of links or bookmarks that you can use after installing or configuring
\fBDACS\fR
to invoke various
\fBDACS\fR
web services with appropriate arguments; for instance, try
\m[blue]\fBdacs_authenticate(8)\fR\m[]\&\s-2\u[8]\d\s+2\m[blue]\fBdacs_current_credentials(8)\fR\m[]\&\s-2\u[9]\d\s+2,
\m[blue]\fBdacs_prenv(8)\fR\m[]\&\s-2\u[10]\d\s+2,
\m[blue]\fBdacs_list_jurisdictions(8)\fR\m[]\&\s-2\u[11]\d\s+2,
\m[blue]\fBdacs_conf(8)\fR\m[]\&\s-2\u[12]\d\s+2,
\m[blue]\fBdacs_signout(8)\fR\m[]\&\s-2\u[13]\d\s+2, and
\m[blue]\fBdacs_version(8)\fR\m[]\&\s-2\u[14]\d\s+2\&. Review the
\fBDACS\fR
log file for any error messages or warnings\&.
.RE
.SS "DACS on Windows"
.PP
\fBDACS\fR
is not currently supported on
Microsoft Windows
platforms\&.
\m[blue]\fBCygwin\fR\m[]\&\s-2\u[15]\d\s+2, which provides a
GNU/Linux\-like environment for
Windows, is not an officially\-supported platform, but
\fBDACS\fR
releases usually build on it\&.
.PP
To run
\fBDACS\fR
utilities and commands on
Windows
(such as
\fBdacscheck\fR), it appears to be sufficient to install the binaries along with the
Cygwin
run\-time libraries that they require, such as
/bin/cygwin1\&.dll
and
/bin/cygcrypt\-0\&.dll\&.
.SS "Installing DACS"
.PP
The following describes how to install
\fBDACS\fR\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If another release of
\fBDACS\fR
is present, rename your previous release, install the new release, and then copy any site\-specific configuration files from the previous release to the new release\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Be careful not to mix
\fBDACS\fR
binaries and support files from different releases; this can lead to strange behaviour that is often hard to resolve\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are installing or upgrading a third\-party package, make sure that you are building it against the correct include files and libraries (e\&.g\&., that the
\fBDACS\fR
build is not finding an old version, or using include files from one version and library files from a different version, or that
\fBhttpd\fR
is trying to use the wrong version of an
\fBOpenSSL\fR
library)\&. This is frequently the cause of build and run\-time problems\&.
.RE
.sp .5v
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Unpack the
\fBDACS\fR
distribution and move to its root directory\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
Familiarize yourself with the system by:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
reading this document;
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
running:
.sp
.if n \{\
.RS 4
.\}
.nf
% src/configure \-\-help
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
browsing through the documentation (best done by loading
\m[blue]\fBman/index\&.html\fR\m[]\&\s-2\u[16]\d\s+2
into your browser);
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
deciding where you want the various components to be installed; and
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
considering which optional features you may want (you can easily make changes at any time, so do not be too concerned about this)\&.
.RE
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
A few third\-party packages are
\fIrequired\fR
by
\fBDACS\fR
and must be built before
\fBDACS\fR
can be configured and built\&. Please note carefully if any special exceptions apply to your particular platform and third\-party package needs\&. Although you may have better luck, sometimes we experienced problems building the recommended packages (or combinations of packages) on certain platforms; whenever possible, we try to provide a workable alternative\&. Late\-breaking updates are sometimes available in the release\*(Aqs
\m[blue]\fBPost\-Release Notes\fR\m[]\&\s-2\u[17]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
It is not necessary to actually
\fIinstall\fR
these packages, you only have to
\fIbuild\fR
them so that the
\fBDACS\fR
build can use their libraries, include files, and so on, directly from where you build the packages\&. You may chose to do this if you do not want to upgrade an existing version of the package, or if you are unable to do so\&.
.sp
Build these packages
\fIin the order in which they are listed below\fR\&.
.sp
If you install a package, you may need to be root or use
\m[blue]\fBsudo(8)\fR\m[]\&\s-2\u[18]\d\s+2
(e\&.g\&., "\fBsudo make install\fR")\&.
.sp
These packages are not distributed with
\fBDACS\fR
and have licensing terms completely separate from those of
\fBDACS\fR
that are your responsibility\&.
.sp .5v
.RE
.PP
\fBThird\-Party Package Index:\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBExpat\fR: XML parser
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSL\fR: Crytographic toolkit
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBApache\fR: Web server
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Berkeley DB, gdbm, ndbm: dbm-type database libraries
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSQLite\fR: SQL database engine
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSamba\fR: Microsoft Windows interoperability suite
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
libxml2, xmlsec1: XML toolkit and security libraries
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenLDAP\fR: Lightweight Directory Access Protocol software
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Readline: Command line history and editing
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Install the
Expat
XML parser
.sp
This release of
\fBDACS\fR
has been tested with
\m[blue]\fBExpat\fR\m[]\&\s-2\u[19]\d\s+22\&.1\&.0
and we recommend that you use that release\&.
.sp
For use with
\fBDACS\fR,
\fBExpat\fR
can either be built with
\fB\-prefix=/usr/local\fR
or something like
\fB\-prefix=/usr/local/expat\-2\&.1\&.0\fR, whichever you prefer\&. In the former case, you can omit the
\fB\-\-with\-expat\fR
when configuring
\fBDACS\fR
or use
\fB\-\-with\-expat=/usr/local\fR, and in the latter case you must use
\fB\-\-with\-expat=/usr/local/expat\-2\&.1\&.0\fR\&. Here is how we usually build
\fBExpat\fR
after unpacking it:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd expat\-2\&.1\&.0
% \&./configure \-\-prefix=/usr/local/expat\-2\&.1\&.0
% make
(All should go well\&.)
% make install
(All should go well here, too\&.)
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
On
Win2K/Cygwin, only a static library is needed\&. From the root of the
\fBexpat\fR
distribution directory:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd lib; ar rv libexpat\&.a *\&.o; ranlib libexpat\&.a
.fi
.if n \{\
.RE
.\}
.sp
If the build fails, reconfigure using
\fB\-\-enable\-shared=no\fR
and
\fB\-\-enable\-static=yes\fR
and try to build it again\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
Install
\fBOpenSSL\fR
.sp
\fBDACS\fR
uses cryptographic functionality provided by
\m[blue]\fBOpenSSL\fR\m[]\&\s-2\u[20]\d\s+2\&. This release of
\fBDACS\fR
has been tested with
openssl\-1\&.0\&.1e
and we recommend that you use that release with
\fBDACS\fR\&.
\fBApache\fR
should be built using the version of
\fBOpenSSL\fR
recommended by the particular
\fBApache\fR
release \- using a more recent version of
\fBOpenSSL\fR
may introduce build problems or run\-time bugs in
\fBApache\fR\&.
\fIIt is not necessary for \fR\fI\fBApache\fR\fR\fI and \fR\fI\fBDACS\fR\fR\fI to use the same release of \fR\fI\fBOpenSSL\fR\fR\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Releases of
\fBApache\fR
prior to
2\&.0\&.55
do not work (as shipped) with
\fBOpenSSL\fR0\&.9\&.8
or newer\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDACS\fR
will probably work with
openssl\-1\&.0\&.0x, although those versions are no longer officially supported\&.
\fBDACS\fR
will not work with
openssl\-0\&.9\&.8[mno]
("\fBgmake test\fR" fails);
openssl\-0\&.9\&.8l
is the last of the pre\-openssl\-1\&.0\&.0x
releases at one time known to work correctly with
\fBDACS\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you need InfoCard support and you have upgraded to
openssl\-1\&.0\&.0
or newer, it may be necessary to rebuild
\m[blue]\fBxmlsec1\fR\m[]\&\s-2\u[21]\d\s+2
against the new library (if you need to rebuild, "\fBgmake test\fR" will fail)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When building
openssl\-0\&.9\&.8j
on
FreeBSD7\&.0, problems were encountered that caused "\fBmake install\fR" to fail; corrections to
Makefiles
under the
fips
subdirectory solved the problem\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
OpenSolaris, more serious problems building
openssl\-0\&.9\&.8j
and
openssl\-0\&.9\&.8k
were found and neither could be successfully completed; with the same options and environment,
openssl\-0\&.9\&.8i
and
openssl\-0\&.9\&.8l
built without incident, however, and the latter was used for testing on that platform\&. There were also problems forcing the runtime linker to use
\fBOpenSSL\fR
libraries other than the default system versions, despite the guidance of the relevant manual pages; it was necessary to set
\fBLD_LIBRARY_PATH\fR
appropriately (use
\fBdacsversion \fR\fB\fB\-v\fR\fR
to verify that the expected libraries are being used at runtime)\&. Note that
OpenSolaris
is no longer a supported platform\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are enabling
\fBDACS\fR
support for Java, add the
\fB\-fPIC\fR
flag to
\fBconfig\fR
when you are building
\fBOpenSSL\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In some configurations you may want or require shared
\fBOpenSSL\fR
libraries; if so, add the
\fBshared\fR
command line flag to
\fBconfig\fR
when building
\fBOpenSSL\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Solaris
8 (and perhaps other platforms) may require
\m[blue]\fBa patch\fR\m[]\&\s-2\u[22]\d\s+2
before
\fBOpenSSL\fR
will work properly\&. Please consult the latest
\fBOpenSSL\fR
documentation\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For
Solaris
10 x86, review
\fBOpenSSL\*(Aqs\fRPROBLEMS
file to see if you must apply a patch before
\fBOpenSSL\fR
will compile correctly with
\fBGCC\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
\fBOpenSSL\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./config \-\-prefix=/usr/local/openssl\-1\&.0\&.1e \-\-openssldir=/usr/local/openssl\-1\&.0\&.1e \-fPIC shared
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
On
Mac OS X, however, it was necessary to explicitly request a 64\-bit build of
\fBOpenSSL\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./Configure darwin64\-x86_64\-cc \-\-prefix=/usr/local/openssl\-1\&.0\&.1e \-\-openssldir=/usr/local/openssl\-1\&.0\&.1e \-fPIC shared
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
Install
Apache2\&.4\&.3
or
2\&.2\&.23
.sp
You will need an SSL\-capable
\m[blue]\fBApache\fR\m[]\&\s-2\u[23]\d\s+2
server (build
\fBApache\fR
with
\fB\-\-enable\-ssl\fR) that uses a recent version of
\fBOpenSSL\fR
(build
\fBApache\fR
using
\fB\-\-with\-ssl=\fR\fB\fIpath\fR\fR, see
\m[blue]\fBabove\fR\m[]\&\s-2\u[24]\d\s+2)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
You can install a subset of
\fBDACS\fR
that does not require
\fBApache\fR
and does not require
\fIany\fR\fBDACS\fR
configuration\&. These stand\-alone, general\-purpose utility commands, such as
\fBdacshttp\fR
and
\fBsslclient\fR, might be of interest to you even if you are not interested in any other parts of
\fBDACS\fR\&. Look for
BASIC_PROGS
in
Makefile\&.in
to see which commands will be installed\&.
.sp
To build this subset, use
\fB\-\-with\-apache=omit\fR
when running
\fBconfigure\fR\&. Please continue to review the information about third\-party packages in this document, but you can ignore anything that follows that is related to
\fBApache\fR
and
\fBmod_auth_dacs\fR\&.
.sp .5v
.RE
If you want to use
\m[blue]\fBmod_auth_dacs\fR\m[]\&\s-2\u[7]\d\s+2
as a dynamic module, which is the recommended configuration, make sure that
\fBmod_so\fR
is built\-in to your
\fBhttpd\fR
("httpd \-l" displays a list)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
This release of
\fBDACS\fR
has been tested with both
\fBApache\fR2\&.2\&.23
and
\fBApache\fR2\&.4\&.3\&. We strongly recommend that you use either of those versions\&. If necessary,
\fBDACS\fR
will probably also work with
2\&.0\&.51
and newer, or
2\&.2\&.2
and newer, but not with releases older than that\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If suitable
APR,
APR\-UTIL, and other support libraries have already been installed on your system, you may be able to perform a basic build and install of
\fBApache\fR2\&.4
with a command like:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd httpd\-2\&.4\&.3
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.4\&.3 \-\-enable\-ssl \e
\-\-with\-ssl=/usr/local/openssl\-1\&.0\&.1e
% make install
.fi
.if n \{\
.RE
.\}
.sp
Detailed instructions for building
\fBApache\fR2\&.4\&.3
can be found in Apache\*(Aqs
INSTALL
file\&. For the testing platforms, we get the
APR
and
APR\-UTIL
libraries from
\m[blue]\fBapr\&.apache\&.org\fR\m[]\&\s-2\u[25]\d\s+2
and unpack them in the Apache distribution\*(Aqs
srclib
directory, then rename them
srclib/apr
and
srclib/apr\-util, respectively, as it says in
INSTALL\&. We currently use
apr\-1\&.4\&.6
and
apr\-util\-1\&.5\&.1\&. When building
\fBhttpd\fR, run
\fBconfigure\fR
with the
\fB\-\-with\-included\-apr\fR
flag\&.
.sp
On
CentOS5\&.9, the
\fBApache\fR
build initially failed with a complaint about not finding
\fBpcre\-config\fR\&. To solve this, we did:
.sp
.if n \{\
.RS 4
.\}
.nf
yum install pcre\-devel\&.x86_64
.fi
.if n \{\
.RE
.\}
.sp
When configuring for the
\fBDACS\fR
build it was not necessary to use the
\fB\-\-with\-apache\-apr\fR
flag\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When building
\fBApache\fR2\&.2, running
\fBconfigure\fR
as shown above will work in some cases (distributions of the
2\&.2
branch include the
APR
and
APR\-UTIL
libraries)\&. Nevertheless, we usually first build and install
APR
(srclib/apr) and
APR\-UTIL
(srclib/apr\-util), and then build
\fBhttpd\fR
using the
\fB\-\-with\-apr\fR
and
\fB\-\-with\-apr\-util\fR
flags\&. This may be helpful to know if you run into problems\&. Also, if you encounter problems building
\fBdacsversion\fR, it may be necessary for you to go back and build
APR
with the
\fB\-\-disable\-lfs\fR
flag to disable large file support on your platform\&. When you build
\fBDACS\fR
in an upcoming step, you will probably need to use the
\fB\-\-with\-apache\fR
and
\fB\-\-with\-apache\-apr\fR
flags (see
\m[blue]\fBThird\-party support options\fR\m[]\&\s-2\u[26]\d\s+2)\&. If you are going to use the
\fB\-\-with\-berkeley\-db\fR
flag when building
APR\-UTIL
(e\&.g\&.,
\fB\-\-with\-berkeley\-db=/usr/local/BerkeleyDB\&.5\&.1\fR), you may want to temporarily skip ahead to
\m[blue]\fBbuild Berkeley DB\fR\m[]\&\s-2\u[27]\d\s+2
before returning here to continue your
\fBApache\fR
build\&. (Note: it appears that
apr\-util2\&.2\&.23
will not work with versions of
Berkeley DB
newer than
5\&.1; refer to documentation for its
\fB\-\-with\-dbm\fR
flag)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
\fBApache\fR2\&.2
after unpacking it:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd httpd\-2\&.2\&.23
% cd srclib/apr
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.2\&.23/apr\-httpd \-\-disable\-lfs CFLAGS=\-fPIC
% make install
% cd \&.\&./apr\-util
# See notes below for adding LDFLAGS
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.2\&.23/apr\-util\-httpd
\-\-with\-apr=/usr/local/apache2\-2\&.2\&.23/apr\-httpd
\-\-with\-expat=/usr/local/expat\-2\&.0\&.1
\-\-with\-dbm=db51
% make install
% cd \&.\&./\&.\&.
# See notes below for adding LDFLAGS
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.2\&.23 \-\-enable\-ssl
\-\-with\-ssl=/usr/local/openssl\-1\&.0\&.1e
\-\-with\-apr=/usr/local/apache2\-2\&.2\&.23/apr\-httpd
\-\-with\-apr\-util=/usr/local/apache2\-2\&.2\&.23/apr\-util\-httpd
LDFLAGS="\-rpath /usr/local/db\-5\&.1\&.29/lib \-rpath /usr/local/openssl\-1\&.0\&.1e/lib"
% make install
.fi
.if n \{\
.RE
.\}
.sp
This builds a very basic server; you can enable other options if you want\&.
.sp
Because we deal with multiple versions of third\-party packages, each release is installed separately, hence the version numbers in the pathnames\&.
.sp
Your mileage may vary, but when doing the top level
\fBApache\fR
configuration above on
FreeBSD
it was necessary to add "\-rpath /usr/local/db\-5\&.1\&.29/lib \-rpath /usr/local/openssl\-1\&.0\&.1e/lib" to
\fILDFLAGS\fR
so that Apache commands could find shared libraries at run time\&.
.sp
On
Linux, it was necessary to add "\-Wl,\-rpath /usr/local/db\-5\&.1\&.29/lib \-Wl,\-rpath /usr/local/openssl\-1\&.0\&.1e/lib" to
\fILDFLAGS\fR
when building
apr\-util
and at the top level\&.
.sp
Alternatively, on either platform the
\fBldconfig\fR
command or
\fBLD_LIBRARY_PATH\fR
might be used\&.
.sp
It appears that the
\fILDFLAGS\fR
above should be omitted on
Mac OS X\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In some configurations an "undefined ssl_hook_Fixup symbol" error or "Cannot load modules/mod_ssl\&.so into server" error is produced by
\fBhttpd\fR
when it starts up\&. This was also seen in earlier releases of
\fBApache\fR\&. These errors can be due to an apparent bug in the
\fBApache\fR
build procedure that results in the
\fBmod_ssl\fR
module not knowing where
libssl\&.so
and
libcrypto\&.so
are, even though the correct path was specified at Apache build time through the
\fB\-\-with\-ssl\fR
flag to
\fBconfigure\fR\&.
.sp
One solution is to make
\fBmod_ssl\fR
a built\-in module instead of a dynamically loaded module\&. Build
\fBApache\fR
using something similar to this (using the
\fB\-\-enable\-ssl=static\fR
flag is the important change):
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/apache2\-2\&.4\&.3 \-\-with\-ssl=/usr/local/openssl\-1\&.0\&.1e \-\-enable\-ssl=static
.fi
.if n \{\
.RE
.\}
.sp
Then do a "\fBmake install\fR"\&. Note that you will need to comment out the
httpd\&.conf
directive that loads
\fBmod_ssl\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
# LoadModule ssl_module modules/mod_ssl\&.so
.fi
.if n \{\
.RE
.\}
.sp
Now, from the
\fBApache\fR
installation directory, try:
.sp
.if n \{\
.RS 4
.\}
.nf
% bin/httpd \-l
.fi
.if n \{\
.RE
.\}
.sp
If
\fBhttpd\fR
cannot find your
\fBOpenSSL\fR
libraries, you will see an error message like this:
.sp
.if n \{\
.RS 4
.\}
.nf
error while loading shared libraries: libssl\&.so\&.1\&.0\&.0: cannot open shared object file: No such file or directory
.fi
.if n \{\
.RE
.\}
.sp
Tell the linker where the
\fBOpenSSL\fR
libraries are by setting the
\fBLD_LIBRARY_PATH\fR
environment variable for
\fBhttpd\fR; for example:
.sp
.if n \{\
.RS 4
.\}
.nf
% sh \-c "export LD_LIBRARY_PATH=/usr/local/openssl\-1\&.0\&.1e/lib; bin/httpd \-M"
.fi
.if n \{\
.RE
.\}
.sp
You may also be able to resolve the problem using the
\fBldconfig\fR
command, but we don\*(Aqt know if that could possibly break other programs that expect a different version of the
\fBOpenSSL\fR
library\&. You will need to always set
\fBLD_LIBRARY_PATH\fR
before running
\fBhttpd\fR, maybe using an alias or script\&. If you use
\fBapachectl\fR
to manage
\fBApache\fR, you could simply have it set
\fBLD_LIBRARY_PATH\fR
(also see the
\fBApache\fR\fBenvvars\fR
script, which is sourced by
\fBapachectl\fR)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
One difference to be aware of between the
\fBApache\fR2\&.0
branch and subsequent branches is that the default
\fBApache\fR
configuration of the newer branches may deny all access by default; some
\fBDACS\fR
files should be publicly accessible, however, so you may need to explicitly allow this\&. For example, in
httpd\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
Satisfy Any
Allow from all
Options Indexes FollowSymLinks
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBApache\fR1\&.3
is
\fInot\fR
supported; please consult the
\m[blue]\fBFAQ\fR\m[]\&\s-2\u[28]\d\s+2\&.
\fBDACS\fR
has not been tested with
\fBApache\fR2\&.3
or
2\&.4\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
We do not support using
\fBmod_auth_dacs\fR
with a non\-source install of
\fBApache\fR; we have received feedback that it can be done manually without much effort, however\&. In this case, we believe that the install may go more smoothly if you use the configure flag
\fB\-\-disable\-shared\fR\&.
.RE
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
Check that
\fBApache\fR
is working properly and that it is actually using the version of
\fBOpenSSL\fR
that you are expecting\&. It is important to confirm that your server is working correctly with your web resources
\fIbefore\fR\fBDACS\fR
gets involved \- doing so can save you time and frustration\&.
.sp
You can see your
\fBhttpd\*(Aqs\fRServer
response\-header by connecting to your server (e\&.g\&., using
\fBtelnet\fR) and engaging in an interaction with it similar to the following (note the last line of output):
.sp
.if n \{\
.RS 4
.\}
.nf
% telnet localhost 80
Trying 127\&.0\&.0\&.1\&.\&.\&.
Connected to localhost
Escape character is \*(Aq^]\*(Aq\&.
GET / HTTP/1\&.0
HTTP/1\&.1 200 OK
Date: Tue, 30 Aug 2011 21:27:17 GMT
Server: Apache/2\&.2\&.23 (Unix) mod_auth_dacs/1\&.4\&.27(Release date 17\-Oct\-2012 00:00:01) mod_ssl/2\&.2\&.23 OpenSSL/1\&.0\&.1c
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
A few third\-party packages are
\fIoptional\fR
and whether you need them depends on which optional features of
\fBDACS\fR
you require\&. These packages must be built before
\fBDACS\fR
can be configured and built\&. If you decide you want to add or remove optional capabilities after building
\fBDACS\fR, it is easy to do so later\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If you are new to
\fBDACS\fR, it may be a good idea to first build it without any optional packages\&. After you have gotten the basic system working to your satisfaction, rebuild
\fBDACS\fR
with the optional components you need\&. Or, if you are not sure at this time which optional packages you need, return to this step later\&.
.sp .5v
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Berkeley DB,
gdbm,
ndbm DB
(dbm\-type databases)
.sp
If you want to be able to store
\fBDACS\fR
configuration information in a database or need to access files managed by
\fBApache\*(Aqs\fR\fBmod_auth_dbm\fR, you may use
\m[blue]\fBBerkeley DB\fR\m[]\&\s-2\u[29]\d\s+2
from
\m[blue]\fBOracle Corporation\fR\m[]\&\s-2\u[30]\d\s+2
(Sleepy Cat Software was acquired by Oracle in February, 2006)\&. A suitable version may already be installed on your system\&. Version
db\-5\&.3\&.21
is being used for testing, but somewhat older or newer versions should be fine\&. See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-bdb\fR\m[]\&\s-2\u[31]\d\s+2,
\m[blue]\fB\-\-disable\-bdb\fR\m[]\&\s-2\u[32]\d\s+2, and
\m[blue]\fB\-\-with\-bdb\fR\m[]\&\s-2\u[33]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
You may find that you must sign on to the Oracle site before it allows you to download Berkeley DB\&. You may be able to avoid this by using a URL such as
http://download\&.oracle\&.com/berkeley\-db/db\-5\&.3\&.21\&.tar\&.gz, or you may be able to obtain BDB elsewhere (such as at
linux\&.softpedia\&.com,
pkgs\&.fedoraproject\&.org, or
fossies\&.org)\&. Consider validating the downloaded file using a checksum published on a different site, however\&.
.sp .5v
.RE
The default is to use
Berkeley DB
if it is available, but if you do not want to use
Berkeley DB
you can disable it (\m[blue]\fB\-\-disable\-bdb\fR\m[]\&\s-2\u[32]\d\s+2) and get similar functionality from the
NDBM
library, or from
GNU GDBM
(version
1\&.8\&.3,
1\&.9\&.1, or
1\&.10) in its
NDBM
compatibility mode\&. These libraries may already be installed on your system\&. Get
GDBM
from
\m[blue]\fBftp://ftp\&.gnu\&.org/gnu/gdbm\fR\m[]\&\s-2\u[34]\d\s+2\&. See the
\m[blue]\fB\-\-enable\-ndbm\fR\m[]\&\s-2\u[35]\d\s+2
and
\m[blue]\fB\-\-enable\-gdbm\fR\m[]\&\s-2\u[36]\d\s+2
configure flags\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
It may be necessary to create (or update) links to the
Berkeley DB
installation directory to avoid problems when building other packages\&. For example, if you install it in
/usr/local/bdb\-5\&.3\&.21:
.sp
.if n \{\
.RS 4
.\}
.nf
% ln \-sf /usr/local/bdb\-5\&.3\&.21 /usr/local/BerkeleyDB\&.5\&.3
% ln \-sf /usr/local/bdb\-5\&.3\&.21 /usr/local/db53
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
Berkeley DB
for
\fBDACS\fR
after unpacking it:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd build_unix
% \&.\&./dist/configure \-\-prefix=/usr/local/bdb\-5\&.3\&.21
% make
(All should go well\&.)
% make install
(All should go well here, too\&.)
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You cannot use both
\fB\-\-enable\-ndbm\fR\fIand\fR\fB\-\-enable\-gdbm\fR, but you can use either one along with
\fB\-\-enable\-bdb\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
GNU GDBM1\&.9\&.1
and newer may not interoperate correctly with databases created by older versions of
GNU GDBM; consult its source code and documentation for details\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
A deficiency in configuration processing is that the locations of the
GNU GDBM
and
NDBM
libraries cannot be specified; the standard configuration search path is used\&. A future version should provide
\fB\-\-with\-gdbm\fR
and
\fB\-\-with\-ndbm\fR
flags\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The
NDBM\-workalike,
\m[blue]\fBsdbm\fR\m[]\&\s-2\u[37]\d\s+2, is not currently supported\&. It may be added to a future release, however, particularly if it is requested\&.
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
SQLite
.sp
The
\m[blue]\fBSQLite\fR\m[]\&\s-2\u[38]\d\s+2
database, which can be used together with the
\m[blue]\fBdbm\-type databases\fR\m[]\&\s-2\u[27]\d\s+2, is another option for storing
\fBDACS\fR
configuration information\&. Version
3\&.7\&.14\&.1
is being used for testing (we use the "autoconf" tarball)\&. See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-sqlite\fR\m[]\&\s-2\u[39]\d\s+2,
\m[blue]\fB\-\-disable\-sqlite\fR\m[]\&\s-2\u[40]\d\s+2, and
\m[blue]\fB\-\-with\-sqlite\fR\m[]\&\s-2\u[41]\d\s+2\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
SQlite:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/sqlite\-3\&.7\&.14\&.1
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
\fBSamba\fR
.sp
If you want to be able to authenticate against
Microsoft NTLM
(see
\m[blue]\fBlocal_ntlm_authenticate\fR\m[]\&\s-2\u[42]\d\s+2), you must obtain
\m[blue]\fBSamba\fR\m[]\&\s-2\u[43]\d\s+2\&. This release of
\fBDACS\fR
has been tested with
samba\-3\&.6\&.12, and we strongly recommend that you use that version\&. It is not known whether this release of
\fBDACS\fR
will work with any other version of
\fBSamba\fR
\- we do not officially support them\&.
.sp
\fBDACS\fR
NTLM authentication has been tested against
Windows Server 2012\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
\fBDACS\fR
requires the
\fBSamba\fR
source distribution to be
\fIbuilt\fR
but it does not matter if
\fBSamba\fR
is
\fIinstalled\fR\&. The
\fBDACS\fR
build procedure looks for include files and libraries relative to the
\fBSamba\fR
distribution\*(Aqs root directory\&.
.sp .5v
.RE
To build
\fBSamba\fR
for
\fBDACS\fR, from your
\fBSamba\fR
distribution\*(Aqs
\&./source3
directory do:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-enable\-static=yes \-\-with\-ads=no \-\-with\-ldap=no \-\-disable\-swat \-\-disable\-cups \-\-disable\-pie \e
\-\-enable\-external\-libtalloc=no \-\-enable\-external\-libtdb=no
% make
.fi
.if n \{\
.RE
.\}
.sp
Then, when configuring
\fBDACS\fR, specify the directory where
\fBSamba\fR
was unpacked, for example:
.sp
.if n \{\
.RS 4
.\}
.nf
\-\-with\-samba=/local/src/samba\-3\&.6\&.12
.fi
.if n \{\
.RE
.\}
.sp
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-ntlm\-auth\fR\m[]\&\s-2\u[44]\d\s+2
and
\m[blue]\fB\-\-with\-samba\fR\m[]\&\s-2\u[45]\d\s+2\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
libxml2
and
xmlsec1
.sp
If you need InfoCard support (see
\m[blue]\fBlocal_infocard_authenticate\fR\m[]\&\s-2\u[46]\d\s+2),
\m[blue]\fBlibxml2\fR\m[]\&\s-2\u[47]\d\s+2
and
\m[blue]\fBxmlsec1\fR\m[]\&\s-2\u[21]\d\s+2
are required\&. Build
libxml2
and
\fBOpenSSL\fR
first, because
\m[blue]\fBxmlsec1\fR\m[]\&\s-2\u[21]\d\s+2
depends on both of them\&. This release of
\fBDACS\fR
has been tested with
libxml2\-2\&.9\&.0
and
xmlsec1\-1\&.2\&.18, and we strongly recommend that you use those versions\&. It is not known whether this release of
\fBDACS\fR
will work with any other versions \- we do not officially support them\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
libxml2:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/libxml2\-2\&.9\&.0
.fi
.if n \{\
.RE
.\}
.sp
Due to an apparent bug in the code (in
threads\&.c) that results in a syntax error, it was necessary to add
\fB\-\-with\-threads=no\fR
on some platforms, such as
Mac OS X\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Here is how we built
xmlsec1:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/xmlsec1\-1\&.2\&.18
\-\-with\-libxml=/usr/local/libxml2\-2\&.9\&.0
\-\-with\-openssl=/usr/local/openssl\-1\&.0\&.1e \-\-with\-gnu\-ld
\-\-enable\-static\-linking \-\-disable\-crypto\-dl \-\-disable\-apps\-crypto\-dl
.fi
.if n \{\
.RE
.\}
.sp
Except on
Mac OS X:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-prefix=/usr/local/xmlsec1\-1\&.2\&.18 \e
\-\-with\-libxml=/usr/local/libxml2\-2\&.9\&.0 \-\-with\-gnu\-ld \-\-enable\-static=yes \e
\-\-enable\-shared=yes \-\-with\-nss=/Applications/Firefox\&.app/Contents/MacOS \e
\-\-with\-nspr=/Applications/Firefox\&.app/Contents/MacOS \e
\-\-with\-openssl=/usr/local/openssl\-1\&.0\&.1e \e
\-\-disable\-crypto\-dl
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Due to an apparent error in its build procedure, we sometimes encountered the following error message:
.sp
.if n \{\
.RS 4
.\}
.nf
*** Warning: Linking the shared library libxmlsec1\-openssl\&.la against the
*** static library /local/openssl\-1\&.0\&.1e/lib/libcrypto\&.a is not portable!
.fi
.if n \{\
.RE
.\}
.sp
After ensuring that
libcrypto\&.so
(or
libcrypto\&.dylib) had been installed when building
\fBOpenSSL\fR, to correct the
xmlsec1
build problem we did "\fBmake clean\fR", re\-ran
\fBconfigure\fR
as above, and edited
src/openssl/Makefile
under the root of the
xmlsec1
distribution directory to change all occurrences of "libcrypto\&.a" to "libcrypto\&.so"\&. It was sometimes also necessary to delete the
\-ldl
flag on those same lines, and in other
Makefile
files in the distribution (and making sure the flag was not specified by
xmlsec1\-config)\&. After those changes, we ran
\fBmake\fR
again\&. Additionally, it was sometimes necessary to specify
CFLAGS="\-I/usr/local/include \-L/usr/local/lib"\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Another problem related to this library on a
CentOS
platform resulted in an error message similar to this:
.sp
.if n \{\
.RS 4
.\}
.nf
Cannot restore segment prot after reloc: Permission denied
.fi
.if n \{\
.RE
.\}
.sp
The solution was to issue the command (adjust the path as necessary):
.sp
.if n \{\
.RS 4
.\}
.nf
% chcon \-t texrel_shlib_t /usr/local/xmlsec1\-1\&.2\&.18/lib/libxmlsec1\-openssl\&.so
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When including InfoCard support on
Mac OS X, it was necessary to tell the dynamic linker where to find the
xmlsec1
library (despite using the
\fB\-rpath\fR
flag during the build)\&. To work around this, do something like the following (or equivalent):
.sp
.if n \{\
.RS 4
.\}
.nf
% setenv DYLD_LIBRARY_PATH /usr/local/xmlsec1\-1\&.2\&.18/lib
.fi
.if n \{\
.RE
.\}
.sp
Ensure that "\fBgmake test\fR" does not fail\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Due to an apparent bug in
configure\&.in, on
FreeBSD\fBconfigure\fR
may incorrectly use the
\fB\-ldl\fR
flag in generated
Makefiles\&. Either edit all
Makefiles
to remove all occurrences of the
\fB\-ldl\fR
flag, or edit
configure\&.in, add a "*\-*\-freebsd*" case like the others in the "OpenSSL" section, run
\fBautoconf\fR
to regenerate
\fBconfigure\fR, and then "\fBmake clean\fR" and re\-run
\fBconfigure\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Your experience may differ, but we found
xmlsec1
to not cooperate when we wanted to work with multiple installations of
libxml2
\- apparently if a
libxml2
directory or link has been installed, its build procedure seems to use that version, regardless of what is specified on the command line, requiring manual editing of its
Makefiles\&. Check that the correct instance of
\fBxml2\-config\fR
is being used\&.
.RE
.sp .5v
.RE
The
\fBDACS\fR
build procedure uses
\fBxmlsec1\-config\fR, a program that comes with
xmlsec1\&. If InfoCard support is enabled, the build procedure will look in some standard places for this command\&. You can specify its location with the
\m[blue]\fB\-\-with\-xmlsec1\-config\fR\m[]\&\s-2\u[48]\d\s+2
flag\&.
.sp
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-infocard\-auth\fR\m[]\&\s-2\u[49]\d\s+2
and
\m[blue]\fB\-\-with\-xmlsec1\-config\fR\m[]\&\s-2\u[48]\d\s+2
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
\fBOpenLDAP\fR
.sp
Authentication through
LDAP
or
Microsoft Active Directory
(see
\m[blue]\fBlocal_ldap_authenticate\fR\m[]\&\s-2\u[50]\d\s+2) is implemented using
\m[blue]\fBOpenLDAP\fR\m[]\&\s-2\u[51]\d\s+2\&. This release of
\fBDACS\fR
has been tested only with
openldap\-2\&.4\&.33
and we strongly recommend that you use that version\&.
.sp
It is not known whether this release of
\fBDACS\fR
will work with any other version of
\fBOpenLDAP\fR
\- we do not support them\&.
\fBDACS\fR
may work properly with
\fBOpenLDAP\fR
versions at least as old as
2\&.2\&.24, if you really must use one of them\&.
.sp
\fBDACS\fR
has been tested against
Windows 2000 Server SP4\&.
.sp
If the
\fB\-\-with\-ldap\fR
flag is
\fInot\fR
given (in which case LDAP authentication must be enabled; e\&.g\&., via
\fB\-\-enable\-ldap\-auth\fR),
\fBconfigure\fR
will search for
\fBOpenLDAP\fR
headers and libraries; if found, it will assume they are a suitable version and use them\&.
.sp
If
\fB\-\-with\-ldap\fR
is given (either because
\fBOpenLDAP\fR
is not installed or an unsuitable version is installed), headers and libraries relative to the root of the specified directory will be used rather than any installed
\fBOpenLDAP\fR
files; it is not necessary to
\fIinstall\fR\fBOpenLDAP\fR, you only need to
\fIbuild\fR
it \- so you do not need to be concerned about hassles associated with upgrading or any other versions that might already be installed on your system\&.
.sp
To build
\fBOpenLDAP\fR
for
\fBDACS\fR, from the root of your
\fBOpenLDAP\fR
distribution do:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure \-\-disable\-slapd \-\-enable\-static
% make
.fi
.if n \{\
.RE
.\}
.sp
If so instructed, do a "\fBmake depend\fR" before the
\fBmake\fR\&.
.sp
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-enable\-ldap\-auth\fR\m[]\&\s-2\u[52]\d\s+2
and
\m[blue]\fB\-\-with\-ldap\fR\m[]\&\s-2\u[53]\d\s+2
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 6." 4.2
.\}
Readline
.sp
The history and editing functionality provided by the
\m[blue]\fBGNU Readline Library\fR\m[]\&\s-2\u[54]\d\s+2
can be nice to have when using
\m[blue]\fBdacsexpr(1)\fR\m[]\&\s-2\u[55]\d\s+2
interactively\&. This release of
\fBDACS\fR
has been tested with version 6\&.2, although we have used
readline\-6\&.0
and
readline\-6\&.1
with recent releases of
\fBDACS\fR\&. Note that you may need to compile
Readline
with the
\fB\-fPIC\fR
flag ("\fBmake CFLAGS=\-fPIC\fR")\&.
.sp
It is not necessary for you to
\fIinstall\fRreadline, you only need to
\fIbuild\fR
it \- so you do not need to be concerned about hassles associated with upgrading or any other versions that might already be installed on your system\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
When building on
Mac OS X, it was necessary to fix a bug by editing
shlib/Makefile
and making this change:
.sp
.if n \{\
.RS 4
.\}
.nf
#SHOBJ_LDFLAGS = \-dynamic
SHOBJ_LDFLAGS = \-dynamiclib
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
See the
\fBDACS\fR
configure arguments:
\m[blue]\fB\-\-with\-readline\fR\m[]\&\s-2\u[56]\d\s+2
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
Configure and build
\fBDACS\fR
libraries, services, commands, and utilities
.sp
See
\m[blue]\fBBuild Options\fR\m[]\&\s-2\u[57]\d\s+2
for build alternatives and options to
\fBconfigure\fR\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% cd src
% \&./configure
% gmake
.fi
.if n \{\
.RE
.\}
.sp
To confirm that
\fBDACS\fR
has been built with the third\-party packages that you intended, from the run:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./version \-v
.fi
.if n \{\
.RE
.\}
.sp
You should ensure that the
\fBsslclient\fR
utility is working correctly\&. From the
src
directory, you can test it using the following command:
.sp
.if n \{\
.RS 4
.\}
.nf
% perl \-e \*(Aqprintf "GET / HTTP/1\&.0\en\en";\*(Aq | \&./sslclient dacs\&.dss\&.ca:443
.fi
.if n \{\
.RE
.\}
.sp
which should print the contents of
\m[blue]\fBhttps://dacs\&.dss\&.ca\fR\m[]
to the standard output\&. You should repeat this test substituting the name of your server and port\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
After building
\fBDACS\fR, it is strongly recommended that you run the self\-tests (expression evaluation, crypto code, string handling, and so on) from the
src
directory:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake test
.fi
.if n \{\
.RE
.\}
.sp
If any error occurs during testing, testing will stop immediately and a message will be displayed\&. In this event, first check that you are using the recommended software packages and that your build flags are correct\&. Most often, problems are the result of mixing header files or library files from different versions of a third\-party package (e\&.g\&.,
\fBOpenSSL\fR) or incorrect file permissions\&. If you cannot find anything wrong with your configuration, please submit a bug report that includes the self test output and describes your platform (you can include the output of "\&./version \-v")\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 6." 4.2
.\}
If all looks good, install
\fBDACS\fR
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNotes\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If
\fBgmake\fR
complains about not being able to find
\fBxsltproc\fR,
docbook\&.xsl, or something that might be related to installing the documentation, try:
.sp
.if n \{\
.RS 4
.\}
.nf
% (cd \&.\&./man; gmake touch)
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
This will install the rules for the standard
\fBDACS\fR
web services and run
\m[blue]\fBdacsacl(1)\fR\m[]\&\s-2\u[58]\d\s+2
to create and install an index for them\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You can specify
\m[blue]\fBDESTDIR\fR\m[]\&\s-2\u[59]\d\s+2
to
\fBgmake\fR
when installing or uninstalling:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake DESTDIR=/tmp/mydacs install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp .5v
.RE
The installation process may prompt you for the owner name and group name to use for files and directories; it will guess at reasonable defaults for your platform\&. The appropriate responses will depend on local conventions, but to start with you might set the owner to your login name or
root, and the group name to the same name that is used by
\fBApache\fR
(specified by the
\m[blue]\fBGroup\fR\m[]\&\s-2\u[60]\d\s+2
directive in
httpd\&.conf)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
While running "\fBgmake install\fR", important instructions regarding manual installation steps may be displayed\&. A copy is written to
\&.build_notes, truncating any previous contents\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 7." 4.2
.\}
As part of the installation procedure, the
\fBDACS\fR
manual pages are copied into the
\fBDACS\fRman
directory (default:
/usr/local/dacs/man)\&. If you adjust your
\fBMANPATH\fR
environment variable to include that directory, try:
.sp
.if n \{\
.RS 4
.\}
.nf
% man dacs
.fi
.if n \{\
.RE
.\}
.sp
While it is occasionally handy to view the manual pages using the
\fBman\fR
command, the HTML documentation is far superior\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 8.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 8." 4.2
.\}
Build a
\fBDACS\fR\-enabled
\fBhttpd\fR
.sp
Please consult
apache/README
in the
\fBDACS\fR
distribution for details and, from the
apache
directory, do:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake help
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
You can build the
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[7]\d\s+2
with a module identification string (a "version tag") with varying amounts of detail, or without a tag\&. For a full\-length tag, use "\fBgmake tag\fR", for a simple tag use "\fBgmake smalltag\fR", or to disable the tag use "\fBgmake notag\fR" or "\fBgmake module\fR"\&. We suggest that you compile
\fBmod_auth_dacs\fR
with a tag so that
\fBApache\*(Aqs\fR\fBSERVER_SIGNATURE\fR
and
Server
response header field can include
\fBDACS\fR
version identification; this makes it easy to tell which version of
\fBDACS\fR
the server is running and helps to detect mismatches\&. If
\fBmod_auth_dacs\fR
is compiled with debugging enabled or if the
\m[blue]\fBSetDACSAuthDebug\fR\m[]\&\s-2\u[61]\d\s+2
directive enables debugging, additional version information is added to the tag\&. For production use, identifying the modules in your
\fBApache\fR
server is considered by some to be a potential security weakness \- you may reasonably choose not to include the version tag\&. For some versions of
\fBApache\fR, module identification can be suppressed at runtime through its
\m[blue]\fBServerTokens\fR\m[]\&\s-2\u[62]\d\s+2
directive\&.
.sp .5v
.RE
If you want
\m[blue]\fBmod_auth_dacs\fR\m[]\&\s-2\u[7]\d\s+2
to be a dynamic module, which is recommended, do:
.sp
.if n \{\
.RS 4
.\}
.nf
% cd apache
% gmake tag
% gmake install
.fi
.if n \{\
.RE
.\}
.sp
Check that your
httpd\&.conf
has the appropriate
LoadModule
directive\&.
.sp
If you want
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[7]\d\s+2
to be a static module:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Copy
apache/mod_auth_dacs\&.c
to
\fBApache\*(Aqs\fRmodules/aaa
directory
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
Re\-run
\fBApache\fR\*(Aqs configure, adding
\fBmod_auth_dacs\fR
(\fB\-\-with\-module=aaa:auth_dacs\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
Reinstall
\fBApache\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
% make install
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
Verify that
\fBmod_auth_dacs\fR
appears in the list of
\fBApache\fR
modules:
.sp
.if n \{\
.RS 4
.\}
.nf
% httpd \-l
.fi
.if n \{\
.RE
.\}
.sp
.RE
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
Because
\m[blue]\fBmod_auth_dacs\fR\m[]\&\s-2\u[7]\d\s+2
references symbols in
\fBmod_ssl\fR, apparently those symbols must be loaded
\fIbefore\fR\fBmod_auth_dacs\fR
is loaded\&. This can be ensured by statically compiling
\fBmod_ssl\fR
into
\fBhttpd\fR
(configure
\fBhttpd\fR
with
\fB\-\-enable\-ssl\fR
and verify with "\fBhttpd \-l\fR") and using the following directive in
httpd\&.conf
to dynamically load the
\fBmod_auth_dacs\fR
module:
.sp
.if n \{\
.RS 4
.\}
.nf
LoadModule auth_dacs_module modules/mod_auth_dacs\&.so
.fi
.if n \{\
.RE
.\}
.sp
Alternatively, it may be sufficient to dynamically load
\fBmod_ssl\fR\fIbefore\fR\fBmod_auth_dacs\fR\&.
.sp
If
\fBmod_ssl\fR
symbols are unavailable when they are needed, you\*(Aqll probably see a message like the following when you try to start
\fBhttpd\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
mod_auth_dacs\&.so: undefined symbol: ssl_hook_Fixup
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
After you\*(Aqve installed
\fBmod_auth_dacs\fR, restart
\fBhttpd\fR\&.
.sp
If you built the module with a tag, verify that the
\fBDACS\fR
version identifier appears in
\fBSERVER_SIGNATURE\fR\&. You can do this by hitting
\fBApache\*(Aqs\fR\fBprintenv\fR
CGI program from your browser or using a command like:
.sp
.if n \{\
.RS 4
.\}
.nf
% http "http://\fImyserver\fR:\fImyserverport\fR/cgi\-bin/printenv"
.fi
.if n \{\
.RE
.\}
.sp
(first making sure that
\fBApache\*(Aqs\fR\fBprintenv\fR
CGI is executable) and examining the
\fBSERVER_SIGNATURE\fR
environment variable, or by running:
.sp
.if n \{\
.RS 4
.\}
.nf
% telnet \fImyserver\fR \fImyserverport\fR
.fi
.if n \{\
.RE
.\}
.sp
and typing:
.sp
.if n \{\
.RS 4
.\}
.nf
OPTIONS * HTTP/1\&.0
.fi
.if n \{\
.RE
.\}
.sp
followed by a blank line and examining the
Server
response header\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The URLs that follow will use
http
and omit
\fImyserverport\fR\&. Substitute
https
and/or include
\fImyserverport\fR
as necessary for your configuration\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you install a new version of
\fBDACS\fR, please make sure that you use the
\fBmod_auth_dacs\fR
module that comes with it\&. Follow the instructions above\&.
.RE
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 9.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 9." 4.2
.\}
An assortment of
\fBDACS\fR
files, including HTML documentation and CSS files, are copied into the
\fBDACS\fRwww
directory (default:
/usr/local/dacs/www)\&.
.sp
While you can view the documentation simply by pointing your web browser at the
\fBDACS\fRwww
directory, it is recommended that you make it available through
\fBApache\fR
using its
\m[blue]\fBAlias\fR\m[]\&\s-2\u[63]\d\s+2
directive because the default site configuration (site\&.conf\-std) expects handlers and DTDs to be available using certain URLs\&.
.sp
Add lines like the following to your
httpd\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
Alias /dacs "/usr/local/dacs/www/"
Alias /css "/usr/local/dacs/www/css/"
Alias /dtd\-xsd "/usr/local/dacs/www/dtd\-xsd/"
Alias /examples "/usr/local/dacs/www/examples/"
Alias /handlers "/usr/local/dacs/www/handlers/"
Alias /infocards "/usr/local/dacs/www/infocards/"
Alias /man "/usr/local/dacs/www/man/"
Alias /misc "/usr/local/dacs/www/misc/"
Alias /mod "/usr/local/dacs/www/mod/"
.fi
.if n \{\
.RE
.\}
.sp
To see the
\fBDACS\fR
DTD files from your browser, you can also add:
.sp
.if n \{\
.RS 4
.\}
.nf
AddType text/plain \&.dtd
.fi
.if n \{\
.RE
.\}
.sp
These
\&.dtd
files are only used to document XML structures and messages used by
\fBDACS\fR
and are cited in the documentation\&.
.sp
You should also uncomment these two directives in your
site\&.conf
file:
.sp
.if n \{\
.RS 4
.\}
.nf
XSD_BASE_URL "/dacs/dtd\-xsd"
DTD_BASE_URL "/dacs/dtd\-xsd"
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
After restarting
\fBhttpd\fR, you can view the documentation using a URL that looks like
http://\fImyserver\fR/dacs/man
or simply
http://\fImyserver\fR/man\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04'10.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "10." 4.2
.\}
Access to all
\fBDACS\fR
web services (everything installed in the
\&.\&.\&./cgi\-bin/dacs
directory)
\fImust\fR
be controlled by
\fBDACS\fR; that is, they must be "\fBDACS\fR\-wrapped"\&. Assuming you are following the defaults for installing
\fBDACS\fR, these are the only files that are required to be
\fBDACS\fR\-wrapped\&.
.sp
\fBDACS\fR\-wrapping a resource or set of related resources involves:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Configuring
\fBApache\fR
so that it uses
\fBDACS\fR
to manage access to the contents of a directory or portion of URL space and
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Configuring one or more
\fBDACS\fR
access control rules for the jurisdiction responsible for the resources (this is done for the
\fBDACS\fR
web services by the default ACLs)\&.
.RE
.sp
Configuring
\fBApache\fR
involves, at minimum, adding directives like the following to the appropriate
VirtualHost
section of
httpd\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
AddDACSAuth dacs\-acs /usr/local/dacs/bin/dacs_acs "\-t \-v"
SetDACSAuthMethod dacs\-acs external
SetDACSAuthConf dacs\-acs "/usr/local/dacs/dacs\&.conf"
AuthType DACS
AuthDACS dacs\-acs
Require valid\-user
# Note: For Apache 2\&.4, instead use:
# Require dacs\-authz
Options ExecCGI
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
Remember to restart
\fBApache\fR
after making changes to
httpd\&.conf\&.
.sp .5v
.RE
Some administrators may choose to make
\fIall\fR
content or
\fIall\fR
CGIs
\fBDACS\fR\-wrapped\&. That is probably a more secure approach, although of course it can be somewhat less efficient than segmenting the server\*(Aqs URL space into "secure" and "insecure" areas\&. Content that is not
\fBDACS\fR\-wrapped is totally oblivious to
\fBDACS\fR
and incurs no overhead due to
\fBDACS\fR\&. Also, this approach may necessitate making "holes" in the URL space for non\-access controlled resources, which must be done with care\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If you decide to
\fBDACS\fR\-wrap everything, you will likely want to add rules to grant access to various public resources, such as CSS files,
robots\&.txt,
favicon\&.ico, and various public
\fBDACS\fR
resources, such as its
man,
dtd\-xsd, etc\&. directories (see the instructions for the
Alias
directive above)\&. The default ACL
acl\-stddocs\&.0
does this for some resources, but you may need to extend the list to grant access to additional public resources\&.
.sp .5v
.RE
.RE
.SS "Initial Configuration"
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
.PP
At this point, reviewing
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[5]\d\s+2
is strongly recommended\&. It provides a detailed example of what needs to be done to make your
\fBDACS\fR
operational and how to do some basic testing\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
.PP
The interactive
\fBdacsinit\fR
utility can perform the steps described below quickly\&. You will find
\fBdacsinit\fR
in the distribution\*(Aqs
src
directory\&. It can be run anytime after
\fBDACS\fR
has been built and installed\&. It produces a directory structure for the federation, copies the distribution\*(Aqs site configuration file, creates a minimal
dacs\&.conf
for the federation and one jurisdiction, makes federation and jurisdiction encryption keys, and generates metadata for the jurisdiction\&. The resulting configuration can be used immediately by
\fBDACS\fR
commands and by
\fBDACS\fR
web services after
\fBApache\fR
has been configured for
\fBDACS\fR\&.
.PP
Passing the
\fB\-d\fR
flag to
\fBdacsinit\fR
causes it to append a string to certain paths and filenames so that, for debugging or test purposes, it is unlikely to overwrite any "real" configuration files\&. Passing it the
\fB\-n\fR
flag causes it to display what it would do without performing any of the actions\&.
.sp .5v
.RE
.PP
Having installed
\fBDACS\fR, the next major step is to do some initial configuration of your federation and jurisdiction(s)\&. At each jurisdiction in your federation you will need to do the following:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Install the default site configuration file\&. The distribution comes with a default site configuration file found in the distribution\*(Aqs
conf/site\&.conf\-std
file\&. The installation procedure copies this file into the
\fBDACS\fRfederations
directory\&. After making a backup copy of any
federations/site\&.conf
file that is already there, copy
federations/site\&.conf\-std
to
federations/site\&.conf, applying any customizations you require (customizations are usually done in
dacs\&.conf
though, so that you can simply copy on top of the previous
site\&.conf)\&. Note that
conf/site\&.conf\-std
may well change in a new release and you should use the latest version\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
As part of the installation procedure, a default set of access control rules is copied into the
\fBDACS\fRacls
directory (default:
/usr/local/dacs/acls)\&. The default
site\&.conf
file (site\&.conf\-std) configures
\fBDACS\fR
to look in that directory for the default rules\&. These rules control access to
\fBDACS\fR
web services and are sufficient for proper operation\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If your installed
\fBDACS\fR
web services have a filename suffix (e\&.g\&.,
\&.cgi, you should probably build
\fBDACS\fR
with an appropriate
\fB\-\-with\-cgi\-suffix\fR
flag or customize the rules manually\&. If it is necessary to change the default rules, consider overriding them at the jurisdiction level instead of editing a default ACL file \- this will make it easier for you to upgrade because you will not have to carry these changes forward to future releases of
\fBDACS\fR\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
Access to some administrative and experimental
\fBDACS\fR
web services is completely disabled or restricted by default;
\fIchange these with care and at your own risk, particularly if your web server is reachable from the Internet\fR\&.
.sp .5v
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
Configure your
dacs\&.conf
file at each jurisdiction\&. At the very least, you must provide
\m[blue]\fBFEDERATION_DOMAIN\fR\m[]\&\s-2\u[64]\d\s+2,
\m[blue]\fBFEDERATION_NAME\fR\m[]\&\s-2\u[65]\d\s+2, and
\m[blue]\fBJURISDICTION_NAME\fR\m[]\&\s-2\u[66]\d\s+2
directives; all other required directives will come from the
site\&.conf
file installed in an earlier step if you do not specify them\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
Use
\m[blue]\fBdacskey(1)\fR\m[]\&\s-2\u[67]\d\s+2
to make encryption keys for the federation (if you are creating a new federation) or obtain a copy of the federation\*(Aqs encryption keys for each new jurisdiction (if you are joining an existing federation)\&. Each jurisdiction in a federation must have a copy of the same federation keys\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
Use
\m[blue]\fBdacskey(1)\fR\m[]\&\s-2\u[67]\d\s+2
to make encryption keys for each new jurisdiction (each jurisdiction will have different keys)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 6." 4.2
.\}
Create a group definition that describes your jurisdictions \- see
\m[blue]\fBdacs\&.groups(5)\fR\m[]\&\s-2\u[68]\d\s+2
\- and install an identical copy at each jurisdiction\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 7." 4.2
.\}
Check ownership and permissions on
\fBDACS\fR
executables and data files\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBSecurity\fR
.ps -1
.br
All access to
\fBDACS\fR
configuration files (dacs\&.conf,
site\&.conf) and keys must be limited to the
\fBDACS\fR
administrator and the
\fBDACS\fR
CGI programs called by
\fBApache\fR\&. The installation process tries to set this reasonably, but you should re\-check now and after making changes because it is vital to maintain a secure system (e\&.g\&.,
ls \-lR /usr/local/dacs)\&.
.sp .5v
.RE
.RE
.sp
.SS "Initial Testing"
.PP
Having configured
\fBApache\fR
and
\fBDACS\fR, you should try some basic
\fBDACS\fR
web services to make sure that they are working properly before you go on to make customizations\&.
.PP
For example, invoke
\m[blue]\fBdacs_version(8)\fR\m[]\&\s-2\u[14]\d\s+2
from your browser to check that it is properly
\fBDACS\fR\-wrapped (adjust the URL for your environment):
.sp
.if n \{\
.RS 4
.\}
.nf
% http "http://\fImyserver\fR/cgi\-bin/dacs/dacs_version"
.fi
.if n \{\
.RE
.\}
.sp
Review the
\fBDACS\fR
log files (default:
/usr/local/dacs/logs/*) to see what happened\&. You can also try
\m[blue]\fBdacsversion(1)\fR\m[]\&\s-2\u[69]\d\s+2
from the command line\&.
.PP
You should verify that
\m[blue]\fBdacs_list_jurisdictions(8)\fR\m[]\&\s-2\u[11]\d\s+2
works properly\&.
.PP
The next step is to configure an authentication method \- see
\m[blue]\fBdacs_authenticate(8)\fR\m[]\&\s-2\u[8]\d\s+2
and try to authenticate\&. Once that appears to be working, you can try
\m[blue]\fBdacs_current_credentials(8)\fR\m[]\&\s-2\u[9]\d\s+2,
\m[blue]\fBdacs_prenv(8)\fR\m[]\&\s-2\u[10]\d\s+2,
\m[blue]\fBdacs_conf(8)\fR\m[]\&\s-2\u[12]\d\s+2, and
\m[blue]\fBdacs_signout(8)\fR\m[]\&\s-2\u[13]\d\s+2\&.
.SS "Build Options"
.PP
Running
\fBconfigure\fR
generates
config\&.nice
(over\-writing any previous contents), which can be executed at some later time if you want to re\-run
\fBconfigure\fR
with the same arguments\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
.PP
After you are happy with your configuration, consider squirrelling away a copy of
config\&.nice
in case you want to reconfigure
\fBDACS\fR
or for use with later releases of
\fBDACS\fR\&.
.sp .5v
.RE
.PP
It is possible to "bundle" several of the
\fBDACS\fR
utility programs together into a single binary called
\fBdacs\fR\&. This is similar to what
\fBOpenSSL\fR
does with its
\fBopenssl\fR
command\&. Instead of running:
.sp
.if n \{\
.RS 4
.\}
.nf
% dacsacl \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
you would run:
.sp
.if n \{\
.RS 4
.\}
.nf
% dacs dacsacl \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
Running
\fBdacs\fR
without arguments displays the list of built\-in utilities\&. Some utilities have multiple names that are equivalent; these appear in a comma\-separated list\&. To build this combined command, add the flag
bundle=yes
to command lines when building and installing:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake bundle=yes
% gmake bundle=yes install
.fi
.if n \{\
.RE
.\}
.sp
The commands that are bundled into the
\fBdacs\fR
command won\*(Aqt be built as separate programs\&. To build and install both bundled and unbundled commands:
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake bundle=both
% gmake bundle=both install
.fi
.if n \{\
.RE
.\}
.sp
.PP
Command: gmake or "\fBgmake build\fR"
.RS 4
This will build libraries, services, and utilities in the source directory\&. By default, the build process will create shared libraries and binaries if they are supported on your platform\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBTip\fR
.ps -1
.br
If you encounter problems while building
\fBDACS\fR
with shared libraries, use
\fB\-\-disabled\-shared\fR
and
\fB\-\-enable\-static\fR
with
\fBconfigure\fR
and try building it again\&.
.sp .5v
.RE
.RE
.PP
Command: "\fBgmake install\fR"
.RS 4
This will install all
\fBDACS\fR
components\&. We recommend that everything other than CGI binaries be put under
/usr/local/dacs, which is the default\&. The CGI binaries are by default installed in
\&.\&.\&./\fIyour\-apache\-dir\fR/cgi\-bin/dacs\&. By default,
\fBDACS\fR
utilities will be installed in
/usr/local/dacs/bin, which you may want to put on your
\fBPATH\fR
for convenience\&.
.RE
.PP
Command: "\fBgmake clean\fR"
.RS 4
Removes binaries, object files, and other junk in the build directory
.RE
.PP
Command: "\fBgmake distclean\fR"
.RS 4
Does a "\fBgmake clean\fR" and cleans up so that
\fBconfigure\fR
can be re\-done\&.
.RE
.PP
Command: "\fBgmake extraclean\fR"
.RS 4
Does a "\fBgmake distclean\fR" and removes
configure\&. After this, do:
.sp
.if n \{\
.RS 4
.\}
.nf
% autoconf \-I\&.\&./include
.fi
.if n \{\
.RE
.\}
.sp
and then run
\fBconfigure\fR\&.
.RE
.PP
Command: "\fBgmake uninstall\fR"
.RS 4
Removes installed binaries, include files, and libraries
.RE
.PP
Other useful build commands (these should be self\-explanatory):
.sp
.if n \{\
.RS 4
.\}
.nf
% gmake build\-services
% gmake build\-progs
% gmake build\-static
% gmake build\-shared
% gmake build\-static\-services
% gmake build\-shared\-services
% gmake build\-static\-progs
% gmake build\-shared\-progs
% gmake build\-shared\-lib
% gmake install\-libs
% gmake install\-shared\-lib
% gmake install\-static\-lib
% gmake install\-progs
% gmake install\-services
.fi
.if n \{\
.RE
.\}
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBConfigure Options\fR
.RS 4
.PP
To verify that this documentation is up\-to\-date, please run:
.sp
.if n \{\
.RS 4
.\}
.nf
% configure \-\-help
.fi
.if n \{\
.RE
.\}
.sp
This will also tell you which features are enabled (or disabled) by default\&.
Standard build and install options.PP
.PP
\fB\-\-prefix=\fR\fB\fIPREFIX\fR\fR
.RS 4
The root for the installation hierarchy [/usr/local/dacs], which is referred to as the symbol and variable
\m[blue]\fBDACS_HOME\fR\m[]\&\s-2\u[70]\d\s+2
.RE
.PP
\fB\-\-exec\-prefix=\fR\fB\fIEPREFIX\fR\fR
.RS 4
The root for the architecture\-dependent hierarchy [\fIPREFIX\fR]
.RE
.PP
\fB\-\-bindir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
utilities are installed [\fIEPREFIX\fR/bin]
.RE
.PP
\fB\-\-libdir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
libraries are installed [\fIEPREFIX\fR/lib]
.RE
.PP
\fB\-\-includedir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
include files are installed [\fIEPREFIX\fR/include]
.RE
.PP
\fB\-\-mandir=\fR\fB\fIDIR\fR\fR
.RS 4
Where
\fBDACS\fR
manual pages are installed [\fIEPREFIX\fR/man]
.RE
.PP
\fB\-\-enable\-shared\fR
.RS 4
Generate shared libraries
.RE
.PP
\fB\-\-enable\-static\fR
.RS 4
Generate static libraries
.RE
.PP
\fB\-\-disable\-prefix\-check\fR
.RS 4
Disable prefix path check\&. The prefix path check does some sanity tests on
\fIPREFIX\fR\&.
.RE
Feature selection options.PP
.PP
\fB\-\-enable\-access\-tokens\fR
.RS 4
Compile with the authorization caching feature
.RE
.PP
\fB\-\-enable\-all\-auth\fR
.RS 4
Enable all authentication methods; you can use this flag and then individually disable methods (e\&.g\&.,
\fB\-\-enable\-all\-auth\fR\fB\-\-disable\-apache\-auth\fR
would enable all methods except
\fBApache\fR
password authentication
.RE
.PP
\fB\-\-enable\-apache\-auth\fR
.RS 4
Enable
\fBApache\fR
password authentication directly through
\fBDACS\fR
.RE
.PP
\fB\-\-enable\-bdb\fR
.RS 4
Enable
Berkeley DB
support (default is
yes)\&. If you don\*(Aqt want it, use
\fB\-\-disable\-bdb\fR
.RE
.PP
\fB\-\-enable\-cas\-auth\fR
.RS 4
Enable CAS authentication
.RE
.PP
\fB\-\-enable\-cert\-auth\fR
.RS 4
Enable X\&.509 client certificate authentication
.RE
.PP
\fB\-\-enable\-dacs\-conf\fR
.RS 4
Specify default
\fBDACS\fR
config file
.RE
.PP
\fB\-\-enable\-dacs\-log\fR
.RS 4
Specify initial
\fBDACS\fR
log file
.RE
.PP
\fB\-\-enable\-debug\fR
.RS 4
Compile with debugging
.RE
.PP
\fB\-\-enable\-developer\fR
.RS 4
Compile with development flags
.RE
.PP
\fB\-\-enable\-fts\fR
.RS 4
Use included
\m[blue]\fBfts(3)\fR\m[]\&\s-2\u[71]\d\s+2
library
.RE
.PP
\fB\-\-enable\-gdbm\fR
.RS 4
Enable ndbm support using gdbm\*(Aqs compatibility API (\m[blue]\fBgdbm(3)\fR\m[]\&\s-2\u[72]\d\s+2)
.RE
.PP
\fB\-\-enable\-grid\-auth\fR
.RS 4
Enable one\-time password grid authentication
.RE
.PP
\fB\-\-enable\-infocard\-auth\fR
.RS 4
Enable InfoCard authentication and support
.RE
.PP
\fB\-\-enable\-java\fR
.RS 4
Enable Java support
.RE
.PP
\fB\-\-enable\-ldap\-auth\fR
.RS 4
Enable LDAP authentication and roles
.RE
.PP
\fB\-\-enable\-local\-roles\fR
.RS 4
Enable private
\fBDACS\fR
roles module (enabled by default)
.RE
.PP
\fB\-\-enable\-native\-auth\fR
.RS 4
Enable authentication via
\fBApache\fR
modules
.RE
.PP
\fB\-\-enable\-ndbm\fR
.RS 4
Enable native Unix ndbm API support
.RE
.PP
\fB\-\-enable\-ntlm\-auth\fR
.RS 4
Enable NTLM authentication
.RE
.PP
\fB\-\-enable\-pam\-auth\fR
.RS 4
Enable PAM authentication
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
The PAM module should be considered experimental\&. Test it carefully before production use\&.
.sp .5v
.RE
.RE
.PP
\fB\-\-enable\-passwd\-auth\fR
.RS 4
Enable DACS password\-protected account authentication
.RE
.PP
\fB\-\-enable\-rule\-patterns\fR
.RS 4
Enable extended URL patterns when matching a request against ACLs (this is an add\-on feature)
.RE
.PP
\fB\-\-enable\-simple\-auth\fR
.RS 4
Enable simple DACS account authentication
.RE
.PP
\fB\-\-enable\-sqlite\fR
.RS 4
Enable
SQLite
support (default is
no)\&. If you don\*(Aqt want it, use
\fB\-\-disable\-sqlite\fR
.RE
.PP
\fB\-\-enable\-token\-auth\fR
.RS 4
Enable one\-time password token authentication
.RE
.PP
\fB\-\-enable\-unix\-roles\fR
.RS 4
Enable Unix groups roles module (enabled by default on Unix platforms)
.RE
.PP
\fB\-\-enable\-user\-info\fR
.RS 4
Compile with the user information reporting feature
.RE
Third\-party support options.PP
.PP
\fB\-\-with\-apache=\fR\fB\fIDIR\fR\fR
.RS 4
Root
\fBApache\fR
install directory; if
\fIDIR\fR
is "omit", however, a basic subset of
\fBDACS\fR
will be installed (\m[blue]\fBalso see above\fR\m[]\&\s-2\u[73]\d\s+2) (example: if
\fBApache\fR
files have been installed in
/usr/local/apache2\&.2/include,
/usr/local/apache2\&.2/conf, etc\&., use
\fB\-\-with\-apache\fR=/usr/local/apache2\&.2)
.RE
.PP
\fB\-\-with\-apache\-apr=\fR\fB\fIDIR\fR\fR
.RS 4
Root
\fBApache\fRAPR
install directory; required only when
\fBApache\fR2\&.2
or
2\&.4
are used (example:
\fB\-\-with\-apache\-apr\fR=/usr/local/apache2\&.2/apr\-httpd)
.RE
.PP
\fB\-\-with\-apache\-apr\-config=\fR\fB\fIPATH\fR\fR
.RS 4
\fBApache\fRAPR
configuration program; required only when
\fBApache\fR2\&.2
or
2\&.4
are used and the correct program is not on the search path; this flag may be required if the build system has more than one instance of
\fBApache\fR
installed or if you have installed
\fBApache\fR
in a non\-standard location (example:
\fB\-\-with\-apache\-apr\-config\fR=/usr/local/apache2\&.2/apr\-httpd/bin/apr\-1\-config)
.RE
.PP
\fB\-\-with\-apache\-apr\-cpp\-defs=\fR\fB\fIFLAGS\fR\fR
.RS 4
Preprocessor flags required when compiling files that include
\fBApache\fRAPR
code; may be required with some "non\-standard" cases when
\fBApache\fR2\&.2
or
2\&.4
are used and "\fBapr\-1\-config \-\-cppflags\fR" is unavailable or does not report the correct flags (example:
\fB\-\-with\-apache\-apr\-cpp\-defs\fR=\-D_LARGEFILE64_SOURCE)
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
It has been reported that on some
GNU/Linux
platforms, such as Ubuntu, it is necessary to define these symbols when building
\fBDACS\fR
code that includes
APR
header files (such as
\fBdacsversion\fR):
.sp
.if n \{\
.RS 4
.\}
.nf
#define LINUX 2
#define _REENTRANT
#define _GNU_SOURCE
#define _LARGEFILE64_SOURCE
.fi
.if n \{\
.RE
.\}
.sp .5v
.RE
.RE
.PP
\fB\-\-with\-apache\-apr\-includes=\fR\fB\fIDIR\fR\fR
.RS 4
\fBApache\fRAPR
include files directory; required with some "non\-standard" cases when
\fBApache\fR2\&.2
or
2\&.4
are used and
\fBapr\-1\-config\fR
is unavailable or does not report the correct directory (example:
\fB\-\-with\-apache\-apr\-includes\fR=/usr/bin/include/apr\-1\&.0)
.RE
.PP
\fB\-\-with\-apxs=\fR\fB\fIPATH\fR\fR
.RS 4
By default, the build procedure expects the
\fBApache\fR\fBapxs\fR
utility to be
bin/apxs, relative to
\fBApache\*(Aqs\fR
installation directory\&. On systems where this is incorrect, you must specifically configure the path for
\fBapxs\fR\&. (example:
\fB\-\-with\-apxs\fR=/usr/sbin/apxs2)
.RE
.PP
\fB\-\-with\-bdb=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the root of the installed
Berkeley DB
libraries, include files, etc\&.; for example
\fB\-\-with\-bdb\fR=/usr/local/db\-5\&.3\&.21\&. This implies
\fB\-\-enable\-bdb\fR\&.
.RE
.PP
\fB\-\-with\-cgi\-bin=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBApache\fR
CGI files for
\fBDACS\fR
web services\&. This will resolve to
\fIDIR\fR/cgi\-bin/dacs
if it exists, or
\fIDIR\fR/dacs
if that exists, or
\fIDIR\fR
if its last component is "dacs"\&.
.RE
.PP
\fB\-\-with\-cgi\-suffix=\fR\fB\fISUFFIX\fR\fR
.RS 4
When installing CGI executables, add
\fISUFFIX\fR
as the file extension\&. A typical value for
\fISUFFIX\fR
is "\&.cgi"\&. The default access control rules for
\fBDACS\fR
web services (via the VFS item type
dacs_acls) respect this suffix\&. On
Windows
platforms, where "\&.exe" is the standard extension for programs,
\fISUFFIX\fR
is set to that by default\&. Using a
\fISUFFIX\fR
of "no" sets the extension to the null string\&.
.RE
.PP
\fB\-\-with\-dacs\-conf=\fR\fB\fIPATH\fR\fR
.RS 4
Specify default
\fBDACS\fR
config file (default:
\fIPREFIX\fR/federations/dacs\&.conf)
.RE
.PP
\fB\-\-with\-dacs\-log=\fR\fB\fIPATH\fR\fR
.RS 4
Specify initial
\fBDACS\fR
log file (default:
\fIPREFIX\fR/logs/error_log)
.RE
.PP
\fB\-\-with\-expat=\fR\fB\fIDIR\fR\fR
.RS 4
Root directory of installed
\fBExpat\fR
libraries and include files\&. If Expat files have been installed in
/usr/local/expat/include,
/usr/local/expat/lib, etc\&., use
\fB\-\-with\-expat\fR=/usr/local/expat\&.
.RE
.PP
\fB\-\-with\-federations\-root=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBDACS\fR
federations root directory (default:
\fIPREFIX\fR/federations)
.RE
.PP
\fB\-\-with\-htdocs=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBApache\fR\fBDACS\fR
files if not the
htdocs
subdirectory of the
\fBApache\fR
install directory\&.
.RE
.PP
\fB\-\-with\-iconv=\fR\fB\fIDIR\fR\fR
.RS 4
Path to parent of
iconv
installation\&. This flag may be required if you are enabling
\fBSamba\fR
support\&.
.RE
.PP
\fB\-\-with\-jdk\-bin\fR
.RS 4
If Java support is enabled, this identifies the directory containing the
\fBjava\fR,
\fBjavac\fR,
\fBjavah\fR, and
\fBjar\fR
commands\&. If this flag is absent,
\fBconfigure\fR
will look for those programs using the current
\fBPATH\fR
variable\&. (Example:
\fB\-\-with\-jdk\-bin=/usr/local/java/bin\fR)
.RE
.PP
\fB\-\-with\-jdk\-includes\fR
.RS 4
If Java support is enabled, this is a list of one or more
\fBGCC\fR
include flags for JDK include directories (Example:
\fB\-\-with\-jdk\-includes=\-I/usr/local/jdk/include \-I/usr/local/jdk/include/freebsd\fR)
.RE
.PP
\fB\-\-with\-ldap=\fR\fB\fIDIR\fR\fR
.RS 4
Location of
\fBOpenLDAP\fR\fIsource\fR
files\&. This is the root directory for the OpenLDAP source distribution (Example:
/local/src/openldap\-2\&.2\&.28)\&. This implies
\fB\-\-enable\-ldap\-auth\fR\&.
.RE
.PP
\fB\-\-with\-mailer\-prog=\fR\fB\fIPATH\fR\fR
.RS 4
Location of a mailer program to use instead of
\fBsendmail\fR\&. This is only needed if email support is required\&. If
\fB\-\-with\-mailer\-args\fR
is also specified, it will be used as the command line arguments\&. See
\m[blue]\fBdacsemail(1)\fR\m[]\&\s-2\u[74]\d\s+2
for a description of how the mailer is expected to behave\&.
.RE
.PP
\fB\-\-with\-mailer\-args=\fR\fB\fISTRING\fR\fR
.RS 4
Command line arguments to use with the selected mailer program\&. This is only required if email support is required\&. See
\m[blue]\fBdacsemail(1)\fR\m[]\&\s-2\u[74]\d\s+2
for a description of how the mailer is expected to behave\&.
.RE
.PP
\fB\-\-with\-readline=\fR\fB\fILIB\fR\fR
.RS 4
Use
\m[blue]\fBGNU Readline\fR\m[]\&\s-2\u[54]\d\s+2
when available\&. If
\fILIB\fR
is given, it is the link flag to use or the pathname for the library (other flags may also be specified)\&. (Example:
\fB\-\-with\-readline=\-Wl,\-rpath,/local/src/readline\-6\&.2/lib \-L/local/src/readline\-6\&.2/lib \-I/local/src/readline\-6\&.2/include\fR)
.RE
.PP
\fB\-\-with\-samba=\fR\fB\fIDIR\fR\fR
.RS 4
Location of Samba
\fIsource\fR
files\&. This is the root directory for the Samba source distribution (Example:
/local/src/samba\-3\&.6\&.12)\&. This implies
\fB\-\-enable\-ntlm\-auth\fR\&.
.RE
.PP
\fB\-\-with\-sendmail=\fR\fB\fIPATH\fR\fR
.RS 4
Location of
\m[blue]\fBsendmail(8)\fR\m[]\&\s-2\u[75]\d\s+2\&. This is only needed if email support is required and the location of the
\fBsendmail\fR
command found at configuration time must be overridden\&. If
\fB\-\-with\-mailer\-args\fR
is also specified, it will be used instead of the default
\fBsendmail\fR
command line arguments\&. See
\m[blue]\fBdacsemail(1)\fR\m[]\&\s-2\u[74]\d\s+2
for additional details\&.
.RE
.PP
\fB\-\-with\-sqlite=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the root of the installed
SQLite
libraries, include files, etc\&.; for example
\fB\-\-with\-sqlite\fR=/usr/local/sqlite\-3\&.7\&.10\&. This implies
\fB\-\-enable\-sqlite\fR\&.
.RE
.PP
\fB\-\-with\-ssl=\fR\fB\fIDIR\fR\fR
.RS 4
Location of the root of the installed
\fBOpenSSL\fR
libraries and include files\&. If
\fBOpenSSL\fR
files have been installed in
/usr/local/openssl/include,
/usr/local/openssl/lib, etc\&., use
\fB\-\-with\-expat\fR=/usr/local/openssl\&.
.RE
.PP
\fB\-\-with\-xmlsec1\-config=\fR\fB\fIPATH\fR\fR
.RS 4
If the build procedure cannot find
\fBxmlsec1\-config\fR, or if it finds the wrong one, you can specify its location as
\fIPATH\fR\&. This may only be required if InfoCard authentication has been enabled\&.
.RE
.PP
To specify additional flags for compiling or linking
\fBDACS\fR, set
\fICFLAGS\fR
or
\fILDFLAGS\fR, respectively\&.
.PP
To specify additional flags for compiling or linking the
\m[blue]\fBmod_auth_dacs module\fR\m[]\&\s-2\u[7]\d\s+2, set
\fIAPACHE_CFLAGS\fR
or
\fIAPACHE_LDFLAGS\fR, respectively\&. For example, this command will cause
\fBmod_auth_dacs\fR
to be built with the
\fB\-m64\fR
flag and
\fBDACS\fR
to be built with both the
\fB\-m64\fR
flag and the
\fB\-O3\fR
flag:
.sp
.if n \{\
.RS 4
.\}
.nf
% \&./configure "APACHE_CFLAGS=\-m64" "CFLAGS=\-O3 \-m64" \&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
.RE
.SH "SEE ALSO"
.PP
\m[blue]\fBdacs(1)\fR\m[]\&\s-2\u[76]\d\s+2,
\m[blue]\fBdacs\&.readme(7)\fR\m[]\&\s-2\u[6]\d\s+2,
\m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[5]\d\s+2
.SH "AUTHOR"
.PP
Distributed Systems Software (\m[blue]\fBwww\&.dss\&.ca\fR\m[]\&\s-2\u[77]\d\s+2)
.SH "COPYING"
.PP
Copyright2003\-2013 Distributed Systems Software\&. See the
\m[blue]\fBLICENSE\fR\m[]\&\s-2\u[78]\d\s+2
file that accompanies the distribution for licensing information\&.
.SH "NOTES"
.IP " 1." 4
gmake
.RS 4
\%http://directory.fsf.org/project/make
.RE
.IP " 2." 4
GCC
.RS 4
\%http://gcc.gnu.org
.RE
.IP " 3." 4
Xcode
.RS 4
\%https://developer.apple.com/xcode
.RE
.IP " 4." 4
ldconfig(8)
.RS 4
\%http://www.freebsd.org/cgi/man.cgi?query=ldconfig&apropos=0&sektion=8&manpath=FreeBSD+9.1-RELEASE&format=html
.RE
.IP " 5." 4
dacs.quick(7)
.RS 4
\%http://dacs.dss.ca/man/dacs.quick.7.html
.RE
.IP " 6." 4
dacs.readme(7)
.RS 4
\%http://dacs.dss.ca/man/dacs.readme.7.html
.RE
.IP " 7." 4
mod_auth_dacs module
.RS 4
\%http://dacs.dss.ca/man/mod_auth_dacs.html
.RE
.IP " 8." 4
dacs_authenticate(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html
.RE
.IP " 9." 4
dacs_current_credentials(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_current_credentials.8.html
.RE
.IP "10." 4
dacs_prenv(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_prenv.8.html
.RE
.IP "11." 4
dacs_list_jurisdictions(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_list_jurisdictions.8.html
.RE
.IP "12." 4
dacs_conf(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_conf.8.html
.RE
.IP "13." 4
dacs_signout(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_signout.8.html
.RE
.IP "14." 4
dacs_version(8)
.RS 4
\%http://dacs.dss.ca/man/dacs_version.8.html
.RE
.IP "15." 4
Cygwin
.RS 4
\%http://cygwin.com
.RE
.IP "16." 4
man/index.html
.RS 4
\%http://dacs.dss.ca/man/index.html
.RE
.IP "17." 4
Post-Release Notes
.RS 4
\%http://dacs.dss.ca/download.html
.RE
.IP "18." 4
sudo(8)
.RS 4
\%http://www.freebsd.org/cgi/man.cgi?query=sudo&apropos=0&sektion=8&manpath=FreeBSD+9.1-RELEASE&format=html
.RE
.IP "19." 4
Expat
.RS 4
\%http://sourceforge.net/projects/expat
.RE
.IP "20." 4
OpenSSL
.RS 4
\%http://www.openssl.org
.RE
.IP "21." 4
xmlsec1
.RS 4
\%http://www.aleksey.com/xmlsec
.RE
.IP "22." 4
a patch
.RS 4
\%http://www.openssl.org/support/faq.html#USER1
.RE
.IP "23." 4
Apache
.RS 4
\%http://httpd.apache.org
.RE
.IP "24." 4
above
.RS 4
\%http://dacs.dss.ca/man/#install-openssl
.RE
.IP "25." 4
apr.apache.org
.RS 4
\%http://apr.apache.org
.RE
.IP "26." 4
Third-party support options
.RS 4
\%http://dacs.dss.ca/man/#third-party-support-options
.RE
.IP "27." 4
build Berkeley DB
.RS 4
\%http://dacs.dss.ca/man/#dbm-databases
.RE
.IP "28." 4
FAQ
.RS 4
\%http://dacs.dss.ca/man//faq.html
.RE
.IP "29." 4
Berkeley DB
.RS 4
\%http://www.oracle.com/technology/software/products/berkeley-db/index.html
.RE
.IP "30." 4
Oracle Corporation
.RS 4
\%http://www.oracle.com
.RE
.IP "31." 4
--enable-bdb
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-bdb
.RE
.IP "32." 4
--disable-bdb
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--disable-bdb
.RE
.IP "33." 4
--with-bdb
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-bdb
.RE
.IP "34." 4
ftp://ftp.gnu.org/gnu/gdbm
.RS 4
\%ftp://ftp.gnu.org/gnu/gdbm/
.RE
.IP "35." 4
--enable-ndbm
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-ndbm
.RE
.IP "36." 4
--enable-gdbm
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-gdbm
.RE
.IP "37." 4
sdbm
.RS 4
\%http://search.cpan.org/src/NWCLARK/perl-5.8.8/ext/SDBM_File/sdbm/README
.RE
.IP "38." 4
SQLite
.RS 4
\%http://www.sqlite.org
.RE
.IP "39." 4
--enable-sqlite
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-sqlite
.RE
.IP "40." 4
--disable-sqlite
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--disable-sqlite
.RE
.IP "41." 4
--with-sqlite
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-sqlite
.RE
.IP "42." 4
local_ntlm_authenticate
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html#local_ntlm_authenticate
.RE
.IP "43." 4
Samba
.RS 4
\%http://www.samba.org
.RE
.IP "44." 4
--enable-ntlm-auth
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-ntlm-auth
.RE
.IP "45." 4
--with-samba
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-samba
.RE
.IP "46." 4
local_infocard_authenticate
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html#local_infocard_authenticate
.RE
.IP "47." 4
libxml2
.RS 4
\%http://xmlsoft.org
.RE
.IP "48." 4
--with-xmlsec1-config
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-xmlsec1-config
.RE
.IP "49." 4
--enable-infocard-auth
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-infocard-auth
.RE
.IP "50." 4
local_ldap_authenticate
.RS 4
\%http://dacs.dss.ca/man/dacs_authenticate.8.html#local_ldap_authenticate
.RE
.IP "51." 4
OpenLDAP
.RS 4
\%http://www.openldap.org
.RE
.IP "52." 4
--enable-ldap-auth
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--enable-ldap-auth
.RE
.IP "53." 4
--with-ldap
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-ldap
.RE
.IP "54." 4
GNU Readline Library
.RS 4
\%http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html
.RE
.IP "55." 4
dacsexpr(1)
.RS 4
\%http://dacs.dss.ca/man/dacsexpr.1.html
.RE
.IP "56." 4
--with-readline
.RS 4
\%http://dacs.dss.ca/man/#build_flag_--with-readline
.RE
.IP "57." 4
Build Options
.RS 4
\%http://dacs.dss.ca/man/#build_options
.RE
.IP "58." 4
dacsacl(1)
.RS 4
\%http://dacs.dss.ca/man/dacsacl.1.html
.RE
.IP "59." 4
DESTDIR
.RS 4
\%http://www.gnu.org/prep/standards/standards.html#DESTDIR
.RE
.IP "60." 4
Group
.RS 4
\%http://httpd.apache.org/docs/2.2/mod/mpm_common.html#group
.RE
.IP "61." 4
SetDACSAuthDebug
.RS 4
\%http://dacs.dss.ca/man/mod_auth_dacs.html#SetDACSAuthDebug
.RE
.IP "62." 4
ServerTokens
.RS 4
\%http://httpd.apache.org/docs/current/mod/core.html#servertokens
.RE
.IP "63." 4
Alias
.RS 4
\%http://httpd.apache.org/docs/2.2/mod/mod_alias.html#alias
.RE
.IP "64." 4
FEDERATION_DOMAIN
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#FEDERATION_DOMAIN
.RE
.IP "65." 4
FEDERATION_NAME
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#FEDERATION_NAME
.RE
.IP "66." 4
JURISDICTION_NAME
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#JURISDICTION_NAME
.RE
.IP "67." 4
dacskey(1)
.RS 4
\%http://dacs.dss.ca/man/dacskey.1.html
.RE
.IP "68." 4
dacs.groups(5)
.RS 4
\%http://dacs.dss.ca/man/dacs.groups.5.html#dacs_metadata
.RE
.IP "69." 4
dacsversion(1)
.RS 4
\%http://dacs.dss.ca/man/dacsversion.1.html
.RE
.IP "70." 4
DACS_HOME
.RS 4
\%http://dacs.dss.ca/man/dacs.conf.5.html#var_dacs_home
.RE
.IP "71." 4
fts(3)
.RS 4
\%http://www.freebsd.org/cgi/man.cgi?query=fts&apropos=0&sektion=3&manpath=FreeBSD+9.1-RELEASE&format=html
.RE
.IP "72." 4
gdbm(3)
.RS 4
\%http://directory.fsf.org/gdbm.html
.RE
.IP "73." 4
also see above
.RS 4
\%http://dacs.dss.ca/man/#building_subset
.RE
.IP "74." 4
dacsemail(1)
.RS 4
\%http://dacs.dss.ca/man/dacsemail.1.html
.RE
.IP "75." 4
sendmail(8)
.RS 4
\%http://www.freebsd.org/cgi/man.cgi?query=sendmail&apropos=0&sektion=8&manpath=FreeBSD+9.1-RELEASE&format=html
.RE
.IP "76." 4
dacs(1)
.RS 4
\%http://dacs.dss.ca/man/dacs.1.html
.RE
.IP "77." 4
www.dss.ca
.RS 4
\%http://www.dss.ca
.RE
.IP "78." 4
LICENSE
.RS 4
\%http://dacs.dss.ca/man/../misc/LICENSE
.RE