.\" Copyright (c) 2003-2012 .\" Distributed Systems Software. All rights reserved. .\" See the file LICENSE for redistribution information. .\" $Id: copyright-nr 2564 2012-03-02 00:17:08Z brachman $ '\" t .\" Title: dacs.readme .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 08/23/2020 .\" Manual: DACS Miscellaneous Information Manual .\" Source: DACS 1.4.40 .\" Language: English .\" .TH "DACS\&.README" "7" "08/23/2020" "DACS 1.4.40" "DACS Miscellaneous Information" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" dacs.readme \- \fBDACS\fR README .SH "DESCRIPTION" .PP This file is part of the \fBDACS\fR suite\&. 
.PP After reviewing this document, it will be beneficial to look at these important documents: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for a brief description of this release, and possibly last minute updates, please refer to \m[blue]\fBREADME\fR\m[]\&\s-2\u[1]\d\s+2 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for a technical overview of the system, including a description of command line flags common to most \fBDACS\fR programs, please see \m[blue]\fBdacs(1)\fR\m[]\&\s-2\u[2]\d\s+2 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for information about licensing, please refer to \m[blue]\fBLICENSE\fR\m[]\&\s-2\u[3]\d\s+2 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for information about installation, please refer to \m[blue]\fBdacs\&.install(7)\fR\m[]\&\s-2\u[4]\d\s+2 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for the Quick Start tutorial, please refer to \m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[5]\d\s+2 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for important release notes, please visit \m[blue]\fBhttps://dacs\&.dss\&.ca/download\&.html\fR\m[] .RE .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNO WARRANTY\fR .ps -1 .br .PP This software is provided by DSS "as is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non\-infringement, are disclaimed\&.
In no event shall DSS be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage\&. .sp .5v .RE .SS "DACS At a Glance" .PP \fBDACS\fR is: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} a light\-weight, open source single sign\-on system; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} a flexible and powerful attribute\- and role\-based access control system; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} a set of feature\-rich authentication methods; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} an \m[blue]\fBApache\fR\m[]\&\s-2\u[6]\d\s+2 2\&.2 and 2\&.4 module and suite of CGI programs; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} able to apply coarse\-grained access control to web service requests made using standard web browsers; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} able to provide fine\-grained access control functionality to almost any program or script; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} a collection of web services that can provide access control and identity management functionality to your middleware; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} a C/C++ toolkit for building new authentication and access control functionality into programs, whether web\-based or not; .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} for Unix\-type platforms,
such as GNU/Linux, macOS, and FreeBSD\&. .RE .PP \fIFor developers\fR, \fBDACS\fR makes access control functionality available through the command line, allowing scripts (Perl, PHP, shell, etc\&.) to make data\-driven access control decisions rather than program\-driven ones\&. This can be used completely independently of the web functionality and without dealing with run\-time configuration of \fBDACS\fR\&. Please see \m[blue]\fBdacscheck(1)\fR\m[]\&\s-2\u[7]\d\s+2\&. \fBDACS\fR also provides web services from which single sign\-on systems can be constructed\&. .PP \fIFor web sites\fR, \fBDACS\fR can help manage access to web resources in many situations, whether you have just one web server, several web servers at one site, or many web servers spread across the Internet\&. You may find it to be useful simply as a universal authentication mechanism for a single \fBApache\fR server or as a full\-fledged, single sign\-on multi\-server identity management and access control system\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBTip\fR .ps -1 .br .PP If you are interested in \m[blue]\fBdacscheck(1)\fR\m[]\&\s-2\u[7]\d\s+2 or the general\-purpose \fBDACS\fR utilities (e\&.g\&., \m[blue]\fBdacshttp(1)\fR\m[]\&\s-2\u[8]\d\s+2, \m[blue]\fBsslclient(1)\fR\m[]\&\s-2\u[9]\d\s+2) but are not interested in web services or \fBApache\fR, refer to the instructions in \m[blue]\fBdacs\&.install(7)\fR\m[]\&\s-2\u[4]\d\s+2\&. .sp .5v .RE .PP The \fBDACS\fR home page is at \m[blue]\fBhttps://dacs\&.dss\&.ca\fR\m[]\&. \fBDACS\fR was hosted as a \m[blue]\fBSourceForge\fR\m[]\&\s-2\u[10]\d\s+2 project at \m[blue]\fBhttp://sourceforge\&.net/projects/dacs\fR\m[], but that has not been used since 2013\&. 
.SS "Supported Platforms" .PP \fBDACS\fR is currently developed and tested: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} with \m[blue]\fBApache\fR\m[]\&\s-2\u[6]\d\s+2 2\&.2\&.31 and 2\&.4\&.25 (2\&.0\&.X releases, which were once supported, are now deprecated and untested) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} on platforms: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fBFreeBSD\fR\m[]\&\s-2\u[11]\d\s+2 10\&.3 and 11\&.1 (amd64) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fBCentOS\fR\m[]\&\s-2\u[12]\d\s+2 7\&.3 (x86_64, Linux 3\&.10, built from \m[blue]\fBRed Hat Enterprise Linux\fR\m[]\&\s-2\u[13]\d\s+2 7) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fBmacOS Sierra\fR\m[]\&\s-2\u[14]\d\s+2 10\&.13\&.3 (Intel Core i7, x86_64) .RE .sp .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} using \fBGCC\fR 5\&.4 (and newer), and on some platforms, recent Clang/LLVM compilers .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} using recent \fBFirefox\fR, \fBSafari\fR, \fBChrome\fR, and \fBInternet Explorer\fR browsers .RE .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP \fBDACS\fR 1\&.4\&.40 is the final version to officially support the Apache 2\&.2 series\&. Future releases of \fBDACS\fR will not be maintained, tested, or documented with Apache 2\&.2 series servers\&. .sp .5v .RE .PP FreeBSD 10\&.3 is the primary development platform\&. For this reason, references to Unix manual pages throughout the \fBDACS\fR documentation cite the FreeBSD documentation\&. This should not matter much if you are using a different platform, but keep this in mind\&. .PP Most \fBDACS\fR installations are on Linux or FreeBSD platforms\&. 
Support for macOS is comparatively recent\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} When building \fBDACS\fR for use with \fBApache\fR 2\&.2, you will probably need to specify the \fB\-\-with\-apache\-apr\fR flag, and perhaps other \fBApache\fR\-related flags, to \fBconfigure\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBApache\fR 1\&.3 and 2\&.0 are \fInot\fR supported (please refer to the \m[blue]\fBFAQ\fR\m[]\&\s-2\u[15]\d\s+2)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBDACS\fR has not been tested with \fBApache\fR 2\&.1\&. .RE .sp .5v .RE .SS "Other Platforms" .PP \fBDACS\fR \fIis not officially supported on platforms other than those described above\fR\&. Recent releases have built and worked correctly on other platforms, but because we do not have ready access to them, or due to lack of interest, we no longer test on them\&. .PP Up to and including version 1\&.4\&.25, \fBDACS\fR was tested and used on \m[blue]\fBSolaris 10\fR\m[]\&\s-2\u[16]\d\s+2 (\m[blue]\fBOpenSolaris\fR\m[]\&\s-2\u[17]\d\s+2 2008\&.11, SunOS 5\&.11, \m[blue]\fBx86\fR\m[]\&\s-2\u[18]\d\s+2)\&. Solaris is no longer supported\&. Early versions of \fBDACS\fR were used on Solaris 8 (SPARC) and Solaris 10 (SPARC) platforms\&. A wide variety of build, install, and run\-time problems were encountered with third\-party packages on the OpenSolaris and SPARC platforms\&. Depending on which third\-party software your \fBDACS\fR configuration requires, or if you are prepared to try older versions of third\-party software or devote extra effort, you may have some success running \fBDACS\fR on these platforms, but in general we cannot recommend using these platforms for \fBDACS\fR in production settings and they are no longer officially supported\&. 
Comments specific to Solaris remain in the \fBDACS\fR documentation but will likely be removed in a future release, as will configuration and build capabilities\&. .PP Earlier releases of \fBDACS\fR compiled and (mostly) installed cleanly on WinXP/\m[blue]\fBCygwin\fR\m[]\&\s-2\u[19]\d\s+2 1\&.7\&.5 and later with \fBGCC\fR 4\&.3, but starting with \fBDACS\fR 1\&.4\&.26, \m[blue]\fBCygwin\fR\m[]\&\s-2\u[19]\d\s+2 is no longer used for testing \fBDACS\fR\&. Comments specific to Cygwin that remain in the \fBDACS\fR documentation will likely be removed in a future release, as will configuration and build capabilities\&. Regarding Cygwin and earlier versions of \fBDACS\fR: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBmod_auth_dacs\fR does not build as a shared module .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} there were problems building \fBExpat\fR 2\&.0\&.0 from source (2\&.0\&.1 is ok) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} only limited testing has been performed on this platform .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} you can\*(Aqt execute src/config\&.nice; copy it to some other filename and execute that instead .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} when doing "make install", try the username and group "Administrators" or "Administrator" when prompted if you don\*(Aqt know what else to use (the install procedure should use those names as defaults) .RE .PP We expect that \fBDACS\fR will also run on other varieties of Unix and with other browsers\&. No testing is done with very old browsers, however\&. We would appreciate reports of problems encountered while building or running \fBDACS\fR on unofficial platforms so that we can address portability issues and support these platforms better\&. .SS "Warnings" .PP \fIPlease read this section carefully\fR!
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBSecurity\fR .ps -1 .br .PP .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} After obtaining a \fBDACS\fR release, please verify \fIall\fR checksums for the file you downloaded\&. Do not use a download if any checksum for it does not match\&. Checksums are posted at \m[blue]\fBhttps://dacs\&.dss\&.ca/download\&.html\fR\m[] immediately after a new release is distributed\&. .sp \fBOpenSSL\*(Aqs\fR \fBdgst\fR command can be used to compute checksums; for example, .sp .if n \{\ .RS 4 .\} .nf % openssl dgst \-md5 dacs\-1\&.4\&.32\&.tgz % openssl dgst \-sha1 dacs\-1\&.4\&.32\&.tgz .fi .if n \{\ .RE .\} .sp .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} Improper installation, configuration, or use of \fBDACS\fR may leave your system open to various kinds of attacks and exploits\&. .sp Many other systems and software components, including \fBApache\fR and \fBOpenSSL\fR, can also compromise system security if not properly installed, configured, and administered; they give similar admonishments\&. Please take appropriate care\&. .sp A \fBDACS\fR administrator ought to have some experience with \fBApache\fR configuration (including its authentication and access control directives, and building \fBhttpd\fR), and basic knowledge of security issues on the installation platform\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} The security of \fBDACS\fR depends on the security of the underlying operating system, third party software, build, installation, and configuration parameters, human factors, and more\&. In particular, ensure that file ownership and modes are appropriate for run\-time accessible \fBDACS\fR configuration and data files (dacs\&.conf, site\&.conf, encryption keys, access control rules, group files, etc\&.)\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} Users of your \fBDACS\fR\-wrapped services are responsible for maintaining the secrecy of information used to sign on (such as passwords) and authentication and authorization information sent to them by \fBDACS\fR (such as HTTP cookies)\&. Spyware, and browser modifications or improper settings, may compromise security \- \fBDACS\fR cannot prevent improper use or intentional misuse\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 5.\h'+01'\c .\} .el \{\ .sp -1 .IP " 5." 4.2 .\} After access is granted to a resource, \fBDACS\fR does nothing to stop a user from redistributing whatever is returned by the web server\&. Therefore, strictly speaking, \fBDACS\fR is neither a copyright enforcement system nor is it a \m[blue]\fBDigital Rights Management (DRM) system\fR\m[]\&\s-2\u[20]\d\s+2, although it may be possible to apply \fBDACS\fR in those domains\&. \fBDACS\fR does have the ability to force a user to view and acknowledge a copyright notice or license, however\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 6.\h'+01'\c .\} .el \{\ .sp -1 .IP " 6." 4.2 .\} Making routine backup copies of your current \fBDACS\fR configuration and data files is \fIstrongly encouraged\fR\&. A procedure should be established for periodically creating copies of your \fBDACS\fR installation and keeping them in a secure, off\-site location\&. This is especially important for encryption keys and account files, which cannot be recreated if lost\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 7.\h'+01'\c .\} .el \{\ .sp -1 .IP " 7." 4.2 .\} Please review Section 15 ("Security Considerations") of \m[blue]\fBRFC 2616\fR\m[]\&\s-2\u[21]\d\s+2\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 8.\h'+01'\c .\} .el \{\ .sp -1 .IP " 8." 4.2 .\} Be sure to check for new releases of \fBDACS\fR regularly\&. New releases may address important bugs and security issues, so keeping your installation current is important\&. 
You can \m[blue]\fBsubscribe to email notifications\fR\m[]\&\s-2\u[22]\d\s+2\&. .sp You should likewise stay alert to new releases of third\-party packages that your install of \fBDACS\fR uses\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 9.\h'+01'\c .\} .el \{\ .sp -1 .IP " 9." 4.2 .\} Note that, because of the enormous number of combinations of platforms, versions, third\-party packages, build options, run\-time options, and so on, not every possible \fBDACS\fR deployment that can be created and enabled is actually built or tested\&. This is presumably true for nearly every large software package but it\*(Aqs worth emphasizing\&. Therefore, make sure you test carefully before putting your \fBDACS\fR deployment into production and after making changes to it\&. .RE .sp .RS 4 .ie n \{\ \h'-04'10.\h'+01'\c .\} .el \{\ .sp -1 .IP "10." 4.2 .\} Reiterating, test carefully after making changes to your \fBDACS\fR configuration\&. In particular, make sure that new access control rules and user authentication work as you expect\&. .RE .sp .RS 4 .ie n \{\ \h'-04'11.\h'+01'\c .\} .el \{\ .sp -1 .IP "11." 4.2 .\} \fIFor \fR\fI\fBDACS\fR\fR\fI to be a secure system, all communication between \fR\fI\fBDACS\fR\fR\fI and its users, components, and middleware must take place over a secure connection (typically using SSL/TLS and the \fR\fI\m[blue]\fBHTTPS\fR\m[]\&\s-2\u[23]\d\s+2\fR\fI method) to safeguard account names, passwords, \fR\fI\fBDACS\fR\fR\fI credentials, and so on\fR\&. \fBDACS\fR does not \fIrequire\fR secure network connections, however, and can function without them in situations where a lower standard of security is acceptable\&. See \m[blue]\fBSECURE_MODE\fR\m[]\&\s-2\u[24]\d\s+2\&. .sp Note that if a client connects from an insecure subnet, various \m[blue]\fBman\-in\-the\-middle attacks\fR\m[]\&\s-2\u[25]\d\s+2 are possible, even when it appears that SSL/TLS is being used (for example, see \m[blue]\fBsslstrip\fR\m[]\&\s-2\u[26]\d\s+2)\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'12.\h'+01'\c .\} .el \{\ .sp -1 .IP "12." 4.2 .\} In the event of an emergency situation that might be related to \fBDACS\fR, you may, of course, stop all \fBApache\fR processes\&. It is sufficient to make dacs\&.conf inaccessible to \fBApache\fR, however, whether by renaming the file, changing its ownership, or changing its permissions\&. (Or, you may make the \fBDACS\fR web services unavailable using the same methods\&.) All \fBDACS\fR web services must be able to read dacs\&.conf, so this will effectively turn \fBDACS\fR off\&. More selective ways of limiting access are available, such as through the revocation list\&. .RE .sp .RS 4 .ie n \{\ \h'-04'13.\h'+01'\c .\} .el \{\ .sp -1 .IP "13." 4.2 .\} \fBDACS\fR depends mainly on \m[blue]\fBOpenSSL\fR\m[]\&\s-2\u[27]\d\s+2, a third\-party package that you need to obtain separately, for cryptographic functionality\&. Some library functions provided by your operating system (such as \m[blue]\fBcrypt(3)\fR\m[]\&\s-2\u[28]\d\s+2) are also used\&. .RE .sp .RS 4 .ie n \{\ \h'-04'14.\h'+01'\c .\} .el \{\ .sp -1 .IP "14." 4.2 .\} It is strongly recommended that the Network Time Protocol (NTP, \m[blue]\fBRFC 1305\fR\m[]\&\s-2\u[29]\d\s+2) or equivalent be used on any host that runs \fBDACS\fR commands or web services\&. A sudden, large change to a system\*(Aqs clock while \fBDACS\fR is operational may have undesirable effects and should be avoided\&. In particular, setting the system\*(Aqs clock backward must be avoided as it may make the system more vulnerable to attack, such as by effectively extending the lifetime of sensitive data or the validity period of certain operations\&. .RE .sp .RS 4 .ie n \{\ \h'-04'15.\h'+01'\c .\} .el \{\ .sp -1 .IP "15." 4.2 .\} System administrators should take appropriate steps to ensure that Domain Name System (DNS, \m[blue]\fBRFC 1035\fR\m[]\&\s-2\u[30]\d\s+2) lookups are secure\&. .RE .sp .RS 4 .ie n \{\ \h'-04'16.\h'+01'\c .\} .el \{\ .sp -1 .IP "16." 
4.2 .\} If you are deploying \fBDACS\fR as part of a publicly accessible web site, consider including a notification on your site that it may issue cookies\&. This is commonly mentioned in a site\*(Aqs "Privacy" or "Security" page\&. \fBDACS\fR may not function as expected if a user\*(Aqs browser has disabled cookies or will not accept them; in particular, the single sign\-on feature generally requires that users\*(Aq browsers accept cookies\&. .RE .sp .RS 4 .ie n \{\ \h'-04'17.\h'+01'\c .\} .el \{\ .sp -1 .IP "17." 4.2 .\} The \fBDACS\fR distribution may include code, features, or functionality that is not described in the distribution\*(Aqs documentation, or is described as untested, partially implemented, or deprecated, or is accompanied by a warning\&. Such code, features, or functionality is subject to change or removal without notice and should not be used\&. .RE .sp .RS 4 .ie n \{\ \h'-04'18.\h'+01'\c .\} .el \{\ .sp -1 .IP "18." 4.2 .\} Weaknesses that render cryptographic algorithms unsuitable in certain contexts are inevitably discovered and publicly announced\&. \fBDACS\fR administrators should revise the configuration of cryptographic digests and ciphers appropriately over time to maintain the security of their system\&. .RE .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP \fBDACS\fR MAY INCLUDE ITS OWN CRYPTOGRAPHIC FUNCTIONS and may therefore fall under certain import, export, and/or use restrictions in other parts of the world, even though \fBDACS\fR is developed, maintained, and officially distributed from Canada\&. .PP Export and/or import and/or use of strong cryptography software, providing cryptography hooks, or merely communicating technical details about cryptographic software is illegal in some parts of the world\&. 
YOU ARE STRONGLY ADVISED to pay close attention to any laws that may apply when you import, export, or use \fBDACS\fR, or even communicate about it\&. We are not liable for any violations you make \- it is your responsibility\&. For additional information, see the \m[blue]\fBCrypto Law Survey\fR\m[]\&\s-2\u[31]\d\s+2\&. .sp .5v .RE .SS "Release Information" .PP Information about \fBDACS\fR releases, including the latest release, is provided in the \m[blue]\fBVersion Guide\fR\m[]\&\s-2\u[32]\d\s+2 and on the \m[blue]\fBDownload and Release Information\fR\m[] page\&. .PP To programmatically determine the latest version of \fBDACS\fR and obtain a direct link for downloading, you may invoke \m[blue]\fBhttps://dacs\&.dss\&.ca/cgi\-bin/dacs/latest_dacs\fR\m[], which returns a simple text document comprised of name/value pairs\&. .SS "Roadmap" .PP Stability, backward compatibility, portability across supported platforms, and keeping up to date with respect to third\-party support packages are now the primary goals of \fBDACS\fR 1\&.4 releases\&. A top priority is to fix all known bugs between releases and improve the documentation\&. .PP Please consult the \fBDACS\fR \m[blue]\fBweb site\fR\m[] for information on upcoming releases\&. .SS "Upgrading" .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBSecurity\fR .ps -1 .br .PP Because \fBDACS\fR is security software, we strongly recommend that you upgrade to the newest release as soon as you are able\&. .sp .5v .RE .PP Upgrading is neither a difficult nor a time consuming procedure most times\&. Sometimes an incompatible change in \fBDACS\fR will require you to change a \fBDACS\fR configuration file, but this should not be difficult to do and we will try to advise you of such changes\&. .PP The \fBDACS\fR 1\&.4 releases contain a great many changes and improvements, some incompatible with earlier releases of \fBDACS\fR\&. 
If you are upgrading from \fBDACS\fR 1\&.3\&.2 or another older release, you will need to become familiar with these changes\&. You must manually convert your old \fBDACS\fR configuration files to the new format, for example\&. You should not find upgrading to be a difficult or time consuming task\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP Making backup copies of your \fBDACS\fR installation immediately prior to upgrading is strongly recommended\&. .sp .5v .RE .PP Some features available in earlier versions of \fBDACS\fR are not available in this release, but will be provided as soon as possible\&. .PP Note that \fBDACS\fR 1\&.4 may not interoperate with prior releases\&. .PP We aim to avoid making any backward incompatible changes within the \fBDACS\fR 1\&.4\&.x releases\&. .SS "Add\-on Features" .PP Some features of \fBDACS\fR may be implemented by third parties or as custom extensions\&. They may be included with the open source \fBDACS\fR distribution (and therefore fall under the open source \m[blue]\fBLICENSE\fR\m[]\&\s-2\u[3]\d\s+2), or are provided separately\&. The \m[blue]\fBdacsversion\fR\m[]\&\s-2\u[33]\d\s+2 command and \m[blue]\fBdacs_version\fR\m[]\&\s-2\u[34]\d\s+2 web service indicate whether add\-ons are enabled (present) in a particular installation of \fBDACS\fR; look for +addons or addons="enabled" from the former, and ENABLE_ADDONS=1 from the latter\&. .PP While add\-ons may provide new capabilities, they should not alter the syntax or semantics of capabilities shared with the base \fBDACS\fR distribution\&. .SS "Administration" .PP Once installed and configured, \fBDACS\fR requires very little administration\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBTip\fR .ps -1 .br .PP At higher logging levels, \fBDACS\fR log files can become large quite quickly\&. 
You should therefore arrange for them to be rotated regularly (e\&.g\&., using \m[blue]\fBnewsyslog(8)\fR\m[]\&\s-2\u[35]\d\s+2)\&. A built\-in log rotation feature is being considered for \fBDACS\fR\&. .sp .5v .RE .PP If you\*(Aqre creating \fBDACS\fR log files that have names based on their date of creation, to expire/rotate/compress them you might periodically run the \m[blue]\fBfind(1)\fR\m[]\&\s-2\u[36]\d\s+2 command to identify old logs\&. For example, the command .sp .if n \{\ .RS 4 .\} .nf % find /usr/local/dacs/logs \-type f \-a \-mtime 2 \-a \-exec gzip {} \e; .fi .if n \{\ .RE .\} .sp will compress any files in the log directory that haven\*(Aqt been modified for at least 24 hours\&. .PP There are also \fBApache\fR modules available to do the rotation: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fBhttp://httpd\&.apache\&.org/modules\fR\m[] .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fBhttp://modules\&.apache\&.org\fR\m[] .RE .sp .SS "Related Software" .PP A variety of other software and resources for \fBDACS\fR can be found in the \m[blue]\fBdacs\-contrib\fR\m[]\&\s-2\u[37]\d\s+2 project at \m[blue]\fBSourceForge\fR\m[]\&\s-2\u[10]\d\s+2\&. .sp .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBThe DACS Java Library (DJL)\fR .RS 4 .PP The \fBDJL\fR is being developed to support the use of \fBDACS\fR in Java client applications\&. It implements Java wrapper classes for selected \fBDACS\fR services, and provides an HTTP client through which \fBDACS\fR services may be accessed and \fBDACS\fR credentials obtained and managed\&. .RE .sp .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBThe FedAdmin Web Application\fR .RS 4 .PP \fBFedAdmin\fR is an administrator console for managing the configuration of \fBDACS\fR federations and jurisdictions\&. 
It is deployed in a servlet container such as Tomcat, but must be accessed via an Apache+\fBDACS\fR proxy and deployed under a dedicated FEDADMIN \fBDACS\fR application jurisdiction\&. .PP \fBFedAdmin\fR implements partial coverage of the most common \fBDACS\fR configuration tasks, including viewing federation and jurisdiction configuration directives, adding and deleting local \fBDACS\fR users, and creating, editing, and deleting ACL rules\&. .RE .SS "Support" .PP An array of technical support is available from \m[blue]\fBDSS\fR\m[]\&\s-2\u[38]\d\s+2\&. Please see the \m[blue]\fBsupport page\fR\m[]\&\s-2\u[39]\d\s+2 for details\&. \fBDACS\fR development, maintenance, and free support are made possible in part by customers that purchase technical support packages or contract for customizations (most of which then become available to all free of charge)\&. .SS "Known Problems" .PP There are a few defects in the \fBDACS\fR 1\&.4 releases that administrators should be aware of\&. These are not likely to be addressed in the near future\&. .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} If the HTTP data stream is compressed or encrypted (other than via SSL/TLS), \fBDACS\fR will not be able to access POST arguments and you should use the \fBmod_auth_dacs\fR module directive "SetDACSAuthPostBuffer 0"\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} In general, \fBDACS\fR does not support IPv6 addresses\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} The group management service and group distribution utilities have not been tested with this release of \fBDACS\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} The man pages are generated from DocBook XML\&. The docbook\-xsl used to create [nt]roff source is incomplete and/or buggy\&. As a result, the quality of the formatting is sometimes poor\&.
You will find the HTML version of the documentation more readable\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 5.\h'+01'\c .\} .el \{\ .sp -1 .IP " 5." 4.2 .\} Support for internationalization is poor\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 6.\h'+01'\c .\} .el \{\ .sp -1 .IP " 6." 4.2 .\} Some configuration directives have global scope (i\&.e\&., they apply in several contexts) when it might be preferable to have context\-specific versions of them\&. For example, the algorithm specified by \m[blue]\fBPASSWORD_DIGEST\fR\m[]\&\s-2\u[40]\d\s+2 is used for more than one purpose within \fBDACS\fR\&. On the other hand, this reduces the number of directives, and therefore helps to contain the complexity of \fBDACS\fR\&. .RE .SS "Bugs, Suggestions, and Feedback" .PP Please see the \m[blue]\fBsupport page\fR\m[]\&\s-2\u[39]\d\s+2 for details\&. .PP Some elements of \fBDACS\fR are less well\-travelled than others and users may therefore experience problems with them\&. Please \m[blue]\fBlet us know\fR\m[]\&\s-2\u[41]\d\s+2 if you encounter bugs\&. .SH "SEE ALSO" .PP \m[blue]\fBdacs(1)\fR\m[]\&\s-2\u[2]\d\s+2, \m[blue]\fBdacs\&.install(7)\fR\m[]\&\s-2\u[4]\d\s+2, \m[blue]\fBdacs\&.quick(7)\fR\m[]\&\s-2\u[5]\d\s+2 .SH "AUTHOR" .PP Distributed Systems Software (\m[blue]\fBwww\&.dss\&.ca\fR\m[]\&\s-2\u[38]\d\s+2) .SH "COPYING" .PP Copyright \(co 2003\-2018 Distributed Systems Software\&. See the \m[blue]\fBLICENSE\fR\m[]\&\s-2\u[3]\d\s+2 file that accompanies the distribution for licensing information\&. .SH "NOTES" .IP " 1." 4 README .RS 4 \%http://dacs.dss.ca/man/../misc/README .RE .IP " 2." 4 dacs(1) .RS 4 \%http://dacs.dss.ca/man/dacs.1.html .RE .IP " 3." 4 LICENSE .RS 4 \%http://dacs.dss.ca/man/../misc/LICENSE .RE .IP " 4." 4 dacs.install(7) .RS 4 \%http://dacs.dss.ca/man/dacs.install.7.html .RE .IP " 5." 4 dacs.quick(7) .RS 4 \%http://dacs.dss.ca/man/dacs.quick.7.html .RE .IP " 6." 4 Apache .RS 4 \%http://httpd.apache.org .RE .IP " 7." 
4 dacscheck(1) .RS 4 \%http://dacs.dss.ca/man/dacscheck.1.html .RE .IP " 8." 4 dacshttp(1) .RS 4 \%http://dacs.dss.ca/man/dacshttp.1.html .RE .IP " 9." 4 sslclient(1) .RS 4 \%http://dacs.dss.ca/man/sslclient.1.html .RE .IP "10." 4 SourceForge .RS 4 \%http://www.sourceforge.net .RE .IP "11." 4 FreeBSD .RS 4 \%https://www.freebsd.org .RE .IP "12." 4 CentOS .RS 4 \%http://www.centos.org .RE .IP "13." 4 Red Hat Enterprise Linux .RS 4 \%http://www.redhat.com/rhel .RE .IP "14." 4 macOS Sierra .RS 4 \%http://www.apple.com/macosx .RE .IP "15." 4 FAQ .RS 4 \%https://dacs.dss.ca/faq.html .RE .IP "16." 4 Solaris 10 .RS 4 \%http://www.sun.com/software/solaris/10/index.jsp .RE .IP "17." 4 OpenSolaris .RS 4 \%http://www.opensolaris.com .RE .IP "18." 4 x86 .RS 4 \%http://www.solaris-x86.org/ .RE .IP "19." 4 Cygwin .RS 4 \%http://cygwin.com/ .RE .IP "20." 4 Digital Rights Management (DRM) system .RS 4 \%http://en.wikipedia.org/wiki/Digital_rights_management .RE .IP "21." 4 RFC 2616 .RS 4 \%http://www.rfc-editor.org/rfc/rfc2616.txt .RE .IP "22." 4 subscribe to email notifications .RS 4 \%http://freshmeat.net/projects/dacs/ .RE .IP "23." 4 HTTPS .RS 4 \%http://www.rfc-editor.org/rfc/rfc2818.txt .RE .IP "24." 4 SECURE_MODE .RS 4 \%http://dacs.dss.ca/man/dacs.conf.5.html#SECURE_MODE .RE .IP "25." 4 man-in-the-middle attacks .RS 4 \%http://en.wikipedia.org/wiki/Man-in-the-middle_attack .RE .IP "26." 4 sslstrip .RS 4 \%http://www.thoughtcrime.org/software/sslstrip .RE .IP "27." 4 OpenSSL .RS 4 \%http://www.openssl.org .RE .IP "28." 4 crypt(3) .RS 4 \%https://www.freebsd.org/cgi/man.cgi?query=crypt&apropos=0&sektion=3&manpath=FreeBSD+10.3-RELEASE&format=html .RE .IP "29." 4 RFC 1305 .RS 4 \%http://www.rfc-editor.org/rfc/rfc1305.txt .RE .IP "30." 4 RFC 1035 .RS 4 \%http://www.rfc-editor.org/rfc/rfc1035.txt .RE .IP "31." 4 Crypto Law Survey .RS 4 \% http://www.cryptolaw.org .RE .IP "32." 4 Version Guide .RS 4 \%https://dacs.dss.ca/versions.html .RE .IP "33." 
4 dacsversion .RS 4 \%http://dacs.dss.ca/man/dacsversion.1.html .RE .IP "34." 4 dacs_version .RS 4 \%http://dacs.dss.ca/man/dacs_version.8.html .RE .IP "35." 4 newsyslog(8) .RS 4 \%https://www.freebsd.org/cgi/man.cgi?query=newsyslog&apropos=0&sektion=8&manpath=FreeBSD+10.3-RELEASE&format=html .RE .IP "36." 4 find(1) .RS 4 \%https://www.freebsd.org/cgi/man.cgi?query=find&apropos=0&sektion=1&manpath=FreeBSD+10.3-RELEASE&format=html .RE .IP "37." 4 dacs-contrib .RS 4 \%http://sourceforge.net/projects/dacs-contrib .RE .IP "38." 4 DSS .RS 4 \%http://www.dss.ca .RE .IP "39." 4 support page .RS 4 \%https://dacs.dss.ca/support.html .RE .IP "40." 4 PASSWORD_DIGEST .RS 4 \%http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_DIGEST .RE .IP "41." 4 let us know .RS 4 \%http://www.dss.ca/contactus.html .RE
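The checksum check from item 1 of the Warnings section, as an added example that is not part of the DACS distribution: a POSIX shell function that takes a downloaded file plus every published digest and rejects the file unless all of them match. The function names (digest_of, verify_release, demo) are hypothetical, and the digests in the demo belong to the constructed three-byte input "abc", not to any DACS release.

```shell
#!/bin/sh
# Added example (not DACS code): verify ALL published checksums for a download
# and refuse the file if any single one fails to match.

# digest_of ALG FILE -> prints the lowercase hex digest of FILE.
# ALG is a digest name accepted by "openssl dgst" (md5, sha1, sha256, ...).
digest_of() {
    d_alg=$1
    d_file=$2
    if command -v openssl >/dev/null 2>&1; then
        # Output looks like "SHA1(stdin)= <hex>" or "(stdin)= <hex>";
        # the digest is always the last field.
        openssl dgst "-$d_alg" < "$d_file" | awk '{ print tolower($NF) }'
    else
        # Assumption: on hosts without openssl, coreutils md5sum/sha1sum/...
        # are available instead.
        "${d_alg}sum" < "$d_file" | awk '{ print tolower($1) }'
    fi
}

# verify_release FILE ALG:HEX [ALG:HEX ...]
# Returns 0 only if FILE exists, at least one checksum was supplied, and
# every supplied checksum matches. Any mismatch or unknown digest name fails.
verify_release() {
    v_file=$1
    shift
    [ -f "$v_file" ] || { echo "missing file: $v_file" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "no checksums supplied" >&2; return 2; }

    v_status=0
    for v_pair in "$@"; do
        v_alg=${v_pair%%:*}
        # Published values are sometimes upper case; compare in lower case.
        v_want=$(printf '%s' "${v_pair#*:}" | tr 'A-F' 'a-f')
        case $v_alg in
            md5|sha1|sha224|sha256|sha384|sha512) ;;
            *)
                echo "unsupported digest: $v_alg" >&2
                v_status=1
                continue
                ;;
        esac
        v_got=$(digest_of "$v_alg" "$v_file")
        if [ -n "$v_got" ] && [ "$v_got" = "$v_want" ]; then
            echo "ok       $v_alg"
        else
            echo "MISMATCH $v_alg: expected $v_want, computed $v_got" >&2
            v_status=1
        fi
    done
    return $v_status
}

# Demonstration on constructed input (the string "abc"), once with correct
# values and once with a wrong SHA-1 value that must cause rejection.
demo() {
    demo_tmp=$(mktemp) || return 1
    printf 'abc' > "$demo_tmp"

    if verify_release "$demo_tmp" \
        md5:900150983cd24fb0d6963f7d28e17f72 \
        sha1:a9993e364706816aba3e25717850c26c9cd0d89d
    then all_match=yes; else all_match=no; fi

    if verify_release "$demo_tmp" \
        md5:900150983cd24fb0d6963f7d28e17f72 \
        sha1:0000000000000000000000000000000000000000 2>/dev/null
    then one_wrong=accepted; else one_wrong=rejected; fi

    rm -f "$demo_tmp"
    echo "all checksums correct: $all_match; one checksum wrong: $one_wrong"
    [ "$all_match" = yes ] && [ "$one_wrong" = rejected ]
}

demo
```

For a real download, pass the release file and each value copied from the download page, for example verify_release dacs-X.Y.Z.tgz md5:... sha1:..., and proceed only when the exit status is 0.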