DACS is designed, implemented, and owned by
DSS, a small, privately-held software
development house that creates leading-edge, professional quality
open source software.
Our goal is to produce software that is powerful yet as simple as possible.
Development of DACS began in May, 2001,
funded in part by GeoConnections.
A key component
of Canada's National Forest Information System
(NFIS) for many years,
DACS is currently deployed on over 20 servers
across more than a dozen jurisdictions spanning the country to provide
authentication and role provisioning capabilities for the
Canadian Forest Service Network (CFSNet).
Canadian federal and provincial government departments, programs, and
initiatives use DACS to secure their
Additionally, DACS is actively used:
- internally by one of the world's largest manufacturers of computer
- as a major security component in large web-based projects in Germany and
- in a project working with
to supply authentication and single sign-on capabilities
Several GNU/Linux-based distributions, such as
include DACS as a package.
Although DSS helps to facilitate those packages,
we do not prepare, maintain, or test them for those specific platforms.
The Debian project uses DACS for its
system for web services.
Although it is a general-purpose system, DACS
has been deployed in support of web-based applications in the
geospatial domain and has been the subject of three
Open Geospatial Consortium
References from DACS installations
are available upon request.
In collaboration with
Metalogic Software Corp.,
which has contributed to the testing, demonstration, and design
of DACS, DSS provides technical support for
If you are unfamiliar with DACS,
the information in our
is a good place to start.
for the current release is also available.
DACS provides web site administrators and
software developers with a coherent and simple external framework
for describing and enforcing access control based on user identity,
resource attributes, and context.
In the same way that developers use existing software libraries
(such as math, cryptographic, graphics, and LDAP support functions),
databases, and other reusable components instead of implementing them
from scratch, DACS
lets programmers delegate the hard parts of authentication,
authorization checking, and single sign-on to a system specifically designed
for that purpose.
And it lets them, and web site administrators, reap the benefits without
a large investment in software and training.
DACS gives you:
- Low total cost of ownership
Like other open source licensed software, you can usually use
DACS free of charge.
Bug reports are welcome.
Fast, affordable professional technical support is available.
- A feature rich, versatile, and configurable system
- A secure and modular implementation
DACS deployments have been subjected to
independent security analyses.
While programmers have long accepted the benefits of adopting third-party
solutions that involve considerable domain-specific knowledge and which
are challenging to develop, they continue to reimplement their own
access control and authentication solutions. Why?
The disadvantages are obvious.
Application-specific user accounts and passwords proliferate.
Each application adopts its own conventions, languages, and syntaxes.
If integration with an external authentication framework is required,
each application implements its own interfaces to it.
Following this approach increases software development and maintenance costs,
and results in complicated and fragile software that is more expensive
to administer and unpleasant for its users.
Single sign-on systems (and identity management systems) have been
the next Big Thing for years, with trade magazines regularly trotting out cover
stories on them.
Still, these systems are catching on very slowly for web-based applications.
With all of the advantages that they promise, why should this be?
We think there are several major issues:
- Fear of Complexity
Frequently, potential users of these technologies don't quite understand what
single sign-on, authentication, and access control are, how they work,
and how they interoperate.
Or, they think they do until it is time to face some of the subtleties
of deploying these technologies in their computing environment.
And there is a sense that making the wrong decision would be much worse than
falling back on simpler, well-understood methods.
It is difficult to trust something that you do not understand or
are uncomfortable with, particularly in the realm of computer system security.
Many of the articles on these subjects are framed in terms of the Big Picture,
where everyone has a single digital identity that is universally recognized
and single sign-on greases the gears of web-based commerce so that a consumer
can conveniently buy a DVD from one vendor, purchase concert tickets
from another, access his corporate intranet, and file his income tax
return, without having to sign on at each web site.
We hear talk of "consumer identity software" that
"ties together services and software, consumers and businesses".
This is bound to scare away organizations, businesses, institutions,
federations, and schools that are only concerned with finding the simplest
solution to their "small" problem, which typically involves
securely and conveniently controlling access to web-based resources located
on one or more of their servers.
Are the solutions that you need the same as those developed to
address the problems of large corporations and e-commerce?
Some organizations do indeed have complicated authentication and
authorization requirements and have a legitimate fear of making changes
that could cause grief to users,
make extra work for system administrators,
or introduce security problems.
One of the consequences of this, however, is that over time they tend to
accumulate jungles of authentication and security dependencies that they
dare not touch.
That is, until there is a major security breach or things suddenly stop
Solutions aimed at the "enterprise level" are invariably difficult to
understand and learn, and complicated to use.
This increases the fear factor of potential adoptees
and decreases their ability to customize and build on the solutions.
With DACS, we focus on providing solutions
that are as simple as possible (but no simpler).
- Lack of Suitable Solutions
Throughout the DACS documentation we
emphasize that DACS is
What we mean is that we do not presume to know very much about your
particular authentication and access control requirements.
Every organization is different in these respects and rigid, inflexible
software will necessarily force you to do things its way.
Consequently, one of the tenets behind DACS
is that it must provide a wide range of solutions and be easy to extend and
Whenever possible, its modular design and implementation gives
administrators with alternatives and, especially, ways of leveraging
existing software and user accounts to reduce administrative effort
so that it can do things your way instead of vice versa.
architecture is appropriate for your computing environment,
you should be confident that it can meet your single sign-on or access
DACS is increasingly programmable and extensible.
While it can solve many kinds of authentication and authorization checking
DACS can also be viewed as a toolbox from which
a wide spectrum of solutions can be assembled, even ones unforeseen by
When considering adopting a significant software component,
of course there's the expense of the software itself to consider,
including on-going licensing and maintenance costs,
but also the hidden costs (in time and salary) of installing,
learning, configuring, upgrading, and continually administering the software.
One of the promises of single sign-on is to save money, and it sometimes
can, but when considering alternatives remember:
large solutions usually cost large dollars.
DACS, which is free to most users,
provides the cost savings of single sign-on while keeping administrative
DACS may lack some of the bells and whistles
of similar software, but how much are you willing to pay for them?
Should DACS not provide all of the
features and capabilities that you require,
you can build customizations in-house or contact us for information,
advice, or development services to extend
DACS to meet your needs.
It is far from clear in the long run whether a particular technology
or vendor's implementation will win out in this arena,
or even whether any of the current crop of approaches will catch on.
This makes any significant investment in these systems risky.
Because in many cases it costs nothing to use,
and excellent, low-cost technical support is available should you need it,
DACS gives you a low-risk way to become familiar
with the basic technologies while developing a better understanding of
your organization's needs.
Because most of the technologies used by "enterprise level" solutions
were developed by big industry players or consortia, some observers have
questions about intellectual property issues
2] that surround these solutions and how they
will affect this sector of the software industry.
Here are a few characteristics of DACS
that we think you should carefully consider when comparing it against
DACS costs nothing to use, unless you are
distributing a closed-source product.
Bug fixes and new releases are also free of charge when provided on a
You can evaluate DACS at your convenience and
anonymously - no registration is required.
- Open Source
DACS is distributed as source code.
By now everyone knows the many important advantages of this.
DACS has no proprietary or binary components.
It is possible to see how everything works, apply your own customizations
and bug fixes, recompile the entire code base, port to new platforms,
and so on.
Unlike proprietary and managed solutions,
you can satisfy yourself that there is no backdoor that might grant
unintended access to your resources.
DACS uses industry standard
security practices that are well described in its documentation and code,
and which are easily configurable or customizable in many important aspects.
DACS can be run entirely on your platforms;
it does not use any of our web services or depend on any cloud-based support.
DACS is typically not much more complicated
to build and configure than Apache.
DACS web services are easily invoked from
any web browser or by programs, and they return
text, HTML, or simple XML or JSON documents (making it straightforward
to build your own web services on top of DACS).
We believe that DACS is smaller and easier to
understand than similar software - the importance of this should not be
Strength does not necessarily come from complexity,
and the odds are good that a more complex system will have more bugs and
quite possibly more design weaknesses.
- Flexibility and Modularity
Instead of dictating policy, DACS
gives you configurable mechanisms that provide you with ways to mold
DACS to meet your needs rather than forcing you
to do things its way, like other solutions do.
And because you have the source code, you are free to add any features
or customizations that you require at will.
You can run DACS on any supported platform
and single sign-on works across any group of supported platforms.
- Rich Feature Set
DACS has a large and growing selection
of authentication methods, powerful access control rules, and many of
the same features provided by other access control and single sign-on
DACS authentication modules and
authorization checking functionality are available from the command line
for use by virtually any program or script.
web interfaces provide easy access to
DACS administrative functions
and simplifies testing.
DACS uses light-weight protocols and
a collection of efficient CGI programs.
- Quality Documentation
We work hard to ensure that the documentation that
accompanies DACS is both well-written and
It is updated and improved frequently.
Rather than being an implementation of a design produced by committee,
DACS began as a system to address
specific real-world security problems faced by web site administrators
It continues to evolve with that clarity of purpose in mind.
DACS does not aim to be
an all-in-one, "universal identity system".
- Logging and Auditing Capabilities
DACS can be configured to emit
detailed logging information and audits of incoming requests,
information that is critical to detecting and preventing attacks
and for understanding what the system is doing.
- Technical Support
DACS is our main product and has our
Various levels of professional quality
technical support are available at very
Why Not DACS?
Perhaps we can save you some time by touching on why you might look elsewhere
for single sign-on, authentication, or authorization technologies.
Here are some things that might be important to you:
- Standardization Requirements
Although DACS follows standards and
de facto standards, and uses best industry practices whenever possible,
it does not implement a standardized authentication and authorization
In a great many cases, however, we feel this is irrelevant.
Standards are a key to interoperability between different software components,
built by different vendors, but they are not an end unto themselves.
There is no guarantee that different implementations of the same standard will
interoperate in practice, because of different interpretations of the
standard, for instance.
Also, as has been demonstrated many times,
being adopted as a standard does not in itself imply a component is
correct or secure.
When there is a choice, we will almost always select simpler and proven
components over more complicated or newer ones.
But some folks require total standardization no matter what the trade-off.
(DACS does include some mechanisms
that make it possible for it to interoperate with other systems.)
- Architectural Limitations, Design Choices
Although DACS is a general-purpose,
if your requirements are substantially different from
those upon which
DACS is based,
it is possible that DACS may not
be able to solve your problem or function in your environment.
- Insufficient Level of Security
When properly used and configured,
DACS is designed to deliver security on par
with systems that provide secure commercial and financial services
to the public.
If you require a highly-secure system (one with military-grade security),
DACS is not for you.
DACS is not a
access control system.
The DACS technical documentation tries to
clearly identify security issues that you should be aware of.
- Your Background
We assume throughout the documentation that you are already familiar with
the concepts of authentication and authorization,
you have a good understanding of how web servers work,
you are capable of performing routine system administration tasks on
a Unix-type system,
and you are comfortable building, configuring, and running an Apache web server.
Although we do point you at other resources, we do not explain this stuff here.
Also, you ought to have a solid understanding of how single sign-on works if
you are considering using DACS for it;
you should have no trouble understanding the
What is DACS? document.
If you have any doubts, you should probably avoid
DACS - and we would also advise you to stay away
from similar software, lest you accidentally open up your systems to
- Missing Features or Capabilities
It is conceivable that DACS does
not have a feature that you need or does not work on your platform,
although we seriously consider all suggestions for improvements.
DACS does not supply complete
identity management, and it is not intended to.
For instance, it cannot create Unix or Windows accounts or administer their
For web services, DACS can only be integrated
with the Apache web server.
DACS has not been ported to Windows.
If you are unable to run Apache or add the DACS
module to your Apache server, and if adding an Apache server to proxy
incoming requests is not possible,
the command line interfaces to DACS may be
a valid alternative for some.
Some features of DACS are incompletely
implemented, not fully tested, or not yet integrated into the code base.
But if you ask us, you may be surprised by how quickly a feature
can be added; sometimes a feature or function is unavailable simply because
no one has asked for it yet.
Or perhaps it is not readily apparent that DACS
can already do what you require.
- The Big Corporation
DACS is designed, implemented, and
supported by a small team that can quickly answer questions,
respond to requests, and fix bugs.
Its chief architect has a Ph.D. in Computer Science and almost 30 years of
experience with systems programming and distributed systems.
We can probably resolve your problem before you would even be able to cut
through the red tape at Big Corporation or find the right person to talk to
And we suspect that you'll find technical support for
DACS, should you require it, to be much cheaper
than what Big Corporation charges.
We work on DACS in no small part because
we truly enjoy it.
And as we have benefited from open source software, we want to continue
making our own contributions.
Still, some people insist on dealing with large vendors only.
One more thing to keep in mind...
even Really Big Corporations go out of business or terminate product lines.
Where will that leave you if you do not have source code?
© Copyright 2003-2017 DSS Distributed Systems Software, Inc.
All rights reserved.