DACS Docs - Technical Documentation

Version 1.4.31

Release date 15-Sep-2014 11:50:39

Contents

Section 1: Tools and Utilities
Section 3: Functions and Libraries
Section 5: Formats and Conventions
Section 7: Miscellaneous
Section 8: Web Services and CGI
HTTP Server: Apache
Articles: Using InfoCards With DACS
Project: HOME // README // ACKNOWLEDGEMENTS // HISTORY // INSTALL // LICENSE // NOTICES // DTDs
Indexes: Configuration Directives // Functions // Authentication Modules // Concepts // Annotations // Variables // Third-Party Packages

Section 1: Tools and Utilities

dacs

- a distributed access control system

dacsacl

- list, check, or re-index access control rules

dacsauth

- authentication check

dacscheck

- authorization check

dacsconf

- display configuration directives

dacscookie

- create DACS credentials and emit as a cookie

dacscred

- acquire and manage DACS credentials

dacsemail

- Simple outgoing email agent

dacsexpr

- DACS expression language shell and interpreter

dacsgrid

- administer grid-based one-time passwords

dacshttp

- perform an HTTP/HTTPS request

dacsinfocard

- manage InfoCard accounts

dacsinit

- Configure a minimal DACS federation interactively

dacskey

- generate encryption keys for DACS

dacslist

- list jurisdictions

dacspasswd

- manage DACS accounts

dacsrlink

- create and administer rule links

dacssched

- rule-based command scheduling

dacstoken

- administer hash-based one-time passwords

dacstransform

- rule-based document transformation

dacsversion

- display version information

dacsvfs

- access objects through the DACS virtual filestore

sslclient

- an SSL client

Section 3: Functions and Libraries

ds

- Dynamic strings and vectors

Section 5: Formats and Conventions

dacs.acls

- DACS access control rules

dacs.conf

- DACS configuration files and directives

dacs.exprs

- DACS expression language

dacs.groups

- DACS groups

dacs.nat

- Notice Acknowledgement Token specification

dacs.vfs

- the DACS virtual filestore

Section 7: Miscellaneous

dacs.install

- DACS installation guide

dacs.java

- DACS Java support

dacs.quick

- DACS Quick Start Tutorial

dacs.readme

- DACS README

Section 8: Web Services and CGI

autologin

- Convert an Apache identity to a DACS identity

cgiparse

- CGI argument parsing utility

dacs.services

- DACS web services

dacs_acs

- DACS access control service

dacs_admin

- DACS administration service

dacs_auth_agent

- DACS delegated authentication service

dacs_auth_transfer

- transfer credentials between federations

dacs_authenticate

- DACS authentication service

dacs_autologin_ssl

- use an SSL client certificate to automatically obtain DACS credentials

dacs_conf

- display DACS configuration directives

dacs_current_credentials

- display DACS credentials

dacs_error

- simple error handling utility for DACS

dacs_group

- DACS group administration

dacs_infocard

- Information Card administration

dacs_list_jurisdictions

- display information about DACS jurisdictions

dacs_managed_infocard

- create a managed Information Card

dacs_mex

- WS-MetadataExchange responder for Information Cards

dacs_notices

- DACS notice presentation and acknowledgement handler

dacs_passwd

- manage private DACS passwords

dacs_prenv

- CGI program that displays its environment

dacs_select_credentials

- temporarily disable DACS credentials

dacs_signout

- DACS signout service

dacs_sts

- Secure Token Service for managed Information Cards

dacs_token

- manage DACS one-time password token accounts

dacs_transform

- rule-based document transformation

dacs_uproxy

- minimal HTTP proxying

dacs_version

- display DACS version information

dacs_vfs

- access objects through the DACS virtual filestore

pamd

- PAM transaction server

HTTP Server: Apache

mod_auth_dacs

- Apache/DACS authentication and authorization module

Annotations

Security Notes

Access to dacs_auth_transfer
Accessibility of dacs_auth_transfer
Apache AuthType, AuthName, and Require directives
Aspects of NAT security
Authentication modules
Authorization caching considered experimental
Browser caching
CAS-based authentication
Configuration based on arguments
Configuration of dacs_auth_transfer
Configuring COOKIE_PATH
Constraints on new passwords
Contradictory rules
DACS advisory
DACS configuration files
Defining new item types
Disabled or restricted web services
Disabling SECURE_MODE
Enabling authentication modules
Execution privileges and dacsauth
Exporting OTP Accounts
File and directory permissions
Hierarchical independence in ACL paths
Honouring imported credentials
Implications of delegation
Importation of identities
InfoCard identity
Input directory for dacs_transform
Insecurity of local_simple_authenticate
Isolation requirements for dacscheck
Lifetime of credentials and cert-based authentication
Limitations of ACS_CREDENTIALS_LIMIT
Limitations of AUTH_SINGLE_COOKIE
Limitations of COMPAT_MODE
Limitations of COOKIE_HTTPONLY
Limitations of COOKIE_NAME_TERMINATORS
Limitations of NAME_COMPARE
Limitations of VERIFY_UA
Limitations of constraints
Limitations on CGI arguments
Limiting access to Rlinks
Limiting access to dacsconf
Limiting access to dacscookie
Limiting access to dacslist
Limiting access to dacstoken
Limiting access to dacsvfs
Moving credentials to another host
Multiple Auth clauses
Multiple credentials for the same identity
Password in a URI
Password visibility and dacsauth
Password visibility and dacspasswd
Passwords and local_passwd_authenticate
Permissions for dacs_acs
Potential password logging when debugging
Privacy of the federation key
Reliance on cookie names
Reporting authentication failure
Restrict access to dacs_uproxy
Restrict access to dacs_vfs
Restricted access to dacs_conf
Restricted access to dacs_passwd
Restricted access to dacs_token
Restricted access to dacs_version
Restricting access to dacs_auth_transfer
Running dacs_acs setuid/setgid
Running dacsauth, dacs_authenticate setuid/setgid
Secure NTLM communication
Security aspects of access tokens
Security implications of PERMIT_CHAINING
Security implications of dacsinfocard
Security implications of dacspasswd
Security issues and dacsgrid
Security issues and dacstransform
Security issues and pamd
Setting the lifetime of credentials
Supported Devices
TOTP Drift Window Size
TOTP Drift Window Size
Tagging mod_auth_dacs
Testing Apache+DACS
Tokens and secret keys
Tracking anonymous users
Upgrading
Use of MD5
Use of the REFEDERATE directive
Using SSL with dacs_auth_transfer
Using dacs_admin()
Verification of DACS-wrapping
Verify checksums after downloading
Weakening of credentials
dacs_admin disabled by default
dacs_auth_agent disabled by default
dacs_authenticate security issues
dacskey and accessibility of keyfiles
exec() target UID/GID
ldaps scheme unavailable

Important Notes

Apache AuthType, AuthName, and Require directives
Converting ACL format
DACS advisory
Definition of jurisdiction metadata
File permissions of autologin
Hiding the DACS_ACS argument
Installation notes
Installing Apache
Interaction between dacshttp and sslclient
Limitations on CGI arguments
NO WARRANTY
PAM authentication
Potential import/export restrictions
Potential password logging when debugging
Third-party packages
Unique jurisdiction sections
Upgrading DACS
dacsauth() considered experimental
dacscheck() considered experimental
mod_auth_dacs version compatibility
user() returning False

Other Notes

Apache AuthType, AuthName, and Require directives
DACS advisory
Limitations on CGI arguments
Potential password logging when debugging

Tips

Apache AuthType, AuthName, and Require directives
Begin by reviewing dacs.quick(7)
Begin with a basic DACS install
Building standalone components
Built-in authentication modules
Built-in roles modules
CAS protocol
Configuration of mod_ssl in httpd.conf
Configuring HTTP authentication
DACS advisory
DACS self tests
DEFAULT_JURISDICTION environment variable
Displaying CGI arguments
Displaying DACS environment variables
Domain attributes in cookies
Easier upgrades
Escaping space characters
Failed internal HTTP requests
Filename suffixes for CGI programs
Filenames for rulesets
Generated directory listings, internal redirects
How to choose better passwords
InfoCard authentication using an expression
Initial configuration using dacsinit
Installing a subset of DACS
Limitations on CGI arguments
Manual pages: fonts
Manual pages: man(1) output
Obtaining Berkeley DB
Omitting braces in a variable reference
Potential password logging when debugging
Problems while building with shared libraries
Redirection after authentication
Remember to make public files accessible
Remember to restart httpd
Reviewing build notes
Rotate log files
Save your config.nice
Selecting characters and substrings
Selecting new credentials
Short links
Testing LDAP authentication
Testing NTLM authentication
Testing where a client authenticated
Try dacsexpr
Use site.conf-std
Using dacsinit
Using user()
Validating ruleset syntax
Value of an if statement
Variable substitution in dacs_transform
Verify web server version
Viewing DACS documentation via Apache
Whitespace in a variable reference
dacs_transform and the 'insert' directive
local_unix_authenticate and setuid

Variables

${Args::DACS_USERNAME}, ${Args::RNAME}, ${Args::USERNAME}, ${Auth::ABORT}, ${Auth::CREDENTIALS_LIFETIME_SECS}, ${Auth::CURRENT_ROLES}, ${Auth::CURRENT_USERNAME}, ${Auth::DACS_IDENTITY}, ${Auth::DACS_JURISDICTION}, ${Auth::DACS_USERNAME}, ${Auth::DACS_VERSION}, ${Auth::LAST_ROLES}, ${Auth::MODULE_SKIP}, ${Auth::ROLES}, ${Conf::FEDERATION_DOMAIN}, ${Conf::LOG_LEVEL}, ${Conf::dacs_approval_digest_name}, ${Conf::http_auth_401}, ${Conf::prompt_submit_label}, ${DACS::ACS}, ${DACS::ARGS_TRUNCATED}, ${DACS::ARGS}, ${DACS::ARG_COUNT}, ${DACS::AUTHORIZATION}, ${DACS::CONTENT_ENCODING}, ${DACS::CONTENT_LENGTH}, ${DACS::CONTENT_TYPE}, ${DACS::CURRENT_URI_NO_QUERY}, ${DACS::CURRENT_URI}, ${DACS::FEDERATION}, ${DACS::FILENAME}, ${DACS::IDENTITY}, ${DACS::INTERACTIVE}, ${DACS::IP}, ${DACS::JURISDICTION}, ${DACS::METHOD}, ${DACS::PATH_INFO}, ${DACS::POSTDATA}, ${DACS::PROXYREQ}, ${DACS::QUERY}, ${DACS::REMOTE_ADDR}, ${DACS::REMOTE_HOST}, ${DACS::RIDENT}, ${DACS::RIPTR}, ${DACS::RNAME}, ${DACS::ROLES}, ${DACS::URI}, ${DACS::URI}, ${DACS::USERNAME}, ${DACS::USER_AGENT}, ${Env::REMOTE_USER}, ${Env::REQUEST_URI}, ${LDAP::USERNAME}, ${LDAP::attrname}, ${LDAP::attrvalue}, ${Options::AUXILIARY}, ${Options::DACS_JURISDICTION}, ${Options::DACS_USERNAME}, ${Options::DACS_VERSION}, ${Options::PASSWORD}, ${Options::USERNAME}, APACHE_HOME, CGI_SUFFIX, DACS_ACS_JURISDICTION, DACS_APPROVAL, DACS_BINDIR, DACS_CGIBINDIR, DACS_CONCISE_IDENTITY, DACS_CONF, DACS_CONF, DACS_CONF_SPEC, DACS_CONSTRAINT, DACS_DEFAULT_CONSTRAINT, DACS_FEDERATION, DACS_HOME, DACS_IDENTITY, DACS_JURISDICTION, DACS_MOD_AUTH_DACS, DACS_RELEASE, DACS_ROLES, DACS_SBINDIR, DACS_SITE_CONF, DACS_SITE_CONF, DACS_SITE_CONF_SPEC, DACS_USERNAME, DACS_VERSION, DACS_VERSION, DOCUMENT_ROOT, EXE_SUFFIX, FEDERATIONS_ROOT, HTTP_HOST, HTTP_USER_AGENT, JURISDICTION_URI, JURISDICTION_URI_PREFIX, OPENSSL_PROG, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SSL variables, URI_SCHEME, argv[0], infocard_card_image_card, infocard_card_image_cert, infocard_card_image_passwd, infocard_sts_password, infocard_sts_password, infocard_sts_title, infocard_sts_username_password_prompt_fmt

Configuration Directives

ACCEPT_ALIEN_CREDENTIALS, ACS_ACCESS_TOKEN_ENABLE, ACS_ACCESS_TOKEN_LIFETIME_LIMIT, ACS_ACCESS_TOKEN_LIFETIME_SECS, ACS_AUTHENTICATED_ONLY, ACS_CREDENTIALS_LIMIT, ACS_EMIT_APPROVAL, ACS_ERROR_HANDLER, ACS_FAIL, ACS_INACTIVITY_LIMIT_SECS, ACS_POST_BUFFER_LIMIT, ACS_POST_EXCEPTION_MODE, ACS_PRE_AUTH, ACS_SUCCESS, ACS_TRACK_ACTIVITY, ADMIN_IDENTITY, ALLOW_HTTP_COOKIE, AUTH_AGENT_ALLOW_ADMIN_IDENTITY, AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS, AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS, AUTH_ERROR_HANDLER, AUTH_FAIL, AUTH_FAIL_DELAY_SECS, AUTH_SINGLE_COOKIE, AUTH_SUCCESS, AUTH_SUCCESS_HANDLER, AUTH_TRANSFER_EXPORT, AUTH_TRANSFER_TOKEN_LIFETIME_SECS, COMPAT_MODE, CONTROL, COOKIE_HTTPONLY, COOKIE_NAME_TERMINATORS, COOKIE_NO_DOMAIN, COOKIE_PATH, CREDENTIALS_LIFETIME_SECS, CREDENTIALS_LIFETIME_SECS, CSS_PATH, DTD_BASE_URL, ERROR_URL, EVAL, EXIT*, EXIT*, EXIT*, EXPR, EXPR, FEDERATION_DOMAIN, FEDERATION_NAME, FLAGS, HTTP_AUTH, HTTP_AUTH_ENABLE, HTTP_PROG, IMPORT_FROM, IMPORT_ROLES, IMPORT_URL, INFOCARD_AUDIENCE, INFOCARD_AUDIENCE_RESTRICTION, INFOCARD_CARDID_BASE_URL, INFOCARD_CARDID_SUFFIX, INFOCARD_CARD_DATETIME_EXPIRES, INFOCARD_CARD_DEFS_URL, INFOCARD_CARD_FILL_URL, INFOCARD_CARD_IMAGE_BASE_URL, INFOCARD_CARD_LIFETIME_SECS, INFOCARD_CARD_OUTPUTDIR, INFOCARD_CARD_VERSION, INFOCARD_DIGEST, INFOCARD_IP_PRIVACY_URL, INFOCARD_IP_PRIVACY_VERSION, INFOCARD_ISSUER_INFO_ENTRY, INFOCARD_MEX_URL, INFOCARD_REQUIRE_APPLIES_TO, INFOCARD_STRONG_RP_IDENTITY, INFOCARD_STS_AUTH_TYPE, INFOCARD_STS_CACERTFILE, INFOCARD_STS_CERTFILE, INFOCARD_STS_KEYFILE, INFOCARD_STS_KEYFILE_PASSWORD, INFOCARD_STS_PASSWORD_METHOD, INFOCARD_STS_RP_ENDPOINT, INFOCARD_TOKEN_DRIFT_SECS, INFOCARD_TOKEN_ISSUER, INFOCARD_TOKEN_LIFETIME_SECS, INFOCARD_TOKEN_MAX_LENGTH, INFOCARD_USERNAME_SELECTOR, INIT*, INIT*, JURISDICTION_NAME, LOGINGEN_FILE, LOGINGEN_PROG, LOG_FILE, LOG_FILTER, LOG_FORMAT, LOG_LEVEL, LOG_SENSITIVE, NAME_COMPARE, NOTICES_ACCEPT_HANDLER, NOTICES_ACK_HANDLER, NOTICES_DECLINE_HANDLER, NOTICES_NAT_NAME_PREFIX, NOTICES_SECURE_HANDLER, NOTICES_WORKFLOW_LIFETIME_SECS, OPTION, OPTION, OPTION*, OPTION*, PAMD_HOST, PAMD_PORT, PASSWORD_AUDIT, PASSWORD_CONSTRAINTS, PASSWORD_DIGEST, PASSWORD_OPS_NEED_PASSWORD, PASSWORD_SALT_PREFIX, PERMIT_CHAINING, PREDICATE, PREDICATE, PREDICATE, PROXY_EXEC_DOCUMENT_ROOT, PROXY_EXEC_MAPPER_DEFAULT_ACTION, PROXY_EXEC_MAPPER_LOGGING, PROXY_EXEC_MAPPER_LOG_FILE, PROXY_EXEC_MAPPER_RULES_FILE, PROXY_EXEC_PROG_URI, REFEDERATE, RLINK, ROLES*, ROLE_STRING_MAX_LENGTH, SECURE_MODE, SIGNOUT_HANDLER, SSL_PROG, SSL_PROG_ARGS, SSL_PROG_CA_CRT, SSL_PROG_CLIENT_CRT, STATUS_LINE, STYLE, SUCCESS_URL, TEMP_DIRECTORY, TOKEN_HOTP_ACCEPT_WINDOW, TOKEN_REQUIRES_PIN, TRACE_LEVEL, UNAUTH_ROLES, UPROXY_APPROVED, URL, URL, URL*, URL*, VERBOSE_LEVEL, VERIFY_IP, VERIFY_UA, VFS, XSD_BASE_URL, claim_name, claim_name, claim_type, claim_type, claim_uri_prefix, claim_uri_prefix, claim_uri_prefix_abbrev, claim_value

DTDs

These XML DTD skeletons are used only to help document information used by DACS.

Configuration.dtd, access_token.dtd, acl.dtd, acl_index.dtd, auth_reply.dtd, common.dtd, credentials.dtd, dacs_acs.dtd, dacs_admin.dtd, dacs_auth_agent.dtd, dacs_auth_reply.dtd, dacs_auth_transfer.dtd, dacs_conf_reply.dtd, dacs_current_credentials.dtd, dacs_group.dtd, dacs_infocard.dtd, dacs_list_jurisdictions.dtd, dacs_notices.dtd, dacs_passwd.dtd, dacs_select_credentials.dtd, dacs_user_info.dtd, dacs_version.dtd, groups.dtd, roles_reply.dtd, selected_credentials.dtd, store_reply.dtd


This documentation was created on Tue Oct 21 11:19:58 PDT 2014 using DocBook and libxslt.