DACS DACS - The Distributed Access Control System


Download and Release Information

DACS software is available at no cost. It is officially distributed in source form only - you must build it, although in most cases this is not difficult. A Debian GNU/Linux release of DACS is available, however. DSS does not prepare or manage that distribution.

Please refer to the license for details and copyright notices.

Starting with version 1.4.26, DACS is not available on SourceForge - get it from the links in the table below. Releases prior to 1.4.26 may be available as tarballs on SourceForge.net.

Important release notes, change summaries, and post-release notifications are posted on this page, and when a significant bug is found after release, we will post a notice here, sometimes with a solution. Please review this information before installing DACS or if you are experiencing any problems with DACS. We apologize for any inconvenience and try to fix all known bugs in the next release. Patches and bug fix releases are sometimes available - please inquire.

Information that appears here about older releases may be superseded by changes made in newer releases; this also applies to such things as the renaming of programs and files. A bug reported for a specific release may also be present in earlier releases.

As mentioned elsewhere, we like to think that development of DACS is guided largely by the needs of its users, so we need your input to do a good job! Your requests and suggestions are important for us to continue to focus our efforts on solving problems that are important to you.

We do not require you to register your copy of DACS, but we would appreciate hearing from you if you decide to use it. The anonymous information you provide can help us to focus development and will be taken into account when we consider making changes, particularly changes that are incompatible with earlier releases.

IMPORTANT

DACS MAY USE AND IMPLEMENT CRYPTOGRAPHIC FUNCTIONALITY.
Although DACS is developed, maintained, and distributed from Canada, it may fall under certain import, export, and/or use restrictions in other parts of the world. DACS may implement or adapt ad hoc, enhanced, standardized, or published cryptographic algorithms, or use cryptographic functionality provided by OpenSSL, other third-party software, or operating system libraries and system calls.

Export and/or import and/or use of strong cryptography software, providing cryptography hooks, or merely communicating technical details about cryptographic software is illegal in some parts of the world. YOU ARE STRONGLY ADVISED to pay close attention to any laws that may apply when you import, export, or use DACS, or even communicate about it. We are not liable for any violations you make - it is your responsibility.

For additional information, see the Crypto Law Survey.

What You Need

To build DACS, at minimum you will need the following:

If you require certain optional features, you may need to obtain additional (open source licensed) third-party software, such as OpenLDAP or Berkeley DB. Sometimes this software is already installed on your system.

Please see dacs.install(7) for details.

Bugs and Support

If you are having a problem with DACS, after first reviewing the release notes and post-release notes for your version, the next thing to do is check your DACS log files and Apache log files (you may need to bump up your logging level to get additional information as to what is happening). You should also consult the FAQ and Tips. Whenever possible, you should always run the latest release of DACS and check that you are compiling with the correct version of third-party software.

Please see the support area for information on reporting bugs and other assistance. Technical support and maintenance packages are available.

Downloads and Release History

To unpack a tarball into a subdirectory named after the tarball file with the extension removed,

The decompression commands should be available on practically all platforms that are suitable for building DACS.

To generate checksums for your downloaded tarball to compare against the values published here, the following commands are either already available on your system or can be easily obtained:

For instance:
% openssl dgst -sha1 dacs-1.4.52.tbz
SHA1(dacs-1.4.52.tbz)= cda55e1b691e3d7210c9cbf18eaf1337f96c0b2b
If your system does not have a utility for computing SHA3 digests, the functionality is provided by the latest release of OpenSSL. Also, the Perl Digest::SHA3 module provides the sha3sum command (which you may be able to install using the cpan command):
% openssl dgst -sha3-256 dacs-1.4.52.tbz
SHA3-256(dacs-1.4.52.tbz)= df5156421ee41c2fa44fc7cc16e7cfea0e41d5e384d761a600ef688a25321eb7
% sha3sum -a 256 dacs-1.4.52.tbz
df5156421ee41c2fa44fc7cc16e7cfea0e41d5e384d761a600ef688a25321eb7  dacs-1.4.52.tbz

Release Name Release Date Release Info Tarballs
File Name Bytes Checksums
1.4.52 24-Sep-2024 README, Notes, Changes, Post-Release
dacs-1.4.52.tbz 3884516 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.52.txz 2837564 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.52.tgz 5245209 | file SHA-1 SHA2-256 SHA3-256
1.4.51 20-Jun-2024 README, Notes, Changes, Post-Release
dacs-1.4.51.tbz 3842851 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.51.txz 2798692 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.51.tgz 5185787 | file SHA-1 SHA2-256 SHA3-256
1.4.50 22-Jul-2023 README, Notes, Changes, Post-Release
dacs-1.4.50.tbz 3818146 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.50.txz 2759988 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.50.tgz 5135381 | file SHA-1 SHA2-256 SHA3-256
1.4.49 8-Feb-2023 README, Notes, Changes, Post-Release
dacs-1.4.49.tbz 3825159 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.49.txz 2752204 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.49.tgz 5126737 | file SHA-1 SHA2-256 SHA3-256
1.4.48 20-Jul-2022 README, Notes, Changes, Post-Release
dacs-1.4.48.tbz 3789807 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.48.txz 2726428 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.48.tgz 5097219 | file SHA-1 SHA2-256 SHA3-256
1.4.47 11-Jan-2022 README, Notes, Changes, Post-Release
dacs-1.4.47.tbz 3753368 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.47.txz 2710096 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.47.tgz 5082940 | file SHA-1 SHA2-256 SHA3-256
1.4.46 8-Jun-2021 README, Notes, Changes, Post-Release
dacs-1.4.46.tbz 3739881 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.46.txz 2692868 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.46.tgz 5061029 | file SHA-1 SHA2-256 SHA3-256
1.4.45 20-Jan-2021 README, Notes, Changes, Post-Release
dacs-1.4.45.tbz 3732517 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.45.txz 2688948 | file SHA-1 SHA2-256 SHA3-256
dacs-1.4.45.tgz 5053429 | file SHA-1 SHA2-256 SHA3-256
1.4.44 28-May-2020 README, Notes, Changes, Post-Release
dacs-1.4.44.tbz 3697624 | file MD5 SHA-1 SHA3-256
dacs-1.4.44.txz 2673212 | file MD5 SHA-1 SHA3-256
dacs-1.4.44.tgz 5030788 | file MD5 SHA-1 SHA3-256
1.4.43 20-Sep-2019 README, Notes, Changes, Post-Release
dacs-1.4.43.tbz 4031434 | file MD5 SHA-1 SHA3-256
dacs-1.4.43.txz 2662928 | file MD5 SHA-1 SHA3-256
dacs-1.4.43.tgz 5529230 | file MD5 SHA-1 SHA3-256
1.4.42 29-Jan-2019 README, Notes, Changes, Post-Release
dacs-1.4.42.tbz 4033403 | file MD5 SHA-1 SHA3-256
dacs-1.4.42.txz 2658548 | file MD5 SHA-1 SHA3-256
dacs-1.4.42.tgz 5537533 | file MD5 SHA-1 SHA3-256
1.4.41 12-Sep-2018 README, Notes, Changes, Post-Release
dacs-1.4.41.tbz 4023149 | file MD5 SHA-1 SHA3-256
dacs-1.4.41.txz 2642216 | file MD5 SHA-1 SHA3-256
dacs-1.4.41.tgz 5510615 | file MD5 SHA-1 SHA3-256
1.4.40 1-Feb-2018 README, Notes, Changes, Post-Release
dacs-1.4.40.tbz 4042929 | file MD5 SHA-1 SHA3-256
dacs-1.4.40.txz 2635236 | file MD5 SHA-1 SHA3-256
dacs-1.4.40.tgz 5522309 | file MD5 SHA-1 SHA3-256
1.4.39 26-May-2017 README, Notes, Changes, Post-Release
dacs-1.4.39.tbz 3936545 | file MD5 SHA-1 SHA3-256
dacs-1.4.39.txz 2571948 | file MD5 SHA-1 SHA3-256
dacs-1.4.39.tgz 5421838 | file MD5 SHA-1 SHA3-256
1.4.38a 23-Nov-2016 README, Notes, Changes, Post-Release
dacs-1.4.38a.tbz 3197601 | file MD5 SHA-1 SHA3-256
dacs-1.4.38a.txz 2384720 | file MD5 SHA-1 SHA3-256
dacs-1.4.38a.tgz 4419668 | file MD5 SHA-1 SHA3-256
1.4.38 21-Oct-2016 README, Notes, Changes, Post-Release
dacs-1.4.38.tbz 3217949 | file MD5 SHA-1 SHA3-256
dacs-1.4.38.txz 2381540 | file MD5 SHA-1 SHA3-256
dacs-1.4.38.tgz 4408542 | file MD5 SHA-1 SHA3-256
1.4.37 18-May-2016 README, Notes, Changes, Post-Release
dacs-1.4.37.tbz 3161890 | file MD5 SHA-1 SHA3-256
dacs-1.4.37.txz 2307400 | file MD5 SHA-1 SHA3-256
dacs-1.4.37.tgz 4297942 | file MD5 SHA-1 SHA3-256
1.4.36 29-Dec-2015 README, Notes, Changes, Post-Release
dacs-1.4.36.tbz 2848706 | file MD5 SHA-1
dacs-1.4.36.txz 2265696 | file MD5 SHA-1
dacs-1.4.36.tgz 3965296 | file MD5 SHA-1
1.4.35 26-Aug-2015 README, Notes, Changes, Post-Release
dacs-1.4.35.tbz 2847147 | file MD5 SHA-1
dacs-1.4.35.txz 2263636 | file MD5 SHA-1
dacs-1.4.35.tgz 3958437 | file MD5 SHA-1
1.4.34 24-Jul-2015 README, Notes, Changes, Post-Release
dacs-1.4.34.tbz 2853871 | file MD5 SHA-1
dacs-1.4.34.txz 2241336 | file MD5 SHA-1
dacs-1.4.34.tgz 3921638 | file MD5 SHA-1
1.4.33 4-Mar-2015 README, Notes, Changes, Post-Release
dacs-1.4.33.tbz 2823965 | file MD5 SHA-1
dacs-1.4.33.txz 2226260 | file MD5 SHA-1
dacs-1.4.33.tgz 3898367 | file MD5 SHA-1
1.4.32 6-Jan-2015 README, Notes, Changes, Post-Release
dacs-1.4.32.tbz 2772845 | file MD5 SHA-1
dacs-1.4.32.txz 2212812 | file MD5 SHA-1
dacs-1.4.32.tgz 3878443 | file MD5 SHA-1
1.4.31 15-Sept-2014 README, Notes, Changes, Post-Release
dacs-1.4.31.tbz 2773056 | file MD5 SHA-1
dacs-1.4.31.txz 2187540 | file MD5 SHA-1
dacs-1.4.31.tgz 3827475 | file MD5 SHA-1
1.4.30 7-July-2014 README, Notes, Changes, Post-Release
dacs-1.4.30.tbz 2753095 | file MD5 SHA-1
dacs-1.4.30.txz 2175092 | file MD5 SHA-1
dacs-1.4.30.tgz 3805653 | file MD5 SHA-1
1.4.29 30-Oct-2013 README, Notes, Changes, Post-Release
dacs-1.4.29.tbz 2751185 | file MD5 SHA-1
dacs-1.4.29.txz 2170444 | file MD5 SHA-1
dacs-1.4.29.tgz 3796945 | file MD5 SHA-1
1.4.28b 1-Mar-2013 README, Notes, Changes, Post-Release
dacs-1.4.28b.tbz 2715660 | file MD5 SHA-1
dacs-1.4.28b.txz 2153752 | file MD5 SHA-1
dacs-1.4.28b.tgz 3768448 | file MD5 SHA-1
1.4.28a 29-Jan-2013 README, Notes, Changes, Post-Release
dacs-1.4.28a.tbz 2711714 | file MD5 SHA-1
dacs-1.4.28a.txz 2141460 | file MD5 SHA-1
dacs-1.4.28a.tgz 3749167 | file MD5 SHA-1
1.4.28 23-Oct-2012 README, Notes, Changes, Post-Release
dacs-1.4.28.tgz 3732171 | file MD5 SHA-1
dacs-1.4.28.tbz 2700929 | file MD5 SHA-1
1.4.27b 19-Mar-2012 README, Notes, Changes, Post-Release
dacs-1.4.27b.tgz 3724152 | file MD5 SHA-1
dacs-1.4.27b.tbz 2695824 | file MD5 SHA-1
1.4.27 16-Jan-2012 README, Notes, Changes, Post-Release
dacs-1.4.27.tgz 3675561 | file MD5 SHA-1
dacs-1.4.27.tbz 2627120 | file MD5 SHA-1
1.4.26 30-Sep-2011 README, Notes, Changes, Post-Release
dacs-1.4.26.tgz 3658730 | file MD5 SHA-1
dacs-1.4.26.tbz 2608183 | file MD5 SHA-1
1.4.25 23-Jun-2010 Notes, Changes, Post-Release, Patch
dacs-1.4.25.tgz 3633131 | file MD5 SHA-1
dacs-1.4.25.tbz 2563328 | file MD5 SHA-1
1.4.24 7-Jan-2010 Notes, Changes, Post-Release
dacs-1.4.24.tgz 3373741 | file MD5 SHA-1
dacs-1.4.24.tbz 2404871 | file MD5 SHA-1
1.4.23a 16-Oct-09 Notes, Changes, Post-Release
dacs-1.4.23a.tgz 3346646 | file MD5 SHA-1
dacs-1.4.23a.tbz 2381089 | file MD5 SHA-1
1.4.23 14-Sep-09 Notes, Changes, Post-Release
dacs-1.4.23.tgz 3324221 | file MD5 SHA-1
dacs-1.4.23.tbz 2358779 | file MD5 SHA-1
1.4.22 13-Jan-09 Notes, Changes, Post-Release
dacs-1.4.22.tgz 3015392 | file MD5 SHA-1
dacs-1.4.22.tbz 2137791 | file MD5 SHA-1
1.4.21 31-Mar-08 Notes, Changes, Post-Release
dacs-1.4.21.tgz 2823882 | file MD5 SHA-1
dacs-1.4.21.tbz 2050146 | file MD5 SHA-1
1.4.20 15-Aug-07 Notes, Changes, Post-Release
dacs-1.4.20.tgz 2686200 | file MD5 SHA-1
dacs-1.4.20.tbz 1925130 | file MD5 SHA-1
1.4.19* 2-Jul-07 Notes, Changes, Post-Release
dacs-1.4.19.tgz 2648991 | file MD5 SHA-1
dacs-1.4.19.tbz 1884646 | file MD5 SHA-1
1.4.18 4-Apr-07 Notes, Changes, Post-Release
dacs-1.4.18.tgz 2542689 | file MD5 SHA-1
dacs-1.4.18.tbz 1842434 | file MD5 SHA-1
1.4.17 8-Feb-07 Notes, Changes, Post-Release
dacs-1.4.17.tgz 2413437 | file MD5 SHA-1
dacs-1.4.17.tbz 1737306 | file MD5 SHA-1
1.4.16 4-Dec-06 Notes, Changes, Post-Release
dacs-1.4.16.tgz 2343899 | file MD5 SHA-1
dacs-1.4.16.tbz 1689186 | file MD5 SHA-1
1.4.15 1-Oct-06 Notes, Changes, Post-Release
dacs-1.4.15.tgz 2264282 | file MD5 SHA-1
dacs-1.4.15.tbz 1620600 | file MD5 SHA-1
1.4.14 1-Aug-06 Notes, Changes, Post-Release
dacs-1.4.14.tgz 2152617 | file MD5 SHA-1
dacs-1.4.14.tbz 1562839 | file MD5 SHA-1
1.4.13a 2-Jun-06 Notes, Changes, Post-Release
dacs-1.4.13a.tgz 2071894 | file MD5 SHA-1
dacs-1.4.13a.tbz 1498288 | file MD5 SHA-1
1.4.13 1-Jun-06 Notes, Changes, Post-Release
dacs-1.4.13.tgz 2072574 | file MD5 SHA-1
dacs-1.4.13.tbz 1499260 | file MD5 SHA-1
1.4.12 1-May-06 Notes, Changes, Post-Release
dacs-1.4.12.tgz 1754404 | file MD5 SHA-1
dacs-1.4.12.tbz 1227125 | file MD5 SHA-1
1.4.11 9-Mar-06 Notes, Changes, Post-Release
dacs-1.4.11.tgz 1704101 | file MD5 SHA-1
dacs-1.4.11.tbz 1187716 | file MD5 SHA-1
1.4.10 26-Jan-06 Notes, Changes, Post-Release
dacs-1.4.10.tgz 1598073 | file MD5 SHA-1
dacs-1.4.10.tbz 1150470 | file MD5 SHA-1
1.4.9 24-Dec-05 Notes, Changes, Post-Release
dacs-1.4.9.tgz 1547377 | file MD5 SHA-1
dacs-1.4.9.tbz 1136473 | file MD5 SHA-1
1.4.8 18-Nov-05 Notes, Changes, Post-Release
dacs-1.4.8.tgz 1474462 | file MD5 SHA-1
dacs-1.4.8.tbz 1087179 | file MD5 SHA-1
1.4.7 20-Oct-05 Notes, Changes, Post-Release
dacs-1.4.7.tgz 1364048 | file MD5 SHA-1
dacs-1.4.7.tbz 1007226 | file MD5 SHA-1
1.4.6 20-Sep-05
|
|
1.4.5 17-Aug-05
|
|
1.4.4 22-Jun-05
|
|
1.4.3 27-May-05
|
|
1.4.2 14-Apr-05
|
|
1.4.1 16-Mar-05
|
|
1.4.0 14-Feb-05
|
|

DACS Version 1.4.52

Release Notes

This release has upgrades for platforms and third-party support packages, and minor bug fixes and improvements. It also includes a beta version of jspr, a JSON parser/validator/analyser library ("JSon ParseR" -- "Jaspar" -- jspr). While it is being actively developed, updated versions of jspr will be made available separately and more frequently than DACS releases.

Change Summary

Post-Release Notes

DACS Version 1.4.51

Release Notes

This release includes a few new minor features, upgrades for platforms and third-party support packages, and minor bug fixes and improvements.

Change Summary

Post-Release Notes

DACS Version 1.4.50

Release Notes

This release contains upgrades for platforms and third-party support packages and minor bug fixes and improvements.

Change Summary

Post-Release Notes

DACS Version 1.4.49

Release Notes

This release contains upgrades for platforms and third-party support packages and minor bug fixes and improvements.

Change Summary

Post-Release Notes

DACS Version 1.4.48

Release Notes

This release contains upgrades for platforms and third-party support packages and minor bug fixes and improvements.

Change Summary

Post-Release Notes

Unfortunately, some difficulties were encountered at the last minute when building on the new macOS (Monterey) arm64/M1 platform. Hopefully these issues will be resolved in the next release of DACS.

DACS Version 1.4.47

Release Notes

This release contains upgrades for platforms and third-party support packages and minor bug fixes and improvements.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.46

Release Notes

This release primarily upgrades platforms and third-party support packages, but it also includes a few important bug fixes.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.45

Release Notes

This release primarily upgrades platforms and third-party support packages.

Change Summary

Post-Release Notes

In this release, and probably previous releases, the argument to the ack() function should not include a query argument. The argument is a URI that is invoked to return the text of a notice as part of the notice acknowledgment feature. See dacs_notices(8).

DACS Version 1.4.44

Release Notes

This release primarily upgrades platforms and third-party support packages.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.43

Release Notes

This release primarily upgrades platforms and third-party support packages.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.42

Release Notes

This release primarily upgrades platforms and third-party support packages.

DACS is now using OpenSSL's 1.1.1 series.

Change Summary

Post-Release Notes

DACS Version 1.4.41

Release Notes

This release primarily upgrades platforms and third-party support packages.

Apache 2.2 servers are officially deprecated and starting with this release they are no longer officially supported by DACS.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.40

Release Notes

This release primarily upgrades platforms and third-party support packages, but it also introduces basic RADIUS authentication and improves integration of libdsm, the implementation that will replace Samba for NTLM authentication.

Because Apache 2.2 servers are officially deprecated, this is the final version of DACS to officially support the Apache 2.2 series. Although they are likely to continue to interoperate with new releases of DACS for a while, future releases of DACS will not be maintained, tested, or documented with Apache 2.2 series servers.

Change Summary

Post-Release Notes

To test that RADIUS authentication is basically working, here is what we do. On a machine different from where we have built or installed DACS, we configure a FreeRADIUS server (consult its documentation for details) and then run it in the foreground with debugging enabled:

% /sbin/radiusd -X -xxx -f -i 10.0.0.125 -p 1812
This server listens to port 1812 at IP address 10.0.0.125; your values may differ. Then, on our build or install machine, we first test authentication using a FreeRADIUS utility:
% radtest -x bob hello 10.0.0.125:1812 10 testing123
This RADIUS client tries to authenticate user "bob" using password "hello", with debugging enabled, at the same IP address and port listened to by our radiusd above. The "testing123" argument is the shared secret (password) used to authenticate our client instance to the server. The "10" argument (called "nas-port-number") is required but unimportant. A zero exit status from radtest indicates that authentication succeeded; any other value indicates failure. Once the previous testing is successful, with the RADIUS server running as above:
% dacsauth -m radius passwd required \
   -ORADIUS_SERVER=10.0.0.125 -ORADIUS_SECRET=testing123 -u bob -p hello
A zero exit status from dacsauth indicates that authentication succeeded; any other value indicates failure. If desired, continue by configuring DACS for RADIUS authentication and testing using local_radius_authenticate.

DACS Version 1.4.39

Release Notes

Apart from various third-party package and platform upgrades, this release introduces new support for NTLM authentication using a modified version of libdsm as a (mutually exclusive) alternative to the original Samba-based implementation. For a very long time, Samba 3.x has been used by DACS solely for its implementation of NTLM authentication. But because Samba 3.x has not been supported by the Samba team for quite some time, and Samba 4.x has proved to be difficult to build on DACS platforms and is not a drop-in replacement for Samba 3.x in any case, we want to use something much smaller, simpler, and easier to build than Samba.

Samba 3.x can still be used by this version of DACS. But Samba dependencies will be deprecated and eventually removed from DACS. Although it is currently functional and tested, the new implementation using libdsm is not fully integrated or documented within the main DACS build. This will be improved in the next release.

The Windows/NTLM authentication method is completely optional, so the following notes are probably only of interest to those who require it and would prefer not to use the original implementation that depends on Samba. If you want to try the new implementation, do this before building DACS:

  1. Unpack the DACS tarfile
  2. Chdir to dacs-1.4.39/src/libdsm
  3. There are a few steps to follow but it is quite straightforward. The README in that directory has detailed instructions.
    Briefly:
    1. Obtain the source code for two GNU libraries: libtasn1 and libiconv. No changes to those libraries are required.
    2. Build both libraries in place, then build the modified libdsm. A program called ntlmauth will be built and you should use it to test authentication against your Windows server.
    3. If all goes well, build DACS as you normally would, except instead of configuring it using --with-samba use --with-libdsm=./libdsm. Then test authentication again, this time using dacsauth (refer to dacsauth(1) and local_ntlm_authenticate for examples).
    4. If you are satisfied with the results of your testing, complete your installation of DACS and verify that dacs_authenticate also works correctly. The only change you may need to make to dacs.conf is to specify OPTION 'SAMBA_PORT="0"' in the appropriate Auth clause. The new implementation knows which port(s) to try.
  4. Please report any problems so that they can be addressed in the next release.

Change Summary

Post-Release Notes

DACS Version 1.4.38a

Release Notes

This special release addresses some minor but long-standing issues.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.38

Release Notes

This release primarily upgrades platforms and third-party support packages, but it also incorporates new cryptographic hashing capabilities.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.37

Release Notes

This release primarily upgrades platforms and third-party support packages. Additional HMAC digest algorithms are now provided. A self-contained arbitrary precision integer arithmetic library is now included in the distribution.

Change Summary

Post-Release Notes

DACS Version 1.4.36

Release Notes

This release primarily fixes very minor bugs and upgrades platforms and third-party support packages.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.35

Release Notes

This release addresses some bugs, adds some new secure password digest algorithms (such as the new SHA-3 digest algorithms), changes the format of the DACS password file, and platform upgrades. There was an important bug fix to DACS_ACS processing. The DTD/RNC for dacs_version has been modified. Please refer to the distribution's README and manual pages for additional details.

If you are a) upgrading from 1.4.34 and b) were using DACS password files and c) have accounts that use the new parameterized digest methods introduced in 1.4.34, there has been a format change to those account entries. Simple manual editing of those accounts or a password reset is required, otherwise sign-on to those accounts will fail. See the PASSWORD_DIGEST directive for details.

Change Summary

Post-Release Notes

DACS Version 1.4.34

Release Notes

This release primarily addresses some minor bugs, adds some new secure password digest algorithms, and upgrades third-party support packages.

If you are upgrading, please note that there have been a small number of important changes to site.conf-std. If you have not modified your site.conf (and you shouldn't have), you should copy site.conf-std to it.

Change Summary

Post-Release Notes

DACS Version 1.4.33

Release Notes

This release primarily addresses some important bugs, improves documentation, and upgrades third-party support packages.

Change Summary

Post-Release Notes

DACS Version 1.4.32

Release Notes

This release includes some minor improvements, documentation updates, and platform and third-party software upgrades.

Change Summary

Post-Release Notes

DACS Version 1.4.31

Release Notes

This release primarily addresses some important bugs, improves documentation, and upgrades third-party support packages.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.30

Release Notes

This release primarily addresses configuration and build problems, improves documentation, fixes some minor bugs, and upgrades third-party support packages.

Change Summary

Post-Release Notes

DACS Version 1.4.29

Release Notes

This release primarily addresses configuration and build problems, improves documentation, fixes some minor bugs, and upgrades third-party support packages.

Change Summary

Post-Release Notes

DACS Version 1.4.28c

Release Notes

This version was not publicly released but the changes summarized below were made to the code base.

Change Summary

Post-Release Notes

This sentence intentionally left blank.

DACS Version 1.4.28b

Release Notes

This release addresses problems with Apache 2.4 support, fixes some minor bugs, and upgrades some third-party support packages.

Change Summary

Post-Release Notes

DACS Version 1.4.28a

Release Notes

This release improves support for Apache 2.4, corrects many problems with dacs.quick(7), and fixes a variety of minor bugs. There are no third-party support package upgrades, so upgrading from DACS 1.4.28 should be easy. For details, consult the README and HISTORY files, dacs.readme(7), and dacs.install(7).

Change Summary

Post-Release Notes

DACS Version 1.4.28

Release Notes

This minor bug fix release addresses build and portability issues. For details, consult the README and HISTORY files, dacs.readme(7), and dacs.install(7).

Change Summary

Post-Release Notes

DACS Version 1.4.27b

Release Notes

This minor bug fix release addresses build and portability issues found after the release of 1.4.27. For details, consult the README and HISTORY files, dacs.readme(7), and dacs.install(7).

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.27

Release Notes

This is mainly a bug fix release. Consult the README and HISTORY files, dacs.readme(7), and dacs.install(7).

Change Summary

Post-Release Notes

DACS Version 1.4.26

Release Notes

This is mainly a bug fix release. Consult the README and HISTORY files, dacs.readme(7), and dacs.install(7).

Change Summary

Post-Release Notes

DACS Version 1.4.25

Release Notes

Although it mainly fixes bugs and adds some minor features, this release includes improved support for one-time passwords (such as time-based tokens, token provisioning, and additional OTP token vendors), introduces a new, simplified user-selectable authentication control, fixes and improves PAM-based authentication, and adds support for SQLite.

As with earlier releases of DACS, a variety of problems were encountered building third-party software. In particular, OpenSSL - which has seen a larger than usual number of releases recently - seems to be troublesome. These problems are addressed in dacs.install(7).

Change Summary

Post-Release Notes

Important (3-Nov-2010):
The local_passwd_authenticate authentication module for 1.4.25 may report a successful authentication outcome even if an incorrect password is given. If you are using this authentication module or plan to, please apply this patch immediately, then "make install" DACS. Sites running earlier releases of DACS should upgrade (and apply the patch), or at least verify that their release's local_passwd_authenticate is working properly.

DACS Version 1.4.24

Release Notes

This is primarily a bug fix release, but it also introduces support for the Mac OS X 10.6/x86 platform.

As with earlier releases of DACS, a variety of problems were encountered building third-party software on OpenSolaris/x86. These problems - and, sometimes, solutions - are addressed in dacs.install(7).

Change Summary

Post-Release Notes

DACS Version 1.4.23a

Release Notes

This release adds some refinements to the Information Card support, introduces some new features, fixes some bugs, and upgrades to recent releases of third-party supporting software. Everyone is encouraged to upgrade to this release of DACS.

One significant new feature is an optional inactivity time out (see the new directives, ACS_TRACK_ACTIVITY and ACS_INACTIVITY_LIMIT_SECS). Another important feature is that dacs_current_credentials can return information about a user's last login and other logins that might be "active" - this can be useful for detecting security breaches.

[Following the demise of CardSpace, support for Information Cards is deprecated and web site material has been removed.]

If you are upgrading from an earlier release of DACS, after installation check that you are using the site.conf that comes with the new release.

Change Summary

Post-Release Notes

Nothing yet.

DACS Version 1.4.23

Release Notes

This release mainly introduces support for Information Cards, but it also includes some minor enhancements, bug fixes, and upgrades to recent releases of third-party supporting software.

[Following the demise of CardSpace, support for Information Cards is deprecated and web site material has been removed.]

If you are upgrading from an earlier release of DACS, after installation check that you are using the site.conf that comes with the new release.

Change Summary

Post-Release Notes

Building openssl-0.9.8j on FreeBSD

A "make install" of the standard openssl-0.9.8j distribution fails on FreeBSD 7.0, even if specifying only --prefix and --openssldir to configure. It may fail on other platforms, too (I'm lookin' at you, OpenSolaris and Cygwin):

cp: fipscanister.o.sha1: No such file or directory
cp: fipscanister.o: No such file or directory
*** Error code 1

Stop in /usr/k/generic/src/sysutils/openssl-0.9.8j/fips.

Here is what was needed to fix the problem(s) on FreeBSD 7.0 (your mileage may vary).

  1. After unpacking the source distribution, run configure
  2. As usual, run:
    % make
    % make test
    
    These should work properly; if they do, proceed.
  3. Do: make install
    If it fails, continue with the following steps.
  4. Change to the fips subdirectory
  5. Edit each of {aes,des,dh,dsa,hmac,rand,rsa,sha}/Makefile and (if necessary) change the value of INCLUDES (defined near the beginning of the file) to:
    INCLUDES=-I../.. -I..
    
  6. Run "make lib" in each of those directories:
    % (cd aes; make lib)
    % (cd des; make lib)
    and so on
    % (cd sha; make lib)
    
  7. Do: make fipscanister.o
    It will probably report an error, but that's ok provided it actually creates fipscanister.o.
  8. Do: make fips_standalone_sha1
  9. Do: ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
  10. Change to the distribution's root directory and try again to install:
    % cd ..
    % make install
    
    If it still doesn't work, as on OpenSolaris and Cygwin, try openssl-0.9.8i, which doesn't seem to have these problems.

DACS Version 1.4.22

Release Notes

This release mainly fixes an assortment of bugs and upgrades to recent releases of third-party supporting software.

Change Summary

Post-Release Notes

The following errata and comments are associated with this release:

DACS Version 1.4.21

Release Notes

Although this release mainly addresses a wide assortment of bugs, and upgrades to recent releases of third-party supporting software, it also features some significant performance and administrative improvements. Changes of note include:

Change Summary

Post-Release Notes

The following errata are associated with this release:

This and previous releases of DACS produce HTTP cookies that have colons (and possibly other punctuation) in their names. Although this is not known to cause problems with any web browsers, it is unacceptable to some versions of Tomcat. It seems that RFC 2109 (Sections 4.2.2 and 4.1) and RFC 2965 (Sections 3.2.2 and 3.1), with RFC 2616 (Section 2.2), do not allow these "separators" to appear in a cookie name. DACS does not currently have a workaround for this problem, but then it does not claim to be RFC 2109/2965 compliant. A future release of DACS will likely change the syntax of its cookies to something benign. Changes to the cookie name syntax may cause problems for interoperation between different versions of DACS. Note that middleware should not be relying upon (esp. parsing) the names of DACS cookies, other than to identify the different types of cookies, so a change should only be a minor inconvenience for middleware.

It seems that issues may arise when mod_rewrite and mod_proxy come into play with DACS-wrapped resources. A single proxied request may cause Apache to perform many authorization checks. Also, Apache mangles some variables associated with a proxied request during processing (e.g., the REQUEST_URI) and these may not be handled properly by DACS. Avoid these kinds of requests, or at least test them carefully.

DACS Version 1.4.20

Release Notes

This is primarily a bug fix release. DACS is security software - we urge all users to upgrade to the latest release.

Change Summary

Post-Release Notes

While DACS is not officially supported on Solaris/SPARC, a bug has been found on that platform that breaks the http(1) command and internal HTTP requests. One consequence of this bug is that authentication may fail; this particular case can be avoided by using built-in authentication modules. This bug will be fixed in the next release, but you can contact us for a patch.

The SetDACSAuthConf and SetDACSAuthSiteConf directives may not work properly. Because these directives cause the environment variables DACS_CONF and DACS_SITE_CONF, respectively, to be passed to dacs_acs(8), a possible work-around is to explicitly set them in your Apache configuration (using SetEnv, for instance).

DACS should not be affected by the problems recently discovered in OpenSSL 0.9.8e. The next release of DACS will upgrade to the then-current release of OpenSSL.

DACS Version 1.4.19

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Change Summary

Post-Release Notes

  1. Important:
    A bug in the local_passwd_authenticate authentication module has been discovered that can cause an invalid DACS password to be accepted when it should not be. This does not affect any other forms of authentication or the DACS password file. Unless you are sure that you will not use this authentication module, you must apply the following fix. We apologize for the error.

    This bug has been fixed and a new version of src/local_passwd_auth.c is available. Replace the local_passwd_auth.c file (revid 1941) that ships with dacs-1.4.19 with the new one (revid 1983). Do a 'make clean' from the distribution's src directory, then build and install DACS again.

    Before deploying this or any other DACS authentication method in a production system, please ensure that authentication succeeds only if all authentication material is correct.

  2. Correction: in the examples in dacsauth(1), the -vfs flag must appear with the module flags (before the -u flag, for instance).

  3. Regarding the notice acknowledgment feature (dacs_notices(8), dacs.nat(5)), if a document requiring acknowledgement is accessed using the https scheme, all links to the document must provide the port number (even if it is 443) in its URL. For instance, use https://dss.fedroot.com:443/notices/ack-me.html instead of https://dss.fedroot.com/notices/ack-me.html. Failure to do this causes users to see the same prompt twice. The default port number will be handled correctly in the next release.

DACS Version 1.4.18

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Notable improvements include:

Change Summary

Post-Release Notes

There is a bug in dacsvfs(1) that prevents a field separator character other than the default (a colon) from being used. A bug in http(1) causes improper output buffering with the -ih flag.

Arguments passed through the multipart/form-data content type may not be handled correctly.

Requests that are the result of an internal redirect by Apache may cause DACS to become confused about the request URI that it should use.

The dacsrlink(1) command and its manual page have several bugs. The -expires flag is buggy. The manual page has a typo: the flag for the rlink operation should be called -lmode instead of -mode. The manual page lacks examples.

On Cygwin, a build using expat-2.0.0 was clean but the DACS binaries did not work properly. Building with expat-1.95.8 instead solved the problem.

DACS Version 1.4.17

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Notable improvements include:

Neither Samba 3.0.23d nor 3.0.23c would build on the Solaris 5.10 x86 platform (see also DACS 1.4.15).

Cygwin is once again (partially) supported.

Change Summary

Post-Release Notes

A bug was found that may cause the Args namespace to be unavailable during configuration processing by dacs_acs. This will be fixed in the next release.

There may be problems compiling DACS on GNU/Linux if Apache was built with large file support enabled (it was if apr.h defines APR_HAS_LARGE_FILES to be 1). Try configuring Apache's APR support library (srclib/apr) with --disable-lfs, and then rebuilding Apache and DACS. This will be addressed in the next release.

Apparently some GNU/Linux distributions sometimes install Apache's apxs utility as apxs2. In this case, DACS will not find apxs during its build. A quick fix is to edit the DACS src/defs.mk.in file and replace

   apxs = $(apache_home)/bin/apxs
with wherever your apxs2 is, for example:
   apxs = /usr/sbin/apxs2

DACS Version 1.4.16

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Improvements of note include:

Note: In the final stages of testing we discovered that this release of DACS does not build on Cygwin, despite what is indicated elsewhere in the DACS documentation. This is because Cygwin lacks several library functions (even POSIX ones) that are provided by all of the fully-supported platforms. We will decide before the next release whether we will continue to partially support the Cygwin platform or abandon it entirely. Please let us know if you would like to see support for Cygwin continued.

Note: Minor but incompatible changes have been made to the setvar function. If you currently use this function, you will need to review the documentation and make appropriate changes before upgrading.

Change Summary

Post-Release Notes

In releases 1.4.16 and earlier, it is possible to create a DACS account that has no password (the password is the empty string) but these accounts cannot be used because local_passwd_authenticate rejects these passwords as a sanity check. Password-less accounts will be addressed more consistently in release 1.4.17.

DACS Version 1.4.15

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

With this release, DACS now supports strong authentication based on the Authenex A-Key hardware token (and other OATH-HOTP/RFC 4226 compliant products). This provides a very low cost and convenient path to two-factor authentication, not only for web-based single sign-on and CGI programs, but for virtually any software. No additional software is required to use the Authenex token with DACS. We hope to support other vendors' products in future releases. Besides auth_token(1), please see a description of the Authenex A-Key and background on two-factor authentication.

This release no longer supports some PASSWORD_* directives, as earlier advised. If you configured them for a previous release, you will need to delete some configuration directives. Please see the Change Summary.

This release includes incompatible changes to dacs_auth_transfer(8). If you configured it for a previous release, you will need to change some configuration directives. We apologize for the inconvenience, but we think you will agree that the new way to configure cross-federation trusts is much simpler and easier to understand. Please see the Change Summary.

We were unable to successfully build, or even configure, Samba 3.0.23c on the Solaris 10 x86 platform but had no problems with it on FreeBSD and GNU/Linux. If you require NTLM support on the Solaris 2.8 platform and experience difficulties building local_ntlm_auth, you may need to edit src/defs.mk and add "-lresolv" to the SAMBA_LIBS argument list (this must be repeated if you re-run configure). Please make sure you build Samba exactly as described in dacs.install(7). If this release of Samba does not build on your platform, or will not work properly with DACS, try an earlier release that has been tested with DACS: samba-3.0.23, samba-3.0.22, or samba-3.0.21a.

Although this release was tested with OpenSSL 0.9.8c, initial testing with 0.9.8d has not revealed any problems and it should be ok to use.

Change Summary

Major changes and improvements include:

Some progress has been made with local_pam_authenticate and we hope to have it functional in the next release.

Post-Release Notes

Both the HTML and XML output of conf(1) and dacs_conf(8) can be incorrect - a closing Roles tag may be omitted. This is insignificant for most users, but a patch is available for src/conf.c. The CSS file for the HTML output (man/css/conf.css) was not updated to include the new Transfer clause. Though not important, a patch is available.

DACS Version 1.4.14

Release Notes

This is primarily a bug fix and minor enhancements release. It includes new applications that apply the DACS rule processing engine to problems other than web access control. A demonstration of one of these applications, dacs_transform(8), is available. The new dacstransform(1) command was used to generate much of this site's documentation.

Improvements of note include:

Note:
A new feature, which is enabled by default, has been added to improve security. Earlier releases will discard credentials generated by this release unless the feature has been disabled at jurisdictions running this release, however. Please refer to the VERIFY_UA directive for details.

Change Summary

Bug fixes, minor enhancements, and documentation improvements, including:

New features:

Post-Release Notes

None yet.

DACS Version 1.4.13

Release Notes

This is primarily a bug fix and minor enhancements release. Please be sure to use dacs-1.4.13a - see below.

Important new features include:

Change Summary

Various minor bug fixes and man page improvements, including:

Post-Release Notes

DACS Version 1.4.12

Release Notes

This is primarily a bug fix and minor enhancements release.

Important new features include:

Change Summary

Various minor bug fixes and man page improvements, including:

Post-Release Notes

DACS Version 1.4.11

Release Notes

This is primarily a bug fix and minor enhancements release.

A new cross-federation identity transfer mechanism has been added. It not only provides support for single sign-on among DACS federations, but also between a DACS federation and other identity management systems. See dacs_auth_transfer(8) for details.

The initial release of a web-based DACS administration interface called FedAdmin will be made available shortly at Sourceforge's contributed resource project for DACS. The DACS Java Library (DJL), which is being developed to support the use of DACS in Java client applications, will also be updated.

Change Summary

Post-Release Notes

DACS Version 1.4.10

Release Notes

Change Summary

This release contains some minor new features, fixes bugs, and improves the documentation.

A contributed resource project for DACS is now available. The DACS Java Library (DJL) is being developed to support the use of DACS in Java client applications. It implements Java wrapper classes for selected DACS services, and provides an HTTP client through which DACS services may be accessed and DACS credentials obtained and managed.

Changes of note:

Post-Release Notes

  1. On some newer GNU/Linux distributions, sslclient appears to fail randomly:
    % perl -e 'printf "GET / HTTP/1.0\n\n";' | sslclient fedroot.com:443 > /dev/null
    ssllib: set_nonblocking: fcntl: Invalid argument

    If you want an immediate fix, replace your src/ssllib.c with ssllib.c.gz [SHA(ssllib.c)= df23421c6f826b9cdac7d2f2a9491898b6137ef3]
  2. "make install" may fail if shared libraries have been configured. To fix this, edit Makefile (and/or Makefile.in), look for the targets install-libs and install-shared-lib, and remove the string "/$(SHARED_LIB)". Or simply disable shared libraries (--disable-shared) when you build this release.

DACS Version 1.4.9

Release Notes

Change Summary

This release contains some minor new features, fixes bugs, and improves the documentation.

Other changes:

Post-Release Notes

None.

DACS Version 1.4.8

Release Notes

Change Summary

The major change is the new dacscheck(1) command, which we believe will open up DACS to many developers and many new applications. It provides simplified, platform-independent, general-purpose access to the DACS access control rule evaluation engine. This feature can be used by any virtually any application, script (Perl, PHP, shell, etc.), server software, or CGI program to make data-driven access control decisions rather than program-driven ones. dacscheck can be used by itself and does not depend on any other DACS programs, web services, or even an web server. Simply install it and start to use it. Please refer to the manual page for details and examples.

Other changes:

Post-Release Notes

DACS Version 1.4.7

Release Notes

Please note the following important changes/incompatibilities:

Post-Release Notes

Change Summary

This release includes:

DACS Version 1.4.6

Release Notes

Authentication bugs
Bugs in the NTLM and LDAP authentication modules have been found that may cause authentication to fail. Fixes for these bugs will appear in the next release.

Checksums
After obtaining a DACS release, please verify all checksums for the file you downloaded. Do not use a download if any checksum for it does not match. Checksums will be posted here from now on.

OpenSSL's "dgst" command can be used to compute checksums:

     openssl dgst -md5 dacs-1.4.6.tgz
     openssl dgst -sha1 dacs-1.4.6.tgz

Checksums for dacs-1.4.6.tgz:
-rw-r--r--  1 brachman  wheel  1320654 Sep 19 16:24 dacs-1.4.6.tgz

MD5:   c5c7bc5a941b9f568f2777c523aec121
SHA-1: f2783a0ecd769c332981f28c1fa7f4cd8c746a25

Checksums for dacs-1.4.6.tbz:
-rw-r--r--  1 brachman  wheel  972539 Sep 19 16:24 dacs-1.4.6.tbz

MD5:   7c1a510dee6e41d33eca4dfadd15afa5
SHA-1: 69137b4913f838eb8bcca17690b589bd26c3039d

A note about upgrading
Because DACS is security software, we strongly recommend that you upgrade to the newest release as soon as you are able. This is neither a difficult nor a time consuming procedure most times. Sometimes an incompatible change in DACS will require you to change a DACS configuration file, but this should not be difficult to do and we will try to advise you of such changes.

For a quick and dirty upgrade (assumes you aren't changing any third-party packages or options):

  1. Obtain and unpack the new distribution and cd to it;
  2. Review the README and INSTALL instructions;
  3. Copy the src/config.nice from your installed version to the new src directory and configure DACS:
    "cd src; sh ./config.nice";
  4. Build DACS ("gmake");
  5. Stop Apache httpd ("apachectl stop");
  6. Install DACS ("gmake install");
  7. Make and install the latest mod_auth_dacs module
    "cd ../apache; gmake tag install";
  8. Restart Apache httpd ("apachectl start"); and
  9. Check that DACS appears to be working correctly.

This will leave your existing DACS configuration files alone but it will also leave files that are no longer needed by the new DACS.

Note: whenever you upgrade to a more recent version of DACS, please do not forget to install the Apache mod_auth_dacs module that comes with your new version of DACS.

Change Summary

This release includes:

DACS Version 1.4.5

Release Notes

Change Summary

DACS Version 1.4.4

Release Notes

Change Summary

DACS Version 1.4.3

Release Notes

If you are upgrading to this version of DACS from an older version of DACS 1.4:

Documentation for the dacs_signout web service is missing from the distribution. Its manual page is available here.

Change Summary

DACS Version 1.4.2

Release Notes

Index: INSTALL

Index: HISTORY

Change Summary

$Id: $