DACS Features and Benefits
Why should you use DACS?
Sure, it is a fully supported, open source product with many nifty features,
but why should you install it, or at least try it?
The answer partly depends on whether you are running one web site,
working with two or more web sites, or are a software developer,
but we believe that if you get to know it a little and compare it to the
alternatives, you will be impressed with DACS!
DACS is not a system designed around
the latest technological fads or driven by some
industry consortium's business goals.
We have developed versatile solutions based on solid, secure core technologies
that address many of the authentication and authorization problems of
real organizations and system administrators.
It is a practical system.
Here are some of the main features and benefits of
DACS.
Light-Weight Single Sign-On
DACS gives you an out-of-the-box
single sign-on solution with attendant benefits to users and
system administrators:
- after authenticating, users are recognized by every site within a
DACS federation without needing to have accounts
on every site or having to reauthenticate
- after authentication, identification of a user throughout a federation
is fast and efficient
- regardless of how users are authenticated, they can assume
the same federation-wide identity
- system administrators have fewer accounts to manage
and fewer user problems taking up their time
- DACS identities can be
transferred between two DACS federations,
and between a DACS federation and
another identity management system
- a user can be a person or an application
DACS has been carefully designed to
have no single point of failure, making it resilient against hardware,
software, and communication failures.
This means that DACS does not rely on any
central computer or server, so that if any component of the system fails or
becomes inaccessible, the rest of the system will continue to operate normally.
Not all similar systems share this important property!
By configuring redundancy into your DACS
configuration, your federation can be very tolerant of failures and can
continue to operate as normally as possible while servers are brought
down for maintenance, etc.
Leveraged User Authentication
DACS supplies a coherent, modular,
extensible authentication framework that lets you leverage your
existing authentication systems and account management policies,
or easily introduce new ones.
The most widely-used Apache authentication methods are available and
Apache password files can be used by DACS.
- DACS makes it easy to connect to
your existing authentication infrastructure so that your
users can reuse an existing account name and password rather than
having to create and remember yet another one, and system administrators
do not need to create new accounts or learn new account management tools
- authentication configuration is determined at run time with
all enabled DACS authentication methods
selectable
- authentication methods can be combined; for example, a user
might have to give an account name and password,
and use a valid SSL client certificate
- different users can authenticate using different methods;
some might use LDAP/Active Directory, others might use their Unix
account, and some might use their X.509 certificate
- accounts used only by DACS can
also be created and managed
- user account provisioning, including flexible account disabling,
is available
- DACS credentials, which represent
an identity, are cryptographically protected using industry-standard methods
- authentication can take place on a server other than the one
on which Apache/DACS runs
- authentication can use RFC 2617 Basic or Digest Authentication,
but this is not required, so authentication need not be interactive
DACS can authenticate a user based on:
- an X.509 client certificate (via SSL/TLS);
- (now deprecated) a self-issued or managed Information Card
(DACS can issue managed InfoCards and act as a Relying Party);
- two-factor authentication using one-time passwords
(hardware tokens or software apps) and a PIN,
or via a combination of methods;
- two-factor authentication using challenge-response based one-time passwords;
- a Unix account (local or YP/NIS);
- Apache password files (htpasswd, htdbm, or htdigest files);
- Windows NT LAN Manager (NTLM);
- Microsoft Active Directory or LDAP;
- the Central Authentication Service (CAS) protocol;
- an HTTP request (e.g., for Google accounts);
- the RADIUS protocol;
- an identity imported from a trusted system;
- an arbitrary expression or external program evaluation;
- system Pluggable Authentication Modules (PAM);
- an identity established by any Apache authentication module
(RFC 2617 Basic or Digest Authentication) or
- its own private username/password database.
These authentication methods can be combined and selected
in various ways at authentication time.
DACS has been deployed in environments
with thousands of user accounts.
Powerful Access Control
Expressive access control rules let you decide who can access
your web site's resources:
- access control can be applied to any of your files,
programs, servlets, databases, and web services;
with coarse-grained access control,
no integration work is required and
authorization checks are performed transparently,
before a web-based resource is accessed or executed;
fine-grained access control can be implemented on a
per-application basis via web-based, command-line based, or C/C++ interfaces
- users can be assigned roles in a number of different ways and can be
associated with dynamic groups of users
- access can be granted or denied based on the identity, location,
roles, or group membership of the user requesting access, or depending
on context, such as environment variables or information in a file or database,
or based on the result of executing another program
- access can be restricted to registered users and each user can be
limited to his personal area of a web site
- an individual user's access can be revoked,
no matter how or where the user was authenticated
- web service arguments can be examined by access control rules
- there is built-in support for notice or license acknowledgements
- a rich set of functions, predicates, and C/C++ expressions with variables
can be used
(also available when configuring DACS)
- configurable as an access control proxy for other web servers,
which can ensure globally-enforced access control policies
Features
DACS has a comprehensive feature set.
Here is just a partial list:
- DACS comes with a wide selection
of authentication methods; it is possible to reuse your existing
Apache accounts; strong (two-factor) authentication methods are supported
- DACS applies powerful,
context-sensitive rule-based authorization processing to service requests
- a single Apache module replaces the functionality of many Apache modules;
most of the work is done outside of Apache, making
customization and debugging easier,
and if DACS fails it does not take
Apache down with it
- areas of a web site where access control is not delegated
to DACS are not affected
by DACS
- DACS runs on a variety of
Unix-type platforms and a federation can be heterogeneous
(composed of any mixture of supported platforms);
DACS can interoperate with software
running on other platforms (such as Microsoft authentication services) but
does not require any DACS software to be
installed on those platforms
- if you have some experience with Apache, you can get a
DACS federation up and running quickly
- once configured for DACS,
Apache does not need to be reconfigured or restarted when
DACS is reconfigured or reinstalled
- DACS has been carefully designed so
that its run-time configuration and that of Apache are as free of
interdependencies as possible
- so far, no modifications to the Apache 2.2 and 2.4 code
are required
- DACS is highly configurable,
programmable, and available;
configuration can depend on run-time conditions;
configuration changes take effect immediately,
so often no down-time is required
- through its virtual filestore capability, support files
(such as password files) can be located on a server other than the one
on which Apache/DACS runs
- an audit trail of requests, successful and failed sign-ons,
sign-offs, and operations on DACS accounts
is produced (user activity monitoring and reporting)
- for any authentication method, weak passwords can be reported;
DACS-administered passwords can
have configurable length and complexity policies
- the appearance of most web-based user interfaces can be customized,
and most work flows can be configured through handlers
- DACS works with most popular browsers and
does not require plugins, JavaScript, or any special client-side administration
- DACS can be used in
B2B (server-to-server) applications and with software-driven clients
- detailed event logging is fully configurable
- DACS is open source, so you are free
to study the code, make your own enhancements, and fix bugs yourself
- by invoking DACS web services,
you can introduce new capabilities to applications or middleware,
add customizations, or build new features
Please refer to the
FAQ for additional details.
A summary of major features available in the latest release and planned
for upcoming releases
is also available.
Controlled Sharing
One of the primary benefits of DACS
is that it fosters "controlled sharing".
As the need for distributed sharing of resources, remote access,
and communication and collaboration over the web grows,
so does the need to carefully manage user authentication and authorization.
Without the right security tools, these kinds of potentially powerful
applications simply cannot be trusted.
DACS enables controlled sharing
efficiently, economically, and securely.
Tools for Developers
As a developer, you can use DACS as a toolbox
for creating customizations and other single sign-on systems and web portals.
Access to DACS core technologies is
provided through web services and command-line utilities.
Whether you are writing web services, middleware, or any network-based
application, you can apply the DACS
authentication framework and rule processing engine from the command line
or by calling a DACS web service.
The DACS rule processing engine can
be used by any program, not only for making access control decisions,
but for a wide variety of selection or condition-testing purposes.
It has been used as the core technology by document transformation
software (dacstransform(1) and dacs_transform(8))
and a command scheduling application (dacssched(1)).
Many of the utilities are not web-based, although they can be used
by CGI programs and other web services:
- dacscheck uses the
DACS rule processing engine to do
authorization checking
- dacsauth uses the
DACS authentication framework to
validate usernames and passwords
- dacstransform uses the
DACS rule processing engine to perform
rule-based document transformation
To get a better understanding of what DACS can do and how it works,
please take a look at the tips and examples.
If you have any questions about what DACS
can and cannot do,
please contact us.
© Copyright 2003-2024 DSS Distributed Systems Software, Inc.
All rights reserved.