DACS Features and Benefits
Why should you use DACS?
Sure, it is a fully supported, open source product with many nifty features,
but why should you install it, or at least try it?
The answer partly depends on whether you are running one web site,
working with two or more web sites, or are a software developer,
but we believe that if you get to know it a little and compare it to the
alternatives, you will be impressed with DACS!
DACS is not a system designed around
the latest technological fads or driven by some
industry consortium's business goals.
We have developed versatile solutions based on solid, secure core technologies
that address many of the authentication and authorization problems of
real organizations and system administrators.
It is a practical system.
Here are some of the main features and benefits of
DACS gives you an out-of-the-box
single sign-on solution with attendant benefits to users and
- after authenticating, users are recognized by every site within a
DACS federation without needing to have accounts
on every site or having to reauthenticate
- after authentication, identification of a user throughout a federation
is fast and efficient
- regardless of how users are authenticated, they can assume
the same federation-wide identity
- system administrators have fewer accounts to manage
and fewer user problems taking up their time
- DACS identities can be
transferred between two DACS federations,
and between a DACS federation and
another identity management system
- a user can be a person or an application
DACS has been carefully designed to
have no single point of failure, making it resilient against hardware,
software, and communication failures.
This means that DACS does not rely on any
central computer or server, so that if any component of the system fails or
becomes inaccessible, the rest of the system will continue to operate normally.
Not all similar systems share this important property!
By configuring redundancy into your DACS
configuration, your federation can be very tolerant of failures and can
continue to operate as normally as possible while servers are brought
down for maintenance, etc.
DACS supplies a coherent, modular,
extensible authentication framework that lets you leverage your
existing authentication systems and account management policies,
or easily introduce new ones.
The most widely-used Apache authentication methods are available and
Apache password files can be used by DACS.
- DACS makes it easy to connect to
your existing authentication infrastructure so that your
users can reuse an existing account name and password rather than
having to create and remember yet another one, and system administrators
do not need to create new accounts or learn new account management tools
- authentication configuration is determined at run time with
all enabled DACS authentication methods
- authentication methods can be combined; for example, a user
might have to give an account name and password,
and use a valid SSL client certificate
- different users can authenticate using different methods;
some might use LDAP/Active Directory, others might use their Unix
account, and some might use their X.509 certificate
- accounts used only by DACS can
also be created and managed
- user account provisioning, including flexible account disabling,
- DACS credentials, which represent
an identity, are cryptographically protected using industry-standard methods
- authentication can take place on a server other than the one
on which Apache/DACS runs
- authentication can be based on RFC 2617 Basic or Digest Authentication
but it is not required, so authentication does not need to be interactive
DACS can authenticate a user based on:
- an X.509 client certificate (via SSL/TLS);
- (now deprecated)
a self-issued or managed Information Card
(DACS can issue managed InfoCards and act as a Relying Party);
- two-factor authentication using one-time passwords
(hardware tokens or software apps) and a PIN,
or via a combination of methods;
- two-factor authentication using challenge-response based one-time passwords;
- a Unix account (local or YP/NIS);
- Apache password files (htpasswd, htdbm, or htdigest files);
- Windows NT LAN Manager (NTLM);
- Microsoft Active Directory or LDAP;
- the Central Authentication Service (CAS) protocol;
- an HTTP request (e.g., for Google accounts);
- the RADIUS protocol;
- an identity imported from a trusted system;
- an arbitrary expression or external program evaluation;
- system Pluggable Authentication Modules (PAM);
- an identity established by any Apache authentication module
(RFC 2617 Basic or Digest Authentication) or
- its own private username/password database.
These authentication methods can be combined and selected
in various ways at authentication time.
DACS has been deployed in environments
with thousands of user accounts.
Powerful Access Control
Expressive access control rules let you decide who can access
your web site's resources:
- access control can be applied to any of your files,
programs, servlets, databases, and web services;
with coarse-grained access control,
no integration work is required and
authorization checks are performed transparently,
before a web-based resource is accessed or executed;
fine-grained access control can be implemented on a
per-application basis via web-based, command-line based, or C/C++ interfaces
- users can be assigned roles in a number of different ways and can be
associated with dynamic groups of users
- access can be granted or denied based on the identity, location,
roles, or group membership of the user requesting access, or depending
on context, such as environment variables or information in a file or database,
or based on the result of executing another program
- access can be restricted to registered users and each user can be
limited to his personal area of a web site
- an individual user's access can be revoked,
no matter how or where the user was authenticated
- web service arguments can be examined by access control rules
- there is built-in support for notice or license acknowledgements
- a rich set of functions, predicates, and C/C++ expressions with variables
can be used
(also available when configuring DACS)
- configurable as an access control proxy for other web servers,
which can ensure globally-enforced access control policies
DACS has a comprehensive feature set.
Here is just a partial list:
- DACS comes with a wide selection
of authentication methods; it is possible to reuse your existing
Apache accounts; strong (two-factor) authentication methods are supported
- DACS applies powerful,
context-sensitive rule-based authorization processing to service requests
- a single Apache module replaces the functionality of many Apache modules;
most of the work is done outside of Apache, making
customization and debugging easier,
and if DACS fails it does not take
Apache down with it
- areas of a web site where access control is not delegated
to DACS are not affected
- DACS runs on a variety of
Unix-type platforms and a federation can be heterogeneous
(comprised of any mixture of supported platforms);
DACS can interoperate with software
running on other platforms (such as Microsoft authentication services) but
does not require any DACS software to be
installed on those platforms
- if you have some experience with Apache, you can get a
DACS federation up and running quickly
- once configured for DACS,
Apache does not need to be reconfigured or restarted when
DACS is reconfigured or reinstalled
- DACS has been carefully designed so
that its run-time configuration and that of Apache are as free of
interdependencies as possible
- So far, no modifications to the Apache 2.2 and 2.4 code
- DACS is highly configurable,
programmable, and available;
configuration can depend on run-time conditions;
configuration changes take effect immediately,
so often no down-time is required
- through its virtual filestore capability, support files
(such as password files) can be located on a server other than the one
on which Apache/DACS runs
- an audit trail of requests, successful and failed sign-ons,
sign-offs, and operations on DACS accounts
is produced (user activity monitoring and reporting)
for any authentication method, weak passwords can be reported;
DACS-administered passwords can
have configurable length and complexity policies
- the appearance of most web-based user interfaces can be customized,
and most work flows can be configured through handlers
- DACS works with most popular browsers and
- DACS can be used in
B2B (server-to-server) applications and with software-driven clients
- detailed event logging is fully configurable
- DACS is open source, so you are free
to study the code, make your own enhancements, and fix bugs yourself
- by invoking DACS web services,
you can introduce new capabilities to applications or middleware,
add customizations, or build new features
Please refer to the
FAQ for additional details.
A summary of major features available in the latest release and planned
for upcoming releases
is also available.
One of the primary benefits of DACS
is that it fosters "controlled sharing".
As the need for distributed sharing of resources, remote access,
and communication and collaboration over the web grows,
so does the need to carefully manage user authentication and authorization.
Without the right security tools, these kinds of potentially powerful
applications simply cannot be trusted.
DACS enables controlled sharing
efficiently, economically, and securely.
Tools for Developers
As a developer, you can use DACS as a toolbox
for creating customizations and other single sign-on systems and web portals.
Access to DACS core technologies is
provided through web services and command-line utilities.
Whether you are writing web services, middleware, or any network-based
application, you can apply the DACS
authentication framework and rule processing engine from the command line
or by calling a DACS web service.
The DACS rule processing engine can
be used by any program, not only for making access control decisions,
but for a wide variety of selection or condition-testing purposes.
It has been used as the core technology by document transformation
and a command scheduling application
Many of the utilities are not web-based, although they can be used
by CGI programs and other web services:
- dacscheck uses the
DACS rule processing engine to do
- dacsauth uses the
DACS authentication framework to
validate usernames and passwords
- dacstransform uses the
DACS rule processing engine to perform
rule-based document transformation
To get a better understanding of what DACS can do and how it works,
please take a look at the tips and examples.
If you have any questions about what DACS
can and cannot do,
please contact us.
© Copyright 2003-2019 DSS Distributed Systems Software, Inc.
All rights reserved.