DACS Docs - Technical Documentation

Version 1.4.52

Release date 24-Sep-2024 13:09:58

Contents

Section 1: Tools and Utilities
Section 3: Functions and Libraries
Section 5: Formats and Conventions
Section 7: Miscellaneous
Section 8: Web Services and CGI
HTTP Server: Apache
Articles: Using InfoCards With DACS
Project: HOME // README // ACKNOWLEDGEMENTS // HISTORY // INSTALL // LICENSE // NOTICES // DTDs
Indexes: Configuration Directives // Functions // Authentication Modules // Concepts // Annotations // Variables // Third-Party Packages

Section 1: Tools and Utilities

dacs

- a distributed access control system
[About DACS // About the Manual Pages // Key Concepts // Naming // The dacs Utility // Start-up Processing // Internals // Logging // Audit-Class Log Messages // Tracking User Activity]

dacsacl

- list, check, or re-index access control rules

dacsauth

- authentication check
[Enhancing SSH Security]

dacscheck

- authorization check
[Advantages // Identities // Objects // Rule Evaluation Context // An Example Application // Comparing dacscheck with dacs_acs]

dacsconf

- display configuration directives

dacscookie

- create DACS credentials and emit as a cookie

dacscred

- acquire and manage DACS credentials

dacsemail

- Simple outgoing email agent

dacsexpr

- DACS expression language shell and interpreter

dacsgrid

- administer grid-based one-time passwords

dacshttp

- perform an HTTP/HTTPS request

dacsinfocard

- manage InfoCard accounts

dacsinit

- Configure a minimal DACS federation interactively

dacskey

- generate encryption keys for DACS

dacslist

- list jurisdictions

dacspasswd

- manage DACS accounts

dacsrlink

- create and administer rule links

dacssched

- rule-based command scheduling
[Operation]

dacstoken

- administer hash-based one-time passwords
[PINs (Account Passwords) // One-Time Passwords (OTPs) // Accounts // Importing and Exporting OTP Accounts // XML Provisioning Format // KeyUriFormat Provisioning Format]

dacstransform

- rule-based document transformation
[Configuration]

dacsversion

- display version information

dacsvfs

- access objects through the DACS virtual filestore

sslclient

- an SSL/TLS client
[Server Identity Verification]

Section 3: Functions and Libraries

ds

- Dynamic strings and vectors
[Byte Strings // Vectors]

Section 5: Formats and Conventions

dacs.acls

- DACS access control rules
[Revoking Access and // URL Paths and Service Name Matching // Service Parameters // Constraints // ACL Files // ACL Naming // ACL Syntax // General Structure // Services // Rule Clause Processing // The Precondition Element // Expressions // ACL Rule Elements // The ACL Selection and Evaluation Algorithm]

dacs.conf

- DACS configuration files and directives
[Locating dacs.conf and site.conf // Path Interpolation // File Format // The Default Section // The // Section Merging and Directive Evaluation // The undef() directive // Fatal errors // An example // Jurisdiction // The Effective Jurisdictional // Jurisdiction Selection by URI // Jurisdiction Selection by Jurisdiction Name // Jurisdiction Selection by Default // The Distinguishing URI // Directives // Evaluated Directives // Directive Categories // General Directives // The Auth Clause // The Roles Clause // The Transfer Clause // Advanced Techniques // Configuration Variables // Authentication and Roles]

dacs.exprs

- DACS expression language
[Expression Syntax // Comments // Basic Data Types // Variables and Namespaces // Variable Syntax // Variable Modifier Flags // Reserved Namespaces // Lists, Alists, and Arrays // Lists // Alists // Expression Grammar // Operators // Functions]

dacs.groups

- DACS groups
[Role-Based Group Membership // Group Syntax and Semantics // DACS Metadata]

dacs.nat

- Notice Acknowledgement Token specification
[Introduction // Purpose // Design Elements // Terminology // Notational Conventions // Summary // The Notice Acknowledgement Token // NAT Syntax // NAT Names // NAT Reserved Attributes // URI Matching // Cryptographic Elements // Encoding for Transport // Implementation Notes // NAT HTTP Header Syntax // Multiple NATs // Resource Name Mapping // NAT Creation and Merging // Case Sensitivity // Server Autonomy // Minimal Implementation // Middleware Support]

dacs.vfs

- the DACS virtual filestore
[The vfs_uri and Item Types // Virtual Filestore Details]

Section 7: Miscellaneous

dacs.install

- DACS installation guide
[Trying DACS // Upgrading DACS // Installation Layout Overview // Installing DACS // Tip // Initial Testing // Build Options // Configure Options // Standard build and install options // Feature selection options // Third-party support options]

dacs.java

- DACS Java support

dacs.quick

- DACS Quick Start Tutorial
[Step 1: Install required third-party packages // Step 2: Install and configure Apache // Step 3: Build and install DACS // Step 4: DACS-enable Apache // Step 5: Do basic DACS configuration // Step 6: Do basic Apache configuration for DACS // Step 7: Test basic DACS services // Step 8: Try DACS authentication // Step 9: DACS-wrapping a web service // Step 10: What's next? // Step 11: Clean up // Troubleshooting]

dacs.readme

- DACS README
[DACS At a Glance // Supported Platforms // Other Platforms // Warnings // Release Information // Roadmap // Security // Add-on Features // Administration // Related Software // The DACS Java Library (DJL) // The FedAdmin Web Application // Support // Known Problems // Bugs, Suggestions, and Feedback]

Section 8: Web Services and CGI

autologin

- Convert an Apache identity to a DACS identity
[Web Service Arguments]

cgiparse

- CGI parameter parsing utility

dacs_acs

- DACS access control service
[Module-to-ACS Protocol // Credentials // Rlinks // Rlink Details // HTTP Authentication // Authorization Caching // XML Output // Variables Available To Rules // Standard Environment Variables // Exported DACS Variables // Exported Environment Variables // About Servlets // The DACS_ACS Argument // The DACS-Status-Line header // The DACS_APPROVAL environment variable]

dacs_admin

- DACS administration service
[Web Service Arguments // Resources and Methods]

dacs_auth_agent

- DACS delegated authentication service
[Web Service Arguments // Operation // Local Mode // Alien Mode]

dacs_auth_transfer

- transfer credentials between federations
[The Identity Transfer Protocol // Overview // Protocol Operation // Implementation // Web Service Arguments // Presentation // Export // Token // Import]

dacs_authenticate

- DACS authentication service
[Authentication // Names // Credentials and Cookies // Web Service Arguments // Auth Clause Directives // Initialization and the Auth Namespace // Authentication Clause Control Flow // Authenticating Using an Expression // Middleware Support // Authentication Modules // local_apache_authenticate // local_cas_authenticate // local_cert_authenticate // local_grid_authenticate // local_http_authenticate // Deprecated // local_ldap_authenticate // local_native_authenticate // local_ntlm_authenticate // local_pam_authenticate // local_passwd_authenticate // local_radius_authenticate // local_simple_authenticate // local_tgma_authenticate // local_token_authenticate // local_unix_authenticate // Roles // Roles Clause Directives // Roles Clause Control Flow // Roles Modules // local_roles // local_ldap_roles // local_unix_roles // Related Services]

dacs_autologin_ssl

- use an SSL client certificate to automatically obtain DACS credentials
[Web Service Arguments]

dacs_conf

- display DACS configuration directives
[Web Service Arguments]

dacs_current_credentials

- display DACS credentials
[Web Service Arguments]

dacs_error

- simple error handling utility for DACS

dacs_group

- DACS group administration
[Web Service Arguments]

dacs_infocard

- Information Card administration
[Web Service Arguments]

dacs_list_jurisdictions

- display information about DACS jurisdictions
[Web Service Arguments]

dacs_managed_infocard

- create a managed Information Card
[Configuration // Web Service Arguments]

dacs_mex

- WS-MetadataExchange responder for Information Cards
[Web Service Arguments]

dacs_notices

- DACS notice presentation and acknowledgement handler
[Operation // Web Service Arguments // Middleware Support // Simple Mode // Secure Mode]

dacs_passwd

- manage private DACS passwords
[Web Service Arguments]

dacs_prenv

- CGI program that displays its environment
[Web Service Arguments]

dacs_select_credentials

- temporarily disable DACS credentials
[Web Service Arguments]

dacs_signout

- DACS signout service
[Web Service Arguments]

dacs_sts

- Secure Token Service for managed Information Cards
[Configuration // Web Service Arguments]

dacs_token

- manage DACS one-time password token accounts
[Web Service Arguments]

dacs_transform

- rule-based document transformation
[Regions // Directive and Attribute Syntax // Negation // Recursion // Directives // Configuration // Web Service Arguments]

dacs_uproxy

- minimal HTTP proxying
[Web Service Arguments // Operation]

dacs_version

- display DACS version information
[Web Service Arguments]

dacs_vfs

- access objects through the DACS virtual filestore
[Web Service Arguments]

dacs.services

- DACS web services
[Standard CGI Arguments for DACS Web Services]

pamd

- PAM transaction server

HTTP Server: Apache

mod_auth_dacs

- Apache/DACS authentication and authorization module

Annotations

Security Notes

Access to dacs_auth_transfer
Accessibility of dacs_auth_transfer
Apache AuthType, AuthName, and Require directives
Aspects of NAT security
Authentication modules
Authorization caching considered experimental
Browser caching
CAS-based authentication
Choice of PASSWORD_DIGEST
Configuration based on arguments
Configuration of dacs_auth_transfer
Configuring COOKIE_PATH
Constraints on new passwords
Contradictory rules
DACS advisory
DACS configuration files
dacs_admin disabled by default
dacs_auth_agent disabled by default
dacs_authenticate security issues
dacskey and accessibility of keyfiles
Defining new item types
Disabled or restricted web services
Disabling SECURE_MODE
Enabling authentication modules
exec() target UID/GID
Execution privileges and dacsauth
Exporting OTP Accounts
File and directory permissions
Hierarchical independence in ACL paths
Honouring imported credentials
HOTP vs. TOTP
Implications of delegation
Importation of identities
InfoCard identity
Input directory for dacs_transform
Insecurity of local_simple_authenticate
Isolation requirements for dacscheck
ldaps scheme unavailable
Lifetime of credentials and cert-based authentication
Limitations of ACS_CREDENTIALS_LIMIT
Limitations of AUTH_SINGLE_COOKIE
Limitations of COMPAT_MODE
Limitations of constraints
Limitations of COOKIE_HTTPONLY
Limitations of COOKIE_NAME_TERMINATORS
Limitations of NAME_COMPARE
Limitations of VERIFY_UA
Limitations on CGI arguments
Limiting access to dacsconf
Limiting access to dacscookie
Limiting access to dacslist
Limiting access to dacstoken
Limiting access to dacsvfs
Limiting access to Rlinks
Moving credentials to another host
Multiple Auth clauses
Multiple credentials for the same identity
Password in a URI
Password visibility and dacsauth
Password visibility and dacspasswd
Passwords and local_passwd_authenticate
Permissions for dacs_acs
Potential password logging when debugging
Privacy of the federation key
Reliance on cookie names
Remove tutorial files
Reporting authentication failure
Restrict access to dacs_uproxy
Restrict access to dacs_vfs
Restricted access to dacs_conf
Restricted access to dacs_passwd
Restricted access to dacs_token
Restricted access to dacs_version
Restricting access to dacs_auth_transfer
Running dacs_acs setuid/setgid
Running dacsauth, dacs_authenticate setuid/setgid
Secure NTLM communication
Security aspects of access tokens
Security implications of dacsinfocard
Security implications of dacspasswd
Security implications of PERMIT_CHAINING
Security issues and dacsgrid
Security issues and dacstransform
Security issues and pamd
Setting the lifetime of credentials
Supported Devices
Tagging mod_auth_dacs
Testing Apache+DACS
Tokens and secret keys
TOTP Drift Window Size
TOTP Drift Window Size
Tracking anonymous users
Upgrading
Use of MD5
Use of the REFEDERATE directive
Using dacs_admin()
Using SSL/TLS with dacs_auth_transfer
Verification of DACS-wrapping
Verify checksums after downloading
Weakening of credentials

Important Notes

Apache 2.2
Apache 2.2
Apache AuthType, AuthName, and Require directives
Basic and Digest authentication
Build/Install notes
Converting ACL format
DACS advisory
dacsauth() considered experimental
dacscheck() considered experimental
Definition of jurisdiction metadata
Deprecation of Samba
File permissions of autologin
Hiding the DACS_ACS argument
Installing Apache
Interaction between dacshttp and sslclient
Limitations on CGI arguments
mod_auth_dacs version compatibility
NO WARRANTY
NO WARRANTY
PAM authentication
Password syntax
Potential import/export restrictions
Potential password logging when debugging
Third-party packages
Unique jurisdiction sections
Upgrading DACS
user() returning False

Other Notes

Apache AuthType, AuthName, and Require directives
DACS advisory
Limitations on CGI arguments
Potential password logging when debugging

Tips

Apache AuthType, AuthName, and Require directives
Begin by reviewing dacs.quick(7)
Begin with a basic DACS install
Building standalone components
Built-in authentication modules
Built-in roles modules
CAS protocol
Caveat when connecting to a web server
Choosing better passwords
Configuration of mod_ssl in httpd.conf
Configuring HTTP authentication
DACS advisory
DACS self tests
dacs_transform and the 'insert' directive
DEFAULT_JURISDICTION environment variable
Displaying an X.509 certificate
Displaying CGI arguments
Displaying DACS environment variables
Domain attributes in cookies
Easier upgrades
Escaping space characters
Failed internal HTTP requests
Filename suffixes for CGI programs
Filenames for rulesets
Generated directory listings, internal redirects
InfoCard authentication using an expression
Initial configuration using dacsinit
Installing a subset of DACS
Limitations on CGI arguments
local_unix_authenticate and setuid
Manual pages: fonts
Manual pages: man(1) output
Obtaining Berkeley DB
Omitting braces in a variable reference
OpenLDAP options
Potential password logging when debugging
Problems while building with shared libraries
Redirection after authentication
Remember to make public files accessible
Remember to restart httpd
Reviewing build notes
Rotate log files
Save your config.nice
Selecting characters and substrings
Selecting new credentials
Sending the client certificate
Short links
Testing LDAP authentication
Testing NTLM authentication
Testing where a client authenticated
Try dacsexpr
Use site.conf-std
Using dacsinit
Using user()
Validating ruleset syntax
Value of an if statement
Variable substitution in dacs_transform
Verify web server version
Viewing DACS documentation via Apache
Whitespace in a variable reference

Variables

${Args::DACS_USERNAME}
${Args::RNAME}
${Args::USERNAME}
${Auth::ABORT}
${Auth::CREDENTIALS_LIFETIME_SECS}
${Auth::CURRENT_ROLES}
${Auth::CURRENT_USERNAME}
${Auth::DACS_IDENTITY}
${Auth::DACS_JURISDICTION}
${Auth::DACS_USERNAME}
${Auth::DACS_VERSION}
${Auth::LAST_ROLES}
${Auth::MODULE_SKIP}
${Auth::ROLES}
${Conf::dacs_approval_digest_name}
${Conf::FEDERATION_DOMAIN}
${Conf::http_auth_401}
${Conf::LOG_LEVEL}
${Conf::prompt_submit_label}
${DACS::ACS}
${DACS::ARG_COUNT}
${DACS::ARGS_TRUNCATED}
${DACS::ARGS}
${DACS::AUTHORIZATION}
${DACS::CONTENT_ENCODING}
${DACS::CONTENT_LENGTH}
${DACS::CONTENT_TYPE}
${DACS::CURRENT_URI_NO_QUERY}
${DACS::CURRENT_URI}
${DACS::FEDERATION}
${DACS::FILENAME}
${DACS::IDENTITY}
${DACS::INTERACTIVE}
${DACS::IP}
${DACS::JURISDICTION}
${DACS::METHOD}
${DACS::PATH_INFO}
${DACS::POSTDATA}
${DACS::PROXYREQ}
${DACS::QUERY}
${DACS::REMOTE_ADDR}
${DACS::REMOTE_HOST}
${DACS::RIDENT}
${DACS::RIPTR}
${DACS::RNAME}
${DACS::ROLES}
${DACS::URI}
${DACS::URI}
${DACS::USER_AGENT}
${DACS::USERNAME}
${Env::REMOTE_USER}
${Env::REQUEST_URI}
${LDAP::attrname}
${LDAP::attrvalue}
${LDAP::USERNAME}
${Options::AUXILIARY}
${Options::DACS_JURISDICTION}
${Options::DACS_USERNAME}
${Options::DACS_VERSION}
${Options::PASSWORD}
${Options::USERNAME}
APACHE_HOME
argv[0]
CGI_SUFFIX
DACS_ACS_JURISDICTION
DACS_APPROVAL
DACS_BINDIR
DACS_CGIBINDIR
DACS_CONCISE_IDENTITY
DACS_CONF
DACS_CONF
DACS_CONF_SPEC
DACS_CONSTRAINT
DACS_DEFAULT_CONSTRAINT
DACS_FEDERATION
DACS_HOME
DACS_IDENTITY
DACS_JURISDICTION
DACS_MOD_AUTH_DACS
DACS_MOD_AUTH_DACS_VERSION
DACS_RELEASE
DACS_ROLES
DACS_SBINDIR
DACS_SITE_CONF
DACS_SITE_CONF
DACS_SITE_CONF_SPEC
DACS_USERNAME
DACS_VERSION
DACS_VERSION
DOCUMENT_ROOT
EXE_SUFFIX
FEDERATIONS_ROOT
HTTP_HOST
HTTP_USER_AGENT
infocard_card_image_card
infocard_card_image_cert
infocard_card_image_passwd
infocard_sts_password
infocard_sts_password
infocard_sts_title
infocard_sts_username_password_prompt_fmt
JURISDICTION_URI
JURISDICTION_URI_PREFIX
OPENSSL_PROG
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SSL/TLS variables
URI_SCHEME

Configuration Directives

ACCEPT_ALIEN_CREDENTIALS
ACS_ACCESS_TOKEN_ENABLE
ACS_ACCESS_TOKEN_LIFETIME_LIMIT
ACS_ACCESS_TOKEN_LIFETIME_SECS
ACS_AUTHENTICATED_ONLY
ACS_CREDENTIALS_INVALID_BEFORE_DATETIME
ACS_CREDENTIALS_LIFETIME_SECS
ACS_CREDENTIALS_LIMIT
ACS_EMIT_APPROVAL
ACS_ERROR_HANDLER
ACS_FAIL
ACS_INACTIVITY_LIMIT_SECS
ACS_POST_BUFFER_LIMIT
ACS_POST_EXCEPTION_MODE
ACS_PRE_AUTH
ACS_SUCCESS
ACS_TRACK_ACTIVITY
ADMIN_IDENTITY
ALLOW_HTTP_COOKIE
AUTH_AGENT_ALLOW_ADMIN_IDENTITY
AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS
AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
AUTH_ERROR_HANDLER
AUTH_FAIL
AUTH_FAIL_DELAY_SECS
AUTH_SINGLE_COOKIE
AUTH_SUCCESS
AUTH_SUCCESS_HANDLER
AUTH_TRANSFER_EXPORT
AUTH_TRANSFER_TOKEN_LIFETIME_SECS
claim_name
claim_name
claim_type
claim_type
claim_uri_prefix
claim_uri_prefix
claim_uri_prefix_abbrev
claim_value
COMPAT_MODE
CONTROL
COOKIE_HTTPONLY
COOKIE_NAME_TERMINATORS
COOKIE_NO_DOMAIN
COOKIE_PATH
CREDENTIALS_LIFETIME_SECS
CREDENTIALS_LIFETIME_SECS
CSS_PATH
DTD_BASE_URL
ERROR_URL
EVAL
EXIT*
EXIT*
EXIT*
EXPR
EXPR
FEDERATION_DOMAIN
FEDERATION_NAME
FLAGS
HTTP_AUTH
HTTP_AUTH_ENABLE
HTTP_PROG
IMPORT_FROM
IMPORT_ROLES
IMPORT_URL
INFOCARD_AUDIENCE
INFOCARD_AUDIENCE_RESTRICTION
INFOCARD_CARD_DATETIME_EXPIRES
INFOCARD_CARD_DEFS_URL
INFOCARD_CARD_FILL_URL
INFOCARD_CARD_IMAGE_BASE_URL
INFOCARD_CARD_LIFETIME_SECS
INFOCARD_CARD_OUTPUTDIR
INFOCARD_CARD_VERSION
INFOCARD_CARDID_BASE_URL
INFOCARD_CARDID_SUFFIX
INFOCARD_DIGEST
INFOCARD_IP_PRIVACY_URL
INFOCARD_IP_PRIVACY_VERSION
INFOCARD_ISSUER_INFO_ENTRY
INFOCARD_MEX_URL
INFOCARD_REQUIRE_APPLIES_TO
INFOCARD_STRONG_RP_IDENTITY
INFOCARD_STS_AUTH_TYPE
INFOCARD_STS_CACERTFILE
INFOCARD_STS_CERTFILE
INFOCARD_STS_KEYFILE
INFOCARD_STS_KEYFILE_PASSWORD
INFOCARD_STS_PASSWORD_METHOD
INFOCARD_STS_RP_ENDPOINT
INFOCARD_TOKEN_DRIFT_SECS
INFOCARD_TOKEN_ISSUER
INFOCARD_TOKEN_LIFETIME_SECS
INFOCARD_TOKEN_MAX_LENGTH
INFOCARD_USERNAME_SELECTOR
INIT*
INIT*
JURISDICTION_NAME
LOG_FILE
LOG_FILTER
LOG_FORMAT
LOG_LEVEL
LOG_SENSITIVE
LOGINGEN_FILE
LOGINGEN_PROG
NAME_COMPARE
NOTICES_ACCEPT_HANDLER
NOTICES_ACK_HANDLER
NOTICES_DECLINE_HANDLER
NOTICES_NAT_NAME_PREFIX
NOTICES_SECURE_HANDLER
NOTICES_WORKFLOW_LIFETIME_SECS
OPTION
OPTION
OPTION*
OPTION*
PAMD_HOST
PAMD_PORT
PASSWORD_AUDIT
PASSWORD_CONSTRAINTS
PASSWORD_DIGEST
PASSWORD_OPS_NEED_PASSWORD
PASSWORD_SALT_PREFIX
PERMIT_CHAINING
PREDICATE
PREDICATE
PREDICATE
PROXY_EXEC_DOCUMENT_ROOT
PROXY_EXEC_MAPPER_DEFAULT_ACTION
PROXY_EXEC_MAPPER_LOG_FILE
PROXY_EXEC_MAPPER_LOGGING
PROXY_EXEC_MAPPER_RULES_FILE
PROXY_EXEC_PROG_URI
REFEDERATE
RLINK
ROLE_STRING_MAX_LENGTH
ROLES*
SECURE_MODE
SIGNOUT_HANDLER
SSL_PROG
SSL_PROG_ARGS
SSL_PROG_CA_CRT
SSL_PROG_CLIENT_CRT
STATUS_LINE
STYLE
SUCCESS_URL
TEMP_DIRECTORY
TOKEN_HOTP_ACCEPT_WINDOW
TOKEN_REQUIRES_PIN
TRACE_LEVEL
UNAUTH_ROLES
UPROXY_APPROVED
URL
URL
URL*
URL*
VERBOSE_LEVEL
VERIFY_IP
VERIFY_UA
VFS
XSD_BASE_URL

DTDs

These XML DTD skeletons are used only to help document information used by DACS.

access_token.dtd, acl_index.dtd, acl.dtd, auth_reply.dtd, common.dtd, Configuration.dtd, credentials.dtd, crypt_keys.dtd, dacs_acs.dtd, dacs_admin.dtd, dacs_auth_agent.dtd, dacs_auth_reply.dtd, dacs_auth_transfer.dtd, dacs_conf_reply.dtd, dacs_current_credentials.dtd, dacs_group.dtd, dacs_infocard.dtd, dacs_list_jurisdictions.dtd, dacs_notices.dtd, dacs_passwd.dtd, dacs_select_credentials.dtd, dacs_user_info.dtd, dacs_version.dtd, groups.dtd, roles_reply.dtd, selected_credentials.dtd, store_reply.dtd


This documentation was created on Tue Sep 24 16:22:48 PDT 2024 using DocBook and libxslt.