
DACS: The Distributed Access Control System

DACS is a light-weight single sign-on and role-based access control system for web servers and server-based software. DACS makes secure resource sharing and remote access via the web easier, safer, and more efficient. DACS is particularly well suited to providing single sign-on across organizational or departmental web servers, and to limiting access to their web-based resources.

Released under an open source license, DACS gives you:


DACS = Authentication + Authorization

DACS works with virtually any authentication method and unifies an assortment of accounts into a single identity. You can leverage the user accounts and authentication methods that you already use, or introduce new ones easily. Out of the box, DACS lets users authenticate using: DACS username/password, X.509 client certificate, self-issued or managed Information Card, one-time password, Unix account, Apache password files, Windows NTLM, ADS/LDAP, CAS, HTTP, PAM, Basic or Digest Auth, special URLs, two-factor authentication, expressions, and more.

Our highest priority is for DACS to remain a secure, stable, and well-documented system.

Light-weight single sign-on

Once a user has signed on through DACS, he will be recognized throughout a federation of web servers.

While it shares many of the advantages of other single sign-on systems, DACS offers some unique features and is more efficient, and simpler to understand, customize, and administer compared to the heavy-weight, enterprise-level alternatives. If your single sign-on needs are modest, or if you are not even certain what they are, you should look at DACS. DACS does the hardest parts for you - all that you need to do is configuration and "look & feel" customizations.

Authentication and Authorization Toolkit

Why reinvent the wheel? Creating security software demands specialized expertise. It is challenging to develop and keep current. Besides offering a complete single sign-on solution, DACS includes a toolbox of components from which other single sign-on systems and web site features can be built. It supplies authorization checking capabilities and user authentication functionality that developers need to get their applications working quickly, whether web-based or not. Many kinds of server-based applications can benefit from DACS tools. Its rule processing engine can be employed in a wide variety of applications, not only to provide fine-grained authorization testing. Configuration is flexible and programmable.

For applications: Authorization testing can be performed from the command line, allowing scripts (Perl, PHP, shell, etc.) to make data-driven access control decisions rather than code-driven ones. Authentication functionality is also available from the command line; programs can easily reuse existing user accounts, authentication methods, and user management tools.
For middleware and web services: Authentication and authorization testing can be done through simple, REST-based web service calls, the DACS Java library, or a C/C++ API. DACS web services can return XML or JSON formatted documents.


DSS is pleased to announce the release of DACS 1.4.34. Download links and information about this release are here. It is important to review the Post-Release Notes before building DACS. All sites are encouraged to upgrade. Links to the latest version are here.

Web site changes are in progress. Some examples/demos/links on this site and in the manual pages may not work until the changes are complete. We apologize for any inconvenience.

Several alerts regarding OpenSSL have been published recently: 19-Mar-2015, 11-Jun-2015, 9-Jul-2015. Recent releases of DACS should work with OpenSSL 1.0.2d and 1.0.1p, but formal testing will not be completed until the next version of DACS is released. Also see SSL Server Test and SSL Cipher Suite Details of Your Browser. Note that support for OpenSSL versions 1.0.0 and 0.9.8 ends on 31-Dec-2015 and no security updates for these releases will be provided after that date.

We have recently experimented with the popular HAProxy high-performance TCP/HTTP Load Balancer by adding support for DACS authentication. For background information and instructions, see README.DACS. To get the patches and example configuration files, download haproxy-dacs-1.5.11.tgz. If there is sufficient interest, work will continue, so please let us know what you think.

DACS (and Apache) can optionally use Berkeley DB to store various information, such as passwords. Starting with version 6.0.x, Oracle changed the Berkeley DB license from the Sleepycat License to the GNU Affero General Public License (AGPL). For some analysis of this change, please refer to "Oracle switches Berkeley DB license"; "Debian, Berkeley DB, and AGPLv3"; and "Oracle Quietly Switches BerkeleyDB To AGPL". DACS will continue to be compatible with Berkeley DB 5.3, which was released under the Sleepycat License, for as long as practical. Other DBM-type databases are supported by DACS.

In early 2011, Microsoft announced that it would not support CardSpace (aka, Infocards and Information Cards) starting with Windows 8. CardSpace has been the most widely available identity selector for using Information Cards. The implementation of Infocards support within DACS remains in the code base and is documented, but is no longer being actively tested and maintained (neither are the demos). Support for Information Cards within DACS will likely be removed eventually. You may find that other Infocard and CardSpace related projects have been terminated and their web pages are out of date or no longer available. See: On the Demise of CardSpace; Open Cardspace opportunity; Personal Reflections on the CardSpace Journey; From CardSpace to Verified Claims; Change will come: the present is untenable; The Clay Feet of Giants?; RIP, Windows CardSpace. Hello, U-Prove; and U-Prove.

Apache 2.4 is now the preferred branch for use with DACS. Apache 2.2 has been designated as a legacy branch. Apache 2.0 is no longer supported by DACS, as that branch of Apache is no longer maintained.

Several GNU/Linux-based distributions, such as Debian and Ubuntu, include DACS as a package. Although DSS helps to facilitate those packages, we do not prepare, maintain, or test them for those specific platforms. The Debian project uses DACS for its single sign-on system for web services.


This page last modified 31-Jul-2015 14:53 PDT
© Copyright 2001-2015 DSS Distributed Systems Software Inc. All rights reserved.
Vancouver, British Columbia, Canada