About DACS

DACS is designed, implemented, and owned by DSS, a small, privately-held software development house that creates leading-edge, professional quality open source software. Our goal is to produce software that is powerful yet as simple as possible.

Development of DACS began in May, 2001, funded in part by GeoConnections. A key component [0-broken, 1-broken, 2] of Canada's National Forest Information System (NFIS) for many years, DACS is currently deployed on over 20 servers across more than a dozen jurisdictions spanning the country to provide authentication and role provisioning capabilities for the Canadian Forest Service Network (CFSNet). Canadian federal and provincial government departments, programs, and initiatives use DACS to secure their web resources. Additionally, DACS is actively used:

• internally by one of the world's largest manufacturers of computer networking products
• as a major security component in large web-based projects in Germany and Switzerland
• in a project working with Spring Security to supply authentication and single sign-on capabilities

Several GNU/Linux-based distributions, such as Debian, Ubuntu, and Linux Mint include DACS as a package. Although DSS helps to facilitate those packages, we do not prepare, maintain, or test them for those specific platforms. The Debian project uses DACS for its single sign-on system for web services.

Although it is a general-purpose system, DACS has been deployed in support of web-based applications in the geospatial domain and has been the subject of three Open Geospatial Consortium initiatives (CIPI 1.1, CIPI 1.2, and OWS-3).

References from DACS installations are available upon request.

If you are unfamiliar with DACS, the information in our Resources area is a good place to start. Complete technical documentation for the current release is also available.

Why DACS?

DACS provides web site administrators and software developers with a coherent and simple external framework for describing and enforcing access control based on user identity, resource attributes, and context. In the same way that developers use existing software libraries (such as math, cryptographic, graphics, and LDAP support functions), databases, and other reusable components instead of implementing them from scratch, DACS lets programmers delegate the hard parts of authentication, authorization checking, and single sign-on to a system specifically designed for that purpose. And it lets them, and web site administrators, reap the benefits without a large investment in software and training.

DACS gives you:

• Low total cost of ownership
  Like other open source licensed software, you can usually use DACS free of charge. Bug reports are welcome. Fast, affordable professional technical support is available.
• A feature rich, versatile, and configurable system
  
• A secure and modular implementation
  DACS deployments have been subjected to independent security analyses.

While programmers have long accepted the benefits of adopting third-party solutions that involve considerable domain-specific knowledge and which are challenging to develop, they continue to reimplement their own access control and authentication solutions. Why? The disadvantages are obvious. Application-specific user accounts and passwords proliferate. Each application adopts its own conventions, languages, and syntaxes. If integration with an external authentication framework is required, each application implements its own interfaces to it. Following this approach increases software development and maintenance costs, and results in complicated and fragile software that is more expensive to administer and unpleasant for its users.

Single sign-on systems (and identity management systems) have been the next Big Thing for years, with trade magazines regularly trotting out cover stories on them. Still, these systems are catching on very slowly for web-based applications. With all of the advantages that they promise, why should this be? We think there are several major issues:

1. Fear of Complexity
   Frequently, potential users of these technologies don't quite understand what single sign-on, authentication, and access control are, how they work, and how they interoperate. Or, they think they do until it is time to face some of the subtleties of deploying these technologies in their computing environment. And there is a sense that making the wrong decision would be much worse than falling back on simpler, well-understood methods. It is difficult to trust something that you do not understand or are uncomfortable with, particularly in the realm of computer system security.

   Many of the articles on these subjects are framed in terms of the Big Picture, where everyone has a single digital identity that is universally recognized and single sign-on greases the gears of web-based commerce so that a consumer can conveniently buy a DVD from one vendor, purchase concert tickets from another, access his corporate intranet, and file his income tax return, without having to sign on at each web site. We hear talk of "consumer identity software" that "ties together services and software, consumers and businesses". This is bound to scare away organizations, businesses, institutions, federations, and schools that are only concerned with finding the simplest solution to their "small" problem, which typically involves securely and conveniently controlling access to web-based resources located on one or more of their servers.

   Are the solutions that you need the same as those developed to address the problems of large corporations and e-commerce?

   Some organizations do indeed have complicated authentication and authorization requirements and have a legitimate fear of making changes that could cause grief to users, make extra work for system administrators, or introduce security problems. One of the consequences of this, however, is that over time they tend to accumulate jungles of authentication and security dependencies that they dare not touch. That is, until there is a major security breach or things suddenly stop working.

   Solutions aimed at the "enterprise level" are invariably difficult to understand and learn, and complicated to use. This increases the fear factor of potential adoptees and decreases their ability to customize and build on the solutions. With DACS, we focus on providing solutions that are as simple as possible (but no simpler).

2. Lack of Suitable Solutions
   Throughout the DACS documentation we emphasize that DACS is flexible. What we mean is that we do not presume to know very much about your particular authentication and access control requirements. Every organization is different in these respects and rigid, inflexible software will necessarily force you to do things its way. Consequently, one of the tenets behind DACS is that it must provide a wide range of solutions and be easy to extend and configure. Whenever possible, its modular design and implementation gives administrators with alternatives and, especially, ways of leveraging existing software and user accounts to reduce administrative effort so that it can do things your way instead of vice versa. Provided the DACS architecture is appropriate for your computing environment, you should be confident that it can meet your single sign-on or access control requirements.

   DACS is increasingly programmable and extensible. While it can solve many kinds of authentication and authorization checking problems out-of-the-box, DACS can also be viewed as a toolbox from which a wide spectrum of solutions can be assembled, even ones unforeseen by its creators.

3. Expense
   When considering adopting a significant software component, of course there's the expense of the software itself to consider, including on-going licensing and maintenance costs, but also the hidden costs (in time and salary) of installing, learning, configuring, upgrading, and continually administering the software. One of the promises of single sign-on is to save money, and it sometimes can, but when considering alternatives remember: large solutions usually cost large dollars.

   DACS, which is free to most users, provides the cost savings of single sign-on while keeping administrative overhead down. DACS may lack some of the bells and whistles of similar software, but how much are you willing to pay for them? Should DACS not provide all of the features and capabilities that you require, you can build customizations in-house or contact us for information, advice, or development services to extend DACS to meet your needs.

4. Risk
   It is far from clear in the long run whether a particular technology or vendor's implementation will win out in this arena, or even whether any of the current crop of approaches will catch on. This makes any significant investment in these systems risky. Because in many cases it costs nothing to use, and excellent, low-cost technical support is available should you need it, DACS gives you a low-risk way to become familiar with the basic technologies while developing a better understanding of your organization's needs.

   Because most of the technologies used by "enterprise level" solutions were developed by big industry players or consortia, some observers have questions about intellectual property issues [1, 2] that surround these solutions and how they will affect this sector of the software industry.

Here are a few characteristics of DACS that we think you should carefully consider when comparing it against alternative solutions:

• Cost
  DACS costs nothing to use, unless you are distributing a closed-source product. Bug fixes and new releases are also free of charge when provided on a best-effort basis. You can evaluate DACS at your convenience and anonymously - no registration is required.
• Open Source
  DACS is distributed as source code. By now everyone knows the many important advantages of this. DACS has no proprietary or binary components. It is possible to see how everything works, apply your own customizations and bug fixes, recompile the entire code base, port to new platforms, and so on. Unlike proprietary and managed solutions, you can satisfy yourself that there is no backdoor that might grant unintended access to your resources.
• Security
  DACS uses industry standard security practices that are well described in its documentation and code, and which are easily configurable or customizable in many important aspects. DACS can be run entirely on your platforms; it does not use any of our web services or depend on any cloud-based support.
• Simplicity
  DACS is typically not much more complicated to build and configure than Apache. DACS web services are easily invoked from any web browser or by programs, and they return text, HTML, or simple XML or JSON documents (making it straightforward to build your own web services on top of DACS). We believe that DACS is smaller and easier to understand than similar software - the importance of this should not be underestimated. Strength does not necessarily come from complexity, and the odds are good that a more complex system will have more bugs and quite possibly more design weaknesses.
• Flexibility and Modularity
  Instead of dictating policy, DACS gives you configurable mechanisms that provide you with ways to mold DACS to meet your needs rather than forcing you to do things its way, like other solutions do. And because you have the source code, you are free to add any features or customizations that you require at will. You can run DACS on any supported platform and single sign-on works across any group of supported platforms.
• Rich Feature Set
  DACS has a large and growing selection of authentication methods, powerful access control rules, and many of the same features provided by other access control and single sign-on systems.
• Versatility
  DACS authentication modules and authorization checking functionality are available from the command line for use by virtually any program or script. Its REST-oriented web interfaces provide easy access to DACS administrative functions and simplifies testing.
• Efficiency
  DACS uses light-weight protocols and a collection of efficient CGI programs.
• Quality Documentation
  We work hard to ensure that the documentation that accompanies DACS is both well-written and complete. It is updated and improved frequently.
• Practicality
  Rather than being an implementation of a design produced by committee, DACS began as a system to address specific real-world security problems faced by web site administrators and programmers. It continues to evolve with that clarity of purpose in mind. DACS does not aim to be an all-in-one, "universal identity system".
• Logging and Auditing Capabilities
  DACS can be configured to emit detailed logging information and audits of incoming requests, information that is critical to detecting and preventing attacks and for understanding what the system is doing.
• Technical Support
  DACS is our main product and has our full attention. Various levels of professional quality technical support are available at very reasonable prices.

Why Not DACS?

Perhaps we can save you some time by touching on why you might look elsewhere for single sign-on, authentication, or authorization technologies. Here are some things that might be important to you:

• Standardization Requirements
  Although DACS follows standards and de facto standards, and uses best industry practices whenever possible, it does not implement a standardized authentication and authorization framework. In a great many cases, however, we feel this is irrelevant. Standards are a key to interoperability between different software components, built by different vendors, but they are not an end unto themselves. There is no guarantee that different implementations of the same standard will interoperate in practice, because of different interpretations of the standard, for instance. Also, as has been demonstrated many times, being adopted as a standard does not in itself imply a component is correct or secure. When there is a choice, we will almost always select simpler and proven components over more complicated or newer ones. But some folks require total standardization no matter what the trade-off. (DACS does include some mechanisms that make it possible for it to interoperate with other systems.)
• Architectural Limitations, Design Choices
  Although DACS is a general-purpose, highly-flexible system, if your requirements are substantially different from those upon which DACS is based, it is possible that DACS may not be able to solve your problem or function in your environment.
• Insufficient Level of Security
  When properly used and configured, DACS is designed to deliver security on par with systems that provide secure commercial and financial services to the public. If you require a highly-secure system (one with military-grade security), DACS is not for you. DACS is not a mandatory access control system. The DACS technical documentation tries to clearly identify security issues that you should be aware of.
• Your Background
  We assume throughout the documentation that you are already familiar with the concepts of authentication and authorization, you have a good understanding of how web servers work, you are capable of performing routine system administration tasks on a Unix-type system, and you are comfortable building, configuring, and running an Apache web server. Although we do point you at other resources, we do not explain this stuff here. Also, you ought to have a solid understanding of how single sign-on works if you are considering using DACS for it; you should have no trouble understanding the What is DACS? document. If you have any doubts, you should probably avoid DACS - and we would also advise you to stay away from similar software, lest you accidentally open up your systems to external access.
• Missing Features or Capabilities
  It is conceivable that DACS does not have a feature that you need or does not work on your platform, although we seriously consider all suggestions for improvements. DACS does not supply complete identity management, and it is not intended to. For instance, it cannot create Unix or Windows accounts or administer their passwords. For web services, DACS can only be integrated with the Apache web server. DACS has not been ported to Windows. If you are unable to run Apache or add the DACS module to your Apache server, and if adding an Apache server to proxy incoming requests is not possible, the command line interfaces to DACS may be a valid alternative for some. Some features of DACS are incompletely implemented, not fully tested, or not yet integrated into the code base. But if you ask us, you may be surprised by how quickly a feature can be added; sometimes a feature or function is unavailable simply because no one has asked for it yet. Or perhaps it is not readily apparent that DACS can already do what you require.
• The Big Corporation
  DACS is designed, implemented, and supported by a small team that can quickly answer questions, respond to requests, and fix bugs. Its chief architect has a Ph.D. in Computer Science and almost 30 years of experience with systems programming and distributed systems. We can probably resolve your problem before you would even be able to cut through the red tape at Big Corporation or find the right person to talk to there. And we suspect that you'll find technical support for DACS, should you require it, to be much cheaper than what Big Corporation charges.

  We work on DACS in no small part because we truly enjoy it. And as we have benefited from open source software, we want to continue making our own contributions. Still, some people insist on dealing with large vendors only. One more thing to keep in mind... even Really Big Corporations go out of business or terminate product lines. Where will that leave you if you do not have source code?