Download and Release Information

DACS software is available for free. It is distributed in source form only - you must build it, although in most cases this is not difficult. Please refer to the license for terms and a copyright notice. Distribution tarballs are available from SourceForge.net.

Important release notes, change summaries, and post-release notifications are posted here. Please review this information before installing DACS or if you are experiencing any problems with DACS. Information that appears here about older releases may be superseded by changes made in newer releases; this also applies to such things as the renaming of programs and files.

When a significant bug is found after release, we will post a notice here, sometimes with a solution. A bug reported for a specific release may also be present in earlier releases. We apologize for any inconvenience and try to fix all known bugs in the next release. Patches and bug fix releases are sometimes available - please inquire.

The list of current and planned features may be of interest.

As mentioned elsewhere, we like to think that development of DACS is guided largely by the needs of its users, so we need your input to do a good job! Your requests and suggestions are important for us to continue to focus our efforts on solving problems that are important to you.

We do not require you to register your copy of DACS, but we would appreciate hearing from you if you decide to use it. The anonymous information you provide can help us to focus development and will be taken into account when we consider making changes, particularly changes that are incompatible with earlier releases.

What You Need

To build DACS, at minimum you will need the following:

• One of the officially supported platforms: FreeBSD, GNU/Linux, Mac OS X 10.6, or Solaris
• GNU make (gmake) and GCC
• Third-party software: Apache 2.0/2.2, OpenSSL, and Expat

If you require certain optional features, you will need to obtain some additional third-party software, such as Berkeley DB, Samba, or OpenLDAP.

Please see dacs.install(7) for details.

Bugs and Support

If you are having a problem with DACS, after first reviewing the release notes for your version, the next thing to do is check the DACS log files and the Apache log files. You should also consult the FAQ and Tips. Whenever possible, you should always run the latest release of DACS.

Please see the support area for information on reporting bugs and other assistance. Technical support and maintenance packages are available.

Downloads and Release History

DACS Version 1.4.25

Release Notes

Although it mainly fixes bugs and adds some minor features, this release includes improved support for one-time passwords (such as time-based tokens, token provisioning, and additional OTP token vendors), introduces a new, simplified user-selectable authentication control, fixes and improves PAM-based authentication, and adds support for SQLite.

As with earlier releases of DACS, a variety of problems were encountered building third-party software. In particular, OpenSSL - which has seen a larger than usual number of releases recently - seems to be troublesome. These problems are addressed in dacs.install(7).

Change Summary

• VFS support for SQLite (starting with 3.6.23.1) (see dacs.conf(5))
• added "user_sufficient" authentication control (see dacs_authenticate(8))
• fixes and improvements to PAM-based authentication (see dacs_authenticate(8))
• third-party software upgrades: BerkeleyDB 5.0.21, Apache 2.2.15, Readline 6.1, Samba 3.5.3, openssl-1.0.0a, openldap-2.4.21, xmlsec1-1.2.16, libxml2-2.7.7
  note: DACS will no longer build against earlier releases of Samba
  note: it was necessary to rebuild xmlsec1 against OpenSSL 1.0.0
  note: changes made in OpenSSL 0.9.8[mno] are incompatible with DACS; do not use them with DACS
  
• XML bug fix for dacs_select_credentials(8) and minor (though incompatible) change to its DTD (dacs_select_credentials.dtd)
• bug fixes: URL parsing, VFS rename, dacstransform(1) and dacs_transform(8), function argument type conversion (see Post-Release Notes for 1.4.24)
• initial, partial support for JSON output (this will be completed and tuned in the next release)
• minor additions to the syntax() function
• dacsemail(1)
• added debug_xxx debug flag file mechanism (see dacs_acs(8))
• bug fix: the syntax of the id attribute of an Auth/Roles/Transfer clause should be restricted to an alphabetic followed by zero or more alphanumerics, hyphens, and underscores (see dacs.conf(5))
• upgrade: Mac OS X 10.6.4 (x86) platform
• added RFC 4231 HMAC test vectors
• added -with-apache-apr-includes and --with-apache-apr-cpp-defs build flags for Apache special cases
• many fixes and improvements to OTP token support in dacstoken; new dacs_token web service; new support for time-based OTP tokens (TOTP); incompatible changes to token account format and command line flags (see dacstoken(1), dacs_token(8), and dacs_authenticate(8))
• persistent font change capability for HTML manual pages
• internal improvements: mutual exclusion locking, shared memory segments (not available on some platforms)
• Rlinks, dacsrlink(1): several important bug fixes
• undocumented dacs_complete word/string completion service (see src/complete.c)

Post-Release Notes

Not mentioned in the release notes and HISTORY were some improvements to the output of dacs_error, a generic error handling Perl script.

Note: There is uncertainty about the future of OpenSolaris. This may lead to abandoning it as an officially supported platform for DACS.

DACS Version 1.4.24

Release Notes

This is primarily a bug fix release, but it also introduces support for the Mac OS X 10.6/x86 platform.

As with earlier releases of DACS, a variety of problems were encountered building third-party software on OpenSolaris/x86. These problems - and, sometimes, solutions - are addressed in dacs.install(7).

Change Summary

• fixed several low-level bugs, some of which might have caused DACS web services or utilities to crash
• added --enable-dump command line argument to aid debugging (see dacs(1))
• added support for the FreeBSD 8.X (amd64) platform (support for FreeBSD 7.X/amd64 continues)
• added support for the Mac OS X 10.6 on the x86 platform; note:
  • if building OpenSSL, you may need to specify the 64-bit architecture because its configuration appears to default to 32 bits; use e.g.,

          /usr/bin/perl ./Configure darwin64-x86_64-cc \
              --prefix=/usr/local/openssl-0.9.8l \
              --openssldir=/usr/local/openssl-0.9.8l shared
          

  • default owner/group of installed DACS files is "_www" (names which seem to ship with the system); this should probably agree with your Apache's httpd.conf settings for User/Group
• third-party software upgrades: OpenSSL 0.9.8l, xmlsec1-1.2.14

Post-Release Notes

• A URI parsing bug causes some valid URIs to be considered invalid. Examples:

  % dacsexpr
  > syntax(uri, "http://example.com?")
  0
  > syntax(uri, "http://example.com?foo")
  0
  > syntax(uri, "http://example.com?foo=baz")
  0
  

  A workaround is to insert a slash ("/") immediately before the question mark.
• A virtual filestore bug can sometimes cause the "rename" operation, when used with the dacs-kwv-fs scheme, to report success but result in no data being modified.
• Several problems have been found in dacs_transform(8)/dacstransform(1) and their documentation; until these are addressed in the next release, please test carefully.
• Automatic conversion of a function argument to the string data type may trigger an evaluation error in some cases. A workaround is to use an explicit cast:

  > hash((string) 123, 0)
  

• The XML document returned by dacs_select_credentials can be invalid because of a missing <ok> element. If you require an immediate fix, edit src/select_credentials.c and emit the element immediately after the <dacs_select_credentials> element (at or near line 439).
• Problems were apparently introduced by changes to CFB mode encryption in OpenSSL 0.9.8m [1, 2] and DACS does not appear to work correctly with OpenSSL 0.9.8m, 0.9.8n, or 1.0.0. Decryption/encryption performed by DACS using these releases of OpenSSL may not be compatible with DACS releases that use earlier or later releases of OpenSSL. These changes have apparently since been reversed in the OpenSSL code base. Do not upgrade beyond the version(s) recommended for this release of DACS (see dacs.install(7)). Note: after building DACS, always do a "make test".
• A bug has been found in regmatch() when subexpressions are used. Matches may not be copied into a namespace if the namespace has already been used.
• Though not yet confirmed, it appears that if any HTTP cookie contains a double quote character, that HTTP cookie and subsequent ones in the Cookie header may be ignored. This can make it appear as if an authenticated user is unauthenticated, for example, because the cookie bearing DACS credentials is not processed.
• Several long-standing problems with PAM-based authentication have been identified. Expect fixes and improved documentation in the next release.

DACS Version 1.4.23a

Release Notes

This release adds some refinements to the Information Card support, introduces some new features, fixes some bugs, and upgrades to recent releases of third-party supporting software. Everyone is encouraged to upgrade to this release of DACS.

One significant new feature is an optional inactivity time out (see the new directives, ACS_TRACK_ACTIVITY and ACS_INACTIVITY_LIMIT_SECS). Another important feature is that dacs_current_credentials can return information about a user's last login and other logins that might be "active" - this can be useful for detecting security breaches.

For additional information about Information Cards and the new authentication capabilities available in this release, please visit the demo area. Note that as with the previous release, you must use the built-in local_infocard_authentication module rather than the web service.

If you are upgrading from an earlier release of DACS, after installation check that you are using the site.conf that comes with the new release.

Change Summary

• new InfoCard directives: INFOCARD_STS_RP_ENDPOINT, INFOCARD_TOKEN_MAX_LENGTH, and INFOCARD_TOKEN_DRIFT_SECS
• new general directives: ACS_TRACK_ACTIVITY and ACS_INACTIVITY_LIMIT_SECS
• enhancements to dacs_current_credentials(8), including ability to report last sign on and active sign ons. There is one potential incompatibility with previous releases, as the DTD for the document returned by dacs_current_credentials has changed. The different format is produced only if user tracking is enabled -- see dacs(1). The modifications to the XML are quite minor.
• third-party software upgrades: Apache 2.2.14, Samba 3.2.15, BerkeleyDB 4.8.24, GNU Readline 6.0, libxml2-2.7.6, xmlsec1-1.2.13
• bug fixes:
  • dacs_version/dacsversion: reporting InfoCard enabled
  • low-level database bug could cause random crashes

Post-Release Notes

Nothing yet.

DACS Version 1.4.23

Release Notes

This release mainly introduces support for Information Cards, but it also includes some minor enhancements, bug fixes, and upgrades to recent releases of third-party supporting software.

For additional information about Information Cards and the new authentication capabilities optionally available in this release, please visit the demo area. If you like (or do not like) DACS support for InfoCards, please let us know.

If you are upgrading from an earlier release of DACS, after installation check that you are using the site.conf that comes with the new release.

Change Summary

• initial support for self-issued and managed InfoCards:
  • added --enable-infocard-auth and --with-xmlsec1-config build flags
  • review the distribution's infocards/README file
  • review: dacs_infocard(8), dacsinfocard(1), dacs_managed_infocard(8), dacs_mex(8), dacs_sts(8), dacs_authenticate(8), dacs.conf(5), dacs.install(7), and Using InfoCards With DACS
  • an additional Apache directive is now expected by the default config:
    Alias /infocards "/usr/local/dacs/www/infocards/"
    New installation directory /usr/local/dacs/www/infocards contains some default public files and possibly some private (ACL-controlled) subdirectories
• reintroduction of dacs_select_credentials - review dacs_select_credentials(8)
• special effective url pattern "*" - see dacs.acls(5)
• extensions to index()
• fixed elapsed time calculation
• eliminated potential extraneous semi-colon when zapping DACS cookies
• the variable previously called JURISDICTION_URI is now called JURISDICTION_URI_PREFIX and a new variable called JURISDICTION_URI has similar semantics but includes the request's scheme and any port number
• new index table of variables added to the Technical Documentation web page
• new directive: ACS_POST_EXCEPTION_MODE
• bug fixes:
  • handling of -vfs argument (e.g., dacspasswd)
  • regmatch() with multiple subexpressions and no namespace arg
  • VERBOSE_LEVEL should not increase LOG_LEVEL
  • PREDICATE directive in Roles clause
  • getsize operation on HTTP types
  • fixed potential segfault bug if decode(url, ...) fails, as when SERVICE_ARGS is truncated
  • fixes for parsing of Content-Type MIME headers
• added CSS for dacs_current_credentials(8)
• set ACS_CREDENTIALS_LIMIT to 1 as the default
• added user("mine") variant
• added error-name CREDENTIALS_LIMIT (error-code 908) to the ACS_ERROR_HANDLER directive; this is undocumented in the manual and discovered too late to fix (the error is triggered by dacs_acs(8) if ACS_CREDENTIALS_LIMIT is exceeded).
• data type names used in casts are now case sensitive (they had been case insensitive, although that was not documented)
• third-party software upgrades: openssl-0.9.8k, Apache 2.2.13, OpenLDAP 2.4.17, Samba 3.2.14
  Note: when upgrading to openssl-0.9.8j there were some problems with "make install" and Makefiles under the fips subdirectory did not have INCLUDES set correctly and some manual intervention was required to complete the build. Additional details are here.
• improvements regarding logging of potentially sensitive information, lowered priority of most Apache logging messages generated by mod_auth_dacs
• upgrade Solaris 10 test platform to OpenSolaris 2008.11/x86 (SunOS 5.11)

Post-Release Notes

• You must use the built-in local_infocard_authentication module rather than the web service; the latter mode of use is not fully implemented (it will require changes to auth_reply.dtd). Please see dacs_authenticate(8).
• dacs_version(8) and dacsversion(1) do not report that InfoCard support has been enabled when it has been.
• A bug has been discovered that can cause DACS applications to crash, particularly during configuration processing. A fix will appear in the next release.

Building openssl-0.9.8j on FreeBSD

A "make install" of the standard openssl-0.9.8j distribution fails on FreeBSD 7.0, even if specifying only --prefix and --openssldir to configure. It may fail on other platforms, too (I'm lookin' at you, OpenSolaris and Cygwin):

cp: fipscanister.o.sha1: No such file or directory
cp: fipscanister.o: No such file or directory
*** Error code 1

Stop in /usr/k/generic/src/sysutils/openssl-0.9.8j/fips.

Here is what was needed to fix the problem(s) on FreeBSD 7.0 (your mileage may vary).

1. After unpacking the source distribution, run configure
2. As usual, run:
   

   % make
   % make test
   

   These should work properly; if they do, proceed.
3. Do: make install
   If it fails, continue with the following steps.
4. Change to the fips subdirectory
5. Edit each of {aes,des,dh,dsa,hmac,rand,rsa,sha}/Makefile and (if necessary) change the value of INCLUDES (defined near the beginning of the file) to:

   INCLUDES=-I../.. -I..
   

6. Run "make lib" in each of those directories:
   

   % (cd aes; make lib)
   % (cd des; make lib)
   and so on
   % (cd sha; make lib)
   

7. Do: make fipscanister.o
   It will probably report an error, but that's ok provided it actually creates fipscanister.o.
8. Do: make fips_standalone_sha1
9. Do: ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
10. Change to the distribution's root directory and try again to install:

    % cd ..
    % make install
    

    If it still doesn't work, as on OpenSolaris and Cygwin, try openssl-0.9.8i, which doesn't seem to have these problems.

DACS Version 1.4.22

Release Notes

This release mainly fixes an assortment of bugs and upgrades to recent releases of third-party supporting software.

• As in the past, Samba (3.2.7, this time) would neither configure nor build on the Solaris 5.10 x86 platform (see also DACS 1.4.15).
• Your mileage may vary, but when building OpenLDAP on the Solaris 5.10 x86 platform, before running 'configure' it was necessary to do 'setenv CC /usr/sfw/bin/gcc' so that the correct compiler was found.
• On any platform, if you are including LDAP support and encounter DACS build errors related to '-lsasl2' or 'sasl' symbols, add the '--without-cyrus-sasl' flag when you run the OpenLDAP 'configure', rebuild OpenLDAP, and then rebuild DACS. Contrary to the documentation in inet(3), the Solaris 5.10 x86 platform puts inet_aton() in libresolv; if local_ldap_auth fails to build because inet_aton() is not found, edit DACS's defs.mk (and defs.mk.in, if you like) and add '-lresolv' to the end of the OPENLDAP_LIBS definition, then run 'gmake' again.
• For the next release of DACS, we intend to upgrade to OpenSolaris 2008.11 for testing.

Change Summary

• fixes for possibly buggy jurisdiction listing in dacs_admin(8)
• added optional public_key to jurisdiction's group_member element in groups.dtd (used by dacs_admin, dacs_list_jurisdictions, dacsinit)
• dacskey(1) can now print public and private keys, bug fixes
• local_apache_auth handles large flat-file passwords (htpasswd) quicker
• third-party support upgrades: OpenSSL 0.9.8i, OpenLDAP 2.3.43, Apache 2.2.11, Samba 3.2.7, Berkeley DB 4.7.25
• new functions: strtolower(), strtoupper(), strstr(), strrstr()
• start at separating independent code into its own library, libdss.a
• upgrade to docbook-xsl-1.74.0 and consequential minor format processing changes
• additional tests for HMAC (FIPS 198-1)
• added configuration directive AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS
• fixes for URI decoding bugs
• build fixes for Solaris and Linux
• problems associated with release 1.4.21 have been fixed; truncated multipart/form-data arguments still sometimes occur, but they should not cause dacs_acs to crash anymore (see dacs_acs(8) and the Apache configuration directive SetDACSAuthPostBuffer for details). In any case, you should set SetDACSAuthPostBuffer to zero if you do not require DACS to process the HTTP entity body. If you are able to use the GET method instead, that will also avoid the problem. [It seems that this problem with truncation is due to some recent subtle changes in the way Apache processes brigades.] Note that disabling this feature of DACS does not mean that you cannot DACS-wrap programs that are run via POST, only that DACS will not make variables contained within the POST data stream available to its access control rules - the program will run normally if DACS grants access.

Post-Release Notes

The following errata and comments are associated with this release:

• If you see the message "Mime parse of SERVICE_ARGS failed" in the DACS log it suggests that the truncation problem mentioned above is occurring.
• Some browsers (Firefox3 is one of them) may formulate an HTTP request using the POST method that includes a Content-Type header that is valid but that DACS does not understand, causing DACS to ignore any arguments in the entity body (meaning that the POST parameters are not available to DACS). In this context, a Content-Type header like "application/x-www-form-urlencoded; charset=UTF-8" will trigger the bug.
• The regmatch() function may not return the correct value when there is at least one subexpression in the regex and no namespace argument. For example, "regmatch("foo", "(bar)|(baz)|(foo)") returns 3 when it should return the string foo.
• The dacsacl(1) command unnecessarily reformats its input ACL files. This is usually harmless, but can add a lot of whitespace. If a rule's url_pattern or url_expr attribute values contain quotes, the corresponding INDEX file entries will sometimes not be read correctly, resulting in an error and dacs_acs denying access. If this happens, the INDEX file (and possibly also ACL files) will need to be repaired manually.
• DACS may sometimes lose cookies following internal Apache redirects, despite the access control rule in effect setting pass_http_cookie to yes. A symptom of this bug is that although a valid credentials cookie is sent (possibly with other DACS or non-DACS cookies), DACS appears to "forget" who is sending a request because the user's DACS credentials are lost. Other cookies may also mysteriously disappear, or disappear instead. These internal redirections occur when Apache receives a request that involves a DirectoryIndex directive, for instance. This bug likely exists in earlier DACS releases.

  For example, it is possible for Apache configuration to cause a user's request for https://example.com to be internally redirected to https://example.com/, then https://example.com/index.html, and finally to https://example.com/index.php. When this bug is triggered, the DACS rule for https://example.com/index.php may not see the credentials that were sent with the request.

  If you require an immediate fix and are not concerned about DACS cookies being revealed through environment variables (such as when only trusted users have login access to your Apache box), you can try a quick and dirty solution:

  1. change to the apache directory of the DACS distribution
  2. edit mod_auth_dacs.c (save the original, just in case)
  3. Locate the function dacs_cookie_zap() and make it return immediately without doing anything (just insert a return statement at its start)
  4. Do: make tag install
  5. Restart Apache

DACS Version 1.4.21

Release Notes

Although this release mainly addresses a wide assortment of bugs, and upgrades to recent releases of third-party supporting software, it also features some significant performance and administrative improvements. Changes of note include:

• a new indexing mechanism for access control rules to accelerate searches for the applicable rule - due to this change, however, the dacsacl command must always be run after the ruleset has been modified (see dacsacl(1));
• re-introduction of the authorization caching feature, a cookie-based mechanism to optionally bypass authorization checking of requests after they have been approved once, which can be of particular benefit for frequently accessed files such as images and CSS files, or when a rule is relatively expensive to evaluate (see dacs_acs(8));
• a complete rewrite of the dacs_admin web service to provide a fully REST-ful, unified, and comprehensive administrative web-based console [note that in this release, dacs_admin will only produce HTML output and only supports read-only operations] (see dacs_admin(8));
• extensions to the DACS programming language with new, composite data types (lists, associative lists, and arrays) [note that their implementation is mostly but not totally complete; in particular, list references may not yet be embedded within strings]; and
• a new utility (dacsinit) for interactively configuring a very basic federation and jurisdiction, which can help you to get started with DACS quickly.

Change Summary

• Notable bug fixes and minor enhancements, including:
  • dacs_transform(8) and dacstransform(1): added "expr" attribute to the "insert" directive
  • added expand() and sprintf() functions
  • allow a relative path argument to get() in stand-alone apps
  • added automatic type conversion for printf() arguments
  • potentially incompatible changes to the UPROXY_APPROVED directive (see dacs.conf(5) and dacs_uproxy(8))
  • bug fixes for HTTP requests on the (unofficial) Solaris/SPARC platform
  • bug fixes for the SetDACSAuthConf and SetDACSAuthSiteConf directives (mod_auth_dacs)
  • language extension to allow braces to be omitted in variable references in certain cases as a convenience
  • print() and printf() are now void functions
  • bug fixes for MIME parsing
  • support for DESTDIR in Makefiles; see dacs.install(7)
• Retirement of FreeBSD 4.X, 5.X, and 6.X testing platforms, addition of FreeBSD 7.X (amd64) platform
• Upgrade to OpenSSL 0.9.8g
  Note: when building it on FreeBSD, it was necessary to specify the -fPIC flag to its config program
• Upgrades to Samba 3.0.28 and Apache 2.2.8/2.0.63
• Incompatible changes to access control rule processing:
  • to both significantly improve performance and simplify the rule processing engine, changes have been made to the way rules are named and processed
  • these changes will only affect users of earlier releases who are using customized access control rules
  • the new format preprocesses rules to create an index called INDEX. The index is an XML file (with syntax acl_index.dtd) located at the root of each ACL directory structure (e.g., /usr/local/dacs/acls/INDEX)
  • you cannot have a rule file named "INDEX" (unless you change the definition of ACL_INDEX_FILENAME and rebuild DACS)
  • an index file is processed during rule processing to determine the rule that best matches a request, so it must always reflect the set of available rules and be up-to-date WRT their contents
  • at most one rule file will be read during access control processing, namely the best match
  • the DTD acl.dtd has been revised with a new "status" attribute (currently IMPLIED but eventually REQUIRED) that is used to flag a rule as enabled or disabled for access control checking purposes
  • Release 1.4.21 ships with the standard DACS rules in the new format
  • if an existing DACS installation has added custom ACLs, its old format rules must be converted to the new format - the old format should no longer be used
  • because the changes affect the rule processing engine, rules used by dacscheck(1) must also be converted and indexed. A command like the following might be used to do this (your path will vary):
    % dacsacl -un -build -vfs '[acls]file:///usr/local/myapp/rules'
  • the dacsacl(1) command should be used to convert from the old format to the new format:
    % dacsacl -convert
    this will create a new INDEX file or replace an existing one, and edit existing rules to use the new "status" attribute this should only need to be done one time (running it more than once should not cause any problems, however, so if any errors are reported you may re-run the conversion after fixing the problems)
  • during conversion, rule files that were disabled in the old format will also be disabled in the new format; if an old format file happens to have a "status" attribute it will override the status implied by its filename
  • during conversion, the priority associated with any subdirectory is lost, only the numeric suffix of files containing a rule is used to determine the rule priority propagated to the INDEX file. Manual attention may be required to preserve the intended order of rule processing if subdirectory priority was significant in the old format.
  • rule files and subdirectories are not renamed during conversion
  • apart from conversion to the new format, dacsacl does not support the old format
  • only the "acls" item type is converted, not the "dacs_acls" (since 1.4.21 and later ship with the standard ACLs already converted)
  • Important: after conversion check that the converted rules are enabled or disabled properly. If you find an error, edit the rule and change its status. When you are done, run dacsacl again.
  • whenever a rule is added, deleted, or modified, dacsacl(1) must always be run to rebuild the INDEX files:
    % dacsacl -build
    this will create new INDEX files or replace any existing ones and assumes that rules are in the new format (i.e., they have a "status" attribute)
  • in the new format, all subdirectories are examined, regardless of any "acl-" prefix, need not have a numeric suffix, cannot be disabled, and any numeric suffix does not influence rule priority
  • in the new format, rule files must still begin with the prefix "acl-" (any other non-directory file names are ignored), but the convention "acl-disabled" to signify a disabled rule file is not followed - so although initially disabled after conversion, in the new format a rule file or subdirectory with this prefix does necessarily imply that the rule file or subdirectory is disabled - only the INDEX determines that.
  • in the new format, the "acl-" prefix is still required for files containing rules but it is no longer required or significant for subdirectories
  • in the new format, priorities are non-negative integers, with zero being the highest possible priority. Rules with equal priorities are ordered based on the ASCII collating order strcmp(3) of their full pathnames
  • notwithstanding the conversion operation, in the new format a rule that does not have a "status" attribute defaults to being disabled, and the old style ACL prefix "acl-disabled" has no special meaning (e.g., if such a rule is fed to dacsacl as a file argument for syntax checking)
  • in previous releases, if an error occurred while searching through rules (e.g., a syntax error was found) the search would terminate and access would be denied. In the new format, if dacsacl finds an error in a rule it does not update the INDEX file and because only the responsible rule is read, errors in other rules should not trigger problems during rule processing.
• Incompatible changes and improvements to dacs_admin(8)
  • changes to resource naming (URLs) for more REST-ful conformance, improved HTML interface
  • bug fixes and minor improvements, including CSS support
• Re-introduction of the authorization caching feature
  This allows positive access control decisions to be cached so that future requests by the same client for resources controlled by the same rule can be granted more quickly - see dacs_acs(8)
• Addition of dacsinit, a script to create and initialize a minimal, single jurisdiction federation. There is currently no manual page for the program, but there are brief descriptions here and here. Run it with the -n flag the first time you use it. If there is any positive feedback, the program is likely to be extended to do more configuration and initializations.

Post-Release Notes

The following errata are associated with this release:

• The release accidentally shipped with a rule that allows all access to dacs_admin. This could potentially reveal information that should not be made public, so it is important to either (1) disable the default rule for dacs_admin, (2) change the default to restrict access to dacs_admin, or (3) add a custom rule for the jurisdiction, which will override the default, and restrict access appropriately. If you do (1) or (2), you should make the change to the installed rule and to the rule that comes with the distribution (acls/acl-admin.0) because 'make install' will replace the installed rule with the rule that comes with the distribution. Make sure that dacsacl is run after you make the changes, and then verify that access has been disabled or restricted as you intend.
• A bug (or feature) in Makefile.in makes it necessary to build DACS with the --enable-developer flag for dacs_admin to be built and installed. This will be changed in the next release.
• Examples of rules in the manual pages were not updated to include the new "status" attribute. (Note: the Tips have been revised to include this attribute)
• It is not made clear in the manual page for dacskey(1) that the keyfile argument is accessed via the virtual filestore. Therefore, a relative pathname is not acceptable.
• On some platforms, the pre-generated documentation in the distribution's man directory may not unpack properly, causing make to think that the documentation needs to be rebuilt even though it does not; a bug in the Makefile can lead to the pre-generated documentation files being truncated. If this happens, restore the contents of the man directory from the distribution tarball and do 'make touch install' from the man directory.
• Optionally, DACS can be configured to use OpenLDAP to supply core functionality for LDAP-based authentication (local_ldap_auth). On some platforms, OpenLDAP may fail to build, producing error messages about undefined symbols beginning with "sasl_". DACS does not require SASL support, so OpenLDAP can be configured with the --with-cyrus-sasl=no flag.
• The local_apache_auth module runs very slowly when given a large (e.g., thousands of entries) flat-file (htpasswd) formatted password file. Converting the file to Berkeley DB format (htdbm) is currently the only solution (also see dbmmanage).
• The description of the from() function should mention that in the case where the argument is a full or partially matching domain name and REMOTE_HOST is not available but REMOTE_ADDR is, a reverse DNS lookup will be performed on the argument and all IP addresses that result will be tested against REMOTE_ADDR; if this lookup fails, then the function raises an error condition and rule processing will terminate. You should therefore avoid using a domain name argument that may not be resolvable on the host where DACS is run.
• Immediately after pasting the text to create a new access control rule in Step 6.5 of the Quick Start tutorial, you must run dacsacl(1) to rebuild the rule index:

     % dacsacl -uj LA
  

  You must always run dacsacl after you add or change an ACL.
• A bug was found in http(1) that breaks the -f flag.
• A truncated multipart/form-data argument (e.g., as a result of file uploading) may cause dacs_acs(8) to crash. Smaller uploads (up to approx. 7 KB) usually work, however. Additionally, truncation may occur erroneously, depending on the size of the argument, particular browser type being used, version of Apache, and perhaps other environmental factors (this problem has reared its ugly head before and appears to be intimately related to Apache internals). It may be possible to work around the problem(s) by adjusting SetDACSAuthPostBuffer and ACS_POST_BUFFER_LIMIT. Because the possibility of truncated arguments can never be eliminated, there should probably be better ways to tell DACS what to do when they occur.

This and previous releases of DACS produce HTTP cookies that have colons (and possibly other punctuation) in their names. Although this is not known to cause problems with any web browsers, it is unacceptable to some versions of Tomcat. It seems that RFC 2109 (Sections 4.2.2 and 4.1) and RFC 2965 (Sections 3.2.2 and 3.1), with RFC 2616 (Section 2.2), do not allow these "separators" to appear in a cookie name. DACS does not currently have a workaround for this problem, but then it does not claim to be RFC 2109/2965 compliant. A future release of DACS will likely change the syntax of its cookies to something benign. Changes to the cookie name syntax may cause problems for interoperation between different versions of DACS. Note that middleware should not be relying upon (esp. parsing) the names of DACS cookies, other than to identify the different types of cookies, so a change should only be a minor inconvenience for middleware.

It seems that issues may arise when mod_rewrite and mod_proxy come into play with DACS-wrapped resources. A single proxied request may cause Apache to perform many authorization checks. Also, Apache mangles some variables associated with a proxied request during processing (e.g., the REQUEST_URI) and these may not be handled properly by DACS. Avoid these kinds of requests, or at least test them carefully.

DACS Version 1.4.20

Release Notes

This is primarily a bug fix release. DACS is security software - we urge all users to upgrade to the latest release.

Change Summary

• Bug fixes:
  • important bug fix to local_passwd_authenticate prevents invalid passwords from being accepted
  • canonicalize the DACS error URL (avoiding a redundant acknowledgement by dacs_notices(8))
  • invalid Content-Type headers parsing
  • buffer handling bugs
  • VFS vfs-uri open bug
• renamed, refined, and documented dacs_uproxy(8) (for security reasons, it is not built by default)
• added -check argument to dacskey(1) to do cursory key validation
• new functions: ustamp(), dacs_meta(), dacs_approval()
• removed deprecated functions: hex_decode(), cescape(), mime_encode(), mime_decode(), url_encode(), url_decode()
• third-party support upgrades: Samba 3.0.25b, BerkeleyDB 4.6.18, OpenLDAP 2.3.37
• upgrade to GCC 4.2.1 for development
• dacs_prenv(8) now sorts list of environment variables
• assorted fixes and improvements to dacs.quick(7)

Post-Release Notes

While DACS is not officially supported on Solaris/SPARC, a bug has been found on that platform that breaks the http(1) command and internal HTTP requests. One consequence of this bug is that authentication may fail; this particular case can be avoided by using built-in authentication modules. This bug will be fixed in the next release, but you can contact us for a patch.

The SetDACSAuthConf and SetDACSAuthSiteConf directives may not work properly. Because these directives cause the environment variables DACS_CONF and DACS_SITE_CONF, respectively, to be passed to dacs_acs(8), a possible work-around is to explicitly set them in your Apache configuration (using SetEnv, for instance).

DACS should not be affected by the problems recently discovered in OpenSSL 0.9.8e. The next release of DACS will upgrade to the then-current release of OpenSSL.

DACS Version 1.4.19

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Change Summary

• Bug fixes:
  • handling of -expires date in dacscookie(1) (also minor enhancements)
  • dacsvfs(1) must set field separator character properly
  • multipart/form-data arguments not handled correctly
  • setvar(split, ...) did not handle a trailing null element properly
  • authorization tests after an internal redirect may have been performed on the request URI again instead of the new target URI or an empty string argument
  • assorted fixes for dacsrlink(1)
  • ACS_ERROR_HANDLER error-action was broken
  • dacs_list_jurisdictions(8) with FORMAT=TEXT
  • minor MIME whitespace parsing error
  • fix for long-standing bug in dacs_list_jurisdictions(8) and dacs_list_jurisdictions.dtd plus some minor improvements and attribute renaming:
    
    • attribute name renamed to jname (jurisdiction name)
    • attribute name is now the full name of the jurisdiction
    • attribute public_key renamed to fed_public_key
    • attribute public_key is now the jurisdiction's public key, if known
  • bug fixes and overhaul to dacsexpr(1) command line processing. Note: some changes are incompatible, though minor
    Also:
    • a -n flag for syntax checking
    • removed -env flag
    • improved "batch mode" (non-interactive) operation
    • operation as a '#!' script
  • fixes for bstring type
  • parsing empty blocks, like "if (3) {} print('hi');"
  • exec() now sets ${DACS::status} correctly
  • fixes for http(1), including handling binary content
  • minor I/O processing bug fixes
• formatting improvements for dacs_conf(8) HTML
• added expiry element to the concise syntax (an Rlink with an identity can now be assigned a lifetime)
• dacscheck(1) can emit a redirection request (-redirect flag)
• added -s flag to dacsexpr(1)
• DACS expression language changes:
  • new functions: source(), syntax(), hash(), trim()
  • added create operation to counter()
  • extended get() argument for consistency and to use 'stdin' item type
  • extensions to setvar() (rename, post operations), new optional limit argument with split or regsplit operations
  • added '+' and 'z' modifier flags to variable references
  • new transform() and transform_config() functions
  • A '#' now introduces a comment in expressions
  • extended password()
  • extensions to vfs()
• added AUTH_SINGLE_COOKIE directive
• removed obsolete manual pages
• ignore expired rules via expires_expr attribute
• extended ACS_ERROR_HANDLER to evaluate an expression, backward-compatible changes to syntax, clarified documentation
• added dacslist(1) command version of dacs_list_jurisdictions(8)
• change to DACS base-64 encoding character set to make encoded strings safe in paths (this does not affect MIME base-64 encodings); NOTE: the change is (temporarily) "mostly" backward compatible in that the old encoding is still recognized, however some things could break. DACS admins should take this opportunity to regenerate federation and jurisdiction keys (see dacskey(1)); user passwords via local_passwd_authenticate should also be updated
• consolidated encoding/decoding functions into encode() and decode(), and added dacs64 encoding type
  NOTE: anyone using the old function names must make the obvious edits to convert the old names into the new ones; the following functions are deprecated and will be removed from a future release: cescape(), hex_decode(), mime_encode(), mime_decode(), url_encode(), url_decode()
• additional internal PKI support
• changed site.conf defaults for LOG_LEVEL and LOG_FORMAT
• changes to default log message formats
• added several new flags to dacspasswd(1) and various improvements. Notes: These changes are backward compatible with existing DACS password files. Not all of the new features can be accessed through dacs_passwd(8), dacs_admin(8), etc.
• revisions to dacs_passwd(8) man page
• use of DEFAULT_JURISDICTION environment variable - see dacs(1)
• upgrades: expat-2.0.1, samba-3.0.25a, openldap-2.3.35
• new functionality for cgiparse(8) (should be backward compatible)
• Added DACS_USERNAME to the "url syntax" argument list of AUTH_SUCCESS_HANDLER

Post-Release Notes

1. Important:
   A bug in the local_passwd_authenticate authentication module has been discovered that can cause an invalid DACS password to be accepted when it should not be. This does not affect any other forms of authentication or the DACS password file. Unless you are sure that you will not use this authentication module, you must apply the following fix. We apologize for the error.

   This bug has been fixed and a new version of src/local_passwd_auth.c is available. Replace the local_passwd_auth.c file (revid 1941) that ships with dacs-1.4.19 with the new one (revid 1983). Do a 'make clean' from the distribution's src directory, then build and install DACS again.

   Before deploying this or any other DACS authentication method in a production system, please ensure that authentication succeeds only if all authentication material is correct.

2. Correction: in the examples in dacsauth(1), the -vfs flag must appear with the module flags (before the -u flag, for instance).

3. Regarding the notice acknowledgment feature (dacs_notices(8), dacs.nat(5)), if a document requiring acknowledgement is accessed using the https scheme, all links to the document must provide the port number (even if it is 443) in its URL. For instance, use https://dss.fedroot.com:443/notices/ack-me.html instead of https://dss.fedroot.com/notices/ack-me.html. Failure to do this causes users to see the same prompt twice. The default port number will be handled correctly in the next release.

DACS Version 1.4.18

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Notable improvements include:

• a new "authentication-at-authorization-time" feature that allows a user identity to be established, either interactively or non-interactively, via HTTP Basic Auth (RFC 2617) or using any available context (the request URI, arguments, etc.); see dacs_acs(8) and ACS_PRE_AUTH
• a new "Rlinks" feature that can associate a URL with authorizing rules and an identity, promoting collaboration and sharing; see dacs_acs(8) and dacsrlink(1)
• new functions: counter(), on_success(), password(), request_match(), strptime(), undef(), var()
• new or enhanced directives: ACS_FAIL, ACS_PRE_AUTH, ACS_SUCCESS, AUTH_FAIL, HTTP_AUTH, HTTP_AUTH_ENABLE

Change Summary

• bug fixes for building shared library
• bug fix: conditional expressions could sometimes cause a segfault
• bug fix: application/x-www-form-urlencoded content type was sometimes not properly encoded (this broke ampersands in passwords, for example)
• bug fix: make Args namespace available to configuration processing
• bug fix: http(1) may write a binary body improperly
• replaced Configuration.dtd, which seems to have gotten lost, and updated dacs_conf_reply.dtd
• added EXPR (-expr) pseudo-module to dacsauth(1)
• added strptime() function, changes to time()
• dacs_authenticate(8) now ignores unrecognized web service arguments
• tools/DACScheck* moved to tools/perl
• changes to HTTP_AUTH and HTTP_AUTH_ENABLE directives in support of the new pre-authorization testing HTTP authentication feature; the changes to these two directives are backward compatible, but anyone using either directives should review the updated descriptions
• added -invisible/-visible flags to DACS_ACS argument, with the former being the new default behaviour
• minimal support for Java via JNI - see dacs.java(7)
• upgrade to Apache 2.2.4, OpenSSL 0.9.8e, Samba 3.0.24, OpenLDAP 2.3.34
• experimental dacsauth() and dacscheck() functions note: use with care because they may have reentrancy bugs and may be relatively heavy memory users
• added request_match() function
• added -rlink flag to DACS_ACS (available as ${ARGS::RLINK} in ACS_PRE_AUTH expression)
• added the "n" modifier flag to variables
• added AUTH_FAIL, ACS_SUCCESS, ACS_FAIL, ACS_PRE_AUTH directives
• added functions: on_success(), counter(), var(), password()
• minor enhancements to time() function
• added ability to conditionally include a config directive via undef()
• minor extensions to acl.dtd for new optional attributes
• minor experimental addition to acl.dtd (the "identity" element)
• ACL checking extended to look at expires_expr and url_expr attributes
• new BY_SIMPLE_REDIRECT error code for "pure" redirects (this can be used with redirect() and a deny clause to create short links)
• addition of the Cookies namespace
• new "Rlinks" feature - see dacsrlink(1)
• minor HTML formatting changes for dacs_prenv(8)
• minor HTML formatting changes for dacs_list_jurisdictions(8)

Post-Release Notes

There is a bug in dacsvfs(1) that prevents a field separator character other than the default (a colon) from being used. A bug in http(1) causes improper output buffering with the -ih flag.

Arguments passed through the multipart/form-data content type may not be handled correctly.

Requests that are the result of an internal redirect by Apache may cause DACS to become confused about the request URI that it should use.

The dacsrlink(1) command and its manual page have several bugs. The -expires flag is buggy. The manual page has a typo: the flag for the rlink operation should be called -lmode instead of -mode. The manual page lacks examples.

On Cygwin, a build using expat-2.0.0 was clean but the DACS binaries did not work properly. Building with expat-1.95.8 instead solved the problem.

DACS Version 1.4.17

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Notable improvements include:

• a new 'simple' style of authentication via local_simple_authenticate for inherently password-less accounts (note that local_passwd_authenticate requires a user provided password that cannot be the empty string)
• improved handling of binary data
• upgrades to samba-3.0.23d, openldap-2.3.31, docbook-xsl-1.71.1
• new local_ldap_roles module can assign LDAP/ADS roles to any user; it was previously necessary to authenticate the user through local_ldap_authenticate to obtain these roles

Neither Samba 3.0.23d nor 3.0.23c would build on the Solaris 5.10 x86 platform (see also DACS 1.4.15).

Cygwin is once again (partially) supported.

Change Summary

• added new 'simple' style of authentication via local_http_authenticate for inherently password-less accounts (note that local_passwd_authenticate requires a user provided password that cannot be the empty string)
• bug fix: composing and storing authentication styles in credentials
• bug fix: bareword not treated as string in some cases
• bug fix: empty role string from roles module not always handled properly
• improvements and clarifications to the OPTION Auth/Roles directive,
new OPTION* directive for better run-time adjustments
• bug fix: file(basename, ...) function
• new AUTH_SUCCESS directive gives a post-authentication hook
• clarifications and fixes to LOG_FILTER directive's behaviour
• bug fix: variable modifier flag parsing
• updated copyright notices
• NOTE: six utilities have been renamed for consistency aclcheck(1) to dacsacl(1), conf(1) to dacsconf(1), cookie(1) to dacscookie(1), mkkey(1) to dacskey(1), auth_grid(1) to dacsgrid(1), auth_token(1) to dacstoken(1) also renamed prenv(8) to dacs_prenv(8) See dacs(1) for an explanation of the the naming convention. The original names, which may have been confusing or conflicted with non-DACS software, are temporarily still available via the dacs(1) command. Their manual pages will be temporarily retained as reminders of the changes.
• added the unary type cast operator, and sizeof and typeof functions
• enhancements to the substr() function
• improved handling of binary data for correct application of url_decode, mime_decode, and future functions; new "bstring" data type; new functions: hex_decode(), bstring(), and cescape()
• added hmac(), digest(), and random() functions
• documented C-style character and numeric escape codes
• upgrades to samba-3.0.23d, openldap-2.3.31, docbook-xsl-1.71.1
• fixed local_pam_auth build bug with shared libraries
• Auth/Roles/Transfer clause id tags are now case sensitive
• new COOKIE_HTTPONLY directive
• new local_ldap_roles module can assign LDAP/ADS roles to any user; it was previously necessary to authenticate the user through local_ldap_authenticate to obtain these roles
• Authorization header parsing using setvar()
• bug fixes for building shared library
• minor extensions to dacs_version(8) and its DTD

Post-Release Notes

A bug was found that may cause the Args namespace to be unavailable during configuration processing by dacs_acs. This will be fixed in the next release.

There may be problems compiling DACS on GNU/Linux if Apache was built with large file support enabled (it was if apr.h defines APR_HAS_LARGE_FILES to be 1). Try configuring Apache's APR support library (srclib/apr) with --disable-lfs, and then rebuilding Apache and DACS. This will be addressed in the next release.

Apparently some GNU/Linux distributions sometimes install Apache's apxs utility as apxs2. In this case, DACS will not find apxs during its build. A quick fix is to edit the DACS src/defs.mk.in file and replace

   apxs = $(apache_home)/bin/apxs

   apxs = /usr/sbin/apxs2

DACS Version 1.4.16

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

Improvements of note include:

• a new authentication module, local_http_authenticate (e.g., used to authenticate against a Google account)
• distributed generation of user info records (login/logout/access events), used to track user activity
• improvements to revocation list processing
• built-in versions of roles modules
• re-introduction of PAM authentication (local_pam_authenticate)
• new parsing/array functionality for the setvar() function (also note a related enhancement to the user() function with the namespace keyword)

Note: In the final stages of testing we discovered that this release of DACS does not build on Cygwin, despite what is indicated elsewhere in the DACS documentation. This is because Cygwin lacks several library functions (even POSIX ones) that are provided by all of the fully-supported platforms. We will decide before the next release whether we will continue to partially support the Cygwin platform or abandon it entirely. Please let us know if you would like to see support for Cygwin continued.

Note: Minor but incompatible changes have been made to the setvar function. If you currently use this function, you will need to review the documentation and make appropriate changes before upgrading.

Change Summary

• bug fix: http_auth_jurisdiction variable didn't set DACS_JURISDICTION
• bug fixes for building with Samba on GNU/Linux
• bug fixes for building with Samba on Solaris 8 (-lresolv)
• new authentication module, local_http_authenticate (used to authenticate against a Google account, for instance)
• bug fix for dacs_conf(8) and conf(1) where closing Roles tag may be omitted in XML and HTML output; CSS fix
• upgrade to OpenSSL 0.9.8d and Berkeley DB 4.5.20
• fixes to configure.ac: --disable-... flags, --with-iconv processing
• added DACS_IDENTITY and DACS_CONCISE_IDENTITY environment variables (useful with dacscheck)
• fix to Auth clause's INIT* directive to propagate ${Auth::CURRENT_USERNAME}
• distributed generation of user info records (login/logout/access events), written to "user_info" VFS type (--enable-user-info) supports federation-wide tracking of user activity (see dacs(1))
• minor VFS enhancements and bug fixes (file locking, append mode)
• bug fix: backslashes within strings were not always handled consistently, especially two consecutive backslashes; this fix could possibly break some existing strings that contain multiple consecutive backslashes
• build DACScheck.pm and install it in .../dacs/lib/perl
• additional test cases
• fixes for secure -aux prompting by dacsauth
• added -vfs flag to dacspasswd to specify alternate password file
• minor improvements to revocation list processing, including account disabling
• built-in versions of roles modules, fixes for enabling/disabling roles modules by 'configure'
• minor build enhancements and simplifications (including changes for linking shared libraries)
• fixes and improvements for local_pam_authenticate
• added variables to the Conf namespace (such as DACS_SITE_CONF and OPENSSL_PROG) and renamed some for consistency (such as SITE_CONF_SPEC to DACS_SITE_CONF_SPEC)
• added ${<namespace>::#} syntax to return the number of variables in a namespace
• minor changes to http(1)
• minor changes to subset() and contains_any() functions
• setvar() function:
  • bug fixes and enhancements
  • incompatible syntactical changes
  • new operators: copy, delete, load, loadi, regsplit, split
• addition of "namespace" operator to user() function
• redirect() function now takes an optional error name or code
• bug fixes: CREDENTIALS_LIFETIME_SECS directive was ignored by some auth modules

Post-Release Notes

In releases 1.4.16 and earlier, it is possible to create a DACS account that has no password (the password is the empty string) but these accounts cannot be used because local_passwd_authenticate rejects these passwords as a sanity check. Password-less accounts will be addressed more consistently in release 1.4.17.

DACS Version 1.4.15

Release Notes

This is primarily a bug fix and minor enhancements release. DACS is security software - we urge all users to upgrade to the latest release.

With this release, DACS now supports strong authentication based on the Authenex A-Key hardware token (and other OATH-HOTP/RFC 4226 compliant products). This provides a very low cost and convenient path to two-factor authentication, not only for web-based single sign-on and CGI programs, but for virtually any software. No additional software is required to use the Authenex token with DACS. We hope to support other vendors' products in future releases. Besides auth_token(1), please see a description of the Authenex A-Key and background on two-factor authentication.

This release no longer supports some PASSWORD_* directives, as earlier advised. If you configured them for a previous release, you will need to delete some configuration directives. Please see the Change Summary.

This release includes incompatible changes to dacs_auth_transfer(8). If you configured it for a previous release, you will need to change some configuration directives. We apologize for the inconvenience, but we think you will agree that the new way to configure cross-federation trusts is much simpler and easier to understand. Please see the Change Summary.

We were unable to successfully build, or even configure, Samba 3.0.23c on the Solaris 10 x86 platform but had no problems with it on FreeBSD and GNU/Linux. If you require NTLM support on the Solaris 2.8 platform and experience difficulties building local_ntlm_auth, you may need to edit src/defs.mk and add "-lresolv" to the SAMBA_LIBS argument list (this must be repeated if you re-run configure). Please make sure you build Samba exactly as described in dacs.install(7). If this release of Samba does not build on your platform, or will not work properly with DACS, try an earlier release that has been tested with DACS: samba-3.0.23, samba-3.0.22, or samba-3.0.21a.

Although this release was tested with OpenSSL 0.9.8c, initial testing with 0.9.8d has not revealed any problems and it should be ok to use.

Change Summary

Major changes and improvements include:

• upgrades to Apache 2.0.59 and Apache 2.2.3
• upgrades to Samba 3.0.23c, OpenSSL 0.9.8c, and OpenLDAP 2.3.27
• minor bug fixes to dacs_conf(8), conf(1), dacsauth(1), dacscheck(1), and dacssched(1)
• renamed html/examples/login.html to html/examples/slogin.html and added html/examples/login.html, a JavaScript version of login.php
• new authentication module to provide software-based, one-time passwords; see auth_grid(1)
• new authentication module to support one-time password token devices; see auth_token(1)
• new dacs_autologin_ssl(8) web service for automagic SSL login
• the PASSWORD_MINIMUM_LENGTH, PASSWORD_NEEDS_MIXED_CASE, PASSWORD_NEEDS_PUNCTUATION, and PASSWORD_NEEDS_DIGITS directives have been removed - use PASSWORD_CONSTRAINTS; PASSWORD_AUDIT is now an Auth clause directive instead of a general directive
• added --with-cgi-suffix flag to configure
• extended syntax for ACS_ERROR_HANDLER directive (the optional url_pattern element)
• fixed local_cert_authenticate bug
• minor corrections and updates for autologin(8)
• incompatible improvements and simplifications have been made to dacs_auth_transfer(8):
  eliminated directives: AUTH_TRANSFER_ERROR_URL, AUTH_TRANSFER_IMPORT_URL, and AUTH_TRANSFER_SUCCESS_URL
  eliminated VFS item types: auth_transfer_imports, auth_transfer_exports, and auth_transfer_cookies item types
  added directive: AUTH_TRANSFER_EXPORT
  added: Transfer clause and new directives to dacs.conf

Some progress has been made with local_pam_authenticate and we hope to have it functional in the next release.

Post-Release Notes

Both the HTML and XML output of conf(1) and dacs_conf(8) can be incorrect - a closing Roles tag may be omitted. This is insignificant for most users, but a patch is available for src/conf.c. The CSS file for the HTML output (man/css/conf.css) was not updated to include the new Transfer clause. Though not important, a patch is available.

DACS Version 1.4.14

Release Notes

This is primarily a bug fix and minor enhancements release. It includes new applications that apply the DACS rule processing engine to problems other than web access control. A demonstration of one of these applications, dacs_transform(8), is available. The new dacstransform(1) command was used to generate much of this site's documentation.

Improvements of note include:

• new configuration directives to enhance security and detect poor passwords (see the Change Summary for a list of the new directives)
• improved tracking of user requests, including anonymous ones
• new applications of the DACS rule processing engine: dacs_transform(8), dacstransform(1), dacssched(1), and the rule() predicate

Note:
A new feature, which is enabled by default, has been added to improve security. Earlier releases will discard credentials generated by this release unless the feature has been disabled at jurisdictions running this release, however. Please refer to the VERIFY_UA directive for details.

Change Summary

Bug fixes, minor enhancements, and documentation improvements, including:

• upgrade to openldap-2.3.24
• upgrade to samba-3.0.23
• added rule() predicate, which exposes the rule processing engine to expressions
• http(1) command redirect handling fixes
• new configuration directives (see dacs.conf(5)):
  PASSWORD_AUDIT, PASSWORD_CONSTRAINTS (Note: this new directive replaces the PASSWORD_MINIMUM_LENGTH, PASSWORD_NEEDS_MIXED_CASE, PASSWORD_NEEDS_PUNCTUATION, and PASSWORD_NEEDS_DIGITS directives, which will be removed in future releases), VERIFY_UA, UNAUTH_ROLES, ACS_CREDENTIALS_LIMIT
• added ROLE_STRING_MAX_LENGTH directive and improved role string error logging
• boolean value conversion fixes in expressions
• improved request tracking of unauthenticated users

• added dacs_transform(8), a prototype web service to demonstrate how the DACS rule processing engine can be applied to document transformations
• added dacstransform(1), a command analog to dacs_transform(8)
• added dacssched(1), a prototype command to demonstrate how the DACS rule processing engine can be applied to scheduling command execution

Post-Release Notes

None yet.

DACS Version 1.4.13

Release Notes

This is primarily a bug fix and minor enhancements release. Please be sure to use dacs-1.4.13a - see below.

Important new features include:

• port to Apache 2.2
• dacsauth, an initial version of a command line authentication program (see dacsauth(1))
• a new authentication module, local_cas_authenticate, for authenticating through the Central Authentication Service (CAS)

Change Summary

Various minor bug fixes and man page improvements, including:

• port to Apache 2.2
  requires --with-apache-apr flag when DACS is configured
• upgrade to Apache 2.0.58, Apache 2.2.2
• upgrade to openssl-0.9.8b
• minor changes to DACS license to clarify redistribution and repackaging
• new predicates file_owner() and file_group()
• completed and documented vfs() function
• added ${DACS::IDENTITY} variable
• fixed expression evaluation bug causing incorrect True/False result from return/exit function
• fixed expression syntax bug when statement follows a brace-delimited block: if (expr) { ... } statement
• fixed several expression parsing and evaluation bugs
• added 100+ initial expression test cases ("make tests")
• added NIST HMAC test vector tests
  ("make tests" or "make crypto; ./crypto")
• SSL library buffer management bug fix (affects http and sslclient)
• dacsauth, an initial version of a command line authentication program
• new authentication module, local_cas_authenticate, for authenticating through the Central Authentication Service (CAS)

Post-Release Notes

• Shortly after release, a bug was found that may cause configuration processing to fail. When this bug is triggered, the DACS log file will contain the message: Invalid boolean result value.

  To fix this problem, either:

  1. obtain DACS 1.4.13a or
  2. replace two files with the ones found in patch-1.4.13a.tgz. From the distribution's root directory, do:

       % gunzip < patch-1.4.13a.tgz | tar -xvf -
       % cd src
       % gmake install
     

  We apologize for the inconvenience.

• Older versions of gdb (4.18, for example) do not work properly with DACS binaries, at least on FreeBSD. This appears to be related to the upgrade to OpenSSL 0.9.8b. Upgrading to a newer release of gdb (6.4, for example) avoids the problem. A similar problem was found on Solaris 10/x86, even with newer releases of gdb, but this DACS release works around it on that platform (by passing -gstabs+ to GCC).

DACS Version 1.4.12

Release Notes

This is primarily a bug fix and minor enhancements release.

Important new features include:

• the ability to authenticate against Apache htpasswd and htdbm files using any DACS password-oriented authentication module
• a DACS implementation of RFC 2617 HTTP Basic Authentication supporting authentication by any password-oriented DACS authentication module
• a DACS implementation of RFC 2617 HTTP Digest Authentication for authenticating against Apache htdigest files
• built-in versions of authentication modules can be selected

Change Summary

Various minor bug fixes and man page improvements, including:

• added -ssl-flags argument to http(1)
• bug fix re COMPAT_MODE and old cookie name format
• bug fix re LOG_SENSITIVE directive
• bug fix re selection of "audit" log messages by LOG_FILTER
• minor fixes and improvements to dacscred and its documentation
• added tools/DACScheck.pm
• sslclient bug fixes
• clarification of regsub() behaviour
• bug fix for rule matching where Jurisdiction uri attribute ends in a slash
• new check for precondition element error
• fixes for Solaris 10 x86 platform
• bug fix re: <user name="any"/>
• minor improvements to http, including following redirects
• minor improvements to mkkey and its documentation
• properly ignore disabled rules
• upgrade to Samba 3.0.22
• upgrade to OpenLDAP 2.3.21
• configuration processing fixes and documentation clarifications
• Note: if the following directive appears in any site.conf or dacs.conf, it should be deleted:

        VFS "[default]dacs-fs:"
  

• Built-in authentication modules
  In the Auth clause, you can use (so far):
  URL="local_passwd_authenticate" (or URL="passwd")
  URL="local_ntlm_authenticate" (or URL="ntlm")
  URL="local_apache_authenticate" (or URL="apache")
  URL="local_unix_authenticate" (or URL="unix")
  For the last one, dacs_authenticate must be setuid root since it must be able to read the shadow password file.
• Incompatible change to dacs_auth_agent local mode name mapping for improved usability: Configure, e.g.,
  

        VFS "[auth_agent_local_test]dacs-fs:/usr/local/dacs/testmap"
  

  (previous behaviour of "auth_agent_local" is retained)
  Where /usr/local/dacs/testmap is a file consisting of expressions, one per line (a continued line ends with a backslash). Each expression is evaluated until one is True; its value becomes the mapped username. The value of the USERNAME argument is available to each expression as ${Expr::_} (a new convention, reminiscent of Perl's $_ variable). Say the file contains:
  

        regsub(${Expr::_}, "^auggie doggie$", "auggie")
        regsub(${Expr::_}, "^julia$", "sara")
  

  If USERNAME is "auggie doggie", credentials will be issued for "auggie". If USERNAME is "julia", credentials will be issued for "sara". If USERNAME is something else, the request will fail.
• RFC 2617 Basic and Digest auth support:
  • new local_apache_authenticate module lets DACS use htpasswd, htdigest, and htdbm files directly
  • does RFC 2617 Basic auth in conjunction with an htpasswd or htdbm file, or with any DACS username/password based module (e.g, local_unix_authenticate, local_ntlm_authenticate, local_passwd_authenticate)
  • does RFC 2617 Digest auth in conjunction with an htdigest file
  • this feature should be considered semi-reliable pending additional testing
  • documented in dacs_acs(8) and dacs_authenticate(8)

Post-Release Notes

• In previous versions, a reference to an undefined variable in a configuration file did not result in an error; the empty string was interpolated. This behaviour has been changed in this release as a precaution against buggy configuration files. If you are upgrading from an earlier release and your configuration file stops working, it may be because your dacs.conf or site.conf tries to dereference an undefined variable. Perhaps the easiest fix is to use the "e" or "?" modifier flag when referencing a variable that might not be defined.
• The return/exit function sometimes yields an incorrect value.
• A syntax error can occur when a statement that ends with a block is followed by another statement. This sequence of statements should have the value 3:

  if (1) { 2; } 3;
  

  A temporary workaround is to explicitly separate the statements:

  if (1) { 2; }; 3;
  

DACS Version 1.4.11

Release Notes

This is primarily a bug fix and minor enhancements release.

A new cross-federation identity transfer mechanism has been added. It not only provides support for single sign-on among DACS federations, but also between a DACS federation and other identity management systems. See dacs_auth_transfer(8) for details.

The initial release of a web-based DACS administration interface called FedAdmin will be made available shortly at Sourceforge's contributed resource project for DACS. The DACS Java Library (DJL), which is being developed to support the use of DACS in Java client applications, will also be updated.

Change Summary

• many minor bug fixes and documentation improvements
• new cross-federation identity transfer capability: dacs_auth_transfer
• improvements and important extensions to user() predicate to handle multiple credentials correctly; compatible except that the optional MODE argument is now part of the string argument instead of being a separate argument. The ACL user_list's user element inherits these improvements.
• expression evaluation fixes and improvements
• fixes for 64-bit architecture
• minor changes to revocation list processing
• uri_expr attribute added to Jurisdiction element (dacs_conf_reply.dtd)
• dacs_url template expansion by dacs_list_jurisdictions
• string interpolation enhancements (%u, %s, %U)
• ability to reference Args namespace during config processing
• DTD change: dacs_current_credentials.dtd
• to aid in debugging, dacs_current_credentials can optionally return additional detail (by default, limited to privileged users)
• ACL changes: acl-current-credentials.0, acl-dacs.0, acl-auth-transfer.0
• moved dacs.quick(5) to dacs.quick(7)
  Suggestion:

       % rm -f /usr/local/dacs/man/man5/dacs.quick.5 
       % rm -f /usr/local/dacs/man/cat5/dacs.quick.5.gz
  

• Cookie naming format change to align with DACS names. The change is that a second colon follows the <federation_name> This also affects NAT cookie names, which are not DACS cookies per se
• Mostly backward-compatible changes to the Jurisdiction section matching algorithm in dacs.conf, improved documentation. The uri attribute can now include a simple hostname pattern (e.g., uri=*.fedroot.com) and a port number (fedroot.com:8080 and fedroot.com:8081 can now be different jurisdictions). Hostname matching is case-insensitive but URI path matching is still case-sensitive and is done path segment-by-segment rather than as a simple string compare. NB: this could potentially break some configuration files. Note that if you use ports in the uri=, you may need to change the -u flag (e.g., in httpd.conf or ssl.conf) to add the port. See "The Jurisdiction Section" in dacs.conf(5).
• bug fix: "sensitive" log messages could incorrectly be emitted
• bug fix: dacs_version/dacsversion didn't emit detailed version info for shared libraries (fix is to always link them statically)
• bug fix: dacscred always wanted to use SSL
• many build and install fixes for Solaris 8
• added 'touch' target to man/Makefile in case make thinks it needs to regenerate documentation when it really doesn't

Post-Release Notes

• This release uses va_copy(), which is not present in older versions of stdarg(3) that come with GCC.
• The changes wrt cookie naming broke the pseudo-backward compatibility enabled by the COMPAT_MODE directive. This will be fixed in the next release. The cookie name format change will, of course, also require all jurisdictions within a federation to upgrade to this release if any one of them upgrades, otherwise credentials may not be recognized. While we apologize for any inconvenience, our mantra is "security first" and we urge you to upgrade to the newest release as soon as you are able.
• The installation instructions in dacs.install(7) are missing material on how to configure Apache for DACS. You can obtain a revised version (right-click the link and "Save Link Target As..." or "Save Target As..."), replace the one in your distribution's man directory with it, and do a 'make install' from the man directory.
• A bug may prevent arguments passed as application/x-www-form-urlencoded content type in the message body from being accessible in the Args namespace.
• A bug prevents all "sensitive" messages from being logged, even if LOG_SENSITIVE is set to "yes".
• A bug in the LOG_FILTER directive prevented non-audit events from being properly ignored.
• A bug in configuration processing sometimes causes variables in the Conf namespace to be interpolated as the empty string.
• Additional changes (not listed above):
  • new directives: COOKIE_NO_DOMAIN and CSS_PATH
  • bug fix for sslclient
  • bug fix for installion of shared libraries

DACS Version 1.4.10

Release Notes

Change Summary

This release contains some minor new features, fixes bugs, and improves the documentation.

A contributed resource project for DACS is now available. The DACS Java Library (DJL) is being developed to support the use of DACS in Java client applications. It implements Java wrapper classes for selected DACS services, and provides an HTTP client through which DACS services may be accessed and DACS credentials obtained and managed.

Changes of note:

• added -D as a dacsoption flag - see dacs(1)
• optional LOG_FORMAT directive added, LOG_FEDERATION_NAME removed (note: remove the latter from configuration files)
• optional SSL_PROG_ARGS directive added
• initial implementation of experimental COMPAT_MODE directive to prevent DACS 1.2 credentials from being discarded
• implemented missing assignment operators (+=, -=, etc.) and pre/post inc/dec operators for integer variables (${var}++, etc.)
• a default namespace ("Temp") is now allowed as a convenience:
  ${foo} = 17 is equivalent to ${Temp::foo} = 17
  This can be disabled, or the name changed, at compile time
• added a PHP example to dacscheck(1)
• added if/elseif/else statement and the comma operator
• added expression testing framework to dacsexpr(1) (see its -et flag)
• added -uj and -us dacsoptions flags for convenience
• extensions to the VERIFY_IP directive
• upgrades to expat-2.0.0, BerkeleyDB 4.4.20, samba-3.0.21a, openldap-2.3.18
• added STATUS_LINE directive and -status_line/-no_status_line DACS_ACS flags

Post-Release Notes

1. On some newer GNU/Linux distributions, sslclient appears to fail randomly:
   % perl -e 'printf "GET / HTTP/1.0\n\n";' | sslclient fedroot.com:443 > /dev/null
   ssllib: set_nonblocking: fcntl: Invalid argument
   If you want an immediate fix, replace your src/ssllib.c with ssllib.c.gz [SHA(ssllib.c)= df23421c6f826b9cdac7d2f2a9491898b6137ef3]
2. "make install" may fail if shared libraries have been configured. To fix this, edit Makefile (and/or Makefile.in), look for the targets install-libs and install-shared-lib, and remove the string "/$(SHARED_LIB)". Or simply disable shared libraries (--disable-shared) when you build this release.

DACS Version 1.4.9

Release Notes

Change Summary

This release contains some minor new features, fixes bugs, and improves the documentation.

Other changes:

• many bug fixes and documentation revisions and improvements
• fixes and improvements to the dacscheck(1) command and its man page
• fixes to autologin(8) and exec() function
• fixes to local_roles, local_unix_roles, and dacs_authenticate(8)
• added the Env namespace
• fixes to dacs_notices(8) and its man page
• fixes to the virtual filestore and its documentation
• added --with-apache=omit (see INSTALL)
• added ability to select case sensitive/insensitive comparison of federation/jurisdiction/usernames. See docs for the new NAME_COMPARE directive and the revised user() predicate. A consequence of this change is that accounts created by dacspasswd are now lowercase names; otherwise case-insensitive comparisons will consider "Bob" and "bob" equivalent. Some such existing accounts will become inaccessible if the admin changes to case-insensitive names.
• added DACS-Status-Line with -check_only and -check_fail flags; see dacs_acs(1)
• changes to dacs_acs.dtd

Post-Release Notes

None.

DACS Version 1.4.8

Release Notes

Change Summary

The major change is the new dacscheck(1) command, which we believe will open up DACS to many developers and many new applications. It provides simplified, platform-independent, general-purpose access to the DACS access control rule evaluation engine. This feature can be used by any virtually any application, script (Perl, PHP, shell, etc.), server software, or CGI program to make data-driven access control decisions rather than program-driven ones. dacscheck can be used by itself and does not depend on any other DACS programs, web services, or even an web server. Simply install it and start to use it. Please refer to the manual page for details and examples.

Other changes:

• many bug fixes and documentation revisions and improvements
• upgrade to OpenSSL 0.9.8a
• new configuration directives for password constraints
• fixes for Cygwin
• backward compatible changes to the AUTH_SUCCESS_HANDLER and SIGNOUT_HANDLER directives
• changes to dacs_passwd, its DTD and default ACL
• changes to DACS name parsing and user() predicate
• changes to behaviour of permit_chaining attribute

Post-Release Notes

• A bug in dacscheck(1) causes identities given in the "concise syntax" to be parsed incorrectly. A partial workaround is to omit the squirrelly braces; for example, use -i u=bobo or -i u="bobo" or -i 'u="bobo"' instead of -i '{u="bobo"}'
• A bug in dacscheck(1) may cause SEGVs on system configurations where hostname(1) does not return the host's FQDN. You can use the -fn flag to explicitly provide a federation name.
• A bug in autologin(8) prevents it from operating correctly. The fix is to get REMOTE_USER from the environment and pass its value as the USERNAME argument to dacs_authenticate.
• A bug in expression evaluation causes a non-zero return status of a command executed by exec() to abort evaluation.
• A bug in http(1) causes the -user-agent flag to be ignored.

DACS Version 1.4.7

Release Notes

Please note the following important changes/incompatibilities:

• changed from comma-separated URI lists to space-separated lists in all notice acknowledgement XML
• changed ack() predicate to take individual URI arguments rather than a single URI argument; NB: this may require changes to existing ACLs that use the ack() predicate
• a "secure" cookie is emitted if a request comes over https, regardless of SECURE_MODE
• Renamed acl-auth.0 to the more accurate acl-local-auth.0
  Note: after acl-local-auth.0 has been installed, delete a previously installed copy of acl-auth.0
• A new feature called ACL delegation allows a DACS administrator to delegate access control decisions for a portion of the URL space to another person (or DACS identity) or to rules obtained from another source. See dacs.acls(5).
• The store command is now called vfs (delete any previously installed copies of store).

Post-Release Notes

• Apache's AddDACSAuth directive's command-line-arg-string argument, which is supposed to be optional, must actually be provided. This will be fixed in the next release; in the meantime, you can use "-v".
• A bug in dacs_auth_agent's local mode of operation requires the item type auth_agent_local to be configured (it's supposed to be optional). This will be fixed in the next release.
• Where the INSTALL file describes sslclient, replace www.fedroot.com with fedroot.com.

Change Summary

This release includes:

• many bug fixes and documentation revisions
• some log entries now include a "session tracking identifier"
• sensible https/SSL defaults for the http command
• new dacs_auth_agent web service
• replacement of Store clause with VFS configuration directive
  Note: this may require revisions to dacs.conf and site.conf
• added version header/footer lines to HTML man pages
• important bug fixes for local_ntlm_authenticate and local_ldap_authenticate
• upgrades to samba-3.0.20a, openldap-2.2.26, docbook-xsl-1.69.1, openssl-0.9.7i, and Apache 2.0.55
• new delegated ACLs feature
• aclcheck now also checks the revocation list
• reworking of the former "url" virtual filestore type (now called "vfs")
• http/https URI schemes are supported by the new VFS directive

DACS Version 1.4.6

Release Notes

Authentication bugs
Bugs in the NTLM and LDAP authentication modules have been found that may cause authentication to fail. Fixes for these bugs will appear in the next release.

Checksums
After obtaining a DACS release, please verify all checksums for the file you downloaded. Do not use a download if any checksum for it does not match. Checksums will be posted here from now on.

OpenSSL's "dgst" command can be used to compute checksums:

     openssl dgst -md5 dacs-1.4.6.tgz
     openssl dgst -sha1 dacs-1.4.6.tgz

Checksums for dacs-1.4.6.tgz:
-rw-r--r--  1 brachman  wheel  1320654 Sep 19 16:24 dacs-1.4.6.tgz

MD5:   c5c7bc5a941b9f568f2777c523aec121
SHA-1: f2783a0ecd769c332981f28c1fa7f4cd8c746a25

Checksums for dacs-1.4.6.tbz:
-rw-r--r--  1 brachman  wheel  972539 Sep 19 16:24 dacs-1.4.6.tbz

MD5:   7c1a510dee6e41d33eca4dfadd15afa5
SHA-1: 69137b4913f838eb8bcca17690b589bd26c3039d

A note about upgrading
Because DACS is security software, we strongly recommend that you upgrade to the newest release as soon as you are able. This is neither a difficult nor a time consuming procedure most times. Sometimes an incompatible change in DACS will require you to change a DACS configuration file, but this should not be difficult to do and we will try to advise you of such changes.

For a quick and dirty upgrade (assumes you aren't changing any third-party packages or options):

1. Obtain and unpack the new distribution and cd to it;
2. Review the README and INSTALL instructions;
3. Copy the src/config.nice from your installed version to the new src directory and configure DACS:
   "cd src; sh ./config.nice";
4. Build DACS ("gmake");
5. Stop Apache httpd ("apachectl stop");
6. Install DACS ("gmake install");
7. Make and install the latest mod_auth_dacs module
   "cd ../apache; gmake tag install";
8. Restart Apache httpd ("apachectl start"); and
9. Check that DACS appears to be working correctly.

This will leave your existing DACS configuration files alone but it will also leave files that are no longer needed by the new DACS.

Note: whenever you upgrade to a more recent version of DACS, please do not forget to install the Apache mod_auth_dacs module that comes with your new version of DACS.

Change Summary

This release includes:

• many bug fixes and documentation revisions
• initial version of dacs_notices
• initial version of dacscred
• improved support for middleware, changes to dacs_acs DACS_ACS argument
• logging enhancements, including support for syslog(3)

DACS Version 1.4.5

Release Notes

Change Summary

DACS Version 1.4.4

Release Notes

Change Summary

DACS Version 1.4.3

Release Notes

If you are upgrading to this version of DACS from an older version of DACS 1.4:

• In your site.conf file and/or your dacs.conf file, your SSL_PROG directive should point to the location of your DACS sslclient program:

      SSL_PROG "${Conf::DACS_HOME}/bin/sslclient"
  

• Because the format for ACL file names has been changed, you may need to rename your ACLs. To be used by DACS, rule files must begin with "acl-". All other file and directory names are ignored. A rule named acl.0 will not be used by DACS, for example; if it is renamed to acl-local.0 it will be processed. Please consult the documentation for details.

Documentation for the dacs_signout web service is missing from the distribution. Its manual page is available here.

Change Summary

DACS Version 1.4.2

Release Notes

Index: INSTALL

• Please pay careful attention to the descriptions of the third-party packages.
• For a few third-party packages, it is important that you use the exact version that is mentioned. Do not use anything newer or older.
• For other packages, a particular release is recommended. It is less critical that you use the recommended release, but older releases may have important bugs, including security problems. Newer releases will not have been tested with DACS.
• You may save yourself time and headaches if you just use the recommended releases.

Index: HISTORY

• added suport for LDAP and Microsoft ADS based authentication
• improved man pages
• minor bug fixes
• minor changes:
  • new and renamed DACS expression functions, including ldap name parsing
  • if -v and --version are given, also print module version stamps
  • an initial version of WWW-Authenticate/Authorization header handling (ACS can respond with or accept RFC 2617 headers)
  • added "ndbm" storage method (includes gdbm in compatibility mode)
  • added missing C/C++ bit operators for DACS expressions

Change Summary