#include <eim.h>

int eimAddPolicyAssociation(EimHandle                * eim,
                            EimPolicyAssociationInfo * policyAssoc,
                            EimRC                    * eimrc)

Service Program Name: QSYS/QSYEIM
The eimAddPolicyAssociation() function adds the specified policy association to the domain. A policy association is used to specify the target association for a mapping lookup operation without having to define specific source associations for all users. A policy association will be used in a mapping lookup operation (eimGetTargetFromSource or eimGetTargetFromIdentifier) if a specific source association does not exist.
EIM version 2 must be supported by the local EIM APIs to use this API (see eimGetVersion()--Get EIM Version).
There are 3 types of policy associations that are supported:
A certificate filter policy association is used to map user (or client) certificates with similar attributes to the same target identity in the target registry. For example, a certificate filter policy association can be added so that all certificates issued by the same Certificate Authority (CA) are mapped to the same target identity in the target registry. Or, all certificates from the same organization are mapped to the same target identity in the target registry.
A default registry policy association is used to map any user in the specified source registry to the same target identity in the target registry.
A default domain association policy is used to map all users to the same target identity in the target registry.
The use of policy associations is controlled by the version of the API interface, not the domain. If policy associations are added to a domain, they will only be used in a mapping lookup operation if the version of the mapping lookup API that is used to access the domain supports policy associations. See EIM Mapping Lookup Algorithm for the effect that policy associations have on the mapping lookup operation.
In the mapping lookup algorithm, there is a check to see if there is a certificate policy filter value that matches the source identity. To locate a certificate policy filter value, a search will be done using a series of full and partial distinguished names (DNs) until the most specific matching certificate policy filter value is found. The following values are used in sequence to search for a matching certificate policy filter value:
Note that searching is not done for the following values:
Each step of the search using a partial DN may actually involve a series of
searches for partial name values based on the full DN. Each partial DN value in
the series is determined by removing the next most specific node in the DN.
The nodes are removed from the most specific to the least specific, in the order
that they appear in the DN.
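The partial DN series described above, as an added example that is not IBM's code and does not call the EIM APIs. The function names, the plain-DN filter strings and the sample DNs are constructed for illustration, and exact string comparison is a simplifying assumption (no DN normalization).

```c
#include <stdio.h>
#include <string.h>

/* Return the DN that remains after removing the leading (most specific)
   node, or NULL when no node is left. A comma escaped with a backslash
   belongs to the node value and is not treated as a separator. */
static const char *next_partial_dn(const char *dn)
{
    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                      /* skip the escaped character */
        } else if (*p == ',') {
            p++;
            while (*p == ' ') p++;    /* tolerate "CN=a, O=b" spacing */
            return *p ? p : NULL;
        }
    }
    return NULL;
}

/* Search the full DN first, then each partial DN in turn, and return the
   index of the first (most specific) filter that matches, or -1. */
int most_specific_filter(const char *dn, const char *const filters[], int n)
{
    for (const char *cand = dn; cand != NULL; cand = next_partial_dn(cand))
        for (int i = 0; i < n; i++)
            if (strcmp(cand, filters[i]) == 0)
                return i;
    return -1;
}

/* Number of values searched for a DN: the full DN plus every partial DN. */
int search_series_length(const char *dn)
{
    int count = 0;
    for (const char *cand = dn; cand != NULL; cand = next_partial_dn(cand))
        count++;
    return count;
}

int main(void)
{
    /* Constructed sample data, not values from a real EIM domain. */
    const char *const filters[] = { "C=US", "O=Example Corp,C=US" };
    const char *dn = "CN=Jones\\, Mary,OU=Sales,O=Example Corp,C=US";
    printf("values searched: %d\n", search_series_length(dn));
    printf("matched filter index: %d\n", most_specific_filter(dn, filters, 2));
    return 0;
}
```

Because the broad "C=US" filter is only reached after every more specific partial DN has been tried, the organization-level filter wins here even though it is listed second.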
The EimPolicyAssociationInfo structure contains information about the policy association to add.
For EIM_CERT_FILTER_POLICY (6) association type, the policyAssociation field must contain an EimCertificateFilterPolicyAssociation structure. The sourceRegistry field must contain the name of a registry that has a type of X.509. The certificate filter policy value specified in the filterValue field must have already been added using the Add EIM Policy Filter (eimAddPolicyFilter) API.
For EIM_DEFAULT_REG_POLICY (7) association type, the policyAssociation field must contain an EimDefaultRegistryPolicyAssociation structure.
For EIM_DEFAULT_DOMAIN_POLICY (8) association type, the policyAssociation field must contain an EimDefaultDomainPolicyAssociation structure.
The structure layouts follow:
enum EimAssociationType {
    EIM_ALL_ASSOC,              /* Not supported on this interface */
    EIM_TARGET,                 /* Not supported on this interface */
    EIM_SOURCE,                 /* Not supported on this interface */
    EIM_SOURCE_AND_TARGET,      /* Not supported on this interface */
    EIM_ADMIN,                  /* Not supported on this interface */
    EIM_ALL_POLICY_ASSOC,       /* Not supported on this interface */
    EIM_CERT_FILTER_POLICY,     /* Association is a certificate
                                   filter policy association.     */
    EIM_DEFAULT_REG_POLICY,     /* Association is a default
                                   registry policy association    */
    EIM_DEFAULT_DOMAIN_POLICY   /* Policy is a default policy for
                                   the domain.                    */
};

typedef struct EimCertificateFilterPolicyAssociation
{
    char * sourceRegistry;          /* The source registry to add the
                                       policy association to.          */
    char * filterValue;             /* The filter value of the policy. */
    char * targetRegistry;          /* The name of the target registry
                                       that the filter value should
                                       map to.                         */
    char * targetRegistryUserName;  /* The name of the target registry
                                       user name that the filter value
                                       should map to.                  */
} EimCertificateFilterPolicyAssociation;

typedef struct EimDefaultRegistryPolicyAssociation
{
    char * sourceRegistry;          /* The source registry to add the
                                       policy association to.          */
    char * targetRegistry;          /* The name of the target registry
                                       that the policy should map to.  */
    char * targetRegistryUserName;  /* The name of the target registry
                                       user name that the policy
                                       should map to.                  */
} EimDefaultRegistryPolicyAssociation;

typedef struct EimDefaultDomainPolicyAssociation
{
    char * targetRegistry;          /* The name of the target registry
                                       that the policy should map to.  */
    char * targetRegistryUserName;  /* The name of the target registry
                                       user name that the policy
                                       should map to.                  */
} EimDefaultDomainPolicyAssociation;

typedef struct EimPolicyAssociationInfo
{
    enum EimAssociationType type;
    union {
        EimCertificateFilterPolicyAssociation certFilter;
        EimDefaultRegistryPolicyAssociation   defaultRegistry;
        EimDefaultDomainPolicyAssociation     defaultDomain;
    } policyAssociation;
} EimPolicyAssociationInfo;
The return value from the API. Following each return value is the list of possible values for the messageCatalogMessageID field in the eimrc parameter for that value.
EIMERR_ACCESS (1) | Insufficient access to EIM data. |
EIMERR_NOREG (28) | EIM Registry not found or insufficient access to EIM data. |
EIMERR_NOPOLICYFILTER (61) | Policy filter value not found for the specified EIM Registry. |
EIMERR_NOLOCK (26) | Unable to allocate internal system object. |
EIMERR_DATA_CONVERSION (13) | Error occurred when converting data between code pages. |
EIMERR_ASSOC_TYPE_INVAL (4) | Association type is not valid. |
EIMERR_HANDLE_INVAL (17) | EimHandle is not valid. |
EIMERR_PARM_REQ (34) | Missing required parameter. Please check API documentation. |
EIMERR_PTR_INVAL (35) | Pointer parameter is not valid. |
EIMERR_FUNCTION_NOT_SUPPORTED (70) | The specified function is not supported by the EIM version. |
EIMERR_NOMEM (27) | No memory available. Unable to allocate required space. |
EIMERR_NOT_CONN (31) | Not connected to LDAP. Use eimConnect() API and try the request again. |
EIMERR_READ_ONLY (36) | LDAP connection is for read only. Use eimConnectToMaster() to get a write connection. |
EIMERR_LDAP_ERR (23) | Unexpected LDAP error. %s |
EIMERR_UNKNOWN (44) | Unknown error or unknown system state. |
EIMERR_UNEXP_OBJ_VIOLATION (56) | Unexpected object violation. |
See Code disclaimer information for information pertaining to code examples.
The following example adds a default registry policy association.
#include <eim.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset() */

int main (int argc, char *argv[])
{
    int           rc;
    char          eimerr[100];
    EimRC       * err;
    EimHandle   * handle;
    EimPolicyAssociationInfo assocInfo;

    /* Set up error structure.                  */
    memset(eimerr,0x00,100);
    err = (EimRC *)eimerr;
    err->memoryProvidedByCaller = 100;

    /* Get eim handle from input arg.           */
    /* This handle is already connected to EIM. */
    handle = (EimHandle *)argv[1];

    /* Set up policy association information    */
    assocInfo.type = EIM_DEFAULT_REG_POLICY;
    assocInfo.policyAssociation.defaultRegistry.sourceRegistry =
        "MySourceRegistry";
    assocInfo.policyAssociation.defaultRegistry.targetRegistry =
        "localRegistry";
    assocInfo.policyAssociation.defaultRegistry.targetRegistryUserName =
        "mjjones";

    /* Add the policy association               */
    if (0 != (rc = eimAddPolicyAssociation(handle,
                                           &assocInfo,
                                           err)))
    {
        printf("Add EIM Policy Association error = %d\n", rc);
        return -1;
    }

    return 0;
}