<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="EIM lookup operations" />
<meta name="abstract" content="This information explains the process for Enterprise Identity Mapping (EIM) mapping and view examples." />
<meta name="description" content="This information explains the process for Enterprise Identity Mapping (EIM) mapping and view examples." />
<meta name="DC.Relation" scheme="URI" content="rzalveserverdomain.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample1.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample3.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample4.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvambiguousgroupregistry.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalv_policy_associations.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalveservereimmaplookup" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>EIM lookup operations</title>
</head>
<body id="rzalveservereimmaplookup"><a name="rzalveservereimmaplookup"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">EIM lookup operations</h1>
<div><p>This information explains how Enterprise Identity Mapping (EIM) lookup
operations work and links to examples that you can view.</p>
<p>An application or an operating system uses an EIM API to perform a <em>lookup
operation</em> so that the application or operating system can map from one
user identity in one registry to another user identity in another registry.
An EIM lookup operation is a process through which an application or operating
system finds an unknown associated user identity in a specific target registry
by supplying some known and trusted information. Applications that use EIM
APIs can perform these EIM lookup operations on information only if that information
is stored in the EIM domain. An application can perform one of two types of
EIM lookup operations based on the type of information the application supplies
as the source of the EIM lookup operation: a user identity or an EIM identifier.</p>
<div class="p">When applications or operating systems use the <samp class="codeph">eimGetTargetFromSource()</samp> API
to obtain a target user identity for a given target registry, they must supply
a <em>user identity as the source</em> of the lookup operation. To be used as
the source in an EIM lookup operation, a user identity must either have an
identifier source association defined for it or be covered by a policy association.
When an application or operating system uses this API, the application or
operating system must supply three pieces of information:<ul><li>A user identity as the source, or starting point, of the operation. </li>
<li>The EIM registry definition name for the source user identity. </li>
<li>The EIM registry definition name that is the target of the EIM lookup
operation. This registry definition describes the user registry that contains
the user identity that the application is seeking.</li>
</ul>
</div>
<div class="p">When applications or operating systems use the <samp class="codeph">eimGetTargetFromIdentifier()</samp> API
to obtain a user identity for a given target registry, they must supply an <em>EIM
identifier as the source</em> of the EIM lookup operation. When an application
uses this API, the application must supply two pieces of information:<ul><li>An EIM identifier as the source, or starting point, of the operation. </li>
<li>The EIM registry definition name that is the target of the EIM lookup
operation. This registry definition describes the user registry that contains
the user identity that the application is seeking.</li>
</ul>
</div>
<p>For a user identity to be returned as the target of either type of EIM
lookup operation, the user identity must have a target association defined
for it. This target association can be in the form of an identifier association
or a policy association.</p>
<div class="p">The supplied information is passed to EIM, and the EIM lookup operation
returns any target user identities that it finds by searching EIM data
in the following order, as Figure 10 illustrates:<ol><li>Identifier target association for an EIM identifier. <span class="br">The
EIM identifier is identified in one of two ways: it is supplied by the <samp class="codeph">eimGetTargetFromIdentifier()</samp> API,
or it is determined from information supplied by the <samp class="codeph">eimGetTargetFromSource()</samp> API. </span></li>
<li>Certificate filter policy association. </li>
<li>Default registry policy association. </li>
<li>Default domain policy association.</li>
</ol>
</div>
<p><strong>Figure 10:</strong> EIM lookup operation general processing flow chart</p>
<p><br /><img src="rzalv515.gif" alt="Process flow chart for a mapping lookup operation " /><br /></p>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />In the following flow, the lookup operation first checks the
individual registry definition, such as the specified source registry or target
registry. If the lookup operation fails to find a mapping using the individual
registry definition, it determines whether the individual registry definition
is a member of a group registry definition. If it is a member of a group registry
definition, the lookup operation checks the group registry definition to satisfy
the mapping lookup request.<img src="./deltaend.gif" alt="End of change" /></div>
<div class="p">The lookup operation search flows in this manner:<ol><li>The lookup operation checks whether mapping lookups are enabled. <span class="br">The
lookup operation determines whether mapping lookups are enabled for the specified
source registry, the specified target registry, or both specified registries.
If mapping lookups are not enabled for one or both of the registries, then
the lookup operation ends without returning a target user identity.</span></li>
<li>The lookup operation checks whether there are identifier associations
that match the lookup criteria. <span class="br">If an EIM identifier was
provided, the lookup operation uses the specified EIM identifier name. Otherwise,
the lookup operation checks whether there is a specific identifier source
association that matches the supplied source user identity and source registry.
If there is one, the lookup operation uses it to determine the appropriate
EIM identifier name. The lookup operation then uses the EIM identifier name
to search for an identifier target association for the EIM identifier that
matches the specified target EIM registry definition name. If there is an
identifier target association that matches, the lookup operation returns the
target user identity defined in the target association.</span></li>
<li>The lookup operation checks whether the use of policy associations is
enabled. <span class="br">The lookup operation checks whether the domain
is enabled to allow mapping lookups using policy associations. The lookup
operation also checks whether the target registry is enabled to use policy
associations. If the domain is not enabled for policy associations or the
registry is not enabled for policy associations, then the lookup operation
ends without returning a target user identity.</span></li>
<li>The lookup operation checks for certificate filter policy associations. <span class="br">The lookup operation checks whether the source registry is
an X.509 registry type. If it is an X.509 registry type, the lookup operation
checks whether there is a certificate filter policy association that matches
the source and target registry definition names. The lookup operation checks
whether there are certificates in the source X.509 registry that satisfy the
criteria specified in the certificate filter policy association. If there
is a matching policy association and there are certificates that satisfy the
certificate filter criteria, the lookup operation returns the appropriate
target user identity for that policy association.</span></li>
<li>The lookup operation checks for default registry policy associations. <span class="br">The lookup operation checks whether there is a default registry
policy association that matches the source and target registry definition
names. If there is a matching policy association, the lookup operation returns
the appropriate target user identity for that policy association.</span></li>
<li>The lookup operation checks for default domain policy associations. <span class="br">The lookup operation checks whether there is a default domain
policy association defined for the target registry definition. If there is
a matching policy association, the lookup operation returns the associated
target user identity for that policy association.</span></li>
<li>The lookup operation is unable to return any results.</li>
</ol>
</div>
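<p>The search flow above, as an added example that is not IBM's code and does not call the EIM API: a simplified Python model of steps 1 through 7. All class, field and registry names are assumptions, the certificate filter is modelled as a subject DN suffix match, and group registry definitions are left out.</p>

```python
# Simplified model of the EIM lookup search order (steps 1-7 above).
# Not the EIM API: all names and structures are assumptions for illustration.
from dataclasses import dataclass, field
@dataclass
class Registry:
    lookups_enabled: bool = True
    policy_enabled: bool = False
    x509: bool = False

@dataclass
class Domain:
    policy_enabled: bool = False
    registries: dict = field(default_factory=dict)          # name: Registry
    source_assoc: dict = field(default_factory=dict)        # (registry, user): identifier
    target_assoc: dict = field(default_factory=dict)        # (identifier, registry): user
    cert_filter_policy: dict = field(default_factory=dict)  # (src, tgt): (DN suffix, user)
    registry_policy: dict = field(default_factory=dict)     # (src, tgt): user
    domain_policy: dict = field(default_factory=dict)       # tgt: user

def lookup(d, target, source=None, user=None, identifier=None):
    """Return (target_user, rule) or (None, reason)."""
    regs = [d.registries[r] for r in (source, target) if r is not None]
    if not all(r.lookups_enabled for r in regs):                 # step 1
        return None, "mapping lookups disabled"
    if identifier is None:                                       # step 2
        identifier = d.source_assoc.get((source, user))
    hit = d.target_assoc.get((identifier, target))
    if hit:
        return hit, "identifier association"
    if not (d.policy_enabled and d.registries[target].policy_enabled):  # step 3
        return None, "policy associations disabled"
    if source is not None and d.registries[source].x509:         # step 4
        suffix, mapped = d.cert_filter_policy.get((source, target), (None, None))
        if suffix and user and user.endswith(suffix):  # filter modelled as DN suffix
            return mapped, "certificate filter policy"
    if (source, target) in d.registry_policy:                    # step 5
        return d.registry_policy[(source, target)], "default registry policy"
    if target in d.domain_policy:                                # step 6
        return d.domain_policy[target], "default domain policy"
    return None, "no mapping found"                              # step 7

def demo_domain():
    """Constructed sample data: one explicit mapping plus a catch-all policy."""
    d = Domain(policy_enabled=True)
    d.registries = {"SRC_KRB": Registry(), "TGT_OS": Registry(policy_enabled=True)}
    d.source_assoc[("SRC_KRB", "jsmith")] = "John Smith"
    d.target_assoc[("John Smith", "TGT_OS")] = "JSMITH1"
    d.registry_policy[("SRC_KRB", "TGT_OS")] = "GUEST"
    return d
```

<p>In the constructed data, a source user with no identifier association still resolves to GUEST through the default registry policy, so the enablement switches checked in step 3 decide whether unmapped identities can reach the target registry at all.</p>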
<p>To learn more about Enterprise Identity Mapping lookup operations, view
the following examples:</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample1.htm">Lookup operation examples: Example 1</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from specific identifier associations based on the known user identity.</li>
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample2.htm">Lookup operation examples: Example 2</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from specific identifier associations based on the known Kerberos principal.</li>
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample3.htm">Lookup operation examples: Example 3</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from a default registry policy association.</li>
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample4.htm">Lookup operation examples: Example 4</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity in a user registry that is a member of a group registry definition.</li>
<li class="ulchildlink"><strong><a href="rzalvambiguousgroupregistry.htm">Lookup operation examples: Example 5</a></strong><br />
Use this example to learn about lookup operations returning ambiguous results that involve group registry definitions.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalveservercncpts.htm" title="Use this information learn about important EIM concepts that you need to understand to implement EIM successfully.">Enterprise Identity Mapping concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzalveserverdomain.htm" title="This information explains how to use a domain to store all your identifiers.">EIM domain</a></div>
<div><a href="rzalv_policy_associations.htm" title="Use this information to learn about how to use policy associations to describe a relationship between multiple user identities and a single user identity in a user registry.">Policy associations</a></div>
</div>
</div>
</body>
</html>