eimAddPolicyFilter()--Add EIM Policy Filter
Syntax
    #include <eim.h>

    int eimAddPolicyFilter(EimHandle * eim,
                           EimPolicyFilterInfo * filterInfo,
                           EimRC * eimrc)

Service Program Name: QSYS/QSYEIM
Default Public Authority: *USE
Threadsafe: Yes
The eimAddPolicyFilter() function adds the specified policy filter value to the domain. A policy association can then be added to the policy filter value using the Add EIM Policy Association (eimAddPolicyAssociation) API. A policy association is used in a mapping lookup operation (eimGetTargetFromSource) if a specific source association does not exist. A policy association to a policy filter value is used to map users with similar attributes to the same target identity in the target registry. You can use the Format EIM Policy Filter (eimFormatPolicyFilter) API to have a policy filter value created for you in the correct format based on the data that is provided.
EIM version 2 must be supported by the local EIM APIs to use this API (see eimGetVersion()--Get EIM Version).
Certificate policy filter details
A certificate policy filter is used to map user (or client) certificates with similar attributes to the same target identity in the target registry. For example, a certificate policy filter can be added so that all certificates issued by the same Certificate Authority (CA) are mapped to the same target identity in the target registry. Or, all certificates from the same organization are mapped to the same target identity in the target registry.
To locate a certificate policy filter, a search will be done using a series of full and partial distinguished names (DNs) until the most specific matching filter policy is found. The following values are used in sequence to search for a matching certificate filter policy:
- <SDN>subject's-full-DN</SDN><IDN>issuer's-full-DN</IDN>
  example: <SDN>CN=John D. Smith,OU=Sales,O=IBM,L=Rochester,ST=Min,C=US</SDN><IDN>OU=VeriSign Class 1 Individual Subscriber,O=VeriSign,L=Internet</IDN>
- <SDN>subject's-partial-DN</SDN><IDN>issuer's-full-DN</IDN>
  example: <SDN>O=IBM,L=Rochester,ST=Min,C=US</SDN><IDN>OU=VeriSign Class 1 Individual Subscriber,O=VeriSign,L=Internet</IDN>
- <SDN>subject's-full-DN</SDN>
  example: <SDN>CN=John D. Smith,OU=Sales,O=IBM,L=Rochester,ST=Min,C=US</SDN>
- <SDN>subject's-partial-DN</SDN>
  example: <SDN>OU=Sales,O=IBM,L=Rochester,ST=Min,C=US</SDN>
- <IDN>issuer's-full-DN</IDN>
  example: <IDN>OU=VeriSign Class 1 Individual Subscriber,O=VeriSign,L=Internet</IDN>
- <IDN>issuer's-partial-DN</IDN>
  example: <IDN>O=VeriSign,L=Internet</IDN>
Note that searching is not done for the following values:
- <SDN>subject's-full-DN</SDN><IDN>issuer's-partial-DN</IDN>
- <SDN>subject's-partial-DN</SDN><IDN>issuer's-partial-DN</IDN>
Each step of the search using a partial DN may actually involve a series of
searches for partial name values based on the full DN. Each partial DN value in
the series is determined by removing the next most specific node in the DN.
The nodes are removed from the most specific to the least specific, in the order
that they appear in the DN.
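The search order described above, written out as an added example (this is not IBM's code and not the EIM implementation). It only builds the list of filter values in the order this section gives and makes no EIM calls; build_candidates(), drop_node() and add() are hypothetical helpers, and nodes are assumed to be separated by commas that are not escaped with a backslash.

```c
/* Added illustration: lists the policy filter values tried for one certificate,
 * in the documented order. Helper names are hypothetical, not part of eim.h. */
#include <stdio.h>
#include <string.h>
#define MAX_CAND 64
#define MAX_LEN  512

/* Drop the leading (most specific) node; NULL when no further node remains.
 * Assumption: nodes are separated by commas not escaped with a backslash. */
static const char *drop_node(const char *dn) {
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == ',') return p + 1;
    }
    return NULL;
}

static int add(char out[][MAX_LEN], int n, const char *sdn, const char *idn) {
    if (n >= MAX_CAND) return n;
    out[n][0] = '\0';
    if (sdn) snprintf(out[n], MAX_LEN, "<SDN>%s</SDN>", sdn);
    size_t used = strlen(out[n]);
    if (idn) snprintf(out[n] + used, MAX_LEN - used, "<IDN>%s</IDN>", idn);
    return n + 1;
}

/* Fill out[] with candidates from most to least specific; return the count. */
int build_candidates(const char *subject, const char *issuer, char out[][MAX_LEN]) {
    int n = 0; const char *p;
    n = add(out, n, subject, issuer);                 /* full SDN + full IDN    */
    for (p = drop_node(subject); p; p = drop_node(p))
        n = add(out, n, p, issuer);                   /* partial SDN + full IDN */
    n = add(out, n, subject, NULL);                   /* full SDN               */
    for (p = drop_node(subject); p; p = drop_node(p))
        n = add(out, n, p, NULL);                     /* partial SDN            */
    n = add(out, n, NULL, issuer);                    /* full IDN               */
    for (p = drop_node(issuer); p; p = drop_node(p))
        n = add(out, n, NULL, p);                     /* partial IDN            */
    return n;
}

int main(void) {
    static char out[MAX_CAND][MAX_LEN];
    /* Constructed input: the subject and issuer DNs used in the examples above. */
    int n = build_candidates("CN=John D. Smith,OU=Sales,O=IBM,L=Rochester,ST=Min,C=US",
        "OU=VeriSign Class 1 Individual Subscriber,O=VeriSign,L=Internet", out);
    for (int i = 0; i < n; i++) printf("%2d. %s\n", i + 1, out[i]);
    return 0;
}
```

No candidate pairs a subject DN with a partial issuer DN, matching the two combinations listed as not searched. Values near the end of the list, such as a short partial issuer DN, apply to every certificate whose search reaches them without a more specific match, so review how broad a filter value is before adding it.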
Authorities and Locks
- EIM Data
- Access to EIM data is controlled by EIM access groups. LDAP administrators also have access to EIM data. The access groups whose members have authority to the EIM data for this API follow:
- EIM Administrator
- EIM Registries Administrator
Parameters
- eim (Input)
- The EIM handle returned by a previous call to eimCreateHandle(). A valid
connection is required for this function.
- filterInfo (Input)
- The information about the policy filter to be added.
The EimPolicyFilterInfo structure contains information about the policy filter to add.
For EIM_CERTIFICATE_FILTER (1) policy filter type, the filter field must contain an EimCertificatePolicyFilter structure. The sourceRegistry field must contain the name of a registry that has a type of X.509.
The structure layouts follow:
    enum EimPolicyFilterType {
        EIM_ALL_FILTERS,            /* All policy filters -- not
                                       supported for this interface. */
        EIM_CERTIFICATE_FILTER      /* Policy filter is a certificate
                                       filter. */
    };

    typedef struct EimCertificatePolicyFilter
    {
        char * sourceRegistry;      /* The source registry to add the
                                       policy filter to. */
        char * filterValue;         /* The policy filter value. */
    } EimCertificatePolicyFilter;

    typedef struct EimPolicyFilterInfo
    {
        enum EimPolicyFilterType type;
        union {
            EimCertificatePolicyFilter certFilter;
        } filter;
    } EimPolicyFilterInfo;
- eimrc (Input/Output)
- The structure in which to return error code information. If the return
value is not 0, eimrc is set with additional information. This parameter may be
NULL. For the format of the structure, see EimRC--EIM
Return Code Parameter.
Return Value
The return value from the API. Following each return value is the list of possible values for the messageCatalogMessageID field in the eimrc parameter for that value.
- 0
- Request was successful.
- EACCES
- Access denied. Not enough permissions to access data.
EIMERR_ACCESS (1) Insufficient access to EIM data.
- EBADDATA
- eimrc is not valid.
- EBADNAME
- Registry name is not valid or insufficient access to EIM data.
EIMERR_NOREG (28) EIM Registry not found or insufficient access to EIM data.
- EBUSY
- Unable to allocate internal system object.
EIMERR_NOLOCK (26) Unable to allocate internal system object.
- ECONVERT
- Data conversion error.
EIMERR_DATA_CONVERSION (13) Error occurred when converting data between code pages.
- EINVAL
- Input parameter was not valid.
EIMERR_HANDLE_INVAL (17) EimHandle is not valid.
EIMERR_PARM_REQ (34) Missing required parameter. Please check API documentation.
EIMERR_PTR_INVAL (35) Pointer parameter is not valid.
EIMERR_POLICY_FILTER_TYPE_INVAL (60) Policy filter type is not valid.
EIMERR_REGTYPE_INVAL (62) Registry type is not valid.
EIMERR_FUNCTION_NOT_SUPPORTED (70) The specified function is not supported by the EIM version.
- ENOMEM
- Unable to allocate required space.
EIMERR_NOMEM (27) No memory available. Unable to allocate required space.
- ENOTCONN
- LDAP connection has not been made.
EIMERR_NOT_CONN (31) Not connected to LDAP. Use eimConnect() API and try the request again.
- EROFS
- LDAP connection is for read only. Need to connect to master.
EIMERR_READ_ONLY (36) LDAP connection is for read only. Use eimConnectToMaster() to get a write connection.
- EUNKNOWN
- Unexpected exception.
EIMERR_LDAP_ERR (23) Unexpected LDAP error. %s
EIMERR_UNKNOWN (44) Unknown error or unknown system state.
EIMERR_UNEXP_OBJ_VIOLATION (56) Unexpected object violation.
Related Information
- eimRemovePolicyFilter()--Remove EIM Policy Filter
- eimListPolicyFilters()--List EIM Policy Filters
- eimFormatPolicyFilter()--Format EIM Policy Filter
- eimAddPolicyAssociation()--Add EIM Policy Association
- eimRemovePolicyAssociation()--Remove EIM Policy Association
- eimListRegistryAssociations()--List EIM Registry Associations
Example
The following example adds a policy filter.
Note: By using the code examples, you agree to the terms of the Code license and disclaimer information.
    #include <eim.h>
    #include <stddef.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset() */

    int main (int argc, char *argv[])
    {
        int           rc;
        char          eimerr[100];
        EimRC       * err;
        EimHandle   * handle;
        EimPolicyFilterInfo filterInfo;

        /* Set up error structure.                  */
        memset(eimerr,0x00,100);
        err = (EimRC *)eimerr;
        err->memoryProvidedByCaller = 100;

        /* Get eim handle from input arg.           */
        /* This handle is already connected to EIM. */
        handle = (EimHandle *)argv[1];

        /* Set up policy filter information         */
        filterInfo.type = EIM_CERTIFICATE_FILTER;
        filterInfo.filter.certFilter.sourceRegistry = "MySourceRegistry";
        filterInfo.filter.certFilter.filterValue =
            "<IDN>OU=VeriSign Class 1 Individual Subscriber,O=VeriSign,L=Internet</IDN>";

        /* Add the policy filter                    */
        if (0 != (rc = eimAddPolicyFilter(handle,
                                          &filterInfo,
                                          err)))
        {
            printf("Add EIM Policy Filter error = %d", rc);
            return -1;
        }

        return 0;
    }
API introduced: V5R3