All,
I asked some IBM LDAP questions a while back, and we have it configured, and
users are able to bind to it; a big thank-you to the folks that responded.
What I am looking for assistance with now (or a real-life example of) is usage
of the ICTX plugin for remote authorizations. Server-side setup is already
done, but I cannot find any good examples of distributed-side code calling LDAP
for remote authorizations. What I do find in the fine manual is:
Using remote authorization and audit

The remote authorization and audit services are enabled when the ICTX extended
operations component is configured for IBM Tivoli Directory Server. Refer to
"Configuring the IBM Tivoli Directory Server for remote services support" on
page 399 for instructions.

An application or resource manager that uses the remote audit or authorization
LDAP extended operation must be capable of generating a request, sending it
through the network to the appropriate z/OS IBM TDS server, and interpreting
the response from the z/OS IBM TDS server. The following steps represent the
typical sequence of events that are specific to the LDAP extended operations
for the remote authorization and auditing:

1. The application must perform a simple bind to the server using an
   authorized racfid=userid,cn=ictx bind distinguished name.

2. The application must build a DER-encoded extended operation request having
   the defined ASN.1 syntax that is specific to the audit or authorization
   request. That request can then be included with the z/OS IBM TDS server
   handle and specific request OID on the LDAP client call, such as
   ldap_extended_operation_s(), to build the LDAP message and send it to the
   server.

3. The z/OS IBM TDS receives the request and routes it to the ICTX component,
   where it is decoded and processed. ICTX verifies the correct syntax and the
   requestor's authority before invoking the SAF authorization check or audit
   service to satisfy the request. The result of the SAF service is a
   DER-encoded response that LDAP returns
But there are no examples for item #2. I find coding examples of the parameter
block, but some sample code would be worth a thousand pictures for the remote
LDAP call.
The remote authorization request must contain the DER-encoding of the ASN.1
syntax. The following is the remote authorization request syntax:

Request OID: 1.3.18.0.2.12.66

    RequestValue ::= SEQUENCE {
        RequestVersion INTEGER,
        ItemList SEQUENCE OF
            Item SEQUENCE {
                ItemVersion INTEGER,
                ItemTag INTEGER,
                UserOrGroup IA5String,
                Resource IA5String,
                Class IA5String,
                Access INTEGER,
                LogString IA5String
            }
    }
If anyone can please assist, I'd be glad to take this offline for some
hopefully quick discussion/email.
Thanks in advance, Dave
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
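The following is an added example, not code from the post above, from IBM or from the z/OS IBM TDS manual. It shows the part step 2 leaves out: building the DER encoding of the RequestValue syntax quoted in the post (SEQUENCE, INTEGER and IA5String tags, short- and long-form lengths, minimal non-negative INTEGER encoding) without any ASN.1 library, so it compiles and runs stand-alone. The numeric ItemVersion, ItemTag, Access and RequestVersion values in main() are placeholders; the real codes come from the manual and are not reproduced here. The ldap_extended_operation_s() call in the comment uses the OpenLDAP-style prototype, which is an assumption; check the z/OS LDAP client's own header for its exact signature.

```c
/* Added example (not from the original post or from IBM): hand-rolled DER
 * encoder for the ICTX remote authorization RequestValue quoted above.
 * Numeric field values in main() are placeholders; take the real ItemTag,
 * Access and version codes from the z/OS IBM TDS manual. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICTX_AUTHZ_OID "1.3.18.0.2.12.66"   /* request OID from the manual */

typedef struct { unsigned char *p; size_t len, cap; } derbuf;

typedef struct {
    unsigned long item_version, item_tag;
    const char *user_or_group, *resource, *class_name;
    unsigned long access;
    const char *log_string;
} ictx_item;   /* one Item SEQUENCE of the ItemList */

static int put(derbuf *b, const void *src, size_t n) {
    if (n > b->cap - b->len) return -1;          /* bounds check, no overflow */
    memcpy(b->p + b->len, src, n);
    b->len += n;
    return 0;
}

/* Tag + DER length (short form below 128, long form otherwise) + content. */
static int put_tlv(derbuf *b, unsigned char tag, const unsigned char *c, size_t clen) {
    unsigned char hdr[10], tmp[8];
    size_t n = 0, v = clen;
    int k = 0;
    hdr[n++] = tag;
    if (clen < 0x80) {
        hdr[n++] = (unsigned char)clen;
    } else {
        while (v) { tmp[k++] = (unsigned char)(v & 0xff); v >>= 8; }
        hdr[n++] = (unsigned char)(0x80 | k);
        while (k) hdr[n++] = tmp[--k];           /* big-endian length bytes */
    }
    return (put(b, hdr, n) || put(b, c, clen)) ? -1 : 0;
}

/* Non-negative INTEGER, minimal two's complement: pad with 0x00 if MSB set. */
static int put_int(derbuf *b, unsigned long v) {
    unsigned char le[9], be[9];
    int k = 0, i;
    do { le[k++] = (unsigned char)(v & 0xff); v >>= 8; } while (v);
    if (le[k - 1] & 0x80) le[k++] = 0x00;
    for (i = 0; i < k; i++) be[i] = le[k - 1 - i];
    return put_tlv(b, 0x02, be, (size_t)k);
}

/* IA5String: reject anything outside 7-bit ASCII rather than mis-encode it. */
static int put_ia5(derbuf *b, const char *s) {
    size_t i, n = strlen(s);
    for (i = 0; i < n; i++) if ((unsigned char)s[i] > 0x7f) return -1;
    return put_tlv(b, 0x16, (const unsigned char *)s, n);
}

/* Encode RequestValue ::= SEQUENCE { RequestVersion, ItemList SEQUENCE OF Item }.
 * Returns the encoded length, or 0 on error (buffer too small, non-ASCII). */
size_t ictx_encode_authz_request(unsigned long req_version, const ictx_item *items,
                                 size_t nitems, unsigned char *out, size_t cap) {
    unsigned char item_raw[1024], list_raw[4096], body_raw[4112];
    derbuf list = { list_raw, 0, sizeof list_raw };
    derbuf body = { body_raw, 0, sizeof body_raw };
    derbuf req  = { out, 0, cap };
    size_t i;
    for (i = 0; i < nitems; i++) {
        derbuf it = { item_raw, 0, sizeof item_raw };
        const ictx_item *x = &items[i];
        if (put_int(&it, x->item_version) || put_int(&it, x->item_tag) ||
            put_ia5(&it, x->user_or_group) || put_ia5(&it, x->resource) ||
            put_ia5(&it, x->class_name) || put_int(&it, x->access) ||
            put_ia5(&it, x->log_string)) return 0;
        if (put_tlv(&list, 0x30, it.p, it.len)) return 0;      /* Item SEQUENCE */
    }
    if (put_int(&body, req_version)) return 0;                  /* RequestVersion */
    if (put_tlv(&body, 0x30, list.p, list.len)) return 0;       /* ItemList */
    if (put_tlv(&req, 0x30, body.p, body.len)) return 0;        /* RequestValue */
    return req.len;
}

int main(void) {
    /* Constructed sample item; the numeric codes are placeholders, not manual values. */
    ictx_item item = { 1, 1, "USER1", "MYRES", "FACILITY", 2, "test" };
    unsigned char buf[512];
    size_t i, n = ictx_encode_authz_request(1, &item, 1, buf, sizeof buf);
    if (n == 0) { fputs("encode failed\n", stderr); return 1; }
    /* With an LDAP client library (OpenLDAP-style prototype assumed; check the
     * z/OS client's own header) the bytes go out as the request value:
     *   struct berval reqval = { n, (char *)buf };
     *   rc = ldap_extended_operation_s(ld, ICTX_AUTHZ_OID, &reqval,
     *                                  NULL, NULL, &retoid, &retval);      */
    printf("%s request, %zu bytes:\n", ICTX_AUTHZ_OID, n);
    for (i = 0; i < n; i++) printf("%02x%c", buf[i], (i + 1) % 16 ? ' ' : '\n');
    putchar('\n');
    return 0;
}
```

The encoder refuses non-ASCII in any IA5String and refuses to overrun its buffers, returning 0 instead of a partial request; the server would reject a malformed value anyway, but failing on the client side keeps a bad LogString or resource name from ever reaching the bind-authorized session. The response from the server is also DER (step 3 above) and needs a matching decoder, which this example does not include.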