Valid on UNIX
CA ControlMinder passes as much information about the user requesting authorization as possible to the Exits API functions. Depending on what CA ControlMinder knows about the user, the Exits API function may be given the user name, the UNIX user ID number, and the user ACEE handle.
Users may or may not be defined in the CA ControlMinder database. If the user is defined in the database, CA ControlMinder has an entry in the Accessor Environment Entry (ACEE) table for that user. All entries in the ACEE table have an ACEE handle that points to the information about that entry. A user not defined in the database is assigned an ACEE handle of ‑1. An ACEE handle of ‑1 informs the Exits API functions that the request did not come from a CA ControlMinder‑defined user.
This section provides the instructions for compiling and linking your Exits API functions with the seosd daemon or the sepass utility. These are general instructions that describe the most common system configurations. Each system has its own specific requirements. It is impossible to provide detailed requirements for every possible system configuration. Consult your system guides for the details of your particular system's compiler and linker options.
You must include the header files authxapi.h and seostype.h in your Exits API functions. These files are located in the include subdirectory. Put the following two lines near the top of an Exits API function source file:
#include <authxapi.h>
#include <seostype.h>
We recommend using an ANSI‑C compliant compiler.
This section provides the instructions for compiling and linking your Exits API functions with the seosd service or the pwdchange.dll. These are general instructions that describe the most common system configurations. Each system has its own specific requirements. It is impossible to provide detailed requirements for every possible system configuration. Consult your system guides for the details of your particular system's compiler and linker options.
You must include the header file authxapi.h in your Exits API functions. This file is located in the include subdirectory. Put the following line near the top of an Exits API function source file:
#include <authxapi.h>
We recommend using an ANSI-C compliant compiler.
Because the target of your code is either a shared library (for UNIX) or a dynamic link library (for Windows), you may need to use compiler flags to determine the correct code generation method. The examples provided in the samples subdirectory should help you find the appropriate flag for your operating system.
CA ControlMinder is completely modular in design and implementation. Management of resources is also completely modular. Most of the system objects that CA ControlMinder protects are considered general resources. A class is a family of resources that share the same attributes. For example, an attempt to open a file is considered an access request to a resource of class FILE. In UNIX, an attempt to substitute (su) to another user is considered an access request to a resource of class SURROGATE. Grouping resources in this manner allows CA ControlMinder to use one general authorization algorithm.
Your Exits API functions must maintain the same modular approach as the CA ControlMinder functions. The Exits API functions are called whenever there is an attempt to access a specified resource. Your functions must use a modular algorithm that works consistently for an entire class and does not interfere with or generate errors for other classes.
Important! CA ControlMinder constantly receives authorization requests from system events and user programs. These requests may be redirected to your exit function. Ensure that your function is optimized and terminates as quickly as possible, so as to minimize system overhead. Special care must be taken when writing exit functions. You cannot write an exit function and leave debugging for runtime. A trivial bug can bring down your system.
Note: For more information about classes, properties, and resources, see the Endpoint Administration Guide (for Windows or UNIX).
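The rules above (act on one class only, pass every other class through untouched, treat an ACEE handle of -1 as a user not defined in the database, and return quickly on every path) look like this in C. This is an added example, not CA code: the exit_request structure, the DEMO_* return codes, the "USER.root" resource name, and the deny policy are hypothetical stand-ins for the declarations in authxapi.h and seostype.h, which this page does not show.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins: the real types and return codes come from
 * authxapi.h and seostype.h, which are not reproduced here. */
#define DEMO_CONTINUE   0    /* let normal authorization decide */
#define DEMO_DENY       1    /* this exit vetoes the request */
#define ACEE_UNDEFINED (-1)  /* handle of a user not in the database */

typedef struct {
    const char *class_name;  /* "FILE", "SURROGATE", ... */
    const char *resource;    /* name of the resource being accessed */
    const char *user_name;   /* may be NULL when unknown */
    long        uid;         /* UNIX user ID number */
    int         acee_handle; /* ACEE_UNDEFINED for undefined users */
} exit_request;

/* Exit logic for class SURROGATE only. No I/O, no allocation, no
 * loops: it returns in constant time on every path. */
int surrogate_exit(const exit_request *req)
{
    /* A malformed request must never crash the calling daemon. */
    if (req == NULL || req->class_name == NULL || req->resource == NULL)
        return DEMO_CONTINUE;

    /* Modularity: pass through every class this exit does not own. */
    if (strcmp(req->class_name, "SURROGATE") != 0)
        return DEMO_CONTINUE;

    /* Illustrative policy (constructed): a user with no database
     * entry may not substitute to root. */
    if (req->acee_handle == ACEE_UNDEFINED &&
        strcmp(req->resource, "USER.root") == 0)
        return DEMO_DENY;

    return DEMO_CONTINUE;
}

int main(void)
{
    /* Constructed sample requests. */
    exit_request su   = { "SURROGATE", "USER.root", "guest", 501, ACEE_UNDEFINED };
    exit_request file = { "FILE", "/etc/passwd", "guest", 501, ACEE_UNDEFINED };
    return (surrogate_exit(&su) == DEMO_DENY &&
            surrogate_exit(&file) == DEMO_CONTINUE) ? 0 : 1;
}
```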
Copyright © 2013 CA Technologies.
All rights reserved.