This section contains the following topics:
Before You Use the Directory API
Structures Used in the Sample Directory Application
The Directory API accesses data stored in a type of database or directory that SiteMinder does not support. With the Directory API, you can:
SiteMinder supports the following namespaces for user directories:
The LDAP, ODBC and NT namespaces can be used without the Directory API. To access another type of user directory, create an interface to the directory with the Directory API.
Before using the Directory API, go to the SiteMinder Administrative UI and create and configure a user directory object with a Custom namespace.
To use the Directory API, you must have the following:
Because no linking is required, there is no restrictive list of supported development environments. For example, you can use the GNU Compiler Collection (GCC). The Directory API has been tested using the following development environments:
Although you don’t need the SiteMinder Policy Server to build a Directory API application, you need the SiteMinder Policy Server to use the application. The SiteMinder Policy Server calls the Directory API.
When you have met the prerequisites, follow these steps:
Optionally, you can place the shared library in a different location, as long as the SiteMinder Policy Server can access it. If you use an alternate location, indicate the fully qualified path to the shared library in the Library field of the SiteMinder User Directory Dialog box.
When you build a Directory API application, include the SmAPI.h file. Your source code must contain the statement:
#include "SmApi.h"
When building a shared library that implements the Directory API, you need not link to any other shared libraries or import libraries. The Directory API is built as a shared library with the exportable functions defined in the include file SmApi.h.
SmApi.h includes the following enumerations used by the Directory API:
Directory Capabilities
Sm_DirApi_Capability_t enumerates the capabilities that can be configured for a custom directory.
The following table lists the directory capabilities enumerated in Sm_DirApi_Capability_t. Descriptions of each capability follow the table.
|
Name |
Value |
|---|---|
|
Sm_DirApi_Capability_ForceResetUserPassword |
0x00000001 |
|
Sm_DirApi_Capability_ChangeUserPassword |
0x00000002 |
|
Sm_DirApi_Capability_DisableUser |
0x00000004 |
|
Sm_DirApi_Capability_SetUserAttributes |
0x00000008 |
|
Sm_DirApi_Capability_Recursive |
0x00000010 |
For a custom directory to have a specific capability, you must define the required user attributes for that capability. For example, to enable SiteMinder to change a user’s password, you need to identify a Password Attribute. SiteMinder then uses that attribute to get and set the user password.
To enable SiteMinder to force a reset of the password, define the following user attributes:
When users are forced to change their passwords, the Policy Server calls SmDirSetUserDisabledState(). In the sample code, the user’s Disabled Flag is set to Sm_Api_Disabled_PWMustChange (the disabled reason).
The SiteMinder Policy Server calls SmDirChangeUserPassword() so that you can change the value in the password field for an entry in your custom directory.
When an administrator uses the SiteMinder Administrative UI to disable or enable a user account, or when Password Services disables a user account, the SiteMinder Policy Server calls SmDirSetUserDisabledState().
In SiteMinder, user accounts can be disabled for a number of reasons, and these reasons are represented by the members of the data structure Sm_Api_DisabledReason_t.
The SiteMinder Policy Server calls SmDirSetUserAttr() so that you can use SiteMinder to set a user attribute in your custom directory.
The following functions in the Directory API have a parameter to hold a recursive flag:
To send information about the directory capabilities to the SiteMinder Policy Server, implement the function SmDirQueryVersion(). Use the capabilities parameter (pnCapabilites) to pass one or more values enumerated in Sm_DirApi_Capability_t. SiteMinder then checks for those capabilities.
For example, if a user attempts to change a password, the SiteMinder Policy Server calls SmDirQueryVersion() to check for the capability Sm_DirApi_Capability_ChangeUserPassword. If the custom directory does not have that capability, the user receives an error message.
An example of setting the directory capabilities is shown in the sample code. First, initialize *pnCapabilities to zero, then set *pnCapabilities as follows:
*pnCapabilities = *pnCapabilities | Sm_DirApi_Capability_<supported_capability>;
For example:
*pnCapabilities = *pnCapabilities | Sm_DirApi_Capability_ChangeUserPassword; *pnCapabilities = *pnCapabilities | Sm_DirApi_Capability_DisableUser;
Ensure that no other application changes data in fields intended for use by SiteMinder. For example, no other application should change data in the field that holds the disabled state of a SiteMinder user.
Policy Resolutions
Sm_PolicyResolution_t, defined in SmApi.h, enumerates the values that describe the relationship between two policy objects. The following Directory API functions use Sm_PolicyResolution_t:
The data types and structures are used in the Directory API, but may also be used by other SiteMinder APIs.
Sm_Api_DisabledReason_t enumerates the reasons that a user account can be disabled.
The following Directory API functions use Sm_Api_DisabledReason_t:
When a user’s account is enabled or disabled, the SiteMinder Policy Server calls SmDirSetUserDisabledState(). This call gives you the opportunity to set the disabled flag in your custom directory to one or more of the disabled reasons, as enumerated in Sm_Api_DisabledReason_t. If a user’s account is disabled or enabled, SmDirGetUserDisabledState() returns the disabled reason(s). When implementing SmDirGetUserDisabledState(), return Sm_Api_Disabled_Enabled if your custom directory does not support a disabled flag.
Note: A user’s account can be disabled for multiple reasons. For example, if the User must change password at next login checkbox is checked and the administrator then clicks Disable, the nDisabledReason holds both the Sm_Api_Disabled_PWMustChange bit and the Sm_Api_Disabled_AdminDisabled bit.
The disabled flag is a SiteMinder user attribute. In the SiteMinder Administrative UI, on the User Attributes tab of the User Directory Dialog box, enter the attribute name in the Disabled Flag field. In the sample, the attribute name is Disabled.
The structure Sm_Api_Context_t gives the function pointers for the SiteMinder logging utility, trace utility, and error utility.
Sm_Api_Reason_t enumerates the reasons for an access event, such as an authentication failure. When a user supplies credentials for authentication, the SiteMinder Policy Server, validating the username and DN, calls SmDirAuthenticateUser(). This call gives you the opportunity to return information about the access event.
To initialize objects, the SiteMinder Policy Server calls the functions in the following table:
|
Function Name |
Object Initialized by SiteMinder Policy Server |
|---|---|
|
Directory provider. Set provider handle. |
|
|
Directory instance. Set directory instance handle. |
|
|
Directory Entry (User) instance. Set user entry instance handle. |
Initializing the Directory Provider
The first time that the custom directory provider is required after the SiteMinder Policy Server is started, the Policy Server calls SmDirInit() to initialize the directory provider. At this point, set the provider handle as shown in the sample code. The SiteMinder Policy Server will not call SmDirInit() again until one of the Policy Server services is started (or re-started).
SmDirInit() is called once per custom directory provider library (.dll or .so).
Initializing the Directory Instance
The Policy Server calls SmDirInitDirInstance() to initialize the directory instance. Set the directory instance handle as shown in the sample code.
SmDirInitDirInstance() is called once per directory instance using this directory provider library. SiteMinder calls the function when it needs a directory context (to perform an operation such as search or get properties) while processing an authentication or authorization request. This function is typically called at the beginning of a request.
Initializing the Directory Entry (User) Instance
The SiteMinder Policy Server initializes the user instance by calling SmDirInitUserInstance(). Set the directory entry (user) instance handle as shown in the sample code.
To release objects, use the functions in the following table:
|
Function Name |
Object Released by SiteMinder Policy Server |
|---|---|
|
Directory provider. Delete provider handle |
|
|
Directory or entry instance. Determine which handle is passed. |
Releasing the User Instance
The SiteMinder Policy Server calls SmDirReleaseInstance() so that you can release the user instance handle if you choose. Ensure that the handle that is passed is the user instance handle, not the directory instance handle.
Releasing the Directory Instance
The SiteMinder Policy Server calls SmDirReleaseInstance() so that you can release the directory instance handle if you choose. Ensure that the handle that is passed is the directory instance handle, not the user instance handle.
SiteMinder calls SmDirReleaseInstance() once per every call to SmDirInitDirInstance(), after the directory context is no longer needed. It is typically called at the end of a request.
Releasing the Directory Provider
When an administrator starts to shut down the SiteMinder Policy Server, the SiteMinder Policy Server calls SmDirRelease() to release the directory provider.
These functions can be called either within a sequence of directory operations or within a sequence of directory entry (user) operations. If the function receives an instance handle through a parameter, determine whether it is a directory instance handle or a directory entry (user) instance handle.
|
Function Name |
Description |
|---|---|
|
Free memory allocated for a sting. |
|
|
Free memory allocated for a string array. |
|
|
Check the Directory API version and the directory capabilities it supports. |
Free Strings and String Arrays
After the SiteMinder Policy Server calls an operation function that takes string parameters, the SiteMinder Policy Server calls SmDirFreeString() or SmDirFreeStringArray() to release allocated memory. Calls may be repeated so that multiple strings can be freed.
For example, a SiteMinder Administrator can use the SiteMinder Administrative UI to perform a search for the user Mikel. The SiteMinder Administrator first selects the string User from the Search drop-down list box, then enters the string Mikel in the Search Expression field. SiteMinder calls SmDirLookup() and passes the strings (in the form “User = Mikel”) into the lpszPattern parameter. SiteMinder then calls SmDirFreeStringArray() twice. On the first call, SiteMinder passes the string array Mikel. On the second call, SiteMinder passes the string array User.
Query and Validation
The SiteMinder Policy Server frequently calls SmDirQueryVersion(), then SmDirValidateInstance(). This sequence may be repeated several times.
The Policy Server calls the directory operations function(s) to let you define directory operations tasks for your custom directory. For example, if a user is using the SiteMinder Administrative UI to search for a user, the Policy Server calls SmDirLookup().
|
Function Name |
Use this function to: |
|---|---|
|
Insert a directory entry (user) into your custom directory. |
|
|
Add a user or group to an existing group. |
|
|
Assign a role to a user or to a group. |
|
|
Retrieve a list of directory entries and corresponding class names. |
|
|
Get the connection handle to the directory. |
|
|
Get information about the object specified in the object parameter. |
|
|
Retrieve the members of a user group. |
|
|
Determine which instance handle is passed, and return the associated error message. Also used with directory entry (user) operations. |
|
|
Retrieve the directory entries assigned to a role. |
|
|
Look up a pattern in the directory. |
|
|
Delete a directory entry (user) from your custom directory. |
|
|
Remove a user or group from a existing group. |
|
|
Remove a user or group from an assigned role. |
|
|
Search on the criteria specified in the search filter parameter. |
|
|
Return a count of the entries that meet the criteria specified in the parameters. |
|
|
Determine which instance handle is passed, and validate that instance. Also used with directory entry (user) operations. |
|
|
Perform any needed validation on the user ID. |
|
|
Convert the credentials presented by the user to a user ID for the custom directory. |
The operations covered in this section apply to directory entries, such as users, groups and roles.
The SiteMinder Policy Server calls the directory entry (user) operation function(s) relevant to the operation performed. For example, if a user is using the SiteMinder Administrative UI to disable a user account, the SiteMinder Policy Server calls SmDirSetUserDisabledState().
|
Function Name |
Use this function to: |
|---|---|
|
Check the directory for the provided user name and password. |
|
|
Change the value in the password field for the specified user. |
|
|
Determine which instance handle is passed, and return the associated error message. Also used with directory operations. |
|
|
Retrieve the value of the specified user attribute. |
|
|
Retrieve an array of values for a single attribute. |
|
|
Get the object classes for the specified DN. |
|
|
For disabled user accounts, return the reason that an account is disabled. Otherwise, return enabled. |
|
|
Retrieve the groups to which a user belongs. |
|
|
Return the names of all user attributes or only required user attributes. |
|
|
Retrieve the roles to which a user belongs. |
|
|
Set the value for a user attribute. |
|
|
Set an array of values for a single attribute. |
|
|
Enable or disable a user account. |
|
|
Determine which instance handle is passed, and validate that instance. Also used with directory operations. |
|
|
Validate the relationship between policy objects. |
The following diagrams outline the order of function calls for procedures that perform operations on the directory and possibly perform operations on a directory entry (user). For example, using the SiteMinder Administrative UI to search for a particular user in a custom directory requires both operations on the directory and operations on a directory entry (user). Some procedures involve only operations on the directory. For example, using the SiteMinder Administrative UI only to view the properties of a custom user directory requires only operations on the directory.
This second diagram shows an additional sequence that occurs only if directory entry (user) operations occur.
To authenticate a user, the SiteMinder Policy Server requests a username from the user. SmDirValidateUsername() is called to translate the user-supplied username into the internal user ID key used by the directory as the primary key to the user’s data. The username from the credentials is supplied in the lpszUsername parameter. If SmDirValidateUsername() is not implemented, the user-supplied username is passed into lpszUserDN.
If SmDirValidateUsername() is implemented, it should return the user’s ID in the lpszNewUsername parameter. The value returned by lpszNewUsername becomes the lpszUserDN parameter value.
The lpszUserDN parameter value is passed into many other functions, such as SmDirValidateUserDN() and SmDirAuthenticateUser().
The SiteMinder Policy Server calls SmDirAddEntry() so that you can insert a directory entry (user) into your custom directory. Examples of directory entries are users, groups and roles. For example, if you are using a SQL database and need to add a group, you could use SmDirAddEntry() to insert a record into the groups table (and all related tables) for the database.
When adding an entry to a hierarchical directory, it may be helpful to look at the attributes passed in with the entry, such as object class in LDAP.
Syntax
int SM_EXTERN SmDirAddEntry ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const Sm_PolicyResolution_t nEntryType, const char* lpszEntryDN, const char** lpszAttrNames, const char** lpszAttrValues );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
nEntryType |
I |
The Policy resolution of the entry. Policy resolutions are enumerated in Sm_PolicyResolution_t, which is defined in SmApi.h. The following elements of Sm_PolicyResolution_t are valid entry types:
|
|
lpszEntryDN |
I |
Buffer containing the distinguished name for the entry being added. |
|
lpszAttrNames |
I |
Buffer containing the names of the entry attributes. |
|
lpszAttrValues |
I |
Buffer containing the values of the entry attributes. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when Delegated Management Services is used to create directory entries, including users or roles.
The SiteMinder Policy Server calls SmDirAddMemberToGroup() so that you can add a user or group to an existing group.
If you want to add a user or group to a role, use SmDirAddMemberToRole(). The difference between a group and a role is defined by your custom directory provider. For some providers, there is no difference.
Syntax
int SM_EXTERN SmDirAddMemberToGroup ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszMemberDN, const char* lpszGroupDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszMemberDN |
I |
Buffer containing the distinguished name for the user or group being added to the existing group. |
|
lpszGroupDN |
I |
Buffer containing the distinguished name for the group to which the member is being added. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when Delegated Management Services is used to assign either a user or a group to an existing group.
The SiteMinder Policy Server calls SmDirAddMemberToRole() so that you can assign a role to a user or to a group.
For example, in Oracle, a role is a set of object or system privileges that can be granted to a user. A group is a set of users. If you want everyone that performs collections to be able to update the AR table and select from the CUSTOMER table, you could create a role named COLLECTIONS. You could then assign the COLLECTIONS role to each of the individual users who perform collections, or even to a group such as Accounts Receivable.
If you want to add either a user or group to an existing group, use SmDirAddMemberToGroup(). The difference between a group and a role is defined by the provider of the custom directory.
For some providers, there will be no difference between a role and a group.
Syntax
int SM_EXTERN SmDirAddMemberToRole ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszMemberDN, const char* lpszRoleDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszMemberDN |
I |
Buffer containing the distinguished name for the user or group being added to the existing role. |
|
lpszRoleDN |
I |
Buffer containing the distinguished name for the role to which the member is being added. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when Delegated Management Services is used to assign a role to a user or a group.
Use the SmDirAuthenticateUser() function to check the directory for the provided user name and password.
After the call to SmDirAuthenticateUser(), SiteMinder calls SmDirFreeString() to free the lpszUserMsg buffer, then calls SmDirFreeString() again to free the lpszErrMsg buffer.
Syntax
int SM_EXTERN SmDirAuthenticateUser ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszPassword, Sm_Api_Reason_t* pnReason, char** lpszUserMsg, char** lpszErrMsg );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
Handle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN that has to be authenticated. If SmDirValidateUsername() is not implemented, the user-supplied username is passed into lpszUserDN. If SmDirValidateUsername() is implemented, SmDirValidateUsername() should return the user’s ID in the lpszNewUsername parameter. The value returned by lpszNewUsername becomes the lpszUserDN parameter value.
|
|
lpszPassword |
I |
Buffer containing the password that has to be authenticated. |
|
pnReason |
O |
Pointer to the resulting reason of the authentication event, using the reasons enumerated in Sm_Api_Reason_t.
|
|
lpszUserMsg |
O |
Output buffer to receive a message for the user. This message can be the challenge text or any other message an authentication scheme developer wants to present to the user through a mechanism external to SiteMinder. In the sample, if a bogus username is presented, authentication fails and the string Failed to authenticate is copied to lpszUserMsg. The Web Agent stores this message in the HTTP variable HTTP_SM_USERMSG. For RADIUS authentication, the user message is returned in the REPLY-MESSAGE response attribute. The SiteMinder Policy Server writes the error message in lpszUserMsg to the SiteMinder Authentication log. |
|
lpszErrMsg |
O |
Output buffer to receive the error message. Use this buffer to return an error message to SiteMinder. In the sample, if a bogus username is presented, authentication fails and the string Failed to authenticate is copied to lpszErrMsg. The SiteMinder Policy Server writes the error message in lpszErrMsg to the SiteMinder Authentication log. The string in lpszErrMsg follows Not Authenticated in the log. The string in lpszUserMsg follows the string in lpszErrMsg. For example, if the challenged user presents the bogus username impostor, the SiteMinder Policy Server writes the following status message to the log: |
Returns
Returns 0 if authentication succeeds, or -1 if there is an error in processing or if the user-supplied credentials are invalid.
If authentication fails, convey the reason through the output parameter pnReason and return -1.
Remarks
This function is called when you use the SiteMinder Test Tool to run IsAuthenticated for a user in the custom directory.
The SiteMinder Policy Server calls SmDirChangeUserPassword() so that you can change the value in the password field for an entry in your custom directory.
To implement SmDirChangeUserPassword(), you must specify the name of the password field in your custom directory. In the SiteMinder Administrative UI, enter that attribute name in the Password Attribute field on the User Attributes tab of the User Directory Dialog box.
The user’s distinguished name is passed in with the following information:
Syntax
int SM_EXTERN SmDirChangeUserPassword ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszOldPassword, const char* lpszNewPassword, const char* lpszPasswordAttr, const int bDoNotRequireOldPassword );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN whose password has to be changed. |
|
lpszOldPassword |
I |
Buffer containing the old password of the user DN. |
|
lpszNewPassword |
I |
Buffer containing the new password of the user DN. |
|
lpszPasswordAttr |
I |
Directory attribute where the user’s password is stored. Use this attribute to change the user password. The default value for this attribute name in a Netscape LDAP directory is userpassword. |
|
bDoNotRequireOldPassword |
I |
A value indicating whether the user needs to specify the old password to perform the password change. The value 1 indicates that the old password is not required; 0 indicates that the old password is required. An administrator may not need to specify the old password, but an end user would need to specify. |
Returns
Returns 0 if successful or -1 if not successful.
Sample Code Information
If you are changing a user password, SiteMinder passes the name of the password attribute through lpszPasswordAttr. To indicate the name of the directory attribute that holds this information:
The SiteMinder Policy Server calls SmDirEnumerate() to retrieve a list of distinguished names and their corresponding class names (User or Group) in the user directory.
The SiteMinder Policy Server calls SmDirFreeStringArray() to free the lpszDNs and lpszClasses arrays.
Syntax
int SM_EXTERN SmDirEnumerate ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, char*** lpszDNs, char*** lpszClasses );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszDNs |
O |
List of user distinguished names present in the directory. |
|
lpszClasses |
O |
List of corresponding class information for the user distinguished names. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when you click the View Contents button in the SiteMinder User Directory Dialog box.
The SiteMinder Policy Server calls SmDirFreeString() to free memory allocated for the specified string in lpszString.
Syntax
void SM_EXTERN SmDirFreeString ( char* lpszString );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpszString |
I |
String for which the allocated memory is to be freed. |
The SiteMinder Policy Server calls SmDirFreeStringArray() to free memory allocated for the specified string array in lpszStringArray. For example, after a call to SmDirEnumerate(), the SiteMinder Policy Server calls SmDirFreeStringArray() to free memory allocated for parameter lpszDNs, then calls SmDirFreeStringArray() again to free memory allocated for parameter lpszClasses.
Syntax
void SM_EXTERN SmDirFreeStringArray ( char* lpszStringArray );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpszStringArray |
I |
String array for which the allocated memory is to be freed. |
This function is called to get the connection handle to the directory.
If you are using active rules, policies, or responses, the SiteMinder Policy Server calls SmDirGetDirConnection() when it calls an authentication scheme library or an active library. The SiteMinder Policy Server calls SmDirGetDirConnection() before authentication.
When implementing SmDirGetDirConnection(), return NULL.
Syntax
void* SM_EXTERN SmDirGetDirConnection ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
Returns
When implementing SmDirGetDirConnection(), return NULL, as shown in the sample.
The SiteMinder Policy Server calls SmDirGetDirObjInfo() to get information about the object specified in the lpszObject buffer. You can use this function to get the following information about the object passed in as lpszObject:
The SiteMinder Policy Server calls SmDirFreeString() to free the lpszDN and lpszClass buffers.
Syntax
int SM_EXTERN SmDirGetDirObjInfo ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszObject, char** lpszDN, char** lpszClass, int* pnSmPolicyResolution );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszObject |
I |
The string containing the null-terminated string of the user name. |
|
lpszDN |
O |
Fill in the user distinguished name resolved from the lpszObject. |
|
lpszClass |
O |
Fill in the class of the resolved user distinguished name. |
|
pnSmPolicyResolution |
O |
Fill in the Policy resolution of the resolved user distinguished name. Policy resolutions are enumerated in Sm_PolicyResolution_t. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called in the following circumstances:
Sample Code Information
If you are disabling user account Mikel, Mikel is passed in as lpszObject. Using the sample code, the following values are returned:
|
Parameter |
Value |
|---|---|
|
lpszDN |
Mikel |
|
lpszClass |
User |
|
pnSmPolicyResolution |
1 |
The SiteMinder Policy Server calls SmDirGetGroupMembers() so that you can retrieve the members of a user group. This function is designed to support Delegated Management Services.
Syntax
int SM_EXTERN SmDirGetGroupMembers ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszGroupDN, char*** lpszMembers, );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszGroupDN |
I |
Buffer containing the distinguished name for the group for which members are being retrieved. |
|
lpszMembers |
O |
Buffer containing the members of the group. |
Returns
Returns 0 if successful or -1 if not successful.
Calling the function SmDirGetLastErrMsg() retrieves the last error message that resulted from a Directory API call.
If a user operation or directory operation fails, store the error message in szErrMsg, which is the third field of the instance handle structure. You can then call SmDirGetLastErrMsg() to retrieve the error message. The SiteMinder Policy Server also calls SmDirGetLastErrMsg() upon operation failure.
This function call is made for both the directory instance and the user instance. Either the directory instance handle or user instance handle can be passed through pInstanceHandle. Your code must determine which handle is passed and return the appropriate error message. See the sample code for an example.
After calling SmDirGetLastErrMsg(), the SiteMinder Policy Server calls SmDirFreeString() to free the error buffer.
Syntax
char* SM_EXTERN SmDirGetLastErrMsg ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The addresses of a pointer to the user instance handle or directory instance handle. |
Returns
The last error message occurred during a directory operation or user operation.
Remarks
This function is called when you are searching for users or groups and the lookup (SmDirLookup()) fails.
Sample Code Information
In the sample code for SmDirValidateUserPolicyRelationship(), under the condition that the policy resolution is UserGroup, there is a call to the function chk_grp(). The third parameter of chk_grp() is an output parameter that returns szErrMsg in the user handle. If you then called SmDirGetLastErrMsg() and passed the user instance handle, you would get the value stored in szErrMsg.
The SiteMinder Policy Server calls SmDirGetRoleMembers() so that you can retrieve the directory entries assigned to a role. This function is designed to support Delegated Management Services.
Syntax
int SM_EXTERN SmDirGetRoleMembers ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszRoleDN, char*** lpszMembers );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszRoleDN |
I |
Buffer containing the distinguished name for the role for which members are being retrieved. |
|
lpszMembers |
O |
Buffer containing the members of the role. |
Returns
Returns 0 if successful or -1 if not successful.
The SiteMinder Policy Server calls SmDirGetUserAttr() so that you can retrieve the value for a user attribute in your custom directory. For example, you may need to retrieve the last name of a user.
SiteMinder calls SmDirFreeString() to free the lpszAttrData buffer.
Syntax
int SM_EXTERN SmDirGetUserAttr ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszAttrName, char** lpszAttrData );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN whose user attribute has to be retrieved. |
|
lpszAttrName |
I |
Buffer containing the name of the user attribute whose value you’re retrieving. |
|
lpszAttrData |
O |
Buffer containing the retrieved value for the requested attribute. Look up the value of the attribute specified in lpszAttrName and return the value in lpszAttrData. |
Returns
Returns 0 if successful or -1 if not successful.
The SiteMinder Policy Server calls SmDirGetUserAttrMulti() so that you can retrieve an array of values for a single attribute. The provider needs to handle the case where this function is called and the attribute has only a single value.
SiteMinder calls SmDirFreeStringArray() to free the lpszAttrData buffer.
Syntax
int SM_EXTERN SmDirGetUserAttrMulti ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszAttrName, char*** lpszAttrData );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN whose user attributes has to be retrieved. |
|
lpszAttrName |
I |
Buffer containing the name of the user attribute. |
|
lpszAttrData |
O |
Buffer containing the value of the user attribute. Look up the value of the attribute named in lpszAttrName and return the value in lpszAttrData. |
Returns
Returns 0 if successful or -1 if not successful.
The SiteMinder Policy Server calls SmDirGetUserClasses() so that you can get the object classes of the specified distinguished name (DN). This function is designed to support Delegated Management Services.
Your custom directory may be hierarchical or flat. If your directory is hierarchical, as with an LDAP directory, the DN may belong to multiple object classes. If the directory is flat, as with a SQL database, the user DN belongs to a single class, such as User or Group.
Your code must determine the type of DN passed and handle it appropriately. For example, if a the name of a group is passed in, you need to be able to determine that it is a group and return Group.
SiteMinder calls SmDirFreeStringArray() to free the lpszAttrData buffer.
Syntax
int SM_EXTERN SmDirGetUserClasses ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, char*** lpszClasses );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the distinguished name for which you must retrieve the classes. |
|
lpszClasses |
O |
Buffer containing the classes for the specified distinguished name. |
Returns
Returns 0 if successful or -1 if not successful.
If you decide not to implement this function, return -1.
The SiteMinder Policy Server calls SmDirGetUserDisabledState() to get information about whether a user account is disabled.
If a user account is disabled, SmDirGetUserDisabledState() returns information in pnDisabledReason about how the account was disabled.
The possible reasons that a user is disabled are enumerated in Sm_Api_DisabledReason_t, which is defined in SmApi.h. The disabled reason is set when the SiteMinder Policy Server calls SmDirSetUserDisabledState().
If the custom directory does not support a disabled flag, use the following code to indicate that the user is always enabled:
*pnDisabledReason = Sm_Api_Disabled_Enabled; return 0;
Syntax
int SM_EXTERN SmDirGetUserDisabledState ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszDisabledAttr, Sm_Api_DisabledReason_t* pnDisabledReason );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
pszUserDN |
I |
Buffer containing the user DN whose disabled state has to be retrieved. |
|
lpszDisabledAttr |
I |
The user directory attribute that is used by SiteMinder to track disabled users. Use this attribute to retrieve the disabled state. |
|
pnDisabledReason |
O |
Attribute containing the user disabled state of the user. Store the user-disabled state that is fetched from the user directory attribute specified in lpszDisabledAttr. |
Returns
Return values indicate whether the function successfully determines the user’s disabled state:
Return values do not indicate the disabled state, which is stored in the parameter pnDisabledReason.
Remarks
This function is called in the following circumstances:
Sample Code Information
If you are managing users, when you lookup the user, SiteMinder checks the disabled state for that user by checking lpszDisabledAttr. To indicate the name of the directory attribute that holds this information, in the SiteMinder Administrative UI, in the User Directory Dialog box, on the User Attributes tab, complete the Disabled Flag field. To use the sample, type Disabled in this field.
If the user is enabled, then running the sample code results in a value of Sm_Api_Disabled_Enabled for pnDisabledReason. If the SiteMinder administrator has used the Disable button to disable the user, then running the sample code results in a value of Sm_Api_Disabled_AdminDisabled for pnDisabledReason.
The SiteMinder Policy Server calls SmDirGetUserGroups so that you can retrieve the groups to which a user belongs.
SiteMinder calls SmDirFreeStringArray() to free the lpszGroups array.
Syntax
int SM_EXTERN SmDirGetUserGroups ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const int bRecursive, char*** lpszGroups );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN. |
|
bRecursive |
I |
A value specifying whether the custom directory supports recursion (for example, nested groups). The value 1 indicates recursion support; 0 indicates no support. If your custom directory supports recursion, you must search down any hierarchy of groups to find the user. Suppose that the value of the User DN is Bill Collector. Bill Collector may be in a group called AR, and AR may be in a group called Accounting. |
|
lpszGroups |
O |
A list of groups associated with lpszUserDN. |
Returns
Returns 0 if successful or -1 if not successful.
SiteMinder calls SmDirGetUserProperties() so that you can return the names of all user attributes or only required user attributes.
Unlike SmDirGetUserAttr(), which is designed to return values for the attribute names passed, SmDirGetUserProperties() is designed for returning only attribute names.
SiteMinder calls SmDirFreeStringArray() to free the lpszProperties array.
Syntax
int SM_EXTERN SmDirGetUserProperties ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const int bMandatory, char*** lpszProperties );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN for which you must retrieve the names of user attributes. |
|
bMandatory |
I |
A value specifying whether to return only mandatory attribute names. The value 1 indicates that only mandatory attribute names are returned; 0 indicates that all attribute names are returned. Some directories have interfaces that distinguish between the mandatory attributes of an object and the optional attributes. For example, IADs for Microsoft Active Directory makes this distinction. |
|
pszProperties |
O |
Array containing a list of user attribute names. |
Returns
Returns 0 if successful or -1 if not successful.
The SiteMinder Policy Server calls SmDirGetUserRoles() so that you can retrieve the roles to which a user belongs.
SiteMinder calls SmDirFreeStringArray() to free the lpszRoles array.
Syntax
int SM_EXTERN SmDirGetUserRoles ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, char*** lpszRoles );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN whose roles has to be retrieved. |
|
lpszRoles |
O |
A list of roles associated with the user in lpszUserDN. |
Returns
Returns 0 if successful or -1 if not successful.
SmDirInit() is called when SiteMinder initializes the directory services provider for the custom namespace.
This function is called once before any other Directory API functions are called. The function returns the address of a pointer to the handle for the directory. The handle is passed in all subsequent function calls.
Once the administration process starts, the SiteMinder Policy Server calls SmDirInit() the first time you perform any task for which the custom directory provider is required.
For example, if you were to start the Policy Server, then immediately view the properties of a user directory with a Custom namespace, the SiteMinder Policy Server would call SmDirInit(), then call SmDirInitDirInstance().
Syntax
int SM_EXTERN SmDirInit ( const Sm_Api_Context_t* lpApiContext, void** ppHandle, const char* lpszParameter );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
ppHandle |
O |
The address of a pointer to the handle for the Directory API. This parameter is initialized in the call to SmDirInit() and is passed to all subsequent function calls. For example, if you were using SmDirInit() to load a shared library on the directory side, you could use ppHandle to store function pointers to all the functions in that shared library. |
|
lpszParameter |
I |
The null-terminated string specified in the Parameter field of the SiteMinder User Directory Dialog box. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
Instantiate ProviderHandle_t when SmDirInit() is called. This handle is then passed to almost all subsequent functions. The same value need not be carried through the entire process. You are permitted to change the value.
Release ProviderHandle_t when SmDirRelease() is called.
You could use SmDirInit() to load another shared library. The vendor of the directory containing your data may provide an interface that you can implement by building a shared library. You could use SmDirInit() to load that shared library by placing the path to the shared library in the Parameter field on the Directory Setup tab of the User Directory Dialog box. The string entered in the Parameter field is passed to lpszParameter in calls to SmDirInit() and SmDirInitDirInstance().
Note: The string entered in the Parameter field is also passed to lpszSearchRoot in calls to SmDirSearch() and SmDirSearchCount(). If your code for SmDirInit() needs to use lpszParameter and your code for the search functions needs a search root, you will have to parse the string from the Parameter field.
SiteMinder calls this directory instance initialization function before it calls any of the directory functions on the given directory instance. This function provides you an opportunity to make a connection to the custom directory.
After SiteMinder completes the directory function call, it calls SmDirReleaseInstance(). This function is called multiple times. SiteMinder does not require you to make and break directory connections every time the initialization and release calls are made.
Syntax
int SM_EXTERN SmDirInitDirInstance ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void** ppInstanceHandle, const char* lpszUniqueKey, const char* lpszParameter, const char* lpszUsername, const char* lpszPassword, const int bRequireCredentials, const int bSecureConnection, const int nSearchResults, const int nSearchTimeout );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
ppInstanceHandle |
O |
Use this parameter to set the handle for the directory instance. For example, you could use ppInstanceHandle to hold information about a connection to the directory. At the end of the directory instance lifecycle, the SiteMinder Policy Server calls SmDirReleaseInstance() and passes the directory instance handle so that you can delete the handle. |
|
lpszUniqueKey |
I |
A unique identifier for the directory instance session. This unique key holds the object identifier (OID) of the custom directory object. |
|
lpszParameter |
I |
The null-terminated string specified in the Parameter field of the SiteMinder User Directory Dialog box. The value is the same as it was for the call to SmDirInit(). |
|
lpszUsername |
I |
The string containing the user name as specified in the Credentials and Connection tab of the SiteMinder User Directory Dialog box. When bRequireCredentials is set to true, lpszUsername holds the value in the Username field in the Administrator Credentials group box. |
|
lpszPassword |
I |
The string containing the password as specified in the Credentials and Connection tab of the SiteMinder User Directory Dialog box. When bRequireCredentials is set to true, lpszPassword holds the value in the Password field in the Administrator Credentials group box. |
|
bRequireCredentials |
I |
This boolean indicates whether credentials are required for user directory access. In the SiteMinder Administrative UI, on the Credentials and Connection tab, in the Administrator Credentials group box, there is a Require Credentials check box. Checking this check box sets bRequireCredentials to true (1). When bRequireCredentials is set to true, lpszUsername and lpszPassword will hold the values in the Username and Password fields in the Administrator Credentials group box. The SiteMinder Policy Server uses these credentials to access the directory. |
|
bSecureConnection |
I |
This boolean indicates whether an SSL connection is required to access the user directory. |
|
nSearchResults |
I |
This parameter indicates the maximum number of records to return as the result set of a single search by the Directory API. In the SiteMinder User Directory Dialog box, on the Directory Setup tab, in the Custom NameSpace group box, there is a Max results field. The nSearchResults parameter holds the value in the Max results field. |
|
nSearchTimeout |
I |
This parameter indicates the time in seconds after which the Directory API will stop searching the user directory for results. In the SiteMinder User Directory Dialog box, on the Directory Setup tab, in the Custom NameSpace group box, there is a Max time field. The nSearchResults parameter holds the value in the Max time field. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
Instantiate DirHandle_t when SmDirInitDirInstance() is called. Set nTag to 0 to distinguish the directory instance handle from the user instance handle.
The handle referenced by DirHandle_t is passed to subsequent directory operations functions. You can change the handle value.
Release DirHandle_t when SmDirReleaseInstance() is called. Use the value of nTag to distinguish between the directory instance handle and the user instance handle.
The SiteMinder Policy Server calls SmDirInitUserInstance() before it calls any of the directory entry (user) operations functions on the given directory instance.
SmDirInitUserInstance() can be called multiple times.
Syntax
int SM_EXTERN SmDirInitUserInstance ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void** ppInstanceHandle, void* pDirInstanceHandle, const char* lpszUserDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
ppInstanceHandle |
O |
The address of a pointer to hold the handle for the user instance session. |
|
pDirInstanceHandle |
I |
The address of a pointer handle for the directory instance session. This value is passed in from SmDirInitDirInstance(). |
|
lpszUserDN |
I |
The string containing the null-terminated string of the user distinguished name. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
Instantiate UserHandle_t when SmDirInitUserInstance() is called. Set nTag to 1 to distinguish the user instance handle from the directory instance handle.
The handle referenced by UserHandle_t is passed to subsequent directory entry (user) operations functions. You can change the handle value.
After SiteMinder completes the calls to the relevant directory entry (user) operations functions, it calls SmDirReleaseInstance(). Release UserHandle_t when this call is made. Use the value of nTag to distinguish between the user instance handle and the directory instance handle.
SiteMinder calls SmDirLookup() to look up a pattern in the directory.
Use the following search expression grammar for the search pattern:
[<class> =] <value>
In the search pattern format:
Your code must be able to interpret a search pattern that begins with the string user=. For example:
...
CStringArray Paths, Classes;
CString szPattern = CString ("user=") + UserDir.m_szUniversalIDAttr
+ CString ("=") + Session.m_szUnivId;
if (m_pDsDir->Lookup (szPattern, Paths, Classes))
....
SiteMinder calls SmDirFreeStringArray() to free the lpszDNs and lpszClasses arrays.
Syntax
int SM_EXTERN SmDirLookup ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszPattern, char*** lpszDNs, char*** lpszClasses );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszPattern |
I |
Buffer containing the pattern to search in the directory. |
|
lpszDNs |
O |
List of user distinguished names that match the pattern. |
|
lpszClasses |
O |
List of class information corresponding to the user distinguished names. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when you perform a user directory search.
Sample Code Information
When trying the sample code, go to the SiteMinder Administrative UI, navigate to the dialog box for the directory search, and enter the search criteria as follows:
SmDirQueryVersion() queries the Directory API to find out its version and its directory capabilities. Supported capabilities are enumerated in Sm_DirApi_Capability_t.
Syntax
int SM_EXTERN SmDirQueryVersion ( const Sm_Api_Context_t* lpApiContext, void* pHandle, unsigned long* pnCapabilities );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pnCapabilities |
O |
This parameter is used to pass the capabilities of the custom directory. The capabilities of a custom directory are enumerated in Sm_DirApi_Capability_t, which is defined in SmApi.h. For more information on Sm_DirApi_Capability_t, see Directory Capabilities. |
Returns
Returns the version number of the Directory API that the custom library complies with. Currently the versions supported are Sm_Api_Version_V4 and Sm_Api_Version_V4_1. Version constants are defined in SmApi.h.
The Policy Server calls SmDirRelease() when the directory service provider for the Custom Namespace is no longer required.
Syntax
void SM_EXTERN SmDirRelease ( const Sm_Api_Context_t* lpApiContext, void* pHandle );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
Remarks
This function is called when you stop one of the Policy Server services.
The SiteMinder Policy Server calls SmDirReleaseInstance() so that you can release the user instance or the directory instance if you choose.
Syntax
void SM_EXTERN SmDirReleaseInstance ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user or directory instance handle. To release the user instance, ensure that pInstanceHandle contains the user instance handle. To release the directory instance, ensure that pInstanceHandle contains the directory instance handle. |
Remarks
You need to write your release code so that it will work with the type of instance handle— user or directory—that is passed.
During a process, the SiteMinder Policy Server may first call SmDirInitDirInstance() and then call SmDirInitUserInstance(). If so, the SiteMinder Policy Server calls SmDirReleaseInstance() twice at the end of the process. At the first call, the user instance handle (as pInstanceHandle) is passed so that you can release the user instance. At the second call, the directory instance handle is passed (as pInstanceHandle) so that you can release the directory instance.
Use the value of nTag to distinguish between a user handle and a directory handle, as follows:
The SiteMinder Policy Server calls SmDirRemoveEntry() so that you can delete a directory entry (user) from your custom directory.
Examples of directory entries are users, groups and roles. For example, if you are using an SQL database and need to remove a group, you could use SmDirRemoveEntry() to delete the relevant record from the groups table (and all related tables) for the database.
If your directory is hierarchical, as with an LDAP directory, you need to handle the process of deleting relevant data at different levels of the hierarchy. It may be helpful to look at the attributes of the entry, such as object class in LDAP.
Syntax
int SM_EXTERN SmDirRemoveEntry ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const Sm_PolicyResolution_t nEntryType, const char* lpszEntryDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
nEntryType |
I |
The Policy resolution of the entry. Policy resolutions are enumerated in Sm_PolicyResolution_t, which is defined in SmApi.h. The following Sm_PolicyResolution_t elements are valid entry types:
|
|
lpszEntryDN |
I |
Buffer containing the distinguished name for the entry being removed. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when Delegated Management Services is used to delete directory entries, including groups or roles.
The SiteMinder Policy Server calls SmDirRemoveMemberFromGroup() so that you can remove a user or group from a existing group.
Syntax
int SM_EXTERN SmDirRemoveMemberFromGroup ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszMemberDN, const char* lpszGroupDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszMemberDN |
I |
Buffer containing the distinguished name for the user or group being removed from the parent group. |
|
lpszGroupDN |
I |
Buffer containing the distinguished name for the group from which the member is being removed. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when Delegated Management Services is used to remove users or groups from groups.
The SiteMinder Policy Server calls SmDirRemoveMemberFromRole() so that you can remove a user or group from an assigned role.
Syntax
int SM_EXTERN SmDirRemoveMemberFromRole ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszMemberDN, const char* lpszRoleDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszMemberDN |
I |
Buffer containing the distinguished name for the user or group being removed from the assigned role. |
|
lpszRoleDN |
I |
Buffer containing the distinguished name for the role from which the member is being removed. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when Delegated Management Services is used to remove users or groups from assigned roles.
SiteMinder calls SmDirSearch() to search on the criteria specified in the search filter lpszSearchFilter. You could use SmDirSearch() to execute a query, such as an SQL select, on your custom directory.
In addition to the search filter, the function SmDirSearch() passes directory search parameters. In the SiteMinder Administrative UI, on the Directory Setup tab, you can specify parameters in the following fields:
The nSearchTimeout and nSearchResults parameters of SmDirSearch() pass the information entered in those fields.
SiteMinder calls SmDirFreeStringArray() to free the lpszDNs array.
Syntax
int SM_EXTERN SmDirSearch ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, char*** lpszDNs, const char* lpszSearchFilter, const char* lpszSearchRoot, const int nSearchResults, const int nSearchTimeout, const int nSearchScope );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszDNs |
O |
Distinguished names of the users found as a result of the search. |
|
lpszSearchFilter |
I |
Buffer containing the search expression. |
|
lpszSearchRoot |
I |
This parameter is designed to hold the search root—that is, the starting point for the search. In a hierarchical directory, when authenticating a user, SiteMinder starts at the root and works down the tree. In the SiteMinder Administrative UI, on the Directory Setup tab, in the Custom Namespace group box, the value entered in the Parameter field is passed in through lpszSearchRoot. Note: The string entered in the Parameter field is also passed to lpszParameter for use with SmDirInit() and SmDirInitDirInstance(). If your code for SmDirInit() needs to use lpszParameter and your code for SmDirSearch() needs a search root, you will have to parse the string from the Parameter field. |
|
nSearchResults |
I |
This parameter holds the maximum number of records that can be returned for a single search of the directory. |
|
nSearchTimeout |
I |
This parameter holds the maximum time in seconds that the API should keep searching the directory for results. |
|
nSearchScope |
I |
This parameter indicates how far below the root (lpszSearchRoot) the API will query the directory to find a match. Depending on the value in nSearchScope, the search could go down only one level or through the entire subtree. The default value is 2. |
Returns
Returns 0 if successful or -1 if not successful.
Use the function SmDirSearchCount() to return a count of the entries retrieved through the search criteria specified in lpszSearchFilter, subject to the restrictions specified in the directory search parameters. See the Remarks section for more information.
Syntax
int SM_EXTERN SmDirSearchCount ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, int* pnCount, const char* lpszSearchFilter, const char* lpszSearchRoot, const int nSearchResults, const int nSearchTimeout, const int nSearchScope );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
pnCount |
O |
Number of entries returned by the search |
|
lpszSearchFilter |
I |
Buffer containing search expression. |
|
lpszSearchRoot |
I |
This parameter is designed to hold the search root, or the starting point for the search. In a hierarchical directory, when authenticating a user, SiteMinder starts at the root and works down the tree. |
|
nSearchResults |
I |
The parameter holds the maximum number of records that can be returned for a single search of the directory. |
|
nSearchTimeout |
I |
This parameter holds the maximum time in seconds that the API should keep searching the directory for results. |
|
nSearchScope |
I |
This parameter indicates how far below the root (lpszSearchRoot) the API will query the directory to find a match. Depending on the value in nSearchScope, the search could go down only one level or through the entire subtree. The default value is 2. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
In the SiteMinder Policy Server User Interface, on the Directory Setup tab, parameters can be specified in the following fields:
Note: The string entered in the Parameter field is also passed to lpszParameter for use with SmDirInit() and SmDirInitDirInstance(). If your code for SmDirInit() needs to use lpszParameter and your code for SmDirSearchCount() needs a search root, you will have to parse the string from the Parameter field.
The SiteMinder Policy Server calls SmDirSetUserAttr() so that you can use SiteMinder to set a user attribute in your custom directory. For example, you may need to change the last name of a user.
Syntax
int SM_EXTERN SmDirSetUserAttr ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszAttrName, const char* lpszAttrData );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN whose user attribute has to be set. |
|
lpszAttrName |
I |
Buffer containing the name of the user attribute. |
|
lpszAttrData |
I |
Buffer containing the value of the user attribute. |
Returns
Returns 0 if successful or -1 if not successful.
The SiteMinder Policy Server calls SmDirSetUserAttrMulti() so that you can set an array of values for a single attribute in your custom directory.
Syntax
int SM_EXTERN SmDirSetUserAttrMulti ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszAttrName, const char** lpszAttrData );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN whose user attribute has to be set. |
|
lpszAttrName |
I |
Buffer containing the name of the user attribute. |
|
lpszAttrData |
I |
Buffer containing the values for the user attribute. |
Returns
Returns 0 if successful or -1 if not successful.
The SiteMinder Policy Server calls SmDirSetUserDisabledState() when an administrator uses the SiteMinder Policy Server User Interface to disable or enable a user, or Password Services disables a user.
This call gives you the opportunity to set the disabled flag in your custom directory to the disabled reason passed in through nDisabledReason.
When implementing SmDirSetUserDisabledState(), be sure that you have specified which field (or attribute) in the custom directory will hold the disabled reason. In the SiteMinder Policy Server User Interface, specify the attribute name in the Disabled Flag field on the User Attributes tab on the User Directory dialog box. This attribute is passed in through lpszDisabledAttr.
Syntax
int SM_EXTERN SmDirSetUserDisabledState ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const char* lpszDisabledAttr, const Sm_Api_DisabledReason_t nDisabledReason );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the Distinguished Name (DN) of the user whose disabled state has to be modified. |
|
lpszDisabledAttr |
I |
The user directory attribute that holds a user’s disabled state. The SiteMinder Policy Server checks this attribute to see if a user is enabled or disabled. If a user is disabled, this attribute also holds the specific reason. Use this attribute to change a user’s disabled state. |
|
nDisabledReason |
I |
Reason that the user was disabled or enabled. Possible reasons are enumerated in Sm_Api_DisabledReason_t. Store the user-disabled state in the user directory attribute that is specified in lpszDisabledAttr. |
Note: A user account can be disabled for multiple reasons. Be sure to hold onto the disabled reason(s) and be sure that you don’t overwrite those bits. For example, if the User must change password at next login checkbox is checked and the administrator clicks Disable, the nDisabledReason parameter holds both the Sm_Api_Disabled_PWMustChange bit and the Sm_Api_Disabled_AdminDisabled bit. When the user account is enabled, be sure to clear all the disabled bits.
Returns
Returns 0 if successful or -1 if not successful.
Remarks
To enable a user’s account in the Policy Server User Interface:
To disable a user’s account in the Policy Server User Interface:
Enabled user accounts can also be disabled by using Password Services. For example, you can configure Password Services to disable a user account under the following conditions:
Sample Code Information
When using the sample, specify the disabled attribute as Disabled. This attribute will be passed in through the parameter lpszDisabledAttr. You can specify the attribute by entering Disabled in the Disabled Flag field on the User Attributes tab of the User Directory dialog box.
In the SiteMinder Policy Server User Interface, in the User Management dialog box, suppose an administrator selects the enabled user Mikel and clicks Disable. Using the sample code, the User DN (lpszUserDN) is Mikel, and the Disabled Attribute (lpszDisabledAttr) is Disabled. The Disabled Reason (nDisabledReason) is Sm_Api_Disabled_AdminDisabled. In the SiteMinder Policy Server User Interface, the User Management dialog box shows that the Current Settings for Mikel have changed from User is enabled to Disabled - administrative.
SiteMinder calls SmDirValidateInstance() so that the Directory API can validate the instance for which the handle is passed.
Either the directory instance handle or user instance handle can be passed through pInstanceHandle. Your code must determine which handle is passed. Check to see if the handle is valid and return the corresponding response.
Syntax
int SM_EXTERN SmDirValidateInstance ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle or directory instance handle. |
Returns
Returns 0 if successful or -1 if not successful.
Use this function to perform any needed validation on the user ID passed in through lpszUserDN.
If you do not need to implement SmDirValidateUserDN(), return 0, as shown in the sample code.
Syntax
int SM_EXTERN SmDirValidateUserDN ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN that has to be validated. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when you use the SiteMinder Test Tool to run IsAuthenticated for a user in the custom directory.
SiteMinder calls this function to validate the user name passed in through lpszUsername.
You can use this function to resolve the user name and copy the user ID into the lpszNewUsername buffer. If you choose not to implement SmDirValidateUsername(), set lpszNewUsername to NULL, as shown in the sample.
SiteMinder calls SmDirFreeString() to free the lpszNewUsername buffer.
Syntax
int SM_EXTERN SmDirValidateUsername ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUsername, char** lpszNewUsername );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the directory instance handle. |
|
lpszUsername |
I |
Buffer containing the user name that has to be validated. |
|
lpszNewUsername |
O |
Buffer containing the validated user name. |
Returns
Returns 0 if successful or -1 if not successful.
Remarks
This function is called when you use the SiteMinder Test Tool to run IsAuthenticated for a user in the custom directory.
Use SmDirValidateUserPolicyRelationship() to validate the relationship between policy objects. Determine whether the user distinguished name has the specified relationship to the policy distinguished name. The relationship is passed in through nPolicyResolution.
For example:
Syntax
int SM_EXTERN SmDirValidateUserPolicyRelationship ( const Sm_Api_Context_t* lpApiContext, void* pHandle, void* pInstanceHandle, const char* lpszUserDN, const Sm_PolicyResolution_t nPolicyResolution, const int bRecursive, const char* lpszPolicyDN, const char* lpszPolicyClass );
|
Parameter |
I/O |
Description |
|---|---|---|
|
lpApiContext |
I |
Pointer to the API context structure. |
|
pHandle |
I |
The address of the pointer returned by SmDirInit(). |
|
pInstanceHandle |
I |
The address of a pointer to the user instance handle. |
|
lpszUserDN |
I |
Buffer containing the user DN for which you must validate the relationship. |
|
nPolicyResolution |
I |
The relationship between the user distinguished name and the policy distinguished name should match what is specified in nPolicyResolution. Specific policy resolutions are enumerated in Sm_PolicyResolution_t. For more information on Sm_PolicyResolution_t see Sm_PolicyResolution_t. |
|
bRecursive |
I |
Whether the directory supports recursion (for example, nested groups). Suppose that the value of nPolicyResolution is Sm_PolicyResolution_UserGroup, the User DN is Bill Collector, and the Policy DN is Accounting. If your custom directory supports recursion, you will need to search down any hierarchy of groups to find the user. Bill Collector may be in a group called AR, which may be in the group Accounting. |
|
lpszPolicyDN |
I |
Distinguished names of the object, such as users, groups or roles, bound to the policy. |
|
lpszPolicyClass |
I |
Class of the object named in lpszPolicyDN. For example, the class could be Group. |
Returns
Returns 0 if successful or -1 if not successful.
The sample Directory API application resides in:
<install_path>\sdk\samples\smdirapi\smdirapi.cpp
The Directory API includes a directory instance handle, a directory provider handle, and a directory entry (user) instance handle. These handles are returned from the initialization functions listed in section Initialization and Release Functions.
The sample code uses the following structures to manage these handles:
|
Handle Type |
Data Structure |
|---|---|
|
Directory instance |
DirHandle_t |
|
Directory provider |
ProviderHandle_t |
|
Directory entry (user) instance |
UserHandle_t |
The sample instantiates DirHandle_t when SmDirInitDirInstance() is called. The handle is then passed to the directory operations functions.
The same value need not be carried through the entire process. You are permitted to change the value.
The definition of DirHandle_t is as follows:
typedef struct DirHandle_s
{
char nTag;
bool bValid;
char szErrMsg[ERRMSG_SIZE];
char* pszUniqueKey;
char* pszParameter;
char* pszUsername;
char* pszPassword;
int bRequireCredentials;
int bSecureConnection;
int nSearchResults;
int nSearchTimeout;
} DirHandle_t;
The sample releases DirHandle_t when SmDirReleaseInstance() is called. The value of nTag is used to distinguish between the directory instance handle and the user instance handle.
The sample defines the provider handle structure ProviderHandle_t to serve as a bridge between the SiteMinder Policy Server and the Directory API. The provider handle can be used to store data from the time SiteMinder loads the library until the SiteMinder Policy Server shuts down.
The sample instantiates ProviderHandle_t when SmDirInit() is called. The handle is then passed to almost all subsequent functions. The same value need not be carried through the entire process. You are permitted to change the value.
The sample releases ProviderHandle_t when SmDirRelease() is called.
See the function SmDirInit() in the sample code for an example of ProviderHandle_t. You can follow this example, but you aren’t required to. ProviderHandle_t can contain any information that you would like to set at the beginning of the process and carry through, such as a user’s password.
The sample instantiates UserHandle_t when SmDirInitUserInstance() is called. This handle is then passed to the directory entry (user) operations functions. For a list of these functions, see Operations on a Directory Entry (User).
The same value need not be carried through the entire process. You are permitted to change the value.
The definition of UserHandle_t is as follows:
typedef struct UserHandle_s
{
char nTag;
bool bValid;
char szErrMsg[ERRMSG_SIZE];
DirHandle_t* phDir;
char* pszUserDn;
} UserHandle_t;
The sample releases UserHandle_t when SmDirReleaseInstance() is called.
Some functions, such as SmDirReleaseInstance(), may be passed either the directory instance handle or the directory entry (user) instance handle. The sample code provides a way you can distinguish the directory instance handle from the directory entry (user) instance handle.
Notice that nTag is the first field of both DirHandle_t and UserHandle_t. When SmDirInitDirInstance() is called, nTag is set to 0 in DirHandle_t. When SmDirInitUserInstance is called, nTag is set to 1 in UserHandle_t.
When a function that accepts either type of handle is called, the value of nTag is checked to see which type of handle is being passed.
|
Copyright © 2012 CA.
All rights reserved.
|
|