IBM Tivoli Access Manager Administration C API Developer’s Reference Version 3.9 GC32-0843-00


Note: Before using this information and the product it supports, read the information in Appendix D, “Notices” on page 303.

Third Edition (April 2002)

This edition replaces GC32-0813-00.

© Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Tables

Preface
  Who should read this reference
  What this reference contains
  Publications
  IBM Tivoli Access Manager
  Related publications
  Accessing publications online
  Ordering publications
  Providing feedback about publications
  Accessibility
  Contacting customer support
  Conventions used in this reference
  Typeface conventions
  User registry differences

Chapter 1. Introducing the administration API
  Administration API overview
  Administration API components
  Administration API shared libraries
  Administration API application development kit
  Building applications with the administration API
  Software requirements
  Linking required libraries
  Administration API example program
  Deploying an administration API application
  Gathering problem determination information
  Enabling tracing on the policy server
  Enabling tracing on a system using the runtime component
  Gathering trace and message logs

Chapter 2. Using the administration API
  Establishing security contexts
  Required input parameters
  Returned objects
  Example code
  Backward compatibility
  Delegating user credentials
  Creating objects
  Setting object values
  Getting objects
  Reading object values
  Listing object information
  Handling errors
  Obtaining error message text
  Obtaining error codes
  Obtaining error message modifiers
  Cleaning up and shutting down
  Freeing memory
  Deleting a security context

Chapter 3. Administering users and groups
  Administering users


  Administering user accounts
  Administering user passwords
  Administering groups
  Administering group attributes

Chapter 4. Administering protected objects and protected object spaces
  Administering protected object spaces
  Administering protected objects
  Administering protected object attributes

Chapter 5. Administering access control
  Administering access control lists
  Administering access control list entries
  Administering access control list extended attributes
  Administering extended actions
  Administering action groups

Chapter 6. Administering protected object policies
  Administering protected object policy objects
  Administering protected object policy settings
  Administering protected object policy extended attributes

Chapter 7. Administering single signon resources
  Web resources
  Resource groups
  Resource credentials
  Credential — create

Chapter 8. Configuring authorization servers
  Configuring authorization servers
  Administering replicas
  Certificate maintenance

Chapter 9. Administering servers
  Getting and performing administration tasks
  Notifying replica databases when the master authorization database is updated
  Notifying replica databases automatically
  Notifying replica databases manually
  Setting the maximum number of notification threads
  Setting the notification wait time
  Administrating servers and database notification

Chapter 10. Administration C API reference
  ivadmin_acl_attrdelkey()
  ivadmin_acl_attrdelval()
  ivadmin_acl_attrget()
  ivadmin_acl_attrlist()
  ivadmin_acl_attrput()
  ivadmin_acl_create()
  ivadmin_acl_delete()
  ivadmin_acl_get()
  ivadmin_acl_getanyother()
  ivadmin_acl_getdescription()
  ivadmin_acl_getgroup()
  ivadmin_acl_getid()
  ivadmin_acl_getunauth()
  ivadmin_acl_getuser()
  ivadmin_acl_list()
  ivadmin_acl_listgroups()


  ivadmin_acl_listusers()
  ivadmin_acl_removeanyother()
  ivadmin_acl_removegroup()
  ivadmin_acl_removeunauth()
  ivadmin_acl_removeuser()
  ivadmin_acl_setanyother()
  ivadmin_acl_setdescription()
  ivadmin_acl_setgroup()
  ivadmin_acl_setunauth()
  ivadmin_acl_setuser()
  ivadmin_action_create()
  ivadmin_action_create_in_group()
  ivadmin_action_delete()
  ivadmin_action_delete_from_group()
  ivadmin_action_getdescription()
  ivadmin_action_getid()
  ivadmin_action_gettype()
  ivadmin_action_group_create()
  ivadmin_action_group_delete()
  ivadmin_action_group_list()
  ivadmin_action_list()
  ivadmin_action_list_in_group()
  ivadmin_cfg_addreplica()
  ivadmin_cfg_chgreplica()
  ivadmin_cfg_configureserver2()
  ivadmin_cfg_renewservercert()
  ivadmin_cfg_rmvreplica()
  ivadmin_cfg_setapplicationcert()
  ivadmin_cfg_setkeyringpwd()
  ivadmin_cfg_setlistening()
  ivadmin_cfg_setport()
  ivadmin_cfg_setssltimeout()
  ivadmin_cfg_unconfigureserver()
  ivadmin_context_cleardelcred()
  ivadmin_context_create()
  ivadmin_context_createdefault()
  ivadmin_context_delete()
  ivadmin_context_getaccexpdate()
  ivadmin_context_getdisabletimeint()
  ivadmin_context_getmaxlgnfails()
  ivadmin_context_getmaxpwdage()
  ivadmin_context_getmaxpwdrepchars()
  ivadmin_context_getminpwdalphas()
  ivadmin_context_getminpwdnonalphas()
  ivadmin_context_getminpwdlen()
  ivadmin_context_getpwdspaces()
  ivadmin_context_gettodaccess()
  ivadmin_context_getuserreg()
  ivadmin_context_setaccexpdate()
  ivadmin_context_setdelcred()
  ivadmin_context_setdisabletimeint()
  ivadmin_context_setmaxlgnfails()
  ivadmin_context_setmaxpwdage()
  ivadmin_context_setmaxpwdrepchars()
  ivadmin_context_setminpwdalphas()
  ivadmin_context_setminpwdnonalphas()
  ivadmin_context_setminpwdlen()
  ivadmin_context_setpwdspaces()
  ivadmin_context_settodaccess()
  ivadmin_free()
  ivadmin_group_addmembers()


  ivadmin_group_create2()
  ivadmin_group_delete2()
  ivadmin_group_get()
  ivadmin_group_getbydn()
  ivadmin_group_getcn()
  ivadmin_group_getdescription()
  ivadmin_group_getdn()
  ivadmin_group_getid()
  ivadmin_group_getmembers()
  ivadmin_group_import2()
  ivadmin_group_list()
  ivadmin_group_listbydn()
  ivadmin_group_removemembers()
  ivadmin_group_setdescription()
  ivadmin_objectspace_create()
  ivadmin_objectspace_delete()
  ivadmin_objectspace_list()
  ivadmin_pop_attach()
  ivadmin_pop_attrdelkey()
  ivadmin_pop_attrdelval()
  ivadmin_pop_attrget()
  ivadmin_pop_attrlist()
  ivadmin_pop_attrput()
  ivadmin_pop_create()
  ivadmin_pop_delete()
  ivadmin_pop_detach()
  ivadmin_pop_find()
  ivadmin_pop_get()
  ivadmin_pop_getauditlevel()
  ivadmin_pop_getdescription()
  ivadmin_pop_getid()
  ivadmin_pop_getqop()
  ivadmin_pop_gettod()
  ivadmin_pop_getwarnmode()
  ivadmin_pop_list()
  ivadmin_pop_removeipauth()
  ivadmin_pop_setanyothernw()
  ivadmin_pop_setanyothernw_forbidden()
  ivadmin_pop_setauditlevel()
  ivadmin_pop_setdescription()
  ivadmin_pop_setipauth()
  ivadmin_pop_setipauth_forbidden()
  ivadmin_pop_setqop()
  ivadmin_pop_settod()
  ivadmin_pop_setwarnmode()
  ivadmin_protobj_attachacl()
  ivadmin_protobj_attrdelkey()
  ivadmin_protobj_attrdelval()
  ivadmin_protobj_attrget()
  ivadmin_protobj_attrlist()
  ivadmin_protobj_attrput()
  ivadmin_protobj_create()
  ivadmin_protobj_delete()
  ivadmin_protobj_detachacl()
  ivadmin_protobj_get2()
  ivadmin_protobj_getacl()
  ivadmin_protobj_getdesc()
  ivadmin_protobj_getid()
  ivadmin_protobj_getpolicyattachable()
  ivadmin_protobj_getpop()
  ivadmin_protobj_gettype()


  ivadmin_protobj_list3()
  ivadmin_protobj_listbyacl()
  ivadmin_protobj_setdesc()
  ivadmin_protobj_setname()
  ivadmin_protobj_setpolicyattachable()
  ivadmin_protobj_settype()
  ivadmin_response_getcode()
  ivadmin_response_getcount()
  ivadmin_response_getmessage()
  ivadmin_response_getmodifier()
  ivadmin_response_getok()
  ivadmin_server_gettasklist()
  ivadmin_server_performtask()
  ivadmin_server_replicate()
  ivadmin_ssocred_create()
  ivadmin_ssocred_delete()
  ivadmin_ssocred_get()
  ivadmin_ssocred_getid()
  ivadmin_ssocred_getssopassword()
  ivadmin_ssocred_getssouser()
  ivadmin_ssocred_gettype()
  ivadmin_ssocred_getuser()
  ivadmin_ssocred_list()
  ivadmin_ssocred_set()
  ivadmin_ssogroup_addres()
  ivadmin_ssogroup_create()
  ivadmin_ssogroup_delete()
  ivadmin_ssogroup_get()
  ivadmin_ssogroup_getdescription()
  ivadmin_ssogroup_getid()
  ivadmin_ssogroup_getresources()
  ivadmin_ssogroup_list
  ivadmin_ssogroup_removeres()
  ivadmin_ssoweb_create()
  ivadmin_ssoweb_delete()
  ivadmin_ssoweb_get()
  ivadmin_ssoweb_getdescription()
  ivadmin_ssoweb_getid()
  ivadmin_ssoweb_list()
  ivadmin_user_create3()
  ivadmin_user_delete2()
  ivadmin_user_get()
  ivadmin_user_getaccexpdate()
  ivadmin_user_getaccountvalid()
  ivadmin_user_getauthmech()
  ivadmin_user_getbydn()
  ivadmin_user_getcn()
  ivadmin_user_getdescription()
  ivadmin_user_getdisabletimeint()
  ivadmin_user_getdn()
  ivadmin_user_getid()
  ivadmin_user_getmaxlgnfails()
  ivadmin_user_getmaxpwdage()
  ivadmin_user_getmaxpwdrepchars()
  ivadmin_user_getmemberships()
  ivadmin_user_getminpwdalphas()
  ivadmin_user_getminpwdlen()
  ivadmin_user_getminpwdnonalphas()
  ivadmin_user_getpasswordvalid()
  ivadmin_user_getpwdspaces()
  ivadmin_user_getsn()


  ivadmin_user_getssouser()
  ivadmin_user_gettodaccess()
  ivadmin_user_import2()
  ivadmin_user_list()
  ivadmin_user_listbydn()
  ivadmin_user_setaccexpdate()
  ivadmin_user_setaccountvalid()
  ivadmin_user_setauthmech()
  ivadmin_user_setdescription()
  ivadmin_user_setdisabletimeint()
  ivadmin_user_setmaxlgnfails()
  ivadmin_user_setmaxpwdage()
  ivadmin_user_setmaxpwdrepchars()
  ivadmin_user_setminpwdalphas()
  ivadmin_user_setminpwdlen()
  ivadmin_user_setminpwdnonalphas()
  ivadmin_user_setpassword()
  ivadmin_user_setpasswordvalid()
  ivadmin_user_setpwdspaces()
  ivadmin_user_setssouser()
  ivadmin_user_settodaccess()

Appendix A. Deprecated APIs

Appendix B. User registry differences

Appendix C. Administration C API, Java method, and command line equivalents

Appendix D. Notices
  Trademarks

Index


Tables

1. Shared libraries
2. Administration API application developer kit files
3. Creating objects
4. Example set operations
5. Example data types returned by get functions
6. Example read operations
7. Administrating users
8. Administrating user accounts
9. Administrating user passwords
10. Administering groups
11. Administering group attributes
12. Administering protected object spaces
13. Administering protected objects
14. Administering protected object attributes
15. Administering access control lists
16. Administering access control list entries
17. Administering access control list extended attributes
18. Administering extended actions
19. Administering action groups
20. Administering protected object policy objects
21. Administering protected object policy settings
22. Administering protected object policy extended attributes
23. Administering Web resources
24. Administering resource groups
25. Administering credentials
26. Configuring authorization servers
27. Administering replicas
28. Certificate maintenance
29. Administrating servers and database notification
30. Supported object types
31. Protected object policy default values
32. Descriptions of audit levels
33. APIs deprecated in Access Manager Version 3.9
34. APIs deprecated in previous versions of Tivoli SecureWay Policy Director
35. User registry differences when adding a duplicate user to a group
36. User registry differences when removing a user from a group who is not a member of the group
37. Maximum lengths for names based on user registry
38. Mapping between administration C API, Java methods, and the command line interface


Preface

IBM® Tivoli® Access Manager (Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

This reference contains information about how to use the Access Manager C administration API to enable an application to programmatically perform Access Manager administration tasks. This document describes the C implementation of the Access Manager administration API. See the IBM Tivoli Access Manager Administration Java Classes Developer’s Reference for information regarding the Java™ implementation of these APIs.

Information on the pdadmin command line interface (CLI) can be found in the IBM Tivoli Access Manager Base Administrator’s Guide.

Who should read this reference

This reference is for application programmers implementing programs in the C programming language to administer the users and objects associated with the IBM Tivoli Access Manager product.

Readers should be familiar with the following:
- PC and UNIX® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- The user registry that Access Manager is configured to use
- Lightweight Directory Access Protocol (LDAP) and directory services, if used by your user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this reference contains

This reference contains the following chapters and appendixes:
- Chapter 1, “Introducing the administration API” on page 1


  Provides an overview of the administration API and its components. It also covers building applications with the API and deploying an administration API program.
- Chapter 2, “Using the administration API” on page 7
  Each application that uses the administration API must perform certain tasks necessary for API initialization, shut down, cleanup, memory management, and error handling. This chapter describes the supported functions for establishing security contexts, creating objects, setting object values, reading object values, listing object information, deleting objects, handling errors, administrating policies, cleaning up, and shutting down.
- Chapter 3, “Administering users and groups” on page 17
  The administration API provides a collection of methods for administering Access Manager users and groups. This chapter describes the tasks that those functions accomplish. It describes the supported functions for administering users, user accounts, user passwords, groups, group attributes, and the policies associated with users.
- Chapter 4, “Administering protected objects and protected object spaces” on page 23
  This chapter describes the administration API functions that are used to administer protected object spaces and protected objects. It describes the supported functions for administering protected object spaces, protected objects, and protected object attributes.
- Chapter 5, “Administering access control” on page 27
  This chapter describes the administration API functions that are used to administer access control. It describes the supported functions for administering access control lists, access control list permissions, access control list extended attributes, extended actions, and action groups.
- Chapter 6, “Administering protected object policies” on page 33
  This chapter describes the administration API functions that are used to create, modify, examine, and delete protected object policies. It also discusses attaching or detaching protected objects from protected object policies. It describes the supported functions for administering protected object policy objects, protected object policy settings, and protected object policy extended attributes.
- Chapter 7, “Administering single signon resources” on page 37
  This chapter provides instructions for using the administration API to create, modify, or delete web resources, resource groups, and resource credentials.
- Chapter 9, “Administering servers” on page 43
  This chapter provides information about getting and performing administration tasks and notifying the replica database when the master authorization database is updated.
- Chapter 8, “Configuring authorization servers” on page 41
  This chapter provides instructions for using the administration API to configure servers, modify server configurations, administer replicas, and perform certificate maintenance.
- Chapter 10, “Administration C API reference” on page 47
  This chapter provides detailed information about specific commands in the administration API.
- Appendix A, “Deprecated APIs” on page 285
  This appendix provides a list of the APIs that have been deprecated in this version of Access Manager.
- Appendix B, “User registry differences” on page 287


  This appendix outlines the differences in behavior of the APIs based on the user registry being used by Access Manager.
- Appendix C, “Administration C API, Java method, and command line equivalents” on page 291
  This appendix shows the mapping that exists between the Administration C APIs, the Administration Java classes and methods, and the command line interface (CLI).
- Appendix D, “Notices” on page 303
  This appendix provides copyright, legal, and trademark information.

Publications

This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

IBM Tivoli Access Manager

The Access Manager library is organized into the following categories:
- “Release information”
- “Base information”
- “WebSEAL information” on page xiv
- “Web security information” on page xiv
- “Developer references” on page xiv
- “Technical supplements” on page xv

Publications in the product library are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file located in the /doc directory on the product CD.

For additional sources of information about Access Manager and related topics, see the following Web sites:

http://www.ibm.com/redbooks
https://www.tivoli.com/secure/support/documents/fieldguides

Release information

- IBM Tivoli Access Manager for e-business Read Me First
  GI11-0918 (am39_readme.pdf)
  Provides information for installing and getting started using Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes
  GI11-0919 (am39_relnotes.pdf)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base Installation Guide
  GC32-0844 (am39_install.pdf)
  Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.
- IBM Tivoli Access Manager Base Administrator’s Guide
  GC23-4684 (am39_admin.pdf)


  Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command.
- IBM Tivoli Access Manager Base for Linux on zSeries Installation Guide
  GC23-4796 (am39_zinstall.pdf)
  Explains how to install and configure Access Manager Base for Linux on the zSeries™ platform.

WebSEAL information

- IBM Tivoli Access Manager WebSEAL Installation Guide
  GC32-0848 (amweb39_install.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.
- IBM Tivoli Access Manager WebSEAL Administrator’s Guide
  GC23-4682 (amweb39_admin.pdf)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager WebSEAL Developer’s Reference
  GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.
- IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide
  GC23-4797 (amweb39_zinstall.pdf)
  Provides installation, configuration, and removal instructions for WebSEAL server and the WebSEAL application development kit for Linux on the zSeries platform.

Web security information

- IBM Tivoli Access Manager for WebSphere Application Server User’s Guide
  GC32-0850 (amwas39_user.pdf)
  Provides installation, removal, and administration instructions for Access Manager for IBM WebSphere® Application Server.
- IBM Tivoli Access Manager for WebLogic Server User’s Guide
  GC32-0851 (amwls39_user.pdf)
  Provides installation, removal, and administration instructions for Access Manager for BEA WebLogic Server.
- IBM Tivoli Access Manager Plug-in for Edge Server User’s Guide
  GC23-4685 (amedge39_user.pdf)
  Describes how to install, configure, and administer the plug-in for IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager Plug-in for Web Servers User’s Guide
  GC23-4686 (amws39_user.pdf)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.

Developer references

- IBM Tivoli Access Manager Authorization C API Developer’s Reference
  GC32-0849 (am39_authC_devref.pdf)


  Provides reference material that describes how to use the Access Manager authorization C API and the Access Manager service plug-in interface to add Access Manager security to applications.
- IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference
  GC23-4688 (am39_authJ_devref.pdf)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Access Manager security.
- IBM Tivoli Access Manager Administration C API Developer’s Reference
  GC32-0843 (am39_adminC_devref.pdf)
  Provides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager Administration Java Classes Developer’s Reference
  SC32-0842 (am39_adminJ_devref.pdf)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Access Manager administration tasks.
- IBM Tivoli Access Manager WebSEAL Developer’s Reference
  GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements

- IBM Tivoli Access Manager Performance Tuning Guide
  GC43-0846 (am39_perftune.pdf)
  Provides performance tuning information for an environment consisting of Access Manager with IBM SecureWay Directory defined as the user registry.
- IBM Tivoli Access Manager Capacity Planning Guide
  GC32-0847 (am39_capplan.pdf)
  Assists planners in determining the number of WebSEAL, user registry, and backend Web servers needed to achieve a required workload.
- IBM Tivoli Access Manager Error Message Reference
  SC32-0845 (am39_error_ref.pdf)
  Provides explanations and recommended actions for the messages produced by Access Manager.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at the following Web site:

http://www.tivoli.com/support/documents/glossary/termsm03.htm

Related publications

This section lists publications related to the Access Manager library.

IBM DB2® Universal Database™

IBM DB2 Universal Database is required when installing IBM SecureWay Directory, z/OS™, and OS/390® SecureWay LDAP servers. DB2 information is available at the following Web site:

http://www.ibm.com/software/data/db2/


IBM Global Security Toolkit

Access Manager provides data encryption through the use of the IBM Global Security Toolkit (GSKit). GSKit is shipped on the IBM Tivoli Access Manager Base CD for your particular platform.

The GSKit package installs the iKeyman key management utility, gsk5ikm, which enables you to create key databases, public-private key pairs, and certificate requests. The following document is available in the /doc/GSkit directory on the IBM Tivoli Access Manager Base CD for your particular platform:
- Secure Sockets Layer Introduction and iKeyman User’s Guide
  (gskikm5c.pdf)
  Provides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain.

IBM SecureWay Directory

IBM SecureWay Directory, Version 3.2.2, is shipped on the IBM Tivoli Access Manager Base CD for your particular platform. If you plan to install the IBM SecureWay Directory server as your user registry, the following documents are available in the /doc/Directory path on the IBM Tivoli Access Manager Base CD for your particular platform:
- IBM SecureWay Directory Installation and Configuration Guide, SC32-0845
  (aparent.pdf, lparent.pdf, sparent.pdf, wparent.pdf)
  Provides installation, configuration, and migration information for IBM SecureWay Directory components on AIX®, Linux, Solaris Operating Environment, and Microsoft® Windows® operating systems.
- IBM SecureWay Directory Release Notes
  (relnote.pdf)
  Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made available to you in this release.
- IBM SecureWay Directory Readme Addendum
  (addendum322.pdf)
  Provides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This book is provided in English only.
- IBM SecureWay Directory Server Readme
  (server.pdf)
  Provides a description of the IBM SecureWay Directory Server, Version 3.2.2.
- IBM SecureWay Directory Client Readme
  (client.pdf)
  Provides a description of the IBM SecureWay Directory Client SDK, Version 3.2.2. This software development kit (SDK) provides LDAP application development support.
- IBM SecureWay Directory Configuration Schema
  (scparent.pdf)
  Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) format in the slapd32.conf file.
- IBM SecureWay Directory Tuning Guide
  (tuning.pdf)


  Provides performance tuning information for IBM SecureWay Directory. Tuning considerations for directory sizes ranging from a few thousand entries to millions of entries are given where applicable.

For more information about IBM SecureWay Directory, see the following Web site:

http://www.ibm.com/software/network/directory/library/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 4.0.2, is installed with the Web portal manager interface. For information about IBM WebSphere Application Server, see the following Web site:

http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing publications online

Publications in the product libraries are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD.

When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products.

You can access the Tivoli Information Center and other sources of technical information from the following Web site:

http://www.tivoli.com/support/documents/

Information is organized by product, including release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File → Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications

You can order many Tivoli publications online at the following Web site:

http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968
- In other countries, for a list of telephone numbers, see the following Web site:

  http://www.tivoli.com/inside/store/lit_order.html


Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
- Send an e-mail to [email protected]
- Complete our customer feedback survey at the following Web site:

  http://www.tivoli.com/support/survey/

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting customer support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:
- Registration and eligibility
- Telephone numbers and e-mail addresses, depending on the country in which you are located
- What information to gather before contacting support

Conventions used in this reference

This reference uses several conventions for special terms and actions and operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold: Command names and options, keywords, names of Java classes and objects, and other information that you must use literally appear in bold.

Italic: Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.

Monospace: Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.

Brackets ([ ]): Information enclosed in brackets ([ ]) is optional. Anything not enclosed in brackets must be specified.

Braces ({ }): Braces ({ }) identify a set of mutually exclusive options, with exactly one option required.


Vertical Bar (|): Mutually exclusive options are separated by a vertical bar (|).

...: Additional parameters of the same type can be specified here.

User registry differences

Access Manager supports a number of different user registries. In most cases, the behavior of Access Manager is the same regardless of what user registry is in use. However, there are several cases where the processing of a given function differs based on what user registry is being used. A note similar to the following highlights these differences:

User registry difference: This text would describe the different behavior based on the user registry in use.

See Appendix B, “User registry differences” on page 287 for a complete list of known differences.


Chapter 1. Introducing the administration API

The IBM Tivoli Access Manager (Access Manager) administration API component provides a set of functions for the administration of Access Manager users and data objects. The API provides a way for applications to administer users, groups, protected objects, access control lists, protected object policies, and Web resources.

You can use the Access Manager application developer kit (ADK) component to enable your application to programmatically administer Access Manager users and data.

This chapter contains the following topics:
- “Administration API overview”
- “Administration API components” on page 2
- “Building applications with the administration API” on page 3
- “Administration API example program” on page 4
- “Deploying an administration API application” on page 4

Note: Due to a compiler problem, existing Tivoli SecureWay Policy Director, Version 3.8 applications compiled on the Sun Solaris Operating Environment must be recompiled using the Access Manager libraries. Backward compatibility is maintained on all the other supported platforms.

Administration API overview

You can use the administration API to administer the following types of objects:
- Policies
- Users
- Groups
- Access control lists (ACLs)
- Extended ACL actions
- Protected object policies (POPs)
- Protected objects
- Protected object spaces
- Web resources
- Web resource groups
- Resource credentials

The administration API provides a set of functions for creating, modifying, examining, and deleting each of the preceding object types. The API also defines data types to represent each object type. The API includes the function calls necessary for manipulating each of the data types.

The administration API communicates directly with the Access Manager policy server component. The API establishes an authenticated, Secure Sockets Layer (SSL) session with the Access Manager policy server process. When the SSL session is established, the API can send administration requests to the policy server.


The Access Manager policy server component services these requests in the same manner that it would service any other incoming requests.

System administrators also can use the pdadmin and svrsslcfg command line interfaces to accomplish Access Manager administration tasks. The administration API functions map closely to these commands. Appendix C, “Administration C API, Java method, and command line equivalents” on page 291 describes the commands that match administration API functions. Some administration API functions do not have a pdadmin or svrsslcfg command line equivalent.

Administration API components

The administration API consists of the following components:
- The administration API shared library
- The administration API header file
- The administration API library to link against (Microsoft® Windows® only)
- A demonstration application
- Makefiles for the demonstration application

Note: The administration APIs are 32-bit only.

The administration API shared libraries are distributed in the Access Manager runtime environment for each platform. The remainder of the administration API components are distributed in the Access Manager ADK component.

The following sections provide more information about the shared libraries and ADK.

Administration API shared libraries

The administration API shared library is distributed in the Access Manager runtime environment component. The administration APIs are 32-bit only. Table 1 lists the names of the shared libraries on each platform.

Table 1. Shared libraries

| Platform | Shared Library Name |
|---|---|
| Solaris Operating Environment | libivadminapi.so |
| IBM® AIX® | libivadminapi.a |
| Hewlett-Packard HP-UX | libivadminapi.sl |
| Microsoft Windows (32-bit only) | ivadminapi.dll |
| Linux | libpdadminapi.so |

Note: Due to a compiler problem, existing Tivoli SecureWay Policy Director, Version 3.8 applications compiled on the Sun Solaris Operating Environment must be recompiled using the Access Manager libraries. Backward compatibility is maintained on all the other supported platforms.

Administration API application development kit

The ADK files are installed as part of the Access Manager ADK component package.


The ADK component contains files that can be placed anywhere on your system. Table 2 lists the files and suggests an installation directory (beneath the Access Manager installation directory) for each file.

Table 2. Administration API application developer kit files

| Suggested Directory | File to Install | File Description |
|---|---|---|
| include | ivadminapi.h | The C header file containing the administration API function declarations. |
| include | ivadmin_deprecated.h | The C header file containing the prototypes and declarations for the functions, variables, and attributes that are deprecated in this version of Access Manager. Avoid including this header file as the symbols provided in it will be removed in a future release of the product. |
| lib | ivadminapi.lib | The library against which to link on the Microsoft Windows platform. |
| admin_demo | ivadminapi_demo.c, Makefile, README.ivadminapi | This ADK provides a demonstration program and a sample makefile for each supported platform. You can place the demonstration program in any directory. The readme file explains how to build the demonstration program. |

Building applications with the administration API

To develop applications that use the Access Manager administration API, you must install the required software and then link using the proper libraries.

Software requirements

You must install and configure an Access Manager secure domain. If you do not have an Access Manager secure domain installed, install one before beginning application development. The minimum installation consists of a single system with the following Access Manager base components installed:
- Access Manager runtime environment
- Access Manager policy server
- Access Manager ADK

All systems in the Access Manager secure domain that have the runtime environment installed must have the IBM Global Security Toolkit (GSKit) component installed on them as well. If the policy server is using an LDAP or Lotus Domino server as the user registry, the IBM SecureWay Directory client also must be installed on the system.

For detailed installation instructions, refer to the section of the IBM Tivoli Access Manager Base Installation Guide relating to your operating system platform.


If you already have an Access Manager secure domain installed and want to add adevelopment system to the domain, the minimum Access Manager installationconsists of the following components:v Access Manager runtime environmentv Access Manager ADK

Linking required libraries

To compile applications that use the administration API, you must install the Access Manager Application Developer Kit (ADK) component on the build machine.

When compiling your application on Windows systems, make sure that you add the include directory for the Windows library to the compiler command line.

When linking your application, specify the directory containing the administration API shared library if it is not in the default location. You must explicitly link against the shared library.

Administration API example program

The Access Manager administration API ADK includes source for an example program that demonstrates use of the administration API.

The example program demonstrates how to perform the following tasks:
- Initialize an administration API security context
- Display an error message
- Create a new Access Manager user
- Set a user account to be valid
- Change the password of the new user
- Create a new group
- Add the new user to the group
- Delete a group
- Delete a user
- Delete the administration API security context

See the sample makefile supplied with the sample program for build instructions specific to each supported operating system platform.

Deploying an administration API application

Applications that have been developed with the Access Manager administration API must be run on systems that are configured as part of an Access Manager secure domain.

To run an administration API application, you must have installed the Access Manager runtime environment.

The Access Manager runtime environment requires that the IBM SecureWay Directory client be installed on the application deployment system if an LDAP or Lotus Domino server is being used as the user registry.

Administration API applications use the SSL protocol to communicate with the Access Manager policy server. IBM Global Security Toolkit provides the necessary SSL support. The IBM Global Security Toolkit is installed as part of the product installation.

Note: The Access Manager runtime environment installation enforces installation of the required software. For installation instructions, see the appropriate section in the IBM Tivoli Access Manager Base Installation Guide for your operating system.

Gathering problem determination information

When developing an administration API application, you might encounter a problem with Access Manager. To assist Tivoli support personnel in diagnosing your problem, gather problem determination information relating to your error.

Access Manager components can be configured to log information to one or more trace files. You can enable tracing for the policy server, or any system using the Access Manager runtime environment.

Enabling tracing on the policy server

To enable tracing on the policy server, edit the /etc/routing file, located in the installation directory for the Access Manager policy server, and uncomment the last line.

Shut down and restart the policy server daemon, pdmgrd.

Enabling tracing on a system using the runtime component

To enable tracing on the system where the error is occurring, edit the /etc/routing file, located in the installation directory for the Access Manager runtime component, and uncomment the last line.

Restart the application that encountered the error, or re-enter the pdadmin command that failed. After the failure occurs again, gather the trace logs as outlined in the next section.

Gathering trace and message logs

Trace and message log files for the policy server and the Access Manager runtime environment are written to the /log directory in the Access Manager installation directory. To determine the names of the trace log files, you need to determine the process identifier, or PID, of the Access Manager process.

Determine the PID for the policy or authorization server by checking the ivmgrd.pid file:

    cat ivmgrd.pid

After determining the PID, look in the AM_BASE/log directory for trace files with names of the form: PID.trace.log.*. Also collect the following message files in the same directory:
- notice*.log
- fatal*.log
- warning*.log
- error*.log


Chapter 2. Using the administration API

Each application that uses the administration API must perform certain tasks necessary for API initialization, cleanup, memory management, and error handling.

The administration API provides functions for each of these tasks.

The following sections in this chapter describe the supported functions:
- “Establishing security contexts”
- “Creating objects” on page 9
- “Setting object values” on page 10
- “Getting objects” on page 11
- “Reading object values” on page 12
- “Listing object information” on page 12
- “Handling errors” on page 13
- “Cleaning up and shutting down” on page 15

Establishing security contexts

To use the administration API, you must first establish a Secure Sockets Layer (SSL) connection between the administration API application and the IBM Tivoli Access Manager (Access Manager) policy server. The administration API refers to this connection as a security context.

The security context provides for the secure transfer of requests and data between the administration API application and the Access Manager policy server.

Call the function ivadmin_context_createdefault() to create a context with the default SSL configuration. The default SSL configuration is the SSL configuration used by the Access Manager policy server.

The function ivadmin_context_createdefault() automatically accesses the following Access Manager policy server configuration information:
- SSL key-ring file location
- SSL key-ring stash file location
- Access Manager policy server host name
- Access Manager policy server listening port

When ivadmin_context_createdefault() is run on the same system as the Access Manager policy server, the preceding information is obtained from Access Manager configuration files.

When ivadmin_context_createdefault() is run on another system in the Access Manager secure domain (a system that does not run the Access Manager policy server), the preceding information is obtained from stored information that was provided by the system administrator when the Access Manager runtime environment was configured.

The following sections further describe how to create a security context.


Required input parameters

You must provide the following information as input parameters when you call ivadmin_context_createdefault():
- The administrative user ID to use when authenticating
  The user ID is the Access Manager user ID. Access Manager uses the underlying user registry to maintain this information. Thus the user ID is typically a user registry name, such as cn=root. This user ID must be a member of the user registry group: cn=iv-admin,cn=SecurityGroup,secAuthority=default
- The password for the administrator
  The administrative user ID and password must be established before calling ivadmin_context_createdefault(). The user account and password are established during initial configuration of the Access Manager runtime environment.

Returned objects

The function ivadmin_context_createdefault() returns the following data:
- A pointer to a context object of type ivadmin_context
  The context object contains all the information necessary to establish an SSL connection with the Access Manager policy server.
- A pointer to a response object of type ivadmin_response
  The response object contains information about any errors that are generated by administration API function calls.

Example code

The following code fragment shows an example call of ivadmin_context_createdefault() with the administrative user sec_master:

    ivadmin_context ctx;
    ivadmin_response rsp;
    unsigned long status;

    status = ivadmin_context_createdefault("sec_master", sec_masterpwd, &ctx, &rsp);
    if (status != IVADMIN_TRUE) {
        /* The context create call failed so we should just exit.
         * Optionally, you can insert error handling code here */
        return 0;
    }

Backward compatibility

The administration API provides one other function that can create a context: ivadmin_context_create(). Use of this function is recommended only for backward compatibility.

The function ivadmin_context_create() provides only a subset of the functions in ivadmin_context_createdefault(). It does not automatically determine the SSL configuration for the Access Manager policy server. When you use ivadmin_context_create(), you must manually supply the necessary SSL configuration information.

The function ivadmin_context_create() exists primarily for backward compatibility with earlier Access Manager versions. Most users should use ivadmin_context_createdefault() instead.

For more information, see “ivadmin_context_create()” on page 101.


Delegating user credentials

Each security context has a set of user credentials. The Access Manager policy server examines these credentials when it is deciding whether to allow or deny a request for access to Access Manager data.

The default credentials used by ivadmin_context_create() are those of the administrative user sec_master.

You can use the administration API function ivadmin_context_setdelcred() to specify an alternative user credential to be used by the Access Manager policy server to make access decisions. The specified credentials accompany all access requests in the secure context until the credentials are cleared and set again.

The user must previously have authenticated and established credentials before the credentials can be delegated.

To call ivadmin_context_setdelcred(), you must supply the following input parameters:
- Privilege Attribute Certificate (PAC) data
- PAC length

You can use the Access Manager authorization API function azn_creds_get_pac() to create PAC data from a credential. For more information about establishing and using user credentials, see the IBM Tivoli Access Manager Authorization C API Developer’s Reference.

You can call the function ivadmin_context_cleardelcred() to clear the delegated credentials.

See the following reference pages:
- “ivadmin_context_setdelcred()” on page 117
- “ivadmin_context_cleardelcred()” on page 100

Creating objects

You can use the administration API to create Access Manager objects that are needed to complete administration tasks.

Before you can create an object, you must establish a security context. See “Establishing security contexts” on page 7.

For example, to create a user object, supply the following information:
- A security context
- Initialization values for data specific to the object, such as a user’s ID
- Any policies that apply to the object, such as password enforcement policies

To create a new user in the user registry, supply the following parameters to ivadmin_user_create3():

    unsigned long
    ivadmin_user_create3(
        ivadmin_context ctx,         // input - security context
        const char *userid,          // input - Access Manager user ID
        const char *dn,              // input - user registry distinguished name
        const char *cn,              // input - user registry common name
        const char *sn,              // input - user registry attribute surname
        const char *pwd,             // input - user registry attribute password
        unsigned long group_count,   // input - Number of user registry group memberships
        const char **groups,         // input - user registry group memberships
        unsigned long ssouser,       // input - SSO credentials policy
                                     //         (true/false)
        unsigned long nopwdpolicy,   // input - password policy enforced
                                     //         at creation (true/false)
        ivadmin_response *rsp        // output - response object
    );

Administration API functions that create objects return error conditions within an ivadmin_response object.

For example, the administration API provides functions to create the objects listed in Table 3.

Table 3. Creating objects

Function Description

ivadmin_user_create3() Creates an Access Manager user.

ivadmin_group_create2() Creates a new Access Manager group.

ivadmin_acl_create() Creates a new access control list.

ivadmin_protobj_create() Creates a new protected object.

ivadmin_pop_create() Creates a new protected object policy.

Setting object values

You can use the administration API to set values within the data objects from the user registry.

Use the administration API set operations in the following situations:
- To modify values just after you have created and initialized an object
  For example, after creating a new user in the user registry, call ivadmin_user_setaccexpdate() to set an account expiration date for the user.
- To modify values for existing objects
  For example, to modify the maximum password age for all user accounts, call ivadmin_context_setmaxpwdage().

To perform a set operation, you must have a valid context established between the administration API application and the Access Manager policy server.

All set operations return the following data:
- An integer value (IVADMIN_TRUE or IVADMIN_FALSE) indicating if the operation succeeded or failed.
- An ivadmin_response object. This object contains information about error conditions.

Table 4 lists examples of administration API set operations.

Table 4. Example set operations

Function Description

ivadmin_user_setdescription() Sets the description for the specified user

ivadmin_user_setaccexpdate() Sets the expiration date for the specified user account

ivadmin_context_setminpwdlen() Sets the minimum password length for all user accounts

ivadmin_acl_setuser() Sets the entry for the user in the specified access control list

ivadmin_pop_setauditlevel() Sets the audit reporting level for the specified protected object policy

ivadmin_protobj_settype() Sets the protected object type

Getting objects

The administration API defines a number of data types to contain Access Manager data. You can use the administration API to obtain objects of each of the defined data types. You can then use administration API functions to examine the values contained in each object.

The administration API get operations send a request to the Access Manager policy server to retrieve a reference or handle to the specified object. For example, the object could be user information contained in a user registry.

The Access Manager policy server verifies the requester’s authority to obtain the specified object and then retrieves it from the appropriate database. The Access Manager policy server sends the requested object to the application through the security context. The client application places the object in local memory.

Free the local memory when the Access Manager object is no longer needed.

Table 5 lists examples of some administration API data types that are returned by API get functions.

Table 5. Example data types returned by get functions

Function Data Type Returned Object Description

ivadmin_acl_get() ivadmin_acl Access control list

ivadmin_pop_get() ivadmin_pop Protected object policy

ivadmin_user_get() ivadmin_ldapuser User information

ivadmin_group_get() ivadmin_ldapgroup Group information

ivadmin_protobj_get2() ivadmin_protobj Protected object

ivadmin_ssocred_get() ivadmin_ssocred Resource credential

ivadmin_ssogroup_get() ivadmin_ssogroup Resource group

ivadmin_ssoweb_get() ivadmin_ssoweb Single signon Web resource


Reading object values

When you have established a context and obtained an object through a get operation, you can use the administration API to perform read operations on the data contained in the object. For example, when the application has obtained an ivadmin_ldapuser object, the application can use API functions to read the user’s distinguished name.

For performance reasons, the administration API does not send read requests directly to the Access Manager policy server without first obtaining the relevant object. Performance is optimized by completing one get transaction through the security context to obtain the relevant object and then querying the object’s contents after it is stored on the local system.

Table 6 shows some example operations that read values from a returned object.

Table 6. Example read operations

Function Description

ivadmin_user_getcn() Gets the common name from the specified ivadmin_ldapuser object

ivadmin_user_getdn() Gets the distinguished name from the specified ivadmin_ldapuser object

ivadmin_user_getsn() Gets the user’s surname from the specified ivadmin_ldapuser object

ivadmin_group_getdescription() Gets the group’s description entry from the ivadmin_ldapgroup object

ivadmin_acl_getuser() Gets the actions defined for a user from the ivadmin_acl object

ivadmin_pop_getauditlevel() Gets the audit level defined for the protected object policy (POP) from the ivadmin_pop object

ivadmin_protobj_getacl() Gets the access control list (ACL) that is attached to the protected object from the ivadmin_protobj object

ivadmin_ssocred_gettype() Gets the type of single signon resource associated with the credential from the ivadmin_ssocred object

Listing object information

Some administrative tasks require the application to obtain a list of objects of one specific type. For example, an administrator might need to review the list of existing users in order to decide if a new user must be created.

You can use the administration API list operations to accomplish tasks of this type. These operations are similar to API get operations. Both types of operations take the following actions:
- Communicate with the policy server through the secure context
- Request Access Manager data from the policy server

Administration API list operations differ from get operations in one important way: List operations do not obtain a reference to an entire data object and place it in local memory.

List operations instead obtain an array of pointers to the relevant data type. This enables list operations to extract only the important data from much larger data structures and return it to the client application.

For example, the function ivadmin_user_list() returns a list of user IDs in the form of an array of pointers to character strings:

    unsigned long
    ivadmin_user_list(
        ivadmin_context ctx,       // input - Context to policy server
        const char *pattern,       // input - Search pattern
        unsigned long maxreturn,   // input - Maximum number of returned items
        unsigned long *count,      // output - Count of returned item
        char ***userids,           // output - Array of pointers to userIDs
        ivadmin_response *rsp      // output - Response object
    );

Free the memory used by the list when it is no longer needed. Free each relevant character pointer and free the array of pointers.

Handling errors

Each administration API call returns the requested information in its output parameters. Most API calls also return a pointer to an object of data type ivadmin_response. Objects of type ivadmin_response are referred to as response objects in this book.

Administration API calls usually return a pointer to an ivadmin_response object:

    ivadmin_response *rsp;

The response objects are initialized to NULL.

You can examine the response object to determine if the administration API call succeeded or failed. If the call failed, you can examine the contents of the response object to obtain further information about the failure.

To detect an error, call ivadmin_response_getok() on the response object. This function returns an unsigned long integer. This return value corresponds to one of the following constants, which are defined in ivadminapi.h:

    #define IVADMIN_FALSE 0
    #define IVADMIN_TRUE 1

- If the call encountered an error, the response object contains the constant IVADMIN_FALSE.
- If the call succeeded, the response object contains the constant IVADMIN_TRUE.

When ivadmin_response_getok() returns IVADMIN_FALSE, you can use additional administration API functions to obtain information about the error. See the following sections for more information.

Obtaining error message text

To view text messages describing an error, complete the following steps:
1. Call ivadmin_response_getcount() to determine how many error messages were returned.
   Note: Most API calls return only one error message.
2. For each message returned, call ivadmin_response_getmessage(). Pass in, as an input parameter, an index value for each error message.
   The following sample code prints the response message (character string) from an administration API command:

    #include <stdio.h>
    #include "ivadminapi.h"

    void printResponse(ivadmin_response rsp, char *api_call) {
        int i = 0;

        if (rsp == NULL) {
            printf(" %s : failed\n", api_call);
            return;  /* no response object to query */
        }

        if (ivadmin_response_getok(rsp)) {
            printf(" %s : succeeded\n", api_call);
        } else {
            for (i = 0; i < ivadmin_response_getcount(rsp); i++) {
                printf(" %s : %s\n", api_call,
                       ivadmin_response_getmessage(rsp, i));
            }
        }
    }

   In the preceding example, note that in some failure scenarios, the response (rsp) can be NULL.

For more information, see the following reference pages:
- “ivadmin_response_getcount()” on page 205
- “ivadmin_response_getmessage()” on page 206

Obtaining error codes

Use the following steps to display an Access Manager value code that corresponds to each message that can be displayed with ivadmin_response_getmessage(). When you know the meaning of a particular value code, you can use this information to develop application logic specific to the particular error condition.

To view error or warning codes, complete the following steps:
1. Call ivadmin_response_getcount() to determine how many error messages were returned.
   Note: Most API calls return only one error message.
2. Call ivadmin_response_getcode() with an integer argument (input parameter) specifying the error message to examine.
   The response code is returned in the form of an unsigned integer:

    void printErrorCode(ivadmin_response rsp, char *api_call) {
        int i = 0;

        if (rsp == NULL) {
            printf(" %s : failed\n", api_call);
            return;  /* no response object to query */
        }

        if (ivadmin_response_getok(rsp)) {
            printf(" %s : succeeded\n", api_call);
        } else {
            for (i = 0; i < ivadmin_response_getcount(rsp); i++) {
                /* %lu is the conversion for an unsigned long value */
                printf(" %s : %lu\n", api_call,
                       ivadmin_response_getcode(rsp, i));
            }
        }
    }


Obtaining error message modifiers

Some administration API calls return a modifier that categorizes the returned message as one of the following types:
- Information
- Warning
- Error

The modifiers are defined as constants (unsigned longs):

    #define IVADMIN_RESPONSE_INFO 0
    #define IVADMIN_RESPONSE_WARNING 1
    #define IVADMIN_RESPONSE_ERROR 2

- Call ivadmin_message_getcount() to determine how many information, warning, or error messages were returned.
- Call ivadmin_response_getmodifier() to determine the modifier for the specified message:

    /* rsp is an ivadmin_response; index is an unsigned long message index */
    unsigned long modifier;
    modifier = ivadmin_response_getmodifier(rsp, index);

Cleaning up and shutting down

Cleanup and shutdown of the administration API consists of freeing the memory and deleting the security contexts.

Freeing memory

The administration API provides the function ivadmin_free() for freeing memory that has been allocated by administration API calls. All memory that has been allocated by administration API calls must be freed using this function.

    void ivadmin_free(void *p);

Be sure to free memory allocated when you create the following objects:
- An ivadmin_context object
  See “Establishing security contexts” on page 7.
- A local copy of a data object created by an administration API get function
  See “Getting objects” on page 11.
- An array of character strings and pointers to the array created by an administration API list function
  See “Listing object information” on page 12.
- An ivadmin_response object containing error information
  See “Handling errors” on page 13.

Deleting a security context

The administration API application must close the connection, or security context, to the Access Manager policy server before exiting. The context must be deleted so that the client system and the Access Manager policy server can free the SSL resources.

The administration API provides the function ivadmin_context_delete(). This function takes the following input parameters:
- A context object of type ivadmin_context
- A pointer to the response object of type ivadmin_response


When the context has been deleted, the context memory is freed. Both the ivadmin_context object and ivadmin_response object must be freed.

The following code fragment shows a sample usage of ivadmin_context_delete():

    unsigned long status;
    ivadmin_context ctx;
    ivadmin_response rsp;

    status = ivadmin_context_delete(ctx, &rsp);
    if (status != IVADMIN_TRUE) {
        /* Delete failed; insert appropriate error handling */
    }
    ivadmin_free(rsp);
    ivadmin_free(ctx);
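The Chapter 2 rules (guard against a NULL response, free each listed string and then the array, delete and free the context) combined in one routine that releases everything on both success and failure paths. This is an added example, not code from the IBM reference or the ADK sample. The ivadmin_* definitions in its first section are constructed stand-ins that mirror only the call shapes shown on this page, so the block runs without the ADK; list_users(), finish_rsp(), sim_live, the password and the user names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Constructed stand-ins (NOT IBM code). With the ADK installed, delete
 * this section and include "ivadminapi.h" instead. sim_live counts API
 * allocations that have not been released yet, so leaks are observable. ---- */
#define IVADMIN_FALSE 0
#define IVADMIN_TRUE  1
typedef struct sim_ctx { int open; } *ivadmin_context;
typedef struct sim_rsp { unsigned long ok; const char *msg; } *ivadmin_response;
static long sim_live = 0;

static void *sim_alloc(size_t n) { void *p = calloc(1, n); if (p) sim_live++; return p; }
static void ivadmin_free(void *p) { if (p) { sim_live--; free(p); } }
static ivadmin_response sim_rsp_new(unsigned long ok, const char *msg) {
    ivadmin_response r = sim_alloc(sizeof *r);
    if (r) { r->ok = ok; r->msg = msg; }
    return r;
}
static unsigned long ivadmin_response_getok(ivadmin_response r) { return r->ok; }
static unsigned long ivadmin_response_getcount(ivadmin_response r) { return r->ok ? 0 : 1; }
static const char *ivadmin_response_getmessage(ivadmin_response r, unsigned long i) {
    (void)i; return r->msg;
}
static unsigned long ivadmin_context_createdefault(const char *uid, const char *pwd,
                                   ivadmin_context *ctx, ivadmin_response *rsp) {
    int ok = strcmp(uid, "sec_master") == 0 && strcmp(pwd, "constructed-pw") == 0;
    *ctx = ok ? sim_alloc(sizeof **ctx) : NULL;
    *rsp = sim_rsp_new(ok, ok ? "" : "constructed: authentication failed");
    return ok ? IVADMIN_TRUE : IVADMIN_FALSE;
}
static unsigned long ivadmin_user_list(ivadmin_context ctx, const char *pattern,
                                   unsigned long maxreturn, unsigned long *count,
                                   char ***userids, ivadmin_response *rsp) {
    static const char *reg[] = { "sec_master", "alice", "bob" };  /* constructed */
    unsigned long i, n = maxreturn < 3 ? maxreturn : 3;
    (void)ctx;
    if (pattern == NULL) {                       /* simulated failure path */
        *userids = NULL; *count = 0;
        *rsp = sim_rsp_new(0, "constructed: invalid pattern");
        return IVADMIN_FALSE;
    }
    *userids = sim_alloc(n ? n * sizeof(char *) : 1);
    for (i = 0; i < n; i++) {
        (*userids)[i] = sim_alloc(strlen(reg[i]) + 1);
        strcpy((*userids)[i], reg[i]);
    }
    *count = n;
    *rsp = sim_rsp_new(1, "");
    return IVADMIN_TRUE;
}
static unsigned long ivadmin_context_delete(ivadmin_context ctx, ivadmin_response *rsp) {
    (void)ctx; *rsp = sim_rsp_new(1, ""); return IVADMIN_TRUE;
}

/* ---- The pattern itself ---- */

/* Print any error messages, then release the response object and reset the
 * caller's pointer. Tolerates a NULL response. */
static void finish_rsp(ivadmin_response *rsp, const char *call) {
    unsigned long i;
    if (*rsp == NULL) { fprintf(stderr, "%s: no response object\n", call); return; }
    if (!ivadmin_response_getok(*rsp))
        for (i = 0; i < ivadmin_response_getcount(*rsp); i++)
            fprintf(stderr, "%s: %s\n", call, ivadmin_response_getmessage(*rsp, i));
    ivadmin_free(*rsp);
    *rsp = NULL;
}

/* Returns the number of user IDs listed, or -1 on failure. */
long list_users(const char *admin, const char *pwd, const char *pattern, unsigned long max) {
    ivadmin_context ctx = NULL;
    ivadmin_response rsp = NULL;
    char **ids = NULL;
    unsigned long n = 0, i, st;
    long result = -1;

    st = ivadmin_context_createdefault(admin, pwd, &ctx, &rsp);
    finish_rsp(&rsp, "ivadmin_context_createdefault");
    if (st != IVADMIN_TRUE) return -1;           /* no context was established */

    st = ivadmin_user_list(ctx, pattern, max, &n, &ids, &rsp);
    finish_rsp(&rsp, "ivadmin_user_list");
    if (st == IVADMIN_TRUE) {
        result = (long)n;
        for (i = 0; i < n; i++) {
            printf("%s\n", ids[i]);
            ivadmin_free(ids[i]);                /* each character pointer ... */
        }
        if (ids != NULL) ivadmin_free(ids);      /* ... then the array of pointers */
    }

    /* Reached on list success and list failure alike: close the SSL context. */
    ivadmin_context_delete(ctx, &rsp);
    finish_rsp(&rsp, "ivadmin_context_delete");
    ivadmin_free(ctx);
    return result;
}

int main(void) {
    long n = list_users("sec_master", "constructed-pw", "*", 10);
    printf("users: %ld, unreleased API allocations: %ld\n", n, sim_live);
    return n < 0;
}
```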


Chapter 3. Administering users and groups

The administration API provides a collection of functions for administering IBM Tivoli Access Manager (Access Manager) users and groups. This chapter describes the tasks that those functions accomplish.

Information about Access Manager users and groups is stored in the user registry. You can use the administration API to both modify and access user and group settings in the user registry. The administration API provides functions to administer both individual user settings and global user settings.

Access Manager provides the pdadmin command line interface (CLI) that accomplishes many of the same user and group administration tasks. Application developers who have previously used the pdadmin command to manage an Access Manager secure domain will find the administration API functions straightforward to implement.

This chapter displays the pdadmin command line equivalent for each of the administration API function calls. You can review the output from the pdadmin command line equivalents to better understand the types of information returned by the administration APIs. See the IBM Tivoli Access Manager Base Administrator’s Guide for detailed information on the pdadmin command.

This chapter contains the following topics:
- “Administering users”
- “Administering user accounts” on page 18
- “Administering user passwords” on page 20
- “Administering groups” on page 21
- “Administering group attributes” on page 21

Administering users

The administration API provides functions for creating, accessing, deleting, and listing Access Manager user information within the user registry.

The function ivadmin_user_create3() creates a user in the user registry used by the Access Manager policy server.

Note: When a user definition already exists in the user registry, use the ivadmin_user_import2() function instead.

The ivadmin_user_import2() function imports an existing user definition from the user registry into Access Manager and allows the user definition to be managed by Access Manager.

Use the ivadmin_user_delete2() function to delete a user from Access Manager.

Table 7 on page 18 lists the user administration functions.

User registry difference: Leading and trailing blanks in a user name do not make the name unique when using an LDAP or Active Directory user registry. However, leading and trailing blanks do make the user name unique when using a Domino server as a user registry. To keep name processing consistent regardless of what user registry is being used, do not define user names with leading or trailing blanks.

Table 7. Administrating users

Function Description

ivadmin_user_create3() Creates the specified user.

ivadmin_user_delete2() Deletes the specified user.

ivadmin_user_import2() Creates an Access Manager user by importing an existing user from the user registry.

ivadmin_user_list() Lists Access Manager users.

ivadmin_user_listbydn() Lists users by using the user registry’s distinguished name.

Administering user accounts

When a user account has been created in the user registry, you can set and get different pieces of information about the user. You must create a security context between the calling application and the Access Manager policy server before you can access the user registry. You can obtain the user registry information for a user object by specifying either the user ID or the user distinguished name.

Call the ivadmin_user_* group of API functions to establish security policies that apply to one specific Access Manager user. Call the ivadmin_context_* group of API functions to establish security policies that apply to all Access Manager users.

Note: When both an ivadmin_user_* command and an ivadmin_context_* command exist with similar functionality, they are combined and alphabetized under the ivadmin_context_* command as shown in Table 8 on page 19.

This section describes the API calls that you can use to modify or access the following data:
- Account expiration date
- Account disablement time interval
- Maximum number of failed logins
- Time of day access
- User registry type
- User objects
- User account-valid status
- User names (distinguished names, common names, and surnames)
- User descriptions
- User authentication mechanism
- Group memberships


Table 8. Administrating user accounts

Function Description

ivadmin_context_getaccexpdate(), ivadmin_user_getaccexpdate() Gets the account expiration date for user accounts.

ivadmin_context_getdisabletimeint(), ivadmin_user_getdisabletimeint() Gets the time to disable user accounts when the maximum number of login failures is exceeded.

ivadmin_context_getmaxlgnfails(), ivadmin_user_getmaxlgnfails() Gets the maximum number of failed logins allowed for user accounts.

ivadmin_context_gettodaccess(), ivadmin_user_gettodaccess() Gets the time of day access policy for user accounts.

ivadmin_context_getuserreg() Determines which type of user registry is configured for the Access Manager policy server.

ivadmin_context_setaccexpdate(), ivadmin_user_setaccexpdate() Sets the account expiration date for user accounts.

ivadmin_context_setdisabletimeint(), ivadmin_user_setdisabletimeint() Sets the time to disable for user accounts when the maximum number of login failures is exceeded.

ivadmin_context_setmaxlgnfails(), ivadmin_user_setmaxlgnfails() Sets the maximum number of failed logins allowed for user accounts.

ivadmin_context_settodaccess(), ivadmin_user_settodaccess() Sets the time of day access for the account for user accounts.

ivadmin_user_get() Gets the user object. Takes userID (character string) as an input parameter. Returns an object of type ivadmin_ldapuser. This object contains a number of user registry attributes for the specified user.

ivadmin_user_getaccountvalid() Returns the account-valid indicator for the specified user object.

ivadmin_user_getauthmech() Returns the user authentication mechanism.

ivadmin_user_getbydn() Gets the user object by using the distinguished name in the user registry. Returns an object of type ivadmin_ldapuser.

ivadmin_user_getcn() Returns the common name attribute from the specified user.

ivadmin_user_getdescription() Returns the user description as a character string.

ivadmin_user_getdn() Returns the distinguished name from the specified user.

ivadmin_user_getmemberships() Lists the groups in which the specified user is a member.

ivadmin_user_getsn() Returns the surname attribute for the specified user.

ivadmin_user_getssouser() Returns a setting that indicates if the user account has single signon capabilities.

ivadmin_user_setaccountvalid() Enables or disables the specified user account.

ivadmin_user_setauthmech() Sets the user authentication mechanism.

ivadmin_user_setdescription() Sets the user description.

ivadmin_user_setssouser() Enables or disables the single signon capabilities of the Access Manager user.

Administering user passwords

You can manage user access by setting password attributes. You can specify policies that apply only to a single user or specify policies that apply for all users.

This section describes the administration API calls that you can use to modify or access password data and policies.

Call the ivadmin_user_* group of API functions to establish security policies that apply to one specific Access Manager user. Call the ivadmin_context_* group of API functions to establish security policies that apply to all Access Manager users.

Note: When both an ivadmin_user_* command and an ivadmin_context_* command exist with similar functionality, they are combined and alphabetized under the ivadmin_context_* command in Table 9.

Table 9. Administrating user passwords

Function Description

ivadmin_context_getmaxpwdage(), ivadmin_user_getmaxpwdage() Gets the maximum password age for user accounts.

ivadmin_context_getmaxpwdrepchars(), ivadmin_user_getmaxpwdrepchars() Gets the maximum number of repeated characters allowed in a password for user accounts.

ivadmin_context_getminpwdalphas(), ivadmin_user_getminpwdalphas() Gets the minimum number of alphabetic characters allowed in a password for user accounts.

ivadmin_context_getminpwdlen(), ivadmin_user_getminpwdlen() Gets the minimum password length for user accounts.

ivadmin_context_getminpwdnonalphas(), ivadmin_user_getminpwdnonalphas() Gets the minimum number of nonalphabetic characters allowed in a password for user accounts.

ivadmin_context_getpwdspaces(), ivadmin_user_getpwdspaces() Gets policy for whether spaces are allowed in passwords for user accounts.

ivadmin_context_setmaxpwdage(), ivadmin_user_setmaxpwdage() Sets the maximum password age for user accounts.

ivadmin_context_setmaxpwdrepchars(), ivadmin_user_setmaxpwdrepchars() Sets the maximum number of repeated characters allowed in a password for user accounts.

ivadmin_context_setminpwdalphas(), ivadmin_user_setminpwdalphas() Sets the minimum number of alphabetic characters allowed in a password for user accounts.

ivadmin_context_setminpwdlen(), ivadmin_user_setminpwdlen() Sets the minimum password length for user accounts.

ivadmin_context_setminpwdnonalphas(), ivadmin_user_setminpwdnonalphas() Sets the minimum number of nonalphabetic characters allowed in a password for user accounts.

ivadmin_context_setpwdspaces(), ivadmin_user_setpwdspaces() Sets policy for whether spaces are allowed in passwords for user accounts.

ivadmin_user_getpasswordvalid() Returns the enabled indicator for the user’s password.

ivadmin_user_setpassword() Sets the user’s password.

ivadmin_user_setpasswordvalid() Enables or disables the Access Manager user’s password.

Administering groups

The administration API provides functions for creating, deleting, and listing the members of a group.

The name of a group is not case sensitive. Therefore "group", "GROUP", "Group", and "GrOuP" all refer to the same Access Manager group. Table 10 lists the group administration functions.

User registry difference: Leading and trailing blanks in a group name do not make the name unique when using an LDAP or Active Directory user registry. However, leading and trailing blanks do make the group name unique when using a Domino server as a user registry. To keep name processing consistent regardless of what user registry is being used, do not define group names with leading or trailing blanks.
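The naming rules above can be checked before any group is created. The following C sketch is an added example, not code from this guide or from IBM; the helper names and the sample names are hypothetical, and it assumes ASCII group names. It flags names with leading or trailing blanks and names that differ from an earlier name only by case or by edge blanks.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GROUP_NAME_BUF 128

/* Constructed sample: group names an application is about to create. */
static const char *const SAMPLE_NAMES[] = {
    "group", "GrOuP", " auditors", "Operators", "auditors", "operators "
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]))

/* Returns 1 when the name starts or ends with a blank (space). */
static int has_edge_blanks(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && (name[0] == ' ' || name[len - 1] == ' ');
}

/* Writes the canonical form (edge blanks trimmed, ASCII letters lowercased)
 * into out. Returns 0 on success, -1 if the result is empty or too long. */
static int canon_group_name(const char *name, char *out, size_t outlen)
{
    const char *start = name;
    const char *end = name + strlen(name);
    size_t len, i;

    while (*start == ' ')
        start++;
    while (end > start && end[-1] == ' ')
        end--;
    len = (size_t)(end - start);
    if (len == 0 || len >= outlen)
        return -1;
    for (i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)start[i]);
    out[len] = '\0';
    return 0;
}

/* Returns 1 when the two names are equal once case and edge blanks are
 * ignored, that is, when at least one registry type treats them as one group. */
static int same_group(const char *a, const char *b)
{
    char ca[GROUP_NAME_BUF], cb[GROUP_NAME_BUF];

    if (canon_group_name(a, ca, sizeof ca) != 0 ||
        canon_group_name(b, cb, sizeof cb) != 0)
        return 0;
    return strcmp(ca, cb) == 0;
}

/* Index of the first earlier name that collides with names[idx], or -1. */
static int first_collision(const char *const names[], int idx)
{
    int i;

    for (i = 0; i < idx; i++)
        if (same_group(names[i], names[idx]))
            return i;
    return -1;
}

/* Number of names to reject: edge blanks, or a collision with an earlier name. */
static int count_rejected(const char *const names[], int count)
{
    int i, rejected = 0;

    for (i = 0; i < count; i++)
        if (has_edge_blanks(names[i]) || first_collision(names, i) >= 0)
            rejected++;
    return rejected;
}

int main(void)
{
    int i;

    for (i = 0; i < SAMPLE_COUNT; i++) {
        int dup = first_collision(SAMPLE_NAMES, i);
        printf("\"%s\": %s%s\n", SAMPLE_NAMES[i],
               has_edge_blanks(SAMPLE_NAMES[i]) ? "[edge blanks] " : "",
               dup >= 0 ? "[same group as an earlier name]" : "");
    }
    printf("rejected: %d of %d\n",
           count_rejected(SAMPLE_NAMES, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```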

Table 10. Administering groups

Function Description

ivadmin_group_create2() Creates a group.

ivadmin_group_import2() Creates an Access Manager group by importing an existing group from the user registry.

ivadmin_group_delete2() Deletes the specified group.

ivadmin_group_list() Lists group names that match the specified pattern. Group names can be Access Manager or user registry names.

Administering group attributes

The administration API allows you to administer the attributes of a group. Table 11 lists the group attribute administration functions.

Table 11. Administering group attributes

Function Description

ivadmin_group_get() Gets the group object for the specified group name.

ivadmin_group_getbydn() Gets the group object for the specified distinguished name.

ivadmin_group_getcn() Returns the group common name attribute for the specified group.

ivadmin_group_getdescription() Returns the group description.

ivadmin_group_getdn() Returns the group distinguished name for the specified group.

ivadmin_group_getid() Returns the group ID for the specified group.

ivadmin_group_listbydn() Lists groups that match the specified pattern for distinguished names.

ivadmin_group_setdescription() Sets the group description.

ivadmin_group_getmembers() Lists the members of the group.

ivadmin_group_addmembers() Adds the specified users to the specified group. User registry difference: Attempting to add a duplicate user to a group is handled differently depending on what user registry is being used. See Table 35 on page 288 for details.

ivadmin_group_removemembers() Removes the specified users from the specified group. User registry difference: Attempting to remove a user from a group who is not a member of the group is handled differently depending on what user registry is being used. See Table 36 on page 288 for details.

Chapter 4. Administering protected objects and protected object spaces

You can use the administration API to create, modify, examine, list, and delete IBM Tivoli Access Manager (Access Manager) protected objects. These protected objects represent resources that must be secured to enforce your security policy. You can specify the security policy by applying access control lists (ACLs) and protected object policies (POPs) to the protected objects.

Access Manager protected objects exist within a virtual hierarchy known as a protected object space. Access Manager provides several protected object spaces by default. You can use the administration API to define new regions of the protected object space, to define and secure resources that are specific to a third-party application.

This chapter describes the administration API functions that you can use to administer protected object spaces and protected objects.

You must be familiar with protected objects before using the administration API. For an introduction to protected objects, see the chapter about managing protected objects in the IBM Tivoli Access Manager Base Administrator’s Guide.

For an introduction to the use of ACLs and POPs to secure protected objects, see the chapter about using access control policies and protected object policies in the IBM Tivoli Access Manager Base Administrator’s Guide.

This chapter contains the following topics:
- “Administering protected object spaces”
- “Administering protected objects” on page 24
- “Administering protected object attributes” on page 25

Administering protected object spaces

You can use the administration API to create and administer a user-defined protected object space. You can use this protected object space to define a resource hierarchy that is specific to a third-party application that uses Access Manager authorization services to enforce a security policy.

User-defined object spaces created with the administration API are dynamic because they can be updated while Access Manager is running.

Table 12 on page 24 lists the methods available for administering protected object spaces.

Note: For an introduction to the creation of protected object spaces, see the protected object space information in the IBM Tivoli Access Manager Base Administrator’s Guide.

Table 12. Administering protected object spaces

Function Description

ivadmin_objectspace_create() Creates an Access Manager protected object space.

ivadmin_objectspace_delete() Deletes the specified Access Manager protected object space.

ivadmin_objectspace_list() Lists the Access Manager protected object spaces.

Administering protected objects

Define protected objects that reflect the resources that your security policy protects.

Access Manager defines two types of protected objects: container objects and resource objects. Understand these concepts before creating and administering protected objects.

The name of a protected object can be of any length and contain any character. However, the forward slash (/) character is interpreted to be part of the object hierarchy, which allows ACLs to be attached at the various points indicated by the forward slash character.

After you create a protected object, you must specify security policy for it by defining and attaching ACLs, POPs, or both.

For more information about these Access Manager security concepts, see the IBM Tivoli Access Manager Base Administrator’s Guide.

Use caution when implementing protected objects programmatically. In many cases, the protected object hierarchy is manually designed, built, and tested by a security expert. Carefully review the hierarchy to ensure that the security policy is correctly enforced. If you choose to build protected object hierarchies programmatically, be sure to test and review the settings for each object before deploying the security environment.

Table 13 lists the methods available to administer protected objects.

Table 13. Administering protected objects

Function Description

ivadmin_protobj_attachacl() Attaches the specified access control list to the specified protected object.

ivadmin_protobj_create() Creates an Access Manager protected object.

ivadmin_protobj_delete() Deletes the specified Access Manager protected object.

ivadmin_protobj_detachacl() Detaches the access control list from the specified protected object.

ivadmin_protobj_get2() Returns the specified protected object.

ivadmin_protobj_getdesc() Gets the description of the specified protected object.

ivadmin_protobj_getid() Gets the name of the specified protected object.

ivadmin_protobj_getpolicyattachable() Indicates whether a protected object policy or access control list can be attached to the specified protected object.

ivadmin_protobj_getpop() Returns the protected object policy for the specified protected object.

ivadmin_protobj_list3() Returns the protected objects contained under the specified directory.

ivadmin_protobj_listbyacl() Returns a list of protected objects that have the specified access control list attached.

ivadmin_protobj_setdesc() Sets the description field of the specified protected object.

ivadmin_protobj_setname() Sets or changes the name of the specified protected object.

ivadmin_protobj_setpolicyattachable() Sets whether a protected object policy or access control list can be attached to the specified protected object.

ivadmin_protobj_settype() Sets the type field of the specified protected object.

Administering protected object attributes

The attributes for a protected object can be created, set, queried, and deleted.

Table 14 describes the methods for administering protected object attributes.

Table 14. Administering protected object attributes

Function Description

ivadmin_protobj_attrdelkey() Deletes the specified extended attribute (name and values) from the specified protected object.

ivadmin_protobj_attrdelval() Deletes the specified value from the specified extended attribute key in the specified protected object.

ivadmin_protobj_attrget() Returns the values associated with the specified extended attribute for the specified protected object.

ivadmin_protobj_attrlist() Lists all the extended attributes associated with the specified protected object.

ivadmin_protobj_attrput() Creates an extended attribute with the specified name and value, if it does not already exist, and adds the attribute to the specified protected object. If the attribute specified already exists, the specified value is added to the existing attribute.

Chapter 5. Administering access control

You can use the administration API to create, modify, examine, list, and delete IBM Tivoli Access Manager (Access Manager) access control lists (ACLs). You can also use the administration API to attach ACLs to Access Manager protected objects and to detach ACLs from protected objects.

Each ACL might contain entries for specific users and groups. You can use the administration API to set ACL entries for users and groups that already exist in the Access Manager secure domain. You also can use the administration API to set ACL entries for the default user categories any-other and unauthenticated.

ACL entries consist of one or more permissions. These permissions specify actions that the owner of the entry is allowed to perform. Access Manager provides a number of default permissions. You can use the administration API to define additional extended actions. You also can use the administration API to group the extended actions into action groups.

Understand the construction and use of ACLs before using the administration API ACL functions. The proper use of ACLs is key to successfully implementing a security policy. For more information, see the chapter about using access control lists in the IBM Tivoli Access Manager Base Administrator’s Guide.

This chapter contains the following topics:
- “Administering access control lists”
- “Administering access control list entries” on page 28
- “Administering access control list extended attributes” on page 29
- “Administering extended actions” on page 30
- “Administering action groups” on page 30

Administering access control lists

ACLs enable you to grant or restrict specific users and groups access to protected resources. The administration API enables you to:
- Create and delete ACLs
- Retrieve or change information associated with an ACL
- List the user or group entries that are included in the ACL

The name of an ACL can be of any length. The following characters are allowed in an ACL name:
- Alphanumeric characters defined in the locale
- The underscore (_) character
- The hyphen (-) character

You specify the user entries that belong in each ACL. You also specify the permissions or actions that each user is allowed to perform.

You can specify permissions or actions based on group membership, rather than individual user identity, to expedite administration tasks.

The administration API defines the ivadmin_acl data type to contain a retrieved ACL. You can use administration API functions to extract information from the ivadmin_acl object.

Be sure that you understand how to define an ACL policy before using the administration API ACL functions. For more information, see the section about ACL entry syntax in the IBM Tivoli Access Manager Base Administrator’s Guide.

Table 15 describes the methods for administering ACLs.

Table 15. Administering access control lists

Function Description

ivadmin_acl_create() Creates a new ACL.

ivadmin_acl_delete() Deletes the specified ACL.

ivadmin_acl_get() Returns the specified ACL.

ivadmin_acl_getdescription() Returns the description of the specified ACL.

ivadmin_acl_getid() Returns the name of the specified ACL.

ivadmin_acl_list() Returns the names of all the defined ACLs.

ivadmin_acl_listgroups() Returns a list of group names included in the specified ACL.

ivadmin_acl_listusers() Returns a list of the user names included in the specified ACL.

ivadmin_acl_setdescription() Sets or modifies the description for the specified ACL.

Administering access control list entries

You must create an ACL object before you can administer ACL entries for the object. To create an ACL object, see “ivadmin_acl_create()” on page 53.

The administration API can be used to specify entries for each of the following ACL entry types:
- Users
- Groups
- User any-other (also known as any-authenticated)
- User unauthenticated

The type any-other applies to any user that has been authenticated into the Access Manager secure domain but that does not have a separate entry in the ACL. The type unauthenticated applies to all user identities that are unknown to Access Manager. Unknown users cannot authenticate into the Access Manager secure domain.

Be sure that you understand ACL entry syntax, ACL entry types, ACL ID attributes, and ACL permission (action) attributes before you use the administration API functions in this section.

Access Manager supports 18 default actions. For a list of the default Access Manager actions, see the section about default Access Manager permissions for actions in the IBM Tivoli Access Manager Base Administrator’s Guide.
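How the four entry types described above decide which permissions a requester receives can be modeled in a few lines. This C model is an added example, not Access Manager code: the permission bits, names and sample ACL are constructed, and the precedence of a user entry over group entries and the union of matching group entries are assumptions of the model.

```c
#include <ctype.h>
#include <stdio.h>

enum entry_type { ENTRY_USER, ENTRY_GROUP, ENTRY_ANY_OTHER, ENTRY_UNAUTH, ENTRY_NONE };
struct verdict { enum entry_type applied; unsigned perms; };

/* Constructed permission bits; these are not Access Manager action codes. */
#define P_READ  0x1u
#define P_WRITE 0x2u
#define P_ADMIN 0x4u

struct acl_entry {
    enum entry_type type;
    const char *name;            /* NULL for any-other and unauthenticated */
    unsigned perms;
};
struct requester {
    const char *user;            /* NULL: identity unknown to Access Manager */
    const char *const *groups;
    int ngroups;
};

/* Constructed sample ACL and requesters. */
static const struct acl_entry SAMPLE_ACL[] = {
    { ENTRY_USER,      "alice",   P_READ | P_WRITE | P_ADMIN },
    { ENTRY_GROUP,     "staff",   P_READ },
    { ENTRY_GROUP,     "editors", P_WRITE },
    { ENTRY_ANY_OTHER, NULL,      P_READ },
    { ENTRY_UNAUTH,    NULL,      0 },
};
static const char *const ALICE_GROUPS[] = { "staff" };
static const char *const BOB_GROUPS[] = { "Staff", "EDITORS" };
static const struct requester SAMPLE_WHO[] = {
    { "alice", ALICE_GROUPS, 1 },  /* 0: has her own user entry */
    { "bob",   BOB_GROUPS,   2 },  /* 1: covered by two group entries */
    { "carol", NULL,         0 },  /* 2: authenticated, no user or group entry */
    { NULL,    NULL,         0 },  /* 3: unauthenticated */
};

/* Case-insensitive match (stated for group names; assumed here for users). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Verdict taken from a default category entry, or "none" if it is absent. */
static struct verdict from_default(const struct acl_entry *acl, int n,
                                   enum entry_type type)
{
    struct verdict v = { ENTRY_NONE, 0 };
    int i;
    for (i = 0; i < n; i++)
        if (acl[i].type == type) {
            v.applied = type;
            v.perms = acl[i].perms;
        }
    return v;
}

/* Resolves `who` against the first n entries of acl. Assumed order: user
 * entry, then the union of matching group entries, then any-other. */
static struct verdict resolve(const struct acl_entry *acl, int n,
                              const struct requester *who)
{
    struct verdict v = { ENTRY_NONE, 0 };
    int i, g;
    if (who->user == NULL)
        return from_default(acl, n, ENTRY_UNAUTH);
    for (i = 0; i < n; i++)
        if (acl[i].type == ENTRY_USER && name_eq(acl[i].name, who->user)) {
            v.applied = ENTRY_USER;
            v.perms = acl[i].perms;
            return v;
        }
    for (i = 0; i < n; i++)
        for (g = 0; acl[i].type == ENTRY_GROUP && g < who->ngroups; g++)
            if (name_eq(acl[i].name, who->groups[g])) {
                v.applied = ENTRY_GROUP;
                v.perms |= acl[i].perms;
            }
    if (v.applied == ENTRY_GROUP)
        return v;
    return from_default(acl, n, ENTRY_ANY_OTHER);
}

int main(void)
{
    int i;
    for (i = 0; i < 4; i++) {
        struct verdict v = resolve(SAMPLE_ACL, 5, &SAMPLE_WHO[i]);
        printf("%-6s entry type %d, perms 0x%x\n",
               SAMPLE_WHO[i].user ? SAMPLE_WHO[i].user : "(anon)",
               (int)v.applied, v.perms);
    }
    return 0;
}
```

In the sample, carol holds no entry of her own, so whatever the any-other entry grants is what every such authenticated user receives; with that entry absent she receives nothing.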

For more information, see the section about ACL entry syntax in the IBM Tivoli Access Manager Base Administrator’s Guide.

Table 16 lists the methods for administering ACL entries.

Table 16. Administering access control list entries

Function Description

ivadmin_acl_getanyother() Returns the actions defined in the entry for the user type any-other in the specified ACL.

ivadmin_acl_getunauth() Returns the actions (permissions) defined in the entry for the user type unauthenticated in the specified ACL.

ivadmin_acl_getuser() Returns the actions (permissions) defined in the entry for the specified user in the specified ACL.

ivadmin_acl_getgroup() Returns the actions (permissions) defined in the entry for the specified group in the specified ACL.

ivadmin_acl_removeanyother() Removes the ACL entry for the any-other user from the specified ACL.

ivadmin_acl_removegroup() Removes the ACL entry for the specified group from the specified ACL.

ivadmin_acl_removeunauth() Removes the ACL entry for the unauthenticated user from the specified ACL.

ivadmin_acl_removeuser() Removes the ACL entry for the specified user from the specified ACL.

ivadmin_acl_setanyother() Sets or modifies the ACL entry for the any-other user in the ACL. Call this function to specify permissions for all authenticated users that do not have a separate user or group entry in the specified ACL.

ivadmin_acl_setgroup() Sets or modifies the ACL entry for the specified group in the specified ACL.

ivadmin_acl_setunauth() Sets the ACL entry for the unauthenticated user in the specified ACL. Call this function to specify permissions for those users that have not been authenticated.

ivadmin_acl_setuser() Sets the entry for the specified user in the specified ACL. Use this to specify the actions that a user is permitted to perform.

Administering access control list extended attributes

Extended attributes for an ACL can be obtained, set, and deleted. Table 17 lists the methods available for administering ACL extended attributes.

Table 17. Administering access control list extended attributes

Function Description

ivadmin_acl_attrdelkey() Deletes the specified extended attribute key from the specified ACL.

ivadmin_acl_attrdelval() Deletes the specified value from the specified extended attribute key in the specified ACL.

ivadmin_acl_attrget() Gets the extended attribute values for the specified extended attribute key from the specified ACL.

ivadmin_acl_attrlist() Lists the extended attribute keys associated with the specified ACL.

ivadmin_acl_attrput() Creates an extended attribute with the specified name and value, if it does not already exist, and adds the attribute to the specified ACL. If the attribute specified already exists, the specified value is added to the existing attribute.

Administering extended actions

Access Manager provides a default set of actions (permissions) that can be granted to users or groups. You can use the administration API to define new, extended actions that supplement the set of default actions. Each of the extended actions belongs to an action group.

Extended actions are typically defined to support actions that are specific to a third-party application. For more information about extended actions, see the section about creating extended ACL actions and action groups in the IBM Tivoli Access Manager Base Administrator’s Guide.

Table 18. Administering extended actions

Function Description

ivadmin_action_create() Defines a new action (permission) code in the primary action group.

ivadmin_action_delete() Deletes an action (permission) code from the primary action group.

ivadmin_action_getdescription() Returns the description for the specified action.

ivadmin_action_getid() Returns the code for the specified action.

ivadmin_action_gettype() Returns the type for the specified action.

ivadmin_action_list() Lists all the defined action (permission) codes from the primary action group.

Administering action groups

You can use the administration API to create, examine, and delete new action groups.

Each action group can contain 32 action codes. The default action group contains the 18 predefined Access Manager action codes. Thus, you can add up to 14 new action codes to the primary group.

When you need to create more than 32 action codes, you can use the administration API to define a new action group. Access Manager supports up to 32 action groups.

For more information about action groups, see the section about creating extended ACL actions and action groups in the IBM Tivoli Access Manager Base Administrator’s Guide.

Table 19. Administering action groups

Function Description

ivadmin_action_create_in_group() Defines a new action (permission) code in the specified action group. Call this function to add an action code to a user-defined extended action group.

ivadmin_action_delete_from_group() Deletes an action (permission) code from the specified action group.

ivadmin_action_group_create() Creates a new action group with the specified name.

ivadmin_action_group_delete() Deletes the specified action group and all the actions that belong to the specified group.

ivadmin_action_group_list() Lists all the defined action group names.

ivadmin_action_list_in_group() Lists all the defined action (permission) codes from the specified action group.

Chapter 6. Administering protected object policies

You can use the administration API to create, modify, examine, and delete IBM Tivoli Access Manager (Access Manager) protected object policies (POPs). You can also use the Administration API to attach or detach POPs from protected objects.

You can use POPs to impose additional conditions on operations that are permitted by an access control list (ACL) policy. These additional conditions are enforced regardless of the user or group identities specified in the ACL entries.

Examples of additional conditions include the following:
- Forcing data encryption
- Requiring data integrity protection
- Writing a report record to the auditing service
- Requiring an authentication strength level
- Restricting access to a specific time period

Be sure that you understand Access Manager POPs before using the administration API to administer POPs. For more information, see the chapter about using POPs in the IBM Tivoli Access Manager Base Administrator’s Guide.

This chapter contains the following topics:
- “Administering protected object policy objects”
- “Administering protected object policy settings” on page 34
- “Administering protected object policy extended attributes” on page 35

Administering protected object policy objects

POP objects are administered in a similar way to ACL policies. You can create and configure a POP, and then attach the POP to objects in the protected object space.

The administration API defines the ivadmin_pop data type to contain the retrieved POP. You can use administration API functions to extract data from the ivadmin_pop objects. You do not need to know the internal structure of the ivadmin_pop data type.

Table 20. Administering protected object policy objects

Function Description

ivadmin_pop_attach() Attaches a POP to the specified protected object.

ivadmin_pop_create() Creates a POP object with the default values.

ivadmin_pop_delete() Deletes the specified POP.

ivadmin_pop_detach() Detaches a POP from the specified protected object.

ivadmin_pop_find() Finds and lists all protected objects that have the specified POP attached.

ivadmin_pop_get() Gets the specified POP object. Call this function to get an object of type ivadmin_pop.

ivadmin_pop_list() Lists all POP objects.

Administering protected object policy settings

You can use the administration API to set, modify, or remove attributes in a POP. You must create the POP object before specifying POP settings. To create a POP object, see “ivadmin_pop_create()” on page 156.

You can use administration API functions to specify the following POP attributes:
- Authentication levels
- Encryption requirements
- Auditing levels
- Time of day access restrictions
- Warning mode settings

Call ivadmin_pop_setanyothernw() or ivadmin_pop_setipauth() to specify step-up authentication policy for objects requiring authentication-sensitive authorization. When using step-up authentication, you can either filter users based on IP address or you can specify step-up authentication for all users, regardless of IP address.

Call ivadmin_pop_setanyothernw() or ivadmin_pop_setipauth() when you want to specify a POP that specifies step-up authentication policy for all users, regardless of IP address.

For more information, see the section about authentication strength POP policy (step-up) in the IBM Tivoli Access Manager WebSEAL Administration Guide.

The warning mode enables a security administrator to troubleshoot the authorization policy set on the protected object space.

When you set the warning attribute to yes, any action is possible by any user on the object where the POP is attached. Any access to an object is permitted even if the ACL policy attached to the object is set to deny this access.

Audit records are generated that capture the results of all ACL policies with warning mode set throughout the object space. The audit log shows the outcome of an authorization decision as it would have been made if the warning attribute had been set to no.

Table 21. Administering protected object policy settings

Function Description

ivadmin_pop_getauditlevel() Gets the audit level for the specified POP.

ivadmin_pop_getdescription() Gets the description of the specified POP.

ivadmin_pop_getid() Gets the name of the specified POP.

ivadmin_pop_getqop() Gets the quality of protection level for the specified POP.

ivadmin_pop_gettod() Gets the time of day range for the specified POP.


ivadmin_pop_getwarnmode() Gets the warning mode value from the specified POP.

ivadmin_pop_removeipauth() Removes the ipauth access setting for authentication level from the specified POP.

ivadmin_pop_setanyothernw() Sets the anyothernw setting for authentication level from the specified POP.

ivadmin_pop_setanyothernw_forbidden() Sets the anyothernw access setting to forbidden for the specified POP.

ivadmin_pop_setauditlevel() Sets the audit level for the specified POP.

ivadmin_pop_setdescription() Sets the description of the specified POP.

ivadmin_pop_setipauth() Sets the ipauth setting for authentication level in the specified POP.

ivadmin_pop_setipauth_forbidden() Sets the ipauth setting for authentication level to forbidden in the specified POP.

ivadmin_pop_setqop() Sets the quality of protection level for the specified POP.

ivadmin_pop_settod() Sets the time of day range for the specified POP.

ivadmin_pop_setwarnmode() Sets the warning mode for the specified POP.

Administering protected object policy extended attributes

Table 22. Administering protected object policy extended attributes

Function Description

ivadmin_pop_attrdelkey() Deletes the specified extended attribute from the specified POP.

ivadmin_pop_attrdelval() Deletes the specified value from the specified extended attribute key in the specified POP.

ivadmin_pop_attrget() Gets the values for the specified extended attribute from the specified POP.

ivadmin_pop_attrlist() Lists the extended attributes associated with the specified POP.

ivadmin_pop_attrput() Sets the value for the specified extended attribute in the specified POP.


Chapter 7. Administering single signon resources

You can use the administration API to administer resources that enable an IBM Tivoli Access Manager (Access Manager) user to obtain single signon capability across more than one Web server. This capability requires the use of Access Manager WebSEAL junctions.

You can use the administration API to create, modify, examine, and delete the following types of resources:
• Web resources
• Resource groups
• Resource credentials

Be sure that you understand Access Manager single signon support before you use the administration API to administer single signon resources. For more information about administering single signon capability across junctioned Web server resources, see the section about user registry resource management commands in the IBM Tivoli Access Manager Base Administrator’s Guide and the section about using global sign-on (GSO) in the IBM Tivoli Access Manager WebSEAL Administrator’s Guide.

This chapter contains the following topics:
• “Web resources”
• “Resource groups” on page 38
• “Resource credentials” on page 39

Web resources

A Web resource is a Web server that serves as the backend of an Access Manager WebSEAL junction. An application on the joined Web server can require users to authenticate specifically to the application. The authentication information, such as user name and password, often differs from the authentication information used by Access Manager.

The junctioned Web server thus requires an authenticated Access Manager user to log in again, using the user name and password specific to the application on the joined Web server.

You can use the administration API to configure Access Manager so that Access Manager users need to authenticate only one time. You must define a Web resource (server) and then define a user-specific resource credential that contains user-specific authentication information for the Web resource.

This section describes how to create, modify, and delete Web resources. Administration of resource credentials is described in “Resource credentials” on page 39.

Note: The administration API does not perform all WebSEAL junction configuration tasks through the API. Use the pdadmin commands to modify the junction definitions. For more information, see the IBM Tivoli Access Manager WebSEAL Administrator’s Guide.


Table 23. Administering Web resources

Function Description

ivadmin_ssoweb_create() Creates a single signon Web resource.

ivadmin_ssoweb_delete() Deletes the specified single signon Web resource.

ivadmin_ssoweb_get() Returns the specified single signon Web resource.

ivadmin_ssoweb_getdescription() Returns the description of the specified single signon Web resource.

ivadmin_ssoweb_getid() Returns the name (identifier) of the specified single signon Web resource.

ivadmin_ssoweb_list() Returns a list of all of the single signon Web resource names.

Resource groups

A resource group is a group of Web servers, all of which have been junctioned to an Access Manager WebSEAL server and all of which use the same set of user IDs and passwords.

You can use the administration API to create resource groups. You can then create a single resource credential for all the resources in the resource group. This enables you to simplify the management of Web resources by grouping similar Web resources into resource groups.

You can also use the administration API to add more Web resources, when necessary, to an existing resource group.

Table 24. Administering resource groups

Function Description

ivadmin_ssogroup_addres() Adds a single signon resource to a single signon resource group.

ivadmin_ssogroup_create() Creates a single signon group resource.

ivadmin_ssogroup_delete() Deletes a single signon group resource.

ivadmin_ssogroup_get() Returns the specified single signon group resource.

ivadmin_ssogroup_getdescription() Returns the description of the single signon group resource.

ivadmin_ssogroup_getid() Returns the name of the single signon group resource.

ivadmin_ssogroup_getresources() Returns a list of the member single signon resource names for the specified single signon group.

ivadmin_ssogroup_list() Returns a list of all of the single signon group resource names.

ivadmin_ssogroup_removeres() Removes a single signon resource from the specified single signon resource group.


Resource credentials

A resource credential provides a user ID and password for a single signon user-specific resource, such as a Web server or a group of Web servers. The Web resource or group of Web resources must exist before you can apply resource credentials to it.

Resource credential information is stored in the user’s Access Manager entry in the user registry.

You can use the administration API to create, modify, examine, and delete resource credentials.

Credential — create

Table 25. Administering credentials

Function Description

ivadmin_ssocred_create() Creates a single signon credential.

ivadmin_ssocred_delete() Deletes a single signon credential.

ivadmin_ssocred_get() Returns the specified single signon credential.

ivadmin_ssocred_getid() Returns the name of the single signon resource associated with this credential.

ivadmin_ssocred_getssopassword() Returns the password associated with this single signon credential.

ivadmin_ssocred_getssouser() Returns the name of the user associated with the specified single signon credential.

ivadmin_ssocred_gettype() Returns the type of the single signon resource associated with the specified single signon credential.

ivadmin_ssocred_getuser() Returns the name of the user associated with this single signon credential.

ivadmin_ssocred_list() Returns the list of single signon credentials for the specified user.

ivadmin_ssocred_set() Modifies a single signon credential.


Chapter 8. Configuring authorization servers

You can use the administration API to configure and unconfigure servers, modify configuration parameters, administer replicas, and perform certificate maintenance. These APIs are used by the svrsslcfg command line utility instead of the pdadmin command line utility.

The svrsslcfg utility is used to perform the necessary configuration steps that allow an application to use a secure sockets layer (SSL) connection for communicating with the policy server or the authorization server. It is not intended to do all of the configuration that may be required to ensure a correctly functioning application. For more information about the svrsslcfg utility, see the section about using svrsslcfg and the svrsslcfg reference page in the IBM Tivoli Access Manager Authorization C API Developer’s Reference.

Note: The local host name is used to build a unique name for the application. In some cases, depending on the TCP/IP configuration, the host name is not always consistent and may result in look-up failures. For example, the operating system might return the fully qualified host name while another machine might just return the host name. If this happens in your network, you should use the following format to specify the server name to the command line interface:

server_name/desired_host_name

For the API, these parameters are separate. There, desired_host_name should be specified for the host_name parameter.

This chapter contains the following topics:
• “Configuring authorization servers”
• “Administering replicas” on page 42
• “Certificate maintenance” on page 42

Configuring authorization servers

Use the configuration commands to enable an application to communicate with the policy server or the authorization server. An administrative user identity (for example, sec_master) and password must be specified for connecting to the policy server.

Table 26. Configuring authorization servers

Function Description

ivadmin_cfg_configureserver2() Configures an authorization API server by updating the configuration file and creating the key-ring database.

ivadmin_cfg_setkeyringpwd() Refreshes or changes the key-ring database password.

ivadmin_cfg_setlistening() Sets or resets the enable-listening parameter in the configuration file.

ivadmin_cfg_setport() Changes the listening port number of the application and updates the port number in the configuration file.


ivadmin_cfg_setssltimeout() Changes the SSL timeout value in the configuration file.

ivadmin_cfg_unconfigureserver() Unconfigures an authorization API server.

Administering replicas

Table 27. Administering replicas

Function Description

ivadmin_cfg_addreplica() Adds a replica entry to the configuration file.

ivadmin_cfg_chgreplica() Changes parameters of a replica entry in the configuration file.

ivadmin_cfg_rmvreplica() Removes a replica entry from the configuration file.

Certificate maintenance

Use ivadmin_cfg_renewservercert() only when the certificate has been compromised or when the automatic certificate refresh logic fails.

Table 28. Certificate maintenance

Function Description

ivadmin_cfg_setapplicationcert() Replaces the optional application certificate authority certificate and the optional SSL certificate in the key-ring database.

ivadmin_cfg_renewservercert() Renews the server SSL certificate.


Chapter 9. Administering servers

You can use the administration API to get a list of tasks from the server, send a specific task to an authorization server, and notify replica databases (automatically or manually) when the master authorization database is updated.

This chapter contains the following topics:
• Getting and performing administration tasks
• Notifying replica databases when the master authorization database is updated
  – Notifying replica databases automatically
  – Notifying replica databases manually
  – Setting the maximum number of notification threads
  – Setting the notification wait time

Getting and performing administration tasks

You can send an administration task to a server. You also can request a list of all supported administration tasks from a server. The caller must have credentials with sufficient permission to perform the task. For more information, see the IBM Tivoli Access Manager Authorization C API Developer’s Reference.

Notifying replica databases when the master authorization database is updated

When an administrator makes security policy changes, the policy server makes adjustments to the master authorization database to reflect these changes. To ensure that these changes also are dispersed to any authorization servers with replica databases, you can do one or more of the following:

• Configure an IBM Tivoli Access Manager (Access Manager) application, such as WebSEAL, to poll the master authorization database at regular intervals for updates. By default, polling is disabled. For more information about polling the master authorization database, see the cache-refresh-interval option described in the IBM Tivoli Access Manager Authorization C API Developer’s Reference.

• Enable the policy server to notify authorization servers each time that the master authorization database is updated. This automatic process is recommended for environments where database changes are infrequent. For more information, see “Notifying replica databases automatically” on page 44.

• Notify authorization servers, on demand, after you make updates to the master authorization database. This manual process is recommended for environments where database changes are frequent and involve substantial changes. For instructions, see “Notifying replica databases manually” on page 44.

After you select the method that you want to use to update replica databases (automatic, manual, or both), you can fine-tune settings in the ivmgrd.conf file on the policy server. For more information, see “Setting the maximum number of notification threads” on page 44 and “Setting the notification wait time” on page 44.


Notifying replica databases automatically

You can enable the policy server to send notifications to authorization servers each time that the master authorization database is updated. In turn, the authorization servers automatically request a database update from the policy server.

To enable automatic database updates, edit the ivmgrd.conf file on the policy server system and add the following attribute=value pair:

[ivmgrd]
auto-database-update-notify = yes

You must restart the policy server for changes to take effect. Note that this setting is recommended for environments where the master database is changed infrequently. To turn off automatic notification, specify no.

Notifying replica databases manually

When the master authorization database is updated, you can use the ivadmin_server_replicate() function to send notification to application servers that are configured to receive database update notifications. You can indicate that a specific server receive update notifications, or specify NULL, which notifies all configured authorization servers in the secure domain. If you specify a server name, you are notified whether the server was replicated successfully or if a failure occurred. If you do not specify a server name, return codes indicate whether or not the policy server started notifying authorization servers in your secure domain. Note that unless you specify the server-name option, you are not notified when an authorization server’s database was replicated successfully.

Setting the maximum number of notification threads

When the master authorization database is updated, this update is announced to replica databases through the use of notification threads. Each replica then has the responsibility of downloading the new data from the master authorization database.

You can edit the ivmgrd.conf file to set a value for the maximum number of notification threads. This number is calculated based on the number of replica databases in your secure domain. For example, if you have 10 replica databases and want to notify them of master database changes simultaneously, specify a value of 10 for the max-notifier-threads attribute as shown:

[ivmgrd]
max-notifier-threads = 10

The default value is 10 (threads).

Setting the notification wait time

There is a time delay between when the policy server updates the master authorization database and when notification is sent to database replicas. If you added auto-database-update-notify = yes to the ivmgrd.conf file as described in “Notifying replica databases automatically” on page 44, you can set this period of time. To do so, edit the notifier-wait-time value in the ivmgrd.conf file. For example, if you are making batch changes to the master authorization database, it is advisable to wait until all changes have been made before policy changes are sent to database replicas. Therefore, you might decide to increase the default value from 15 (seconds) as shown:

[ivmgrd]
notifier-wait-time = 25


By editing the value for this attribute, the policy server is prevented from sending individual replica notifications for each of a series of database changes.
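The three [ivmgrd] settings described above decide how quickly a policy change reaches the replicas, so they are worth checking together. The following is an added example, not code from the product or from this reference: it reads the stanza from configuration text, applies the defaults stated above (10 threads, 15 seconds), and compares the result with the number of replica databases. The function names, the flag names, the '#' comment syntax and the sample text are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Effective replica-notification settings read from the [ivmgrd] stanza. */
struct notify_cfg {
    int  auto_notify;   /* 1 = yes, 0 = no, -1 = key not present */
    long max_threads;   /* max-notifier-threads, documented default 10 */
    long wait_seconds;  /* notifier-wait-time, documented default 15 */
};

/* Review findings, combined as bit flags (names are hypothetical). */
enum { F_NO_AUTO_NOTIFY = 1, F_FEW_THREADS = 2, F_MALFORMED = 4 };

/* Strip leading and trailing white space in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) end--;
    *end = '\0';
    return s;
}

/* Accept only a complete, non-negative decimal number. */
static int parse_count(const char *v, long *out)
{
    char *end;
    long n = strtol(v, &end, 10);
    if (end == v || *end != '\0' || n < 0) return -1;
    *out = n;
    return 0;
}

/* Parse configuration text (modified in place). Keys outside [ivmgrd] are
   ignored. Returns the number of malformed values; those keep the default. */
int parse_ivmgrd(char *text, struct notify_cfg *cfg)
{
    int in_stanza = 0, bad = 0;
    cfg->auto_notify = -1;
    cfg->max_threads = 10;
    cfg->wait_seconds = 15;
    for (char *line = strtok(text, "\n"); line; line = strtok(NULL, "\n")) {
        char *s = trim(line);
        if (*s == '\0' || *s == '#') continue;  /* assumption: '#' starts a comment */
        if (*s == '[') { in_stanza = (strcmp(s, "[ivmgrd]") == 0); continue; }
        char *eq = strchr(s, '=');
        if (!in_stanza || eq == NULL) continue;
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (strcmp(key, "auto-database-update-notify") == 0) {
            if (strcmp(val, "yes") == 0) cfg->auto_notify = 1;
            else if (strcmp(val, "no") == 0) cfg->auto_notify = 0;
            else bad++;
        } else if (strcmp(key, "max-notifier-threads") == 0) {
            bad += parse_count(val, &cfg->max_threads) != 0;
        } else if (strcmp(key, "notifier-wait-time") == 0) {
            bad += parse_count(val, &cfg->wait_seconds) != 0;
        }
    }
    return bad;
}

/* Compare the settings with the number of replica databases in the domain. */
int review_notify(const struct notify_cfg *cfg, long replicas, int bad)
{
    int flags = 0;
    if (cfg->auto_notify != 1)         /* not set to yes in this file */
        flags |= F_NO_AUTO_NOTIFY;
    if (cfg->max_threads < replicas)   /* replicas cannot all be notified at once */
        flags |= F_FEW_THREADS;
    if (bad > 0)
        flags |= F_MALFORMED;
    return flags;
}

int main(void)
{
    /* Constructed sample, not taken from a real installation. */
    char sample[] =
        "# constructed sample\n"
        "[other-stanza]\n"
        "max-notifier-threads = 99\n"
        "[ivmgrd]\n"
        "auto-database-update-notify = yes\n"
        "max-notifier-threads = 4\n"
        "notifier-wait-time = 25\n";
    struct notify_cfg cfg;
    int bad = parse_ivmgrd(sample, &cfg);
    int flags = review_notify(&cfg, 10, bad);
    printf("auto=%d threads=%ld wait=%lds flags=%d\n",
           cfg.auto_notify, cfg.max_threads, cfg.wait_seconds, flags);
    return flags ? 1 : 0;
}
```

A set F_NO_AUTO_NOTIFY flag means only that the file does not say yes; this section states no default for that key, so check the running policy server before concluding that automatic notification is off.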

Administrating servers and database notification

Table 29. Administrating servers and database notification

Function Description

ivadmin_server_gettasklist() Gets the list of tasks from the server.

ivadmin_server_performtask() Sends a command to an authorization server.

ivadmin_server_replicate() Notifies authorization servers to receive database updates.


Chapter 10. Administration C API reference

The APIs in this chapter are presented alphabetically by name. Refer to “Conventions used in this reference” on page xviii for a description of the conventions used to illustrate commands.


ivadmin_acl_attrdelkey()

Deletes the specified extended attribute key from the specified access control list.

Syntax

unsigned long
ivadmin_acl_attrdelkey(
    ivadmin_context ctx,
    char *aclid,
    char *attr_key,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

attr_key The extended attribute to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified extended attribute key from the specified access control list.

Command line equivalent:

pdadmin modify ACL_name delete attribute attribute_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_attrdelval()

Deletes the specified value from the specified extended attribute key in the specified access control list.

Syntax

unsigned long
ivadmin_acl_attrdelval(
    ivadmin_context ctx,
    char *aclid,
    char *attr_key,
    char *attr_value,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

attr_key The extended attribute key.

attr_value The extended attribute value to delete from the extended attribute key.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified value from the specified extended attribute key in the specified access control list.

Command line equivalent:

pdadmin modify ACL_name delete attribute attribute_name attribute_value

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_attrget()

Gets the extended attribute value for the specified extended attribute key from the specified access control list.

Syntax

unsigned long
ivadmin_acl_attrget(
    ivadmin_acl acl,
    char *attr_key,
    unsigned long *count,
    char ***attr_value
);

Parameters

Input

acl The ivadmin_acl object. This object contains the access control list.

attr_key The attribute key to look up.

Output

count The number of values returned.

attr_value The list of values returned. Free this list when it is no longer needed.

Description

Gets the extended attribute values for the specified extended attribute key from the specified access control list.

You must free each element of the returned attribute list as well as the array itself.

Command line equivalent:

pdadmin acl show ACL_name attribute attribute_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_attrlist()

Lists the extended attribute keys associated with the specified access control list.

Syntax

unsigned long
ivadmin_acl_attrlist(
    ivadmin_acl acl,
    unsigned long *count,
    char ***attr_list
);

Parameters

Input

acl The ivadmin_acl object. This object contains the access control list.

Output

count The number of extended attributes.

attr_list The extended attributes. Free this list when it is no longer needed.

Description

Lists the extended attribute keys associated with the specified access control list.

You must free each element of the returned attribute list as well as the array itself.

Command line equivalent:

pdadmin acl list ACL_name attribute

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
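ivadmin_acl_attrget() and ivadmin_acl_attrlist() both hand back a count and a char *** list whose elements and array must each be freed. The following added example, which is not code from the product or from this reference, shows one caller that honours that rule on every path. The lookup and the deallocator are passed in as function pointers so that the block runs without the product header; acl_attr_has_value(), the void * ACL handle, the demo_* stand-ins and their sample values are assumptions made for the example. With the real library the deallocator would be the API's own free routine (ivadmin_free() in this API, which this section does not show).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef IVADMIN_TRUE            /* values as documented in this reference */
#define IVADMIN_TRUE  1UL
#define IVADMIN_FALSE 0UL
#endif

/* Same parameter list as ivadmin_acl_attrget(); the ACL handle is a void *
   here so that the block compiles without the product header (assumption). */
typedef unsigned long (*attrget_fn)(void *acl, char *attr_key,
                                    unsigned long *count, char ***attr_value);
/* Deallocator for memory returned by the lookup, supplied by the caller. */
typedef void (*release_fn)(void *p);

/* Returns 1 if attr_key holds `wanted`, 0 if it does not, -1 if the lookup
   failed. On success every element and then the array itself is released. */
int acl_attr_has_value(attrget_fn get, release_fn release, void *acl,
                       char *attr_key, const char *wanted)
{
    unsigned long count = 0;
    char **values = NULL;
    int found = 0;

    if (get(acl, attr_key, &count, &values) != IVADMIN_TRUE)
        return -1;          /* assumption: no list is handed over on failure */
    if (values == NULL)
        return 0;           /* success, but nothing was returned */

    for (unsigned long i = 0; i < count; i++) {
        if (values[i] == NULL)
            continue;
        if (strcmp(values[i], wanted) == 0)
            found = 1;      /* no early return: later elements still need freeing */
        release(values[i]);
    }
    release(values);        /* the array is a separate allocation */
    return found;
}

/* ---- constructed stand-ins so the block runs without a policy server ---- */
static unsigned long demo_release_calls;

static void demo_release(void *p)
{
    demo_release_calls++;
    free(p);
}

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    if (d != NULL)
        strcpy(d, s);
    return d;
}

/* Returns two constructed values for the key "owner"; fails for other keys. */
static unsigned long demo_attrget(void *acl, char *attr_key,
                                  unsigned long *count, char ***attr_value)
{
    (void)acl;
    if (strcmp(attr_key, "owner") != 0)
        return IVADMIN_FALSE;
    char **list = malloc(2 * sizeof *list);
    if (list == NULL)
        return IVADMIN_FALSE;
    list[0] = dup_str("appsec-team");
    list[1] = dup_str("platform-team");
    *count = 2;
    *attr_value = list;
    return IVADMIN_TRUE;
}

int main(void)
{
    char key[] = "owner";
    int r = acl_attr_has_value(demo_attrget, demo_release, NULL, key,
                               "appsec-team");
    printf("found=%d releases=%lu\n", r, demo_release_calls);
    return r == 1 ? 0 : 1;
}
```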


ivadmin_acl_attrput()

Sets the extended attribute value for the specified extended attribute key in the specified access control list.

Syntax

unsigned long
ivadmin_acl_attrput(
    ivadmin_context ctx,
    char *aclid,
    char *attr_key,
    char *attr_value,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

attr_key The extended attribute key for which you want to set a value.

attr_value The value to set.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the extended attribute value for the specified extended attribute key in the specified access control list.

Command line equivalent:

pdadmin acl modify ACL_name set attribute attribute_name attribute_value

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_create()

Creates a new access control list.

Syntax

unsigned long
ivadmin_acl_create(
    ivadmin_context ctx,
    const char *aclid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list to be created. The name can be of any length. The following characters are valid in an ACL name.
• Alphanumeric characters defined in the locale
• The underscore (_) character
• The hyphen (-) character

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a new access control list (ACL). This function creates a new ACL policy in the Access Manager ACL database. It does not create the specific ACL entries.

Command line equivalent:

pdadmin acl create ACL_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_delete()

Deletes the specified access control list.

Syntax

unsigned long
ivadmin_acl_delete(
    ivadmin_context ctx,
    const char *aclid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified access control list.

Command line equivalent:

pdadmin acl delete ACL_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_get()

Returns the specified access control list.

Syntax

unsigned long
ivadmin_acl_get(
    ivadmin_context ctx,
    const char *aclid,
    ivadmin_acl *acl,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

Output

acl Returned access control list. Free this memory when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the specified access control list.

Command line equivalent:

pdadmin acl show ACL_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_getanyother()

Returns the actions (permissions) defined in the entry for the user any-other in the specified access control list.

Syntax

const char *
ivadmin_acl_getanyother(
    ivadmin_acl acl
);

Parameters

Input

acl Pointer to the access control list.

Description

Returns the actions defined in the entry for the user any-other in the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using this function to obtain the actions defined for the any-other user type. Free this character string when it is no longer needed.

Command line equivalent:

pdadmin acl show any-other

Return Values

Returns the actions defined in the entry for the user any-other in the specified access control list.


ivadmin_acl_getdescription()

Returns the description of the specified access control list.

Syntax
const char *ivadmin_acl_getdescription(
    ivadmin_acl acl
);

Parameters
Input

acl Pointer to the access control list.

Description
Returns the description of the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using ivadmin_acl_getdescription(). Do not free this entry. This is data maintained in the access control list structure.

Command line equivalent:
    pdadmin acl show ACL_name

The description is part of the information returned by the pdadmin acl show command.

Return Values
Returns the description of the specified access control list.


ivadmin_acl_getgroup()

Returns the actions (permissions) defined in the entry for the specified group in the specified access control list.

Syntax
const char *ivadmin_acl_getgroup(
    ivadmin_acl acl,
    const char *groupid
);

Parameters
Input

acl Pointer to the access control list.

groupid The name of the group for which you want the actions.

Description
Returns the actions (permissions) defined in the entry for the specified group in the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using this function to obtain the actions defined for the group. Free this entry when it is no longer needed.

Command line equivalent:
    pdadmin acl show ACL_name

Return Values
Returns the actions (permissions) defined in the entry for the specified group in the specified access control list.


ivadmin_acl_getid()

Returns the name of the specified access control list.

Syntax
const char *ivadmin_acl_getid(
    ivadmin_acl acl
);

Parameters
Input

acl Pointer to the access control list.

Description
Returns the name of the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using this function. Do not free the returned name. This is data maintained in the ivadmin_acl structure.

Command line equivalent:
    pdadmin acl show ACL_name

The access control list name is part of the information returned by the pdadmin command.

Return Values
Returns the name of the specified access control list.


ivadmin_acl_getunauth()

Returns the actions (permissions) defined in the entry for the user unauthenticated in the specified access control list.

Syntax
const char *ivadmin_acl_getunauth(
    ivadmin_acl acl
);

Parameters
Input

acl Pointer to the access control list.

Description
Returns the actions (permissions) defined in the entry for the user unauthenticated in the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using this function to obtain the actions defined for all unauthenticated users. Free the returned actions when they are no longer needed.

Command line equivalent:
    pdadmin acl show ACL_name

Return Values
Returns the actions (permissions) defined in the entry for the user unauthenticated in the specified access control list.


ivadmin_acl_getuser()

Returns the actions (permissions) defined in the entry for the specified user in the specified access control list.

Syntax
const char *ivadmin_acl_getuser(
    ivadmin_acl acl,
    const char *userid
);

Parameters
Input

acl Pointer to the access control list.

userid The name of the user entry from which you want to get the list of defined actions.

Description
Returns the actions (permissions) defined in the entry for the specified user in the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using ivadmin_acl_getuser() to obtain the actions defined for the user. Free this character string when no longer needed.

Command line equivalent:
    pdadmin acl show ACL_name

Return Values
Returns the actions (permissions) defined in the entry for the specified user in the specified access control list.


ivadmin_acl_list()

Returns the names of all the defined access control lists.

Syntax
unsigned long ivadmin_acl_list(
    ivadmin_context ctx,
    unsigned long *count,
    char ***aclids,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

Output

count The number of access control list names returned.

aclids Array of pointers to access control list names. Free each access control list name pointer and the array of pointers when they are no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Returns the names of all of the defined access control lists.

Command line equivalent:
    pdadmin acl list

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_listgroups()

Returns a list of group names included in the specified access control list.

Syntax
unsigned long ivadmin_acl_listgroups(
    ivadmin_acl acl,
    unsigned long *count,
    char ***groupids
);

Parameters
Input

acl Pointer to the access control list.

Output

count The number of group names returned.

groupids Array of pointers to group names.

Description
Returns a list of group names included in the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using this function. Free each group name pointer and the array of pointers when they are no longer needed.

Command line equivalent:
    pdadmin acl show ACL_name

The list of group names is part of the information returned by this pdadmin command.

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_listusers()

Returns a list of the user names included in the specified access control list.

Syntax
unsigned long ivadmin_acl_listusers(
    ivadmin_acl acl,
    unsigned long *count,
    char ***userids
);

Parameters
Input

acl Pointer to the access control list.

Output

count Number of user names returned.

userids Array of pointers to user names. Free each user name pointer and the array of pointers when they are no longer needed.

Description
Returns a list of the user names included in the specified access control list. You must call the ivadmin_acl_get() function to obtain the ivadmin_acl object before using this function.

Command line equivalent:
    pdadmin acl show ACL_name

The list of users is part of the information returned in the pdadmin command.

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_removeanyother()

Removes the access control list entry for the user any-other from the specified access control list.

Syntax
unsigned long ivadmin_acl_removeanyother(
    ivadmin_context ctx,
    const char *aclid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Removes the access control list entry for the user any-other from the specified access control list.

Command line equivalent:
    pdadmin acl modify ACL_name remove any-other

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_removegroup()

Removes the access control list entry for the specified group from the specified access control list.

Syntax
unsigned long ivadmin_acl_removegroup(
    ivadmin_context ctx,
    const char *aclid,
    const char *groupid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

groupid The name of the group entry to be removed from the access control list.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Removes the access control list entry for the specified group from the specified access control list.

Command line equivalent:
    pdadmin acl modify ACL_name remove group group_name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_removeunauth()

Removes the access control list entry for the user unauthenticated from the specified access control list.

Syntax
unsigned long ivadmin_acl_removeunauth(
    ivadmin_context ctx,
    const char *aclid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Removes the access control list entry for the user unauthenticated from the specified access control list.

Command line equivalent:
    pdadmin acl modify ACL_name remove unauthenticated

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_removeuser()

Removes the access control list entry for the specified user from the specified access control list.

Syntax
unsigned long ivadmin_acl_removeuser(
    ivadmin_context ctx,
    const char *aclid,
    const char *userid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

userid The name of the user entry to be removed from the access control list.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Removes the access control list entry for the specified user from the specified access control list.

Command line equivalent:
    pdadmin acl modify ACL_name remove user user_name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_setanyother()

Sets or modifies the access control list entry for the user any-other in the access control list.

Syntax
unsigned long ivadmin_acl_setanyother(
    ivadmin_context ctx,
    const char *aclid,
    const char *actions,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid Access control list name.

actions The new permissions for this access control list entry. This is a string consisting of single-letter permission codes.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets or modifies the access control list entry for the user any-other in the access control list.

Command line equivalent:
    pdadmin acl modify ACL_name set any-other perms

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_setdescription()

Set or modify the description for the specified access control list.

Syntax
unsigned long ivadmin_acl_setdescription(
    ivadmin_context ctx,
    const char *aclid,
    const char *description,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid Access control list name.

description New description.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Set or modify the description for the specified access control list.

Command line equivalent:
    pdadmin acl modify ACL_name description description

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_setgroup()

Sets or modifies the access control list entry for the specified group in the specified access control list.

Syntax
unsigned long ivadmin_acl_setgroup(
    ivadmin_context ctx,
    const char *aclid,
    const char *groupid,
    const char *actions,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid Access control list name.

groupid The access control list entry for this group is set.

actions The new permissions for this access control list entry. This is a string consisting of single-letter permission codes.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets or modifies the access control list (ACL) entry for the specified group in the specified access control list. The Access Manager user registry must contain an entry for the specified group before you can call this function to add an entry for the group to an ACL.

Command line equivalent:
    pdadmin acl modify ACL_name set group group_name perms

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_setunauth()

Sets the access control list entry for the user unauthenticated in the specified access control list.

Syntax
unsigned long ivadmin_acl_setunauth(
    ivadmin_context ctx,
    const char *aclid,
    const char *actions,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid Access control list name.

actions The new permissions for this access control list entry. This is a string consisting of single-letter permission codes.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the access control list entry for the user unauthenticated in the specified access control list.

Command line equivalent:
    pdadmin acl modify ACL_name set unauthenticated perms

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_acl_setuser()

Sets the entry for the specified user in the specified access control list.

Syntax
unsigned long ivadmin_acl_setuser(
    ivadmin_context ctx,
    const char *aclid,
    const char *userid,
    const char *actions,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

aclid Access control list name.

userid The access control list entry for this user is set.

actions The new permissions for this access control list entry. This is a string consisting of single-letter permission codes.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Call this function to specify the permissions that the user is permitted to perform. For a list of the default Access Manager actions, see the section about default Access Manager permissions for actions in the IBM Tivoli Access Manager Base Administrator’s Guide. The Access Manager user registry must contain an entry for the specified user before you can use this function to add an entry for the user to an access control list (ACL).

Command line equivalent:
    pdadmin acl modify ACL_name set user user_name perms

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_create()

Defines a new action (permission) code in the primary action group.

Syntax
unsigned long ivadmin_action_create(
    ivadmin_context ctx,
    const char *actionid,
    const char *description,
    const char *type,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

actionid Action identifier. This must be a single-letter code that does not conflict with existing permission codes. The input is left as a string for future expansion.

description Description of a permission code. This description appears in the Access Manager Web portal manager.

type Label for action category. This label appears in the Access Manager Web portal manager.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Defines a new action (permission) code in the primary action group.

Each action group can contain 32 action codes. The default action group contains the 18 predefined Access Manager action codes. Thus, you can call ivadmin_action_create() to add up to 14 new action codes to the primary group.

Action codes consist of one alphabetic character (a–z or A–Z). Action codes are case-sensitive. Each action code can be used only once within an action group. Be sure that you do not attempt to redefine the default Access Manager action codes when adding new codes to the primary group.

Command line equivalent:
    pdadmin action create name description action_type

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.


IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_create_in_group()

Defines a new action (permission) code in the specified action group.

Syntax
unsigned long ivadmin_action_create_in_group(
    ivadmin_context ctx,
    const char *actionid,
    const char *description,
    const char *type,
    const char *groupname,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

actionid Action identifier. This must be a single-letter code that does not conflict with existing permission codes. The input is left as a string for future expansion.

description Description of the permission code. This appears in the Access Manager Web portal manager.

type Label for the action category. This appears in the Access Manager Web portal manager.

groupname Name of the action group in which to create the action.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Defines a new action (permission) code in the specified action group. Call this function to add an action code to a user-defined extended action group.

Action codes consist of one alphabetic character (a–z or A–Z). Action codes are case-sensitive. Each action code can be used only once within an action group. Access Manager supports up to 32 actions in one action group.

Command line equivalent:
    pdadmin action create name description action_type action_group_name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.


IVADMIN_FALSE Defined as 0. The function encountered an error.
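
The action code rules given for ivadmin_action_create() and ivadmin_action_create_in_group() (one letter a-z or A-Z, case-sensitive, unique within a group, at most 32 codes per group) and the single-letter format of the actions strings passed to the ivadmin_acl_set*() functions can be checked locally before a request is sent to the policy server. The following is an added example, not code from this reference or from Access Manager: the function names, the enum and the sample code strings are hypothetical, and it assumes ASCII and that every code in a permission string belongs to one action group.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACTIONS_PER_GROUP 32 /* per-group limit stated in this reference */

typedef enum {
    ACTION_OK = 0,
    ACTION_ERR_FORMAT,    /* not exactly one letter a-z or A-Z */
    ACTION_ERR_DUPLICATE, /* code already defined in the group */
    ACTION_ERR_GROUP_FULL /* group already holds 32 codes */
} action_check;

/* Map a code to a bit index: a-z -> 0..25, A-Z -> 26..51 (ASCII assumed).
 * Upper and lower case get different bits because codes are case-sensitive. */
static int code_bit(char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return 26 + (c - 'A');
    return -1;
}

/* Build the set of codes defined in one action group from a string of codes.
 * Returns 0 on success, -1 on a non-letter or a repeated code. */
int action_set_from_string(const char *codes, uint64_t *set)
{
    uint64_t s = 0;
    if (codes == NULL || set == NULL) return -1;
    for (; *codes != '\0'; codes++) {
        int bit = code_bit(*codes);
        if (bit < 0 || (s & (UINT64_C(1) << bit))) return -1;
        s |= UINT64_C(1) << bit;
    }
    *set = s;
    return 0;
}

/* Number of codes in the set. */
unsigned action_set_count(uint64_t set)
{
    unsigned n = 0;
    while (set) { set &= set - 1; n++; }
    return n;
}

/* Pre-flight check for a new action code against the group's current codes. */
action_check check_new_action(uint64_t group_set, const char *actionid)
{
    int bit;
    if (actionid == NULL || strlen(actionid) != 1) return ACTION_ERR_FORMAT;
    bit = code_bit(actionid[0]);
    if (bit < 0) return ACTION_ERR_FORMAT;
    if (group_set & (UINT64_C(1) << bit)) return ACTION_ERR_DUPLICATE;
    if (action_set_count(group_set) >= MAX_ACTIONS_PER_GROUP)
        return ACTION_ERR_GROUP_FULL;
    return ACTION_OK;
}

/* Check a permission string for an ACL entry. Returns the index of the first
 * character that is not a code defined in the group, -1 if every character
 * is defined, or -2 if perms is NULL. */
int first_undefined_perm(uint64_t group_set, const char *perms)
{
    int i;
    if (perms == NULL) return -2;
    for (i = 0; perms[i] != '\0'; i++) {
        int bit = code_bit(perms[i]);
        if (bit < 0 || !(group_set & (UINT64_C(1) << bit))) return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: codes already defined in a hypothetical group. */
    uint64_t group = 0;
    if (action_set_from_string("Tcrx", &group) != 0) return 1;
    printf("create q: %d\n", check_new_action(group, "q"));
    printf("create T: %d\n", check_new_action(group, "T"));
    printf("create t: %d\n", check_new_action(group, "t"));
    printf("perms Trw: first undefined at %d\n",
           first_undefined_perm(group, "Trw"));
    return 0;
}
```

In a real client the set of defined codes would be built from the codes the policy server reports, rather than from a literal string.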


ivadmin_action_delete()

Deletes an action (permission) code from the primary action group.

Syntax
unsigned long ivadmin_action_delete(
    ivadmin_context ctx,
    const char *actionid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

actionid Action identifier. This must be a single-letter code that identifies the permission to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Deletes an action (permission) code from the primary action group.

Command line equivalent:
    pdadmin action delete name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_delete_from_group()

Deletes an action (permission) code from the specified action group.

Syntax
unsigned long ivadmin_action_delete_from_group(
    ivadmin_context ctx,
    const char *actionid,
    const char *groupname,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

actionid Action identifier. This must be a single-letter code that identifies the permission to delete.

groupname Name of the action group from which to delete the action.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Deletes an action (permission) code from the specified action group.

Command line equivalent:
    pdadmin action delete name action_group_name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_getdescription()

Returns the description for the specified action.

Syntax
const char *ivadmin_action_getdescription(
    ivadmin_action action
);

Parameters
Input

action Pointer to the action.

Description
Returns the description for the specified action.

Do not free this string. This data is maintained in the ivadmin_action object.

Command line equivalent:
    pdadmin action list

This pdadmin command lists information about all the actions, including the description for each action.

Return Values
Returns the description for the specified action.


ivadmin_action_getid()

Returns the code for the specified action.

Syntax
const char *ivadmin_action_getid(
    ivadmin_action action
);

Parameters
Input

action Pointer to the action.

Description
Returns the code for the specified action.

Do not free this string. This data is maintained in the ivadmin_action structure.

Command line equivalent:
    pdadmin action list

This pdadmin command lists information about all the actions, including the code for each action.

Return Values
Returns the code for the specified action.


ivadmin_action_gettype()

Returns the type of the specified action.

Syntax
const char *ivadmin_action_gettype(
    ivadmin_action action
);

Parameters
Input

action Pointer to the action.

Description
Returns the type of the specified action.

Do not free this string. This data is maintained in the ivadmin_action structure.

Command line equivalent:
    pdadmin action list

This pdadmin command lists information about all the actions, including the type for each action.

Return Values
Returns the type of the specified action.


ivadmin_action_group_create()

Creates a new action group with the specified name.

Syntax
unsigned long ivadmin_action_group_create(
    ivadmin_context ctx,
    const char *groupname,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

groupname Name of the new action group.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Creates a new action group with the specified name. Access Manager supports a maximum of 32 action groups.

Command line equivalent:
    pdadmin action group create action_group_name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_group_delete()

Deletes the specified action group and all the actions that belong to the specified group.

Syntax
unsigned long ivadmin_action_group_delete(
    ivadmin_context ctx,
    const char *groupname,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

groupname Name of the action group to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Deletes the specified action group and all of the actions that belong to the specified group.

Command line equivalent:
    pdadmin action group delete action_group_name

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_group_list()

Lists all the defined action group names.

Syntax
unsigned long ivadmin_action_group_list(
    ivadmin_context ctx,
    unsigned long *count,
    char ***names,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

Output

count Number of action group names returned.

names Array of pointers to group name strings. Free each group name string and the array of pointers when they are no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Lists all the defined action group names. Free each group name string and the array of pointers when they are no longer needed.

Command line equivalent:
    pdadmin action group list

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_list()

Lists all the defined action (permission) codes from the primary action group.

Syntax

unsigned long
ivadmin_action_list(
    ivadmin_context ctx,
    unsigned long *count,
    ivadmin_action **actions,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

count The number of actions returned.

actions Array of pointers to actions.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists all the defined action (permission) codes from the primary action group. Use this function to obtain an opaque list of actions. You can then use additional functions to obtain information from each action (ivadmin_action). For example, you can use ivadmin_action_getdescription() to obtain a description for the specified ivadmin_action object.

Free each action pointer and the array of pointers when they are no longer needed.

Command line equivalent:
pdadmin action list

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_action_list_in_group()

Lists all the defined action (permission) codes from the specified action group.

Syntax

unsigned long
ivadmin_action_list_in_group(
    ivadmin_context ctx,
    const char *actiongroup,
    unsigned long *count,
    ivadmin_action **actions,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

actiongroup Name of the action group to list.

Output

count The number of actions returned.

actions Array of pointers to actions.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists all the defined action (permission) codes from the specified action group.

Free each action pointer and the array of pointers when they are no longer needed.

Command line equivalent:
pdadmin action list action_group_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_addreplica()

Adds a replica entry to the configuration file.

Syntax

unsigned long
ivadmin_cfg_addreplica(
    const char *cfg_file_name,
    const char *ivacld_host,
    int ivacld_port,
    int ivacld_rank,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

ivacld_host Specifies the TCP host name of the ivacld server.

ivacld_port Specifies the listening port number of the ivacld replica server. This is the port number on which the ivacld server listens for requests.

ivacld_rank Specifies the replica order of preference among other replicas.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Command line equivalent:
svrsslcfg -add_replica -f cfg_file -h host_name [-p port] [-k rank]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_chgreplica()

Changes parameters of a replica entry in the configuration file.

Syntax

unsigned long
ivadmin_cfg_chgreplica(
    const char *cfg_file_name,
    const char *ivacld_host,
    int ivacld_port,
    int ivacld_rank,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

ivacld_host Specifies the TCP host name of the ivacld server.

ivacld_port Specifies the listening port number of the ivacld replica server. This is the port number on which the ivacld server listens for requests.

ivacld_rank Specifies the replica order of preference among other replicas.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Command line equivalent:
svrsslcfg -chg_replica -f cfg_file -h host_name [-p port] [-k rank]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_configureserver2()

Configures an authorization API server by updating the configuration file and creating the keyring database.

Syntax

unsigned long
ivadmin_cfg_configureserver2(
    ivadmin_context ctx,
    const char *cfg_file_name,
    const char *kdb_dir_name,
    const char *server_name,
    const char *host_name,
    ivadmin_cfg_servertype server_type,
    const char *server_pwd,
    int enable_listening,
    int listening_port,
    int enable_refresh,
    int kdb_pwd_life,
    int ssl_timeout,
    const char *appl_cert,
    const char *azn_app_host,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

kdb_dir_name Specifies the keyring database directory.

server_name Specifies a unique server name.

host_name Specifies the host name on which the application runs.

server_type Specifies the server type. Possible values are local or remote.

server_pwd Administrator password.

enable_listening Sets the listening-enabled flag in the configuration file.

listening_port Specifies the TCP/IP port on which the application listens.

enable_refresh Enables or disables the certificate automatic refresh support.

kdb_pwd_life Specifies the keyring database password life in days. If it is 0, a default of 183 days is used.


ssl_timeout Specifies the Secure Sockets Layer (SSL) session timeout value in seconds. If it is 0, a default of 7200 is used.

appl_cert Specifies the name of the file that contains a base-64 encoded SSL certificate. This is an optional parameter. If specified, the certificate is stored in the keyring database using a label of APPL_LDAP_CERT. Typical use of this parameter is to store the certificate authority certificate that the application uses when it authenticates directly to the user registry.

Do not confuse this certificate with the certificate that is used to authenticate with the Access Manager policy server. The certificate specified by this parameter does not participate in authentication with the policy server; it is strictly for application use and allows the application to use a single keyring database for all SSL certificates.

azn_app_host The host name to be written to the azn-host-name entry in the configuration file and used by the application at runtime.

This optional parameter is needed only if the host name returned by the TCP gethostbyname() is incorrect or different from the host_name parameter specified.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Configures an authorization API server by updating the configuration file and creating the keyring database.

Command line equivalent:
svrsslcfg -config -f cfg_file_name -d kdb_dir_name -n server_name \
    -s server_type -r listening_port -P admin_pwd [-S server_pwd] \
    [-A admin_ID] [-t ssl_timeout] [-e kbd_pwd_life] [-l listening_mode]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_renewservercert()

Renews the server Secure Sockets Layer (SSL) certificate.

Syntax

unsigned long
ivadmin_cfg_renewservercert(
    ivadmin_context ctx,
    const char *cfg_file_name,
    const char *server_name,
    const char *host_name,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

server_name Specifies the unique server name.

host_name Specifies the host name on which the application will run.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Use this API to refresh the certificate used to authenticate with the policy server if it has expired or been compromised. The application must be stopped before using this API.

Command line equivalent:
svrsslcfg -chgcert -f cfg_file -n server_name [-A admin_id] -P admin_pwd

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_rmvreplica()

Removes a replica entry from the configuration file.

Syntax

unsigned long
ivadmin_cfg_rmvreplica(
    const char *cfg_file_name,
    const char *ivacld_host,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

ivacld_host Specifies the TCP host name of the ivacld server.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Removes a replica entry from the configuration file.

Command line equivalent:
svrsslcfg -chg_replica -f cfg_file -h host_name [-p port] [-k rank]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_setapplicationcert()

Replaces the optional application certificate authority certificate and the optional Secure Sockets Layer (SSL) certificate in the keyring database.

Syntax

unsigned long
ivadmin_cfg_setapplicationcert(
    const char *cfg_file_name,
    const char *appl_cert,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

appl_cert Specifies the name of the file that contains a base-64 encoded SSL certificate. This is an optional parameter. If specified, the certificate is stored in the keyring database using a label of APPL_LDAP_CERT. Typical use of this parameter is to store the certificate authority certificate that the application uses when it authenticates directly to the user registry.

Do not confuse this certificate with the certificate that is used to authenticate with the Access Manager policy server. The certificate specified by this parameter does not participate in authentication with the policy server; it is strictly for application use and allows the application to use a single keyring database for all SSL certificates.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

The application must be stopped prior to invoking this API.

Command line equivalent:
svrsslcfg -modify -f cfg_file [-t timeout] [-C cert_file] [-l listening_mode]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_setkeyringpwd()

Refreshes or changes the keyring database password.

Syntax

unsigned long
ivadmin_cfg_setkeyringpwd(
    const char *cfg_file_name,
    int kdb_pwd_life,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

kdb_pwd_life Specifies the keyring database password life in days. If 0, a default of 183 days is used.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Use this API to refresh or change the keyring database random password. A new random password is created in the stash file. The application must be stopped to execute this API.

Command line equivalent:
svrsslcfg -chgcert -f cfg_file -n server_name [-A admin_id] -P admin_pwd

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_setlistening()

Sets or resets the enable-listening parameter in the configuration file.

Syntax

unsigned long
ivadmin_cfg_setlistening(
    const char *cfg_file_name,
    int enable_listening,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

enable_listening Sets the listening-enabled flag in the configuration file.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

The listening port in the configuration file must be nonzero to enable listening. Otherwise, an invalid parameter error is returned. The application must be stopped and restarted after calling this API.

Command line equivalent:
svrsslcfg -chgcert -f cfg_file -modify -l yes

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_setport()

Changes the listening port number of the application and updates the port number in the configuration file.

Syntax

unsigned long
ivadmin_cfg_setport(
    const char *cfg_file_name,
    int listening_port,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

listening_port Specifies the TCP/IP port on which the application listens.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

The server must be stopped and restarted to activate this change. If the port is set to zero, the listen-flags are set to disable.

Command line equivalent:
svrsslcfg -config -f cfg_file_name -d kdb_dir_name -n server_name \
    -s server_type -r listening_port -P admin_pwd [-S server_pwd] \
    [-A admin_ID] [-t ssl_timeout] [-e kbd_pwd_life] [-l listening_mode]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. If a server was specified, this indicates the successful notification and database replication by that server. If no server is specified, this indicates that the policy server has begun notifying each authorization server, but is not an indication of successful notification or replication to any one of those servers.

IVADMIN_FALSE Defined as 0. If a server was specified, this indicates the failure of the notification and database replication by that server. If no server is specified, this indicates a failure has occurred in requesting that the policy server begin notifying each authorization server.


ivadmin_cfg_setssltimeout()

Changes the Secure Sockets Layer (SSL) timeout value in the configuration file.

Syntax

unsigned long
ivadmin_cfg_setssltimeout(
    const char *cfg_file_name,
    int ssl_timeout,
    ivadmin_response *rsp
);

Parameters

Input

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

ssl_timeout Specifies the SSL session timeout value in seconds. If 0 is specified, a default of 7200 is used.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

The application must be stopped and restarted to activate this change.

Command line equivalent:
svrsslcfg -modify -f cfg_file [-t timeout] [-C cert_file] [-l listening_mode]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_cfg_unconfigureserver()

Unconfigures an authorization API server.

Syntax

unsigned long
ivadmin_cfg_unconfigureserver(
    ivadmin_context ctx,
    const char *cfg_file_name,
    const char *server_name,
    const char *host_name,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

cfg_file_name Specifies the configuration file to use. Unless the configuration file is in the current directory, this must be a fully qualified path name.

server_name Specifies a unique server name.

host_name Specifies the host name on which the application runs.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

This API reports success even if the server was not configured. This command destroys the keyring, any objects in the user registry, and the access control list (ACL) database for the server.

The application must be stopped before calling this API.

Command line equivalent:
svrsslcfg -unconfig -f cfg_file_name -n server_name \
    [-P admin_password] [-A admin_ID]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_cleardelcred()

Clears the delegated credential for the context.

Syntax

unsigned long
ivadmin_context_cleardelcred(
    ivadmin_context ctx,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Clears the delegated credential for the context.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_create()

Creates a context.

Syntax

unsigned long
ivadmin_context_create(
    const char *keyringfile,
    const char *keyringstashfile,
    const char *keyringpassword,
    const char *userid,
    const char *pwd,
    const char *serverdn,
    const char *serverhost,
    unsigned long port,
    ivadmin_context *ctx,
    ivadmin_response *rsp
);

Parameters

Input

keyringfile Fully qualified path name to the Secure Sockets Layer (SSL) keyring file that contains the public key of the Access Manager policy server.

keyringstashfile Fully qualified path name to the stash file that contains the password used to access the keyring file. You must specify either a keyring stash file or keyring file password.

If you specify both, the password will be used. If you specify neither, an invalid input error is returned.

keyringpassword Password used to access the keyring file. You must specify either a keyring stash file or a keyring file password. If you specify both, the password is used. If you specify neither, an invalid input error is returned.

userid Administrator user name to authenticate as. This user must be a member of the following user registry group:
cn=iv-admin,cn=SecurityGroups,secauthority=default

pwd Administrator password.

serverdn Access Manager policy server certificate distinguished name used to authenticate the Access Manager policy server.

This parameter is optional. If you do not want to authenticate the Access Manager policy server you can specify NULL or an empty string.

serverhost Access Manager policy server host name or IP address.

port Access Manager policy server listening port number.

Output

ctx Returned context. This is used to send administration requests to the Access Manager policy server. This object should be freed when it is no longer needed.


rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

The context represents a connection to the Access Manager policy server. To successfully create a context the Access Manager policy server must be available and the authentication must be successful.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
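The input rules for ivadmin_context_create() can be checked before the call is made. The following is an added example, not code from this reference or from IBM: the struct, flag names, helper functions and sample values are all hypothetical, and treating an empty string as "not specified" for the stash file and password is an assumption. It flags the case the reference allows but a deployment usually should not: a NULL or empty serverdn, which leaves the policy server unauthenticated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: one field per documented input of
 * ivadmin_context_create(). This struct is not part of the API. */
struct ctx_params {
    const char *keyringfile;
    const char *keyringstashfile;
    const char *keyringpassword;
    const char *userid;
    const char *pwd;
    const char *serverdn;
    const char *serverhost;
    unsigned long port;
};

/* Findings reported by the check (hypothetical names). */
enum {
    PF_NO_KEYRING_SECRET  = 1 << 0, /* neither stash file nor password given */
    PF_STASH_IGNORED      = 1 << 1, /* both given: the password is used */
    PF_SERVER_UNVERIFIED  = 1 << 2, /* serverdn NULL or "": no server check */
    PF_PATH_NOT_QUALIFIED = 1 << 3, /* keyring or stash path is relative */
    PF_MISSING_REQUIRED   = 1 << 4  /* required input absent or bad port */
};

/* Assumption: an empty string counts as "not specified". */
static int is_blank(const char *s) { return s == NULL || s[0] == '\0'; }

/* Fully qualified: "/..." on UNIX, "X:\..." or "X:/..." on Windows. */
static int is_fully_qualified(const char *path)
{
    if (is_blank(path)) return 0;
    if (path[0] == '/') return 1;
    return isalpha((unsigned char)path[0]) && path[1] == ':' &&
           (path[2] == '\\' || path[2] == '/');
}

/* Returns a bitmask of PF_* findings; 0 means nothing to report. */
unsigned preflight_context_params(const struct ctx_params *p)
{
    unsigned flags = 0;
    int have_stash = !is_blank(p->keyringstashfile);
    int have_pwd = !is_blank(p->keyringpassword);

    if (is_blank(p->keyringfile) || is_blank(p->userid) || is_blank(p->pwd) ||
        is_blank(p->serverhost) || p->port == 0 || p->port > 65535)
        flags |= PF_MISSING_REQUIRED;

    /* Documented rule: one of the two is required; the password wins. */
    if (!have_stash && !have_pwd) flags |= PF_NO_KEYRING_SECRET;
    if (have_stash && have_pwd) flags |= PF_STASH_IGNORED;

    if (!is_blank(p->keyringfile) && !is_fully_qualified(p->keyringfile))
        flags |= PF_PATH_NOT_QUALIFIED;
    if (have_stash && !is_fully_qualified(p->keyringstashfile))
        flags |= PF_PATH_NOT_QUALIFIED;

    /* Documented behaviour: NULL or "" skips authenticating the server. */
    if (is_blank(p->serverdn)) flags |= PF_SERVER_UNVERIFIED;
    return flags;
}

/* Policy of this example (an assumption): refuse to call the API unless
 * the server is authenticated; PF_STASH_IGNORED is only a warning. */
int preflight_blocks_call(unsigned flags)
{
    return (flags & (PF_NO_KEYRING_SECRET | PF_SERVER_UNVERIFIED |
                     PF_PATH_NOT_QUALIFIED | PF_MISSING_REQUIRED)) != 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the reference. */
    struct ctx_params p = {
        "/example/keys/pd.kdb", "/example/keys/pd.sth", NULL,
        "admin_example", "constructed-secret", "", "pd.example.com", 7135
    };
    unsigned f = preflight_context_params(&p);
    printf("flags=0x%x blocks_call=%d\n", f, preflight_blocks_call(f));
    return 0;
}
```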


ivadmin_context_createdefault()

Creates a context using the default Secure Sockets Layer (SSL) configuration.

Syntax

unsigned long
ivadmin_context_createdefault(
    const char *userid,
    const char *pwd,
    ivadmin_context *ctx,
    ivadmin_response *rsp
);

Parameters

Input

userid Administrator user name to use for authenticating. This user must be a member of the following user registry group:
cn=iv-admin,cn=SecurityGroups,secauthority=default

pwd Administrator password.

Output

ctx Returned context. This is used to send administration requests to the Access Manager policy server. Free this object when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

The context represents a connection to the Access Manager policy server. The location of the Access Manager policy server and SSL information is retrieved from the current Access Manager runtime environment configuration.

To successfully create a context, the Access Manager policy server must be available and the authentication must be successful.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_delete()

Deletes the connection with the Access Manager policy server.

Syntax

unsigned long
ivadmin_context_delete(
    ivadmin_context ctx,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context for communicating with the Access Manager policy server. This is the context to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the connection with the Access Manager policy server. This must be called before exiting the program. Deleting the connection enables the client and Access Manager policy server to free Secure Sockets Layer (SSL) resources. The context is no longer usable; free the context memory after this call.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getaccexpdate()

Gets the account expiration date for all user accounts.

Syntax

unsigned long
ivadmin_context_getaccexpdate(
    ivadmin_context ctx,
    unsigned long *seconds,
    unsigned long *unlimited,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

seconds Returned date and time of the expiration of all user accounts. This is the number of seconds since 00:00:00 Universal time, 1 January 1970 (same as time_t).

unlimited Returned indicator that the account expiration is not restricted.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the account expiration date for all user accounts.

Command line equivalent:
pdadmin policy get account-expiry-date

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getdisabletimeint()

Gets the time to disable user accounts when the maximum number of login failures is exceeded. This setting applies to all user accounts.

Syntax

unsigned long
ivadmin_context_getdisabletimeint(
    ivadmin_context ctx,
    unsigned long *seconds,
    unsigned long *disable,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

seconds Disable the user account for the specified number of seconds if the maximum number of login failures is exceeded.

disable Disable the user account if the maximum number of login failures is exceeded. Administrator action is required to enable the account.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the time to disable user accounts if the maximum number of login failures has been exceeded. This setting applies to all user accounts.

Command line equivalent:
pdadmin policy get disable-time-interval

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getmaxlgnfails()

Gets the maximum number of login failures allowed for each user account.

Syntax

unsigned long
ivadmin_context_getmaxlgnfails(
    ivadmin_context ctx,
    unsigned long *failures,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

failures Maximum number of login failures allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the maximum number of login failures allowed for each user account.

Command line equivalent:

pdadmin policy get max-login-failures

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getmaxpwdage()

Gets the maximum password age for all user accounts.

Syntax

unsigned long
ivadmin_context_getmaxpwdage(
    ivadmin_context ctx,
    unsigned long *seconds,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

seconds Returned maximum lifetime, in seconds, before expiration of password.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the maximum password age for all user accounts.

Command line equivalent:

pdadmin policy get max-password-age

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getmaxpwdrepchars()

Gets the maximum number of repeated characters allowed in a password for each user account.

Syntax

unsigned long
ivadmin_context_getmaxpwdrepchars(
    ivadmin_context ctx,
    unsigned long *chars,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

chars Maximum number of repeated characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the maximum number of repeated characters allowed in a password for each user account.

Command line equivalent:

pdadmin policy get max-password-repeated-chars

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getminpwdalphas()

Gets the minimum number of alphabetic characters allowed in a password for each user account.

Syntax

unsigned long
ivadmin_context_getminpwdalphas(
    ivadmin_context ctx,
    unsigned long *chars,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

chars Minimum number of alphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the minimum number of alphabetic characters allowed in a password for each user account.

Command line equivalent:

pdadmin policy get min-password-alphas

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getminpwdnonalphas()

Gets the minimum number of nonalphabetic characters allowed in a password for each user account.

Syntax

unsigned long
ivadmin_context_getminpwdnonalphas(
    ivadmin_context ctx,
    unsigned long *chars,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

chars Minimum number of nonalphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the minimum number of nonalphabetic characters allowed in a password for each user account.

Command line equivalent:

pdadmin policy get min-password-non-alphas

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getminpwdlen()

Gets the minimum password length for all user accounts.

Syntax

unsigned long
ivadmin_context_getminpwdlen(
    ivadmin_context ctx,
    unsigned long *length,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

length The minimum allowed password length.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the minimum password length for all user accounts.

Command line equivalent:

pdadmin policy get min-password-length

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
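The following is an added example, not part of the original reference or of the Access Manager library. It audits the values returned by ivadmin_context_getmaxlgnfails(), ivadmin_context_getdisabletimeint() and ivadmin_context_getminpwdlen() against a baseline, honouring the unset and disable flags described above. The snapshot type, the finding names, the baseline thresholds and the sample values are assumptions made for the example.

```c
#include <stdio.h>

/* Values as defined on this page. */
#define IVADMIN_TRUE  1
#define IVADMIN_FALSE 0

/* Hypothetical snapshot: each field holds one output parameter of the getter
 * named beside it, copied after that call returned IVADMIN_TRUE. */
typedef struct {
    unsigned long failures, failures_unset;      /* ivadmin_context_getmaxlgnfails() */
    unsigned long seconds, disable, lock_unset;  /* ivadmin_context_getdisabletimeint() */
    unsigned long length, length_unset;          /* ivadmin_context_getminpwdlen() */
} policy_snapshot;

/* Thresholds are assumptions chosen for this example, not product defaults. */
typedef struct {
    unsigned long max_failures;   /* highest acceptable failure limit */
    unsigned long min_lock_secs;  /* shortest acceptable timed lockout */
    unsigned long min_length;     /* shortest acceptable password length */
} baseline;

enum finding {
    F_NO_FAILURE_LIMIT   = 1 << 0,
    F_FAILURE_LIMIT_HIGH = 1 << 1,
    F_NO_LOCKOUT         = 1 << 2,
    F_LOCKOUT_SHORT      = 1 << 3,
    F_NO_MIN_LENGTH      = 1 << 4,
    F_MIN_LENGTH_SHORT   = 1 << 5
};

static const char *const FINDING_TEXT[] = {
    "max-login-failures is unset: no failure limit is enforced",
    "max-login-failures is above the baseline",
    "disable-time-interval is unset: no lockout is enforced",
    "disable-time-interval is shorter than the baseline",
    "min-password-length is unset: no minimum is enforced",
    "min-password-length is below the baseline"
};

/* Returns a bitmask of enum finding values; 0 means the baseline is met. */
unsigned audit_policy(const policy_snapshot *p, const baseline *b)
{
    unsigned f = 0;

    /* When unset is IVADMIN_TRUE the policy is ignored, so the numeric
     * value returned alongside it must not be interpreted. */
    if (p->failures_unset == IVADMIN_TRUE)
        f |= F_NO_FAILURE_LIMIT;
    else if (p->failures > b->max_failures)
        f |= F_FAILURE_LIMIT_HIGH;

    /* Three states: unset, disabled until an administrator re-enables the
     * account (seconds is then irrelevant), or disabled for `seconds`. */
    if (p->lock_unset == IVADMIN_TRUE)
        f |= F_NO_LOCKOUT;
    else if (p->disable != IVADMIN_TRUE && p->seconds < b->min_lock_secs)
        f |= F_LOCKOUT_SHORT;

    if (p->length_unset == IVADMIN_TRUE)
        f |= F_NO_MIN_LENGTH;
    else if (p->length < b->min_length)
        f |= F_MIN_LENGTH_SHORT;

    return f;
}

/* Prints one line per finding and returns how many were printed. */
int print_findings(const char *label, unsigned f)
{
    int n = 0;
    unsigned bit;

    for (bit = 0; bit < 6; bit++) {
        if (f & (1u << bit)) {
            printf("%s: %s\n", label, FINDING_TEXT[bit]);
            n++;
        }
    }
    if (n == 0)
        printf("%s: meets baseline\n", label);
    return n;
}

/* Constructed sample data, not output from a real policy server. */
static const baseline BASELINE = { 5, 180, 8 };
static const policy_snapshot SAMPLE_WEAK   = { 10, IVADMIN_FALSE, 30, IVADMIN_FALSE, IVADMIN_FALSE, 0, IVADMIN_TRUE };
static const policy_snapshot SAMPLE_LOCKED = { 3, IVADMIN_FALSE, 0, IVADMIN_TRUE, IVADMIN_FALSE, 12, IVADMIN_FALSE };
static const policy_snapshot SAMPLE_UNSET  = { 3, IVADMIN_TRUE, 600, IVADMIN_FALSE, IVADMIN_TRUE, 6, IVADMIN_FALSE };

int main(void)
{
    print_findings("weak", audit_policy(&SAMPLE_WEAK, &BASELINE));
    print_findings("locked", audit_policy(&SAMPLE_LOCKED, &BASELINE));
    print_findings("unset", audit_policy(&SAMPLE_UNSET, &BASELINE));
    return 0;
}
```

In a real program, fill the snapshot only from getter calls that returned IVADMIN_TRUE, and treat a failed call as an audit error rather than as an unset policy.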


ivadmin_context_getpwdspaces()

Gets whether spaces are allowed in passwords for all user accounts.

Syntax

unsigned long
ivadmin_context_getpwdspaces(
    ivadmin_context ctx,
    unsigned long *allowed,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

allowed Indicates whether spaces are allowed in passwords.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets whether spaces are allowed in passwords for all user accounts.

Command line equivalent:

pdadmin policy get password-spaces

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_gettodaccess()

Gets the global time of day access policy.

Syntax

unsigned long
ivadmin_context_gettodaccess(
    ivadmin_context ctx,
    unsigned long *days,
    unsigned long *start,
    unsigned long *end,
    unsigned long *reference,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

days A bitmap of the days for the time of day access policy.

start The minutes after midnight for the start of the time range.

end The minutes after midnight for the end of the time range.

reference The time zone: Coordinated Universal Time (UTC) or local.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the global time of day access policy.

Command line equivalent:

pdadmin policy get todaccess

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_getuserreg()

Returns an indicator of which type of user registry is configured for the Access Manager policy server.

Syntax

unsigned long
ivadmin_context_getuserreg(
    ivadmin_context ctx,
    unsigned long *registry,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

registry Pointer to a registry type indicator (IVADMIN_CONTEXT_DCEUSERREG or IVADMIN_CONTEXT_LDAPUSERREG).

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns an indicator of which type of user registry is configured for this Access Manager policy server. The following indicators are defined:

#define IVADMIN_CONTEXT_DCEUSERREG 0
#define IVADMIN_CONTEXT_LDAPUSERREG 1

Command line equivalent:

pdadmin admin show configuration

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setaccexpdate()

Sets the account expiration date for all user accounts.

Syntax

unsigned long
ivadmin_context_setaccexpdate(
    ivadmin_context ctx,
    unsigned long seconds,
    unsigned long unlimited,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

seconds Date and time of the expiration of all user accounts. This is the number of seconds since 00:00:00 Universal time, 1 January 1970 (same as time_t).

unlimited Do not expire user accounts and ignore seconds parameter if set to true.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the account expiration date for all user accounts.

Command line equivalent:

pdadmin policy set account-expiry-date {unlimited | absolute_time | unset}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setdelcred()

Sets the delegated credential for the context based on the specified Privilege Attribute Certificate (PAC).

Syntax

unsigned long
ivadmin_context_setdelcred(
    ivadmin_context ctx,
    const unsigned char* pacValue,
    const unsigned long pacLength,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

pacValue The credential PAC data.

pacLength The credential PAC length.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the delegated credential for the context based on the specified PAC. Only one credential can be delegated at a time. If a delegated credential already exists for this context, it is overwritten.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setdisabletimeint()

Sets the time to disable each user account when the maximum number of login failures is exceeded.

Syntax

unsigned long
ivadmin_context_setdisabletimeint(
    ivadmin_context ctx,
    unsigned long seconds,
    unsigned long disable,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

seconds Disable the user account for the specified number of seconds when the maximum number of login failures is exceeded.

disable Disable the user account when the maximum number of login failures is exceeded. Administrator action is required to enable the account.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the time to disable each user account when the maximum number of login failures is exceeded.

Command line equivalent:

pdadmin policy set disable-time-interval {number | unset | disable}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setmaxlgnfails()

Sets the maximum number of login failures allowed for each user account.

Syntax

unsigned long
ivadmin_context_setmaxlgnfails(
    ivadmin_context ctx,
    unsigned long failures,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

failures Maximum number of login failures allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the maximum number of login failures allowed for each user account.

Command line equivalent:

pdadmin policy set max-login-failures number | unset

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setmaxpwdage()

Sets the maximum password age for all user accounts.

Syntax

unsigned long
ivadmin_context_setmaxpwdage(
    ivadmin_context ctx,
    unsigned long seconds,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

seconds Maximum lifetime, in seconds, before expiration of a password.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the maximum password age for all user accounts.

Command line equivalent:

pdadmin policy set max-password-age {unset | relative_time}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setmaxpwdrepchars()

Sets the maximum number of repeated characters allowed in a password for each user account.

Syntax

unsigned long
ivadmin_context_setmaxpwdrepchars(
    ivadmin_context ctx,
    unsigned long chars,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

chars Maximum number of repeated characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the maximum number of repeated characters allowed in a password for each user account.

Command line equivalent:

pdadmin policy set max-password-repeated-chars number | unset

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setminpwdalphas()

Sets the minimum number of alphabetic characters allowed in a password for each user account.

Syntax

unsigned long
ivadmin_context_setminpwdalphas(
    ivadmin_context ctx,
    unsigned long chars,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

chars Minimum number of alphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the minimum number of alphabetic characters allowed in a password for each user account.

Command line equivalent:

pdadmin policy set min-password-alphas {unset | number}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setminpwdnonalphas()

Sets the minimum number of nonalphabetic characters allowed in a password for each user account.

Syntax

unsigned long
ivadmin_context_setminpwdnonalphas(
    ivadmin_context ctx,
    unsigned long chars,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

chars Minimum number of nonalphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the minimum number of nonalphabetic characters allowed in a password for each user account.

Command line equivalent:

pdadmin policy set min-password-non-alphas {unset | number}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setminpwdlen()

Sets the minimum password length for each user account.

Syntax

unsigned long
ivadmin_context_setminpwdlen(
    ivadmin_context ctx,
    unsigned long length,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

length Minimum allowed password length to be set.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the minimum password length for each user account.

Command line equivalent:

pdadmin policy set min-password-length {unset | number}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_setpwdspaces()

Sets whether spaces are allowed in passwords for all user accounts.

Syntax

unsigned long
ivadmin_context_setpwdspaces(
    ivadmin_context ctx,
    unsigned long allowed,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

allowed Indicates whether spaces are allowed in passwords.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets whether spaces are allowed in passwords for all user accounts.

Command line equivalent:

pdadmin policy set password-spaces {yes | no | unset}

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_context_settodaccess()

Sets the global time of day access policy.

Syntax

unsigned long
ivadmin_context_settodaccess(
    ivadmin_context ctx,
    unsigned long days,
    unsigned long start,
    unsigned long end,
    unsigned long reference,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

days A bitmap of the days for the time of day policy.

start The minutes after midnight for the start of the time range.

end The minutes after midnight for the end of the time range.

reference The time zone: Coordinated Universal Time (UTC) or local.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the global time of day access policy.

Command line equivalent:

pdadmin policy set todaccess todaccess_string

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_free()

Frees the memory that has been allocated to the specified object.

Syntax

void
ivadmin_free(
    void *p
);

Parameters

Input

p Pointer to the object to be freed.

Description

Frees the memory that has been allocated to the specified object.

Use this function to free all memory that has been allocated by the administration API functions.

There is no command line equivalent for this function.


ivadmin_group_addmembers()

Adds the specified users to the specified group.

Syntax

unsigned long
ivadmin_group_addmembers(
    ivadmin_context ctx,
    const char *groupid,
    unsigned long user_count,
    const char **users,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

user_count The number of users to be added to the group.

users New member user names.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Adds the specified users to the specified group. Access Manager does not support a group as a group member.

Command line equivalents:

pdadmin group modify group_name add user_name

pdadmin group modify group_name add (user_name1 user_name2 ... )

User registry difference: Attempting to add a duplicate user to a group is handled differently depending on what user registry is being used. See Table 35 on page 288 for details.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_group_create2()

Creates a group.

Syntax

unsigned long
ivadmin_group_create2(
    ivadmin_context ctx,
    const char *groupid,
    const char *dn,
    const char *cn,
    const char *group_container,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

dn User registry distinguished name.

cn User registry common name attribute.

group_container Container object within the management object space. Can be NULL to indicate that it is at the root level.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a new Access Manager group by creating a new group in the user registry with the specified name, distinguished name, and common name.

User registry difference: Leading and trailing blanks in a group name do not make the name unique when using an LDAP or Active Directory user registry. However, leading and trailing blanks do make the group name unique when using a Domino server as a user registry. To keep name processing consistent regardless of what user registry is being used, do not define group names with leading or trailing blanks.

Command line equivalent:

pdadmin group create group_name dn cn

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.


IVADMIN_FALSE Defined as 0. The function encountered an error.
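A pre-flight check for the two user registry differences noted under ivadmin_group_addmembers() and ivadmin_group_create2(), given as an added example that is not part of the original reference or of the Access Manager library. The helper names, the treatment of tab as a blank, the byte-for-byte name comparison and the sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 when the group name is non-empty and has no
 * leading or trailing blank (space or tab, an assumption), so that every
 * registry type treats it the same way; returns 0 otherwise. */
int group_name_is_portable(const char *name)
{
    size_t n;

    if (name == NULL || (n = strlen(name)) == 0)
        return 0;
    return !(name[0] == ' ' || name[0] == '\t' ||
             name[n - 1] == ' ' || name[n - 1] == '\t');
}

/* Hypothetical helper: compacts users[] in place so that each name appears
 * once, keeping the first occurrence and the original order, and dropping
 * NULL or empty entries. Returns the count to pass as user_count.
 * Names are compared byte for byte (assumption); a registry that ignores
 * case may still treat "Alice" and "alice" as the same user. */
unsigned long dedupe_users(const char **users, unsigned long count)
{
    unsigned long kept = 0, i, j;

    for (i = 0; i < count; i++) {
        int seen = 0;

        if (users[i] == NULL || users[i][0] == '\0')
            continue;
        for (j = 0; j < kept; j++) {
            if (strcmp(users[j], users[i]) == 0) {
                seen = 1;
                break;
            }
        }
        if (!seen)
            users[kept++] = users[i];
    }
    return kept;
}

/* Constructed sample input. */
static const char *SAMPLE_USERS[] = { "alice", "bob", "alice", "", "carol", "bob" };

int main(void)
{
    unsigned long i, n = dedupe_users(SAMPLE_USERS, 6);

    printf("\"sales\" portable: %d\n", group_name_is_portable("sales"));
    printf("\" sales\" portable: %d\n", group_name_is_portable(" sales"));
    for (i = 0; i < n; i++)
        printf("member %lu: %s\n", i, SAMPLE_USERS[i]);
    /* SAMPLE_USERS and n can now be passed as users and user_count. */
    return 0;
}
```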


ivadmin_group_delete2()

Deletes the specified group.

Syntax

unsigned long
ivadmin_group_delete2(
    ivadmin_context ctx,
    const char *groupid,
    unsigned long registry,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

registry Indicates whether to delete the group from the user registry as well as from Access Manager.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified group. Deletes all Access Manager information about the group and optionally deletes the user registry contents.

Command line equivalent:

pdadmin group delete [-registry] group_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_get()

Gets the specified group object.

Syntax

unsigned long ivadmin_group_get(
    ivadmin_context ctx,
    const char *groupid,
    ivadmin_ldapgroup *group,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

Output

group Returned group. Free the memory for this ivadmin_ldapgroup object when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the group object for the specified group name. Free the memory for this ivadmin_ldapgroup object when it is no longer needed.

Command line equivalent:

    pdadmin group show group-name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_getbydn()

Returns a group user using the user registry distinguished name for identification.

Syntax

unsigned long ivadmin_group_getbydn(
    ivadmin_context ctx,
    const char *dn,
    ivadmin_ldapgroup *group,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

dn User registry distinguished name of group.

Output

group Returned group. Free this memory when no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns a group user using the user registry DN for identification. Free the memory for this ivadmin_ldapgroup object when it is no longer needed.

Command line equivalent:

    pdadmin group show-dn dn

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_getcn()

Returns the user registry common name attribute for the specified group.

Syntax

const char *ivadmin_group_getcn(
    ivadmin_ldapgroup group
);

Parameters

Input

group Pointer to the group structure.

Description

Returns the user registry common name attribute from the specified group object.

Do not free this memory. This data is maintained in the ivadmin_ldapgroup structure.

Command line equivalent:

    pdadmin group show group-name

The user registry common name is part of the information returned by the pdadmin group show command.

Return Values

Returns the user registry common name attribute for the specified group.

ivadmin_group_getdescription()

Returns the user registry description for the specified group.

Syntax

const char *ivadmin_group_getdescription(
    ivadmin_ldapgroup group
);

Parameters

Input

group Pointer to the group structure.

Description

Returns the user registry description for the specified group.

Do not free this memory. This data is maintained in the ivadmin_ldapgroup structure.

Command line equivalent:

    pdadmin group show group-name

The description is part of the information returned by the pdadmin group show command.

Return Values

Returns the user registry description for the specified group.

ivadmin_group_getdn()

Returns the user registry distinguished name for the specified group.

Syntax

const char *ivadmin_group_getdn(
    ivadmin_ldapgroup group
);

Parameters

Input

group Pointer to the group structure.

Description

Returns the user registry distinguished name for the specified group.

Do not free this memory. This data is maintained in the ivadmin_ldapgroup structure.

Command line equivalent:

    pdadmin group show group-name

The user registry distinguished name is part of the information returned by the pdadmin group show command.

Return Values

Returns the user registry distinguished name for the specified group.

ivadmin_group_getid()

Returns the group name from the specified group object.

Syntax

const char *ivadmin_group_getid(
    ivadmin_ldapgroup group
);

Parameters

Input

group Pointer to the group structure.

Description

Returns the group name from the specified group object.

Do not free this memory. This data is maintained in the ivadmin_ldapgroup structure.

Command line equivalent:

    pdadmin group show group-name

The group name is part of the information returned by the pdadmin group show command.

Return Values

Returns the group name from the specified group object.

ivadmin_group_getmembers()

Lists the user names of the members of the specified group.

Syntax

unsigned long ivadmin_group_getmembers(
    ivadmin_context ctx,
    const char *groupid,
    unsigned long *count,
    char ***userids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

Output

count Number of user names returned.

userids Array of pointers to user names. Free each user name character pointer and the array of pointers when they are no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists the user names of the members of the specified group.

Free each user name character pointer and the array of pointers when they are no longer needed.

Command line equivalent:

    pdadmin group show-members group_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_import2()

Creates an Access Manager group by importing a group that already exists in the user registry.

Syntax

unsigned long ivadmin_group_import2(
    ivadmin_context ctx,
    const char *groupid,
    const char *dn,
    const char *group_container,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

dn User registry distinguished name.

group_container Container object within the management object space. Can be NULL to indicate that it is at the root level.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates an Access Manager group by importing a group that already exists in the user registry.

Command line equivalent:

    pdadmin group import group_name dn

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_list()

Lists the Access Manager groups.

Syntax

unsigned long ivadmin_group_list(
    ivadmin_context ctx,
    const char *pattern,
    unsigned long maxreturn,
    unsigned long *count,
    char ***groupids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

pattern Pattern match for group names. IVADMIN_ALLPATTERN indicates all groups.

maxreturn Maximum number to return. IVADMIN_MAXRETURN indicates unlimited. This number can also be limited by the user registry server so the maximum returned is really the minimum of the server configuration and this value.

Output

count Number of group names returned.

groupids Array of pointers to group names. Free each group name character pointer and the array of pointers when they are no longer needed. The order returned is the order created.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists the Access Manager groups. Returns the list of group names whose name matches the pattern specified.

The order returned is the order created.

Free each group name character pointer and the array of pointers when they are no longer needed.

Command line equivalent:

    pdadmin group list pattern max_return

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
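
The ownership rule above (free each group name pointer, then the array of pointers) is easiest to keep when one helper performs the release and every exit path calls it. The following C example is added here and is not code from this reference. Assumptions: demo_group_list() is a hypothetical stub with the same count / char *** output shape as ivadmin_group_list() (ctx and rsp omitted, pattern treated as a plain prefix, 0 meaning no limit), the group names are constructed sample data, and malloc()/free() stand in for the API's own allocation and release routines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins so the example builds without the Access Manager headers. */
#define DEMO_TRUE  1UL  /* same value the reference gives for IVADMIN_TRUE */
#define DEMO_FALSE 0UL  /* same value the reference gives for IVADMIN_FALSE */

/* Constructed sample data, in creation order. */
static const char *const demo_groups[] = { "admins", "auditors", "webseal-ops" };
#define DEMO_TOTAL (sizeof demo_groups / sizeof demo_groups[0])

/* Free every element, then the array, and reset the caller's variables so
 * a repeated call is a no-op rather than a double free. */
void release_name_list(unsigned long *count, char ***list)
{
    unsigned long i;

    if (count == NULL || list == NULL)
        return;
    if (*list != NULL) {
        for (i = 0; i < *count; i++)
            free((*list)[i]);
        free(*list);
    }
    *list = NULL;
    *count = 0;
}

/* Hypothetical stub shaped like ivadmin_group_list() (ctx and rsp omitted).
 * pattern is a plain prefix here; maxreturn 0 means "no limit" in this stub. */
unsigned long demo_group_list(const char *pattern, unsigned long maxreturn,
                              unsigned long *count, char ***groupids)
{
    size_t i, plen, len;
    char **out;

    if (pattern == NULL || count == NULL || groupids == NULL)
        return DEMO_FALSE;
    *count = 0;
    *groupids = NULL;
    out = calloc(DEMO_TOTAL, sizeof *out);
    if (out == NULL)
        return DEMO_FALSE;
    *groupids = out;
    plen = strlen(pattern);
    for (i = 0; i < DEMO_TOTAL; i++) {
        if (maxreturn != 0 && *count >= maxreturn)
            break;
        if (strncmp(demo_groups[i], pattern, plen) != 0)
            continue;
        len = strlen(demo_groups[i]) + 1;
        out[*count] = malloc(len);
        if (out[*count] == NULL) {          /* undo the partial result */
            release_name_list(count, groupids);
            return DEMO_FALSE;
        }
        memcpy(out[*count], demo_groups[i], len);
        (*count)++;
    }
    return DEMO_TRUE;
}

/* Copy the first matching name into the caller's buffer.
 * Returns 0 on success, -1 if the list call failed, -2 if nothing matched,
 * -3 if the buffer is missing or too small. The list is released on every path. */
int copy_first_group(const char *pattern, char *dst, size_t dstlen)
{
    unsigned long count = 0;    /* initialise outputs before the call */
    char **names = NULL;
    size_t len;
    int rc = 0;

    if (dst == NULL || dstlen == 0)
        return -3;
    dst[0] = '\0';
    if (demo_group_list(pattern, 0, &count, &names) != DEMO_TRUE) {
        rc = -1;                /* do not read the outputs after a failure */
    } else if (count == 0) {
        rc = -2;
    } else {
        len = strlen(names[0]) + 1;
        if (len > dstlen)
            rc = -3;
        else
            memcpy(dst, names[0], len);  /* copy: names[] dies with the list */
    }
    release_name_list(&count, &names);
    return rc;
}

int main(void)
{
    char buf[32];
    int rc = copy_first_group("a", buf, sizeof buf);

    printf("rc=%d first=%s\n", rc, buf);
    return 0;
}
```

The same release helper fits the other char *** outputs in this chapter that the reference says to free element by element and then as an array, such as the userids list from ivadmin_group_getmembers().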

ivadmin_group_listbydn()

Returns the list of user registry distinguished names whose user registry common name attribute matches the pattern specified.

Syntax

unsigned long ivadmin_group_listbydn(
    ivadmin_context ctx,
    const char *pattern,
    unsigned long maxreturn,
    unsigned long *count,
    char ***dns,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

pattern Pattern match for common name attribute. IVADMIN_ALLPATTERN indicates all users.

maxreturn Maximum number to return. IVADMIN_MAXRETURN indicates unlimited. This number can also be limited by the user registry server so that the maximum returned is really the minimum of the server configuration and this value.

Output

count Number of user registry group distinguished names returned.

dns Array of pointers to user registry distinguished names. Free each distinguished name character pointer and the array of pointers when they are no longer needed. The order returned is the order created.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the list of user registry distinguished names whose user registry common name attributes match the pattern specified.

Free each distinguished name character pointer and the array of pointers when they are no longer needed.

Command line equivalent:

    pdadmin group list-dn pattern max_return

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_removemembers()

Removes the specified users from the specified group.

Syntax

unsigned long ivadmin_group_removemembers(
    ivadmin_context ctx,
    const char *groupid,
    unsigned long user_count,
    const char **users,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

user_count Number of user names to remove.

users Member user names to remove.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Removes the specified users from the specified group.

Command line equivalents:

    pdadmin group modify group_name remove user_name

    pdadmin group modify group_name remove ( user_name1 user_name2 ... )

User registry difference: Attempting to remove a user from a group who is not a member of the group is handled differently depending on what user registry is being used. See Table 36 on page 288 for details.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_group_setdescription()

Changes the description for the specified group.

Syntax

unsigned long ivadmin_group_setdescription(
    ivadmin_context ctx,
    const char *groupid,
    const char *description,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

groupid Group name.

description New description.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Changes the description for the specified group.

Command line equivalent:

    pdadmin group modify group_name description description

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_objectspace_create()

Creates an Access Manager protected object space.

Syntax

unsigned long ivadmin_objectspace_create(
    ivadmin_context ctx,
    const char *objspaceid,
    unsigned long type,
    const char *description,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objspaceid The name of the object space to create.

type The type of object space to create.

description A description for the object space.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates an Access Manager protected object space.

You must specify as the input parameter type, the object space type for each new object space. The object space type is used by the Access Manager Web portal manager to display an appropriate icon with the object.

Note: The root of the new protected object space automatically has the ispolicyattachable attribute set to true. For more information, see “ivadmin_protobj_setpolicyattachable()” on page 202.

The supported object types are in Table 30.

Table 30. Supported object types

Variable Name                         Value  Description
IVADMIN_PROTOBJ_TYPE_UNKNOWN          0      Unknown
IVADMIN_PROTOBJ_TYPE_DOMAIN           1      Secure domain
IVADMIN_PROTOBJ_TYPE_FILE             2      File
IVADMIN_PROTOBJ_TYPE_PROGRAM          3      Executable program
IVADMIN_PROTOBJ_TYPE_DIR              4      Directory
IVADMIN_PROTOBJ_TYPE_JNCT             5      Junction
IVADMIN_PROTOBJ_TYPE_WEBSEAL_SVR      6      WebSEAL server
IVADMIN_PROTOBJ_TYPE_NETSEAL_SVR      7      Unused
IVADMIN_PROTOBJ_TYPE_EXTERN_AUTH_SVR  8      Unused
IVADMIN_PROTOBJ_TYPE_HTTP_SVR         9      Unused
IVADMIN_PROTOBJ_TYPE_NON_EXIST_OBJ    10     Nonexistent object
IVADMIN_PROTOBJ_TYPE_CONTAINER        11     Container object
IVADMIN_PROTOBJ_TYPE_LEAF             12     Leaf object
IVADMIN_PROTOBJ_TYPE_PORT             13     Port
IVADMIN_PROTOBJ_TYPE_APP_CONTAINER    14     Application container object
IVADMIN_PROTOBJ_TYPE_APP_LEAF         15     Application leaf object
IVADMIN_PROTOBJ_TYPE_MGMT_OBJ         16     Management object
IVADMIN_PROTOBJ_TYPE_NETSEAL_NET      17     Unused

Command line equivalent:

    pdadmin objectspace create objectspace_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_objectspace_delete()

Deletes the specified Access Manager protected object space.

Syntax

unsigned long ivadmin_objectspace_delete(
    ivadmin_context ctx,
    const char *objspaceid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objspaceid The name of the object space to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified Access Manager protected object space.

Command line equivalent:

    pdadmin objectspace delete objectspace_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_objectspace_list()

Lists all the Access Manager protected object spaces.

Syntax

unsigned long ivadmin_objectspace_list(
    ivadmin_context ctx,
    unsigned long *count,
    char ***objspace_list,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

count The number of Access Manager object spaces.

objspace_list A list of the Access Manager object spaces. Free this list when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists all the Access Manager protected object spaces.

Free this list when it is no longer needed.

Command line equivalent:

    pdadmin objectspace list

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_attach()

Attaches a protected object policy (POP) to the specified protected object.

Syntax

unsigned long ivadmin_pop_attach(
    ivadmin_context ctx,
    char *popid,
    char *objid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy to attach.

objid The name of the protected object.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Attaches a protected object policy to the specified protected object. Be sure that the protected object exists in the protected object space before attempting to attach a POP.

Command line equivalent:

    pdadmin attach object_name pop_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_attrdelkey()

Deletes the specified extended attribute from the specified protected object policy (POP).

Syntax

unsigned long ivadmin_pop_attrdelkey(
    ivadmin_context ctx,
    char *popid,
    char *attr_key,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

attr_key The extended attribute to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified extended attribute from the specified protected object policy.

Command line equivalent:

    pdadmin pop modify pop_name delete attribute attribute_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_attrdelval()

Deletes the specified value from the specified extended attribute key in the specified protected object policy (POP).

Syntax

unsigned long ivadmin_pop_attrdelval(
    ivadmin_context ctx,
    char *popid,
    char *attr_key,
    char *attr_value,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

attr_key The extended attribute containing the value that is to be deleted.

attr_value The value to delete from the extended attribute.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified value from the specified extended attribute key in the specified protected object policy.

Command line equivalent:

    pdadmin pop modify pop_name delete attribute attribute_name attribute_value

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_attrget()

Gets the values for the specified extended attribute from the specified protected object policy.

Syntax

unsigned long ivadmin_pop_attrget(
    ivadmin_pop pop,
    char *attr_key,
    unsigned long *count,
    char ***attr_value
);

Parameters

Input

pop The protected object policy to be accessed.

attr_key The extended attribute to get.

Output

count The number of values returned.

attr_value The list of values returned. Free this list when it is no longer needed.

Description

Gets the values for the specified extended attribute from the specified protected object policy. Free this list when it is no longer needed.

Command line equivalent:

    pdadmin pop show pop_name attribute

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_attrlist()

Lists the extended attributes associated with the specified protected object policy.

Syntax

unsigned long ivadmin_pop_attrlist(
    ivadmin_pop pop,
    unsigned long *count,
    char ***attr_list
);

Parameters

Input

pop The protected object policy.

Output

count The number of extended attributes.

attr_list The list of extended attributes. Free this list when it is no longer needed.

Description

Lists the extended attributes associated with the specified protected object policy.

Free the elements in this list and the list itself when it is no longer needed.

Command line equivalent:

    pdadmin pop list pop_name attribute

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_attrput()

Sets the value for the specified extended attribute in the specified protected object policy.

Syntax

unsigned long ivadmin_pop_attrput(
    ivadmin_context ctx,
    char *popid,
    char *attr_key,
    char *attr_value,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

attr_key The extended attribute for which a value must be set.

attr_value The value to set.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the value for the specified extended attribute in the specified protected object policy.

Command line equivalent:

    pdadmin modify pop_name set attribute attribute_name attribute_value

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_create()

Creates a protected object policy object.

Syntax

unsigned long ivadmin_pop_create(
    ivadmin_context ctx,
    const char *popid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy to create.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a protected object policy object with the default values seen in Table 31.

Table 31. Protected object policy default values

Attribute Name                            Default Value
Description                               none
Warning mode                              no
Audit level                               none
Quality of protection                     none
Time of day access                        sun, mon, tue, wed, thu, fri, sat:anytime:local
IP endpoint authentication method policy  0
Any other network                         0

For more information about creating POPs, see the section about creating and deleting protected object policies in the IBM Tivoli Access Manager Base Administrator’s Guide.

Command line equivalent:

    pdadmin pop create pop_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_delete()

Deletes the specified protected object policy.

Syntax

unsigned long ivadmin_pop_delete(
    ivadmin_context ctx,
    const char *popid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified protected object policy.

Command line equivalent:

    pdadmin pop delete pop_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_detach()

Detaches a protected object policy (POP) from the specified protected object.

Syntax

unsigned long ivadmin_pop_detach(
    ivadmin_context ctx,
    char *objid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The protected object to detach from.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Detaches a protected object policy from the specified protected object.

Command line equivalent:

    pdadmin pop detach pop_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.

ivadmin_pop_find()

Finds and lists all protected objects that have the specified protected object policy attached.

Syntax

unsigned long ivadmin_pop_find(
    ivadmin_context ctx,
    char *popid,
    unsigned long *count,
    char ***obj_list,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy to find.

Output

count Number of protected objects in the list.

obj_list The returned list of protected objects.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Finds and lists all protected objects that have the specified protected object policy attached.

You must free each element in the returned list and the list itself when it is no longer needed.

Command line equivalent:

    pdadmin pop find pop_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_get()

Gets the specified protected object policy object.

Syntax

unsigned long
ivadmin_pop_get(
    ivadmin_context ctx,
    char *popid,
    ivadmin_pop *pop,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy to get.

Output

pop The protected object policy that is returned.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the specified protected object policy object. Call this function to get an object of type ivadmin_pop.

You must free the ivadmin_pop object when it is no longer needed.

Command line equivalent:
pdadmin pop show pop_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_getauditlevel()

Gets the audit level for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_getauditlevel(
    ivadmin_pop pop
);

Parameters

Input

pop The protected object policy.

Description

Gets the audit level for the specified protected object policy.

Command line equivalent:
pdadmin show pop_name

The audit level is part of the information returned by the pdadmin command.

Return Values

Audit level is specified as an unsigned long. The following audit levels are defined:

#define IVADMIN_AUDIT_NONE (0)
#define IVADMIN_AUDIT_PERMIT (1)
#define IVADMIN_AUDIT_DENY (2)
#define IVADMIN_AUDIT_ERROR (4)
#define IVADMIN_AUDIT_ADMIN (8)
#define IVADMIN_AUDIT_ALL (15)

Descriptions for the audit levels can be found in Table 32.

Table 32. Descriptions of audit levels

Audit Value   Description
none          Auditing is disabled.
permit        Audit all requests on a protected object that result in successful access.
deny          Audit all requests on a protected object that result in denial of access.
error         Audit all internally generated error messages when access to the protected object is denied.
admin         Not implemented.
all           Audit success, error, and failure for all events.
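Added example (not part of the IBM reference or its sample code): one way to decode and review a value returned by ivadmin_pop_getauditlevel() against Table 32. The IVADMIN_AUDIT_* values are copied from this page; the function names, the FINDING_* flags and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Audit level values as listed on this page (normally from the product header). */
#define IVADMIN_AUDIT_NONE   (0)
#define IVADMIN_AUDIT_PERMIT (1)
#define IVADMIN_AUDIT_DENY   (2)
#define IVADMIN_AUDIT_ERROR  (4)
#define IVADMIN_AUDIT_ADMIN  (8)
#define IVADMIN_AUDIT_ALL    (15)

/* Hypothetical review findings, combined as a bitmask. */
#define FINDING_UNKNOWN_BITS     1u  /* bits outside IVADMIN_AUDIT_ALL are set */
#define FINDING_AUDIT_DISABLED   2u  /* level is IVADMIN_AUDIT_NONE */
#define FINDING_MISSING_REQUIRED 4u  /* a level the reviewer requires is not set */
#define FINDING_ADMIN_ONLY       8u  /* only "admin" is set; Table 32: not implemented */

static const struct { unsigned long bit; const char *name; } audit_bits[] = {
    { IVADMIN_AUDIT_PERMIT, "permit" },
    { IVADMIN_AUDIT_DENY,   "deny"   },
    { IVADMIN_AUDIT_ERROR,  "error"  },
    { IVADMIN_AUDIT_ADMIN,  "admin"  },
};

/* Append s to buf, tracking the used length; -1 if it does not fit. */
static int append(char *buf, size_t buflen, size_t *used, const char *s)
{
    size_t n = strlen(s);
    if (*used + n + 1 > buflen)
        return -1;
    memcpy(buf + *used, s, n + 1);
    *used += n;
    return 0;
}

/* Write the Table 32 names for level into buf, e.g. "permit,deny".
 * Returns 0 on success, -1 on unknown bits or a buffer that is too small. */
int audit_level_describe(unsigned long level, char *buf, size_t buflen)
{
    size_t used = 0, i;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    if (level & ~(unsigned long)IVADMIN_AUDIT_ALL)
        return -1;
    if (level == IVADMIN_AUDIT_NONE)
        return append(buf, buflen, &used, "none");
    if (level == IVADMIN_AUDIT_ALL)
        return append(buf, buflen, &used, "all");
    for (i = 0; i < sizeof audit_bits / sizeof audit_bits[0]; i++) {
        if (!(level & audit_bits[i].bit))
            continue;
        if (used > 0 && append(buf, buflen, &used, ",") != 0)
            return -1;
        if (append(buf, buflen, &used, audit_bits[i].name) != 0)
            return -1;
    }
    return 0;
}

/* Compare level with the bits the reviewer requires (for example deny and error). */
unsigned audit_level_review(unsigned long level, unsigned long required)
{
    unsigned findings = 0;

    if (level & ~(unsigned long)IVADMIN_AUDIT_ALL)
        findings |= FINDING_UNKNOWN_BITS;
    if (level == IVADMIN_AUDIT_NONE)
        findings |= FINDING_AUDIT_DISABLED;
    if ((level & required) != required)
        findings |= FINDING_MISSING_REQUIRED;
    if (level == IVADMIN_AUDIT_ADMIN)
        findings |= FINDING_ADMIN_ONLY;
    return findings;
}

int main(void)
{
    /* Constructed sample values standing in for ivadmin_pop_getauditlevel() results. */
    const unsigned long samples[] = { 0, 1, 3, 6, 8, 15 };
    const unsigned long required = IVADMIN_AUDIT_DENY | IVADMIN_AUDIT_ERROR;
    char names[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (audit_level_describe(samples[i], names, sizeof names) != 0)
            strcpy(names, "?");
        printf("level %2lu = %-18s findings 0x%x\n",
               samples[i], names, audit_level_review(samples[i], required));
    }
    return 0;
}
```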


ivadmin_pop_getdescription()

Gets the description of the specified protected object policy.

Syntax

const char*
ivadmin_pop_getdescription(
    ivadmin_pop pop
);

Parameters

Input

pop The protected object policy.

Description

Gets the description of the specified protected object policy. You must call ivadmin_pop_get() to obtain an ivadmin_pop object before calling this function.

Do not free this description. This data is maintained in the ivadmin_pop structure.

Command line equivalent:
pdadmin show pop_name

The description is part of the information returned by the pdadmin command.

Return Values

Gets the description of the specified protected object policy.


ivadmin_pop_getid()

Gets the name of the specified protected object policy.

Syntax

const char*
ivadmin_pop_getid(
    ivadmin_pop pop
);

Parameters

Input

pop The protected object policy.

Description

Gets the name of the specified protected object policy. You must call ivadmin_pop_get() to obtain an ivadmin_pop object before calling this function.

Do not free this name. This data is maintained in the ivadmin_pop structure.

Command line equivalent:
pdadmin show pop_name

The name is part of the information returned by the pdadmin command.

Return Values

Gets the name of the specified protected object policy.


ivadmin_pop_getqop()

Gets the quality of protection level for the specified protected object policy.

Syntax

const char*
ivadmin_pop_getqop(
    ivadmin_pop pop
);

Parameters

Input

pop The protected object policy.

Description

Gets the quality of protection level for the specified protected object policy.

Do not free this string. This data is maintained in the ivadmin_pop structure.

Command line equivalent:
pdadmin show pop_name

The quality of protection level is part of the information returned by the pdadmin command.

Return Values

Gets the quality of protection level for the specified protected object policy.

The following levels are defined:
- none
- integrity
- privacy


ivadmin_pop_gettod()

Gets the time of day range for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_gettod(
    ivadmin_pop pop,
    unsigned long *days,
    unsigned long *start,
    unsigned long *end,
    unsigned long *reference
);

Parameters

Input

pop The protected object policy.

Output

days A bitmap of the days.

start The minutes for the start of the range.

end The minutes for the end of the range.

reference The time reference; either Universal Time Coordinated (UTC) or local.

Description

Gets the time of day range for the specified protected object policy.

Command line equivalent:
pdadmin show pop_name

The time of day range is part of the information returned by the pdadmin command.

The following values are defined for time of day settings:

#define IVADMIN_TIME_LOCAL (0)
#define IVADMIN_TIME_UTC (1)
#define IVADMIN_TOD_ANY (0)
#define IVADMIN_TOD_SUN (1)
#define IVADMIN_TOD_MON (2)
#define IVADMIN_TOD_TUE (4)
#define IVADMIN_TOD_WED (8)
#define IVADMIN_TOD_THU (16)
#define IVADMIN_TOD_FRI (32)
#define IVADMIN_TOD_SAT (64)
#define IVADMIN_TOD_ALL (127)
#define IVADMIN_TOD_WEEKDAY (62)
#define IVADMIN_TOD_WEEKEND (65)
#define IVADMIN_TOD_MINUTES (60)
#define IVADMIN_TOD_OCLOCK (3600)

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
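Added example (not part of the IBM reference or its sample code): evaluating the days bitmap and time reference returned by ivadmin_pop_gettod() against a timestamp, for reviewing which policies leave weekend or all-week access open. The IVADMIN_TOD_* and IVADMIN_TIME_* values are copied from this page; the function names are hypothetical. It assumes that a set bit means the day is inside the range and that IVADMIN_TOD_ANY (0) means no day restriction; the start and end values are not interpreted.

```c
#include <stdio.h>
#include <time.h>

/* Time of day values as listed on this page (normally from the product header). */
#define IVADMIN_TIME_LOCAL  (0)
#define IVADMIN_TIME_UTC    (1)
#define IVADMIN_TOD_ANY     (0)
#define IVADMIN_TOD_SUN     (1)
#define IVADMIN_TOD_SAT     (64)
#define IVADMIN_TOD_ALL     (127)
#define IVADMIN_TOD_WEEKDAY (62)
#define IVADMIN_TOD_WEEKEND (65)

/* Bitmap bit for a struct tm day index (0 = Sunday ... 6 = Saturday).
 * The page's values run SUN=1, MON=2, ... SAT=64, so the bit is 1 << tm_wday.
 * Returns 0 for an index outside 0..6. */
unsigned long tod_day_bit(int tm_wday)
{
    if (tm_wday < 0 || tm_wday > 6)
        return 0;
    return 1UL << tm_wday;
}

/* 1 if the bitmap only uses bits covered by IVADMIN_TOD_ALL, else 0. */
int tod_days_valid(unsigned long days)
{
    return (days & ~(unsigned long)IVADMIN_TOD_ALL) == 0;
}

/* Number of week days covered by the bitmap; 7 for IVADMIN_TOD_ANY (assumption),
 * -1 for an invalid bitmap. */
int tod_days_covered(unsigned long days)
{
    int wday, n = 0;

    if (!tod_days_valid(days))
        return -1;
    if (days == IVADMIN_TOD_ANY)
        return 7;
    for (wday = 0; wday <= 6; wday++)
        if (days & tod_day_bit(wday))
            n++;
    return n;
}

/* Is the day of `when` inside the bitmap, using the policy's time reference?
 * Returns 1 (inside), 0 (outside) or -1 (invalid bitmap or reference).
 * gmtime()/localtime() use a shared static buffer, so this is not thread-safe. */
int tod_day_allowed_at(unsigned long days, unsigned long reference, time_t when)
{
    struct tm *tm;

    if (!tod_days_valid(days))
        return -1;
    if (reference == IVADMIN_TIME_UTC)
        tm = gmtime(&when);
    else if (reference == IVADMIN_TIME_LOCAL)
        tm = localtime(&when);
    else
        return -1;
    if (tm == NULL)
        return -1;
    if (days == IVADMIN_TOD_ANY)
        return 1;
    return (days & tod_day_bit(tm->tm_wday)) != 0;
}

int main(void)
{
    /* Constructed sample: a weekday-only bitmap checked for 1970-01-01 (a Thursday)
     * through 1970-01-04 (a Sunday), all in UTC. */
    const unsigned long days = IVADMIN_TOD_WEEKDAY;
    int d;

    printf("bitmap %lu covers %d day(s)\n", days, tod_days_covered(days));
    for (d = 0; d < 4; d++)
        printf("epoch day %d: inside=%d\n", d,
               tod_day_allowed_at(days, IVADMIN_TIME_UTC, (time_t)d * 86400));
    return 0;
}
```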


ivadmin_pop_getwarnmode()

Gets the warning mode value from the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_getwarnmode(
    ivadmin_pop pop
);

Parameters

Input

pop The protected object policy.

Description

Gets the warning mode value from the specified protected object policy.

Command line equivalent:
pdadmin show pop_name

The warning mode value is part of the information returned by the pdadmin command.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_list()

Lists all protected object policy objects.

Syntax

unsigned long
ivadmin_pop_list(
    ivadmin_context ctx,
    unsigned long *count,
    char ***poplist,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

count The number of protected object policy objects.

poplist The list of protected object policies returned.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists all protected object policy objects.

You must free each element in the list and the list itself when it is no longer needed.

Command line equivalent:
pdadmin pop list

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_removeipauth()

Removes the IP endpoint authentication settings from the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_removeipauth(
    ivadmin_context ctx,
    char *popid,
    char *network,
    char *netmask,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

network The network address to delete.

netmask The netmask address.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Removes the IP endpoint authentication settings from the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set ipauth remove network netmask

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setanyothernw()

Sets the anyothernw, or any other network, setting for the IP authentication level from the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setanyothernw(
    ivadmin_context ctx,
    char *popid,
    unsigned long level,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

level The authentication level to associate with anyothernw.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the anyothernw, or any other network, setting for the authentication level from the specified protected object policy (POP). If controlling access by IP address is not important, use the anyothernw setting to set the authentication level for all IP addresses and IP address ranges not listed explicitly in the POP.

Command line equivalent:
pdadmin pop modify pop_name set ipauth anyothernw authentication_level

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setanyothernw_forbidden()

Sets the anyothernw, or any other network, access setting to forbidden for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setanyothernw_forbidden(
    ivadmin_context ctx,
    char *popid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the anyothernw, or any other network, access setting to forbidden for the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set ipauth anyothernw forbidden

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setauditlevel()

Sets the audit level for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setauditlevel(
    ivadmin_context ctx,
    char *popid,
    unsigned long audit_level,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

audit_level The new audit level for the protected object policy.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the audit level for the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set audit-level [all | none | audit_level_list]

Audit level is specified as an unsigned long. The following audit levels are defined:

#define IVADMIN_AUDIT_NONE (0)
#define IVADMIN_AUDIT_PERMIT (1)
#define IVADMIN_AUDIT_DENY (2)
#define IVADMIN_AUDIT_ERROR (4)
#define IVADMIN_AUDIT_ADMIN (8)
#define IVADMIN_AUDIT_ALL (15)

Table 32 on page 161 lists audit levels and their descriptions.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setdescription()

Sets the description of the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setdescription(
    ivadmin_context ctx,
    char *popid,
    char *desc,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

desc The new description for the protected object policy.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the description of the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set description description

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setipauth()

Sets the IP endpoint authentication setting in the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setipauth(
    ivadmin_context ctx,
    char *popid,
    unsigned long network,
    unsigned long netmask,
    unsigned long authMethod,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

network The network address.

netmask The netmask address.

authMethod The authentication level to associate with the network.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the IP endpoint authentication settings in the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set ipauth add network netmask \
    authentication_level

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setipauth_forbidden()

Sets the IP endpoint authentication setting to forbidden in the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setipauth_forbidden(
    ivadmin_context ctx,
    char *popid,
    unsigned long network,
    unsigned long netmask,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

network The network address.

netmask The netmask address.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the ipauth setting for the authentication level to forbidden in the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set ipauth add network netmask forbidden

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setqop()

Sets the quality of protection level for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setqop(
    ivadmin_context ctx,
    char *popid,
    char *qop_level,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid Name of the protected object policy.

qop_level The new quality of protection level to set. The following string values are supported:
- none
- integrity
- privacy

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the quality of protection level for the specified protected object policy. The following string values are supported:
- none
- integrity
- privacy

Command line equivalent:
pdadmin pop modify pop_name set qop [none|integrity|privacy]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_settod()

Sets the time of day range for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_settod(
    ivadmin_context ctx,
    char *popid,
    unsigned long days,
    unsigned long start,
    unsigned long end,
    unsigned long reference,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

days A bitmap of the days.

start The minutes for the start of the range.

end The minutes for the end of the range.

reference The time zone: Universal Time Coordinated (UTC) or local.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the time of day range for the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set tod-access time_of_day_string

The following values are defined for time of day settings:

#define IVADMIN_TIME_LOCAL (0)
#define IVADMIN_TIME_UTC (1)
#define IVADMIN_TOD_ANY (0)
#define IVADMIN_TOD_SUN (1)
#define IVADMIN_TOD_MON (2)
#define IVADMIN_TOD_TUE (4)
#define IVADMIN_TOD_WED (8)
#define IVADMIN_TOD_THU (16)
#define IVADMIN_TOD_FRI (32)
#define IVADMIN_TOD_SAT (64)
#define IVADMIN_TOD_ALL (127)
#define IVADMIN_TOD_WEEKDAY (62)
#define IVADMIN_TOD_WEEKEND (65)
#define IVADMIN_TOD_MINUTES (60)
#define IVADMIN_TOD_OCLOCK (3600)

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_pop_setwarnmode()

Sets the warning mode for the specified protected object policy.

Syntax

unsigned long
ivadmin_pop_setwarnmode(
    ivadmin_context ctx,
    char *popid,
    unsigned long warn_mode,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object policy.

warn_mode The new value of the warning mode. The following values are supported: IVADMIN_TRUE (1) or IVADMIN_FALSE (0).

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the warning mode for the specified protected object policy.

Command line equivalent:
pdadmin pop modify pop_name set warning [on | off].

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_attachacl()

Attaches the specified access control list (ACL) to the specified protected object.

Syntax

unsigned long
ivadmin_protobj_attachacl(
    ivadmin_context ctx,
    const char *objid,
    const char *aclid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object.

aclid The name of the access control list.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Attaches the specified access control list to the specified protected object. If the specified protected object already has an ACL attached, this function replaces that ACL with the new one. Understand Access Manager ACLs before using this function. For more information about ACLs, see the chapter about using access control policies in the IBM Tivoli Access Manager Base Administrator’s Guide.

Command line equivalent:
pdadmin acl attach object_name ACL_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_attrdelkey()

Deletes the specified extended attribute (name and value) from the specified protected object.

Syntax

unsigned long
ivadmin_protobj_attrdelkey(
    ivadmin_context ctx,
    const char *objid,
    const char *attr_name,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object.

attr_name The name of the extended attribute to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified extended attribute (name and value) from the specified protected object.

Command line equivalent:
pdadmin object modify object_name delete attribute_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_attrdelval()

Deletes the specified value from the specified extended attribute key in the specified protected object.

Syntax

unsigned long
ivadmin_protobj_attrdelval(
    ivadmin_context ctx,
    char *popid,
    char *attr_key,
    char *attr_value,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

popid The name of the protected object.

attr_key The name of the extended attribute.

attr_value The name of the value to delete from the specified extended attribute.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified value from the specified extended attribute key in the specified protected object.

Command line equivalent:
pdadmin object modify object_name delete attribute_name attribute_value

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_attrget()

Returns the value associated with the specified extended attribute for the specified protected object.

Syntax

unsigned long
ivadmin_protobj_attrget(
    ivadmin_protobj protobj,
    const char *attr_key,
    unsigned long *count,
    char ***attr_value
);

Parameters

Input

protobj Access Manager protected object structure.

attr_key The extended attribute to access.

count The number of values returned.

attr_value The list of values returned for the specified extended attribute. Free this list when it is no longer needed.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the value associated with the specified extended attribute for the specified protected object.

Free this list when it is no longer needed.

Command line equivalent:
pdadmin object show object_name attribute attribute_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_attrlist()

Lists all the extended attributes associated with the specified protected object.

Syntax

unsigned long
ivadmin_protobj_attrlist(
    ivadmin_protobj protobj,
    unsigned long *count,
    char ***attrs_list
);

Parameters

Input

protobj Access Manager protected object structure.

Output

count The number of extended attributes returned.

attrs_list The list of extended attributes returned. Free this list, and the pointer to it, when the list is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists all the extended attributes associated with the specified protected object.

Command line equivalent:
pdadmin object list object_name attribute

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_attrput()

Creates an extended attribute, with the specified name and value, and adds it to the specified protected object.

Syntax

unsigned long
ivadmin_protobj_attrput(
    ivadmin_context ctx,
    const char *objid,
    const char *attr_name,
    const char *attr_value,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object.

attr_name The name of the extended attribute.

attr_value The value for the extended attribute.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates an extended attribute, with the specified name and value, and adds it to the specified protected object.

Command line equivalent:
pdadmin object modify object_name set attribute attribute_name attribute_value

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_create()

Creates an Access Manager protected object.

Syntax

unsigned long
ivadmin_protobj_create(
    ivadmin_context ctx,
    const char *objid,
    unsigned long type,
    const char *description,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object to create. The name can be of any length and contain any character. Forward slash (/) characters are interpreted as part of the object hierarchy, which allows ACLs to be attached at the various points indicated by the forward slash character.

type The type of protected object to create.

description The description of the protected object.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

You must specify, as a parameter to ivadmin_protobj_create(), an object space type for each new object space. The object space type is used by the Access Manager Web portal manager to display an appropriate icon with the object.

Table 30 on page 146 lists the supported object types.

Command line equivalent:
    pdadmin object create object_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_delete()

Deletes the specified Access Manager protected object.

Syntax

unsigned long
ivadmin_protobj_delete(
    ivadmin_context ctx,
    const char *objid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified Access Manager protected object.

Command line equivalent:
    pdadmin object delete object_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_detachacl()

Detaches the access control list (ACL) from the specified protected object.

Syntax

unsigned long
ivadmin_protobj_detachacl(
    ivadmin_context ctx,
    const char *objid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Detaches the access control list from the specified protected object. Because only one access control list at a time can be attached to an object, the currently attached access control list is detached. Understand Access Manager ACLs before using this function. For more information about ACLs, see the chapter about using access control policies in the IBM Tivoli Access Manager Base Administrator’s Guide.

Command line equivalent:
    pdadmin acl detach object_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_get2()

Returns the specified protected object.

Syntax

unsigned long
ivadmin_protobj_get2(
    ivadmin_context ctx,
    const char *objid,
    azn_attrlist_h_t *indata,
    ivadmin_protobj *obj,
    azn_attrlist_h_t *outdata,
    unsigned long *resultcount,
    char ***results,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

objid Specifies the parent object name.

indata Specifies pass-through data that allows additional information to be communicated to the server. If a NULL is specified, it is ignored. For non-null inputs, a valid address for an azn_attrlist_h_t structure is expected. It is also assumed that the caller created this azn_attrlist_h_t structure using the azn_attrlist_create() function. When this data is no longer required, free the associated memory using the azn_attrlist_delete() function.

Output

obj Specifies the returned object.

outdata Specifies pass-through data that allows the server to communicate additional information to the caller. When the data is no longer required, free the associated memory using azn_attrlist_delete().

resultcount Specifies the number of returned result strings.

results Specifies the result strings, which are the message strings returned by the task. These are typically output to a command line interface (CLI) or log output and contain information about the success or failure of the task. Free each character pointer and the array of pointers when they are no longer needed.

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Command line equivalent:
    pdadmin object show object_name


Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_getacl()

Returns the access control list (ACL) that is attached to the specified protected object.

Syntax

ivadmin_acl
ivadmin_protobj_getacl(
    ivadmin_protobj protobj
);

Parameters

Input

protobj Pointer to protected object structure.

Description

Returns the access control list that is attached to the specified protected object.

Free this structure when it is no longer needed.

Command line equivalent:
    pdadmin object show object_name

The ACL is part of the information returned by this pdadmin object show command.

Return Values

Returns the access control list that is attached to the specified protected object.


ivadmin_protobj_getdesc()

Gets the description of the specified protected object.

Syntax

const char *
ivadmin_protobj_getdesc(
    ivadmin_protobj protobj
);

Parameters

Input

protobj The protected object structure.

Description

Gets the description of the specified protected object. You must call ivadmin_protobj_get2() before calling this function.

Do not free this string. This data is maintained in the protected object structure ivadmin_protobj.

Command line equivalent:
    pdadmin object show object_name

The description is part of the information returned by this pdadmin command.

Return Values

Gets the description of the specified protected object.


ivadmin_protobj_getid()

Gets the name of the specified protected object.

Syntax

const char *
ivadmin_protobj_getid(
    ivadmin_protobj protobj
);

Parameters

Input

protobj Pointer to the protected object structure.

Description

Gets the name of the specified protected object. You must call ivadmin_protobj_get2() before calling this function.

Do not free this string. This data is maintained in the protected object structure ivadmin_protobj.

Command line equivalent:
    pdadmin object show object_name

The protected object name is part of the information returned by this pdadmin command.

Return Values

Gets the name of the specified protected object.


ivadmin_protobj_getpolicyattachable()

Gets the isPolicyAttachable attribute of the specified protected object.

Syntax

unsigned long
ivadmin_protobj_getpolicyattachable(
    ivadmin_protobj protobj
);

Parameters

Input

protobj The protected object structure.

Description

Gets the isPolicyAttachable attribute of the specified protected object. The isPolicyAttachable attribute of a protected object indicates whether a protected object policy (POP) can be attached to that protected object. The default value of this attribute is yes.

Command line equivalent:
    pdadmin object show object_name

The protected object isPolicyAttachable attribute is part of the information returned by this pdadmin command.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. Indicates that isPolicyAttachable is true.

IVADMIN_FALSE Defined as 0. Indicates that isPolicyAttachable is false.


ivadmin_protobj_getpop()

Returns the protected object policy for the specified protected object.

Syntax

ivadmin_pop
ivadmin_protobj_getpop(
    ivadmin_protobj protobj
);

Parameters

Input

protobj The protected object structure.

Description

Returns the protected object policy for the specified protected object.

Free this structure when it is no longer needed.

Return Values

Returns the protected object policy for the specified protected object.


ivadmin_protobj_gettype()

Returns the type of the specified protected object.

Syntax

unsigned long
ivadmin_protobj_gettype(
    ivadmin_protobj protobj
);

Parameters

Input

protobj Pointer to protected object structure.

Description

Returns the type of the specified protected object.

Command line equivalent:
    pdadmin object show object_name

The protected object type is part of the information returned by this pdadmin command.

Return Values

Returns the type of the specified protected object.

Table 30 on page 146 lists types, values, and their descriptions.


ivadmin_protobj_list3()

Returns the protected objects in the specified directory, not including subdirectories.

Syntax

unsigned long
ivadmin_protobj_list3(
    ivadmin_context ctx,
    const char *objid,
    azn_attrlist_h_t *indata,
    unsigned long *objcount,
    char ***objs,
    azn_attrlist_h_t *outdata,
    unsigned long *resultcount,
    char ***results,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

objid Specifies the parent object name.

indata Specifies pass-through data that allows additional information to be communicated to the server. If a NULL is specified, it is ignored. For non-null inputs, a valid address for an azn_attrlist_h_t structure is expected. It is also assumed that the caller created this azn_attrlist_h_t structure using the azn_attrlist_create() function. When this data is no longer required, free the associated memory using the azn_attrlist_delete() function.

Output

objcount Specifies the number of returned object names.

objs Specifies the list of object names that exist directly below the specified parent object. Free each object name character pointer and the array of pointers when they are no longer needed.

outdata Specifies pass-through data that allows the server to communicate additional information to the caller. When the data is no longer required, free the associated memory using the azn_attrlist_delete() function.

resultcount Specifies the number of returned result strings.

results Specifies the result strings, which are the message strings returned by the task. These are typically output on a CLI or log output and contain information about the success or failure of the task. Free each character pointer and the array of pointers when they are no longer needed.

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.


Description

Returns the protected objects in the specified directory, not including subdirectories.

Command line equivalent:
    pdadmin object list object_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_listbyacl()

Returns a list of protected objects that have the specified access control list attached.

Syntax

unsigned long
ivadmin_protobj_listbyacl(
    ivadmin_context ctx,
    const char *aclid,
    unsigned long *count,
    char ***objids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

aclid The name of the access control list.

count Number of protected objects returned.

objids Array of pointers to protected objects. Free each protected object pointer and the array of pointers when they are no longer needed.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns a list of protected objects which have the specified access control list attached.

Free each protected object name pointer and the array of pointers when no longer needed.

Command line equivalent:
    pdadmin acl find ACL_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_setdesc()

Sets the description field of the specified protected object.

Syntax

unsigned long
ivadmin_protobj_setdesc(
    ivadmin_context ctx,
    const char *objid,
    const char *description,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object for which a new description is to be set.

description The new description for the protected object.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the description field of the specified protected object.

Command line equivalent:
    pdadmin object modify object_name description new_description

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_setname()

Sets the name of the specified protected object.

Syntax

unsigned long
ivadmin_protobj_setname(
    ivadmin_context ctx,
    const char *old_objid,
    const char *new_objid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

old_objid The old name of the protected object.

new_objid The new name of the protected object.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the name of the specified protected object.

Command line equivalent:
    pdadmin object modify object_name name new_name \
        conflict-resolution resolution-modifier

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_setpolicyattachable()

Sets the isPolicyAttachable attribute of the specified protected object.

Syntax

unsigned long
ivadmin_protobj_setpolicyattachable(
    ivadmin_context ctx,
    const char *objid,
    unsigned long flag,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object.

flag The flag containing the value of the isPolicyAttachable attribute. The possible values are IVADMIN_TRUE or 1 (yes) and IVADMIN_FALSE or 0 (no).

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the isPolicyAttachable attribute of the specified protected object. The isPolicyAttachable attribute of a protected object indicates whether a protected object policy (POP) can be attached to that protected object. The default value of this attribute is yes.

Command line equivalent:
    pdadmin object modify object_name isPolicyAttachable [yes | no]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_protobj_settype()

Sets the type field of the specified protected object.

Syntax

unsigned long
ivadmin_protobj_settype(
    ivadmin_context ctx,
    const char *objid,
    unsigned long type,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

objid The name of the protected object.

type The new type for the object.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Sets the type field of the specified protected object.

Command line equivalent:
    pdadmin object modify object_name type new_type

Table 30 on page 146 lists the supported object types.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_response_getcode()

Returns the message code.

Syntax

unsigned long
ivadmin_response_getcode(
    ivadmin_response rsp,
    unsigned long index
);

Parameters

Input

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

index Zero-based index of the message code requested.

Description

Returns the error or warning code associated with the message.

Return Values

Returns the error or warning code associated with the message.


ivadmin_response_getcount()

Returns the number of messages in the response object.

Syntax

unsigned long
ivadmin_response_getcount(
    ivadmin_response rsp
);

Parameters

Input

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the number of messages in the response object.

Return Values

Returns the number of messages in the response object.


ivadmin_response_getmessage()

Returns the message text from the specified index location in the response object.

Syntax

const char *
ivadmin_response_getmessage(
    ivadmin_response rsp,
    unsigned long index
);

Parameters

Input

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

index Zero-based index of message text requested.

Description

Returns the message text from the specified index location in the response object.

Do not free this object. This is data maintained in the response structure.

Return Values

Returns the message text from the specified index location in the response object.


ivadmin_response_getmodifier()

Returns the message modifier from the specified index location in the response object.

Syntax

unsigned long
ivadmin_response_getmodifier(
    ivadmin_response rsp,
    unsigned long index
);

Parameters

Input

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

index Zero-based index of the message modifier requested.

Description

Returns the message modifier from the specified index location in the response object. The modifier can be either an error, a warning, or information. The following values are defined:

#define IVADMIN_RESPONSE_INFO 0
#define IVADMIN_RESPONSE_WARNING 1
#define IVADMIN_RESPONSE_ERROR 2

Return Values

Returns the message modifier from the specified index location in the response object.


ivadmin_response_getok()

Returns a boolean indicator of the success of the operation.

Syntax

unsigned long
ivadmin_response_getok(
    ivadmin_response rsp
);

Parameters

Input

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns a boolean indicator of the success of the operation.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
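
The five ivadmin_response_*() accessors above are normally used together after every administration call. The following is an added example, not code from this reference: audit_response() is a hypothetical helper that walks a response object, writes one log line per message, and returns the worst modifier. The fake_msg and fake_rsp structures, the accessor bodies, the log line format and the sample codes and texts are assumptions that stand in for the SDK so the example builds on its own.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumption): a minimal fake of the opaque response object so the
 * example builds without the Access Manager SDK. With the SDK installed,
 * delete this section and include the SDK header; audit_response() below
 * uses only the five accessors documented in this chapter. */
#define IVADMIN_RESPONSE_INFO    0
#define IVADMIN_RESPONSE_WARNING 1
#define IVADMIN_RESPONSE_ERROR   2
struct fake_msg { unsigned long code, modifier; const char *text; };
struct fake_rsp { unsigned long ok, count; const struct fake_msg *msgs; };
typedef const struct fake_rsp *ivadmin_response;

unsigned long ivadmin_response_getok(ivadmin_response r) { return r->ok; }
unsigned long ivadmin_response_getcount(ivadmin_response r) { return r->count; }
unsigned long ivadmin_response_getcode(ivadmin_response r, unsigned long i)
{ return r->msgs[i].code; }
unsigned long ivadmin_response_getmodifier(ivadmin_response r, unsigned long i)
{ return r->msgs[i].modifier; }
const char *ivadmin_response_getmessage(ivadmin_response r, unsigned long i)
{ return r->msgs[i].text; }
/* End of stand-ins. */

static const char *const SEVERITY[] = { "INFO", "WARNING", "ERROR" };

/* Writes one log line per message in rsp to out and returns the worst
 * modifier seen. A failed response with no messages still yields ERROR. */
unsigned long audit_response(ivadmin_response rsp, const char *op,
                             char *out, size_t outlen)
{
    unsigned long worst = IVADMIN_RESPONSE_INFO;
    unsigned long n = ivadmin_response_getcount(rsp);
    size_t used = 0;

    if (outlen > 0)
        out[0] = '\0';

    for (unsigned long i = 0; i < n; i++) {      /* indexes are zero-based */
        unsigned long mod = ivadmin_response_getmodifier(rsp, i);
        /* The text belongs to rsp: copy it, never free it. */
        const char *msg = ivadmin_response_getmessage(rsp, i);
        char clean[200];
        size_t j = 0;

        /* Server-supplied text goes to a log: blank out control characters so
         * an embedded newline cannot forge a second log record. */
        for (; msg != NULL && msg[j] != '\0' && j < sizeof clean - 1; j++) {
            unsigned char c = (unsigned char)msg[j];
            clean[j] = (c < 0x20 || c == 0x7f) ? ' ' : (char)c;
        }
        clean[j] = '\0';

        if (mod > IVADMIN_RESPONSE_ERROR)   /* unknown modifier: fail closed */
            mod = IVADMIN_RESPONSE_ERROR;
        if (mod > worst)
            worst = mod;

        if (used < outlen) {
            int w = snprintf(out + used, outlen - used,
                             "op=%s sev=%s code=0x%08lx msg=%s\n", op,
                             SEVERITY[mod], ivadmin_response_getcode(rsp, i),
                             clean);
            if (w > 0)
                used += (size_t)w;          /* may pass outlen when truncated */
        }
    }

    if (!ivadmin_response_getok(rsp))       /* overall failure wins */
        worst = IVADMIN_RESPONSE_ERROR;
    return worst;
}

int main(void)
{
    /* Constructed sample: codes and texts are made up for the example. */
    static const struct fake_msg msgs[] = {
        { 0x1, IVADMIN_RESPONSE_WARNING, "constructed warning" },
        { 0x2, IVADMIN_RESPONSE_ERROR, "constructed error\nop=forged sev=INFO" },
    };
    static const struct fake_rsp failed = { 0, 2, msgs };
    char buf[512];

    unsigned long worst = audit_response(&failed, "object create", buf, sizeof buf);
    fputs(buf, stdout);
    return worst == IVADMIN_RESPONSE_ERROR ? 0 : 1;
}
```

The helper reads the response only; freeing the response object after logging remains the caller's job, as each function entry states.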


ivadmin_server_gettasklist()

Gets the list of tasks from the server.

Syntax

unsigned long
ivadmin_server_gettasklist(
    ivadmin_context ctx,
    const char *server,
    azn_attrlist_h_t *indata,
    unsigned long *taskcount,
    char ***tasks,
    azn_attrlist_h_t *outdata,
    unsigned long *resultcount,
    char ***results,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

server Specifies the name of the server to notify of a database update. This parameter is optional. If NULL is specified, all servers configured to receive database update notifications are notified.

indata Specifies pass-through data that allows additional information to be communicated to the server. If NULL is specified, it is ignored. For non-null inputs, a valid address for an azn_attrlist_h_t structure is expected. It is also assumed that the caller created this azn_attrlist_h_t structure using the azn_attrlist_create() function. When this data is no longer required, free the associated memory using the azn_attrlist_delete() function.

Output

taskcount Indicates the number of returned task strings.

tasks Specifies the list of tasks currently supported by this server. These are typically in the supported command line interface (CLI) syntax. Free each task character pointer and the array of pointers when no longer needed by using the ivadmin_free() function.

outdata Specifies pass-through data that allows the server to communicate additional information to the caller. When the data is no longer required, free the associated memory by using the azn_attrlist_delete() function.

resultcount Indicates the number of returned result strings.

results Specifies the result strings, which are the message strings returned by the task. These typically are output on a CLI or log output and contain information about the success or failure of the task. Free each character pointer and the array of pointers when they are no longer needed.


rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the list of tasks from the server.

Command line equivalent:
    pdadmin server listtasks server_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_server_performtask()

Sends a command to an authorization server.

Syntax

unsigned long
ivadmin_server_performtask(
    ivadmin_context ctx,
    const char *server,
    const char *task,
    azn_attrlist_h_t *indata,
    azn_attrlist_h_t *outdata,
    unsigned long *resultcount,
    char ***results,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

server Specifies the name of the server to notify of a database update. This parameter is optional. If NULL is specified, all servers configured to receive database update notifications will be notified.

task Specifies the task to perform.

indata Specifies pass-through data that allows additional information to be communicated to the server. If NULL is specified, it is ignored. For non-null inputs, a valid address for an azn_attrlist_h_t structure is expected. It is also assumed that the caller created this azn_attrlist_h_t structure using the azn_attrlist_create() function. When this data is no longer required, free the associated memory by using the azn_attrlist_delete() function.

Output

outdata Pass-through data that allows the server to communicate additional information to the caller. When the data is no longer required, free the associated memory by using the azn_attrlist_delete() function.

resultcount Indicates the number of returned result strings.

results The result strings, which are the message strings returned by the task. These are typically output on a command line interface (CLI) or log output and contain information about the success or failure of the task. Free each character pointer and the array of pointers when they are no longer needed.

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.


Description

Sends a command to the authorization server.

Command line equivalent:
    pdadmin server task server_name task_to_perform

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_server_replicate()

Notify authorization servers to receive database updates.

Syntax

unsigned long
ivadmin_server_replicate(
    ivadmin_context ctx,
    const char *server,
    ivadmin_response *rsp
);

Parameters

Input

ctx Specifies the context to use when communicating with the Access Manager policy server.

server Specifies the name of the server to notify of a database update. This parameter is optional. If NULL is specified, all servers configured to receive database update notifications are notified.

Output

rsp Specifies the response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Notify authorization servers to receive database updates. If a server name is specified, but is not configured to receive database updates, an error message is displayed. If no server name is specified, the process of notifying all configured servers is initiated, but error messages are not displayed for individual servers. The caller must have the authority to perform server administration tasks on the policy server. (The azn_operation_server_admin permission is required on the policy server object.)

Command line equivalent:
    pdadmin server replicate [server-name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. If a server is specified, this indicates the successful notification and database replication by that server. If no server is specified, this indicates that the policy server has begun to notify each authorization server. In this case, a return code of IVADMIN_TRUE is not an indication of successful notification or replication for any one of the servers.

IVADMIN_FALSE Defined as 0. If a server is specified, this indicates a failure of the notification and database replication by that server. If no server is specified, this indicates that a failure has occurred in requesting that the policy server begin notifying each authorization server.


ivadmin_ssocred_create()

Creates a single signon credential.

Syntax

unsigned long
ivadmin_ssocred_create(
    ivadmin_context ctx,
    const char *ssoid,
    unsigned long ssotype,
    const char *userid,
    const char *ssouserid,
    const char *ssopassword,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssoid Single signon resource name with which the single signon credential is associated. This resource must already exist.

ssotype Single signon resource type. The following types are defined:
- IVADMIN_SSOCRED_SSOWEB
- IVADMIN_SSOCRED_SSOGROUP

userid User ID associated with the single signon credential.

ssouserid The user name that this user uses to access the specified resource.

ssopassword The password that this user uses to access the specified resource.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a single signon credential.

Command line equivalent:

    pdadmin rsrccred create resource_name rsrcuser resource_userid rsrcpwd \
        resource_password rsrctype {web | group} user user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssocred_delete()

Deletes a single signon credential.

Syntax

unsigned long
ivadmin_ssocred_delete(
    ivadmin_context ctx,
    const char *ssoid,
    unsigned long ssotype,
    const char *userid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssoid Single signon resource name with which the single signon credential is associated.

ssotype Single signon resource type. The following types are defined:
- IVADMIN_SSOCRED_SSOWEB
- IVADMIN_SSOCRED_SSOGROUP

userid The user ID associated with the single signon credential.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes a single signon credential.

Command line equivalent:

    pdadmin rsrccred delete resource_name rsrctype {web | group} user user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssocred_get()

Returns the specified single signon credential.

Syntax

unsigned long
ivadmin_ssocred_get(
    ivadmin_context ctx,
    const char *ssoid,
    unsigned long ssotype,
    const char *userid,
    ivadmin_ssocred *ssocred,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssoid Single signon resource name with which the single signon credential is associated.

ssotype Single signon resource type. The following types are defined:
- IVADMIN_SSOCRED_SSOWEB
- IVADMIN_SSOCRED_SSOGROUP

userid The user name associated with the single signon credential.

Output

ssocred Returned single signon credential. Free this credential when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the specified single signon credential.

Specify the single signon credential type when using this function. The following single signon credential types are defined:

#define IVADMIN_SSOCRED_SSOWEB 0
#define IVADMIN_SSOCRED_SSOGROUP 1

Command line equivalent:

    pdadmin rsrccred show resource_name rsrctype {web | group} user user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssocred_getid()

Returns the name of the single signon resource associated with this credential.

Syntax

const char *
ivadmin_ssocred_getid(
    ivadmin_ssocred ssocred
);

Parameters

Input

ssocred Pointer to the single signon credential.

Description

Returns the name of the single signon resource associated with this credential. You must call ivadmin_ssocred_get() to obtain an ivadmin_ssocred object before calling this function.

Do not free this string. This data is maintained in the single signon credential structure (ivadmin_ssocred).

Command line equivalent:

    pdadmin rsrccred show resource_name rsrctype {web | group} user user_name

The credential identifier is part of the information returned by the pdadmin command.

Return Values

Returns the name of the single signon resource associated with this credential.


ivadmin_ssocred_getssopassword()

Returns the password associated with this single signon credential.

Syntax

const char *
ivadmin_ssocred_getssopassword(
    ivadmin_ssocred ssocred
);

Parameters

Input

ssocred Pointer to the single signon credential.

Description

Returns the password associated with this single signon credential. You must call ivadmin_ssocred_get() to obtain an ivadmin_ssocred object before calling this function.

Do not free this string. This data is maintained in the single signon credential structure (ivadmin_ssocred).

Return Values

Returns the password associated with this single signon credential.


ivadmin_ssocred_getssouser()

Returns the name of the user associated with the specified single signon credential.

Syntax

const char *
ivadmin_ssocred_getssouser(
    ivadmin_ssocred ssocred
);

Parameters

Input

ssocred Pointer to the single signon credential.

Description

Returns the name of the user associated with the specified single signon credential. You must call ivadmin_ssocred_get() to obtain an ivadmin_ssocred object before calling this function.

Do not free this string. This data is maintained in the single signon credential structure (ivadmin_ssocred).

Return Values

Returns the name of the user associated with the specified single signon credential.


ivadmin_ssocred_gettype()

Returns the type of the single signon resource associated with the specified single signon credential.

Syntax

unsigned long
ivadmin_ssocred_gettype(
    ivadmin_ssocred ssocred
);

Parameters

Input

ssocred Pointer to the single signon credential.

Description

Returns the type of the single signon resource associated with the specified single signon credential.

Command line equivalent:

    pdadmin rsrccred show resource_name rsrctype {web | group} user user_name

The credential type is part of the information returned by the pdadmin command.

Return Values

Returns the type of the single signon resource associated with the specified single signon credential. You must call ivadmin_ssocred_get() to obtain an ivadmin_ssocred object before calling this function.

The defined types are:

#define IVADMIN_SSOCRED_SSOWEB 0
#define IVADMIN_SSOCRED_SSOGROUP 1

Do not free the resource credential type (integer) when it is no longer needed. This data is maintained in the ivadmin_ssocred object.


ivadmin_ssocred_getuser()

Returns the name of the user associated with this single signon credential.

Syntax

const char *
ivadmin_ssocred_getuser(
    ivadmin_ssocred ssocred
);

Parameters

Input

ssocred Pointer to the single signon credential.

Description

Returns the name of the user associated with this single signon credential. You must call ivadmin_ssocred_get() to obtain an ivadmin_ssocred object before calling this function.

Do not free this string. This data is maintained in the single signon credential structure (ivadmin_ssocred).

Command line equivalent:

    pdadmin rsrccred show resource_name rsrctype {web | group} user user_name

The user name is part of the information returned by the pdadmin command.

Return Values

Returns the name of the user associated with this single signon credential.


ivadmin_ssocred_list()

Returns the list of single signon credentials for the specified user.

Syntax

unsigned long
ivadmin_ssocred_list(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *count,
    ivadmin_ssocred **ssocreds,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid The user ID of the user for whom the single signon credentials are to be retrieved.

Output

count Number of single signon credentials returned.

ssocreds Array of pointers to single signon credentials. Free each single signon credential pointer and the array of pointers when they are no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the list of single signon credentials for the specified user.

Command line equivalent:

    pdadmin rsrccred list user user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssocred_set()

Creates or modifies a single signon credential.

Syntax

unsigned long
ivadmin_ssocred_set(
    ivadmin_context ctx,
    const char *ssoid,
    unsigned long ssotype,
    const char *userid,
    const char *ssouserid,
    const char *ssopassword,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssoid Single signon resource name with which the single signon credential is associated.

ssotype Single signon resource type. The following types are defined:
- IVADMIN_SSOCRED_SSOWEB
- IVADMIN_SSOCRED_SSOGROUP

userid User name associated with the single signon credential.

ssouserid The user name that the user (as specified by the input parameter userid) uses to access the specified resource.

ssopassword The password that this user uses to access the specified resource.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates or modifies a single signon credential.

Command line equivalent:

    pdadmin rsrccred modify resource_name rsrctype {web | group} set \
        [-rsrcuser resource_userid] [-rsrcpwd resource_password] user user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_addres()

Adds a single signon resource to a single signon resource group.

Syntax

unsigned long
ivadmin_ssogroup_addres(
    ivadmin_context ctx,
    const char *ssogroupid,
    const char *ssoid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssogroupid Single signon resource group name.

ssoid New member single signon resource name.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Adds a single signon resource to a single signon resource group. Access Manager does not support a resource group as a resource group member.

Command line equivalent:

    pdadmin rsrcgroup modify resource_group_name add rsrcname resource_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_create()

Creates a single signon group resource.

Syntax

unsigned long
ivadmin_ssogroup_create(
    ivadmin_context ctx,
    const char *ssogroupid,
    const char *description,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssogroupid Single signon group resource name.

description Description of the single signon group resource.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a single signon group resource.

Command line equivalent:

    pdadmin rsrcgroup create resource_group_name [-desc description]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_delete()

Deletes a single signon group resource.

Syntax

unsigned long
ivadmin_ssogroup_delete(
    ivadmin_context ctx,
    const char *ssogroupid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssogroupid Single signon group resource name.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes a single signon group resource.

Command line equivalent:

    pdadmin rsrcgroup delete resource_group_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_get()

Returns the specified single signon group resource.

Syntax

unsigned long
ivadmin_ssogroup_get(
    ivadmin_context ctx,
    const char *ssogroupid,
    ivadmin_ssogroup *ssogroup,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssogroupid Single signon group resource name.

Output

ssogroup Returned single signon group resource. Free the memory containing the returned single signon group resource when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the specified single signon group resource. The ivadmin_ssogroup object contains the resource group name, the resource group description, and a list of the names of the resource group members. The resource group members are the individual Web resources (servers).

Command line equivalent:

    pdadmin rsrcgroup show resource_group_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_getdescription()

Returns the description of the single signon group resource.

Syntax

const char *
ivadmin_ssogroup_getdescription(
    ivadmin_ssogroup ssogroup
);

Parameters

Input

ssogroup Pointer to the single signon group resource.

Description

Returns the description of the single signon group resource. You must call ivadmin_ssogroup_get() to obtain an ivadmin_ssogroup object before calling this function.

Do not free this string. This data is maintained in the single signon group resource structure.

Command line equivalent:

    pdadmin rsrcgroup show resource_group_name

The description is part of the information returned by the pdadmin command.

Return Values

Returns the description of the single signon group resource.


ivadmin_ssogroup_getid()

Returns the name of the single signon group resource.

Syntax

const char *
ivadmin_ssogroup_getid(
    ivadmin_ssogroup ssogroup
);

Parameters

Input

ssogroup Pointer to the single signon group resource.

Description

Returns the name of the single signon group resource. You must call ivadmin_ssogroup_get() to obtain an ivadmin_ssogroup object before calling this function.

Do not free this string. This data is maintained in the single signon group resource structure.

Command line equivalent:

    pdadmin rsrcgroup show resource_group_name

The name is part of the information returned by the pdadmin command.

Return Values

Returns the name of the single signon group resource.


ivadmin_ssogroup_getresources()

Returns a list of the member single signon resource names for the specified single signon group.

Syntax

unsigned long
ivadmin_ssogroup_getresources(
    ivadmin_ssogroup ssogroup,
    unsigned long *count,
    char ***ssoids
);

Parameters

Input

ssogroup Pointer to the single signon group resource.

Output

count Number of single signon resource names returned.

ssoids Array of pointers to single signon resource names. Free each single signon resource name pointer and the array of pointers when they are no longer needed.

Description

Returns a list of the member single signon resource names.

Command line equivalent:

    pdadmin rsrcgroup show resource_group_name

The resource name is part of the information returned by the pdadmin command.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_list()

Returns a list of all the single signon group resource names.

Syntax

unsigned long
ivadmin_ssogroup_list(
    ivadmin_context ctx,
    unsigned long *count,
    char ***ssogroupids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

count The number of single signon group resource names returned.

ssogroupids Array of pointers to single signon group resource names. Free each single signon group resource name pointer and the array of pointers when they are no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns a list of all of the single signon group resource names.

Command line equivalent:

    pdadmin rsrcgroup list

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssogroup_removeres()

Removes a single signon resource from the specified single signon resource group.

Syntax

unsigned long
ivadmin_ssogroup_removeres(
    ivadmin_context ctx,
    const char *ssogroupid,
    const char *ssoid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssogroupid Single signon resource group name.

ssoid The member single signon resource name to remove.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Removes a single signon resource from the specified single signon resource group.

Command line equivalent:

    pdadmin rsrcgroup modify resource_group_name remove rsrcname resource_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssoweb_create()

Creates a single signon Web resource.

Syntax

unsigned long
ivadmin_ssoweb_create(
    ivadmin_context ctx,
    const char *ssowebid,
    const char *description,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssowebid The single signon Web resource name.

description The description of the single signon Web resource.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a single signon Web resource. The name of the Web server does not need to match the junction. You can use this function call before joining the Web server to the Access Manager WebSEAL server.

Command line equivalent:

    pdadmin rsrc create resource_name [-desc description]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssoweb_delete()

Deletes the specified single signon Web resource.

Syntax

unsigned long
ivadmin_ssoweb_delete(
    ivadmin_context ctx,
    const char *ssowebid,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssowebid The name of the single signon Web resource to delete.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes the specified single signon Web resource.

Command line equivalent:

    pdadmin rsrc delete resource_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssoweb_get()

Returns the specified single signon Web resource.

Syntax

unsigned long
ivadmin_ssoweb_get(
    ivadmin_context ctx,
    const char *ssowebid,
    ivadmin_ssoweb *ssoweb,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

ssowebid The name of the single signon Web resource to get.

Output

ssoweb The returned single signon Web resource. Free the memory for the single signon Web resource (ivadmin_ssoweb) when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns the specified single signon Web resource.

Command line equivalent:

    pdadmin rsrc show resource_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_ssoweb_getdescription()

Returns the description of the specified single signon Web resource.

Syntax

const char *
ivadmin_ssoweb_getdescription(
    ivadmin_ssoweb ssoweb
);

Parameters

Input

ssoweb Pointer to single signon Web resource.

Description

Returns the description of the specified single signon Web resource. You must call ivadmin_ssoweb_get() to obtain an ivadmin_ssoweb object before calling this function.

Do not free this string. This data is maintained in the single signon Web resource structure (ivadmin_ssoweb).

Command line equivalent:

    pdadmin rsrc show resource_name

The description is part of the information returned by the pdadmin command.

Return Values

Returns the description of the specified single signon Web resource.


ivadmin_ssoweb_getid()

Returns the name (identifier) of the specified single signon Web resource.

Syntax

const char *
ivadmin_ssoweb_getid(
    ivadmin_ssoweb ssoweb
);

Parameters

Input

ssoweb Pointer to single signon Web resource.

Description

Returns the name (identifier) of the specified single signon Web resource. You must call ivadmin_ssoweb_get() to obtain an ivadmin_ssoweb object before calling this function.

Do not free this string. This data is maintained in the single signon Web resource structure (ivadmin_ssoweb).

Command line equivalent:

    pdadmin rsrc show resource_name

The name is part of the information returned by the pdadmin command.

Return Values

Returns the name (identifier) of the specified single signon Web resource.


ivadmin_ssoweb_list()

Returns a list of all the single signon Web resource names.

Syntax

unsigned long
ivadmin_ssoweb_list(
    ivadmin_context ctx,
    unsigned long *count,
    char ***ssowebids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

Output

count The number of single signon Web resource names returned.

ssowebids Array of pointers to single signon Web resource names. Free each single signon Web resource name pointer and the array of pointers when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Returns a list of all the single signon Web resource names.

Command line equivalent:

    pdadmin rsrc list

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_create3()

Creates a user in the directory used by the Access Manager policy server and initially associates that user with one or more groups.

Syntax

unsigned long
ivadmin_user_create3(
    ivadmin_context ctx,
    const char *userid,
    const char *dn,
    const char *cn,
    const char *sn,
    const char *pwd,
    unsigned long group_count,
    const char **groups,
    unsigned long ssouser,
    unsigned long nopwdpolicy,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid Access Manager user name.

dn User registry distinguished name.

cn User registry attribute common name.

sn User registry attribute surname.

pwd User registry attribute password.

group_count The number of groups to which the user initially belongs.

groups The initial user registry groups to which the user belongs. Specify NULL to indicate no initial group membership.

ssouser The user is capable of having single signon credentials.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

nopwdpolicy Password policy is not enforced during creation. This has no effect on password policy enforcement after user creation.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates a user in the user registry used by the Access Manager policy server. Accounts are created invalid by default. Use ivadmin_user_setaccountvalid() to enable the account.


User registry difference: Leading and trailing blanks in a user name do not make the name unique when using an LDAP or Active Directory user registry. However, leading and trailing blanks do make the user name unique when using a Domino server as a user registry. To keep name processing consistent regardless of what user registry is being used, do not define user names with leading or trailing blanks.

Command line equivalents:

pdadmin user create [-gsouser] [-no-password-policy] user_name dn cn sn \
    pwd group_name

pdadmin user create [-gsouser] [-no-password-policy] user_name dn cn sn \
    pwd ( group_name1 group_name2 ... group_nameN )

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_delete2()

Deletes the Access Manager user and optionally deletes the user from the user registry.

Syntax

unsigned long
ivadmin_user_delete2(
    ivadmin_context ctx,
    const char *userid,
    unsigned long registry,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid Access Manager user name.

registry Delete user from the user registry as well as from Access Manager.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Deletes Access Manager information about the user from the user registry. The optional pdadmin parameter -registry causes the entire user object to be deleted from the user registry.

Command line equivalent:

pdadmin user delete [-registry] user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_get()

Gets the user object for the specified user.

Syntax

unsigned long
ivadmin_user_get(
    ivadmin_context ctx,
    const char *userid,
    ivadmin_ldapuser *user,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid Access Manager user name.

Output

user Returned user. Free this memory when no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the user object for the specified user.

Free the memory used by the ivadmin_ldapuser object when it is no longer needed.

Command line equivalent:

pdadmin user show user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getaccexpdate()

Gets the account expiration date for the specified user.

Syntax

unsigned long
ivadmin_user_getaccexpdate(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *seconds,
    unsigned long *unlimited,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

seconds Returned date and time of the expiration of the specified user account. This is the number of seconds since 00:00:00 Universal time, 1 January 1970 (same as time_t).

unlimited Returns the account-expiration-not-restricted indicator.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the account expiration date for the specified user.

Command line equivalent:

pdadmin policy get account-expiry-date [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getaccountvalid()

Returns the account-valid indicator from the specified user object.

Syntax

unsigned long
ivadmin_user_getaccountvalid(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the account valid indicator from the specified user object.

Command line equivalent:

pdadmin user show user_name

The account-valid status is part of the information returned by the pdadmin command.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getauthmech()

Returns the authentication mechanism from the specified user object.

Syntax

unsigned long
ivadmin_user_getauthmech(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the authentication mechanism from the specified user object.

Command line equivalent:

pdadmin user show user_name

The authentication mechanism is part of the information returned by the pdadmin command.

Return Values

Returns the authentication mechanism from the specified user object.

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getbydn()

Obtains an Access Manager user object by using the user registry distinguished name.

Syntax

unsigned long
ivadmin_user_getbydn(
    ivadmin_context ctx,
    const char *dn,
    ivadmin_ldapuser *user,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

dn User registry distinguished name of the user.

Output

user Returned user. Free the memory for this object when it is no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Obtains an Access Manager user object by using the user registry distinguished name.

Command line equivalent:

pdadmin user show-dn dn

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getcn()

Returns the user registry common name attribute from the specified user object.

Syntax

const char *
ivadmin_user_getcn(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the user registry common name attribute from the specified user object.

Do not free the character string that is returned. This data is maintained in the ivadmin_ldapuser object.

Command line equivalent:

pdadmin user show user_name

The user registry common name for the user is part of the information returned by the pdadmin command.

Return Values

Returns the user registry common name attribute from the specified user object.


ivadmin_user_getdescription()

Returns the user description from the specified user object.

Syntax

const char *
ivadmin_user_getdescription(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the user description from the specified user object.

Do not free the character string that is returned. This data is maintained in the ivadmin_ldapuser object.

Command line equivalent:

pdadmin user show user_name

The user description is part of the information returned by the pdadmin command.

Return Values

Returns the user description from the specified user object.


ivadmin_user_getdisabletimeint()

Gets the amount of time to disable the specified user account if the maximum number of login failures is exceeded.

Syntax

unsigned long
ivadmin_user_getdisabletimeint(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *seconds,
    unsigned long *disable,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

seconds Disable the user account for the specified number of seconds if the maximum number of login failures is exceeded.

disable Disable the user account if the maximum number of login failures is exceeded. Administrator action is required to enable the account.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the amount of time to disable each user account if the maximum number of login failures is exceeded.

Command line equivalent:

pdadmin policy get disable-time-interval [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getdn()

Returns the user registry distinguished name from the specified user object.

Syntax

const char *
ivadmin_user_getdn(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the user registry distinguished name from the specified user object.

Do not free the character string that is returned. This data is maintained in the ivadmin_ldapuser object.

Command line equivalent:

pdadmin user show user_name

The user registry distinguished name for the user is part of the information returned by the pdadmin command.

Return Values

Returns the user registry distinguished name from the specified user object.


ivadmin_user_getid()

Returns the user name from the specified user object.

Syntax

const char *
ivadmin_user_getid(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the user name from the specified user object.

Do not free the character string that is returned. This data is maintained in the ivadmin_ldapuser object.

Command line equivalent:

pdadmin user show user_name

The user name (login identifier) is part of the information returned by the pdadmin command.

Return Values

Returns the user name from the specified user object.


ivadmin_user_getmaxlgnfails()

Gets the maximum number of login failures allowed for the specified user account.

Syntax

unsigned long
ivadmin_user_getmaxlgnfails(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *failures,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

failures Maximum number of login failures allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the maximum number of login failures allowed for the specified user account.

Command line equivalent:

pdadmin policy get max-login-failures [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
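The values returned by ivadmin_user_getaccexpdate(), ivadmin_user_getdisabletimeint() and ivadmin_user_getmaxlgnfails() only mean something once their unlimited, disable and unset flags are taken into account. The following added example (not part of the IBM reference, and it does not call the Access Manager library) shows one way a reporting tool could combine them. The struct, enum and function names are hypothetical. It assumes that "exceeded" means more failures than the limit, that a timed lock runs from the last failed login, and that an unset policy of either kind means no lockout.

```c
#include <limits.h>
#include <stdio.h>

/* Values as documented on this page. */
#ifndef IVADMIN_TRUE
#define IVADMIN_TRUE  1UL
#define IVADMIN_FALSE 0UL
#endif

typedef enum { ACCT_USABLE, ACCT_EXPIRED, ACCT_LOCKED_TIMED, ACCT_LOCKED_ADMIN } acct_state;

/* Hypothetical container for the output parameters of the three getters. */
typedef struct {
    unsigned long exp_seconds, exp_unlimited, exp_unset; /* ivadmin_user_getaccexpdate()     */
    unsigned long max_failures, max_failures_unset;      /* ivadmin_user_getmaxlgnfails()    */
    unsigned long dis_seconds, dis_disable, dis_unset;   /* ivadmin_user_getdisabletimeint() */
} acct_policy;

/* Returns the effective account state at time `now` (seconds since the epoch).
 * `failures` and `last_failure` come from the caller's own login records. */
acct_state acct_evaluate(const acct_policy *p, unsigned long now,
                         unsigned long failures, unsigned long last_failure,
                         unsigned long *unlock_at)
{
    unsigned long elapsed;

    if (unlock_at) *unlock_at = 0;

    /* Expiry counts only when the policy is set and not unlimited. */
    if (p->exp_unset == IVADMIN_FALSE && p->exp_unlimited == IVADMIN_FALSE &&
        now >= p->exp_seconds)
        return ACCT_EXPIRED;

    /* Assumption: an unset policy of either kind means no lockout. */
    if (p->max_failures_unset != IVADMIN_FALSE || p->dis_unset != IVADMIN_FALSE)
        return ACCT_USABLE;
    if (failures <= p->max_failures)   /* limit reached but not exceeded */
        return ACCT_USABLE;

    if (p->dis_disable == IVADMIN_TRUE) /* administrator must re-enable */
        return ACCT_LOCKED_ADMIN;

    /* Timed lock. A clock that runs backwards is treated as "no time has
     * passed", so the check fails closed. */
    elapsed = now >= last_failure ? now - last_failure : 0;
    if (elapsed < p->dis_seconds) {
        if (unlock_at)
            *unlock_at = p->dis_seconds > ULONG_MAX - last_failure
                             ? ULONG_MAX : last_failure + p->dis_seconds;
        return ACCT_LOCKED_TIMED;
    }
    return ACCT_USABLE;
}

/* Constructed sample policy: expires at 2000000000, 3 failures allowed,
 * 180-second lock; admin_lock selects the "disable" variant instead. */
static acct_policy constructed_policy(unsigned long admin_lock)
{
    acct_policy p = { 2000000000UL, IVADMIN_FALSE, IVADMIN_FALSE,
                      3UL, IVADMIN_FALSE,
                      180UL, IVADMIN_FALSE, IVADMIN_FALSE };
    p.dis_disable = admin_lock;
    return p;
}

acct_state demo_state(unsigned long now, unsigned long failures,
                      unsigned long last_failure, unsigned long admin_lock)
{
    acct_policy p = constructed_policy(admin_lock);
    return acct_evaluate(&p, now, failures, last_failure, NULL);
}

unsigned long demo_unlock_at(unsigned long now, unsigned long failures,
                             unsigned long last_failure)
{
    acct_policy p = constructed_policy(IVADMIN_FALSE);
    unsigned long t = 0;
    (void)acct_evaluate(&p, now, failures, last_failure, &t);
    return t;
}

int main(void)
{
    printf("state=%d unlock_at=%lu\n",
           (int)demo_state(1700000000UL, 4, 1699999940UL, IVADMIN_FALSE),
           demo_unlock_at(1700000000UL, 4, 1699999940UL));
    return 0;
}
```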


ivadmin_user_getmaxpwdage()

Gets the maximum password age for the specified user account.

Syntax

unsigned long
ivadmin_user_getmaxpwdage(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *seconds,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

seconds Returned maximum lifetime, in seconds, before expiration of the password.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the maximum password age for the specified user account.

Command line equivalent:

pdadmin policy get max-password-age [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getmaxpwdrepchars()

Gets the maximum number of repeated characters allowed in a password for the specified user account.

Syntax

unsigned long
ivadmin_user_getmaxpwdrepchars(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *chars,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

chars Maximum number of repeated characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the maximum number of repeated characters allowed in a password for the specified user account.

Command line equivalent:

pdadmin policy get max-password-repeated-chars [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getmemberships()

Gets the groups in which the specified user is a member.

Syntax

unsigned long
ivadmin_user_getmemberships(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *count,
    char ***groupids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid Access Manager user name.

Output

count Number of group names returned.

groupids Array of pointers to group names. Free each group name character pointer and the array of pointers when they are no longer needed.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the groups in which the specified user is a member.

Command line equivalent:

pdadmin user show-groups user_name

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getminpwdalphas()

Gets the minimum number of alphabetic characters allowed in a password for the specified user account.

Syntax

unsigned long
ivadmin_user_getminpwdalphas(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *chars,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

chars Minimum number of alphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the minimum number of alphabetic characters allowed in a password for the specified user account.

Command line equivalent:

pdadmin policy get min-password-alphas [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getminpwdlen()

Gets the minimum password length for the specified user account.

Syntax

unsigned long
ivadmin_user_getminpwdlen(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *length,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

length Returned minimum allowed password length.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the minimum password length for the specified user account.

Command line equivalent:

pdadmin policy get min-password-length [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getminpwdnonalphas()

Gets the minimum number of nonalphabetic characters allowed in a password for the specified user account.

Syntax

unsigned long
ivadmin_user_getminpwdnonalphas(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *chars,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

chars Minimum number of nonalphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the minimum number of nonalphabetic characters allowed in a password for the specified user account.

Command line equivalent:

pdadmin policy get min-password-non-alphas [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_getpasswordvalid()

Returns the password valid indicator.

Syntax

unsigned long
ivadmin_user_getpasswordvalid(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the password valid indicator. Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Command line equivalent:

pdadmin user show user_name

The password valid status is part of the information returned by the pdadmin command.

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. Indicates that the password is valid.

IVADMIN_FALSE Defined as 0. Indicates that the password has expired.


ivadmin_user_getpwdspaces()

Gets whether spaces are allowed in passwords for the specified user account.

Syntax

unsigned long
ivadmin_user_getpwdspaces(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *allowed,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

Output

allowed Indicates whether spaces are allowed in passwords.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets whether spaces are allowed in passwords for the specified user account.

Command line equivalent:

pdadmin policy get password-spaces [-user user_name]

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.
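The five password-policy getters (ivadmin_user_getminpwdlen(), ivadmin_user_getminpwdalphas(), ivadmin_user_getminpwdnonalphas(), ivadmin_user_getmaxpwdrepchars() and ivadmin_user_getpwdspaces()) each return a value together with an unset flag. The following added example (not part of the IBM reference, and it does not call the Access Manager library) checks a candidate password against such a set of values and skips every policy whose unset flag is true. The struct, flag and function names are hypothetical. It assumes that "repeated characters" counts the total occurrences of the most frequent character and that a space counts as a nonalphabetic character.

```c
#include <ctype.h>
#include <stdio.h>

/* Values as documented on this page. */
#ifndef IVADMIN_TRUE
#define IVADMIN_TRUE  1UL
#define IVADMIN_FALSE 0UL
#endif

/* One policy value with its "unset" flag, the pair each getter returns. */
typedef struct { unsigned long value; unsigned long unset; } policy_item;

/* Hypothetical container filled from the five getters. */
typedef struct {
    policy_item min_len;        /* ivadmin_user_getminpwdlen()       */
    policy_item min_alphas;     /* ivadmin_user_getminpwdalphas()    */
    policy_item min_nonalphas;  /* ivadmin_user_getminpwdnonalphas() */
    policy_item max_repeated;   /* ivadmin_user_getmaxpwdrepchars()  */
    policy_item spaces_allowed; /* ivadmin_user_getpwdspaces()       */
} pwd_policy;

/* One bit per violated policy, so the caller sees every failure at once. */
enum {
    PWD_OK            = 0,
    PWD_TOO_SHORT     = 1 << 0,
    PWD_FEW_ALPHAS    = 1 << 1,
    PWD_FEW_NONALPHAS = 1 << 2,
    PWD_REPEATS       = 1 << 3,
    PWD_HAS_SPACE     = 1 << 4
};

/* unset == IVADMIN_TRUE: the policy is ignored and not enforced. */
static int enforced(const policy_item *p) { return p->unset == IVADMIN_FALSE; }

unsigned pwd_policy_check(const pwd_policy *pol, const char *pwd)
{
    unsigned long len = 0, alphas = 0, nonalphas = 0, spaces = 0, most = 0;
    unsigned long seen[256] = {0};
    unsigned result = PWD_OK;
    const unsigned char *c;

    for (c = (const unsigned char *)pwd; *c != '\0'; ++c) {
        ++len;
        if (isalpha(*c)) ++alphas; else ++nonalphas;
        if (*c == ' ') ++spaces;
        /* Assumption: "repeated" = total occurrences of one character. */
        if (++seen[*c] > most) most = seen[*c];
    }

    if (enforced(&pol->min_len) && len < pol->min_len.value)
        result |= PWD_TOO_SHORT;
    if (enforced(&pol->min_alphas) && alphas < pol->min_alphas.value)
        result |= PWD_FEW_ALPHAS;
    if (enforced(&pol->min_nonalphas) && nonalphas < pol->min_nonalphas.value)
        result |= PWD_FEW_NONALPHAS;
    if (enforced(&pol->max_repeated) && most > pol->max_repeated.value)
        result |= PWD_REPEATS;
    if (enforced(&pol->spaces_allowed) &&
        pol->spaces_allowed.value == IVADMIN_FALSE && spaces > 0)
        result |= PWD_HAS_SPACE;
    return result;
}

/* Constructed sample: length >= 8, >= 4 alphabetic, >= 1 nonalphabetic,
 * at most 2 repeats, no spaces. `unset` is applied to every item. */
static pwd_policy constructed_policy(unsigned long unset)
{
    pwd_policy p = { { 8UL, 0 }, { 4UL, 0 }, { 1UL, 0 }, { 2UL, 0 },
                     { IVADMIN_FALSE, 0 } };
    p.min_len.unset = p.min_alphas.unset = p.min_nonalphas.unset = unset;
    p.max_repeated.unset = p.spaces_allowed.unset = unset;
    return p;
}

unsigned check_constructed(const char *pwd)
{
    pwd_policy p = constructed_policy(IVADMIN_FALSE);
    return pwd_policy_check(&p, pwd);
}

unsigned check_all_unset(const char *pwd)
{
    pwd_policy p = constructed_policy(IVADMIN_TRUE);
    return pwd_policy_check(&p, pwd);
}

int main(void)
{
    printf("violations: 0x%x\n", check_constructed("aaa bbb 1234"));
    return 0;
}
```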


ivadmin_user_getsn()

Returns the user registry surname attribute for the specified user.

Syntax

const char *
ivadmin_user_getsn(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns the user registry surname attribute for the specified user.

Do not free the character string that is returned. This data is maintained in the ivadmin_ldapuser structure.

Command line equivalent:

pdadmin user show user_name

The user registry surname for the user is part of the information returned by the pdadmin command.

Return Values

Returns the user registry surname attribute for the specified user.


ivadmin_user_getssouser()

Returns a setting that indicates if the user account has single signon capabilities.

Syntax

unsigned long
ivadmin_user_getssouser(
    ivadmin_ldapuser user
);

Parameters

Input

user Pointer to the user structure.

Description

Returns a setting that indicates if the user account has single signon capabilities.

Command line equivalent:

pdadmin user show user_name

The single signon status for the user is part of the information returned by the pdadmin command.

Return Values

The following values are returned:

IVADMIN_TRUE Defined as 1. Indicates that the user account is single signon capable.

IVADMIN_FALSE Defined as 0. Indicates that the user account is not single signon capable.


ivadmin_user_gettodaccess()

Gets the time of day access policy for the specified user.

Syntax

unsigned long
ivadmin_user_gettodaccess(
    ivadmin_context ctx,
    const char *userid,
    unsigned long *days,
    unsigned long *start,
    unsigned long *end,
    unsigned long *reference,
    unsigned long *unset,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User registry user name.

Output

days A bitmap of the days for the time of day access policy.

start The minutes after midnight for the start of the time range.

end The minutes after midnight for the end of the time range.

reference The time zone: Universal Time Coordinated (UTC) or local.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Gets the time of day access policy for the specified user.

Command line equivalent:

pdadmin policy get todaccess -user userID

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_import2()

Creates an Access Manager user by importing an existing user in the user registry.

Syntax

unsigned long
ivadmin_user_import2(
    ivadmin_context ctx,
    const char *userid,
    const char *dn,
    const char *groupid,
    unsigned long ssouser,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

dn User registry distinguished name.

groupid The initial user registry group to which the user belongs. This value can be NULL to indicate no initial group membership.

ssouser User is capable of having single signon credentials.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Creates an Access Manager user by importing an existing user in the user registry.

Accounts are created invalid by default. You must use ivadmin_user_setaccountvalid() to enable the account.

Command line equivalent:

pdadmin user import [-gsouser] user_name dn

Return Values

Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_list()

Lists the Access Manager users that match the specified pattern.

Syntax

unsigned long
ivadmin_user_list(
    ivadmin_context ctx,
    const char *pattern,
    unsigned long maxreturn,
    unsigned long *count,
    char ***userids,
    ivadmin_response *rsp
);

Parameters

Input

ctx Context to communicate with the Access Manager policy server.

pattern Pattern match for user names. IVADMIN_ALLPATTERN indicates all users.

maxreturn Maximum number to return. IVADMIN_MAXRETURN indicates unlimited. This number can be limited by the user registry server so that the maximum returned is really the minimum of the server configuration and this value.

Output

count Number of user names returned.

userids Array of pointers to user names. Free each user-name character pointer and the array of pointers when they are no longer needed. The order returned is the order created.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description

Lists the names of the Access Manager users in the user registry that match the specified pattern. Returns an array of pointers to character strings containing the user IDs.

The following constants are defined:

#define IVADMIN_MAXRETURN 0
#define IVADMIN_ALLPATTERN "*"

Free each user name character pointer and the array of pointers when they are no longer needed.

Command line equivalent:

pdadmin user list pattern max_return

Return Values

Returns the following boolean values:


IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_listbydn()

Returns the list of user registry distinguished names whose user registry common name attribute matches the pattern specified.

Syntax
unsigned long
ivadmin_user_listbydn(
    ivadmin_context ctx,
    const char *pattern,
    unsigned long maxreturn,
    unsigned long *count,
    char ***dns,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

pattern Pattern match for user registry common name attribute. IVADMIN_ALLPATTERN indicates all users.

maxreturn Maximum number to return. IVADMIN_MAXRETURN indicates unlimited. This number can be limited by the user registry server so that the maximum returned is really the minimum of the server configuration and this value.

Output

count Number of user registry distinguished names returned.

dns Array of pointers to user registry distinguished names. Free each distinguished name character pointer and the array of pointers when they are no longer needed. The order returned is the order created.

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Returns the list of user registry distinguished names whose user registry common name attribute matches the pattern specified. Returns an array of pointers to character strings containing each user’s distinguished name.

Free each distinguished name character pointer and the array of pointers when they are no longer needed.

Command line equivalent:
pdadmin user list-dn pattern max_return

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.


IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setaccexpdate()

Sets the account expiration date for specified user.

Syntax
unsigned long
ivadmin_user_setaccexpdate(
    ivadmin_context ctx,
    const char *userid,
    unsigned long seconds,
    unsigned long unlimited,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

seconds Date and time of the expiration of specified user account. This is the number of seconds since 00:00:00 Universal time, 1 January 1970 (same as time_t).

unlimited Do not expire specified user account and ignore the seconds parameter if set to true.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the account expiration date for specified user.

Command line equivalent:
pdadmin policy set account-expiry-date {unlimited | absolute_time | unset} \
[-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setaccountvalid()

Enables or disables the specified Access Manager user account.

Syntax
unsigned long
ivadmin_user_setaccountvalid(
    ivadmin_context ctx,
    const char *userid,
    unsigned long valid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

valid Boolean indicator of account validity.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Enables or disables the specified Access Manager user account. Use this function to enable an account after it has been created with ivadmin_user_create3() or ivadmin_user_import().

Command line equivalent:
pdadmin user modify user_name account-valid {yes | no}

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setauthmech()

Modifies the user authentication mechanism setting.

Syntax
unsigned long
ivadmin_user_setauthmech(
    ivadmin_context ctx,
    const char *userid,
    unsigned long authmech,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

authmech New authentication mechanism:
- IVADMIN_USER_AUTHMETHDCE
- IVADMIN_USER_AUTHMETHLDAP

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Modifies the user authentication mechanism setting. A value of IVADMIN_USER_LDAPAUTHMETH should be specified for all non-DCE authentication mechanisms.

The following values are defined:
#define IVADMIN_USER_DCEAUTHMETH 0
#define IVADMIN_USER_LDAPAUTHMETH 1

Command line equivalent:
pdadmin user modify user_name authentication-mechanism mech

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setdescription()

Modifies the user description.

Syntax
unsigned long
ivadmin_user_setdescription(
    ivadmin_context ctx,
    const char *userid,
    const char *description,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

description New description.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Modifies the user description. The description is an arbitrary text string. For example:
Diana Lucas, Credit Dept HCUS

Command line equivalent:
pdadmin user modify user_name description description

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setdisabletimeint()

Sets the time to disable the specified user account when the maximum number of login failures is exceeded.

Syntax
unsigned long
ivadmin_user_setdisabletimeint(
    ivadmin_context ctx,
    const char *userid,
    unsigned long seconds,
    unsigned long disable,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

seconds Disable the user account for the specified number of seconds when the maximum number of login failures is exceeded.

disable Disable the user account when the maximum number of login failures is exceeded. Administrator action is required to enable the account.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the time to disable the specified user account when the maximum number of login failures is exceeded.

Command line equivalent:
pdadmin policy set disable-time-interval {number | unset | disable} \
[-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setmaxlgnfails()

Sets the maximum number of login failures allowed for the specified user account.

Syntax
unsigned long
ivadmin_user_setmaxlgnfails(
    ivadmin_context ctx,
    const char *userid,
    unsigned long failures,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

failures Maximum number of login failures allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Set the maximum number of login failures allowed for the specified user account.

Command line equivalent:
pdadmin policy set max-login-failures number | unset [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setmaxpwdage()

Sets the maximum password age for the specified user account.

Syntax
unsigned long
ivadmin_user_setmaxpwdage(
    ivadmin_context ctx,
    const char *userid,
    unsigned long seconds,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

seconds Maximum lifetime, in seconds, before expiration of password.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the maximum password age for the specified user account.

Command line equivalent:
pdadmin policy set max-password-age {unset | relative_time} [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setmaxpwdrepchars()

Sets the maximum number of repeated characters allowed in a password for the specified user account.

Syntax
unsigned long
ivadmin_user_setmaxpwdrepchars(
    ivadmin_context ctx,
    const char *userid,
    unsigned long chars,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

chars Maximum number of repeated characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the maximum number of repeated characters allowed in a password for the specified user account.

Command line equivalent:
pdadmin policy set max-password-repeated-chars number | unset [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setminpwdalphas()

Sets the minimum number of alphabetic characters allowed in a password for the specified user account.

Syntax
unsigned long
ivadmin_user_setminpwdalphas(
    ivadmin_context ctx,
    const char *userid,
    unsigned long chars,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

chars Minimum number of alphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the minimum number of alphabetic characters allowed in a password for the specified user account.

Command line equivalent:
pdadmin policy set min-password-alphas {unset | number} [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setminpwdlen()

Sets the minimum password length for the specified user account.

Syntax
unsigned long
ivadmin_user_setminpwdlen(
    ivadmin_context ctx,
    const char *userid,
    unsigned long length,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

length Minimum allowed password length to be set.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the minimum password length for the specified user account.

Command line equivalent:
pdadmin policy set min-password-length {unset | number} [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setminpwdnonalphas()

Sets the minimum number of nonalphabetic characters allowed in a password for the specified user account.

Syntax
unsigned long
ivadmin_user_setminpwdnonalphas(
    ivadmin_context ctx,
    const char *userid,
    unsigned long chars,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

chars Minimum number of nonalphabetic characters allowed.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the minimum number of nonalphabetic characters allowed in a password for the specified user account.

Command line equivalent:
pdadmin policy set min-password-non-alphas {unset | number} [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setpassword()

Modifies the user password.

Syntax
unsigned long
ivadmin_user_setpassword(
    ivadmin_context ctx,
    const char *userid,
    const char *pwd,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

pwd New password.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Modifies the user password.

If the user that is having its password set is the same user that created the security context, ctx, no further authorization checks are performed.

Command line equivalent:
pdadmin user modify user_name password password

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setpasswordvalid()

Expires the Access Manager account password.

Syntax
unsigned long
ivadmin_user_setpasswordvalid(
    ivadmin_context ctx,
    const char *userid,
    unsigned long valid,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

valid Indicates whether the password is valid or has expired.

Supported values are IVADMIN_FALSE (expired) or IVADMIN_TRUE (valid).

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Expires the Access Manager account password. This forces the user to change the password at the next login attempt.

Command line equivalent:
pdadmin user modify user_name password-valid {yes | no}

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setpwdspaces()

Sets whether spaces are allowed in passwords for the specified user account.

Syntax
unsigned long
ivadmin_user_setpwdspaces(
    ivadmin_context ctx,
    const char *userid,
    unsigned long allowed,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

allowed Indicates whether spaces are allowed in passwords.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets whether spaces are allowed in passwords for the specified user account.

Command line equivalent:
pdadmin policy set password-spaces {yes | no | unset} [-user user_name]

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_setssouser()

Enables or disables the single sign on capabilities of an Access Manager user.

Syntax
unsigned long
ivadmin_user_setssouser(
    ivadmin_context ctx,
    const char *userid,
    unsigned long ssouser,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User name.

ssouser User is capable of having single signon credentials.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Enables or disables the single sign on capabilities of an Access Manager user.

Command line equivalent:
pdadmin user modify user-name gsouser {yes | no}

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


ivadmin_user_settodaccess()

Sets the time of day access policy for the specified user.

Syntax
unsigned long
ivadmin_user_settodaccess(
    ivadmin_context ctx,
    const char *userid,
    unsigned long days,
    unsigned long start,
    unsigned long end,
    unsigned long reference,
    unsigned long unset,
    ivadmin_response *rsp
);

Parameters
Input

ctx Context to communicate with the Access Manager policy server.

userid User registry user name.

days A bitmap of the days for the time of day access policy.

start The minutes after midnight for the start of the time range.

end The minutes after midnight for the end of the time range.

reference The time zone: Universal Coordinated Time (UTC) or local.

unset Policy ignored and not enforced if set to true. If set to false, the policy is set as specified.

Supported values are IVADMIN_TRUE and IVADMIN_FALSE.

Output

rsp The response object. Indicates the success or failure of the function. Contains error information. Free this object when it is no longer needed.

Description
Sets the time of day access policy for the specified user.

Command line equivalent:
pdadmin policy set todaccess todaccess_string -user userID

Return Values
Returns the following boolean values:

IVADMIN_TRUE Defined as 1. The function executed successfully.

IVADMIN_FALSE Defined as 0. The function encountered an error.


Appendix A. Deprecated APIs

The APIs listed in Table 33 have been deprecated in IBM Tivoli Access Manager (Access Manager) Version 3.9. The ivadmin_deprecated.h header file contains the prototypes and definitions for these deprecated APIs. Avoid including this header file because the symbols it declares are not supported. Instead, change existing applications to use the replacement APIs listed in the table.

Table 33. APIs deprecated in Access Manager Version 3.9

Deprecated API Replacement API

ivadmin_cfg_configureserver ivadmin_cfg_configureserver2

ivadmin_group_addmember ivadmin_group_addmembers

ivadmin_group_removemember ivadmin_group_removemembers

ivadmin_user_create2 ivadmin_user_create3

The APIs listed in Table 34 were deprecated in previous versions of Tivoli SecureWay Policy Director.

Table 34. APIs deprecated in previous versions of Tivoli SecureWay Policy Director

Deprecated API Replacement API

ivadmin_group_create ivadmin_group_create2

ivadmin_group_delete ivadmin_group_delete2

ivadmin_group_import ivadmin_group_import2

ivadmin_protobj_get ivadmin_protobj_get2

ivadmin_protobj_list2 ivadmin_protobj_list3

ivadmin_user_create ivadmin_user_create3

ivadmin_user_delete ivadmin_user_delete2

ivadmin_user_import ivadmin_user_import2


Appendix B. User registry differences

The following user registry differences are known to exist in this version of IBM Tivoli Access Manager (Access Manager).

1. Leading and trailing blanks in user names and group names are ignored when using LDAP or Microsoft Active Directory as the user registry in an Access Manager secure domain. However, when using a Lotus Domino server as a user registry, leading and trailing blanks are significant. To ensure that processing is consistent regardless of what user registry is being used, define users and groups in the user registry without leading or trailing blanks in their names.

2. The forward slash character (/) should be avoided in user and group names defined using distinguished name strings. The forward slash character is treated differently in different user registries:

Lotus Domino server
Users and groups can not be created with names using a distinguished name string containing a forward slash character. To avoid the problem, either do not use a forward slash character or define the user without using the distinguished name designation:
pdadmin user create myuser username/locinfo test test testpwd

instead of using this one:
pdadmin user create myuser cn=username/o=locinfo test test testpwd

Microsoft Active Directory
Users and groups can be created with names using a distinguished name string containing a forward slash character. However, subsequent operations on the object might fail as some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. To avoid the problem, do not use a forward slash character to define the user.

3. When using a multi-domain Microsoft Active Directory user registry, multiple users and groups can be defined with the same short name as long as they reside in different domains. To query information associated with a specific user or group, use the full name, including the domain, of the user or group to ensure that you are getting the correct information. If the domain information is omitted, information about the user or group defined in the default domain is returned, which might not be the expected user or group. The sole use of a short name to identify a user or group should be avoided for the same reason.

4. When using iPlanet Version 5.0 as the user registry, a user that is created, added to a group, and then deleted from the user registry retains its group membership. If a user with the same name is created at some later time, the new user automatically inherits the old group membership and might be given inappropriate permissions. It is strongly recommended that the user be removed from all groups before the user is deleted. This problem does not occur when using the other supported user registries.

5. Attempting to add a duplicate user to a group produces different results based on the user registry being used. Table 35 outlines the differences.


Table 35. User registry differences when adding a duplicate user to a group

Operation | LDAP | Lotus Domino server | Microsoft Active Directory
Add one user and that user is duplicate | Error | No error | Error
Add multiple users, first user is duplicate | Error for all users | No error | Error for all users
Add multiple users, a user other than the first is a duplicate | Error for all users | No error | Partial completion message

6. Attempting to remove a user from a group who is not a member of the group produces different results based on the user registry being used. Table 36 outlines the differences.

Table 36. User registry differences when removing a user from a group who is not a member of the group

Operation | LDAP | Lotus Domino server | Microsoft Active Directory
Remove one user, user is not in the group | Error | Error | Error
Remove multiple users, first user not in the group | Error for all users | Error | Error for all users
Remove multiple users, a user other than the first is not in the group | Error for all users | Partial completion message | Partial completion message

7. The maximum lengths of various names associated with a user vary dependingon the user registry being used. See Table 37 for a comparison of the maximumlengths allowed and the recommended maximum length to use to ensurecompatibility with all the user registries supported by Access Manager.

Table 37. Maximum lengths for names based on user registry

| Maximum length of: | LDAP | Microsoft Active Directory | Lotus Domino server | Recommended maximum value |
| --- | --- | --- | --- | --- |
| First name (LDAP CN) | 256 | 64 | 960 | 64 |
| Middle name | 128 | 64 | 65535 | 64 |
| Last name | 128 | 64 | 960 | 64 |
| Registry UID (LDAP DN) | 1024 | 2048 | 255 | This value is user registry-specific and must be changed when changing user registries. |
| Access Manager user identity | 256 | 2048 - 1 - length_of_domain_name | 200 - 4 - length_of_domain_name | This value is user registry-specific and must be changed when changing user registries. |
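The limits in Table 37 can be enforced before a user is handed to the registry, so that over-long names are rejected up front instead of failing differently per registry. The following C helper is an added example, not code from the IBM reference; the enum and function names and the sample values are hypothetical, and it assumes lengths are counted in bytes with strlen(), which the table does not state.

```c
#include <stdio.h>
#include <string.h>

/* User registries compared in Table 37 (enum names are hypothetical). */
typedef enum { REG_LDAP, REG_ACTIVE_DIRECTORY, REG_DOMINO } registry_t;

/* Name fields listed in Table 37, in table order (names are hypothetical). */
typedef enum {
    F_FIRST_NAME, F_MIDDLE_NAME, F_LAST_NAME,
    F_REGISTRY_UID, F_AM_USER_ID, F_COUNT
} field_t;

/* Recommended cross-registry maximum for first, middle and last names. */
#define RECOMMENDED_NAME_MAX 64L

/* Fixed limits from Table 37; -1 marks a limit computed from the domain name. */
static const long LIMITS[3][F_COUNT] = {
    /* LDAP             */ { 256,   128, 128, 1024, 256 },
    /* Active Directory */ {  64,    64,  64, 2048,  -1 },
    /* Lotus Domino     */ { 960, 65535, 960,  255,  -1 },
};

/* Maximum length of one field in one registry. The Access Manager user
 * identity shares its budget with the domain name on Active Directory
 * and Lotus Domino, so the result can be zero or negative. */
long max_name_length(registry_t reg, field_t field, size_t domain_len)
{
    if (field == F_AM_USER_ID && reg == REG_ACTIVE_DIRECTORY)
        return 2048L - 1L - (long)domain_len;
    if (field == F_AM_USER_ID && reg == REG_DOMINO)
        return 200L - 4L - (long)domain_len;
    return LIMITS[reg][field];
}

/* Returns a bitmask with bit (1 << field) set for every value that is too
 * long for the target registry. NULL entries are skipped. With portable
 * set, the three personal-name fields are also held to the recommended
 * maximum of 64 so the record survives a change of registry. */
unsigned check_user_fields(registry_t reg, int portable,
                           const char *values[], const char *domain)
{
    size_t domain_len = domain ? strlen(domain) : 0;
    unsigned too_long = 0;
    int f;

    for (f = 0; f < F_COUNT; f++) {
        long max;
        if (values[f] == NULL)
            continue;
        max = max_name_length(reg, (field_t)f, domain_len);
        if (portable && f <= F_LAST_NAME && max > RECOMMENDED_NAME_MAX)
            max = RECOMMENDED_NAME_MAX;
        if (max < 0)
            max = 0; /* the domain name alone exceeds the budget */
        if (strlen(values[f]) > (size_t)max)
            too_long |= 1u << f;
    }
    return too_long;
}

int main(void)
{
    /* Constructed sample input: a 100-character first name. */
    char first[101];
    const char *values[F_COUNT];

    memset(first, 'a', 100);
    first[100] = '\0';
    values[F_FIRST_NAME] = first;
    values[F_MIDDLE_NAME] = NULL;
    values[F_LAST_NAME] = "Doe";
    values[F_REGISTRY_UID] = NULL;
    values[F_AM_USER_ID] = "jdoe";

    printf("LDAP, registry limits only: 0x%x\n",
           check_user_fields(REG_LDAP, 0, values, NULL));
    printf("LDAP, portable limits:      0x%x\n",
           check_user_fields(REG_LDAP, 1, values, NULL));
    printf("Active Directory:           0x%x\n",
           check_user_fields(REG_ACTIVE_DIRECTORY, 0, values, "example.com"));
    return 0;
}
```

A non-zero result identifies which fields to shorten; the registry UID and Access Manager user identity are always checked against the target registry only, since the table gives no portable value for them.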

8. Users created in a Lotus Domino server or Microsoft Active Directory user registry are automatically given the capability to own single signon credentials and this capability cannot be removed. When using an LDAP user registry, this capability must be explicitly granted to a user and subsequently can be removed.

9. When the Access Manager policy server is using either Microsoft Active Directory or a Lotus Domino server as its user registry, existing Tivoli SecureWay Policy Director, Version 3.8 clients are not able to connect to the policy server. Either use a different user registry or upgrade the clients to Access Manager.


Appendix C. Administration C API, Java method, and command line equivalents

This appendix shows the mapping that exists between the administration C API functions, the administration Java classes and methods, and the command line interface (CLI). In some cases, a given operation can be performed different ways. Note that in some cases two or more method calls might be necessary to achieve the same effect as a single C API function.

No Java classes and methods are associated with the following objects in this version of IBM Tivoli Access Manager (Access Manager):
- Extended access control list actions, corresponding to the ivadmin_action_* C API
- Configuration, corresponding to the ivadmin_config_* C API
- Protected object policies, corresponding to the ivadmin_pop_* C API
- Web resources, corresponding to the ivadmin_ssoweb_* C API
- Web resource groups, corresponding to the ivadmin_ssogroup_* C API
- Resource credentials, corresponding to the ivadmin_ssocred_* C API
- Server, corresponding to the ivadmin_server_* C API

Information about the administration Java classes and methods can be found in the IBM Tivoli Access Manager Administration Java Classes Developer’s Reference.

Information about the pdadmin command line interface can be found in the IBM Tivoli Access Manager Base Administrator’s Guide.


Table 38. Mapping between administration C API, Java methods, and the command line interface

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_acl_attrdelkey() | PDAcl.deleteAttribute; PDAcl object.deleteAttribute | pdadmin acl modify acl_name delete attribute attribute_name |
| ivadmin_acl_attrdelval() | PDAcl.deleteAttributeValue; PDAcl object.deleteAttributeValue | pdadmin acl modify acl_name delete attribute attribute_name attribute_value |
| ivadmin_acl_attrget() | PDAcl object.getAttributeValues | pdadmin acl show acl_name attribute attribute_name |
| ivadmin_acl_attrlist() | PDAcl object.getAttributeNames | pdadmin acl list acl_name attribute |
| ivadmin_acl_attrput() | PDAcl.setAttributeValue; PDAcl object.setAttributeValue | pdadmin acl modify acl_name set attribute attribute_name attribute_value |
| ivadmin_acl_create() | PDAcl.createAcl | pdadmin acl create acl_name |
| ivadmin_acl_delete() | PDAcl.deleteAcl | pdadmin acl delete acl_name |
| ivadmin_acl_get() | PDAcl constructor | pdadmin acl show acl_name |
| ivadmin_acl_getanyother() | PDAcl object.getPDAclEntryAnyOther | pdadmin acl show any-other |
| ivadmin_acl_getdescription() | PDAcl object.getDescription | pdadmin acl show acl_name |
| ivadmin_acl_getgroup() | PDAcl object.getPDAclEntriesGroup | pdadmin acl show acl_name |
| ivadmin_acl_getid() | PDAcl object.getId | pdadmin acl show acl_name |
| ivadmin_acl_getunauth() | PDAcl object.getPDAclEntryUnAuth | pdadmin acl show acl_name |
| ivadmin_acl_getuser() | PDAcl object.getPDAclEntriesUser | pdadmin acl show acl_name |
| ivadmin_acl_list() | PDAcl.listAcls | pdadmin acl list |
| ivadmin_acl_listgroups() | PDAcl object.getPDAclEntriesGroup | pdadmin acl show acl_name |
| ivadmin_acl_listusers() | PDAcl object.getPDAclEntriesUser | pdadmin acl show acl_name |
| ivadmin_acl_removeanyother() | PDAcl.removePDAclEntryAnyOther; PDAcl object.removePDAclEntryAnyOther | pdadmin acl modify acl_name remove any-other |
| ivadmin_acl_removegroup() | PDAcl.removePDAclEntryGroup; PDAcl object.removePDAclEntryGroup | pdadmin acl modify acl_name remove group group_name |
| ivadmin_acl_removeunauth() | PDAcl.removePDAclEntryUnAuth; PDAcl object.removePDAclEntryUnAuth | pdadmin acl modify acl_name remove unauthenticated |
| ivadmin_acl_removeuser() | PDAcl.removePDAclEntryUser; PDAcl object.removePDAclEntryUser | pdadmin acl modify acl_name remove user user_name |
| ivadmin_acl_setanyother() | PDAcl.setPDAclEntryAnyOther; PDAcl object.setPDAclEntryAnyOther | pdadmin acl modify acl_name set any-other perms |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_acl_setdescription() | PDAcl.setDescription; PDAcl object.setDescription | pdadmin acl modify acl_name description description |
| ivadmin_acl_setgroup() | PDAcl.setPDAclEntryGroup; PDAcl object.setPDAclEntryGroup | pdadmin acl modify acl_name set group group_name perms |
| ivadmin_acl_setunauth() | PDAcl.setPDAclEntryUnAuth; PDAcl object.setPDAclEntryUnAuth | pdadmin acl modify acl_name set unauthenticated perms |
| ivadmin_acl_setuser() | PDAcl.setPDAclEntryUser; PDAcl object.setPDAclEntryUser | pdadmin acl modify acl_name set user user_name perms |
| ivadmin_action_create() | Not supported at this time. | pdadmin action create name description action_type |
| ivadmin_action_create_in_group() | Not supported at this time. | pdadmin action create name description action_type action_group_name |
| ivadmin_action_delete() | Not supported at this time. | pdadmin action delete name |
| ivadmin_action_delete_from_group() | Not supported at this time. | pdadmin action delete name action_group_name |
| ivadmin_action_getdescription | Not supported at this time. | pdadmin action list |
| ivadmin_action_getdescription() | Not supported at this time. | pdadmin action list |
| ivadmin_action_getid() | Not supported at this time. | pdadmin action list |
| ivadmin_action_gettype() | Not supported at this time. | pdadmin action list |
| ivadmin_action_group_create() | Not supported at this time. | pdadmin action group create action_group_name |
| ivadmin_action_group_delete() | Not supported at this time. | pdadmin action group delete action_group_name |
| ivadmin_action_group_list() | Not supported at this time. | pdadmin action group list |
| ivadmin_action_list() | Not supported at this time. | pdadmin action list |
| ivadmin_action_list_in_group() | Not supported at this time. | pdadmin action list action_group_name |
| ivadmin_cfg_addreplica() | Not supported at this time. | svrsslcfg -add_replica -f cfg_file -h host_name [-p port] [-k rank] |
| ivadmin_cfg_chgreplica() | Not supported at this time. | svrsslcfg -chg_replica -f cfg_file -h host_name [-p port] [-k rank] |
| ivadmin_cfg_configureserver() | SvrSslCfg CREATE; SvrSslCfg REPLACE | svrsslcfg -config -f cfg_file -d kdb_dir_name -n server_name ... |
| ivadmin_cfg_renewservercert() | Not supported at this time. | svrsslcfg -chgcert -f cfg_file -n server_name [-A admin_ID] -P admin_pwd |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_cfg_rmvreplica() | Not supported at this time. | svrsslcfg -rmv_replica -f cfg_file -h host_name [-p port] [-k rank] |
| ivadmin_cfg_setapplicationcert() | Not supported at this time. | svrsslcfg -modify -f cfg_file [-t timeout] [-C cert_file] [-l listening_mode] |
| ivadmin_cfg_setkeyringpwd() | Not supported at this time. | svrsslcfg -chgpwd -f cfg_file -n server_name [-A admin_ID] [-P admin_pwd] |
| ivadmin_cfg_setlistening() | Not supported at this time. | svrsslcfg -f cfg_file -modify -l yes |
| ivadmin_cfg_setport() | Not supported at this time. | svrsslcfg -config -f cfg_file -d kdb_dir_name -n server_name ... |
| ivadmin_cfg_setssltimeout() | Not supported at this time. | svrsslcfg -modify -f cfg_file -t timeout [-C cert_file] [-l listening_mode] |
| ivadmin_cfg_unconfigureserver() | SvrSslCfg UNCONFIG | svrsslcfg -unconfig -f cfg_file -n server_name [-A admin_ID] -P admin_pwd |
| ivadmin_context_cleardelcred() | Not supported at this time. | not applicable |
| ivadmin_context_create() | PDContext constructor | not applicable |
| ivadmin_context_createdefault() | PDContext constructor | not applicable |
| ivadmin_context_delete() | not applicable | not applicable |
| ivadmin_context_getaccexpdate() | PDPolicy object.getAcctExpDate | pdadmin policy get account-expiry-date |
| ivadmin_context_getdisabletimeint() | PDPolicy object.getAcctDisableTimeInterval | pdadmin policy get disable-time-interval |
| ivadmin_context_getmaxlgnfails() | PDPolicy object.getMaxFailedLogins | pdadmin policy get max-login-failures |
| ivadmin_context_getmaxpwdage() | PDPolicy object.getMaxPwdAge | pdadmin policy get max-password-age |
| ivadmin_context_getmaxpwdrepchars() | PDPolicy object.getMaxPwdRepChars | pdadmin policy get max-password-repeated-chars |
| ivadmin_context_getminpwdalphas() | PDPolicy object.getMinPwdAlphas | pdadmin policy get min-password-alphas |
| ivadmin_context_getminpwdlen() | PDPolicy object.getMinPwdLen | pdadmin policy get min-password-length |
| ivadmin_context_getminpwdnonalphas() | PDPolicy object.getMinPwdNonAlphas | pdadmin policy get min-password-non-alphas |
| ivadmin_context_getpwdspaces() | PDPolicy object.pwdSpacesAllowed | pdadmin policy get password-spaces |
| ivadmin_context_gettodaccess() | PDPolicy object.getAccessibleDays; PDPolicy object.getAccessStartTime; PDPolicy object.getAccessEndTime | pdadmin policy get tod-access |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_context_getuserreg() | PDUser.getUserRgy | pdadmin admin show configuration |
| ivadmin_context_setaccexpdate() | PDPolicy.setAcctExpDate; PDPolicy object.setAcctExpDate | pdadmin policy set account-expiry-date [unlimited \| absolute_time \| unset] |
| ivadmin_context_setdelcred() | Not supported at this time. | not applicable |
| ivadmin_context_setdisabletimeint() | PDPolicy.setAcctDisableTime; PDPolicy object.setAcctDisableTime | pdadmin policy set disable-time-interval [number \| unset \| disable] |
| ivadmin_context_setmaxlgnfails() | PDPolicy.setMaxFailedLogins; PDPolicy object.setMaxFailedLogins | pdadmin policy set max-login-failures [number \| unset] |
| ivadmin_context_setmaxpwdage() | PDPolicy.setMaxPwdAge; PDPolicy object.setMaxPwdAge | pdadmin policy set max-password-age [relative_time \| unset] |
| ivadmin_context_setmaxpwdrepchars() | PDPolicy.setMaxPwdRepChars; PDPolicy object.setMaxPwdRepChars | pdadmin policy set max-password-repeated-chars [number \| unset] |
| ivadmin_context_setminpwdalphas() | PDPolicy.setMinPwdAlphas; PDPolicy object.setMinPwdAlphas | pdadmin policy set min-password-alphas [number \| unset] |
| ivadmin_context_setminpwdlen() | PDPolicy.setMinPwdLen; PDPolicy object.setMinPwdLen | pdadmin policy set min-password-length [number \| unset] |
| ivadmin_context_setminpwdnonalphas() | PDPolicy.setMinPwdNonAlphas; PDPolicy object.setMinPwdNonAlphas | pdadmin policy set max-password-non-alphas [number \| unset] |
| ivadmin_context_setpwdspaces() | PDPolicy.setPwdSpacesAllowed; PDPolicy object.setPwdSpacesAllowed | pdadmin policy set password-spaces [yes \| no \| unset] |
| ivadmin_context_settodaccess() | PDPolicy.setTodAccess; PDPolicy object.setTodAccess | pdadmin policy set tod-access todaccess_value |
| ivadmin_free() | not applicable | not applicable |
| ivadmin_group_addmembers() | PDGroup.addMembers; PDGroup object.addMembers | pdadmin group modify group_name add (user_name1 user_name2 ...) |
| ivadmin_group_create2() | PDGroup.createGroup | pdadmin group create group_name dn cn |
| ivadmin_group_delete2() | PDGroup.deleteGroup | pdadmin group delete [-registry] group_name |
| ivadmin_group_get() | PDGroup constructor | pdadmin group show group_name |
| ivadmin_group_getbydn() | PDGroup constructor | pdadmin group show-dn dn |
| ivadmin_group_getcn() | Will not be supported. | pdadmin group show group_name |
| ivadmin_group_getdescription() | PDGroup object.getDescription | pdadmin group show group_name |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_group_getdn() | PDGroup object.getRgyName | pdadmin group show group_name |
| ivadmin_group_getid() | PDGroup object.getId | pdadmin group show group_name |
| ivadmin_group_getmembers() | PDGroup object.getMembers | pdadmin group show-members group_name |
| ivadmin_group_import2() | PDGroup.importGroup | pdadmin group import group_name dn |
| ivadmin_group_list() | PDGroup.listGroups | pdadmin group list pattern max_return |
| ivadmin_group_listbydn() | PDGroup.listGroups | pdadmin group list-dn pattern max_return |
| ivadmin_group_removemembers() | PDGroup.removeMembers; PDGroup object.removeMembers | pdadmin group modify group_name remove (user_name1 user_name2 ...) |
| ivadmin_group_setdescription() | PDGroup.setDescription; PDGroup object.setDescription | pdadmin group modify group_name description description |
| ivadmin_message_getcount() | not applicable | not applicable |
| ivadmin_objectspace_create() | PDProtObjectSpace.createProtObjectSpace | pdadmin objectspace create objectspace_name |
| ivadmin_objectspace_delete() | PDProtObjectSpace.deleteProtObjectSpace | pdadmin objectspace delete objectspace_name |
| ivadmin_objectspace_list() | PDProtObjectSpace.listProtObjectSpaces | pdadmin objectspace list |
| ivadmin_pop_attach() | Not supported at this time. | pdadmin attach object_name pop_name |
| ivadmin_pop_attrdelkey() | Not supported at this time. | pdadmin pop modify pop_name delete attribute attribute_name |
| ivadmin_pop_attrdelval() | Not supported at this time. | pdadmin pop modify pop_name delete attribute attribute_name attribute_value |
| ivadmin_pop_attrget() | Not supported at this time. | pdadmin pop show pop_name attribute |
| ivadmin_pop_attrlist() | Not supported at this time. | pdadmin pop list pop_name attribute |
| ivadmin_pop_attrput() | Not supported at this time. | pdadmin pop modify pop_name set attribute attribute_name attribute_value |
| ivadmin_pop_create() | Not supported at this time. | pdadmin pop create pop_name |
| ivadmin_pop_delete() | Not supported at this time. | pdadmin pop delete pop_name |
| ivadmin_pop_detach() | Not supported at this time. | pdadmin pop detach pop_name |
| ivadmin_pop_find() | Not supported at this time. | pdadmin pop find pop_name |
| ivadmin_pop_get() | Not supported at this time. | pdadmin pop show pop_name |
| ivadmin_pop_getauditlevel() | Not supported at this time. | pdadmin pop show pop_name |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_pop_getdescription() | Not supported at this time. | pdadmin pop show pop_name |
| ivadmin_pop_getid() | Not supported at this time. | pdadmin pop show pop_name |
| ivadmin_pop_getqop() | Not supported at this time. | pdadmin pop show pop_name |
| ivadmin_pop_gettod() | Not supported at this time. | pdadmin pop show pop_name |
| ivadmin_pop_getwarnmode() | Not supported at this time. | pdadmin pop show pop_name |
| ivadmin_pop_list() | Not supported at this time. | pdadmin pop list |
| ivadmin_pop_removeipauth() | Not supported at this time. | pdadmin pop modify pop_name set ipauth remove network netmask |
| ivadmin_pop_setanyothernw() | Not supported at this time. | pdadmin pop modify pop_name set ipauth anyothernw authentication_level |
| ivadmin_pop_setanyothernw_forbidden() | Not supported at this time. | pdadmin pop modify pop_name set ipauth anyothernw forbidden |
| ivadmin_pop_setauditlevel() | Not supported at this time. | pdadmin pop modify pop_name set audit-level [all \| none \| audit_level_list] |
| ivadmin_pop_setdescription() | Not supported at this time. | pdadmin pop modify pop_name set description description |
| ivadmin_pop_setipauth() | Not supported at this time. | pdadmin pop modify pop_name set ipauth add network netmask authentication_level |
| ivadmin_pop_setipauth_forbidden() | Not supported at this time. | pdadmin pop modify pop_name set ipauth add network netmask forbidden |
| ivadmin_pop_setqop() | Not supported at this time. | pdadmin pop modify pop_name set qop [none \| integrity \| privacy] |
| ivadmin_pop_settod() | Not supported at this time. | pdadmin pop modify pop_name set tod-access tod_value |
| ivadmin_pop_setwarnmode() | Not supported at this time. | pdadmin pop modify pop_name set warning [on \| off] |
| ivadmin_protobj_attachacl() | PDProtObject.attachAcl; PDProtObject object.attachAcl | pdadmin acl attach object_name acl_name |
| ivadmin_protobj_attrdelkey() | PDProtObject.deleteAttribute; PDProtObject object.deleteAttribute | pdadmin object modify object_name delete attribute_name |
| ivadmin_protobj_attrdelval() | PDProtObject.deleteAttributeValue; PDProtObject object.deleteAttributeValue | pdadmin object modify object_name delete attribute_name attribute_value |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_protobj_attrget() | PDProtObject object.getAttributeValues | pdadmin object show object_name attribute attribute_name |
| ivadmin_protobj_attrlist() | PDProtObject object.getAttributeNames | pdadmin object list object_name attribute |
| ivadmin_protobj_attrput() | PDProtObject.setAttributeValue; PDProtObject object.setAttributeValue | pdadmin object modify object_name set attribute attribute_name attribute_value |
| ivadmin_protobj_create() | PDProtObject.createProtObject | pdadmin object create object_name |
| ivadmin_protobj_delete() | PDProtObject.deleteProtObject | pdadmin object delete object_name |
| ivadmin_protobj_detachacl() | PDProtObject.detachAcl; PDProtObject object.detachAcl | pdadmin acl detach object_name |
| ivadmin_protobj_get2() | PDProtObject constructor | pdadmin object show object_name |
| ivadmin_protobj_getacl() | PDProtObject object.getAcl | pdadmin object show object_name |
| ivadmin_protobj_getdesc() | PDProtObject object.getDescription | pdadmin object show object_name |
| ivadmin_protobj_getid() | PDProtObject object.getId | pdadmin object show object_name |
| ivadmin_protobj_getpolicyattachable() | PDProtObject object.isPolicyAttachable | pdadmin object show object_name |
| ivadmin_protobj_getpop() | Not supported at this time. | not applicable |
| ivadmin_protobj_gettype() | Will not be supported. | pdadmin object show object_name |
| ivadmin_protobj_list3() | PDProtObject.listProtObjects | pdadmin object list directory_name |
| ivadmin_protobj_listbyacl() | PDProtObject.listProtObjectsByAcl | pdadmin acl find acl_name |
| ivadmin_protobj_setdesc() | PDProtObject.setDescription; PDProtObject object.setDescription | pdadmin object modify object_name description description |
| ivadmin_protobj_setname() | Will not be supported. | pdadmin object modify object_name name name conflict_resolution resolution_modifier |
| ivadmin_protobj_setpolicyattachable() | PDProtObject.setPolicyAttachable; PDProtObject object.setPolicyAttachable | pdadmin object modify object_name isPolicyAttachable [yes \| no] |
| ivadmin_protobj_settype() | Will not be supported. | pdadmin object modify object_name type type |
| ivadmin_response_getcode() | not applicable | not applicable |
| ivadmin_response_getcount() | not applicable | not applicable |
| ivadmin_response_getmessage() | not applicable | not applicable |
| ivadmin_response_getmodifier() | not applicable | not applicable |
| ivadmin_response_getok() | not applicable | not applicable |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_server_gettasklist() | Not supported at this time. | pdadmin server listtasks server_name |
| ivadmin_server_performtask() | Not supported at this time. | pdadmin server task server_name task_to_perform |
| ivadmin_server_replicate() | Not supported at this time. | pdadmin server replicate server_name |
| ivadmin_ssocred_create() | Not supported at this time. | pdadmin rsrccred create resource_name rsrcuser resource_userid rsrcpwd resource_pwd rsrctype [web \| group] user user_name |
| ivadmin_ssocred_delete() | Not supported at this time. | pdadmin rsrccred delete resource_name rsrctype [web \| group] user user_name |
| ivadmin_ssocred_get() | Not supported at this time. | pdadmin rsrccred show resource_name rsrctype [web \| group] user user_name |
| ivadmin_ssocred_getid() | Not supported at this time. | pdadmin rsrccred show resource_name rsrctype [web \| group] user user_name |
| ivadmin_ssocred_getssopassword() | Not supported at this time. | not applicable |
| ivadmin_ssocred_getssouser() | Not supported at this time. | not applicable |
| ivadmin_ssocred_gettype() | Not supported at this time. | pdadmin rsrccred show resource_name rsrctype [web \| group] user user_name |
| ivadmin_ssocred_getuser() | Not supported at this time. | pdadmin rsrccred show resource_name rsrctype [web \| group] user user_name |
| ivadmin_ssocred_list() | Not supported at this time. | pdadmin rsrccred list user user_name |
| ivadmin_ssocred_set() | Not supported at this time. | pdadmin rsrccred modify resource_name rsrctype [web \| group] [-rsrcuser resource_userid] [-rsrcpwd resource_pwd] user user_name |
| ivadmin_ssogroup_addres() | Not supported at this time. | pdadmin rsrcgroup modify resource_group_name add rsrcname resource_name |
| ivadmin_ssogroup_create() | Not supported at this time. | pdadmin rsrcgroup create resource_group_name [-desc description] |
| ivadmin_ssogroup_delete() | Not supported at this time. | pdadmin rsrcgroup delete resource_group_name |
| ivadmin_ssogroup_get() | Not supported at this time. | pdadmin rsrcgroup show resource_group_name |
| ivadmin_ssogroup_getdescription() | Not supported at this time. | pdadmin rsrcgroup show resource_group_name |
| ivadmin_ssogroup_getid() | Not supported at this time. | pdadmin rsrcgroup show resource_group_name |
| ivadmin_ssogroup_getresources() | Not supported at this time. | pdadmin rsrcgroup show resource_group_name |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_ssogroup_list() | Not supported at this time. | pdadmin rsrcgroup list |
| ivadmin_ssogroup_removeres() | Not supported at this time. | pdadmin rsrcgroup modify resource_group_name remove rsrcname resource_name |
| ivadmin_ssoweb_create() | Not supported at this time. | pdadmin rsrc create resource_name [-desc description] |
| ivadmin_ssoweb_delete() | Not supported at this time. | pdadmin rsrc delete resource_name |
| ivadmin_ssoweb_get() | Not supported at this time. | pdadmin rsrc show resource_name |
| ivadmin_ssoweb_getdescription() | Not supported at this time. | pdadmin rsrc show resource_name |
| ivadmin_ssoweb_getid() | Not supported at this time. | pdadmin rsrc show resource_name |
| ivadmin_ssoweb_list() | Not supported at this time. | pdadmin rsrc list |
| ivadmin_user_create3() | PDUser.createUser | pdadmin user create [-gsouser] [-no-password-policy] user_name dn cn sn pwd (group1 group2 ....) |
| ivadmin_user_delete2() | PDUser.deleteUser | pdadmin user delete [-registry] user_name |
| ivadmin_user_get() | PDUser constructor | pdadmin user show user_name |
| ivadmin_user_getaccexpdate() | PDPolicy object.getAcctExpDate | pdadmin user get account-expiry-date [-user user_name] |
| ivadmin_user_getaccountvalid() | PDUser object.isAccountValid | pdadmin user show user_name |
| ivadmin_user_getauthmech() | Will not be supported. | pdadmin user show user_name |
| ivadmin_user_getbydn() | PDUser constructor | pdadmin user show-dn dn |
| ivadmin_user_getcn() | PDUser object.getFirstName | pdadmin user show user_name |
| ivadmin_user_getdescription() | PDUser object.getDescription | pdadmin user show user_name |
| ivadmin_user_getdisabletimeint() | PDPolicy object.getAcctDisableTimeInterval | pdadmin policy get disable-time-interval [-user user_name] |
| ivadmin_user_getdn() | PDUser object.getRgyName | pdadmin user show user_name |
| ivadmin_user_getid() | PDUser object.getId | pdadmin user show user_name |
| ivadmin_user_getmaxlgnfails() | PDPolicy object.getMaxFailedLogins | pdadmin policy get max-login-failures [-user user_name] |
| ivadmin_user_getmaxpwdage() | PDPolicy object.getMaxPwdAge | pdadmin policy get max-password-age [-user user_name] |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_user_getmaxpwdrepchars() | PDPolicy object.getMaxPwdRepChars | pdadmin policy get max-password-repeated-chars [-user user_name] |
| ivadmin_user_getmemberships() | PDUser object.getGroups | pdadmin user show-groups user_name |
| ivadmin_user_getminpwdalphas() | PDPolicy object.getMinPwdAlphas | pdadmin policy get min-password-alphas [-user user_name] |
| ivadmin_user_getminpwdlen() | PDPolicy object.getMinPwdLen | pdadmin policy get min-password-length [-user user_name] |
| ivadmin_user_getminpwdnonalphas() | PDPolicy object.getMinPwdNonAlphas | pdadmin policy get min-password-non-alphas [-user user_name] |
| ivadmin_user_getpasswordvalid() | PDUser object.isPasswordValid | pdadmin user show user_name |
| ivadmin_user_getpwdspaces() | PDPolicy object.pwdSpacesAllowed | pdadmin policy get password-spaces [-user user_name] |
| ivadmin_user_getsn() | PDUser object.getLastName | pdadmin user show user_name |
| ivadmin_user_getssouser() | PDUser object.isSSOUser | pdadmin user show user_name |
| ivadmin_user_gettodaccess() | PDPolicy object.getAccessibleDays; PDPolicy object.getAccessStartTime; PDPolicy object.getAccessEndTime | pdadmin policy get tod-access -user user_name |
| ivadmin_user_import2() | PDUser.importUser | pdadmin user import [-gsouser] user_name dn |
| ivadmin_user_list() | PDUser.listUsers | pdadmin user list pattern max_return |
| ivadmin_user_listbydn() | PDUser.listUsers | pdadmin user list-dn pattern max_return |
| ivadmin_user_setaccexpdate() | PDPolicy.setAcctExpDate; PDPolicy object.setAcctExpDate | pdadmin policy set account-expiry-date [unlimited\|absolute_time\|unset] [-user user_name] |
| ivadmin_user_setaccountvalid() | PDUser.setAccountValid; PDUser object.setAccountValid | pdadmin user modify user_name account-valid [yes\|no] |
| ivadmin_user_setauthmech() | Will not be supported. | pdadmin user modify user_name authentication-mechanism mech |
| ivadmin_user_setdescription() | PDUser.setDescription; PDUser object.setDescription | pdadmin user modify user_name description description |
| ivadmin_user_setdisabletimeint() | PDPolicy.setAcctDisableTime; PDPolicy object.setAcctDisableTime | pdadmin policy set disable-time-interval [number\|unset\|disable] [-user user_name] |


Table 38. Mapping between administration C API, Java methods, and the command line interface (continued)

| C API | Java Class and Method | Command Line Equivalent |
| --- | --- | --- |
| ivadmin_user_setmaxlgnfails() | PDPolicy.setMaxFailedLogins; PDPolicy object.setMaxFailedLogins | pdadmin policy set max-login-failures [number\|unset] [-user user_name] |
| ivadmin_user_setmaxpwdage() | PDPolicy.setMaxPwdAge; PDPolicy object.setMaxPwdAge | pdadmin policy set max-password-age [unset\|relative_time] [-user user_name] |
| ivadmin_user_setmaxpwdrepchars() | PDPolicy.setMaxPwdRepChars; PDPolicy object.setMaxPwdRepChars | pdadmin policy set max-password-repeated-chars [number\|unset] [-user user_name] |
| ivadmin_user_setminpwdalphas() | PDPolicy.setMinPwdAlphas; PDPolicy object.setMinPwdAlphas | pdadmin policy set min-password-alphas [number\|unset] [-user user_name] |
| ivadmin_user_setminpwdlen() | PDPolicy.setMinPwdLen; PDPolicy object.setMinPwdLen | pdadmin policy set min-password-length [number\|unset] [-user user_name] |
| ivadmin_user_setminpwdnonalphas() | PDPolicy.setMinPwdNonAlphas; PDPolicy object.setMinPwdNonAlphas | pdadmin policy set min-password-non-alphas [number\|unset] [-user user_name] |
| ivadmin_user_setpassword() | PDUser.setPassword; PDUser object.setPassword | pdadmin user modify user_name password password |
| ivadmin_user_setpasswordvalid() | PDUser.setPasswordValid; PDUser object.setPasswordValid | pdadmin user modify user_name password-valid [yes\|no] |
| ivadmin_user_setpwdspaces() | PDPolicy.setPwdSpacesAllowed; PDPolicy object.setPwdSpacesAllowed | pdadmin policy set password-spaces [yes\|no\|unset] [-user user_name] |
| ivadmin_user_setssouser() | PDUser.setSSOUser; PDUser object.setSSOUser | pdadmin user modify user_name gsouser [yes\|no] |
| ivadmin_user_settodaccess() | PDPolicy.setTodAccess; PDPolicy object.setTodAccess | pdadmin policy set tod-access tod_value -user user_name |


Appendix D. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:


AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Index

Aaccess control list entries, table 29access control list entry types 28access control lists, table 28accessibility xviiiaccount functions, table 19, 20accounts 18action group functions, table 31action groups

overview 30adding development systems 4ADK 2ADK component 2administration API

installing 3administration tasks 43any-authenticated 28any-other 28API differences 291application developer kit (ADK) 2application development kit (ADK) 2application, deploying 4applications, building 3audit log 34audit records 34azn_creds_get_pac() function 9

Bbooks

feedback xiiionline xiiiordering xiii

building applications 3

Ccleanup of the Administration API 15commands, pdadmin 2commands, svrsslcfg 2components 2container objects 24conventions xviiicreating LDAP users 9creating objects 9creating objects, example 10creating Privilege Attribute Certificate data 9creating protected objects 186Customer Support xviii

Ddelegating user credentials 9deleting a security context 15demonstration program 4deploying an application 4deprecated functions 285

ivadmin_cfg_configureserver() 285ivadmin_group_addmember() 285

deprecated functions (continued)ivadmin_group_create() 285ivadmin_group_delete() 285ivadmin_group_import() 285ivadmin_group_removemember() 285ivadmin_protobj_get() 285ivadmin_protobj_list2() 285ivadmin_user_create() 285ivadmin_user_create2() 285ivadmin_user_delete() 285ivadmin_user_import() 285

detecting errors 13development systems, adding 4

Ee-mail contact xviiierror codes 14error conditions 10error handling 13error message modifiers 15error messages, text 13errors, detecting 13establishing security contexts 7examples

creating objects 10functions that read values 12ivadmin_context_delete() 15modifying the maximum password age 10program 4returned data types 11set operations 10setting account expiration dates 10

extended action functions, table 30extended actions, overview 30

Ffeedback about publications xviiifiles, installation directories 3freeing memory 15functions

azn_creds_get_pac() 9deprecated 285ivadmin_acl_attrdelkey() 48ivadmin_acl_attrdelval() 49ivadmin_acl_attrget() 50ivadmin_acl_attrlist() 51ivadmin_acl_attrput() 52ivadmin_acl_create() 53ivadmin_acl_delete() 54ivadmin_acl_get() 55ivadmin_acl_getanyother() 56ivadmin_acl_getdescription() 57ivadmin_acl_getgroup() 58ivadmin_acl_getid() 59ivadmin_acl_getunauth() 60ivadmin_acl_getuser() 61ivadmin_acl_list() 62ivadmin_acl_listgroups() 63

© Copyright IBM Corp. 2000, 2002 307

Page 330: Administration C API Developer’s Referencepublib.boulder.ibm.com/.../en_US/PDF/am39_adminC_devref.pdfVersion 39. GC32-0843-00 IBM Tivoli Access Manager Administration C API Developer’s

functions (continued)ivadmin_acl_listusers() 64ivadmin_acl_removeanyother() 65ivadmin_acl_removegroup() 66ivadmin_acl_removeunauth() 67ivadmin_acl_removeuser() 68ivadmin_acl_setanyother() 69ivadmin_acl_setdescription() 70ivadmin_acl_setgroup() 71ivadmin_acl_setunauth() 72ivadmin_acl_setuser() 73ivadmin_action_create_in_group() 76ivadmin_action_create() 74ivadmin_action_delete_from_group() 79ivadmin_action_delete() 78ivadmin_action_getdescription 80ivadmin_action_getid() 81ivadmin_action_gettype() 82ivadmin_action_group_create() 83ivadmin_action_group_delete() 84ivadmin_action_group_list() 85ivadmin_action_list_in_group() 87ivadmin_action_list() 86ivadmin_cfg_addreplica() 88ivadmin_cfg_chgreplica() 89ivadmin_cfg_configureserver2() 90ivadmin_cfg_renewservercert() 92ivadmin_cfg_rmvreplica() 93ivadmin_cfg_setapplicationcert() 94ivadmin_cfg_setkeyringpwd() 95ivadmin_cfg_setlistening() 96ivadmin_cfg_setport() 97ivadmin_cfg_setssltimeout() 98ivadmin_cfg_unconfigureserver() 99ivadmin_context_cleardelcred() 100ivadmin_context_create() 8, 9, 101ivadmin_context_createdefault 8ivadmin_context_createdefault() 7, 8, 103ivadmin_context_delete() 15, 104ivadmin_context_getaccexpdate() 105ivadmin_context_getdisabletimeint() 106ivadmin_context_getmaxlgnfails() 107ivadmin_context_getmaxpwdage() 108ivadmin_context_getmaxpwdrepchars() 109ivadmin_context_getminpwdalphas() 110ivadmin_context_getminpwdlen() 112ivadmin_context_getminpwdnonalphas() 111ivadmin_context_getpwdspaces() 113ivadmin_context_gettodaccess() 114ivadmin_context_getuserreg() 115ivadmin_context_setaccexpdate() 116ivadmin_context_setdelcred() 9, 117ivadmin_context_setdisabletimeint() 118ivadmin_context_setmaxlgnfails 119ivadmin_context_setmaxpwdage() 120ivadmin_context_setmaxpwdrepchars() 121ivadmin_context_setminpwdalphas() 122ivadmin_context_setminpwdlen() 124ivadmin_context_setminpwdnonalphas() 123ivadmin_context_settodaccess() 126ivadmin_free() 15, 127ivadmin_group_addmembers() 128ivadmin_group_create2() 
129ivadmin_group_delete2() 131ivadmin_group_get() 132ivadmin_group_getbydn() 133ivadmin_group_getcn() 134

functions (continued)ivadmin_group_getdescription() 135ivadmin_group_getdn 136ivadmin_group_getid() 137ivadmin_group_getmembers() 138ivadmin_group_import2() 139ivadmin_group_list() 140ivadmin_group_listbydn() 142ivadmin_group_removemembers() 144ivadmin_group_setdescription() 145ivadmin_message_getcount() 15ivadmin_objectspace_create() 146ivadmin_objectspace_delete() 148ivadmin_objectspace_list() 149ivadmin_pop_attach() 150ivadmin_pop_attrdelkey() 151ivadmin_pop_attrdelval() 152ivadmin_pop_attrget() 153ivadmin_pop_attrlist() 154ivadmin_pop_attrput() 155ivadmin_pop_create() 156ivadmin_pop_delete() 157ivadmin_pop_detach() 158ivadmin_pop_find() 159ivadmin_pop_get() 160ivadmin_pop_getauditlevel() 161ivadmin_pop_getdescription() 162ivadmin_pop_getid() 163ivadmin_pop_getqop() 164ivadmin_pop_gettod() 165ivadmin_pop_getwarnmode() 167ivadmin_pop_list() 168ivadmin_pop_removeipauth() 169ivadmin_pop_setanyothernw_forbidden() 171ivadmin_pop_setanyothernw() 34, 170ivadmin_pop_setauditlevel() 172ivadmin_pop_setdescription() 173ivadmin_pop_setipauth_forbidden() 175ivadmin_pop_setipauth() 34, 174ivadmin_pop_setqop() 176ivadmin_pop_settod() 177ivadmin_pop_setwarnmode() 179ivadmin_protobj_attachacl() 180ivadmin_protobj_attrdelkey() 181ivadmin_protobj_attrdelval() 182ivadmin_protobj_attrget() 183ivadmin_protobj_attrlist() 184ivadmin_protobj_attrput() 185ivadmin_protobj_create() 186ivadmin_protobj_delete() 187ivadmin_protobj_detachacl() 188ivadmin_protobj_get2() 189ivadmin_protobj_getacl() 191ivadmin_protobj_getdesc() 192ivadmin_protobj_getid() 193ivadmin_protobj_getpolicyattachable() 194ivadmin_protobj_getpop() 195ivadmin_protobj_gettype() 196ivadmin_protobj_list3() 197ivadmin_protobj_listbyacl() 199ivadmin_protobj_setdesc() 200ivadmin_protobj_setname() 201ivadmin_protobj_setpolicyattachable() 202ivadmin_protobj_settype() 203ivadmin_response_getcode() 14, 204ivadmin_response_getcount() 13, 14, 205ivadmin_response_getmessage() 14, 206

308 IBM Tivoli Access Manager: Administration C API Developer’s Reference

Page 331: Administration C API Developer’s Referencepublib.boulder.ibm.com/.../en_US/PDF/am39_adminC_devref.pdfVersion 39. GC32-0843-00 IBM Tivoli Access Manager Administration C API Developer’s

functions (continued)ivadmin_response_getmodifier() 15, 207ivadmin_response_getok() 13, 208ivadmin_server_gettasklist() 209ivadmin_server_performtask() 211ivadmin_server_replicate() 213ivadmin_ssocred_create() 214ivadmin_ssocred_delete() 215ivadmin_ssocred_get() 216ivadmin_ssocred_getid() 217ivadmin_ssocred_getssopassword() 218ivadmin_ssocred_getssouser() 219ivadmin_ssocred_gettype() 220ivadmin_ssocred_getuser() 221ivadmin_ssocred_list() 222ivadmin_ssocred_set() 223ivadmin_ssogroup_addres() 224ivadmin_ssogroup_create() 225ivadmin_ssogroup_delete() 226ivadmin_ssogroup_get() 227ivadmin_ssogroup_getdescription() 228ivadmin_ssogroup_getid() 229ivadmin_ssogroup_getresources() 230ivadmin_ssogroup_list() 231ivadmin_ssogroup_removeres() 232ivadmin_ssoweb_create() 233ivadmin_ssoweb_delete() 234ivadmin_ssoweb_get() 235ivadmin_ssoweb_getdescription() 236ivadmin_ssoweb_getid() 237ivadmin_ssoweb_list() 238ivadmin_user_create3() 9, 17, 239ivadmin_user_delete2() 17, 241ivadmin_user_get() 242ivadmin_user_getaccexpdate() 243ivadmin_user_getaccountvalid() 244ivadmin_user_getauthmech() 245ivadmin_user_getbydn() 246ivadmin_user_getcn() 247ivadmin_user_getdescription() 248ivadmin_user_getdisabletimeint() 249ivadmin_user_getdn() 250ivadmin_user_getid() 251ivadmin_user_getmaxlgnfails() 252ivadmin_user_getmaxpwdage() 253ivadmin_user_getmaxpwdrepchars() 254ivadmin_user_getmemberships() 255ivadmin_user_getminpwdalphas() 256ivadmin_user_getminpwdlen() 257ivadmin_user_getminpwdnonalphas() 258ivadmin_user_getpasswordvalid() 259ivadmin_user_getpwdspaces() 260ivadmin_user_getsn() 261ivadmin_user_getssouser() 262ivadmin_user_gettodaccess() 263ivadmin_user_import2() 264ivadmin_user_list() 13, 265ivadmin_user_listbydn() 267ivadmin_user_setaccexpdate() 10, 269ivadmin_user_setaccountvalid() 270ivadmin_user_setauthmech() 271ivadmin_user_setdescription() 272ivadmin_user_setdisabletimeint() 273ivadmin_user_setmaxlgnfails() 274ivadmin_user_setmaxpwdage() 10, 275ivadmin_user_setmaxpwdrepchars() 
276ivadmin_user_setminpwdalphas() 277

functions (continued)ivadmin_user_setminpwdlen() 278ivadmin_user_setminpwdnonalphas() 279ivadmin_user_setpassword() 280ivadmin_user_setpasswordvalid() 281ivadmin_user_setpwdspaces() 282ivadmin_user_setssouser() 283ivadmin_user_settodaccess() 284

functions ivadmin_context_setpwdspaces() 125functions, deprecated

ivadmin_cfg_configureserver() 285ivadmin_group_addmember() 285ivadmin_group_create() 285ivadmin_group_delete() 285ivadmin_group_import() 285ivadmin_group_removemember() 285ivadmin_protobj_get() 285ivadmin_protobj_list2() 285ivadmin_user_create() 285ivadmin_user_create2() 285ivadmin_user_delete() 285ivadmin_user_import() 285

Ggetting administration tasks 43getting objects 11group attributes, table 21group functions, table 21groups

access control list entry type 28overview 17

IIBM Global Security Toolkit 3IBM SecureWay Directory client 3initialization of response objects 13installation 3installation directories 3installation requirements 3ivadmin_acl object 28ivadmin_acl_attrdelkey() function 48ivadmin_acl_attrdelval() function 49ivadmin_acl_attrget() function 50ivadmin_acl_attrlist() function 51ivadmin_acl_attrput() function 52ivadmin_acl_create() function 53ivadmin_acl_delete() function 54ivadmin_acl_get() function 55ivadmin_acl_getanyother() function 56ivadmin_acl_getdescription() function 57ivadmin_acl_getgroup() function 58ivadmin_acl_getid() function 59ivadmin_acl_getunauth() function 60ivadmin_acl_getuser() function 61ivadmin_acl_list() function 62ivadmin_acl_listgroups() function 63ivadmin_acl_listusers() function 64ivadmin_acl_removeanyother() function 65ivadmin_acl_removegroup() function 66ivadmin_acl_removeunauth() function 67ivadmin_acl_removeuser() function 68ivadmin_acl_setanyother() function 69ivadmin_acl_setdescription() function 70ivadmin_acl_setgroup() function 71

Index 309

Page 332: Administration C API Developer’s Referencepublib.boulder.ibm.com/.../en_US/PDF/am39_adminC_devref.pdfVersion 39. GC32-0843-00 IBM Tivoli Access Manager Administration C API Developer’s

ivadmin_acl_setunauth() function 72ivadmin_acl_setuser() function 73ivadmin_action_create_in_group() function 76ivadmin_action_create() function 74ivadmin_action_delete_from_group() function 79ivadmin_action_delete() function 78ivadmin_action_getdescription() function 80ivadmin_action_getid() function 81ivadmin_action_gettype() function 82ivadmin_action_group_create() function 83ivadmin_action_group_delete() function 84ivadmin_action_group_list() function 85ivadmin_action_list_in_group() function 87ivadmin_action_list() function 86ivadmin_cfg_addreplica() function 88ivadmin_cfg_chgreplica() function 89ivadmin_cfg_configureserver() deprecated function 285ivadmin_cfg_configureserver2() function 90ivadmin_cfg_renewservercert() function 92ivadmin_cfg_rmvreplica() function 93ivadmin_cfg_setapplicationcert() function 94ivadmin_cfg_setkeyringpwd() function 95ivadmin_cfg_setlistening() function 96ivadmin_cfg_setport() function 97ivadmin_cfg_setssltimeout() function 98ivadmin_cfg_unconfigureserver() function 99ivadmin_context object 8, 15ivadmin_context_cleardelcred() function 100ivadmin_context_create() function 8, 9, 101ivadmin_context_createdefault() function 7, 8, 103ivadmin_context_delete() function 15, 104ivadmin_context_getaccexpdate() function 105ivadmin_context_getdisabletimeint() function 106ivadmin_context_getmaxlgnfails() function 107ivadmin_context_getmaxpwdage() function 108ivadmin_context_getmaxpwdrepchars() function 109ivadmin_context_getminpwdalphas() function 110ivadmin_context_getminpwdlen() function 112ivadmin_context_getminpwdnonalphas() function 111ivadmin_context_getpwdspaces() function 113ivadmin_context_gettodaccess() function 114ivadmin_context_getuserreg() function 115ivadmin_context_setaccexpdate() function 116ivadmin_context_setdelcred() function 9, 117ivadmin_context_setdisabletimeint() function 118ivadmin_context_setmaxlgnfails() function 119ivadmin_context_setmaxpwdage() function 10, 120ivadmin_context_setmaxpwdrepchars() function 
121ivadmin_context_setminpwdalphas() function 122ivadmin_context_setminpwdlen() function 124ivadmin_context_setminpwdnonalphas() function 123ivadmin_context_setpwdspaces() function 125ivadmin_context_settodaccess() functions 126IVADMIN_FALSE 13ivadmin_free() function 15, 127ivadmin_group_addmember() deprecated function 285ivadmin_group_addmembers() function 128ivadmin_group_create() deprecated function 285ivadmin_group_create2() function 129ivadmin_group_delete() deprecated function 285ivadmin_group_delete2() function 131ivadmin_group_get() function 132ivadmin_group_getbydn() function 133ivadmin_group_getcn() function 134ivadmin_group_getdescription() function 135ivadmin_group_getdn() function 136ivadmin_group_getid() function 137

ivadmin_group_getmembers() function 138
ivadmin_group_import() deprecated function 285
ivadmin_group_import2() function 139
ivadmin_group_list() function 140
ivadmin_group_listbydn() function 142
ivadmin_group_removemember() deprecated function 285
ivadmin_group_removemembers() function 144
ivadmin_group_setdescription() function 145
ivadmin_message_getcount() function 15
ivadmin_objectspace_create() function 146
ivadmin_objectspace_delete() function 148
ivadmin_objectspace_list() function 149
ivadmin_pop object 33
ivadmin_pop_attach() function 150
ivadmin_pop_attrdelkey() function 151
ivadmin_pop_attrdelval() function 152
ivadmin_pop_attrget() function 153
ivadmin_pop_attrlist() function 154
ivadmin_pop_attrput() function 155
ivadmin_pop_create() function 156
ivadmin_pop_delete() function 157
ivadmin_pop_detach() function 158
ivadmin_pop_find() function 159
ivadmin_pop_get() function 160
ivadmin_pop_getauditlevel() function 161
ivadmin_pop_getdescription() function 162
ivadmin_pop_getid() function 163
ivadmin_pop_getqop() function 164
ivadmin_pop_gettod() function 165
ivadmin_pop_getwarnmode() function 167
ivadmin_pop_list() function 168
ivadmin_pop_removeipauth() function 169
ivadmin_pop_setanyothernw_forbidden() function 171
ivadmin_pop_setanyothernw() function 34, 170
ivadmin_pop_setauditlevel() function 172
ivadmin_pop_setdescription function() 173
ivadmin_pop_setipauth_forbidden() function 175
ivadmin_pop_setipauth() function 34, 174
ivadmin_pop_setqop() function 176
ivadmin_pop_settod() function 177
ivadmin_pop_setwarnmode() function 179
ivadmin_protobj_attachacl() function 180
ivadmin_protobj_attrdelkey() function 181
ivadmin_protobj_attrdelval() function 182
ivadmin_protobj_attrget() function 183
ivadmin_protobj_attrlist() function 184
ivadmin_protobj_attrput() function 185
ivadmin_protobj_create() function 186
ivadmin_protobj_delete() function 187
ivadmin_protobj_detachacl() function 188
ivadmin_protobj_get() deprecated function 285
ivadmin_protobj_get2() function 189
ivadmin_protobj_getacl() function 191
ivadmin_protobj_getdesc() function 192
ivadmin_protobj_getid() function 193
ivadmin_protobj_getpolicyattachable() function 194
ivadmin_protobj_getpop() function 195
ivadmin_protobj_gettype() function 196
ivadmin_protobj_list2() deprecated function 285
ivadmin_protobj_list3() function 197
ivadmin_protobj_listbyacl() function 199
ivadmin_protobj_setdesc() function 200
ivadmin_protobj_setname() function 201
ivadmin_protobj_setpolicyattachable() function 202
ivadmin_protobj_settype() function 203
ivadmin_response object 8, 10, 13, 15
IVADMIN_RESPONSE_ERROR 15


ivadmin_response_getcode() function 14, 204
ivadmin_response_getcount() function 13, 14, 205
ivadmin_response_getmessage() function 14, 206
ivadmin_response_getmodifier() function 15, 207
ivadmin_response_getok() function 13, 208
IVADMIN_RESPONSE_INFO 15
IVADMIN_RESPONSE_WARNING 15
ivadmin_server_gettasklist() function 209
ivadmin_server_performtask() function 211
ivadmin_server_replicate() function 213
ivadmin_ssocred_create() function 214
ivadmin_ssocred_delete() function 215
ivadmin_ssocred_get() function 216
ivadmin_ssocred_getid() function 217
ivadmin_ssocred_getssopassword() function 218
ivadmin_ssocred_getssouser() function 219
ivadmin_ssocred_gettype() function 220
ivadmin_ssocred_getuser() function 221
ivadmin_ssocred_list() function 222
ivadmin_ssocred_set() function 223
ivadmin_ssogroup_addres() function 224
ivadmin_ssogroup_create() function 225
ivadmin_ssogroup_delete() function 226
ivadmin_ssogroup_get() function 227
ivadmin_ssogroup_getdescription() function 228
ivadmin_ssogroup_getid() function 229
ivadmin_ssogroup_getresources() function 230
ivadmin_ssogroup_list() function 231
ivadmin_ssogroup_removeres() function 232
ivadmin_ssoweb_create() function 233
ivadmin_ssoweb_delete() function 234
ivadmin_ssoweb_get() function 235
ivadmin_ssoweb_getdescription() function 236
ivadmin_ssoweb_getid() function 237
ivadmin_ssoweb_list() function 238
IVADMIN_TRUE 13
ivadmin_user_create() deprecated function 285
ivadmin_user_create2() deprecated function 285
ivadmin_user_create3() function 9, 17, 239
ivadmin_user_delete() deprecated function 285
ivadmin_user_delete2() function 17, 241
ivadmin_user_get() function 242
ivadmin_user_getaccexpdate() function 243
ivadmin_user_getaccountvalid() function 244
ivadmin_user_getauthmech() function 245
ivadmin_user_getbydn() function 246
ivadmin_user_getcn() function 247
ivadmin_user_getdescription() function 248
ivadmin_user_getdisabletimeint() function 249
ivadmin_user_getdn() function 250
ivadmin_user_getid() function 251
ivadmin_user_getmaxlgnfails() function 252
ivadmin_user_getmaxpwdage() function 253
ivadmin_user_getmaxpwdrepchars() function 254
ivadmin_user_getmemberships() function 255
ivadmin_user_getminpwdalphas() function 256
ivadmin_user_getminpwdlen() function 257
ivadmin_user_getminpwdnonalphas() function 258
ivadmin_user_getpasswordvalid() function 259
ivadmin_user_getpwdspaces() function 260
ivadmin_user_getsn() function 261
ivadmin_user_getssouser() function 262
ivadmin_user_gettodaccess() function 263
ivadmin_user_import() deprecated function 285
ivadmin_user_import2() function 264
ivadmin_user_list() function 13, 265
ivadmin_user_listbydn() function 267

ivadmin_user_setaccexpdate() function 10, 269
ivadmin_user_setaccountvalid() function 270
ivadmin_user_setauthmech() function 271
ivadmin_user_setdescription() function 272
ivadmin_user_setdisabletimeint() function 273
ivadmin_user_setmaxlgnfails() function 274
ivadmin_user_setmaxpwdage() function 275
ivadmin_user_setmaxpwdrepchars() function 276
ivadmin_user_setminpwdalphas() function 277
ivadmin_user_setminpwdlen() function 278
ivadmin_user_setminpwdnonalphas() function 279
ivadmin_user_setpassword() function 280
ivadmin_user_setpasswordvalid() function 281
ivadmin_user_setpwdspaces() function 282
ivadmin_user_setssouser() function 283
ivadmin_user_settodaccess() function 284

L
LDAP users, creating 9
libraries, linking 4
libraries, shared 2
linking libraries 4
listing object information 12

M
manuals
    feedback xiii
    online xiii
    ordering xiii
memory, freeing 15
modifying values for objects 10

N
notification wait time 44

O
object information, listing 12
object values, reading 12
objects
    creating 9, 10
    getting 11
    initialization of response objects 13
    ivadmin_acl 28
    ivadmin_context 8, 15
    ivadmin_pop 33
    ivadmin_response 8, 10, 13, 15
    modifying values 10
    PDProtObject 24
    PDProtObjectSpace 23
    setting values 10
online publications xvii
ordering publications xvii

P
password functions, table 20, 21
passwords 20
pdadmin command line utility 2
performing administration tasks 43
prerequisite publications xiii
Privilege Attribute Certificate data, creating 9


protected object attributes 25
protected object functions, table 24, 25
protected object policies 33
    administering 33
    defined 23
protected object policy (POP) 23
protected object policy extended attributes, table 35
protected object policy objects 33
protected object policy objects, table 33, 34
protected object policy settings 34
protected object policy settings, table 34, 35
protected object space functions, table 24
protected object spaces 23
protected objects 23, 24
publications
    feedback xiii
    online xiii
    ordering xiii

R
reading object values 12
registry, user 3
related publications xv
replica databases, notification threads 44
replica databases, notifying of updates 43, 44
requirements, for installation 3
resource objects 24
response objects, initialization 13
returned error conditions 10
rsp 13

S
secure domain 3
Secure Sockets Layer (SSL) 1
security context, deleting 15
security contexts, establishing
    backward compatibility 8
    delegating user credentials 9
    examples
        ivadmin_context_createdefault 8
    overview 7
    required input parameters 8
    returned objects 8
secUser 17
servers and databases, table 45
set operations, example operations 10
setting object values 10
shared libraries 2
shutdown of the Administration API 15
software requirements 3
SSL 1
svrsslcfg command line utility 2

T
Tivoli Customer Support xviii
Tivoli Information Center xvii
types, returned by get functions 11

U
unauthenticated 28
user account functions, table 19, 20
user accounts 18
user credentials, delegating 9
user functions, table 18
user password functions, table 20, 21
user passwords 20
user registry 3
    differences xix, 287
user registry users, creating 9
users 17, 28
users, creating for user registry 9
using the administration API 7

W
wait time 44
warning attribute 34


Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

GC32-0843-00