eimConnect

Purpose

Connects to the EIM domain.

Format

#include <eim.h>


int eimConnect(EimHandle      * eim,
               EimConnectInfo   connectInfo,
               EimRC          * eimrc)

Parameters

eim

(Input) The EIM handle that a previous call to eimCreateHandle returns.

connectInfo

(Input) Connect information. This parameter provides the information required to bind to LDAP. If the system is configured to connect to a secure port, EimSSLInfo is required.

For the EIM_SIMPLE connect type, the creds field should contain the EimSimpleConnectInfo structure with a binddn and password.

If the connect type is EIM_SIMPLE and you provide no binddn or password, the connection information extracted from the RACF database during the eimCreateHandle API call is used.

Note: Both the bindDn and bindPw must be NULL. Also, the previous call to eimCreateHandle must have been made with a NULL ldapURL in order for eimCreateHandle to have extracted the information from the RACF database. The resulting handle should then be used with eimConnect. If the ldapURL was not NULL, then no information was extracted from the RACF database and a NULL bindDn and bindPw will result in an EIMERR_PARM_REQ error.

EimPasswordProtect determines the level of password protection on the LDAP bind.

EIM_PROTECT_NO (0): The clear-text password is sent on the bind.
EIM_PROTECT_CRAM_MD5 (1): The protected password is sent on the bind. The server side must support cram-md5 protocol to send the protected password.
EIM_PROTECT_CRAM_MD5_OPTIONAL (2): The protected password is sent on the bind if the cram-md5 protocol is supported. Otherwise, the clear-text password is sent.

For EIM_KERBEROS, the default logon credentials are used. The kerberos_creds field must be NULL.

For EIM_CLIENT_AUTHENTICATION, the creds field is ignored. The ssl field must point to a valid EimSSLInfo structure. The keyring field is required in the EimSSLInfo structure. It can be the name of a System SSL key database file or a RACF keyring name. The keyring_pw field is required when the keyring is the name of a System SSL key database field. The certificateLabel field is optional. If it is NULL the default certificate in the keyring is used.

The structure layouts follow:

  enum EimPasswordProtect {
      EIM_PROTECT_NO,              
      EIM_PROTECT_CRAM_MD5,
      EIM_PROTECT_CRAM_MD5_OPTIONAL
  };

  enum EimConnectType {
      EIM_SIMPLE,
      EIM_KERBEROS,
      EIM_CLIENT_AUTHENTICATION
  };

 
  typedef struct EimSimpleConnectInfo 
  {
       enum EimPasswordProtect protect;
       char * bindDn;
       char * bindPw;
  } EimSimpleConnectInfo;

  typedef struct EimSSLInfo 
  {
       char * keyring;
       char * keyring_pw;
       char * certificateLabel;
  } EimSSLInfo; 

 
  typedef struct EimConnectInfo
  {
       enum EimConnectType type;
       union {
           gss_cred_id_t * kerberos;
           EimSimpleConnectInfo simpleCreds;
       } creds;
     EimSSLInfo * ssl;
   } EimConnectInfo;

eimrc

(Input/Output) The structure in which to return error code information. If the return value is not 0, EIM sets eimrc with additional information. This parameter can be NULL. For the format of the structure, see EimRC -- EIM return code parameter for C/C++.

Related Information

See the following:

Authorization

z/OS authorization

The calling application can be running in system key or supervisor state or one of the following:

The RACF user ID of the caller's address space has READ access to the BPX.SERVER profile in the FACILITY class
The current RACF user ID has READ authority to the IRR.RDCEKEY profile in the FACILITY class

Applications that are not authorized (problem program state and keys) must be program controlled (extattr +p) and the FACILITY class must be active and RACLISTed before the application will be granted authority to use this SAF service.

Return Values

The following table lists the return values from the API. Following each return value is the list of possible values for the messageCatalogMessageID field in the eimrc parameter for that value.

Return Value	Meaning
0	Request was successful.
EACCES	Access denied. Not enough permissions to access data.
EBADDATA	eimrc is not valid.
EBUSY	Unable to allocate internal system object. EIMERR_NOLOCK (26) (z/OS does not return this value.) Unable to allocate internal system object.
ECONVERT	Data conversion error. EIMERR_DATA_CONVERSION (13) (z/OS does not return this value.) Error occurred when converting data between code pages.
EINVAL	Input parameter was not valid. EIMERR_CONN_INVAL (54) Connection type is not valid. EIMERR_HANDLE_INVAL (17) EimHandle is not valid. EIMERR_NOT_SECURE (32) The system is not configured to connect to a secure port. Connection type of EIM_CLIENT_AUTHENTICATION is not valid. EIMERR_PARM_REQ (34) Missing required parameter. Please check the API documentation. EIMERR_PTR_INVAL (35) (z/OS does not return this value.) Pointer parameter is not valid. EIMERR_SSL_REQ (42) The system is configured to connect to a secure port. EimSSLInfo is required. EIMERR_CREDS_MUST_BE_NULL (58) The connectInfo parameter of the EIM API does not have a NULL value for the creds field in the EimConnectInfo structure.
EISCONN	A connection has already been established. EIMERR_CONN (11) Connection already exists.
EMVSSAFEXTRERR	A connection has already been established. EIMERR_ZOS_R_DCEKEY (6008) Callable service failed. EIMERR_ZOS_R_DCEKEY_BINDPW (6009) Callable service failed. Bind password is missing.
EMVSSAF2ERR	SAF/RACF error EIMERR_ZOS_NO_ACEE (6010) No task or address space ACEE found.
ENOMEM	Unable to allocate required space. EIMERR_NOMEM (27) No memory available. Unable to allocate required space.
ENOTSUP	Connection type is not supported. EIMERR_CONN_NOTSUPP (12) Connection type is not supported.
EUNKNOWN	Unexpected exception. EIMERR_LDAP_ERR (23) Unexpected LDAP error. EIMERR_UNKNOWN (44) Unknown error or unknown system state.

Example

The following example illustrates connecting to an EIM domain:

#include <eim.h>
#include <string.h>
 
 
.
.
. 
int           rc;
char          eimerr[200];
EimRC       * err;
EimHandle     handle;

EimConnectInfo con; 

/* Set up error structure.                 */
memset(eimerr,0x00,200);
err = (EimRC *)eimerr;
err->memoryProvidedByCaller = 200;

/* Set up connection information           */
con.type = EIM_SIMPLE;
con.creds.simpleCreds.protect = EIM_PROTECT_NO;
con.creds.simpleCreds.bindDn = "cn=admin";
con.creds.simpleCreds.bindPw = "secret";
con.ssl = NULL;
.
.
.
/* Connect to LDAP URL defined by handle with specified connection credentials */
rc = eimConnect(&handle, con, err);	
.
.
.

The following example illustrates connecting to an EIM domain using the default Kerberos credential for authentication:

#include <eim.h>
#include <string.h>
.
.
.
int rc;
char eimerr [200];
EimRC *err;
EimHandle handle;
EimConnectInfo con;

/*Set up error structure.*/
memset(eimerr,0x00,200);
err =(EimRC *)eimerr;
err->memoryProvidedByCaller =200;

/*Create new eim handle for a specified ldapURL */
ldapURL ="ldap://eimsystem:389/ibm-eimDomainName=myEimDomain,o=mycompany,c=us"; 
rc =eimCreateHandle(&handle,ldapURL,err);
.
.
.
/*Set up connection information */
memset(&con, 0x00, sizeof(con));
con.type =EIM_KERBEROS;

/*Connect to LDAP URL defined in handle with the specified connection credentials*/
rc =eimConnect(&handle,con,err);
.
.
.