Using remote authorization and audit
The remote authorization and audit services are enabled when the ICTX extended operations component is configured for IBM Tivoli Directory Server. Refer to Configuring the IBM Tivoli Directory Server for remote services support for instructions.
An application or resource manager that uses the remote audit or authorization LDAP extended operation must be capable of generating a request, sending it through the network to the appropriate z/OS IBM TDS server, and interpreting the response from the z/OS IBM TDS server. The following steps represent the typical sequence of events that are specific to the LDAP extended operations for remote authorization and auditing:
- The application must perform a simple bind to the server using a bind distinguished name of the form racfid=userid,cn=ictx, where userid is a RACF user ID that is authorized to use the remote services.
- The application must build a DER-encoded extended operation request having the defined ASN.1 syntax that is specific to the audit or authorization request. That request is then passed, together with the z/OS IBM TDS server handle and the OID of the specific request, to the LDAP client call (such as ldap_extended_operation_s()) that builds the LDAP message and sends it to the server.
- The z/OS IBM TDS server receives the request and routes it to the ICTX component, where it is decoded and processed. ICTX verifies the request syntax and the requestor's authority before invoking the SAF authorization check or audit service to satisfy the request. ICTX packages the result of the SAF service as a DER-encoded response, which the LDAP server returns to the application.
- The application must decode the response in order to interpret the results. A nonzero LdapResult code indicates that the request was not processed by the ICTX component; it is accompanied by a reason string in the response that may provide additional diagnostic information.

Note: A zero LdapResult code does not necessarily imply that the request was processed successfully (or, for authorization, that a user has the specified access). It indicates only that an extended operation ResponseValue was returned. The application should verify that the ICTX ResponseCode within the ResponseValue indicates success (0). A nonzero ResponseCode indicates that one or more request items resulted in errors (or unauthorized users); the application should check the MajorCode within each response item to determine which items failed. The application should also be aware that, in the event of a severe error such as an error encountered in the DER encoding, ICTX may not return a response item corresponding to each request item, so a missing response item must be treated as a failure rather than as success.