This module describes how you, as a software developer, can use eDirectory security in your applications.
First of all, some of the terminology changes when you go behind the scenes to the programmer’s perspective. Here are some of the most important changes:
Object Rights are called [Entry Rights]
Properties are called Attributes
All Properties Rights are called [All Attributes Rights]
Most security programming is simple once you know how to read and write information about objects in the eDirectory tree. Reading and writing objects and their information is discussed in detail in other chapters, so the focus here is on what is specific to security.
Let’s look at what a program would do to read the Access Control Lists (ACLs) of a particular object. Once you are familiar with eDirectory programming in general, as described in the other chapters, there is little that is new about security. The following program is presented in pseudocode to simplify the discussion:
NWCallsInit()                   Initialize the Unicode tables and low-level interface functions
NWDSCreateContextHandle()       Allocate a context for our program to communicate with eDirectory
NWDSAllocBuf()                  Allocate a buffer for the ACL results to be stored in
NWDSAllocBuf()                  Allocate a buffer to hold the attribute names passed to NWDSRead
NWDSRead()                      infoType=1, allAttrs=FALSE, iterationHandle=-1
NWDSGetAttrCount()              How many attributes are in the buffer? It had better be just one!
NWDSGetAttrName()               We already know the name is ACL, but we need the valCount
while (valCount--)              Loop through the buffer and process each ACL value
{
    NWDSComputeAttrValSize()    How big is our next attribute value?
    OurMem = malloc()           Allocate memory to store the next value
    NWDSGetAttrVal()            Put the attribute value (our ACL) into the memory we just allocated
    /* NWDSGetAttrVal() fills an Object_ACL_T structure, which holds all of the ACL
       information we need; we can then process that information as required */
    free(OurMem)                We need to keep memory clean!
}
NWDSFreeBuf()                   Free each of the buffers we allocated earlier
NWDSFreeContext()               Free the context we allocated earlier
NWDSFreeUnicodeTables()         Now we’ve done all the eDirectory housecleaning
You use the standard functions NWDSRead and NWDSModifyObject to read and write, respectively, the ACL of an object. You will notice from the comments in this pseudocode that reference is made to an Object_ACL_T structure. This is the structure that holds the contents of one ACL entry. The structure type definition is:
typedef struct
{
    pnstr8  protectedAttrName;
    pnstr8  subjectName;
    nuint32 privileges;
} Object_ACL_T;
Generally, you refer to specific attributes of an object when granting rights. As discussed earlier from the administrator’s perspective on security, you can use special notations to refer to all object rights or all property rights. These notations are summarized below:
When you use [Public] as the subject name, you are, in effect, granting all users those rights.
When you use [Inheritance Mask] as the subject name, you are setting up an Inherited Rights Filter.
When you use [Entry Rights] as the attribute name, you are giving the rights to the object.
When you use [All Attributes Rights] as the attribute name, you are giving (or reading) the rights to the entire set of attributes.
Suppose user Joe.Sales.MyCompany has been given rights to all attributes of the printer object Printer1.Accounting.MyCompany. The protectedAttrName would be [All Attributes Rights], indicating that Joe has rights to all properties (attributes). The subjectName would be “Joe.Sales.MyCompany”, identifying the user who holds the rights. The privileges field, a 32-bit value, would have its lower bits set according to the privileges granted to Joe (see Section 5.18, eDirectory Access Control Rights).
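The following program is an added example, not code from the eDirectory SDK or from this guide. It models the Object_ACL_T structure shown above and applies the special-notation rules just listed to a constructed ACL: [Public] entries apply to every trustee, [All Attributes Rights] covers every attribute but not [Entry Rights], and an [Inheritance Mask] entry is a filter that must never be counted as a grant. The typedefs for pnstr8 and nuint32 and the bit positions of the individual rights are assumptions made so the code builds without the NDK headers; confirm the bit values against Section 5.18 before relying on them. The function explicit_rights only combines the entries stored on one object and ignores inheritance from containers and security equivalence, so it is a reading of the stored ACL rather than a full effective-rights computation. The audit function count_public_modify_grants is the kind of check a reviewer would run over ACLs read with NWDSRead, since a Write or Supervisor grant to [Public] lets any user modify the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef const char *pnstr8;   /* assumed: the NDK pnstr8 is a char pointer; const added for literals */
typedef uint32_t    nuint32;  /* assumed: the NDK nuint32 is a 32-bit unsigned integer */

/* Object_ACL_T with the field names given in the text */
typedef struct {
    pnstr8  protectedAttrName;
    pnstr8  subjectName;
    nuint32 privileges;
} Object_ACL_T;

/* Bit positions are assumed from the NDK header; verify against Section 5.18. */
#define ATTR_COMPARE     0x01u
#define ATTR_READ        0x02u
#define ATTR_WRITE       0x04u
#define ATTR_SELF        0x08u
#define ATTR_SUPERVISOR  0x20u
#define ENTRY_BROWSE     0x01u
#define ENTRY_ADD        0x02u
#define ENTRY_DELETE     0x04u
#define ENTRY_RENAME     0x08u
#define ENTRY_SUPERVISOR 0x10u

#define ENTRY_RIGHTS    "[Entry Rights]"
#define ALL_ATTR_RIGHTS "[All Attributes Rights]"
#define PUBLIC_SUBJECT  "[Public]"
#define IRF_SUBJECT     "[Inheritance Mask]"

/* An [Inheritance Mask] entry is an Inherited Rights Filter, not a grant. */
int acl_is_filter(const Object_ACL_T *e)
{
    return strcmp(e->subjectName, IRF_SUBJECT) == 0;
}

/* [Public] as subject applies to every trustee. */
static int acl_applies_to(const Object_ACL_T *e, const char *trustee)
{
    return strcmp(e->subjectName, trustee) == 0 ||
           strcmp(e->subjectName, PUBLIC_SUBJECT) == 0;
}

/* target is either "[Entry Rights]" or an attribute name. [All Attributes
 * Rights] covers any attribute name but never the object's entry rights. */
static int acl_covers(const Object_ACL_T *e, const char *target)
{
    if (strcmp(e->protectedAttrName, target) == 0)
        return 1;
    return strcmp(target, ENTRY_RIGHTS) != 0 &&
           strcmp(e->protectedAttrName, ALL_ATTR_RIGHTS) == 0;
}

/* OR together the explicit grants stored on one object for a trustee and
 * target. Inheritance, security equivalence and IRFs are not applied here. */
nuint32 explicit_rights(const Object_ACL_T *acl, size_t n,
                        const char *trustee, const char *target)
{
    nuint32 rights = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl_is_filter(&acl[i]))
            continue;
        if (acl_applies_to(&acl[i], trustee) && acl_covers(&acl[i], target))
            rights |= acl[i].privileges;
    }
    return rights;
}

/* Audit check: count entries that hand [Public] a right that modifies the
 * object (Add/Delete/Rename/Supervisor on the entry, Write/Supervisor on
 * attributes). Each hit deserves a review. */
size_t count_public_modify_grants(const Object_ACL_T *acl, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const Object_ACL_T *e = &acl[i];
        nuint32 modifying;
        if (strcmp(e->subjectName, PUBLIC_SUBJECT) != 0)
            continue;
        if (strcmp(e->protectedAttrName, ENTRY_RIGHTS) == 0)
            modifying = ENTRY_ADD | ENTRY_DELETE | ENTRY_RENAME | ENTRY_SUPERVISOR;
        else
            modifying = ATTR_WRITE | ATTR_SUPERVISOR;
        if (e->privileges & modifying)
            count++;
    }
    return count;
}

/* Constructed sample ACL for Printer1.Accounting.MyCompany (not real data). */
static const Object_ACL_T sample_acl[] = {
    { ALL_ATTR_RIGHTS,   "Joe.Sales.MyCompany", ATTR_COMPARE | ATTR_READ | ATTR_WRITE },
    { ENTRY_RIGHTS,      PUBLIC_SUBJECT,        ENTRY_BROWSE },
    { "Description",     PUBLIC_SUBJECT,        ATTR_COMPARE | ATTR_READ },
    { ALL_ATTR_RIGHTS,   IRF_SUBJECT,           ATTR_COMPARE | ATTR_READ },
    { "Network Address", PUBLIC_SUBJECT,        ATTR_READ | ATTR_WRITE },
};
static const size_t sample_acl_len = sizeof sample_acl / sizeof sample_acl[0];

int main(void)
{
    printf("Joe on Description    : 0x%02x\n", (unsigned)explicit_rights(sample_acl, sample_acl_len, "Joe.Sales.MyCompany", "Description"));
    printf("Ann on Description    : 0x%02x\n", (unsigned)explicit_rights(sample_acl, sample_acl_len, "Ann.Sales.MyCompany", "Description"));
    printf("Ann on entry rights   : 0x%02x\n", (unsigned)explicit_rights(sample_acl, sample_acl_len, "Ann.Sales.MyCompany", ENTRY_RIGHTS));
    printf("[Public] modify grants: %zu\n", count_public_modify_grants(sample_acl, sample_acl_len));
    return 0;
}
```

Joe's entry on [All Attributes Rights] combines with the [Public] grant on Description, so his rights on that attribute are Compare, Read and Write, while a user with no entry of her own receives only what [Public] carries. The [Inheritance Mask] entry contributes nothing to either result, and the [Public] Write on Network Address is the single entry the audit flags.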