[PATCH, v3 3/8] audispd-zos-remote plugin - ITDS LDAP interface

Klaus Heinrich Kiwi klausk at linux.vnet.ibm.com
Thu Dec 13 15:49:27 UTC 2007


This patch brings the LDAP interface for the zos-remote plugin.
Functions here aim to initialize (read as: take necessary arguments),
connect and submit the LDAP extended operation to the RACF server.
There's also code to get the z/OS server response, filling an
internally-defined struct that is then checked for errors. 
The connection itself can be reestablished if the plugin thinks it timed
out, after trying to submit the event directly. In case of event bursts,
this prevents the plugin of trying a connection upon every event
arrival, avoiding at the same time a synchronous keepalive operation.

Signed-off-by: Klaus Heinrich Kiwi <klausk at br.ibm.com>

diff -purN audit-1.6.2/audisp/plugins/zos-remote/zos-remote-ldap.c audit-1.6.2_zos-remote/audisp/plugins/zos-remote/zos-remote-ldap.c
--- audit-1.6.2/audisp/plugins/zos-remote/zos-remote-ldap.c	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/zos-remote-ldap.c	2007-12-04 10:57:15.000000000 -0200
@@ -0,0 +1,608 @@
+/***************************************************************************
+ *   Copyright (C) 2007 International Business Machines  Corp.             *
+ *   All Rights Reserved.                                                  *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ *                                                                         *
+ * Authors:                                                                *
+ *   Klaus Heinrich Kiwi <klausk at br.ibm.com>                               *
+ ***************************************************************************/
+
+#include "zos-remote-ldap.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "zos-remote-log.h"
+
+/***************************************************************************
+ *   Audit response struct                                                 *
+ ***************************************************************************/
+typedef struct audit_resp_item
+{
+        ber_int_t version;      /* Version of Response data itself */
+        ber_int_t itemTag;      /* Copy of itemTag from Operation */
+        ber_int_t majorCode;    /* Majorcode. Main return code of this Outcome */
+        ber_int_t minorCode1;   /* minorCode1. SAFRc   or other Rc */
+        ber_int_t minorCode2;   /* minorCode2. RacfRc  or other Rc */
+        ber_int_t minorCode3;   /* minorCode3. RacfRsn or other Rc */
+} audit_resp_item_t;
+
+typedef struct audit_response
+{
+        ber_int_t respVersion;          /* Overall version */
+        ber_int_t respMajor;            /* Overall major code */
+        unsigned int numItems;          /* Number of response items */
+        audit_resp_item_t **itemList;   /* response ItemList */
+} audit_response_t;
+
+
+/***************************************************************************
+ *   z/OS Remote-services Major return code handling                       *
+ ***************************************************************************/
+struct zos_remote_error
+{
+        int code;
+        char *str;
+};
+
+static struct zos_remote_error zos_remote_errlist[] = {
+        {ZOS_REMOTE_MAJOR_SUCCESS,      "Success"},
+        {ZOS_REMOTE_MAJOR_WARNINGMODE,  "WARNINGMODE - Event was logged, with warnings"},
+        {ZOS_REMOTE_MAJOR_NOTREQ,       "NOTREQ - No logging required"},
+        {ZOS_REMOTE_MAJOR_UNDETERMINED, "UNDETERMINED - Undetermined result"},
+        {ZOS_REMOTE_MAJOR_UNAUTHORIZED, "UNAUTHORIZED - The user does not have authority the R_auditx service"},
+        {ZOS_REMOTE_MAJOR_RACROUTE,     "RACROUTE - The R_auditx service returned an unexpected error"},
+        {ZOS_REMOTE_MAJOR_VAL_ERR,      "VAL_ERR - Value error in request"},
+        {ZOS_REMOTE_MAJOR_ENC_ERR,      "ENC_ERR - DER decoding error in request"},
+        {ZOS_REMOTE_MAJOR_UNSUF_AUTH,   "UNSUF_AUTH - The user has unsuficient authority for the requested function"},
+        {ZOS_REMOTE_MAJOR_EMPTY,        "EMPTY - Empty request received - No items found within the ItemList"},
+        {ZOS_REMOTE_MAJOR_INVALID_VER,  "INVALID_VER - Invalid RequestVersion"},
+        {ZOS_REMOTE_MAJOR_INTERNAL_ERR, "INTERNAL_ERR - An internal error was encountered within the ICTX component"},
+        {-1, NULL}
+};
+
+/***************************************************************************
+ *   Internal functions prototypes                                         *
+ ***************************************************************************/
+static int _zos_remote_init(ZOS_REMOTE *);
+static void _zos_remote_destroy(ZOS_REMOTE *);
+static int zos_remote_connect(ZOS_REMOTE *);
+static void zos_remote_disconnect(ZOS_REMOTE *);
+static int submit_xop_s(ZOS_REMOTE *, struct berval *);
+static int decode_response(audit_response_t *, struct berval *);
+
+/***************************************************************************
+ *   Exported functions                                                    *
+ ***************************************************************************/
+int submit_request_s(ZOS_REMOTE *zos_remote, BerElement *ber)
+{
+        int rc, retry = 1;                /* retry once and give up */
+        struct berval bv;
+
+        rc = ber_flatten2(ber, &bv, 0);   /* 0 = Use ber's buffer */
+        if (rc == -1) {
+                log_err("Error flattening BER element");
+                return ICTX_E_ABORT;
+        }
+
+retry:
+        rc = submit_xop_s(zos_remote, &bv);
+        switch (rc) {
+        case ICTX_SUCCESS:
+                break;
+        case ICTX_E_TRYAGAIN:
+                /* 
+                 * Usually means that the server connection timed-out
+                 * So we flush the LDAP connection by unsetting the
+                 * 'connected' flag and trying again.
+                 */
+                if (retry > 0) {
+                        log_debug("Connection seems down - retrying");
+                        retry--;
+                        _zos_remote_destroy(zos_remote);
+                        rc = _zos_remote_init(zos_remote);
+                        if (rc != ICTX_SUCCESS)
+                                log_err("Error - failed to re-initialize LDAP session");
+                        else
+                                goto retry;        /* go to submit_xop_s once more */
+                }
+                log_err("Can't establish connection");
+                break;
+        case ICTX_E_ABORT:
+                break;
+        default:
+                log_err("Event resulted failure, code: 0x%x", rc);
+        }
+
+        return rc;
+}
+
+int zos_remote_init(ZOS_REMOTE *zos_remote, char *server, int port,
+              char *user, char *password, int timeout)
+{       
+        zos_remote->server = strdup(server);
+        zos_remote->port = port;
+        zos_remote->user = strdup(user);
+        zos_remote->password = strdup(password);
+        zos_remote->timeout = timeout;
+        zos_remote->connected = 0;
+        
+        if (!zos_remote->server || !zos_remote->user || !zos_remote->password) {
+                log_err("Error allocating memory for session members");
+                return ICTX_E_FATAL;
+        }
+
+        return _zos_remote_init(zos_remote);
+}
+
+void zos_remote_destroy(ZOS_REMOTE *zos_remote)
+{
+        _zos_remote_destroy(zos_remote);
+
+        free(zos_remote->server);
+        free(zos_remote->user);
+        free(zos_remote->password);
+}
+
+char *zos_remote_err2string(int err)
+{
+        int i;
+
+        for (i = 0; zos_remote_errlist[i].str != NULL; i++) {
+                if (err == zos_remote_errlist[i].code)
+                        return zos_remote_errlist[i].str;
+        }
+        return "Unknown error";
+}
+
+/***************************************************************************
+ *   Internal Functions                                                    *
+ ***************************************************************************/
+static int _zos_remote_init(ZOS_REMOTE *zos_remote)
+{
+        int version, rc;
+        char *uri = NULL;
+            
+#ifdef LDAP_DEPRECATED
+
+        log_debug("Initializing z/OS Remote-services LDAP connection at ldap://%s:%d",
+                  zos_remote->server, zos_remote->port);
+        zos_remote->ld = ldap_init(zos_remote->server
+                             zos_remote->port ? zos_remote->port : LDAP_PORT);
+        if (zos_remote->ld == NULL) {
+                log_err("Error initializing LDAP session: %s",
+                        strerror(errno));
+                rc = ICTX_E_FATAL;
+                goto end;
+        }
+#else
+        /* build ldap URI */
+        if (zos_remote->port == 0 || zos_remote->port == LDAP_PORT)
+                rc = asprintf(&uri, "ldap://%s", zos_remote->server);
+        else
+                rc = asprintf(&uri, "ldap://%s:%d", zos_remote->server,
+                              zos_remote->port);
+
+        if (rc == -1) {
+                log_err("Out of memory building LDAP server URI");
+                rc = ICTX_E_FATAL;
+                uri = NULL;
+                goto end;
+        }
+
+        log_debug("Initializing z/OS Remote-services LDAP connection at %s", uri);
+        /* Get a handle to an LDAP connection */
+        rc = ldap_initialize(&zos_remote->ld, uri);
+        if (rc != LDAP_SUCCESS) {
+                log_err("Error initializing LDAP session: %s",
+                        ldap_err2string(rc));
+                rc = ICTX_E_FATAL;
+                goto free_uri;
+        }
+#endif
+
+        /* 
+         * Ensure the LDAP protocol version supported by the client
+         * to 3. (Extended operations are part of version 3). 
+         */
+        rc = ldap_get_option(zos_remote->ld, LDAP_OPT_PROTOCOL_VERSION,
+                             &version);
+        if (rc != LDAP_OPT_SUCCESS) {
+                log_err("Error getting LDAP session options");
+                rc = ICTX_E_FATAL;
+                goto unbind;
+        }
+
+        if (version < LDAP_VERSION3) {
+                log_debug("Setting LDAP session version to %d",
+                          LDAP_VERSION3);
+                version = LDAP_VERSION3;
+                rc = ldap_set_option(zos_remote->ld, LDAP_OPT_PROTOCOL_VERSION,
+                                     &version);
+                if (rc != LDAP_OPT_SUCCESS) {
+                        log_err("Error setting LDAP session version");
+                        rc = ICTX_E_FATAL;
+                        goto unbind;
+                }
+        }
+
+        goto free_uri;
+
+unbind:
+        ldap_unbind_ext_s(zos_remote->ld, NULL, NULL);
+        zos_remote->ld = NULL;
+
+free_uri:
+        free(uri);
+
+end:
+        return rc;
+}
+
+static void _zos_remote_destroy(ZOS_REMOTE *zos_remote)
+{
+    zos_remote_disconnect(zos_remote);
+    zos_remote->ld = NULL;
+}
+
+static int zos_remote_connect(ZOS_REMOTE *zos_remote)
+{
+        struct berval cred;
+        int rc;
+        char bindusr[255];
+
+        snprintf(bindusr, 255, "racfid=%s,cn=ictx", zos_remote->user);
+
+        log_debug("Attempting BIND. User '%s', password '<not shown>'",
+                  bindusr);
+
+        cred.bv_val = (char *) zos_remote->password;
+        cred.bv_len = strlen(zos_remote->password);
+        
+        rc = ldap_sasl_bind_s(zos_remote->ld, bindusr,
+                              LDAP_SASL_SIMPLE, &cred,
+                              NULL, NULL, NULL);
+        
+
+        switch (rc) {
+        case LDAP_SUCCESS:
+                log_debug("LDAP BIND succeeded");
+                zos_remote->connected = 1;
+                rc = ICTX_SUCCESS;
+                break;
+        case LDAP_SERVER_DOWN:
+        case LDAP_BUSY:
+        case LDAP_UNAVAILABLE:
+        case LDAP_TIMEOUT:
+        case LDAP_CONNECT_ERROR:
+                log_warn("z/OS Remote-services connection failed: %s",
+                         ldap_err2string(rc));
+                rc = ICTX_E_TRYAGAIN;
+                break;
+        default:
+                log_err("Error - z/OS Remote-services initialization failed: %s",
+                        ldap_err2string(rc));
+                rc = ICTX_E_FATAL;
+        }
+
+        return rc;
+}
+
+
+static void zos_remote_disconnect(ZOS_REMOTE *zos_remote)
+{
+        if (zos_remote->ld) {
+                log_debug("Unbinding LDAP session");
+
+#ifdef LDAP_DEPRECATED
+                ldap_unbind(zos_remote->ld);
+#else
+                ldap_unbind_ext_s(zos_remote->ld, NULL, NULL);
+#endif
+        }
+        zos_remote->connected = 0;
+        
+}
+
+/*
+ * Sync-submit extended operation given in *bv
+ * return ICTX_SUCCESS if submission (and response)
+ * succeeded.
+ * Log errors using log_err() functions
+ */
+int submit_xop_s(ZOS_REMOTE *zos_remote, struct berval *bv)
+{
+        LDAPMessage *result;
+        audit_response_t response;
+        int rc, errcode, msgId;
+        unsigned int i;
+        char *errmsg, *oid;
+        struct berval *bv_response;
+        struct timeval t;
+
+        if (zos_remote->connected == 0) {
+                rc = zos_remote_connect(zos_remote);
+                if (rc != ICTX_SUCCESS)
+                    return rc;
+        }
+
+        /* call LDAP - won't block */
+        rc = ldap_extended_operation(zos_remote->ld, ICTX_OIDAUDITREQUEST,
+                                     bv, NULL, NULL, &msgId);
+        if (rc == LDAP_SERVER_DOWN) {
+                zos_remote->connected = 0;
+                return ICTX_E_TRYAGAIN;
+        } else if (rc != LDAP_SUCCESS) {
+                log_err("LDAP extended operation submission failure: %s",
+                        ldap_err2string(rc));
+                return ICTX_E_ABORT;
+        } else
+                log_debug("Sent LDAP extended operation request, msgId=0x%x",
+                          msgId);
+
+
+        /* call blocking ldap_result with specified timeout */
+        t.tv_sec = zos_remote->timeout;
+        t.tv_usec = 0;
+        rc = ldap_result(zos_remote->ld, msgId, 1, &t, &result);
+
+        if (rc == -1) {
+                /* error in ldap operation */
+                ldap_get_option(zos_remote->ld, LDAP_OPT_ERROR_NUMBER, &errcode);
+                switch (errcode) {
+                case LDAP_SERVER_DOWN:
+                        /* Connection may have timed out, let's retry */
+                        zos_remote->connected = 0;
+                        rc = ICTX_E_TRYAGAIN;
+                        break;
+                default:
+                        log_err("ldap_result unexpected failure: %s (0x%x)",
+                                ldap_err2string(rc), rc);
+                        rc = ICTX_E_ABORT;
+                }
+                goto end;
+        } else if (rc == 0) {
+                /* timeout reached */
+                log_warn("LDAP extended operation timed out");
+                rc = ICTX_E_ABORT;
+                goto end;
+        } else if (rc != LDAP_RES_EXTENDED) {
+                /* not an extended operation response! */
+                log_err("LDAP extended operation resulted in unexpected answer: 0x%x", rc);
+                rc = ICTX_E_ABORT;
+                goto free_result;
+        }
+
+        log_debug("Got LDAP Extended result");
+        /* 
+         * we have an extended operation result
+         * first parse_result will check for errcode, later
+         * parse_extended_result will give us the oid and the BER value
+         */
+        rc = ldap_parse_result(zos_remote->ld, result, &errcode, NULL,
+                               &errmsg, NULL, NULL, 0);
+        if (rc != LDAP_SUCCESS) {
+                log_err("LDAP parse result internal failure (code 0x%x)",
+                        rc);
+                rc = ICTX_E_ABORT;
+                goto free_result;
+        }
+
+        if (errcode != LDAP_SUCCESS) {
+                log_err("LDAP extended operation failed: %s", errmsg);
+                rc = ICTX_E_ABORT;
+                goto free_errmsg;
+        }
+
+        rc = ldap_parse_extended_result(zos_remote->ld, result, &oid,
+                                        &bv_response, 0);
+        if (rc != LDAP_SUCCESS) {
+                log_err("Failed to parse ldap extended result (code 0x%x)",
+                        rc);
+                rc = ICTX_E_ABORT;
+                goto free_errmsg;
+        }
+
+        if (oid && strcmp(oid, ICTX_OIDAUDITRESPONSE) != 0) {
+                /* oid == null shouldn't be a problem to log_err */
+                log_err("LDAP extended operation returned an invalid oid: %s", oid);
+                rc = ICTX_E_ABORT;
+                goto free_bv;
+        }
+
+        rc = decode_response(&response, bv_response);
+        if (rc != ICTX_SUCCESS) {
+                log_err("Error decoding extended operation response");
+                goto free_bv;
+        }
+
+        if (response.respMajor == ZOS_REMOTE_MAJOR_SUCCESS) {
+                /* submission was successful, no further processing needed */
+                log_debug("Successfully submited Remote audit Request");
+                rc = ICTX_SUCCESS;
+                goto free_response;
+        } else if (response.respMajor == ZOS_REMOTE_MAJOR_EMPTY) {
+                /* something is going on. Set error and stop processing */
+                log_warn("Warning - LDAP extended operation returned empty result");
+                rc = ICTX_E_ABORT;
+                goto free_response;
+        } else if (response.respMajor == ZOS_REMOTE_MAJOR_WARNINGMODE ||
+                   response.respMajor == ZOS_REMOTE_MAJOR_NOTREQ)
+                rc = ICTX_SUCCESS;      /* don't fail, but continue processing */
+        else
+                rc = ICTX_E_ABORT;      /* set return code and continue processing */
+
+        /* If it's not success nor empty, let's check for errors in the response */
+        for (i = 0; i < response.numItems; i++) {
+                switch ((response.itemList[i])->majorCode) {
+                        /* 0 <= Major Code <= 14 */
+                case ZOS_REMOTE_MAJOR_SUCCESS:
+                        break;
+                case ZOS_REMOTE_MAJOR_WARNINGMODE:
+                case ZOS_REMOTE_MAJOR_NOTREQ:
+                        log_debug("Warning - LDAP extended operation returned '%s' for item %d",
+                                 zos_remote_err2string((response.itemList[i])->majorCode),
+                                 (response.itemList[i])->itemTag);
+                        log_debug("SAF code: 0x%x, RACF code: 0x%x, RACF reason: 0x%x",
+                                 (response.itemList[i])->minorCode1,
+                                 (response.itemList[i])->minorCode2,
+                                 (response.itemList[i])->minorCode3);
+                        break;
+                case ZOS_REMOTE_MAJOR_UNDETERMINED:
+                case ZOS_REMOTE_MAJOR_UNAUTHORIZED:
+                case ZOS_REMOTE_MAJOR_RACROUTE:
+                        log_err("Error - LDAP extended operation returned '%s' for item %d",
+                                zos_remote_err2string((response.itemList[i])->majorCode),
+                                (response.itemList[i])->itemTag);
+                        log_err("SAF code: 0x%x, RACF code: 0x%x, RACF reason: 0x%x",
+                                (response.itemList[i])->minorCode1,
+                                (response.itemList[i])->minorCode2,
+                                (response.itemList[i])->minorCode3);
+                        break;
+                        /* 16 <= Major Code <= 20 */
+                case ZOS_REMOTE_MAJOR_VAL_ERR:
+                case ZOS_REMOTE_MAJOR_ENC_ERR:
+                        log_err("Error - LDAP extended operation returned '%s' for item %d",
+                                zos_remote_err2string((response.itemList[i])->majorCode),
+                                (response.itemList[i])->itemTag);
+                        log_err("Item field: %d, reson %d",
+                                (response.itemList[i])->
+                                minorCode1,
+                                (response.itemList[i])->minorCode2);
+                        break;
+                        /* 24 <= Major code <= 100 */
+                case ZOS_REMOTE_MAJOR_UNSUF_AUTH:
+                case ZOS_REMOTE_MAJOR_EMPTY:
+                case ZOS_REMOTE_MAJOR_INVALID_VER:
+                case ZOS_REMOTE_MAJOR_INTERNAL_ERR:
+                        log_err("Error - LDAP extended operation returned '%s' for item %d",
+                                zos_remote_err2string((response.itemList[i])->majorCode),
+                                (response.itemList[i])->itemTag);
+                        break;
+                default:
+                        log_err("Error - LDAP extended operation returned an unknown Major code for item %d", 
+                                (response.itemList[i])->majorCode);
+                }
+        }
+
+free_response:
+        for (; response.numItems > 0; response.numItems--)
+                free(response.itemList[response.numItems - 1]);
+        free(response.itemList);
+
+free_bv:
+        if (bv_response)
+                ber_bvfree(bv_response);
+        if (oid)
+                ldap_memfree(oid);
+
+free_errmsg:
+        ldap_memfree(errmsg);
+
+free_result:
+        ldap_msgfree(result);
+
+end:
+        return rc;
+}
+
+static int decode_response(audit_response_t * r, struct berval *bv)
+{
+        BerElement *ber;
+        ber_len_t len;
+        int rc;
+
+        if (!bv) {
+                log_err("LDAP extended operation returned NULL message");
+                return ICTX_E_ABORT;
+        } else if ((ber = ber_init(bv)) == NULL) {
+                log_err("Error initializing BER response data");
+                return ICTX_E_ABORT;
+        }
+
+        log_debug("---Got an encoded request response:");
+        debug_bv(bv);
+
+        r->respVersion = 0;
+        r->respMajor = 0;
+        r->numItems = 0;
+        r->itemList = NULL;
+
+        rc = ber_scanf(ber, "{ii", &r->respVersion, &r->respMajor);
+        if (r->respVersion != ICTX_REQUESTVER) {
+                log_err("Invalid version returned by z/OS Remote-services server");
+                log_err("Should be %d, got %d", ICTX_REQUESTVER,
+                        r->respVersion);
+                rc = ICTX_E_ABORT;
+                goto free_ber;
+        }
+
+        if (r->respMajor == ZOS_REMOTE_MAJOR_SUCCESS ||
+            r->respMajor == ZOS_REMOTE_MAJOR_EMPTY) {
+                rc = ICTX_SUCCESS;
+                /* No further processing required */
+                goto free_ber;
+        }
+
+        /* Inspect ber response otherwise */
+        while (ber_peek_tag(ber, &len) == LBER_SEQUENCE) {
+                r->numItems++;
+                r->itemList = (audit_resp_item_t **) realloc(r->itemList,
+                                                             r->numItems *
+                                                             sizeof
+                                                             (audit_resp_item_t
+                                                              *));
+                if (errno == ENOMEM) {
+                        if (r->itemList)
+                                free(r->itemList);
+                        rc = ICTX_E_FATAL;
+                        goto free_ber;
+                }
+
+                audit_resp_item_t *item = (audit_resp_item_t *)
+                        malloc(sizeof(audit_resp_item_t));
+
+                if (!item) {
+                        rc = ICTX_E_FATAL;
+                        goto free_ber;
+                }
+
+                rc |= ber_scanf(ber, "{{iiiiii}}",
+                                &item->version,
+                                &item->itemTag,
+                                &item->majorCode,
+                                &item->minorCode1, &item->minorCode2,
+                                &item->minorCode3);
+                r->itemList[r->numItems - 1] = item;
+        }
+        rc |= ber_scanf(ber, "}");
+
+        if (rc == -1) {
+                for (; r->numItems > 0; r->numItems--)
+                        free(r->itemList[r->numItems - 1]);
+                free(r->itemList);
+                rc = ICTX_E_ABORT;
+        }
+        else
+            rc = ICTX_SUCCESS;
+
+free_ber:
+        ber_free(ber, 1);
+
+        return rc;
+}
diff -purN audit-1.6.2/audisp/plugins/zos-remote/zos-remote-ldap.h audit-1.6.2_zos-remote/audisp/plugins/zos-remote/zos-remote-ldap.h
--- audit-1.6.2/audisp/plugins/zos-remote/zos-remote-ldap.h	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_zos-remote/audisp/plugins/zos-remote/zos-remote-ldap.h	2007-12-04 11:07:26.000000000 -0200
@@ -0,0 +1,311 @@
+/***************************************************************************
+ *   Copyright (C) 2007 International Business Machines  Corp.             *
+ *   All Rights Reserved.                                                  *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ *                                                                         *
+ * Authors:                                                                *
+ *   Klaus Heinrich Kiwi <klausk at br.ibm.com>                               *
+ ***************************************************************************/
+
+#ifndef _ZOS_REMOTE_LDAP_H
+#define _ZOS_REMOTE_LDAP_H
+
+#include <lber.h>
+#include <ldap.h>
+
+
+/***************************************************************************
+ *   LDAP Extended Op OID for ICTX Audit                                   *
+ ***************************************************************************/
+/* ICTX EIM component AUDIT Request OID */
+#define ICTX_OIDAUDITREQUEST     "1.3.18.0.2.12.68"
+
+/* The AUDIT Response OID */
+#define ICTX_OIDAUDITRESPONSE    "1.3.18.0.2.12.69"
+
+/* This implementation version
+   Request and response must match this */
+#define ICTX_REQUESTVER          0x1
+
+/* Needed for BER-encoding */
+#define ASN1_IA5STRING_TAG       0x16
+
+/***************************************************************************
+ *   the ASN.1 struct for the remote audit request and response:           *
+ *                                                                         *
+ *   RequestValue ::= SEQUENCE  {                                          *
+ *       RequestVersion    INTEGER,                                        *
+ *       ItemList    SEQUENCE OF                                           *
+ *           Item    SEQUENCE {                                            *
+ *               ItemVersion    INTEGER,                                   *
+ *               ItemTag        INTEGER,                                   *
+ *               LinkValue    OCTET STRING SIZE(8),                        *
+ *               Violation    BOOLEAN,                                     *
+ *               Event        INTEGER,                                     *
+ *               Qualifier    INTEGER,                                     *
+ *               Class        IA5String,                                   *
+ *               Resource    IA5String,                                    *
+ *               LogString    IA5String,                                   *
+ *               DatafieldList    SEQUENCE OF                              *
+ *                   DataField    SEQUENCE {                               *
+ *                       TYPE    INTEGER,                                  *
+ *                       VALUE    IA5STRING                                *
+ *                   }                                                     *
+ *           }                                                             *
+ *   }                                                                     *
+ *                                                                         *
+ *   Response ::= SEQUENCE {                                               *
+ *       Version        INTEGER,                                           *
+ *       ResponseCode    INTEGER,                                          *
+ *       ItemList    SEQUENCE OF                                           *
+ *           Item    SEQUENCE {                                            *
+ *               ItemVersion    INTEGER,                                   *
+ *               ItemTag        INTEGER,                                   *
+ *               MajorCode    INTEGER,                                     *
+ *               MinorCode1    INTEGER,                                    *
+ *               MinorCode2    INTEGER,                                    *
+ *               MinorCode3    INTEGER                                     *
+ *           }                                                             *
+ *   }                                                                     *
+ ***************************************************************************/
+
+/***************************************************************************
+ *   z/OS Remote-services Audit Minor return codes meaning
+
+Major Code    Meaning
+----------    ---------------------------------------------------------
+0-14          - MinorCode1 is the SAF return code
+              - MinorCode2 is the RACF return code
+              - MinorCode3 is the RACF reason code
+
+16-20         - MinorCode1 identifies the extended operation request
+                parameter number (see audit request ASN.1 definition):
+                 0 - Item
+                 1 - ItemVersion
+                 2 - ItemTag
+                 3 - LinkValue
+                 4 - Violation
+                 5 - Event
+                 6 - Qualifier
+                 7 - Class
+                 8 - Resource
+                 9 - LogString
+                10 - DataFieldList
+                11 - DataField *
+                12 - TYPE *
+                13 - VALUE *
+              - MinorCode2 indicates one of the Following:
+                32 - incorrect length
+                36 - incorrect value
+                40 - encoding error
+              - MinorCode3 has no defined meaning
+
+24-100        - MinorCode1 has no defined meaning
+              - MinorCode2 has no defined meaning
+              - MinorCode3 has no defined meaning
+
+* There can be multiple DataField, TYPEs and VALUEs in a request. If any of them is bad
+  you get the same 11, 12 or 13 MinorCode1. There is no further breakdown of which one
+  is bad.
+
+ ***************************************************************************/
+
+/***************************************************************************
+ *   Audit Request 'event' field meaning                                   *
+ ***************************************************************************/
+#define ZOS_REMOTE_EVENT_AUTHENTICATION            0x1
+#define ZOS_REMOTE_EVENT_AUTHORIZATION             0x2
+#define ZOS_REMOTE_EVENT_AUTHORIZATION_MAPPING     0x3
+#define ZOS_REMOTE_EVENT_KEY_MGMT                  0x4
+#define ZOS_REMOTE_EVENT_POLICY_MGMT               0x5
+#define ZOS_REMOTE_EVENT_ADMIN_CONFIG              0x6
+#define ZOS_REMOTE_EVENT_ADMIN_ACTION              0x7
+
+/***************************************************************************
+ *   Audit Request 'qualifier' field meaning                               *
+ ***************************************************************************/
+#define ZOS_REMOTE_QUALIF_SUCCESS                  0x0
+#define ZOS_REMOTE_QUALIF_INFO                     0x1
+#define ZOS_REMOTE_QUALIF_WARN                     0x2
+#define ZOS_REMOTE_QUALIF_FAIL                     0x3
+
+/***************************************************************************
+ *   Relocate types for Audit Request                                      *
+ ***************************************************************************/
+/* SAF identifier for bind user */
+#define ZOS_REMOTE_RELOC_SAF_BIND_USER             100
+
+/* Reguestor's bind user identifier */
+#define ZOS_REMOTE_RELOC_REQ_BIND_USER             101
+
+/* Originating security domain */
+#define ZOS_REMOTE_RELOC_ORIG_SECURITY             102
+
+/* Originating registry / realm */
+#define ZOS_REMOTE_RELOC_ORIG_REALM                103
+
+/* Originating user name */
+#define ZOS_REMOTE_RELOC_ORIG_USER                 104
+
+/* Mapped security domain */
+#define ZOS_REMOTE_RELOC_MAPPED_SECURITY           105
+
+/* Mapped registry / realm */
+#define ZOS_REMOTE_RELOC_MAPPED_REALM              106
+
+/* Mapped user name */
+#define ZOS_REMOTE_RELOC_MAPPED_USER               107
+
+/* Operation performed */
+#define ZOS_REMOTE_RELOC_OPERATION                 108
+
+/* Mechanism / object name */
+#define ZOS_REMOTE_RELOC_OBJECT                    109
+
+/* Method  / function used */
+#define ZOS_REMOTE_RELOC_FUNCTION                  110
+
+/* Key / certificate name */
+#define ZOS_REMOTE_RELOC_CERTIFICATE               111
+
+/* Caller subject initiating security event  */
+#define ZOS_REMOTE_RELOC_INITIATING_EVENT          112
+
+/* Date and time security event occurred  */
+#define ZOS_REMOTE_RELOC_TIMESTAMP                 113
+
+/* Application specific data. (i.e. Other) */
+#define ZOS_REMOTE_RELOC_OTHER                     114
+
+/***************************************************************************
+ *   z/OS Remote-services Audit Major return codes                         *
+ ***************************************************************************/
+#define ZOS_REMOTE_MAJOR_SUCCESS                   0
+
+/* Event was logged, with warnings */
+#define ZOS_REMOTE_MAJOR_WARNINGMODE               2
+
+/* No logging required
+   No audit controls are set to require it */
+#define ZOS_REMOTE_MAJOR_NOTREQ                    3
+
+/* Class not active/ractlisted, 
+   covering profile not found or 
+   RACF is not installed */
+#define ZOS_REMOTE_MAJOR_UNDETERMINED              4
+
+/* The user does not have authority the R_auditx service.
+    The userid associated with the LDAP server must have
+    at least READ access to the FACILITY class profile IRR.RAUDITX. */
+#define ZOS_REMOTE_MAJOR_UNAUTHORIZED              8
+
+
+/* The R_auditx service returned an unexpected error.
+   Compare the returned minor codes with the SAF RACF codes
+   documented in Security Server Callable Services */
+#define ZOS_REMOTE_MAJOR_RACROUTE                  12
+
+/* A value specified in the extended operation request is 
+   incorrect or unsupported. Check the returned minor codes
+   to narrow the reason */
+#define ZOS_REMOTE_MAJOR_VAL_ERR                   16
+
+/* A DER decoding error was encountered in an item.
+   Processing Terminated. Partial results may be returned */
+#define ZOS_REMOTE_MAJOR_ENC_ERR                   20
+
+/* The requestor does not have sufficient authority for the
+   requested function. The userid associated with the LDAP bind
+   user must have at least READ access to the FACILITY class
+   profile IRR.LDAP.REMOTE.AUDIT. */
+#define ZOS_REMOTE_MAJOR_UNSUF_AUTH                24
+
+/* No items are found within the ItemList sequence of the extended
+   operation request, so no response items are returned */
+#define ZOS_REMOTE_MAJOR_EMPTY                     28
+
+/* Invalid RequestVersion */
+#define ZOS_REMOTE_MAJOR_INVALID_VER               61
+
+/* An internal error was encountered within the ICTX component */
+#define ZOS_REMOTE_MAJOR_INTERNAL_ERR              100
+
+/***************************************************************************
+ *   Some standard sizes for remote audit request items                    *
+ ***************************************************************************/
+#define ZOS_REMOTE_LINK_VALUE_SIZE                 8
+#define ZOS_REMOTE_CLASS_SIZE                      8
+#define ZOS_REMOTE_RESOURCE_SIZE                   240
+#define ZOS_REMOTE_LOGSTRING_SIZE                  200
+
+
+/***************************************************************************
+ *   Some standard Error defines                                           *
+ ***************************************************************************/
+#define ICTX_SUCCESS                         0x00
+
+/* maybe a temporary failure? */
+#define ICTX_E_TRYAGAIN                      0x01
+
+/* permanent failure - abort event submission */
+#define ICTX_E_ABORT                         0x02
+
+/* Fatal failure - abort program */
+#define ICTX_E_FATAL                         0x03
+
+/* generic error */
+#define ICTX_E_ERROR                         0x10
+
+/***************************************************************************
+ *   structure representing an z/OS Remote-services session                *
+ ***************************************************************************/
+typedef struct opaque
+{
+    char *server;
+    unsigned int port;
+    char *user;
+    char *password;
+    unsigned int timeout;
+    LDAP *ld;
+    int connected;
+} ZOS_REMOTE;
+
+/***************************************************************************
+ *   LDAP XOP operations                                                   *
+ ***************************************************************************/
+/* 
+ * Initializes z/OS Remote-services (LDAP to ITDS) connection,
+ * binds to ITDS Server using configured RACF ID
+ * Args are:
+ * server, bind user, bind password, server port, timeout
+ * Caller must call zos_remote_destroy() to free memory allocation
+ */
+int zos_remote_init(ZOS_REMOTE *, char *, int, char *, char *, int);
+
+/* 
+ * Uninitializes z/OS Remote-services (LDAP) connection
+ */
+void zos_remote_destroy(ZOS_REMOTE *);
+
+/* 
+ * sync submit request - possibly reconnect to server
+ * if the connection if found to be dead
+ */
+int submit_request_s(ZOS_REMOTE *, BerElement *);
+
+
+#endif                          /* _ZOS_REMOTE_LDAP_H */

-- 
Klaus Heinrich Kiwi <klausk at linux.vnet.ibm.com>
IBM STG, Linux Technology Center




More information about the Linux-audit mailing list