API Exported Enumerations
SmApi.h includes the following enumerations used by the Directory API:
- Sm_DirApi_Capability_t (directory capabilities)
- Sm_PolicyResolution_t (policy resolutions)
Directory Capabilities
Sm_DirApi_Capability_t enumerates the capabilities that can be configured for a custom directory.
The following table lists the directory capabilities enumerated in Sm_DirApi_Capability_t. Descriptions of each capability follow the table.
| Name | Value |
| --- | --- |
| Sm_DirApi_Capability_ForceResetUserPassword | 0x00000001 |
| Sm_DirApi_Capability_ChangeUserPassword | 0x00000002 |
| Sm_DirApi_Capability_DisableUser | 0x00000004 |
| Sm_DirApi_Capability_SetUserAttributes | 0x00000008 |
| Sm_DirApi_Capability_Recursive | 0x00000010 |
For a custom directory to have a specific capability, you must define the required user attributes for that capability. For example, to enable CA Single Sign-On to change a user’s password, you need to identify a Password Attribute. CA Single Sign-On then uses that attribute to get and set the user password.
- Sm_DirApi_Capability_ForceResetUserPassword. The custom directory is capable of forcing user password reset. To enable CA Single Sign-On to force a reset of the password, define the following user attributes:
  - Password attribute. An attribute that CA Single Sign-On can use to get and set the user password. In the CA Single Sign-On Administrative UI, enter that attribute name in the Password Attribute field on the User Attributes tab on the User Directory Dialog box. In the sample, the attribute name is password.
  - Disabled Flag. An attribute that CA Single Sign-On can use to get and set the disabled state of a user. In the CA Single Sign-On Administrative UI, enter that attribute name in the Disabled Flag field on the User Attributes tab on the User Directory Dialog box. In the sample, the attribute name is Disabled.
  When users are forced to change their passwords, the Policy Server calls SmDirSetUserDisabledState(). In the sample code, the user’s Disabled Flag is set to Sm_Api_Disabled_PWMustChange (the disabled reason).
- Sm_DirApi_Capability_ChangeUserPassword. The custom directory is capable of changing the user password. To change the password, you need to identify a Password Attribute, which is an attribute that CA Single Sign-On can use to get and set the user password. In the CA Single Sign-On Administrative UI, enter that attribute name in the Password Attribute field on the User Attributes tab on the User Directory Dialog box. The CA Single Sign-On Policy Server calls SmDirChangeUserPassword() so that you can change the value in the password field for an entry in your custom directory.
- Sm_DirApi_Capability_DisableUser. The custom directory is capable of disabling a user account. To disable a user, you need to identify a Disabled Flag, which is an attribute that CA Single Sign-On can use to get and set the disabled state of a user. In the CA Single Sign-On Administrative UI, enter that attribute name in the Disabled Flag field on the User Attributes tab on the User Directory Dialog box. When an administrator uses the CA Single Sign-On Administrative UI to disable or enable a user account, or when Password Services disables a user account, the CA Single Sign-On Policy Server calls SmDirSetUserDisabledState(). In CA Single Sign-On, user accounts can be disabled for a number of reasons, and these reasons are represented by the members of the data structure Sm_Api_DisabledReason_t.
- Sm_DirApi_Capability_SetUserAttributes. CA Single Sign-On can set user attributes in the custom directory. The CA Single Sign-On Policy Server calls SmDirSetUserAttr() so that you can use CA Single Sign-On to set a user attribute in your custom directory.
- Sm_DirApi_Capability_Recursive. The custom directory is capable of supporting recursion. For example, the custom directory may support nested groups. The following functions in the Directory API have a parameter to hold a recursive flag:
  - SmDirGetUserGroups()
  - SmDirValidateUserPolicyRelationship()
To send information about the directory capabilities to the CA Single Sign-On Policy Server, implement the function SmDirQueryVersion(). Use the capabilities parameter (pnCapabilities) to pass one or more values enumerated in Sm_DirApi_Capability_t. CA Single Sign-On then checks for those capabilities.
For example, if a user attempts to change a password, the CA Single Sign-On Policy Server calls SmDirQueryVersion() to check for the capability Sm_DirApi_Capability_ChangeUserPassword. If the custom directory does not have that capability, the user receives an error message.
An example of setting the directory capabilities is shown in the sample code. First, initialize *pnCapabilities to zero, then set *pnCapabilities as follows:
*pnCapabilities = *pnCapabilities | Sm_DirApi_Capability_<supported_capability>;
For example:
*pnCapabilities = *pnCapabilities | Sm_DirApi_Capability_ChangeUserPassword;
*pnCapabilities = *pnCapabilities | Sm_DirApi_Capability_DisableUser;
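The capability setup described above, as an added example (not the SDK sample and not CA's code): it advertises a capability only when the user attributes that capability depends on are configured, so the directory never claims an operation it cannot back. The names dir_config_t, build_capabilities and has_capability are hypothetical, the enum values are copied from the table on this page, and in a real provider the resulting mask would be stored in *pnCapabilities inside SmDirQueryVersion().

```c
#include <stdio.h>

/* Values copied from the table on this page; a real provider takes them from SmApi.h. */
enum {
    Sm_DirApi_Capability_ForceResetUserPassword = 0x00000001,
    Sm_DirApi_Capability_ChangeUserPassword     = 0x00000002,
    Sm_DirApi_Capability_DisableUser            = 0x00000004,
    Sm_DirApi_Capability_SetUserAttributes      = 0x00000008,
    Sm_DirApi_Capability_Recursive              = 0x00000010
};

/* Hypothetical summary of what this custom directory really backs. */
typedef struct {
    const char *password_attr; /* Password Attribute name, NULL or "" if none */
    const char *disabled_attr; /* Disabled Flag name, NULL or "" if none */
    int writable_attrs;        /* assumption: provider implements attribute writes */
    int nested_groups;         /* assumption: provider resolves nested groups */
} dir_config_t;

static int has_attr(const char *s) { return s != NULL && s[0] != '\0'; }

/* Start from zero and OR in each capability, as the page describes, but only
   when the user attributes that capability depends on are configured. */
unsigned long build_capabilities(const dir_config_t *cfg)
{
    unsigned long caps = 0;
    int pw = has_attr(cfg->password_attr), dis = has_attr(cfg->disabled_attr);

    if (pw)                  caps |= Sm_DirApi_Capability_ChangeUserPassword;
    if (dis)                 caps |= Sm_DirApi_Capability_DisableUser;
    if (pw && dis)           caps |= Sm_DirApi_Capability_ForceResetUserPassword;
    if (cfg->writable_attrs) caps |= Sm_DirApi_Capability_SetUserAttributes;
    if (cfg->nested_groups)  caps |= Sm_DirApi_Capability_Recursive;
    return caps;
}

/* Nonzero only when every bit in 'required' is advertised in 'caps'. */
int has_capability(unsigned long caps, unsigned long required)
{
    return required != 0 && (caps & required) == required;
}

int main(void)
{
    dir_config_t cfg = { "password", NULL, 0, 0 }; /* constructed sample: no Disabled Flag */
    unsigned long caps = build_capabilities(&cfg);
    printf("caps=0x%08lx force_reset=%d\n", caps,
           has_capability(caps, Sm_DirApi_Capability_ForceResetUserPassword));
    return 0;
}
```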
Ensure that no other application changes data in fields intended for use by CA Single Sign-On. For example, no other application should change data in the field that holds the disabled state of a CA Single Sign-On user.
Policy Resolutions
Sm_PolicyResolution_t, defined in SmApi.h, enumerates the values that describe the relationship between two policy objects. The following Directory API functions use Sm_PolicyResolution_t:
- SmDirAddEntry()
- SmDirGetDirObjInfo()
- SmDirRemoveEntry()
- SmDirValidateUserPolicyRelationship()