On Wed, 16 Apr 2008 09:46:49 -0500, Paul Whelan <[EMAIL PROTECTED]> wrote:
>I'm trying to use the RACF command exit IRREVX01 to limit the types of
>searches submitted through a z/OS LDAP server and am seeing some very
>strange behaviour that I can't understand. If I tell the exit to reject any
>search command containing FILTER(*) the exit works perfectly and if I tell
>the exit to reject any search containing FILTER(SI1*) it also works perfectly.
>
>However, as we need to reject certain FILTER values I need to be a bit more
>selective and first of all find FILTER( in the command then process the
>FILTER argument(s) to decide whether to reject the command or not which is
>where I am coming unstuck. If I tell the exit to reject FILTER( (as a first
>pass before further refining the exit to check the arguments) it does not
>work, that is to say, it does not find FILTER(. It is also incapable of
>finding just FILTER.
>
Your exit seems to expect "FILTER(" exactly at the end of the command
buffer. It won't be there.
While the FILTER keyword may be last in the buffer, the string "FILTER("
would not be last, as the operand (e.g., "*)" ) will follow it.
Assuming your earlier versions looked for FILTER(*) at the end, that would
have worked. Or looking for FILTER(SI1*) at the end would have worked. But
not looking for FILTER( at the end.
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
