<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create and join a new local domain" />
<meta name="abstract" content="This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure the local directory server to be the EIM domain controller for the new domain." />
<meta name="description" content="This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure the local directory server to be the EIM domain controller for the new domain." />
<meta name="DC.Relation" scheme="URI" content="rzalvcnfg.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalvcnfgconfigwiz2" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create and join a new local domain</title>
</head>
<body id="rzalvcnfgconfigwiz2"><a name="rzalvcnfgconfigwiz2"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create and join a new local domain</h1>
<div><p>This information explains how to create a new Enterprise Identity
Mapping (EIM) domain for your enterprise and to configure the local directory
server to be the EIM domain controller for the new domain.</p>
<div class="section"><p>When you use the EIM Configuration wizard to create and join a
new domain, you can choose to configure the EIM domain controller on the local
system as part of creating your EIM configuration. If necessary, the EIM Configuration
wizard ensures that you provide basic configuration information for the directory
server. Also, if Kerberos is not currently configured on the iSeries™ server,
the wizard prompts you to launch the Network Authentication Service Configuration
wizard.</p>
<div class="p">When you complete the EIM Configuration wizard, you can accomplish
these tasks: <ul><li>Create a new EIM domain.</li>
<li>Configure the local directory server to act as the EIM domain controller.</li>
<li>Configure network authentication service for the system.</li>
<li>Create EIM registry definitions for the local i5/OS™ registry and the Kerberos registry.</li>
<li>Configure the system to participate in the new EIM domain.</li>
</ul>
</div>
<p>To configure your system to create and join a new EIM domain,
you must have all the following special authorities: </p>
<ul><li>Security administrator (*SECADM).</li>
<li>All object (*ALLOBJ).</li>
<li>System configuration (*IOSYSCFG).</li>
</ul>
<p>To use the EIM Configuration wizard to create and join a new local
domain, complete these steps:</p>
</div>
<ol><li class="stepexpand"><span>In iSeries Navigator,
select the system for which you want to configure EIM and expand <span class="uicontrol">Network
&gt; Enterprise Identity Mapping</span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure...</span> to
start the EIM Configuration wizard.</span> <div class="note"><span class="notetitle">Note:</span> This option is labeled <span class="uicontrol">Reconfigure...</span> if
EIM has been previously configured on the system.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page of the wizard, select <span class="uicontrol">Create
and join a new domain</span>, and click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page,
select <span class="uicontrol">On the local Directory server</span> and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> This option configures the local directory server to act as the
EIM domain controller. Because this directory server stores all EIM data for
the domain, it must be active and remain active to support EIM mapping lookups
and other operations.</div>
<p>If network authentication service is not currently
configured on the iSeries server, or additional network authentication
configuration information is needed to configure a single signon environment,
the <span class="uicontrol">Network Authentication Services Configuration</span> page
displays. This page allows you to start the Network Authentication Service Configuration
wizard so that you can <a href="../rzakh/rzakhconfig.htm">configure network authentication service</a>. Or, you can
configure Network Authentication Service at a later time by using the configuration
wizard for this service through iSeries Navigator. When you complete
network authentication service configuration, the EIM Configuration wizard
continues.</p>
</li>
<li class="stepexpand"><span>To configure network authentication service, complete these steps:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
select <span class="uicontrol">Yes</span> to start the Network Authentication Service
Configuration wizard. With this wizard, you can configure several i5/OS interfaces
and services to participate in a Kerberos realm as well as configure a single
signon environment that uses both EIM and network authentication service.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page,
specify the name of the default realm in the <span class="uicontrol">Default realm</span> field.
If you are using Microsoft<sup>®</sup> Active Directory for Kerberos authentication,
select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>,
and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
specify the fully qualified name of the Kerberos server for this realm in
the <span class="uicontrol">KDC</span> field, specify <samp class="codeph">88</samp> in the <span class="uicontrol">Port</span> field,
and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
select either <span class="uicontrol">Yes</span> or <span class="uicontrol">No</span> for
setting up a password server. The password server allows principals to change
passwords on the Kerberos server. If you select <span class="uicontrol">Yes</span>,
enter the password server name in the <span class="uicontrol">Password server</span> field.
In the <span class="uicontrol">Port</span> field, accept the default value of <samp class="codeph">464</samp>,
and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
Kerberos Authentication</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> You can also create keytab entries for the IBM<sup>®</sup> Directory
Server for iSeries (LDAP), iSeries NetServer™,
and iSeries HTTP
server if you want these services to use Kerberos authentication. You may
need to perform additional configuration for these services before they can
use Kerberos authentication.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create i5/OS Keytab Entry</span> page,
enter and confirm a password, and click <span class="uicontrol">Next</span>. This
is the same password you will use when you add the i5/OS principals to the Kerberos server.</span></li>
<li class="substepexpand"><strong>Optional: </strong><span>On the <span class="uicontrol">Create Batch File</span> page,
select <span class="uicontrol">Yes</span>, specify the following information, and
click <span class="uicontrol">Next</span>:</span> <ul><li>In the <span class="uicontrol">Batch file</span> field, update the directory path.
Click <span class="uicontrol">Browse</span> to locate the appropriate directory path,
or edit the path in the <span class="uicontrol">Batch file</span> field.</li>
<li>In the <span class="uicontrol">Include password</span> field, select <span class="uicontrol">Yes</span>.
This ensures that all passwords associated with the i5/OS service principal are included in
the batch file. It is important to note that passwords are displayed in clear
text and can be read by anyone with read access to the batch file. Therefore,
it is essential that you delete the batch file from the Kerberos server and
from the PC immediately after you use it. If you do not include the password,
you will be prompted for the password when you run the batch file.<div class="note"><span class="notetitle">Note:</span> You
can also manually add the service principals that are generated by the wizard
to Microsoft Active
Directory. To learn how to do this, see <a href="../rzakh/rzakhdefineiseries.htm">Add i5/OS principals to the Kerberos server</a>.</div>
</li>
</ul>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network authentication
service configuration details, and click <span class="uicontrol">Finish</span> to
return to the EIM Configuration wizard.</span></li>
</ol>
</li>
<li class="stepexpand"><span>If the local directory server is not currently configured, the <span class="uicontrol">Configure
Directory Server</span> page displays when the EIM Configuration wizard
resumes. Provide the following information to configure the local directory
server:</span> <div class="note"><span class="notetitle">Note:</span> If you configure the local directory server before
you use the EIM Configuration wizard, the <span class="uicontrol">Specify User for Connection</span> page
displays instead. Use this page to specify the distinguished name and password
for the LDAP administrator to ensure that the wizard has enough authority
to administer the EIM domain and the objects in it, and then continue with the next
step in this procedure. Click <span class="uicontrol">Help</span>, if necessary, to
determine what information to provide for this page.</div>
<ol type="a"><li><span>In the <span class="uicontrol">Port</span> field, accept the default
port number <samp class="codeph">389</samp>, or specify a different port number to use
for nonsecure EIM communications with the directory server.</span></li>
<li><span>In the <span class="uicontrol">Distinguished name</span> field, specify
the LDAP distinguished name (DN) that identifies the LDAP administrator for
the directory server. The EIM Configuration wizard creates this LDAP administrator
DN and uses it to configure the directory server as the domain controller
for the new domain that you are creating.</span></li>
<li><span>In the <span class="uicontrol">Password</span> field, specify the password
for the LDAP administrator.</span></li>
<li><span>In the <span class="uicontrol">Confirm password</span> field, specify
the password a second time for validation purposes.</span></li>
<li><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, provide the
following information:</span><ol type="a"><li><span>In the <span class="uicontrol">Domain</span> field, specify the name
of the EIM domain that you want to create. Accept the default name of <samp class="codeph">EIM</samp>,
or use any string of characters that makes sense to you. However, you cannot
use special characters such as <strong>= + &lt; &gt; , # ; \</strong> and <strong>*</strong>.</span></li>
<li><span>In the <span class="uicontrol">Description</span> field, enter text
to describe the domain.</span></li>
<li><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> page, select <span class="uicontrol">Yes</span> to
specify a parent DN for the domain that you are creating, or specify <span class="uicontrol">No</span> to
have EIM data stored in a directory location with a suffix whose name is derived
from the EIM domain name.</span> <div class="note"><span class="notetitle">Note:</span> When you create a domain on a local
directory server, a parent DN is optional. By specifying a parent DN, you
can specify where in the local LDAP namespace EIM data should reside for the
domain. When you do not specify a parent DN, EIM data resides in its own suffix
in the namespace. If you select <span class="uicontrol">Yes</span>, use the list box to select the
local LDAP suffix to use as the parent DN, or enter text to create and name
a new parent DN. It is not necessary to specify a parent DN for the new domain.
Click <span class="uicontrol">Help</span> for further information about using a parent
DN.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, specify
whether to add the local user registries to the EIM domain as registry definitions.
Select one or both of these user registry types:</span> <div class="note"><span class="notetitle">Note:</span> You do not
have to create the registry definitions at this time. If you choose to create
the registry definitions later, you need to <a href="rzalvadminaddusrreg.htm#rzalvadminaddusrreg">add the system registry definitions</a> and <a href="rzalvmanageconfigprops.htm#manage_config_props">update the EIM configuration properties</a>.</div>
<ol type="a"><li class="substepexpand"><span>Select <span class="uicontrol">Local i5/OS</span> to add a registry
definition for the local registry.</span> In the field provided, accept
the default value for the registry definition name or specify a different
value for the registry definition name. The EIM registry name is an arbitrary
string that represents the registry type and specific instance of that registry.</li>
<li class="substepexpand"><span>Select <span class="uicontrol">Kerberos</span> to add a registry definition
for a Kerberos registry. In the field provided, accept the default value for
the registry definition name or specify a different value for the registry
definition name.</span> The default registry definition name is the same
as the realm name. By accepting the default name and using the same Kerberos
registry name as the realm name, you can increase performance in retrieving
information from the registry. Select <span class="uicontrol">Kerberos user identities
are case sensitive</span>, if necessary.</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
a <span class="uicontrol">User type</span> that you want the system to use when performing
EIM operations on behalf of operating system functions.</span> These operations
include mapping lookup operations and deletion of associations when deleting
a local i5/OS user
profile. You can select one of the following types of users: <span class="uicontrol">Distinguished
name and password</span>, <span class="uicontrol">Kerberos keytab file and principal</span>,
or <span class="uicontrol">Kerberos principal and password</span>. The user types
that you can select vary based on the current system configuration. For example,
if Network Authentication Service is not configured for the system, then Kerberos
user types may not be available for selection. The user type that you select
determines the other information that you must provide to complete the page
as follows: <div class="note"><span class="notetitle">Note:</span> You must specify a user that is currently defined in the
directory server which is hosting the EIM domain controller. The user that
you specify must have privileges to perform mapping lookup and registry administration
for the local user registry at a minimum. If the user that you specify does
not have these privileges, then certain operating system functions related
to the use of single signon and the deletion of user profiles may fail.<p>If
you have not configured the directory server prior to running this wizard,
the only user type you can select is <span class="uicontrol">Distinguished name and password</span> and
the only distinguished name you can specify is the LDAP administrator's DN.</p>
</div>
<ul><li>If you select <span class="uicontrol">Distinguished name and password</span>,
provide the following information: <ul><li>In the <span class="uicontrol">Distinguished name</span> field, specify the LDAP
distinguished name that identifies the user for the system to use when performing
EIM operations.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for
the distinguished name.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password
a second time for verification purposes.</li>
</ul>
</li>
<li>If you select <span class="uicontrol">Kerberos principal and password</span>,
provide the following information: <ul><li>In the <span class="uicontrol">Principal</span> field, specify the Kerberos principal
name for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified
Kerberos realm name of which the principal is a member. The name of the principal
and realm uniquely identify the Kerberos users in the keytab file. For example,
the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is
represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
<li>In the <span class="uicontrol">Password</span> field, enter the password for the
user.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password
a second time for verification purposes.</li>
</ul>
</li>
<li>If you select <span class="uicontrol">Kerberos keytab file and principal</span>,
provide the following information: <ul><li>In the <span class="uicontrol">Keytab file</span> field, specify the fully qualified
path and keytab file name that contains the Kerberos principal for the system
to use when performing EIM operations. Or, click <span class="uicontrol">Browse...</span> to
browse through directories in the iSeries integrated file system to select
a keytab file.</li>
<li>In the <span class="uicontrol">Principal</span> field, specify the Kerberos principal
name for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified
Kerberos realm name of which the principal is a member. The name of the principal
and realm uniquely identify the Kerberos users in the keytab file. For example,
the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is
represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
</ul>
</li>
<li>Click <span class="uicontrol">Verify Connection</span> to ensure that the wizard
can use the specified user information to successfully establish a connection
to the EIM domain controller.</li>
<li>Click <span class="uicontrol">Next</span>.</li>
</ul>
</li>
<li class="stepexpand"><span>In the <span class="uicontrol">Summary</span> panel, review the configuration
information that you have provided. If all information is correct, click <span class="uicontrol">Finish</span>.</span></li>
</ol>
</div>
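<p>The wizard pages above state a handful of checkable rules: the domain name may not contain <samp class="codeph">= + &lt; &gt; , # ; \ *</samp> (every one of those except <samp class="codeph">*</samp> is a DN metacharacter, and <samp class="codeph">*</samp> is an LDAP filter wildcard), the KDC, password server and directory server default to ports 88, 464 and 389, and a Kerberos system user is recorded as <samp class="codeph">principal@realm</samp>. The following pre-flight checker is an added example, not IBM's code; the attribute name <samp class="codeph">ibm-eimDomainName</samp> it uses to show where the domain would land in the directory is an assumption, as are all sample values.</p>

```python
"""Pre-flight checks for the values the EIM Configuration wizard asks for.

Added example, not IBM code. Constraints come from the wizard pages
described above; the DN attribute name used in domain_dn() is an
assumption, not something the page states.
"""
import re

# Characters the Specify Domain page rejects. All but '*' are RFC 4514
# DN metacharacters; '*' is the LDAP filter wildcard.
EIM_DOMAIN_FORBIDDEN = frozenset('=+<>,#;\\*')

# Default ports named on the KDC, Password Server and Directory Server pages.
DEFAULT_PORTS = {"kdc": 88, "password_server": 464, "ldap": 389}

# One RDN of the form attr=value with no unescaped DN metacharacters.
_RDN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,=+<>#;\\"]+$')


def check_domain_name(name):
    """Return a list of problems with an EIM domain name (empty list = OK)."""
    problems = []
    if not name.strip():
        problems.append("domain name is empty")
    bad = sorted(set(name) & EIM_DOMAIN_FORBIDDEN)
    if bad:
        problems.append("domain name contains forbidden characters: " + " ".join(bad))
    return problems


def check_dn(dn):
    """Accept only plain 'attr=value,attr=value' DNs, which is all the LDAP
    administrator DN or a parent DN entered in the wizard should need."""
    if not dn:
        return False
    return all(_RDN.match(rdn.strip()) for rdn in dn.split(","))


def keytab_name(principal, realm):
    """Build the principal@realm form the page shows for keytab entries.
    The realm must be fully qualified (contain a dot) and the principal
    must be bare, otherwise the pair would not identify one user."""
    if not principal or "@" in principal or "." not in realm:
        raise ValueError("principal must be bare and realm fully qualified")
    return f"{principal}@{realm}"


def domain_dn(name, parent_dn=None):
    """Where EIM data for the domain would live: under the parent DN if one
    is given, otherwise as its own suffix derived from the domain name.
    The attribute name ibm-eimDomainName is an assumption."""
    if check_domain_name(name):
        raise ValueError("invalid domain name")
    rdn = f"ibm-eimDomainName={name}"
    if parent_dn:
        if not check_dn(parent_dn):
            raise ValueError("invalid parent DN")
        return f"{rdn},{parent_dn}"
    return rdn


def check_ports(kdc=88, password_server=464, ldap=389):
    """Return the ports that depart from the wizard defaults so that any
    non-default choice is a deliberate one."""
    given = {"kdc": kdc, "password_server": password_server, "ldap": ldap}
    return {k: v for k, v in given.items() if v != DEFAULT_PORTS[k]}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    print(check_domain_name("EIM"))
    print(check_domain_name("ord,dept*"))
    print(keytab_name("jsmith", "ordept.myco.com"))
    print(domain_dn("EIM", "o=myco,c=us"))
    print(check_ports(ldap=636))
```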
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvcnfg.htm" title="Use this information to learn how to use the Enterprise Identity Mapping (EIM) Configuration wizard to configure EIM for your iSeries servers.">Configure Enterprise Identity Mapping</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="finalizeyoureimconfigurationforthedomain"><a name="finalizeyoureimconfigurationforthedomain"><!-- --></a><h2 class="topictitle2">Finalize your EIM configuration for the domain</h2>
<div><div class="section">When the wizard finishes, it adds the new domain to the <span class="uicontrol">Domain
Management</span> folder and you have created a basic EIM configuration
for this server. However, you must complete these tasks to finalize your EIM
configuration for the domain: </div>
<ol><li class="stepexpand"><span>Use the EIM Configuration wizard on each additional server that
you want to have <a href="rzalvcnfgconfigwizard.htm#rzalvcnfgconfigwizard">join
the domain</a>.</span></li>
<li class="stepexpand"><span>Add EIM registry definitions to the EIM domain, if necessary, for
other non-iSeries servers and applications that you want to participate in
the EIM domain.</span> These registry definitions refer to the actual
user registries that must participate in the domain. You can either <a href="rzalvadminaddusrreg.htm#rzalvadminaddusrreg">add system registry definitions</a> or <a href="rzalvadminaddappreg.htm#rzalvadminaddappreg">add application registry
definitions</a> depending on your EIM implementation needs.</li>
<li class="stepexpand"><span>Based on your EIM implementation needs, determine whether to: </span> <ul><li><a href="rzalvadminidentcreate.htm#rzalvadminidentcreate">Create EIM
identifiers</a> for each unique user or entity in the domain and <a href="rzalvcrtidentifierassoc.htm#create_id_assoc">create identifier associations</a> for
them.</li>
<li><a href="rzalvcrtpolassoc.htm#create_pol_assoc">Create policy associations</a> to
map a group of users to a single target user identity.</li>
<li>Create a combination of these.</li>
</ul>
</li>
<li class="stepexpand"><span>Use the EIM <a href="rzalvtestmappings.htm#testmapping">test
a mapping</a> function to test the identity mappings for your EIM configuration.</span></li>
<li class="stepexpand"><span>If the only EIM user you have defined is the DN for the LDAP administrator,
then your EIM user has a high level of authority to all data on the directory
server. Therefore, you might consider creating one or more DNs as additional
users that have more appropriate and limited <a href="../rzalv/rzalveservereimauths.htm">access control</a> for EIM data.</span> To learn more
about creating DNs for the directory server, see <a href="../rzahy/rzahyunderdn.htm">Distinguished names</a> in the IBM Directory Server for iSeries (LDAP)
topic. The number of additional EIM users that you define depends on your
security policy's emphasis on the separation of security duties and responsibilities.
Typically, you might create at least the following two types of DNs:<ul><li><strong>A user that has EIM administrator access control</strong><p>This EIM administrator
DN provides the appropriate level of authority for an administrator who is
responsible for managing the EIM domain. This EIM administrator DN could
be used to connect to the domain controller when managing all aspects of the
EIM domain by means of iSeries Navigator.</p>
</li>
<li><strong>At least one user that has all of the following access controls</strong>:<ul><li>Identifier administrator</li>
<li>Registry administrator</li>
<li>EIM mapping operations</li>
</ul>
This user provides the appropriate level of access control required for
the system user that performs EIM operations on behalf of the operating system.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> To use this new DN for the system user instead of the LDAP administrator
DN, you must change the EIM configuration properties for the iSeries server.
See <a href="../rzalv/rzalvmanageconfigprops.htm">Manage
EIM configuration properties</a> to learn how to change the system user
DN.</div>
</li>
</ol>
<div class="section"><p>Additionally, you might want to use Secure Sockets Layer (SSL)
or Transport Layer Security (TLS) to <a href="rzalvseccon.htm#rzalvseccon">configure
a secure connection to the EIM domain controller</a> to protect the transmission
of EIM data. If you enable SSL for the directory server, you must update EIM
configuration properties to specify that the iSeries server uses a secure SSL connection.
Also, you must update the properties for the domain to specify that EIM uses
SSL connections for managing the domain through iSeries Navigator.</p>
<div class="note"><span class="notetitle">Note:</span> You might
need to perform additional tasks if you created a basic network authentication
service configuration, especially if you are implementing a single signon
environment. You can find information on these additional steps by reviewing
the complete configuration steps demonstrated by the scenario, <a href="../rzamz/rzamzenablessoos400.htm">Enable single signon
for i5/OS</a>.</div>
</div>
</div>
</div>
</body>
</html>