<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Enterprise Identity Mapping (EIM)</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahqeim"></a>
<h2 id="rzahqeim">Enterprise Identity Mapping (EIM)</h2>
<p><span class="bold">What is EIM?</span></p>
<p>Enterprise Identity Mapping (EIM) is a way to consolidate a user's various
user IDs and passwords under a single account. With EIM, a user logs on to a
system just once; EIM then works with other services behind the scenes to
authenticate the user to all of that user's accounts.</p>
<p>This is called a single sign-on environment. Authentication still takes
place whenever users attempt to access a new system; however, they are not
prompted for passwords. EIM reduces the need for users to keep track of and
manage multiple user names and passwords for other systems in the network.
Once a user is authenticated to the network, the user can access services and
applications across the enterprise without needing separate passwords for
these different systems.</p>
<p>The Information Center has an entire topic devoted to EIM. See <a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping</a>.</p>
<p>To learn the features of the different ways to enroll users to the Windows
environment, see <a href="rzahqencco.htm#rzahqencco">Types of user configurations</a>.</p>
<p><span class="bold">The EIMASSOC user profile attribute</span></p>
<p>EIMASSOC is a user profile attribute specifically designed to aid in configuring
EIM. At the i5/OS™ command prompt, type <tt>CHGUSRPRF</tt> followed by the
user profile name, then press F4 to prompt. Page down to the very bottom and
you will see a section labeled <tt>EIM association</tt>. Here is a summary of what the fields mean:</p>
<ul>
<li><span class="bold">Element 1: EIM identifier</span> This is the user ID that
EIM uses to identify you. Think of it as your master ID under which all your
other user IDs are stored. If you specify *USRPRF, the system uses your i5/OS
user profile name as the EIM identifier. Alternatively, you can specify any
valid character string. If you enter *DLT in this field and press Enter, you
are presented with a changed set of options for deleting EIM associations.</li>
<li><span class="bold">Element 2: Association type</span> This value specifies
how the i5/OS user profile that you are editing is associated with the EIM
identifier. With Windows environment on iSeries™, the values *TARGET, *TGTSRC, and
*ALL allow automatic creation or deletion of i5/OS target and Windows source associations.</li>
<li><span class="bold">Element 3: Association action</span> The special values
are:
<ul>
<li>*REPLACE The Windows source associations are removed from all EIM
identifiers that have an association for this user profile. For the enrolled
user, a new Windows source association is then added to the specified EIM
identifier.</li>
<li>*ADD For the enrolled user, a Windows source association is added.</li>
<li>*REMOVE The Windows source association is removed.</li></ul></li>
<li><span class="bold">Element 4: Create EIM identifier</span> This value specifies
whether the EIM identifier should be created if it does not already exist.
The special values allowed are *NOCRTEIMID (an EIM identifier is not created)
and *CRTEIMID (an EIM identifier is created if it does not already exist).</li></ul>
<p><span class="bold">Automatic and Manual EIM associations</span></p>
<p>In a typical EIM-configured environment that uses single sign-on, i5/OS target
associations and Windows source associations are defined. With integrated
Windows server user administration, the system administrator may decide to have
EIM associations defined automatically for enrolled Windows users. For instance,
if an enrolled Windows user has EIMASSOC(*USRPRF *TARGET *ADD *CRTEIMID)
specified, i5/OS automatically creates an i5/OS target association and a Windows
source association. The EIMASSOC information is not stored in the user profile,
and it is not saved or restored with the user profile. If the i5/OS system is not
configured for EIM, no association processing is done and the EIMASSOC
information is ignored.</p>
<p>If i5/OS is configured to use EIM and EIMASSOC processing is defined for the
enrolled user, integrated Windows server user administration automatically
creates or deletes Windows source associations for the user in the Windows EIM
registry. For a user enrolled locally to the Windows environment, the Windows
EIM registry name is the fully qualified, local Domain Name System (DNS) name,
and the Windows EIM registry type is defined to be Windows 2000. For users
enrolled to a Windows domain, the Windows registry name is the fully qualified
domain DNS name and the Windows registry type is defined to be Kerberos - case
ignore. If EIMASSOC is defined for a user, i5/OS is configured to use EIM, and
the Windows EIM registry does not exist, integrated Windows server user
administration creates the Windows EIM registry.</p>
<p><span class="bold">Use EIM associations to allow different Windows user profile
names</span></p>
<p>EIM provides a mechanism to associate user profiles in a directory system.
EIM allows an EIM identifier to have both an i5/OS user profile target association
and a Windows user profile source association defined. A user administrator can
define the Windows source association using a different Windows user profile
name than the user profile name in the i5/OS target association. Integrated
Windows user administration uses the Windows user profile from the defined EIM
Windows source association, if one exists, for Windows user enrollment. The i5/OS
target association must be defined. Using the EIM identifier, the administrator
must then define the Windows source association for that same EIM identifier in
the correct Windows EIM registry name and type. For a user enrolled locally to
Windows, the Windows EIM registry name is the fully qualified, local Domain Name
System (DNS) name and the Windows EIM registry type is defined to be
EIM_REGTYPE_WIN2K. For users enrolled to a Windows domain, the Windows registry
name is the fully qualified domain DNS name and the Windows registry type is
defined to be EIM_REGTYPE_KERBEROS_IG.</p>
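<p>The following is an added worked example, not IBM code and not the i5/OS implementation: a small Python model of the EIM domain that the EIMASSOC elements above operate on (EIM identifiers, registries, source and target associations) together with the source-to-identifier-to-target lookup that single sign-on relies on. The registry type names EIM_REGTYPE_WIN2K and EIM_REGTYPE_KERBEROS_IG come from this page; the class and function names, the i5/OS registry type string, the host and user names, and the behaviour chosen for edge cases the page does not spell out (an unknown identifier with *NOCRTEIMID, an ambiguous source lookup) are assumptions made for the example.</p>

```python
"""Toy model of EIM identifiers, registries and associations (added example).

Not IBM code. Registry types EIM_REGTYPE_WIN2K and EIM_REGTYPE_KERBEROS_IG are
from the page; every other name and value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

EIM_REGTYPE_WIN2K = "EIM_REGTYPE_WIN2K"              # local Windows enrollment (page)
EIM_REGTYPE_KERBEROS_IG = "EIM_REGTYPE_KERBEROS_IG"  # Windows domain enrollment (page)
I5OS_REGTYPE = "I5OS_REGTYPE_PLACEHOLDER"            # assumption: not named on the page


def windows_registry(host_fqdn: str, domain_fqdn: Optional[str] = None):
    """Windows EIM registry name and type, as the page describes them."""
    if domain_fqdn is None:
        return host_fqdn, EIM_REGTYPE_WIN2K        # local user: host's DNS name
    return domain_fqdn, EIM_REGTYPE_KERBEROS_IG    # domain user: domain DNS name


@dataclass(frozen=True)
class Association:
    identifier: str   # EIM identifier (the "master ID")
    kind: str         # "source" or "target"
    registry: str     # registry name the user name belongs to
    user: str         # user name inside that registry


class EimDomain:
    def __init__(self) -> None:
        self.identifiers = set()
        self.registries = {}       # registry name -> registry type
        self.associations = set()

    def ensure_registry(self, name: str, reg_type: str) -> None:
        # page: the Windows EIM registry is created if it does not exist yet
        self.registries.setdefault(name, reg_type)

    def apply_eimassoc(self, i5os_profile, i5os_registry, win_user,
                       win_registry, win_reg_type, eimassoc: str):
        """Apply an EIMASSOC(...) value as the page describes for an enrolled user."""
        eim_id, assoc_type, action, create = eimassoc.split()
        if eim_id == "*USRPRF":
            eim_id = i5os_profile                     # Element 1: *USRPRF
        if assoc_type not in ("*TARGET", "*TGTSRC", "*ALL"):
            return None                               # Element 2: no auto-processing
        if eim_id not in self.identifiers:            # Element 4
            if create != "*CRTEIMID":
                # assumption: the page only says the identifier is not created
                raise LookupError(f"EIM identifier {eim_id!r} missing and {create} given")
            self.identifiers.add(eim_id)
        self.ensure_registry(i5os_registry, I5OS_REGTYPE)
        self.ensure_registry(win_registry, win_reg_type)
        target = Association(eim_id, "target", i5os_registry, i5os_profile)
        source = Association(eim_id, "source", win_registry, win_user)
        if action == "*REPLACE":                      # Element 3
            # drop this Windows user's source association from every identifier ...
            self.associations = {a for a in self.associations
                                 if not (a.kind == "source" and a.registry == win_registry
                                         and a.user == win_user)}
            self.associations |= {target, source}     # ... then add it to this one
        elif action == "*ADD":
            self.associations |= {target, source}
        elif action == "*REMOVE":
            self.associations.discard(source)         # assumption: target is kept
        else:
            raise ValueError(f"unknown association action {action!r}")
        return eim_id

    def lookup(self, source_registry, source_user, target_registry):
        """Single sign-on mapping: source user -> EIM identifier -> target user."""
        ids = {a.identifier for a in self.associations
               if a.kind == "source" and a.registry == source_registry
               and a.user == source_user}
        if len(ids) != 1:
            return None                               # unknown or ambiguous: no mapping
        (eim_id,) = ids
        for a in self.associations:
            if a.identifier == eim_id and a.kind == "target" and a.registry == target_registry:
                return a.user
        return None


def demo():
    """Walks through the page's scenarios on constructed names; returns the lookups."""
    d = EimDomain()
    win_name, win_type = windows_registry("winsrv.example.com")   # constructed local host
    # automatic association from the page: EIMASSOC(*USRPRF *TARGET *ADD *CRTEIMID)
    d.apply_eimassoc("JSMITH", "SYS1.EXAMPLE.COM", "JSMITH", win_name, win_type,
                     "*USRPRF *TARGET *ADD *CRTEIMID")
    first = d.lookup(win_name, "JSMITH", "SYS1.EXAMPLE.COM")
    # a different Windows name, first parked under another identifier, then *REPLACE moves it
    d.apply_eimassoc("JSMITH", "SYS1.EXAMPLE.COM", "john.smith", win_name, win_type,
                     "OLDID *TARGET *ADD *CRTEIMID")
    d.apply_eimassoc("JSMITH", "SYS1.EXAMPLE.COM", "john.smith", win_name, win_type,
                     "*USRPRF *TARGET *REPLACE *NOCRTEIMID")
    moved = d.lookup(win_name, "john.smith", "SYS1.EXAMPLE.COM")
    old_has_source = any(a.identifier == "OLDID" and a.kind == "source" for a in d.associations)
    # *REMOVE drops the Windows source association, so the mapping disappears
    d.apply_eimassoc("JSMITH", "SYS1.EXAMPLE.COM", "JSMITH", win_name, win_type,
                     "*USRPRF *TARGET *REMOVE *NOCRTEIMID")
    removed = d.lookup(win_name, "JSMITH", "SYS1.EXAMPLE.COM")
    return first, moved, old_has_source, removed


if __name__ == "__main__":
    print(demo())
```

<p>The model makes the page's two points visible: the Windows source name and the i5/OS target name need not match (the <code>john.smith</code> source still resolves to the <code>JSMITH</code> profile once both hang off the same identifier in the right registry), and *REPLACE differs from *ADD only in first clearing that Windows user's source association from every other identifier, which is what keeps a later lookup from becoming ambiguous.</p>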
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>