<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="concept" /> <meta name="DC.Title" content="Plan an Enterprise Identity Mapping domain controller" /> <meta name="DC.Relation" scheme="URI" content="rzalv_plan_eim_for_eserver.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzalv_plan_controller" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Plan an Enterprise Identity Mapping domain controller</title> </head> <body id="rzalv_plan_controller"><a name="rzalv_plan_controller"><!-- --></a> <h1 class="topictitle1">Plan an Enterprise Identity Mapping domain controller</h1> <div><p>As you gather information to define your Enterprise Identity Mapping (EIM) domain, you need to determine which directory server product will act as the <a href="rzalveserverdmnctrlr.htm#rzalveserverdmnctrlr">EIM domain controller</a>. EIM requires that the domain controller be hosted by a directory server that supports Lightweight Directory Access Protocol (LDAP) Version 3. Additionally, the directory server product must be able to accept the <a href="rzalv_eim_ldap_schema.htm#rzalv_eim_ldap_schema">LDAP schema and other considerations for EIM</a> and understand certain attributes and object classes. </p> <p>If your enterprise possesses more than one directory server that can host an EIM domain controller, you should also consider whether to use secondary replicated domain controllers. For example, if you expect a large number of EIM mapping lookup operations, replicas can improve the performance of those lookups.</p> <p>Also, you should consider whether to make your domain controller <em>local</em> or <em>remote</em> in relation to the system that you expect to run the largest number of mapping lookup operations. Making the domain controller local to the high-volume system can improve the performance of lookup operations for that system. Use the planning work sheets to record these planning decisions, as well as those you make about your domain and other directory information. 
</p> <p> After you determine which directory server in your enterprise will host your EIM domain controller, you need to make some decisions about domain controller access.</p> <div class="section"><h4 class="sectiontitle">Plan domain controller access</h4><p>You need to plan how you and EIM-enabled applications and operating systems will access the directory server that hosts the EIM domain controller. To access an EIM domain you must: </p> <ol><li>Be able to bind to the EIM domain controller</li> <li>Make sure that the bind subject is a member of an EIM access control group, or is the LDAP administrator. Refer to <a href="rzalvadminusrauthorities.htm#rzalvadminusrauthorities">Manage EIM access control</a> for more information.</li> </ol> </div> <div class="section"><h4 class="sectiontitle">Select type of EIM binding</h4><p>EIM APIs support several different mechanisms for establishing a connection, also known as binding, with the EIM domain controller. Each type of binding mechanism provides a different level of authentication and encryption for the connection. The possible choices are:</p> <ul><li><strong>Simple Binds</strong> <span class="br">A simple bind is an LDAP connection in which an LDAP client provides a bind distinguished name and a bind password to the LDAP server for authentication. The bind distinguished name and password are defined by the LDAP administrator in the LDAP directory. This is the weakest form of authentication and the least secure, because the bind distinguished name and password are sent unencrypted and are vulnerable to eavesdropping. <span class="br">You can use CRAM-MD5 (challenge-response authentication mechanism) to add a level of protection for the bind password. 
With the CRAM-MD5 protocol, the client sends a hashed value instead of the cleartext password to the server for authentication.</span></span> </li> <li><strong>Server authentication with Secure Sockets Layer (SSL) - server side authentication</strong> <span class="br">An LDAP server can be configured for SSL or Transport Layer Security (TLS) connections. The LDAP server uses a digital certificate to authenticate itself to the LDAP client and establishes an encrypted communications session between them. Only the LDAP server is authenticated by means of a certificate. The end user is authenticated by means of a bind distinguished name and password. The strength of the authentication is the same as for a simple bind, but all data (including the bind distinguished name and password) is encrypted for privacy. </span></li> <li><strong>Client authentication with SSL</strong> <span class="br">An LDAP server can be configured to require that the end user be authenticated by means of a digital certificate rather than a bind distinguished name and password for SSL or TLS secure connections to the LDAP server. Both client and server are authenticated and the session is encrypted. This option provides a stronger level of user authentication and protects the privacy of all data transmitted. </span> </li> <li><strong>Kerberos authentication</strong> <span class="br">An LDAP client can be authenticated to the server by using a Kerberos ticket as an optional replacement for a bind distinguished name and password. Kerberos, a trusted third-party network authentication system, allows a principal (a user or service) to prove its identity to another service within an unsecured network. Authentication of principals is completed through a centralized server called a key distribution center (KDC). The KDC authenticates a principal and issues it Kerberos tickets; these tickets prove the principal's identity to other services in the network. 
Once a principal has been authenticated by means of a ticket, it and the target service can exchange encrypted data. This option provides a stronger level of user authentication and protects the privacy of authentication information.</span></li> </ul> <p>The choice of a bind mechanism depends on the level of security that the EIM-enabled application requires and on the authentication mechanisms that the LDAP server hosting the EIM domain supports. </p> <p>You might also have to perform additional configuration tasks on the LDAP server to enable the authentication mechanism that you choose. Check the documentation for the LDAP server that hosts your domain controller to determine what other configuration tasks you need to perform. </p> </div> <div class="section"><h4 class="sectiontitle">Example planning work sheet: domain controller information</h4><p>After making your decisions about your EIM domain controller, use the planning work sheets to record the EIM domain controller information that your EIM-enabled operating systems and applications need. The LDAP administrator can use the information that you gather in this process to define the bind identity of the application or operating system to the LDAP directory server that hosts the EIM domain controller. </p> <p>The following sample portion of the planning work sheets shows the type of information that you need to gather. It also includes sample values that you could use when you configure the EIM domain controller.</p> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. 
Domain and domain controller information for EIM planning worksheet</caption><thead align="left"><tr><th align="left" valign="top" width="50.25125628140703%" id="d0e98">Information needed to configure EIM domain and domain controller</th> <th valign="top" width="49.74874371859296%" id="d0e100">Example answers</th> </tr> </thead> <tbody><tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">A meaningful name for the domain. This could be the name of a company, a department, or an application that uses the domain.</td> <td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">MyDomain</samp></td> </tr> <tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Optional: If configuring an EIM domain in an already existing LDAP directory, specify a parent distinguished name for the domain. This is the distinguished name that represents the entry immediately above your domain name entry in the directory information tree hierarchy, for example, <samp class="codeph">o=ibm,c=us</samp>. </td> <td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">o=ibm,c=us</samp></td> </tr> <tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Resulting fully qualified EIM domain distinguished name. This is the fully defined name of the EIM domain that describes the directory location for EIM domain data. The fully qualified domain distinguished name consists of, at a minimum, the DN for the domain (<samp class="codeph">ibm-eimDomainName=</samp>), plus the domain name that you specified. If you choose to specify a parent DN for the domain, then the fully qualified domain DN consists of the relative domain DN (<samp class="codeph">ibm-eimDomainName=</samp>), the domain name (MyDomain), and the parent DN (<samp class="codeph">o=ibm,c=us</samp>). 
</td> <td valign="top" width="49.74874371859296%" headers="d0e100 ">Either of these, depending on whether you choose a parent DN: <ul><li><samp class="codeph">ibm-eimDomainName=MyDomain</samp></li> <li><samp class="codeph">ibm-eimDomainName=MyDomain,o=ibm,c=us</samp></li> </ul> </td> </tr> <tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Connection address for the domain controller. This consists of the type of connection (basic LDAP or secure LDAP, for example, <samp class="codeph">ldap://</samp> or <samp class="codeph">ldaps://</samp>) plus the following information:</td> <td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">ldap://</samp></td> </tr> <tr><td valign="top" width="50.25125628140703%" headers="d0e98 "> <ul><li>Optional: The host name or IP address</li> <li>Optional: The port number</li> </ul> </td> <td valign="top" width="49.74874371859296%" headers="d0e100 "> <ul><li><samp class="codeph">some.ldap.host</samp></li> <li><samp class="codeph">389</samp></li> </ul> </td> </tr> <tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Resulting complete connection address for the domain controller. </td> <td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">ldap://some.ldap.host:389</samp></td> </tr> <tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Bind mechanism required by applications or systems. Choices include: <ul><li>Simple bind</li> <li>CRAM MD5</li> <li>Server authentication</li> <li>Client authentication</li> <li>Kerberos</li> </ul> </td> <td valign="top" width="49.74874371859296%" headers="d0e100 ">Kerberos</td> </tr> </tbody> </table> </div> </div> <p>If your EIM configuration and administration team consists of multiple team members, you need to determine the bind identity and mechanism that each team member should use for accessing the EIM domain, based on their role. 
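The work sheet decisions above can be checked mechanically before anything is configured. The following Python is an added example, not IBM's code and not part of the EIM APIs: it builds the fully qualified EIM domain DN from a domain name and an optional parent DN (escaping the RDN special characters that RFC 4514 defines), builds the connection address from the connection type, host and port, and rates a chosen bind mechanism against the transport using the properties described under "Select type of EIM binding", so that a plan that would send a bind password in the clear over ldap:// is flagged. The function names, the BindAssessment fields and the sample plan rows (work sheet example values plus a constructed ldaps:// address on port 636) are assumptions made for this example.

```python
"""Added example (not IBM's code): helpers for the EIM domain controller
planning decisions above -- building the fully qualified domain DN, building
the connection address, and rating a bind mechanism against the transport."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_RDN_SPECIAL = set('\\,+"<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a distinguished name."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        # '#' must be escaped at the start of the value, and spaces at either end.
        if ch in _RDN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def eim_domain_dn(domain_name: str, parent_dn: Optional[str] = None) -> str:
    """ibm-eimDomainName=<domain>[,<parent DN>], as in the planning work sheet."""
    rdn = 'ibm-eimDomainName=' + escape_rdn_value(domain_name)
    return f'{rdn},{parent_dn}' if parent_dn else rdn


def connection_address(secure: bool, host: Optional[str] = None,
                       port: Optional[int] = None) -> str:
    """ldap:// or ldaps://, followed by the optional host name and port."""
    address = 'ldaps://' if secure else 'ldap://'
    if host:
        address += host          # an IPv6 literal would need [] brackets; not handled here
        if port is not None:
            address += f':{port}'
    return address


@dataclass(frozen=True)
class BindAssessment:
    mechanism: str
    password_in_clear: bool      # bind password is readable on the wire
    session_encrypted: bool      # directory data is protected in transit
    server_cert_verified: bool   # client verifies the server's certificate
    client_proof: str            # what the client presents to prove its identity
    note: str


def assess_bind(mechanism: str, address: str) -> BindAssessment:
    """Rate one mechanism/transport pair using the properties the text describes."""
    mech = ' '.join(mechanism.lower().replace('-', ' ').split())
    secure = address.lower().startswith('ldaps://')
    if mech == 'simple bind':
        note = ('bind DN and password are sent unencrypted and can be eavesdropped'
                if not secure else 'password encrypted in transit by TLS')
        return BindAssessment(mech, not secure, secure, secure, 'password', note)
    if mech == 'cram md5':
        note = ('password itself is not sent, but directory data is unencrypted without TLS'
                if not secure else 'hashed password; session encrypted')
        return BindAssessment(mech, False, secure, secure, 'hashed password', note)
    if mech in ('server authentication', 'client authentication'):
        if not secure:
            raise ValueError(f'{mech} requires an ldaps:// connection address')
        if mech == 'client authentication':
            return BindAssessment(mech, False, True, True, 'certificate',
                                  'both sides proven by certificate; all data encrypted')
        return BindAssessment(mech, False, True, True, 'password',
                              'server proven by certificate; all data encrypted')
    if mech == 'kerberos':
        note = ('authentication exchange protected by Kerberos'
                + ('' if secure else '; use ldaps:// to also encrypt directory data'))
        return BindAssessment(mech, False, secure, secure, 'kerberos ticket', note)
    raise ValueError(f'unknown bind mechanism: {mechanism!r}')


def review_bind_plan(rows: List[Tuple[str, str, str, str]]) -> List[str]:
    """One finding per planned bind identity whose password would cross the network in the clear."""
    findings = []
    for role, identity, mechanism, address in rows:
        result = assess_bind(mechanism, address)
        if result.password_in_clear:
            findings.append(f'{role} ({identity}): {result.note}')
    return findings


# Constructed sample plan in the work sheet's style: (role, bind identity, mechanism, address).
SAMPLE_PLAN = [
    ('EIM administrator', 'eimadmin@krbrealm1.com', 'Kerberos', 'ldap://some.ldap.host:389'),
    ('LDAP administrator', 'cn=administrator', 'simple bind', 'ldap://some.ldap.host:389'),
    ('EIM registry X administrator', 'cn=admin2', 'CRAM MD5', 'ldap://some.ldap.host:389'),
    ('EIM mapping lookup', 'cn=MyApp,c=US', 'simple bind', 'ldaps://some.ldap.host:636'),
]

if __name__ == '__main__':
    print(eim_domain_dn('MyDomain', 'o=ibm,c=us'))           # ibm-eimDomainName=MyDomain,o=ibm,c=us
    print(connection_address(False, 'some.ldap.host', 389))  # ldap://some.ldap.host:389
    for finding in review_bind_plan(SAMPLE_PLAN):
        print('FINDING:', finding)
```

Run as a script, the review reports only the LDAP administrator row: a simple bind over ldap:// is the one combination in the sample plan that puts a password on the wire unencrypted, while the same mechanism over ldaps:// (the mapping lookup row) is not flagged. Server and client authentication are rejected outright when paired with a plain ldap:// address, since the text defines both in terms of an SSL or TLS connection.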
Also, you need to determine the bind identity and mechanism for EIM application end users. You may find the following work sheet helpful as an example for gathering this information.</p> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Example bind identities planning work sheet</caption><thead align="left"><tr><th valign="top" width="25%" id="d0e205">EIM authority or role</th> <th align="left" valign="top" width="25%" id="d0e207">Bind identity</th> <th valign="top" width="25%" id="d0e209">Bind mechanism</th> <th valign="top" width="25%" id="d0e211">Reason needed</th> </tr> </thead> <tbody><tr><td valign="top" width="25%" headers="d0e205 ">EIM administrator</td> <td valign="top" width="25%" headers="d0e207 ">eimadmin@krbrealm1.com</td> <td valign="top" width="25%" headers="d0e209 ">kerberos</td> <td valign="top" width="25%" headers="d0e211 ">configure and manage EIM</td> </tr> <tr><td valign="top" width="25%" headers="d0e205 ">LDAP administrator</td> <td valign="top" width="25%" headers="d0e207 ">cn=administrator</td> <td valign="top" width="25%" headers="d0e209 ">simple bind</td> <td valign="top" width="25%" headers="d0e211 ">configure EIM domain controller</td> </tr> <tr><td valign="top" width="25%" headers="d0e205 ">EIM registry X administrator</td> <td valign="top" width="25%" headers="d0e207 ">cn=admin2</td> <td valign="top" width="25%" headers="d0e209 ">CRAM MD5</td> <td valign="top" width="25%" headers="d0e211 ">manage specific registry definition</td> </tr> <tr><td valign="top" width="25%" headers="d0e205 ">EIM mapping lookup</td> <td valign="top" width="25%" headers="d0e207 ">cn=MyApp,c=US</td> <td valign="top" width="25%" headers="d0e209 ">simple bind</td> <td valign="top" width="25%" headers="d0e211 ">perform application mapping lookup operations</td> </tr> </tbody> </table> </div> </div> <p>After you have gathered the information that you 
need for configuring your domain controller, you can <a href="rzalv_id_map_plan.htm#id_map_plan">develop an identity mapping plan</a>.</p> </div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzalv_plan_eim_for_eserver.htm">Plan Enterprise Identity Mapping for eServer</a></div> </div> </div> </body> </html>