<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Types of user configurations</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahqencco"></a>
<h3 id="rzahqencco">Types of user configurations</h3>
<p>It is helpful to think of integrated Windows users as fitting into three
basic types:</p>
<ul>
<li><span class="bold">Traditional user (password managed by i5/OS™)</span>
<br />By default, users are set to this type. This user works in both Windows and i5/OS. The i5/OS password and Windows password will be synchronized. Each time that
the integrated Windows server is restarted, the user's password will be reset
to the i5/OS password. Password changes can only be made in i5/OS. This user
type is recommended for running File Level Backup and remote Windows commands.
To set a Windows user to this configuration, use WRKUSRPRF to set the user
profile attribute LCLPWDMGT to *YES.</li>
<li><span class="bold">Windows password-managed user</span>
<br />This person does all or most of their work in Windows and may never, or rarely,
sign on to i5/OS. If the user signs on to i5/OS, they must use an authentication method
such as Kerberos to access i5/OS. This is discussed in the next section:
Windows user with Enterprise Identity Mapping (EIM) configured.
<p>When the
user profile attribute LCLPWDMGT(*NO) is defined for an i5/OS user, the i5/OS user profile password is set to *NONE. The i5/OS enrollment password is saved until Windows
enrollment is successfully completed. After the i5/OS user is enrolled to Windows, the Windows
user may change and manage their password in Windows without i5/OS overwriting
their password. Using this method allows for a more secure environment because
there are fewer passwords being managed. To read how to create a user of
this type, see <a href="rzahqchangepwdwindows.htm#rzahqchangepwdwindows">Changing the LCLPWDMGT user profile attribute</a>.</p></li>
<li><span class="bold">Windows user with Enterprise Identity Mapping (EIM) associations
automatically configured</span>
<br />Specifying the user
profile attribute of EIMASSOC to be *TGT, *TGTSRC, or *ALL allows the integrated
server to automatically define EIM Windows source associations. Using the
automatic definitions of associations makes configuring EIM easier. To read
how to create a user of this type, see <a href="rzahqeim.htm#rzahqeim">Enterprise Identity Mapping (EIM)</a>.</li>
<li><span class="bold">Windows user with Enterprise Identity Mapping (EIM) associations
manually configured</span>
<br />The user may choose to manually
define EIM Windows source associations. This method may be used to set the i5/OS user profile to be enrolled to a different Windows user profile name.
The user must manually define an i5/OS target association for the i5/OS user profile
and also a Windows source association for the same EIM identifier.</li></ul>
<a name="wq32"></a>
<table id="wq32" width="100%" summary="" border="1" frame="border" rules="all" class="singleborder">
<caption>Table 1. Types of user configurations</caption>
<thead valign="bottom">
<tr class="tablemainheaderbar">
<th id="wq33" align="left" valign="top">User type</th>
<th id="wq34" align="left" valign="top">Function provided</th>
<th id="wq35" align="left" valign="top">User profile definition</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td headers="wq33"><span class="bold">Traditional</span></td>
<td headers="wq34">
<ul>
<li>Both i5/OS and Windows fully functional.</li>
<li>Easy to configure.</li>
<li>Password is changed from i5/OS.</li>
<li>i5/OS and Windows user ID and passwords will be identical.</li>
<li>Recommended for system administrators, users who frequently use i5/OS, or for systems
which use i5/OS for backup and restoration of user profiles.</li></ul></td>
<td headers="wq35">LCLPWDMGT(*YES) and no EIM Windows source associations
defined.</td>
</tr>
<tr>
<td headers="wq33"><span class="bold">Windows password-managed user</span></td>
<td headers="wq34">
<ul>
<li>Password can be changed from Windows.</li>
<li>Simple configuration.</li>
<li>Windows password administration makes this configuration more secure because
the i5/OS password is *NONE.</li>
<li>i5/OS sign-on requires an authentication method such as Kerberos, which iSeries™ Navigator
supports for i5/OS sign-on.</li></ul></td>
<td headers="wq35">LCLPWDMGT(*NO)</td>
</tr>
<tr>
<td headers="wq33"><span class="bold">Windows user with Enterprise Identity
Mapping (EIM) associations auto configured</span></td>
<td headers="wq34">Automatic creation of Windows source associations makes
setup and configuration for Kerberos-enabled applications easier.</td>
<td headers="wq35">For example: EIMASSOC(*CHG *TARGET *ADD *CRTEIMID)</td>
</tr>
<tr>
<td headers="wq33"><span class="bold">Windows user with Enterprise Identity
Mapping (EIM) associations manually configured</span></td>
<td headers="wq34">Allows the user to define EIM associations for enrolled i5/OS user profiles to be different user profiles in Windows.</td>
<td headers="wq35">Use iSeries Navigator to manually define EIM i5/OS target associations and Windows source associations.</td>
</tr>
</tbody>
</table>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>