<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Lookup operation examples: Example 3" />
<meta name="abstract" content="Use this example to learn how the search flow works for a lookup operation that returns a target user identity from a default registry policy association." />
<meta name="description" content="Use this example to learn how the search flow works for a lookup operation that returns a target user identity from a default registry policy association." />
<meta name="DC.Relation" scheme="URI" content="rzalveservereimmaplookup.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalvlookupoperationexamplesexample3" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Lookup operation examples: Example 3</title>
</head>
<body id="rzalvlookupoperationexamplesexample3"><a name="rzalvlookupoperationexamplesexample3"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Lookup operation examples: Example 3</h1>
<div><p>Use this example to learn how the search flow works for a lookup
operation that returns a target user identity from a default registry policy
association.</p>
<p>In Figure 13, an administrator wants to map all desktop workstation users
in a Windows<sup>®</sup> Active
Directory registry to a single i5/OS™ user profile named <samp class="codeph">general_user</samp> in
an i5/OS registry
that he named <samp class="codeph">System_A</samp> in Enterprise Identity Mapping (EIM).
Windows uses Kerberos as its authentication method, and the administrator defined the Windows Active
Directory registry in EIM with the name <samp class="codeph">Desktops</samp>.
One of the user identities that the administrator wants to map from is a Kerberos
principal named <samp class="codeph">sajones</samp>.</p>
<p>The administrator creates a default registry policy association with the
following information: </p>
<ul><li>A source registry of <samp class="codeph">Desktops</samp>. </li>
<li>A target registry of <samp class="codeph">System_A</samp>.</li>
<li>A target user identity of <samp class="codeph">general_user</samp>.</li>
</ul>
<p><strong>Figure 13:</strong> A lookup operation returns a target user identity from
a default registry policy association. </p>
<p><br /><img src="rzalv506.gif" alt="Example 3. A lookup operation returns a target user identity from a default registry policy association." /><br /></p>
<div class="p">This configuration allows a mapping lookup operation to map all the Kerberos
principals in the <samp class="codeph">Desktops</samp> registry, including the <samp class="codeph">sajones</samp> principal,
to the i5/OS user
profile named <samp class="codeph">general_user</samp> as follows:
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th valign="top" id="d0e88">Source user identity and registry</th>
<th valign="top" id="d0e90">---&gt;</th>
<th valign="top" id="d0e92">Default registry policy association</th>
<th valign="top" id="d0e94">---&gt;</th>
<th valign="top" id="d0e96">Target user identity</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e88 "><samp class="codeph">sajones</samp> in <samp class="codeph">Desktops</samp> registry</td>
<td valign="top" headers="d0e90 ">---&gt;</td>
<td valign="top" headers="d0e92 ">Default registry policy association</td>
<td valign="top" headers="d0e94 ">---&gt;</td>
<td valign="top" headers="d0e96 "><samp class="codeph">general_user</samp> (in <samp class="codeph">System_A</samp> registry)</td>
</tr>
</tbody>
</table>
</div>
</div>
<p>The lookup operation search flows in this manner:</p>
<ol><li>The user <samp class="codeph">sajones</samp> logs on and authenticates to her Windows desktop
by means of her Kerberos principal in the <samp class="codeph">Desktops</samp> registry. </li>
<li>The user opens iSeries™ Navigator to access data on System A.</li>
<li>i5/OS uses
an EIM API to perform an EIM lookup operation with a source user identity
of <samp class="codeph">sajones</samp>, a source registry of <samp class="codeph">Desktops</samp>,
and a target registry of <samp class="codeph">System_A</samp>.</li>
<li>The EIM lookup operation checks whether mapping lookups are enabled for
the source registry <samp class="codeph">Desktops</samp> and target registry <samp class="codeph">System_A</samp>.
They are. </li>
<li>The lookup operation checks for a specific identifier source association
that matches the supplied source user identity of <samp class="codeph">sajones</samp> in
a source registry of <samp class="codeph">Desktops</samp>. It does not find a matching
identifier association. </li>
<li>The lookup operation checks whether the domain is enabled to use policy
associations. It is. </li>
<li>The lookup operation checks whether the target registry (<samp class="codeph">System_A</samp>)
is enabled to use policy associations. It is. </li>
<li>The lookup operation checks whether the source registry (<samp class="codeph">Desktops</samp>)
is an X.509 registry. It is not.</li>
<li>The lookup operation checks whether there is a default registry policy
association that matches the source registry definition name (<samp class="codeph">Desktops</samp>)
and the target registry definition name (<samp class="codeph">System_A</samp>). </li>
<li>The lookup operation determines that there is one and returns <samp class="codeph">general_user</samp> as
the target user identity.</li>
</ol>
<p>Sometimes an EIM lookup operation returns ambiguous results. This can happen,
for example, when more than one target user identity matches the specified
lookup operation criteria. Some EIM-enabled applications, including i5/OS applications
and products, are not designed to handle these ambiguous results and may fail
or give unexpected results. You may need to take action to resolve this situation.
For example, you may need to either change your EIM configuration or define
lookup information for each target user identity to prevent multiple matching
target user identities. Also, you can test a mapping to determine whether
the changes you make work as expected.</p>
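<p>The search flow in steps 4 through 10, together with the ambiguous-result case described above, as an added example that is not IBM code and does not call the EIM APIs: a simplified Python model in which every class, field and function name is hypothetical and the sample data is constructed from this page's scenario. The <samp class="codeph">resolve</samp> helper rejects any lookup that does not return exactly one target user identity.</p>
<pre>
```python
# Simplified model of the EIM lookup search flow; names are illustrative, not EIM API names.
from dataclasses import dataclass, field

@dataclass
class Registry:
    name: str
    lookups_enabled: bool = True    # mapping lookups enabled for this registry
    policies_enabled: bool = True   # registry may use policy associations
    x509: bool = False              # True for an X.509 registry

@dataclass
class Domain:
    registries: dict
    policies_enabled: bool = True   # domain may use policy associations
    # (source user, source registry, target registry) to target identities
    identifier_assocs: dict = field(default_factory=dict)
    # (source registry, target registry) to target identities
    default_registry_policies: dict = field(default_factory=dict)

def lookup(domain, source_user, source_reg, target_reg):
    """Return every matching target identity; an empty list means no mapping."""
    src, tgt = domain.registries[source_reg], domain.registries[target_reg]
    if not (src.lookups_enabled and tgt.lookups_enabled):           # step 4
        return []
    specific = domain.identifier_assocs.get((source_user, source_reg, target_reg))
    if specific:                                                    # step 5
        return list(specific)
    if not (domain.policies_enabled and tgt.policies_enabled):      # steps 6, 7
        return []
    if src.x509:                                                    # step 8
        raise NotImplementedError("X.509 source registries are not modelled")
    # steps 9 and 10: default registry policy association
    return list(domain.default_registry_policies.get((source_reg, target_reg), []))

def resolve(domain, source_user, source_reg, target_reg):
    """Fail closed: accept a lookup only when exactly one target comes back."""
    targets = lookup(domain, source_user, source_reg, target_reg)
    if len(targets) != 1:
        raise LookupError(f"expected one target identity, got {targets}")
    return targets[0]

def example_domain():
    """Constructed data matching the page: Desktops to System_A as general_user."""
    regs = {n: Registry(n) for n in ("Desktops", "System_A")}
    return Domain(regs, default_registry_policies={
        ("Desktops", "System_A"): ["general_user"]})
```
</pre>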
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalveservereimmaplookup.htm" title="This information explains the process for Enterprise Identity Mapping (EIM) mapping and view examples.">EIM lookup operations</a></div>
</div>
</div>
</body>
</html>