233 lines
14 KiB
HTML
233 lines
14 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Plan an Enterprise Identity Mapping domain controller" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzalv_plan_eim_for_eserver.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzalv_plan_controller" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Plan an Enterprise Identity Mapping domain controller</title>
|
|
</head>
|
|
<body id="rzalv_plan_controller"><a name="rzalv_plan_controller"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Plan an Enterprise Identity Mapping domain controller</h1>
|
|
<div><p>As you gather information to define your Enterprise Identity Mapping (EIM)
|
|
domain, you need to determine which directory server product will act as the <a href="rzalveserverdmnctrlr.htm#rzalveserverdmnctrlr">EIM domain
|
|
controller</a>. EIM requires that the domain controller be hosted by a
|
|
directory server that supports Lightweight Directory Access Protocol (LDAP)
|
|
Version 3. Additionally, the directory server product must be able to accept
|
|
the <a href="rzalv_eim_ldap_schema.htm#rzalv_eim_ldap_schema">LDAP
|
|
schema and other considerations for EIM</a> and understand certain attributes
|
|
and object classes. </p>
|
|
<p>If your enterprise possesses more than one directory server that can host
|
|
an EIM domain controller, you should also consider whether to use secondary
|
|
replicated domain controllers. For example, if you expect to have a large
|
|
number of EIM mapping lookup operations occurring, replicas can improve the
|
|
performance of the lookup operations.</p>
|
|
<p>Also, you should consider whether to make your domain controller <em>local</em> or <em>remote</em> in
|
|
relationship to the system you expect to be running the largest number of
|
|
mapping lookup operations. By having the domain controller be local to the
|
|
high-volume system, you may improve the performance of the lookup operations
|
|
for the local system. Use the planning work sheets to record these planning
|
|
decisions, as well as those you make about your domain and other directory
|
|
information. </p>
|
|
<p> After you determine which directory server in your enterprise will host
|
|
your EIM domain controller, you need to make some decisions about domain controller
|
|
access.</p>
|
|
<div class="section"><h4 class="sectiontitle">Plan domain controller access</h4><p>You need to plan how
|
|
you and EIM-enable applications and operating systems will access the directory
|
|
server that hosts the EIM domain controller. To access an EIM domain you must: </p>
|
|
<ol><li>Be able to bind to the EIM domain controller</li>
|
|
<li>Make sure that the bind subject is a member of an EIM access control group,
|
|
or is the LDAP administrator. Refer to <a href="rzalvadminusrauthorities.htm#rzalvadminusrauthorities">Manage
|
|
EIM access control</a> for more information.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Select type of EIM binding</h4><p>EIM APIs support several
|
|
different mechanisms for establishing a connection, also known as binding,
|
|
with the EIM domain controller. Each type of binding mechanism provides a
|
|
different level of authentication and encryption for the connection. The possible
|
|
choices are:</p>
|
|
<ul><li><strong>Simple Binds</strong> <span class="br">A simple bind is an LDAP connection
|
|
where an LDAP client provides a bind distinguished name and a bind password
|
|
to the LDAP server for authentication. The bind distinguished name and password
|
|
are defined by the LDAP administrator in the LDAP directory. This is the weakest
|
|
form of authentication and the least secure as the bind distinguished name
|
|
and password are sent unencrypted and are vulnerable to eavesdropping. <span class="br">You use CRAM-MD5 (challenge-response authentication mechanism)
|
|
to add an additional level of protection for the bind password. With the CRAM-MD5
|
|
protocol, the client sends a hashed value instead of the clear text password
|
|
to the server for authentication.</span></span><p></p>
|
|
</li>
|
|
<li><strong>Server authentication with Secure Sockets Layer (SSL) - server side
|
|
authentication</strong> <span class="br">An LDAP server can be configured for
|
|
SSL or Transport Layer Security (TLS) connections. The LDAP server uses a
|
|
digital certificate to authenticate itself to the LDAP client and establishes
|
|
an encrypted communications session between them. Only the LDAP server is
|
|
authenticated by means of a certificate. The end user is authenticated by
|
|
means of a bind distinguished name and password. The strength of the authentication
|
|
is the same as for a simple bind, but all data (including the bind distinguished
|
|
name and password) is encrypted for privacy. </span></li>
|
|
<li><strong>Client authentication with SSL</strong> <span class="br">An LDAP server
|
|
can be configured to require that the end user be authenticated by means of
|
|
a digital certificate rather than a bind distinguished name and password for
|
|
SSL or TLS secure connections to the LDAP server. Both client and server are
|
|
authenticated and the session is encrypted. This option provides a stronger
|
|
level of user authentication and protects the privacy of all data transmitted. </span> </li>
|
|
<li><strong>Kerberos authentication</strong> <span class="br">An LDAP client can
|
|
be authenticated to the server by using a Kerberos ticket as an optional replacement
|
|
for a bind distinguished name and password. (Kerberos), which is a trusted
|
|
third-party network authentication system, allows a principal (a user or service)
|
|
to prove its identity to another service within an unsecured network. Authentication
|
|
of principals is completed through a centralized server called a key distribution
|
|
center (KDC). The KDC authenticates a user with a Kerberos ticket. These tickets
|
|
prove the principal's identity to other services in a network. After a principal
|
|
is authenticated by these tickets, the principal and service can exchange
|
|
encrypted data with a target service. This option provides a stronger level
|
|
of user authentication and protects the privacy of authentication information.</span></li>
|
|
</ul>
|
|
<p>The choice of a bind mechanism is based on the level of security required
|
|
by the EIM-enabled application and the authentication mechanisms supported
|
|
by the LDAP server that hosts the EIM domain. </p>
|
|
<p>Also, you might have
|
|
to perform additional configuration tasks for the LDAP server to enable the
|
|
authentication mechanism that you choose to use. Check the documentation for
|
|
the LDAP server that hosts your domain controller to determine what other
|
|
configuration tasks you may need to perform. </p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Example planning work sheet: domain controller information</h4><p>After
|
|
making your decisions about your EIM domain controller, use the planning worksheets
|
|
to record the EIM domain controller information that your EIM-enabled operating
|
|
systems and applications need. The information that you gather as part of
|
|
this process can be used by the LDAP administrator to define the bind identity
|
|
of the application or operating system to the LDAP directory server that hosts
|
|
the EIM domain controller. </p>
|
|
<p>The following sample portion of the planning
|
|
work sheets shows the type of information that you need to gather. It also
|
|
includes sample values that you could use when you configure the EIM domain
|
|
controller.</p>
|
|
<div class="p">
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Domain and domain
|
|
controller information for EIM planning worksheet</caption><thead align="left"><tr><th align="left" valign="top" width="50.25125628140703%" id="d0e98">Information needed to configure EIM domain
|
|
and domain controller</th>
|
|
<th valign="top" width="49.74874371859296%" id="d0e100">Example answers</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">A meaningful name for the domain. This could be the name
|
|
of a company, a department, or an application that uses the domain.</td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">MyDomain</samp></td>
|
|
</tr>
|
|
<tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Optional: If configuring an EIM domain in an already existing
|
|
LDAP directory, specify a parent distinguished name for the domain. This is
|
|
the distinguished name that represents the entry immediately above your domain
|
|
name entry in the directory information tree hierarchy, for example, <samp class="codeph">o=ibm,c=us</samp>. </td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">o=ibm,c=us</samp></td>
|
|
</tr>
|
|
<tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Resulting fully qualified EIM domain distinguished name.
|
|
This is the fully defined name of the EIM domain that describes the directory
|
|
location for EIM domain data. The fully qualified domain distinguished name
|
|
consists of, at a minimum, the DN for the domain (<samp class="codeph">ibm-eimDomainName=</samp>),
|
|
plus the domain name that you specified. If you choose to specify a parent
|
|
DN for the domain, then the fully qualified domain DN consists of the relative
|
|
domain DN (<samp class="codeph">ibm-eimDomainName=</samp>), the domain name (MyDomain),
|
|
and the parent DN (<samp class="codeph">o=ibm,c=us</samp>). <div class="note"><span class="notetitle">Note:</span> </div>
|
|
</td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 ">Either of these, depending on whether you choose a parent
|
|
DN: <ul><li><samp class="codeph">ibm-eimDomainName=MyDomain</samp></li>
|
|
<li><samp class="codeph">ibm-eimDomainName=MyDomain,o=ibm,c=us</samp></li>
|
|
</ul>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Connection address for the domain controller. This consists
|
|
of the type of connection (basic ldap or secure ldap, for example, <samp class="codeph">ldap://</samp> or <samp class="codeph">ldaps://</samp>)
|
|
plus the following information:</td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">ldap://</samp></td>
|
|
</tr>
|
|
<tr><td valign="top" width="50.25125628140703%" headers="d0e98 "> <ul><li>Optional: The host name or IP address</li>
|
|
<li>Optional: The port number</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 "> <ul><li><samp class="codeph">some.ldap.host</samp></li>
|
|
<li><samp class="codeph">389</samp></li>
|
|
</ul>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Resulting complete connection address for the domain controller. </td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 "><samp class="codeph">ldap://some.ldap.host:389</samp></td>
|
|
</tr>
|
|
<tr><td valign="top" width="50.25125628140703%" headers="d0e98 ">Bind mechanism required by applications or systems. Choices
|
|
include: <ul><li>Simple bind</li>
|
|
<li>CRAM MD5</li>
|
|
<li>Server authentication</li>
|
|
<li>Client authentication</li>
|
|
<li>Kerberos</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="49.74874371859296%" headers="d0e100 ">Kerberos</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<p>If your EIM configuration and administration team consists
|
|
of multiple team members, you will need to determine the bind identity and
|
|
mechanism that each team member should use for accessing the EIM domain based
|
|
on their role. Also, you need to determine the bind identity and mechanism
|
|
for EIM application end users. You may find the following work sheet helpful
|
|
as an example for gathering this information.</p>
|
|
<div class="p">
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Example bind identities planning work sheet</caption><thead align="left"><tr><th valign="top" width="25%" id="d0e205">EIM authority or role</th>
|
|
<th align="left" valign="top" width="25%" id="d0e207">Bind identity</th>
|
|
<th valign="top" width="25%" id="d0e209">Bind mechanism</th>
|
|
<th valign="top" width="25%" id="d0e211">Reason needed</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" width="25%" headers="d0e205 ">EIM administrator</td>
|
|
<td valign="top" width="25%" headers="d0e207 ">eimadmin@krbrealm1.com</td>
|
|
<td valign="top" width="25%" headers="d0e209 ">kerberos</td>
|
|
<td valign="top" width="25%" headers="d0e211 ">configure and manage EIM</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25%" headers="d0e205 ">LDAP administrator</td>
|
|
<td valign="top" width="25%" headers="d0e207 ">cn=administrator</td>
|
|
<td valign="top" width="25%" headers="d0e209 ">simple bind</td>
|
|
<td valign="top" width="25%" headers="d0e211 ">configure EIM domain controller</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25%" headers="d0e205 ">EIM registry X administrator</td>
|
|
<td valign="top" width="25%" headers="d0e207 ">cn=admin2</td>
|
|
<td valign="top" width="25%" headers="d0e209 ">CRAM MD5</td>
|
|
<td valign="top" width="25%" headers="d0e211 ">manage specific registry definition</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25%" headers="d0e205 ">EIM mapping lookup</td>
|
|
<td valign="top" width="25%" headers="d0e207 ">cn=MyApp,c=US</td>
|
|
<td valign="top" width="25%" headers="d0e209 ">simple bind</td>
|
|
<td valign="top" width="25%" headers="d0e211 ">perform application mapping lookup operations</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<p>After you have gathered the information that you need for configuring
|
|
your domain controller, you can <a href="rzalv_id_map_plan.htm#id_map_plan">develop an identity mapping plan</a>.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalv_plan_eim_for_eserver.htm">Plan Enterprise Identity Mapping for eServer</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |