Wayne,

You wrote:
****************************************************************************************************
From: "Wayne Johnston" <wdjohnston@xxxxxxxxxxx>
subject: Single Server Signons

I'm looking into ways to consolidate the number of login profiles that are
required in our environment.  I would be very interested in anything you
all have done to step in this direction.  Our current environment
includes:

2 AS/400s @ V5R1
2 email systems
Microsoft NT server
Microsoft Server 2000 on an IPCS card

I'm consolidating the 2 email systems into one, and moving them to the
2nd AS/400.  I can specify the operating system password in the email
package, so that brings 3 down to 1.  I would especially like to 'link'
the AS/400 user profiles in some manner so that a change on one server
will force a change on the other.  Or, better yet, I would like one
AS/400 to be the master authenticator.

Will LDAP help me get where I want to go?

Thanks
Wayne
*********************************************************************************************************

Your "prayers" are somewhat answered certainly in V5R3 and perhaps V5R2
as far as the iSeries is concerned.   IBM has created the capability for
single signons using the Kerberos architecture, although they can not
call it Kerberos because MIT won't let them.   I just saw a presentation
by Wayne Evans at the Phoenix, AZ AS/400 Users group where he explained,
in excruciating detail, how it works.  As you suspect, you designate one
of your iSeries as being the master authenticator for the "Kerberos"
domain.    As you might suspect, once a person has been authenticated to
the domain they can access any application on any of the iSeries in that
domain subject to the restrictions for access by their profile on each
iSeries.   Basically, this new technology, whose name I can't remember,
will require a user to sign on using the sign-on menu, only once.   

Now, as you might imagine, there is no free lunch; this takes some
setup in the beginning.   First, I would recommend you have your
security squared away on each iSeries for each user; the obvious.   Then
you'll have to set up the master authenticator server with all the folks'
userids, etc., for each domain iSeries and then you'll have to set up
the "ticket" server which gives an access ticket to a specific iSeries
along with the encapsulated authentication from the authenticator
server.   The authenticator server and the "ticket" server can be on the
same box.

However, this new technology does not help you with your PCs and tying
them into the mix.   Perhaps it will in future as IBM expands the
"Kerberos" architecture.

Hope this helps.

Dave Odom
Arizona 
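
The flow described in the message above (one sign-on at the authenticator server, a per-system ticket from the ticket server, then each system applying its own profile restrictions), sketched as an added example that is not part of the original post and is not IBM's or MIT's code. Assumptions: tickets are only HMAC-sealed here, whereas real Kerberos also encrypts them, and every key, user, host and profile name is constructed for illustration.

```python
import hashlib, hmac, json

def kdf(password):  # fixed salt only because the sample data is constructed
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

def seal(key, claims):
    """Bind claims to the issuer's key with HMAC-SHA256 (integrity only)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob, now):
    """Reject tickets that were not sealed with `key` or that have expired."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket not issued by the trusted server")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise PermissionError("ticket expired")
    return claims

# Constructed sample data (hypothetical keys, user, hosts and local profiles).
TGS_KEY = b"tgs-secret"  # shared by authenticator server and ticket server
HOST_KEYS = {"SYSA": b"sysa-secret", "SYSB": b"sysb-secret"}
PW_HASH = {"wayne": kdf("pw-wayne")}
LOCAL_PROFILES = {"SYSA": {"wayne": {"PAYROLL", "ORDERS"}},
                  "SYSB": {"wayne": {"ORDERS"}}}

def sign_on(user, password, now):
    """Authenticator server: the one password check; returns a ticket-granting ticket."""
    if not hmac.compare_digest(kdf(password), PW_HASH.get(user, b"")):
        raise PermissionError("sign-on failed")
    return seal(TGS_KEY, {"user": user, "exp": now + 8 * 3600})

def get_ticket(tgt, host, now):
    """Ticket server: trades a valid TGT for a short-lived ticket for one host."""
    user = unseal(TGS_KEY, tgt, now)["user"]
    return seal(HOST_KEYS[host], {"user": user, "host": host, "exp": now + 300})

def access(host, ticket, app, now):
    """Target system: verify the ticket, then apply its own local profile."""
    claims = unseal(HOST_KEYS[host], ticket, now)
    if claims["host"] != host:  # defence in depth if host keys were ever shared
        raise PermissionError("ticket is for another host")
    return app in LOCAL_PROFILES[host].get(claims["user"], set())
```

A ticket issued for one system fails verification on another because each system holds its own key, and a valid ticket still grants only what the local profile on that system allows.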


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
