MIDRANGE dot COM Mailing List Archive

Re: Software for signons on iSeries and network


I don't know, Shannon - it's a set of record or entry types for LDAP - it's primarily used on the i. I've heard that there are implementations of EIM for Windows and Linux, with APIs. But I've had the worst time finding out more about that.

EIM is basically a lookup table - it has what are called user registries - those are lists of users for a certain environment, such as Windows or the iSeries or an application that has users with privileges for certain functions.

I think that if you could get some user ID from something, such as OpenID (I don't know anything about it), then you can map from that to a user in another setting, and the APIs help you find those associations, as they are called.

If you know Pat Botz, he wrote a lot of EIM - if not the whole thing. He'd have ideas of its use and maybe how it fits with other mechanisms.

Regards
Vern

On 2/26/2012 6:52 PM, Shannon ODonnell wrote:
That's good to know Vern!

Does EIM also work with OpenID that companies such as Google use?

http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html




-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Vern Hamberg
Sent: Sunday, February 26, 2012 1:18 PM
To: Midrange Systems Technical Discussion
Subject: Re: Software for signons on iSeries and network

EIM is absolutely no extra cost - it has been a part of the OS since V5R2. It uses the LDAP server (IBM Directory) on the iSeries/i. Kerberos support has been around since V4-something or other.

This is a fantastic solution for single-sign-on - there is no need for synchronizing passwords, because they are never passed around the enterprise. Authentication is completely Kerberos-based - Windows Authentication in a Windows domain IS Kerberos. And things like 5250 and Apache and network file shares and ODBC, even jt400 - can recognize that Kerberos was used. Then authorization only is based on profiles. Very cool!!

EIM is fairly easy to set up. It's essentially a lookup table - it maps, e.g., Windows users to iSeries user profile names. No passwords are stored.

The Kerberos support can be tricky - there be minefields out there. But I know of a company around here, where their network guy (not an i-er) got it all working.

Frank - if you want, I'm happy to discuss it with you - I've been working intimately with this stuff for the last several months. Call me at 888.rjs.soft - toll-free - ask for Vern. I won't try to sell you anything, I promise!!

Vern

On 2/26/2012 12:54 PM, Shannon ODonnell wrote:
What's the price-range on iSeries to achieve EIM?

A recurring problem we have all seen with solutions like this is that they are priced so high their use becomes prohibitive.



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DrFranken
Sent: Sunday, February 26, 2012 12:44 PM
To: Midrange Systems Technical Discussion
Subject: Re: Software for signons on iSeries and network

You need single sign-on along with Enterprise Identity Mapping. This capability eliminates IBM i passwords completely (except for admins).
The very short course is that IBM i and your active directory are connected allowing the Kerberos ticket present in your Windows session to be passed through IBM i to active directory for validation. The UserID sent back to IBM i from active directory is then correlated with that in EIM and that is the user ID used on IBM i. Thus you do not need the same userID on Windows and IBM i, you have no password on i at all, and as a result changing your windows password doesn't have any effect whatever on your IBM i signon because that's the only password you have.

- Larry "DrFranken" Bolhuis
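The EIM lookup table that Vern and DrFranken describe above (user registries, identifiers, and source/target associations, with the Kerberos principal resolved to an IBM i profile after authentication has already happened), as an added toy model written for this archive page. It is not IBM's EIM API; the registry names, identifiers and user names are constructed.

```python
"""Toy model of an Enterprise Identity Mapping (EIM) domain (constructed example).

An EIM identifier ties together one person's user names in several user
registries. A source association says "this registry user is this person";
a target association says "this person is this user in that registry".
No passwords are stored anywhere in the table: Kerberos has already
authenticated the caller before the lookup happens.
"""
from dataclasses import dataclass, field


@dataclass
class EimDomain:
    registries: set = field(default_factory=set)
    source: dict = field(default_factory=dict)   # (registry, user) -> identifier
    target: dict = field(default_factory=dict)   # identifier -> {registry: {users}}

    def add_registry(self, name: str) -> None:
        self.registries.add(name)

    def add_association(self, identifier: str, registry: str, user: str, kind: str = "both") -> None:
        if registry not in self.registries:
            raise KeyError(f"unknown registry {registry}")
        if kind in ("source", "both"):
            self.source[(registry, user)] = identifier
        if kind in ("target", "both"):
            self.target.setdefault(identifier, {}).setdefault(registry, set()).add(user)

    def lookup(self, src_registry: str, src_user: str, tgt_registry: str):
        """Map a source registry user to the target registry; None if unmapped."""
        ident = self.source.get((src_registry, src_user))
        if ident is None:
            return None
        users = self.target.get(ident, {}).get(tgt_registry, set())
        if len(users) > 1:  # EIM refuses to guess between several target users
            raise LookupError(f"ambiguous mapping for {ident!r} in {tgt_registry}")
        return next(iter(users), None)


def map_kerberos_principal(domain: EimDomain, principal: str, tgt_registry: str):
    """Treat the Kerberos realm of 'user@REALM' as the source registry name (assumption)."""
    user, _, realm = principal.rpartition("@")
    if not user or not realm:
        raise ValueError("expected user@REALM")
    return domain.lookup(realm, user, tgt_registry)


def build_demo_domain() -> EimDomain:
    d = EimDomain()
    d.add_registry("EXAMPLE.COM")            # Windows domain / Kerberos realm (constructed)
    d.add_registry("MYIBMI.EXAMPLE.COM")     # IBM i user profile registry (constructed)
    d.add_association("John Doe", "EXAMPLE.COM", "jdoe", "source")
    d.add_association("John Doe", "MYIBMI.EXAMPLE.COM", "JOHND", "target")
    d.add_association("Jane Roe", "EXAMPLE.COM", "jroe", "source")
    d.add_association("Jane Roe", "MYIBMI.EXAMPLE.COM", "JANER", "target")
    d.add_association("Jane Roe", "MYIBMI.EXAMPLE.COM", "JROE", "target")  # deliberately ambiguous
    return d
```

Note that the Windows name (jdoe) and the IBM i profile (JOHND) need not match, and an identifier with two target profiles on the same system is rejected rather than silently picking one.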

On 2/26/2012 1:36 PM, fbocch2595@xxxxxxx wrote:
Hi Folks, we’re looking for software that will authenticate iSeries signons against our active directory, and keep them in sync with a user's network password. In other words allowing automatic signon via the network password, AND keep them in sync. The net outcome would be so that when a user changes their network password it would also change their 400 password.

Your thoughts on this?


Thanks, Frank

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.



This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact