


Hi Darryl

As to SSO - I had a hard time getting the drift at first. So did the IBM vendor support guys. It seems we'd hit page 2 of the Redbook and find something I was supposed to just know. Then page 2 of the next book, and, voila, the same thing. With their help I eventually wrote SSO support into a product at my previous job.

Now they have put together an SSO 101 article - it's at http://www.ibm.com/developerworks/ibmi/library/i-sso/

You probably know - SSO is actually Kerberos. No one can use the word "Kerberos" in their SSO implementation, due to restrictions from MIT. IBM & others call it Network Authentication Service; Windows uses Kerberos as its default authentication mechanism - and AD is the trusted 3rd party.

There is a wizard in Navigator that can create a Windows BAT file with commands to set you up in the Active Directory server - you'll need to get the cooperation of the Windows networking folks, of course.

You mention Windows AD terminology - there is also Kerberos terminology itself - the main one I needed to understand was "principal" - mainly, that is a user - it can be a Windows principal, which means a Windows user. It can be an IBM i principal, which is a user profile.

The IBM docs talk about EIM - that is the IBM i function that maps a principal (user) in one system or app to a principal (user) in another. In particular, this lets you have different user names in the 2 systems.

EIM uses LDAP (IBM Directory Services on i) to hold the mapping of principals.

I think it's worth trying the stuff in that article. I know of places that have done it all themselves. IBM Lab Services has tools to simplify the process of mapping EIM, which can be really tedious in Navigator. Another resource is Pat Botz, formerly Lead Security Architect at IBM. http://www.botzandassociates.com/ - he has a webinar on SSO in a day on his site at http://www.botzandassociates.com/download/sso-in-a-day

There's a great article - dialogue about Kerberos from MIT - at http://web.mit.edu/kerberos/dialogue.html - pretty fun!

Feel free to contact me off-list, I might be able to help a little.

HTH
Vern

On 2/23/2015 7:32 PM, Darryl Freinkel wrote:
I have had this problem and the solution was simple.

We kept the ibm_i password in the basic 10 character format.

After experiencing issues similar to these, I contacted IBM and the rule they gave me was the password when entered must be single case. It can be either all upper case or all lower case. Since implementing this rule, our problems went away.

Another solution is to implement single sign-on (SSO). I have not been able to implement SSO. The IBM documents make it difficult for a non-Windows engineer to map IBM terminology with Windows AD terminology.

Darryl Freinkel


Sent from my iPad

On Feb 23, 2015, at 3:58 PM, rob@xxxxxxxxx wrote:

Mixed case passwords are a pain and have to be implemented carefully.
I'll trust the other repliers have put the correct links.
Comes up on this list a lot.
Other than the mixed case issue all passwords are kept in sync between IBM
i and Windows using Tivoli Identity Manager.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


