|
midrange.com
Depending on the interfaces you want to enable for this, it may be
possible. What you are asking is for two different things.
First, you want to authenticate with -- what to OS/400 is -- a "foreign"
authentication mechanism. Second, based on the ID in this other
authentication mechanism you want to choose the appropriate "local" user
profile to run under.
As long as you control the interfaces (cleint and server) that are doing
the authentication, then you can make this work. You have to change the
client side that actually prompts the user for authentication (e.g. the FTP
client, or the Telnet Client) and provide an exit point for the server side
that verifies the authetication mechanism provided by the client. This is
exactly what we did to enable SSO with Windows Domain sign-on to many of
the OS owned interfaces.
To get the second part, you would include in your exit point program a call
to EIM to map from the ID provided by the user to an ID you wanted that
user to use for that specific application. I won't go into all of the
possible ways you could configure the info in EIM to do what you want,
suffice it to say that you could make it do what you have stated below.
The reality of the situation is that you probably don't own the client-side
code for at least some of the interfaces you would want to enable to use a
different authentication mechanism. Also, there is no approach that will
work today for changing the behavior of a green screen sign-on from a dumb
terminal.
Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx
jared
<jhunter@xxxxxxxx
.edu> To
Sent by: Midrange Systems Technical
midrange-l-bounce Discussion
s@xxxxxxxxxxxx <midrange-l@xxxxxxxxxxxx>
cc
08/05/2004 02:24 Subject
PM Re: Replacing the AS400 signon
manager?
Please respond to
Midrange Systems
Technical
Discussion
> Others have responded more clearly than me.
>
> What "very strong authentication" may mean can differ from one to
> another. For example, how would one stop and prompt for a retinal scan
> during the middle of a ftp session, versus during the middle of a 5250
> signon?
That's actually a lot closer to what I'm asking. How can I start an
out-of-band authentication protocol with the client host (based on retinal
scans, or cryptographic certificates, or midi keyboards, whatever) and use
the result of that conversation to either allow or disallow signon?
And maybe I want to let the connection proceed, but under a different user
profile...is that possible?
-Jared
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
