× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



EIM can certainly be used for things other than SSO. EIM is designed to
allow you to keep track of ALL of a person's userIDs regardless of where
they are stored.

Further, Kerberos is NOT required to use EIM nor is it required for SSO.
We have enabled many different scenarios that don't use Kerberos, but use
EIM. If an application knows how to generate a Kerberos ticket, there is
no extra effort required.

If an application does not accept Kerberos there are often ways to allow
the user to continue to access i5/OS without supplying their i5/OS user
profile and password. For example, we have built plug-ins for HATS that
bypass the sign-on but doesn't use Kerberos. It does continue to use EIM,
but we use Identity Tokens generated in the plug-in and passed indirectly.
This is combined with a Telnet exit point that verifies the Identity
Token and maps from the WAS userID to the i5/OS userID.

If the application is using something other than Telnet, we often use an
exit point program for the specific interface they are using. We teach the
users to always enter their windows ID/pwd. The exit point uses LDAP bind
to remotely verify the userID and password, and again, we use EIM to map
to the i5/OS user profile.

We have also built a number of DSAPI plug-ins for Notes iAccess for Web.
Depending on what a customer is already using in their environment, we
have plug-ins that use LTPA tokens, ID Tokens, Kerberos tickets, and also
the windows userID/pwd approach described in the paragraph above.





Patrick Botz


Security Architecture Consulting & Implementation

IBM Systems and Technology Group Lab Services

mail: botz@xxxxxxxxxx

phone: 507.253.0917 / mobile: 507.250.5644



ibm.com/servers/eserver/services



midrange-l-bounces@xxxxxxxxxxxx wrote on 04/18/2007 12:43:14 PM:

The TPAs (third party applications) would have to be EIM enabled. Does
Kronos accept a Kerberos ticket to sign on? Probably not. We have
Kronos
here but I never touch the stuff. Without the ability to accept a
Kerberos ticket it isn't going to happen. Well, you can do anything
given
enough time, money and desire. I suppose you could front end the Kronos

to accept a Kerberos ticket yourself. Or, some initial program that
takes
your 5250 id and uses 5250 api's to "pretype" in the next screen.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





<lgoodbar@xxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
04/18/2007 11:44 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
<midrange-l@xxxxxxxxxxxx>
cc

Fax to

Subject
RE: EIM without SSO






This is good stuff to know.

Am I correct in understanding that EIM maps Windows/AD IDs to an iSeries
profile? Does EIM work with third-party systems such as Kronos, etc.?

We are less interested in SSO, though I can see where the benefit. EIM
would help us map user IDs to our various systems, but TIM looks like it
offers workflow and additional management capabilities we're seeking.

--Loyd

Loyd Goodbar
Senior programmer/analyst
BorgWarner
TS Water Valley
662-473-5713
-----Original Message-----
From: midrange-l-bounces+lgoodbar=borgwarner.com@xxxxxxxxxxxx
[mailto:midrange-l-bounces+lgoodbar=borgwarner.com@xxxxxxxxxxxx] On
Behalf Of rob@xxxxxxxxx
Sent: Wednesday, April 18, 2007 08:55
To: Midrange Systems Technical Discussion
Subject: RE: EIM without SSO

There's a difference between "eliminating the need" and "forbidding".
"Eliminating the need" is simply telling the 5250 configuration to
bypass
the signon screen, and, using EIM and SSO to map their AD signon to an
i5
profile.
"Forbidding" is setting their password to a random string (or even
*NONE),
changing LCLPWDMGT to *NO, and using EIM and SSO to map their AD signon
to
an i5 profile and then telling the 5250 configuration to bypass the
signon
screen.

Rob Berendt

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.