Both of the options in the previous post will work.
   Boring explanation best read by only those who need to know or are
   stubbornly curious....
   To create an EIM domain on a system, you have to use the LDAP admin userID
   and password or use a profile with qsecofr like privileges.  You do not
   need to use the Admin ID and password to JOIN an existing EIM domain. But
   the wizard only has two options: 1) Create AND join a new domain; or  2)
   Join an existing domain.
   When you run the EIM wizard and choose to create and join a new EIM domain
   on a system that has never been configured to host an EIM domain before,
   you get asked for credentials twice. The first time is because the wizard
   needs to make changes to the LDAP server on the system you are configuring
   before it can create the new domain. These credentials are used by the wizard
   itself to do wizard stuff.  The second time you are asked for credentials
   is because the wizard, in addition to creating an EIM domain, also
   configures the system to JOIN the new domain.  Joining an EIM domain means
   that a system is configured to use that domain whenever it needs to do
   identity mapping. In order to use an EIM domain, the system needs to
   authenticate to the EIM domain (in reality you are authenticating to the
   LDAP server). These credentials are not used by the wizard -- they are
   stored in the system's EIM configuration.  These credentials do not have
   to -- in fact, really shouldn't -- be the LDAP admin credentials.  They
   can be any of a couple of different types of credentials you want,
   including a regular old LDAP userID (which you have to create), or i5/OS
   user profile credentials, or Kerberos credentials (e.g. Windows domain
   userIDs and passwords). If you use credentials other than the LDAP admin
   or QSECOFR user profile (which you also should not use), then you
   have to use the access control menu option to grant the userID you
   choose at least "Identity Lookup Operations" privilege. You could also
   give it privilege to the EIM registry definition that represents the
   system being configured, or even EIM admin.  These privileges allow these
   credentials to only muck with the EIM tree in the LDAP server. 
   Why not use the LDAP admin credentials?  Primarily because it violates the
   security principle of least privilege (i.e. use least amount of authority
   that is sufficient to perform the required operation).
 Patrick Botz
 Vice President, Security Consulting
 Group8 Security, Inc
 Business   : 1-775-852-8887
 Home/Office: 1-507-285-9048
 Mobile     : 1-507-250-5644
 
http://www.group8security.com
 mailto:Pat.Botz@xxxxxxxxxxxxxxxxxx
   ALopez@xxxxxxxxxx wrote:
 I actually had to go into TCPIP servers into the Directory Server
 option properties and from there I could change the password
    
 I thought you wanted to blow the original configuration away and start
 from scratch.  If you use the wizard you should be able to change the
 administrator password, and even if you can't, you can change the user
 type to [iSeries] User Profile and password.  You can then just run the
 wizard as QSECOFR......
  