Charles is spot on - multiple users on a single desktop - each Windows user is mapped to one user profile - if you don't force logging out of Windows somehow, then it's the same as someone just leaving their Windows box running unlocked with a 5250 session open - security breakdown - using SSO can't solve this human engineering issue.

A similar issue is, if a person needs to be an admin sometimes and a regular user otherwise - those would need multiple Windows logins - each mapped to a different user profile - in the simplest scenario. There are some additional EIM config things that might help here - haven't studied that far yet.

I suppose, theoretically, that you COULD map many-one or one-many or many-many in EIM - again, I've not tried much of that. I know that in our app I could handle multiple mappings to our app users, maybe displaying the choices. But this still depends on a single Windows domain user having been authenticated, not several.

The KISS principle applies strongly here.


On 4/3/2012 7:57 AM, Charles Wilt wrote:
You need to be clear about what you want to know about...

In a SSO w/EIM environment, the participating user profiles on the i
are configured with PASSWORD(*NONE)

So QPWDLVL doesn't really matter.

As far as multiple users using a 5250 session from a single
desktop...not going to work...
You'd either need to leave those users out of SSO or force them to
sign out of Windows and back in under the next user's AD credentials.

If you simply want to replicate passwords, that's not SSO nor EIM.


On Tue, Apr 3, 2012 at 8:22 AM, Jack Kingsley <iseriesflorida@xxxxxxxxx> wrote:
Can anyone elaborate on how they might have moved forward with such a
project, also, how did you handle the AD side of things with those
credentials and then having them match on the "I" side of things. Were you
forced to change your QPWDLVL at all, was/is there a way around only 10
characters for the as400 profile, was this an issue. How were you able to
get around multiple users using a computer for 5250 access once the AD
credentials were verified granting access to the desktop.
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list