Hi Darryl
As to SSO - I had a hard time getting the drift at first. So did the IBM
vendor support guys. It seems we'd hit page 2 of the Redbook and find
something I was supposed to just know. Then page 2 of the next book,
and, voila, the same thing. With their help I eventually wrote SSO
support into a product at my previous job.
Now they have put together an SSO 101 article - it's at
http://www.ibm.com/developerworks/ibmi/library/i-sso/
You probably know - SSO is actually Kerberos. No one can use the word
"Kerberos" in their SSO implementation, due to restrictions from MIT. IBM
& others call it Network Authentication Service, Windows uses Kerberos
as its default authentication mechanism - and AD is the trusted 3rd party.
There is a wizard in Navigator that can create a Windows BAT file with
commands to set you up in the Active Directory server - you'll need to
get the cooperation of the Windows networking folks, of course.
You mention Windows AD terminology - there is also Kerberos terminology
itself - the main one I needed to understand was "principal" - mainly,
that is a user - it can be a Windows principal, which means a Windows
user. It can be an IBM i principal, which is a user profile.
The IBM docs talk about EIM - that is the IBM i function that maps a
principal (user) in one system or app to a principal (user) in another.
In particular, this lets you have different user names in the 2 systems.
EIM uses LDAP (IBM Directory Services on i) to hold the mapping of
principals.
I think it's worth trying the stuff in that article. I know of places
that have done it all themselves. IBM Lab Services has tools to simplify
the process of mapping EIM, which can be really tedious in Navigator.
Another resource is Pat Botz, formerly Lead Security Architect at IBM.
http://www.botzandassociates.com/ - he has a webinar on SSO in a day on
his site at
http://www.botzandassociates.com/download/sso-in-a-day
There's a great article - dialogue about Kerberos from MIT - at
http://web.mit.edu/kerberos/dialogue.html - pretty fun!
Feel free to contact me off-list, I might be able to help a little.
HTH
Vern
On 2/23/2015 7:32 PM, Darryl Freinkel wrote:
I have had this problem and the solution was simple.
We kept the ibm_i password in the basic 10 character format.
After experiencing issues similar to these, I contacted IBM and the rule they gave me was the password when entered must be single case. It can be either all upper case or all lower case. Since implementing this rule, our problems went away.
Another solution is to implement single signon (SSO). I have not been able to implement SSO. The IBM documents make it difficult for non-Windows engineers to map IBM terminology with Windows AD terminology.
Darryl Freinkel
Sent from my iPad
On Feb 23, 2015, at 3:58 PM, rob@xxxxxxxxx wrote:
Mixed case passwords are a pain and have to be implemented carefully.
I'll trust the other repliers have put the correct links.
Comes up on this list a lot.
Other than the mixed case issue all passwords are kept in sync between IBM
i and Windows using Tivoli Identity Manager.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com