


Rob:
Embedded replies below.

HTH,
Mark S. Waterbury

> On 8/4/2016 6:58 AM, Rob Berendt wrote:
> Unless the Windows users are using biometrics, such as a fingerprint
> reader on their laptop, won't they still log on to their PC's with their
> password so we will still have the 'lost or forgotten password' issue?

To me, it seems better to maintain all "userIDs" and "passwords" in just one place, e.g. Windows Active Directory, and that way, it is less work when a user does lose or forget their password ... just one place to "fix" it ...? ("One version of the truth.")

> I don't believe that ACS will use Windows credentials so they will still
> need to log on to 5250. No bypass signon. Therefore can't change them to
> *NONE. (What a HUGE step backward!) I wonder if someone submitted that
> as an RFE if IBM would answer that in any way other than 'get off of 5250'?

ACS fully supports Kerberos and EIM/SSO. (Perhaps it did not, initially, with early "Beta Test" versions of ACS?)

Do a "google" search for "IBM i access client solutions single sign-on" (without quotes) and look at the first PDF document (IBM manual) returned ... also look at the first few links ... such as "Test Drive SSO."

> We actually did this awhile ago. Used the fingerprint reader. Eliminated
> passwords for many users in both Windows and IBM i. We thought that was a
> requirement for some medical devices we were making. Had it all rolled
> out and working. When the medical issue was resolved it was all
> abandoned. This was prior to ACS.

I understand the use of "biometric" devices and think they are a "good idea." But, you are not _required_ to use any of them, to gain most of the benefits of EIM/SSO. Think of them as an "enhancement" and "nice to have." I was trying to say that, by using EIM/SSO, your users only need to type in their password once a day, (in Windows), and then, all the other applications, including ACS, just use Kerberos (SSO). (Gradually, some of the users could even transition to using some "biometric" devices, like a fingerprint reader, if their laptop is so equipped.)

> Looked at some software to help manage Kerberos but at $15/user we figured
> we could get some monkey to key the updates for cheaper than that. "Oh
> but we have all these cool reports!" "Nice, but I am looking for a
> product to do ..."

You only need to make the association between an IBM i user profile and EIM/SSO, mapping the user profile to the corresponding Windows credentials and vice versa, one time -- "set it and forget it." From then on, you just maintain the Windows userIDs and passwords the same way you do that now, on the Windows Active Directory ... I am not sure why you would need to buy any additional software to do this? Prompt CHGUSRPRF, press F10 and page down to the last screen to see where you can specify the "EIM association" for a given IBM i user profile.

I also saw your other post where you mentioned "Domino" -- Domino also supports Kerberos and SSO ...

> Rob Berendt




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
