|TechTip: Enterprise Identity Mapping: A Hidden Jewel|
|Security - IBM i (OS/400, i5/OS)|
|Written by Steve Pitcher|
|Friday, 06 April 2012 00:00|
In an age of many disparate systems, managing authority can be a pain in the neck. IBM’s Enterprise Identity Mapping on IBM i can help you work the kinks out.
Much has been written about Enterprise Identity Mapping (EIM) since it was released about 10 years ago. EIM allows you to simplify management of multiple user registries, facilitates single sign-on, and actually allows you to eliminate the need for passwords on your IBM i servers. And it’s free!
Sadly, I don’t hear about many people who are actually using it. Perhaps because it works so well and it’s relatively simple to configure that you don’t hear or read much about it.
Let’s have a quick look at how to set this up.
For the sake of an example, here’s a scenario that may be quite common. First, let’s assume you have 500 users who all log into an Active Directory domain with computers running Windows. Next, we also assume these 500 users sign into your IBM i on Power Systems via IBM i Access for Windows 5250 sessions.
It’s very likely that you have users with accounts in Active Directory who are not named the same as their accounts in IBM i. Users lock themselves out of IBM I, and you waste time trying to figure out what account they have in IBM i in order to unlock it.
Perhaps you have users with a forced password reset every 60 days in Windows and every 30 days in IBM i—another waste of time, this time on the user’s end. Wouldn’t it make more sense to have one password for users to remember?
Those 500 users can turn into literally thousands of account/password combinations, clumsy synchronization setups, and overall account management hell for both administrators and users.
EIM makes things simple.
Here’s how you set it up:
With this setup, when a user (John Smith, for instance) logs into Windows using user id jsmith, he will authenticate to IBM i via a Kerberos ticket. EIM does the magic behind the scenes to process an IBM i login request to John Smith’s IBM i account called johns. This is a very simplistic explanation of how it works, so if you want further details and some background information, please have a look at the IBM i 7.1 Information Center.
John Smith now doesn’t have to remember two sets of passwords. He has one set of credentials that takes him multiple places. If he changes his password in Windows, then he doesn’t have to change it anywhere else. Your help desk will drastically reduce “forgotten password” calls. Now, jump up on your desk and give your office a loud Charlie Sheen–inspired “WINNING!”
The most difficult part of implementing EIM is the initial mapping setup. You’ll need to create a few spreadsheets and spend some time to ensure you don’t miss anyone. It may take a little time to understand which users will be mapped to which accounts, but once it’s done and the mappings are set, you don’t have to worry about that account again unless a user is added to a new target registry. If that’s the case, then you just add the mapping. This is truly a “set it and forget it” feature!
Also, please remember to begin backing up this data. EIM data is stored in QUSRDIRDB, QUSRDIRCL, and the Integrated File System (IFS) directory /QIBM/UserData/OS400/DirSrv. As well, back up QUSRSYS/QGLDCFG (a *USRSPC object) and QUSRSYS/QGLDVLDL (a *VLDL object). In case you ever need to restore something, it’s best to include those files/directories in the nightly backup job.
Imagine the power of EIM if you have five or ten registries. Simplify your environment and make your users happy by enabling this awesome feature.
|Last Updated on Friday, 06 April 2012 00:00|