That's good to know Vern!

Does EIM also work with OpenID that companies such as Google use?

http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html




-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Vern Hamberg
Sent: Sunday, February 26, 2012 1:18 PM
To: Midrange Systems Technical Discussion
Subject: Re: Software for signons on iSeries and network

EIM is absolutely no extra cost - it has been a part of the OS since V5R2. It uses the LDAP server (IBM Directory) on the iSeries/i. Kerberos support has been around since V4-something or other.

This is a fantastic solution for single-sign-on - there is no need for synchronizing passwords, because they are never passed around the enterprise. Authentication is completely kerberos-based - Windows Authentication in a Windows domain IS Kerberos. And things like 5250 and Apache and network file shares and ODBC, even jt400 - can recognize that Kerberos was used. Then authorization only is based on profiles. Very cool!!

EIM is fairly easy to set up. It's essentially a lookup table - it maps, e.g., Windows users to iSeries user profile names. No passwords are stored.

The Kerberos support can be tricky - there be minefields out there. But I know of a company around here, where their network guy (not an i-er) got it all working.

Frank - if you want, I'm happy to discuss it with you - I've been working intimately with this stuff for the last several months. Call me at 888.rjs.soft - toll-free - ask for Vern. I won't try to sell you anything, I promise!!

Vern

On 2/26/2012 12:54 PM, Shannon ODonnell wrote:
What's the price-range on iSeries to achieve EIM?

A recurring problem we have all seen with solutions like this is that they are priced so high their use becomes prohibitive.



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DrFranken
Sent: Sunday, February 26, 2012 12:44 PM
To: Midrange Systems Technical Discussion
Subject: Re: Software for signons on iSeries and network

You need single sign-on along with Enterprise Identity Mapping. This capability eliminates IBM i passwords completely (except for admins).
The very short course is that IBM i and your active directory are connected allowing the kerberose ticket present in your Windows session to be passed through IBM i to active directory for validation. The UserID sent back to IBM i from active directory is then correlated with that in EIM and that is the user ID used on IBM i. Thus you do not need the same userID on Windows and IBM i, you have no password on i at all, and as a result changing your windows password doesn't have any affect whatever on your IBM i signon because that's the only password you have.

- Larry "DrFranken" Bolhuis

On 2/26/2012 1:36 PM, fbocch2595@xxxxxxx wrote:
Hi Folks, we’re looking for software that will authenticate iSeries signons against our active directory, and keep them in sync with a users network password. In other words allowing automatic signon via the network password, AND keep them in sync. The net outcome would be so that when a user changes their network password it would also change their 400 password.

Your thoughts on this?


Thanks, Frank

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.