Hi all,
I'll take advantage of Erik's post to spell out the possible configurations when you want to use several targets (IBM i partitions).
To enable SSO on additional partitions, you need to do it in two steps, as with any EIM-based SSO:
1. Configure Kerberos for each partition, i.e. use the Navigator for i wizard and create the corresponding service accounts in the AD.
2. Then configure EIM. Here you have two possibilities: either centralize the configuration on one partition (a global EIM domain), or have an independent EIM domain for each partition. I recommend the second solution, even if it is a little heavier to manage, because otherwise stopping the partition that hosts the EIM domain blocks SSO on all partitions, which can be dramatic. You make this choice on the first screen of the EIM wizard: either "Join an existing domain" or "Create and join a new domain". So I recommend the latter, and on the next window you specify that you want the EIM controller (in the IBM i LDAP directory) on the partition itself ("On the local directory server").
If you want to have only one EIM domain, once the installation is complete, you can, for a single source (the AD account), have targets on each of the configured partitions.
I hope I have been clear.
------------------------------------------------------------
Dominique GAYTE
IBM Champion 2023
IMI Security Expert
------------------------------------------------------------
------------------------------
Dominique Gayte
------------------------------
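As an added example (it is not part of Dominique's post, nor IBM's own tooling, which generates an equivalent batch file from the Navigator wizard), here is the AD side of step 1 for several partitions, as a PowerShell script run on a domain controller with the ActiveDirectory module. The realm, domain, OU, host names and account naming pattern are assumptions; the krbsvr400 service principal name and the IBM i keytab path are the ones the Network Authentication Service wizard uses. Each partition gets its own AD account because a service principal name must be unique in the forest, which is why the settings differ only by host name, as Erik expects.

```powershell
# Added example: one AD service account and one keytab per IBM i partition.
# All names below (realm, domain, OU, hosts, accounts, output folder) are assumed placeholders.
Import-Module ActiveDirectory

$Realm  = 'EXAMPLE.COM'                          # Kerberos realm = AD domain name in upper case
$Domain = 'example.com'
$OU     = 'OU=IBMi-Services,DC=example,DC=com'   # assumed container for the service accounts
$Out    = 'C:\keytabs'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# One account per LPAR: the SPN krbsvr400/<host> can only be mapped to a single account,
# so a shared account cannot serve Test, Production and HA at the same time.
$Partitions = @(
    @{ Host = 'ibmitest.example.com'; Account = 'krb-ibmitest' },
    @{ Host = 'ibmiprod.example.com'; Account = 'krb-ibmiprod' },
    @{ Host = 'ibmiha.example.com';   Account = 'krb-ibmiha'   }
)

foreach ($p in $Partitions) {
    $spn = "krbsvr400/$($p.Host)@$Realm"

    # Random password: ktpass sets it on the account and writes the derived AES key into the keytab,
    # so nobody ever needs to know or type it.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = [Convert]::ToBase64String($bytes)

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($p.Account)'")) {
        New-ADUser -Name $p.Account -SamAccountName $p.Account `
            -UserPrincipalName "$($p.Account)@$Domain" -Path $OU `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -Enabled $true -PasswordNeverExpires $true `
            -KerberosEncryptionType AES256
    }

    # ktpass maps the SPN to the account, sets the password and writes the keytab.
    $keytab = Join-Path $Out "$($p.Account).keytab"
    & ktpass /princ $spn /mapuser "$($p.Account)@$Domain" /pass $pw `
        /mapop set /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $keytab
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $spn" }

    # Check: the SPN must now be listed on this account and no other.
    & setspn -L $p.Account
}
```

Each keytab is a credential equivalent to the service account's password: copy it over an authenticated channel (SFTP, not plain FTP) to its own partition, into the file the wizard expects (by default /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab, or merged with the Qshell `keytab add` command), and restrict the file's authority to the profiles that need it. From Qshell on the partition, `keytab list` should show the krbsvr400 principal, and `kinit -k krbsvr400/ibmitest.example.com@EXAMPLE.COM` followed by `klist` confirms that the key in the keytab matches what AD holds; an "integrity check" or "pre-authentication" failure at this point usually means the password was reset on the account after the keytab was generated. Step 2 (EIM) is then done per partition with the wizard as described above, and the only thing that changes between the partitions is which EIM domain they join.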
Original Message:
Sent: Fri March 17, 2023 09:20 AM
From: Erik Aasland
Subject: EIM SSO with two or more target IBMi associations
In fact I'm going to add another LPAR.
We have 3 LPARs: Test, Production and HA.
The Test LPAR is now using Kerberos.
Then the Production LPAR is next.
I'm pretty sure the settings will be the same apart from the name and IP of the LPAR.
The AD/password server is still the same.
------------------------------
Erik Aasland
IBMi administrator
Fremtind Insurance
Original Message:
Sent: Wed March 15, 2023 08:28 PM
From: Satid Singkorapoom
Subject: EIM SSO with two or more target IBMi associations
Dear Krzysztof
I cannot find a case for using a single Kerberos source for multiple IBM i user profiles WITHIN THE SAME LPAR/SYSTEM. Just like what Erik said, I find that you can do this for the same user profile in multiple IBM i LPARs/systems. When I did a Google search with "ibm i sso multiple realm", I found this information:
Scenario: Enabling single sign-on for IBM i at https://www.ibm.com/docs/en/i/7.2?topic=s-scenario-enabling-single-sign-i
Scenario: Propagating network authentication service and EIM across multiple systems at https://www.ibm.com/docs/en/i/7.2?topic=scenarios-scenario-propagating-network-authentication-service-eim-across-multiple-systems
These 2 URLs belong to the same manual. On the left panel of the web page, if you move upward, you will see a link to download the PDF file for the Single sign-on manual. Be sure to specify your IBM i release at the top of left panel.
------------------------------
Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
------------------------------
Satid S.
Original Message:
Sent: Wed March 15, 2023 09:32 AM
From: Krzysztof Jarzynski
Subject: EIM SSO with two or more target IBMi associations
We implemented EIM SSO years ago, but never found a solution for a scenario where one A.D. account (Kerberos source) has two or more IBM i target profiles. I was told through an IBM Case that this could be configured, but no further support was available through Case support.
Does anyone know something about that?
------------------------------
Krzysztof Jarzynski
------------------------------