Planning an Enterprise Identity Mapping domain controller

 

As you gather information to define your Enterprise Identity Mapping (EIM) domain, determine which directory server product will act as the EIM domain controller.

EIM requires that the domain controller be hosted by a directory server that supports Lightweight Directory Access Protocol (LDAP) Version 3. Additionally, the directory server product must be able to accept the LDAP schema and other considerations for EIM and understand certain attributes and object classes.

If your enterprise possesses more than one directory server that can host an EIM domain controller, you should also consider whether to use secondary replicated domain controllers. For example, if you expect to have a large number of EIM mapping lookup operations occurring, replicas can improve the performance of the lookup operations.

Also, you should consider whether to make your domain controller local or remote in relationship to the system you expect to be running the largest number of mapping lookup operations. By having the domain controller be local to the high-volume system, you may improve the performance of the lookup operations for the local system. Use the planning work sheets to record these planning decisions, as well as those you make about your domain and other directory information.

After you determine which directory server in your enterprise will host your EIM domain controller, make some decisions about domain controller access.

 

Plan domain controller access

You need to plan how you and EIM-enable applications and operating systems will access the directory server that hosts the EIM domain controller. To access an EIM domain :

  1. Be able to bind to the EIM domain controller

  2. Make sure that the bind subject is a member of an EIM access control group, or is the LDAP administrator. Refer to Manage EIM access control for more information.

 

Select type of EIM binding

EIM APIs support several different mechanisms for establishing a connection, also known as binding, with the EIM domain controller. Each type of binding mechanism provides a different level of authentication and encryption for the connection. The possible choices are:

The choice of a bind mechanism is based on the level of security required by the EIM-enabled application and the authentication mechanisms supported by the LDAP server that hosts the EIM domain.

Also, you might have to perform additional configuration tasks for the LDAP server to enable the authentication mechanism that you choose to use. Check the documentation for the LDAP server that hosts your domain controller to determine what other configuration tasks you may need to perform.

 

Example planning work sheet: domain controller information

After making your decisions about your EIM domain controller, use the planning worksheets to record the EIM domain controller information that your EIM-enabled operating systems and applications need. The information that you gather as part of this process can be used by the LDAP administrator to define the bind identity of the application or operating system to the LDAP directory server that hosts the EIM domain controller.

The following sample portion of the planning work sheets shows the type of information that gather. It also includes sample values that you could use when you configure the EIM domain controller.

Table 1. Domain and domain controller information for EIM planning worksheet
Information needed to configure EIM domain and domain controller Example answers
A meaningful name for the domain. This could be the name of a company, a department, or an application that uses the domain. MyDomain
Optional: If configuring an EIM domain in an already existing LDAP directory, specify a parent distinguished name for the domain. This is the distinguished name that represents the entry immediately above your domain name entry in the directory information tree hierarchy, for example, o=ibm,c=us. o=ibm,c=us
Resulting fully qualified EIM domain distinguished name. This is the fully defined name of the EIM domain that describes the directory location for EIM domain data. The fully qualified domain distinguished name consists of, at a minimum, the DN for the domain (ibm-eimDomainName=), plus the domain name that you specified. If you choose to specify a parent DN for the domain, then the fully qualified domain DN consists of the relative domain DN (ibm-eimDomainName=), the domain name (MyDomain), and the parent DN (o=ibm,c=us).

Either of these, depending on whether you choose a parent DN:

  • ibm-eimDomainName=MyDomain

  • ibm-eimDomainName=MyDomain,o=ibm,c=us
Connection address for the domain controller. This consists of the type of connection (basic ldap or secure ldap, for example, ldap:// or ldaps://) plus the following information: ldap://

  • Optional: The host name or IP address

  • Optional: The port number

  • some.ldap.host

  • 389
Resulting complete connection address for the domain controller. ldap://some.ldap.host:389
Bind mechanism required by applications or systems. Choices include:

  • Simple bind

  • CRAM MD5

  • Server authentication

  • Client authentication

  • Kerberos
Kerberos

If your EIM configuration and administration team consists of multiple team members, you will need to determine the bind identity and mechanism that each team member should use for accessing the EIM domain based on their role. Also, determine the bind identity and mechanism for EIM application end users. You may find the following work sheet helpful as an example for gathering this information.

Table 2. Example bind identities planning work sheet
EIM authority or role Bind identity Bind mechanism Reason needed
EIM administrator eimadmin@krbrealm1.com kerberos configure and manage EIM
LDAP administrator cn=administrator simple bind configure EIM domain controller
EIM registry X administrator cn=admin2 CRAM MD5 manage specific registry definition
EIM mapping lookup cn=MyApp,c=US simple bind perform application mapping lookup operations

After you have gathered the information that you need for configuring your domain controller, you can develop an identity mapping plan.

 

Parent topic:

Planning Enterprise Identity Mapping for eServer