Setting up the EIM domain controller
After you set up the LDAP server and RACF®, you need to use the RACF eimadmin utility to create and configure an EIM domain controller.
Procedure
To create an EIM domain controller in this situation:
- Create an EIM domain by issuing the following command:
eimadmin -aD -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b "cn=LDAP Administrator" -w secret
The example shows that the new domain name is "My Domain." It also shows that the TDBM_SUFFIX statement in the ldap.profile file is defined as o=IBM,c=US.
- Grant the EIM user access to the EIM domain for performing lookup services by issuing the following command:
eimadmin -aC -c MAPPING -q "cn=eim user, o=IBM, c=US" -f DN -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b 'cn=LDAP Administrator' -w secret
- Create the source registry in the EIM domain by issuing the following command:
eimadmin -aR -r "My Source Registry" -y KERBEROS -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b 'cn=LDAP Administrator' -w secret
- Create the target registry in the EIM domain by issuing the following command:
eimadmin -aR -r "My Target Registry" -y RACF -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b 'cn=LDAP Administrator' -w secret
- Add the enterprise identifier "Cat" to the EIM domain by issuing the following command:
eimadmin -aI -i "Cat" -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b 'cn=LDAP Administrator' -w secret
You can add multiple enterprise identifiers to the same EIM domain at any time.
- Associate registry user IDs with the identifiers in the EIM domain by issuing the following commands:
eimadmin -aA -u "Kitty" -r "My Source Registry" -t SOURCE -i "Cat" -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b 'cn=LDAP Administrator' -w secret
eimadmin -aA -u "Buffy" -r "My Target Registry" -t TARGET -o "db2/stlec1/va1adist" -i "Cat" -d 'ibm-eimDomainName=My Domain,o=IBM,c=US' -h ldap://v25ec099.svl.ibm.com:3389 -b 'cn=LDAP Administrator' -w secret
Specify the -o flag with the value db2/location-name/subsystem-name followed by dist (as in "db2/stlec1/va1adist" above) when you define a user ID for Db2 to use as the primary authorization ID in your target registry. As the examples show, when Db2 calls the SAF user mapping plug-in service to retrieve the primary authorization ID, Db2 passes this db2/location-name/subsystem-name plus dist information for the plug-in service to look up.
If a target identity is found with the same information, the target identity "Buffy" is returned. If the target identity does not contain any additional information, user ID "Buffy" is also returned to Db2. However, if the target registry contains multiple user identities and if none of them contains the recommended additional information, no user identity is returned to Db2.
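The resolution rule described in the last two paragraphs, modelled in Python as an added illustration (this is not IBM code and not the SAF user mapping plug-in's implementation). The data is constructed to mirror the eimadmin -aA commands above; how a lone target identity that carries different additional information is treated is not stated on this page and is an assumption here (treated as no match).

```python
"""Model of the EIM target-identity lookup described above (added illustration).

The constructed data mirrors the eimadmin -aA commands in the procedure; the
rules follow the text: exact match on the -o information wins, a lone target
identity with no -o information is returned too, and nothing is returned when
several identities exist and none carries the requested information.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TargetAssociation:
    user: str                  # RACF user ID in the target registry, e.g. "Buffy"
    registry: str              # target registry name
    identifier: str            # enterprise identifier, e.g. "Cat"
    additional_info: Optional[str] = None  # the -o value, e.g. "db2/stlec1/va1adist"


# Constructed domain state: Kitty (source) and Buffy (target) both map to "Cat".
SOURCE_ASSOCIATIONS = {("My Source Registry", "Kitty"): "Cat"}
TARGET_ASSOCIATIONS = [
    TargetAssociation("Buffy", "My Target Registry", "Cat", "db2/stlec1/va1adist"),
]


def lookup_target(source_registry, source_user, target_registry, additional_info,
                  source_assocs=SOURCE_ASSOCIATIONS, target_assocs=TARGET_ASSOCIATIONS):
    """Return the target user ID for a source user, or None if none can be resolved."""
    identifier = source_assocs.get((source_registry, source_user))
    if identifier is None:
        return None  # source user is not associated with any enterprise identifier
    candidates = [t for t in target_assocs
                  if t.registry == target_registry and t.identifier == identifier]
    # Rule 1: a target identity defined with the same additional information wins.
    for t in candidates:
        if t.additional_info == additional_info:
            return t.user
    # Rule 2: a single target identity with no additional information is returned too.
    if len(candidates) == 1 and candidates[0].additional_info is None:
        return candidates[0].user
    # Rule 3: several identities and none carries the requested information (and,
    # by assumption, one identity carrying different information): nothing is returned.
    return None


if __name__ == "__main__":
    print(lookup_target("My Source Registry", "Kitty", "My Target Registry",
                        "db2/stlec1/va1adist"))  # Buffy
```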