Identity mapping

Identity mapping provides a method for the local NFS server and client to translate foreign users and groups to local users and groups.

IBM i uses Enterprise Identity Mapping (EIM) technology, which is based on LDAP, to perform its identity mapping. All NFS identity mapping data is stored on an LDAP server.

For simple environments where all clients and servers exist in a single NFS domain namespace that matches the DNS suffix configured for the machine under CFGTCP option 12, EIM configuration is not necessary. In that case, IBM i uses local name resolution to convert string representations of users and groups to native user identifiers.

For environments where the client and server do not participate in the same NFS domain namespace or where Kerberos 5 is used, the EIM service must be configured.

If the IBM i machine is not currently part of an EIM domain, either the system must be joined to an existing EIM domain or a new domain must be created. See Configuring Enterprise Identity Mapping.

Once the initial EIM configuration is complete or if the IBM i machine is already part of an EIM domain, it is necessary to add the correct NFS registries to the domain.

For NFSv4 on IBM i, user name mappings must be located in registries with the 'NFS_' prefix. For example, when searching for a user mapping for the 'rochester.ibm.com' namespace, IBM i expects the registry name to be 'NFS_rochester.ibm.com'.

Group name mappings must be located in registries with the 'NFSGR_' prefix. For example, when searching for a group mapping for the 'rochester.ibm.com' namespace, IBM i expects the registry name to be 'NFSGR_rochester.ibm.com'.

See Managing Enterprise Identity Mapping registry definitions for information about how to add the appropriate registries to the EIM domain.
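An added example (not IBM code): a small audit that takes NFSv4 identity strings, assumed to be in `name@domain` form, and lists the 'NFS_' and 'NFSGR_' registries the EIM domain must contain, flagging any that are missing. The function names, the sample identities and the exact-match domain comparison are assumptions of this example.

```python
# Added example: constructed data, not IBM-supplied code.
USER_PREFIX = "NFS_"     # user-mapping registries, per the page
GROUP_PREFIX = "NFSGR_"  # group-mapping registries, per the page


def split_identity(identity):
    """Split 'name@domain'; return (name, domain) or None if malformed."""
    name, sep, domain = identity.rpartition("@")
    if not sep or not name or not domain:
        return None
    return name, domain


def audit_registries(local_domain, users, groups, existing, kerberos=False):
    """Report which EIM registries the observed identities call for.

    Assumption: names in the local NFS domain resolve locally and need no
    registry; domains are compared exactly as written (no case folding).
    """
    required, malformed = set(), []
    for prefix, identities in ((USER_PREFIX, users), (GROUP_PREFIX, groups)):
        for identity in identities:
            parsed = split_identity(identity)
            if parsed is None:
                malformed.append(identity)
            elif parsed[1] != local_domain:
                required.add(prefix + parsed[1])
    return {
        "eim_required": kerberos or bool(required),
        "required": sorted(required),
        "missing": sorted(required - set(existing)),
        "malformed": malformed,
    }


# Constructed sample input.
SAMPLE_USERS = ["alice@rochester.ibm.com", "bob@austin.example.com", "nodomain"]
SAMPLE_GROUPS = ["staff@austin.example.com", "ops@lab.example.net"]
SAMPLE_EXISTING = ["NFS_austin.example.com"]

if __name__ == "__main__":
    report = audit_registries("rochester.ibm.com", SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_EXISTING)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Identities reported as malformed carry no domain to look up and are worth reviewing separately.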

After the configuration step is complete, the EIM administrator can populate the LDAP server with NFS identity mapping data. See Managing Enterprise Identity Mapping identifiers for information about how to work with EIM identifiers.

After IBM i has been configured to use the mapping data in EIM, the NFS registry daemon (QNFSRGYD) needs to be restarted. The NFS registry daemon checks for the availability of an EIM server upon startup, and if one is found, mapping functions use EIM.