Chapter 21. Managing User Enrollment

Enhanced Integration for NetWare includes support that allows AS/400 group and user profiles to be enrolled on one or more NDS trees and NetWare 3.12 servers. By enrolling AS/400 users and groups from AS/400, you can easily control their management from a centralized location by specifying where these user and group profiles are to be propagated to NetWare. 

The advantages of this support include: 

  • Central user ID administration 

    You can manage enrollment of AS/400 and PC users on NetWare from a single AS/400. You can add, remove, or change users or groups on selected NDS trees or NetWare 3.12 servers by making changes from AS/400. You can also display information on AS/400 that shows which users are enrolled and on which NDS trees and NetWare 3.12 servers. 

  • Automatic propagation of AS/400 user profile attributes 

    If a password for an AS/400 user profile changes, that change automatically propagates to the corresponding user object on all of the NDS trees or NetWare 3.12 servers that you specify. This function is especially helpful when managing users who are defined on several NetWare servers. 

    Other user profile attributes propagated to NetWare include the text field, profile login script, password expiration interval and expiration date, and login expiration date. 

  • Automatic creation of NetWare group and user objects 

    You can automatically create NetWare objects by enrolling AS/400 users and groups on NetWare. When you enroll a group, you can also enroll all of its members. The new NetWare group and user objects are created with the same name as their AS/400 profiles. 

  • Automatic creation of NetWare authentication entries 

    When you enroll users on NetWare, AS/400 automatically creates an authentication entry associated with the user's AS/400 profile to allow easy access to NetWare services. AS/400 uses the authentication entry to verify authorization to NetWare when starting a connection to a NetWare server. 

    You can also manually create authentication entries. See Chapter 16. "NetWare Authentication Entries and Connections" for more information. 


Note: Using these integration functions is not intended to completely replace the requirement to use NetWare administration tools, such as SYSCON and NetWare Administrator (NWADMIN). 

This chapter describes how you can enroll AS/400 and PC users on NetWare and centrally manage users' access to your NetWare network. 

User Enrollment Concepts

This section describes the process of user enrollment and discusses some considerations to keep in mind as you plan for user enrollment and management of NetWare users from AS/400. 

The following describes the process of enrolling AS/400 profiles on NetWare: 

  1. You enroll AS/400 group and user profiles to a NetWare tree or server by using the CHGNWSUSRA command. 
  2. When you enroll an AS/400 group or user profile, a NetWare user or group object is created on the NetWare tree or server. 
  3. Subsequent changes to the AS/400 profile are also propagated to the corresponding NetWare user object. 

Figure 21-1 shows the steps that occur when you enroll AS/400 users on NetWare: 

  (1) A connection is started to the NetWare server using the QNETWARE profile. 
  (2) Information in AS/400 user and group profiles is propagated to NetWare. 
  (3) NetWare objects with the same name as the AS/400 profile are created automatically on the specified servers in the NDS tree and in the Bindery for the NetWare 3.12 servers. 
  (4) NetWare authentication entries, corresponding to the AS/400 profiles, are created automatically if the QRETSVRSEC system value is set to 1. 

Figure 21-1. Enrolling AS/400 users on NetWare 

* figure rv3d681 not displayed.

QNETWARE User Profile

The QNETWARE user profile on AS/400 and NetWare enables AS/400 user enrollment. Therefore, a QNETWARE user object must be created in the Bindery for each NetWare 3.12 server and in each NDS tree that you want to manage from AS/400. QNETWARE must also have ADMIN authority to be able to create objects and to manage passwords in the network. Although it is not prohibited, you should not use the QNETWARE user object to log in to NetWare from a client workstation. 

The QNETWARE user profile is created automatically on AS/400 when Enhanced Integration for NetWare is installed. The QNETWARE user profile is created in the disabled state because it is not allowed to run AS/400 jobs; QNETWARE's only purpose is to enroll AS/400 users and to propagate AS/400 profile information to NetWare. 

AS/400 logs into each NetWare server using the QNETWARE user profile and communicates with the Enhanced Integration for NetWare NLM, sending the commands necessary to enroll AS/400 users and to update the group and user profile information in the network. 

Figure 21-2. AS/400 logs in to NetWare as QNETWARE to update profile information

* figure rv3d677 not displayed.

Network Server User Attributes

The AS/400 network server user attributes store network information for a group or user profile. Many of the administrative commands use some of this information, such as the default server type, default context, and default NDS tree. 

The network server user attributes also contain a list of NDS trees (and associated user information) and NetWare 3.12 servers that are used by the user enrollment support to enroll the user or group on NetWare. 


Note: You can set defaults for this same information on a system-wide basis by using the Change Network Server Attribute (CHGNWSA) command. 

You use the CHGNWSUSRA command to specify the network server user attributes and to start enrolling AS/400 users. It is with these attributes that you specify the NDS trees and NetWare 3.12 servers on which you want to enroll AS/400 users. 

Profile Characteristics

On AS/400, a user profile can be used as either a user or a group profile. That means someone can sign on to AS/400 with a group ID and do work on the system as a user. However, in NetWare, only user objects can be used to log in and run applications. Groups are separate object types that are used only to combine and then manage individual user objects as one entity. For example, you can specify file access rights on a group object basis, and the users belonging to those groups inherit those file rights. 

Advantages of Group Profiles

When you enroll AS/400 users, consider using groups rather than individual user profiles. This can greatly reduce the number of profiles you must define to be enrolled in your network. For example, if you specify that an AS/400 group profile and all its group members be enrolled to a NetWare server, any user profiles belonging to the group are automatically enrolled on NetWare. The group members do not need to be enrolled individually. 

When you use groups, you can also reduce the number of profiles that need to have their NetWare security defined. You can set rights and attributes for a group object, and the group members inherit those rights and attributes. 

You can also use groups to better manage access to your network resources. For example, if you install financial applications and data on a NetWare server, you can grant access for that server only to the FINANCE group. 

NetWare Object Rights and Attributes

If you plan to enroll AS/400 groups and all of their members, you can either: 

  • Create the group objects first on NetWare and then define their security rights. Then you can enroll AS/400 group members, and the NetWare security information is not overwritten. 
  • Have the group objects created on NetWare during user enrollment and then define their security rights. 
With either method, the users that are enrolled into these groups will belong to a NetWare group that already has its security rights set. The user objects inherit the same rights already set for the group object. 

Whether you enroll AS/400 user profiles individually or as group members, the corresponding NetWare user objects might be added to the NetWare group EVERYONE when they are created. For NetWare 3.12, user objects are always added to the EVERYONE group. For NetWare 4.1, user objects are only added to the EVERYONE group if it already exists in the same container where the user object is being created. Note that all users added to EVERYONE inherit the security rights defined for that group. 

Use of Multiple AS/400 Systems

AS/400 user enrollment from a single AS/400 works independently of any other AS/400 systems. Although you can enroll users on the same NDS tree or NetWare 3.12 server from multiple AS/400 systems, this is not recommended. 

If you want to use more than one AS/400 to enroll AS/400 users, consider having completely separate user profile sets. Otherwise, you could encounter undesirable enrollment situations. 

For example, MARLA is enrolled on NetWare SERVER1 from AS/400 A. MARLA is then enrolled on the same server from AS/400 B with a different password than the one used on AS/400 A. Now MARLA's password on AS/400 A no longer matches the password on SERVER1, and she cannot start connections to SERVER1 automatically from AS/400 A. 


Step 1--Set Up Your NetWare Servers for User Enrollment

QNETWARE 

You need to set up your NetWare servers for user enrollment by creating QNETWARE user objects on each NDS tree and NetWare 3.12 server on which you want to enroll AS/400 users. Generally, you should use the same password for QNETWARE on each server. If the password is not the same, you must create a QNETWARE authentication entry for each NetWare tree or server you are enrolling to, as described in "Step 2--Set Up AS/400 for User Enrollment". 


To set up your NetWare servers for user enrollment: 
  1. Create a QNETWARE user object on NDS trees and NetWare 3.12 servers. 

    Before you can enroll AS/400 users on NetWare, AS/400 needs to be able to log in to NetWare with a login name of QNETWARE. The QNETWARE user object must have enough authority to create, change, and delete user and group objects. This could include properly positioning QNETWARE in an NDS tree, granting it ADMIN authority, or making it security equivalent to an existing user object that has the necessary authority. 

    Tip: Use the NetWare SYSCON, NETADMIN, or NWADMIN utility to create the QNETWARE user object and to define its security. 
  2. Make sure the Enhanced Integration for NetWare NLM is installed and loaded on the NetWare servers. 
    • For NetWare 3.12, the NLM must be running on all servers on which users are to be enrolled. 
    • For NetWare 4.1, the NLM must be running on at least one server in the NDS tree on which users are to be enrolled. The best solution is to run the NLM on all, or most of, the NetWare servers in the tree. 
    Refer to "Step 3--Install the Enhanced Integration for NetWare NLM on the Servers" for installation instructions. 

Step 2--Set Up AS/400 for User Enrollment

When Enhanced Integration for NetWare is installed on AS/400, a default QNETWARE user profile is created with *NONE for a password. You need to change the QNETWARE profile so it can log in to the NDS trees or NetWare 3.12 servers on which AS/400 users are to be enrolled. 


To set up your AS/400 system for user enrollment: 
  1. Set the Retain Server Security (QRETSVRSEC) system value to 1 to indicate that security information such as passwords, which are needed to authenticate users' access to NetWare, can be retained on AS/400. 

    To change this value, enter WRKSYSVAL SYSVAL(QRETSVRSEC). When the Work with System Values display appears, use option 2 to change the system value. 
+--------------------------------------------------------------------------------+
|                              Change System Value                               |
|                                                                                |
| System value . . . . . :   QRETSVRSEC                                          |
| Description  . . . . . :   Retain server security data                         |
|                                                                                |
|                                                                                |
| Type choice, press Enter.                                                      |
|                                                                                |
|   Retain server security                                                       |
|     data . . . . . . . .   1              0=Do not retain data                 |
|                                           1=Retain data                        |
+--------------------------------------------------------------------------------+


    Note: Even if you set QRETSVRSEC to 0 and passwords cannot be stored, you can still enroll AS/400 users on NetWare. Refer to "Enrolling AS/400 Users when QRETSVRSEC=0" for more information. 
  2. Set the password for QNETWARE on AS/400. 

    If you used the same password for the QNETWARE user objects on most or all of the NetWare 3.12 servers and NDS trees, you should use the same password for QNETWARE on AS/400. 

    To set the password for the QNETWARE profile, enter: 

      CHGUSRPRF USRPRF(QNETWARE) PASSWORD(password)

    Note that you cannot enable the QNETWARE profile; AS/400 intercepts and ignores attempts to change the profile to an enabled state. If QNETWARE is enrolled on NetWare, you also cannot set the password for QNETWARE to *NONE. If you do, the QNETWARE user profile will automatically disable the QNETWARE user object on NetWare, and user enrollment will then not be able to proceed. 
  3. If you want to propagate QNETWARE profile changes, including passwords, to the NDS trees and NetWare 3.12 servers on which you will enroll AS/400 users, you must use the CHGNWSUSRA command. Use this command to specify the NDS trees and NetWare 3.12 servers to which you want profile changes propagated. 

    For example, to propagate QNETWARE profile changes to all the NDS trees and NetWare 3.12 servers defined in the network server attributes, enter: 

      CHGNWSUSRA USRPRF(QNETWARE) PRFTYPE(*USER)
      NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)

    If you do not use network server attributes, you can also use the CHGNWSUSRA command to specify the NDS context, NDS trees, and NetWare 3.12 servers on which you want the QNETWARE profile to be propagated. 
  4. If you want to enroll AS/400 users on any NDS trees or NetWare 3.12 servers to which the QNETWARE profile changes were not propagated in step 3, you must use the ADDNTWAUTE command. Use this command to create authentication entries for the QNETWARE profile on those NDS trees or NetWare 3.12 servers. 

    You also might choose this option if you want to have different passwords for QNETWARE on the various NDS trees or NetWare 3.12 servers. 

    To create an authentication entry for the QNETWARE user profile, which has a password of BOSS in NDS tree TREE1 in NDS context MAIN, enter: 

      ADDNTWAUTE SVRTYPE(*NDS) NDSTREE(TREE1) USRPRF(QNETWARE)
      PASSWORD(BOSS) NDSCTX(MAIN)

    To create a NetWare authentication entry for the QNETWARE user object, which has a password of BOSS in SERVER1, enter: 

      ADDNTWAUTE SVRTYPE(*NETWARE3) SERVER(SERVER1) USRPRF(QNETWARE)
      PASSWORD(BOSS)

    See Chapter 16. "NetWare Authentication Entries and Connections" for more information. 
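How the credential handling in Steps 1 and 2 plays out across several targets, and how the multiple-AS/400 situation described under "Use of Multiple AS/400 Systems" arises, modelled in Python as an added illustration that is not IBM code. It assumes that an authentication entry created with ADDNTWAUTE takes precedence over the propagated profile password and that enrolling a profile overwrites the same-named object's password on the target; the system names, tree and server names and passwords are constructed.

```python
"""Added model of the credential flow in Steps 1 and 2 and of the
multiple-AS/400 pitfall from "Use of Multiple AS/400 Systems" (not IBM code).

Assumptions made here: an authentication entry created with ADDNTWAUTE takes
precedence over the propagated profile password, and enrolling a profile
overwrites the password of the same-named object on the target, as the MARLA
example in this chapter describes.  All names and passwords are constructed."""
from dataclasses import dataclass, field


@dataclass
class NetWareTarget:
    """An NDS tree or NetWare 3.12 server; passwords maps object name -> password."""
    name: str
    passwords: dict = field(default_factory=dict)


@dataclass
class As400:
    name: str
    profiles: dict = field(default_factory=dict)      # user profile -> password
    auth_entries: dict = field(default_factory=dict)  # (target name, profile) -> password
    enrolled: dict = field(default_factory=dict)      # profile -> [NetWareTarget]

    def enroll(self, profile, target):
        """CHGNWSUSRA: enroll the profile on the target and push its password."""
        self.enrolled.setdefault(profile, []).append(target)
        self.propagate(profile)

    def change_password(self, profile, new_password):
        """CHGUSRPRF ... PASSWORD(): the change is propagated to every enrolled target."""
        self.profiles[profile] = new_password
        self.propagate(profile)

    def propagate(self, profile):
        for target in self.enrolled.get(profile, []):
            target.passwords[profile] = self.profiles[profile]

    def add_auth_entry(self, profile, target, password):
        """ADDNTWAUTE: a per-target credential for targets whose password differs."""
        self.auth_entries[(target.name, profile)] = password

    def credential_for(self, profile, target):
        # Assumed precedence: authentication entry first, then the profile password.
        return self.auth_entries.get((target.name, profile), self.profiles.get(profile))

    def can_connect(self, profile, target):
        """Would an automatic connection as this profile succeed on the target?"""
        return self.credential_for(profile, target) == target.passwords.get(profile)


def connection_report(systems, profile, targets):
    """(system, target) pairs whose stored credential no longer matches the target."""
    return [(s.name, t.name) for s in systems for t in targets
            if profile in s.profiles and not s.can_connect(profile, t)]


def demo():
    # Scenario 1: QNETWARE password differs on TREE2, fixed with an ADDNTWAUTE entry.
    tree1, tree2 = NetWareTarget("TREE1"), NetWareTarget("TREE2", {"QNETWARE": "OTHER"})
    sys_a = As400("A", profiles={"QNETWARE": "BOSS"})
    sys_a.enroll("QNETWARE", tree1)                   # propagated password now matches TREE1
    before = connection_report([sys_a], "QNETWARE", [tree1, tree2])
    sys_a.add_auth_entry("QNETWARE", tree2, "OTHER")  # ADDNTWAUTE ... NDSTREE(TREE2)
    after = connection_report([sys_a], "QNETWARE", [tree1, tree2])

    # Scenario 2: MARLA enrolled on SERVER1 from two AS/400 systems with different passwords.
    server1 = NetWareTarget("SERVER1")
    sys_a.profiles["MARLA"] = "ALPHA"
    sys_b = As400("B", profiles={"MARLA": "BETA"})
    sys_a.enroll("MARLA", server1)
    sys_b.enroll("MARLA", server1)                    # overwrites the password A pushed
    drift = connection_report([sys_a, sys_b], "MARLA", [server1])
    return before, after, drift


if __name__ == "__main__":
    print(demo())
```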

Step 3--Create AS/400 Group and User Profiles

If you do not have AS/400 profiles, or if they do not represent the structure you want in your NetWare network, you need to create AS/400 group and user profiles. 


Note: If your AS/400 is already set up with group and user profiles that you can propagate to NetWare, go to "Step 4--Enroll AS/400 Users on NetWare". 

To create user or group profiles for users on AS/400 that need to access NetWare servers, use the Create User Profile (CRTUSRPRF) command. 

For example, to create a group profile named FINANCE for a group of users that needs to access a NetWare server for a specific financial application, enter: 

  CRTUSRPRF USRPRF(FINANCE)

To create a user profile named TOM and add it to the FINANCE group profile, enter: 

  CRTUSRPRF USRPRF(TOM) GRPPRF(FINANCE)

Note: A user profile must have a primary group before you can specify a supplementary group. NetWare does not distinguish between a primary group and a supplementary group. 

After you create the AS/400 profiles, they are ready to be enrolled on NDS trees and NetWare 3.12 servers. 

Step 4--Enroll AS/400 Users on NetWare

You can automatically create NetWare objects by enrolling AS/400 users on one or more NDS trees and NetWare 3.12 servers. This means that certain AS/400 profile information is automatically propagated to NetWare. For example, any password and text changes are automatically propagated to all the NDS trees and NetWare 3.12 servers you specify. 

If you plan for most of your AS/400 users to be enrolled on the same set of NDS trees and NetWare 3.12 servers, you can define those servers and trees by using the Change Network Server Attributes (CHGNWSA) command. 

To ensure that AS/400 group and user profiles map correctly to NetWare, you must define an AS/400 profile as either a group or a user in an NDS tree or a NetWare 3.12 server: 

  • You can define AS/400 user profiles as group objects in an NDS tree or NetWare 3.12 server. 

    For example, an AS/400 user profile that has no other profiles referencing it as a group can be defined as a group profile on NetWare. 

  • You can define AS/400 group profiles as user objects on NetWare. 

    However, group members in these profiles are not automatically enrolled on NetWare. 

  • You can define an AS/400 profile as a user object in one NDS tree or NetWare 3.12 server and as a group object in a different NDS tree or NetWare 3.12 server. 

Attention: You cannot define an AS/400 profile as both a group and a user in an NDS tree or a NetWare 3.12 server. 

For a description of all the AS/400 profile attributes that are mapped to NetWare group and user objects, refer to "Mapping AS/400 Profiles to NetWare". 

To enroll AS/400 users on NetWare, use the Change Network Server User Attributes (CHGNWSUSRA) command. 

Using the CHGNWSUSRA Command

Use the CHGNWSUSRA command to enroll AS/400 users on NetWare by specifying the NDS trees and NetWare 3.12 servers on which the AS/400 users are to be enrolled. For the NDS tree list, you can specify a list of NDS trees OR *NWSA. For the NetWare 3.12 server list, you can specify a list of NetWare 3.12 servers OR *NWSA. 

Before you can specify *NWSA, you must define the NDS trees and NetWare servers in the network server attributes (*NWSA) as described in "Step 9--Define Network Server Attributes (Optional)". 


To enroll AS/400 users on NetWare: 
  1. Enter CHGNWSUSRA to see the Change NWS User Attributes (CHGNWSUSRA) display shown in Figure 21-3. 

Figure 21-3. Change NWS User Attributes (CHGNWSUSRA) Display
+--------------------------------------------------------------------------------+
|                     Change NWS User Attributes (CHGNWSUSRA)                    |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| User profile . . . . . . . . . .   PUBS          Name, *CURRENT                |
| Profile type . . . . . . . . . . > *GROUP        *USER, *GROUP                 |
| Prompt control . . . . . . . . . > *NETWARE      *ALL, *BASE, *LANSERVER...    |
| Propagate group members  . . . .   *ALL          *SAME, *NONE, *ALL            |
| Default server type  . . . . . .   *NETWARE      *SAME, *NWSA, *BASE...        |
| NDS tree . . . . . . . . . . . .   *NWSA                                       |
| NDS context  . . . . . . . . . .   *NWSA                                       |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                        More... |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+
    When you enroll group profiles, specify the profile type (PRFTYPE) as *GROUP. You can also specify propagate group members (PRPGRPMBR) as *ALL if you want all the group members to be enrolled. The default of *NONE specifies that group members are not to be enrolled. 
  2. Press PgDn to specify the NDS tree list and NetWare 3.12 server list shown in Figure 21-4. 

Figure 21-4. Change NWS User Attributes (CHGNWSUSRA) Display, Part 2

+--------------------------------------------------------------------------------+
|                     Change NWS User Attributes (CHGNWSUSRA)                    |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| NDS tree list:                                                                 |
|   NDS tree . . . . . . . . . . .   *NWSA                                       |
|   User object context  . . . . .                                               |
|                                                                                |
|   Default server . . . . . . . .                                               |
|                                                                                |
|   Profile object . . . . . . . .                                               |
|                                                                                |
|                + for more values                                               |
| NetWare 3.12 server list . . . .   *NWSA                                       |
|                                                                                |
|                + for more values                                               |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                         Bottom |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+
  3. Use the following information to fill in the NDS tree list fields: 

    NDS tree 
      The NDS tree in which the AS/400 group or user is to be enrolled. 
    User object context 
      The location in the NDS tree where the NDS group or user object is to be created during enrollment. 
    Default server 
      The default server in the NDS tree that is to be used to enroll the AS/400 profiles. 

      Note: You can improve performance by specifying a server rather than using the default *ANY. If the specified server is not active when AS/400 attempts to connect to NetWare, AS/400 searches the NDS tree for other active servers. 
    Profile object 
      The distinguished name of the default NDS profile object that contains the login script to be used by the NetWare object when logging into the network. 
  4. Use the NetWare 3.12 server list fields to define a default list of NetWare 3.12 servers on which AS/400 will enroll AS/400 users. 

Specifying the Default List of NDS Trees and NetWare 3.12 Servers

If you define your NetWare servers and NDS trees in the network server attributes, as described in "Step 9--Define Network Server Attributes (Optional)", you can define default lists of NDS trees and NetWare 3.12 servers that you can specify with the CHGNWSUSRA command when enrolling individual user and group profiles. 

When you specify the NDS tree list (NDSTREELST) parameter as *NWSA, you avoid having to change AS/400 group or user profiles when NetWare servers are added to or removed from your network. Changes to any user or group profiles defined to use the *NWSA value are propagated automatically to new servers whenever new servers are added to the NWSA. 

To see what your NWSA values are, use the Display NWS Attributes (DSPNWSA) command with OPTION(*NETWARE). 

Specifying *NWSA--Examples

The following examples show how to enroll either a group profile or a user profile to the system default list of NetWare servers and NDS trees. 

Group Profile

To enroll the group profile FINANCE and all its group members on the NDS trees and NetWare 3.12 servers defined in the network server attributes (NWSA), enter: 

  CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
  NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)

All the FINANCE group members, including JOHN who was created in Step 3, are now enrolled on NetWare. Future changes to the FINANCE profile, or to any user profiles for members of FINANCE, will be propagated to NetWare. 

User Profile

To enroll user profile JOHN on the NDS trees and NetWare 3.12 servers defined in the network server attributes (NWSA), enter: 

  CHGNWSUSRA USRPRF(JOHN) PRFTYPE(*USER)
  NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)

Notes: 
  • You cannot specify *NWSA as the NDS tree list if you want to specify additional servers that were not defined in the network server attributes. 

  • If an AS/400 group or user profile needs to be enrolled on servers other than those defined as network server attributes, you must use the CHGNWSUSRA command to specify all the NDS trees and NetWare 3.12 servers for that profile, even if most of them were already defined in the network server attributes. 

  • You might not want to specify *NWSA if your NetWare authorization differs from one NDS context to another and you want to enroll AS/400 users in the context that matches the desired authorization. 

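The mapping rules this chapter lays out (group members enrolled only with PRPGRPMBR(*ALL), *NWSA resolving to the CHGNWSA defaults, EVERYONE membership that differs between NetWare 3.12 and 4.1, and a profile never being both a user and a group on one tree or server) modelled in Python as an added illustration that is not IBM code. The Target and Enrollment classes, the sample profiles and the default *NWSA lists are constructed here; the block also generalizes beyond the single FINANCE example by checking several enrollment definitions at once.

```python
"""Added model of this chapter's enrollment mapping rules (not IBM code).

It resolves CHGNWSUSRA-style definitions (including *NWSA defaults from
CHGNWSA), expands group members when PRPGRPMBR(*ALL) is given, applies the
EVERYONE rule (always on NetWare 3.12, only if present in the container on
NetWare 4.1) and rejects a profile that would be both a user and a group on
the same NDS tree or NetWare 3.12 server.  All names below are constructed."""
from dataclasses import dataclass, field

NWSA = "*NWSA"


@dataclass(frozen=True)
class Target:
    kind: str                            # "*NDS" (4.1 tree) or "*NETWARE3" (3.12 server)
    name: str                            # tree or server name
    everyone_in_container: bool = False  # 4.1 only: EVERYONE exists in the user context


@dataclass
class Enrollment:
    usrprf: str
    prftype: str                         # "*USER" or "*GROUP"
    prpgrpmbr: str = "*NONE"             # "*ALL" also enrolls the members of a group
    ndstreelst: tuple = ()               # Targets, or (NWSA,) for the CHGNWSA defaults
    ntw3svrlst: tuple = ()


def resolve_targets(enr, nwsa_trees, nwsa_servers):
    """Expand *NWSA to the system-wide lists, as CHGNWSUSRA does."""
    trees = nwsa_trees if enr.ndstreelst == (NWSA,) else enr.ndstreelst
    servers = nwsa_servers if enr.ntw3svrlst == (NWSA,) else enr.ntw3svrlst
    return list(trees) + list(servers)


def plan_enrollment(profiles, enrollments, nwsa_trees, nwsa_servers):
    """profiles: {profile: set of group profiles it belongs to (GRPPRF/SUPGRPPRF)}.
    Returns (objects, errors): objects[target][name] = {"type", "members"}."""
    objects, errors = {}, []

    def create(target, name, objtype):
        bucket = objects.setdefault(target, {})
        existing = bucket.get(name)
        if existing is not None and existing["type"] != objtype:
            errors.append(f"{name} cannot be both a user and a group on {target.name}")
            return None
        obj = bucket.setdefault(name, {"type": objtype, "members": set()})
        # EVERYONE rule: every 3.12 user object joins EVERYONE; on 4.1 only when
        # EVERYONE already exists in the container the user object is created in.
        if objtype == "*USER" and (target.kind == "*NETWARE3" or target.everyone_in_container):
            everyone = bucket.setdefault("EVERYONE", {"type": "*GROUP", "members": set()})
            everyone["members"].add(name)
        return obj

    for enr in enrollments:
        for target in resolve_targets(enr, nwsa_trees, nwsa_servers):
            group = create(target, enr.usrprf, enr.prftype)
            if group is None or enr.prftype != "*GROUP" or enr.prpgrpmbr != "*ALL":
                continue             # users, or groups enrolled without their members
            for member, groups in profiles.items():
                if enr.usrprf in groups and create(target, member, "*USER") is not None:
                    group["members"].add(member)
    return objects, errors


# Constructed sample: CHGNWSA defaults plus three CHGNWSUSRA definitions.
TREE_XYZ = Target("*NDS", "XYZ")                    # 4.1 tree, no EVERYONE in the context
SRV_NTW3 = Target("*NETWARE3", "NTW3SRV1")          # 3.12 server
PROFILES = {"FINANCE": set(), "TOM": {"FINANCE"}, "SUE": {"FINANCE"}, "MIKE": set()}
ENROLLMENTS = (
    Enrollment("FINANCE", "*GROUP", "*ALL", (NWSA,), (NWSA,)),  # like the FINANCE example
    Enrollment("MIKE", "*USER", ndstreelst=(TREE_XYZ,)),
    Enrollment("TOM", "*GROUP", ntw3svrlst=(SRV_NTW3,)),        # conflicts with TOM the user
)


def demo():
    return plan_enrollment(PROFILES, ENROLLMENTS, (TREE_XYZ,), (SRV_NTW3,))


if __name__ == "__main__":
    objects, errors = demo()
    for target, objs in objects.items():
        for name, obj in sorted(objs.items()):
            print(f"{target.name:9} {obj['type']:7} {name:8} members={sorted(obj['members'])}")
    print("errors:", errors)
```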
Specifying an NDS Tree List

Figure 21-5. Specifying an NDS Tree List

+--------------------------------------------------------------------------------+
|                    Specify More Values for Parameter NDSTREELST                |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| NDS tree list:                                                                 |
|   NDS tree . . . . . . . . . . . > TREE1                                       |
|   User object context  . . . . .   MAIN                                        |
|                                                                                |
|   Default server . . . . . . . .   IBMSRV1                                     |
|                                                                                |
|   Profile object . . . . . . . .   NWLOGIN                                     |
|                                                                                |
|                                                                                |
|   NDS tree . . . . . . . . . . . > TREE2                                       |
|   User object context  . . . . .   PUBS.ROCH.IBM                               |
|                                                                                |
|   Default server . . . . . . . .   PUBSRV1                                     |
|                                                                                |
|   Profile object . . . . . . . .   NWLOGIN                                     |
|                                                                                |
|                                                                        More... |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+
Specifying an NDS Tree List--Examples

The following examples show how to enroll either a group profile or a user profile in NDS tree XYZ. 

Group Profile

To enroll group profile FINANCE and all of its group members in context O=MAIN in NDS tree XYZ, enter: 

  CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
  NDSTREELST((XYZ 'O=MAIN' PUBSRV1 NWLOGIN))

The FINANCE group object and user objects corresponding to the AS/400 group members are created in the NDS tree. From now on, users added to or removed from AS/400 FINANCE group profile are added or removed from NDS tree XYZ. 

User Profile

To enroll user profile MIKE in context MAIN.PERSONNEL in NDS tree XYZ, enter: 

  CHGNWSUSRA USRPRF(MIKE) PRFTYPE(*USER)
  NDSTREELST((XYZ '.PERSONNEL.MAIN' PUBSRV1 NWLOGIN))

The MIKE user object is created in NDS tree XYZ and uses the NWLOGIN profile object for its login script. 

Specifying a NetWare 3.12 Server List

Figure 21-6. Specifying a NetWare 3.12 Server List

+--------------------------------------------------------------------------------+
|                     Change NWS User Attributes (CHGNWSUSRA)                    |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| NDS tree list:                                                                 |
|   NDS tree . . . . . . . . . . .   *NWSA                                       |
|   User object context  . . . . .                                               |
|                                                                                |
|   Default server . . . . . . . .                                               |
|                                                                                |
|   Profile object . . . . . . . .                                               |
|                                                                                |
|                + for more values                                               |
| NetWare 3.12 server list . . . . > NTW3SRV1                                    |
|                                                                                |
|                                  > NTW3SRV2                                    |
|                                                                                |
|                + for more values > NTW3SRV3                                    |
|                                                                                |
|                                                                                |
|                                                                         Bottom |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+
Specifying a NetWare 3.12 Server List--Examples

The following examples show how to enroll either a group profile or a user profile on NetWare 3.12 servers. 

Group Profile

To enroll group profile FINANCE and all its group members on a NetWare 3.12 server named NTW3SRV1, enter: 

 CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
  NTW3SVRLST(NTW3SRV1)

The FINANCE group object and user objects corresponding to the AS/400 group members are created on NTW3SRV1. From now on, users added to or removed from AS/400 FINANCE group are added to or removed from this NetWare 3.12 server. 

User Profile

To enroll user profile JOHN on servers NTW3SRV1 and NTW3SRV2, enter: 

 CHGNWSUSRA USRPRF(JOHN) PRFTYPE(*USER)
  NTW3SVRLST(NTW3SRV1 NTW3SRV2)

The JOHN user object is created on the NTW3SRV1 and NTW3SRV2 servers. 


Propagating Profile Changes to NetWare

After you use the CHGNWSUSRA command to enroll AS/400 users on NetWare, AS/400 profile changes are automatically propagated to NetWare. Only those AS/400 profiles that you defined to be enrolled, by using the CHGNWSUSRA command, are affected when you: 

  • Use the CHGNWSA command to change network server attributes if *NWSA was specified for the NDSTREELST or NTW3SVRLST parameters on the CHGNWSUSRA command. 
  • Use the CHGNWSUSRA command to change the NDSTREELST or NTW3SVRLST parameters for an AS/400 profile or to change the PRPGRPMBR parameter for an AS/400 group profile. 
  • Use the CHGPWD command to change the password of a user profile. 
  • Use the CHGUSRPRF command to: 
    • Change the password of an AS/400 user profile 
    • Change the Set password to expired field of an AS/400 user profile 
    • Change the text (description) of an AS/400 group or user profile 
    • Change the status of an AS/400 group or user profile to *ENABLED or *DISABLED 
    • Add an AS/400 user profile to an AS/400 group that is being enrolled 
    • Remove an AS/400 user profile from an AS/400 group that is being enrolled 

    Attention: If a user profile was enrolled only as a group member with the PRPGRPMBR(*ALL) parameter and does not belong to any other groups that were enrolled, and you remove that user profile from the group, the NetWare user object with the same name is deleted on all NDS trees and NetWare 3.12 servers specified with the CHGNWSUSRA command. 
  • Use the CRTUSRPRF command to add an AS/400 user profile to an AS/400 group that was enrolled. 
  • Use the DLTUSRPRF command to delete an AS/400 profile. 
  • Sign on to AS/400, if passwords are not stored on AS/400 (QRETSVRSEC=0) and you used one of the preceding commands. In this case propagation is delayed until you sign on, so that AS/400 can obtain the password. 

Note: You can unenroll the group or user and stop propagating profile changes by using the CHGNWSUSRA command and specifying *NONE for both the NDSTREELST and NTW3SVRLST parameters. 

Enrolling AS/400 Users when QRETSVRSEC=0

When the Retain Server Security (QRETSVRSEC) system value is set to 0, AS/400 cannot store passwords with authentication entries. This is the more restrictive setting: NetWare passwords are kept out of AS/400 storage, at the cost that enrollment of group and user profiles is delayed until AS/400 can access the profile's password. That happens when either: 

  • The user signs on to AS/400 
  • The password is changed using either the CHGUSRPRF or the CHGPWD command 

To enroll AS/400 users when QRETSVRSEC=0: 
  1. Make sure that QNETWARE has a NetWare authentication entry for each NDS tree and NetWare 3.12 server on which you want to enroll AS/400 users. 
  2. Use the CHGNWSUSRA command to define the NDS trees and NetWare 3.12 servers on which to enroll the AS/400 profile. Enrollment remains pending until AS/400 temporarily has access to the profile's password. 
  3. To start enrollment, do one of the following: 
    • Have the AS/400 user sign on to AS/400. 
    • Have an AS/400 user with *SECADM authority set the profile's password using the CHGUSRPRF command. 
    • Have the AS/400 user change the profile's password using the CHGPWD command. 
    The AS/400 profile attributes are then propagated to NetWare. If a NetWare object with this name does not exist, one is created with the same name as the AS/400 profile. If a NetWare object with this name does exist, it is updated with the AS/400 profile changes. Because the password cannot be retained, no authentication entry is created for the user. 

Mapping AS/400 Profiles to NetWare

When AS/400 group and user profiles are enrolled on NetWare servers, only information in the AS/400 profiles that is applicable to NetWare is sent to the servers. 

Note: The profile information that is specified for the following AS/400 attributes overwrites the corresponding NetWare attributes. If NetWare users change these attributes on NetWare, their changes are overwritten the next time AS/400 profile changes are propagated; for these attributes AS/400 is the authoritative source. 
You can add additional NetWare group and user attributes, such as user properties for a telephone number, fax number, and last name, from the NetWare NWADMIN utility; these additional attributes are not propagated from AS/400. 

AS/400 Group Profiles

When an AS/400 group profile is enrolled as a group object in NetWare, the following AS/400 attributes are propagated: 

Profile name 
The name of the AS/400 group profile, which corresponds to the name of the group object in NetWare. 
Text 
The text description field on an AS/400 group profile, which corresponds to a text description of the group object in NetWare. 


You can define this with the Text parameter using either the CRTUSRPRF or CHGUSRPRF command. 

NDS context 
The context of the NDS tree (specified with the CHGNWSA or CHGNWSUSRA command) in which the AS/400 group profile is to be placed as a NetWare group object. 


You can define this with the NDSTREELST parameter using either the CHGNWSA or CHGNWSUSRA command. 

AS/400 User Profiles

When you enroll an AS/400 user profile as a user object in NetWare, the AS/400 attributes in the following list can be propagated. Some of them (those listed under "Propagating Profile Changes to NetWare", such as the password, the Set password to expired field, the text, and the status) are updated on NetWare every time the AS/400 profile changes. 

Profile name 
The name of the user object in NetWare, which corresponds to the AS/400 profile name. 
NDS context 
The context of the NDS tree (specified with the CHGNWSA or CHGNWSUSRA command) in which the user profile is to be placed as a NetWare user object. 


You can define this with the NDSTREELST parameter using either the CHGNWSA or CHGNWSUSRA command. 


Note: 
  • If you enroll an AS/400 group and all its members, the context for each member is the same as the group context. 
  • If you enroll a user as a member of multiple groups, and more than one of those groups is enrolled in an NDS tree, the context of the user object is the same as the first group it was enrolled into: 
    • If you enroll the main group that a user belongs to, the NDS context of the user object is the same as this group's. 
    • If you do not enroll the main group that a user belongs to, but you do enroll one or more of the supplementary groups it belongs to, the NDS context of the user object is the same as the first supplementary group it was enrolled into. 
Profile login script 
The name of a login script that is run for a profile when the user logs in to the NetWare server or NDS tree. 


You can define this with the profile object entry field of the NDSTREELST parameter using either the CHGNWSA or CHGNWSUSRA command. 

Password 
The AS/400 password is used to set the user password on the NetWare servers, so an enrolled user has the same password on both systems and the AS/400 password rules (the QPWD* system values) effectively govern the NetWare password as well. This corresponds to the PASSWORD parameter on either the CRTUSRPRF or CHGUSRPRF command. 
Password required 
If the AS/400 system value QSECURITY is 10, the NetWare user objects that are created do not require a password to sign on to the server. All other AS/400 QSECURITY levels require that a user object log in with a password. 
Unique password 
If the system value QPWDRQDDIF is 0 (meaning the new password does not have to be unique when it is changed), user objects do not require unique passwords when passwords are changed. Any other value for QPWDRQDDIF forces the user to have a unique password when passwords are changed. 
Password expiration interval 
The number of days a user object's password is valid. This corresponds to the password expiration interval (PWDEXPITV parameter) on the CRTUSRPRF or CHGUSRPRF command. If this value indicates that the system value QPWDEXPITV should be used, the system value is used to set the expiration interval. 
Password expiration date 
The Set password to expired field on the CRTUSRPRF or CHGUSRPRF command is used to indicate whether the password has expired. Whenever the Set password to expired field is changed to *YES for an AS/400 user profile, the Password expiration date is changed to the day before that date. For example, if you change the Set password to expired field to *YES on 4/17/97, the Password expiration date on NetWare is set to 4/16/97. 

Note: By default, NetWare 3.12 user objects created during user enrollment are allowed to change their own passwords; NetWare 4.1 user objects are not. 
Login grace limit 
User objects are allowed 6 more logins after a password has expired. This is the default. 
Account disabled 
The Status field on the CRTUSRPRF or CHGUSRPRF command is used to indicate whether the user can log into the NetWare server or NDS tree. 
Text 
The Text description field on an AS/400 user profile, which corresponds to a text description of the user object in NetWare. 


You can define this with the Text parameter using either the CRTUSRPRF or CHGUSRPRF command. 

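The mapping rules above, carried through in code. This is an added example, not code from this page or from IBM: it models the AS/400 user profile and the three system values as plain Python data and applies the rules the page states (QSECURITY 10 is the only level that creates password-less user objects, QPWDRQDDIF 0 is the only value that does not force a unique password, PWDEXPITV *SYSVAL falls back to QPWDEXPITV, setting the profile to expired on day D gives NetWare an expiration date of D-1, the default login grace limit of 6, Status *DISABLED disables the account), together with the NDS context precedence rules for group members. The UserProfile class, the SYSVALS values, the function names, the handling of *NOMAX, the MIKE group memberships and the assumption that supplementary groups are listed in the order they were enrolled are all mine, not the page's.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed system values for the example (assumed, not taken from the page).
SYSVALS = {"QSECURITY": 30, "QPWDRQDDIF": 1, "QPWDEXPITV": 90}

LOGIN_GRACE_LIMIT = 6   # default number of logins allowed after the password expires


@dataclass
class UserProfile:
    """The CRTUSRPRF/CHGUSRPRF attributes that enrollment propagates."""
    name: str
    password: str
    text: str = ""
    pwdexpitv: str = "*SYSVAL"                     # PWDEXPITV: days, *SYSVAL or *NOMAX
    pwdexp: str = "*NO"                            # Set password to expired: *YES / *NO
    status: str = "*ENABLED"                       # *ENABLED / *DISABLED
    grpprf: str = "*NONE"                          # main group (GRPPRF)
    supgrpprf: list = field(default_factory=list)  # supplementary groups, assumed in enrollment order


def resolve_context(profile: UserProfile, enrolled_groups: dict,
                    own_context: Optional[str]) -> Optional[str]:
    """NDS context for the user object: the main group's context if that group is
    enrolled in the tree, else the first enrolled supplementary group's context,
    else the context given for the user itself on CHGNWSUSRA (own_context)."""
    if profile.grpprf in enrolled_groups:
        return enrolled_groups[profile.grpprf]
    for group in profile.supgrpprf:
        if group in enrolled_groups:
            return enrolled_groups[group]
    return own_context


def map_user(profile: UserProfile, sysvals: dict, enrolled_groups: dict,
             own_context: Optional[str] = None, login_script: Optional[str] = None,
             today: Optional[date] = None) -> dict:
    """Translate an AS/400 user profile plus system values into the NetWare
    user object attributes that enrollment sets."""
    today = today or date.today()
    if profile.pwdexpitv == "*SYSVAL":
        expiration_interval = sysvals["QPWDEXPITV"]
    elif profile.pwdexpitv == "*NOMAX":
        expiration_interval = None      # assumption: *NOMAX maps to "never expires"
    else:
        expiration_interval = int(profile.pwdexpitv)
    # Setting the profile to expired on day D gives NetWare an expiration date of D-1.
    expiration_date = today - timedelta(days=1) if profile.pwdexp == "*YES" else None
    return {
        "name": profile.name,
        "context": resolve_context(profile, enrolled_groups, own_context),
        "login_script": login_script,
        "password": profile.password,
        "password_required": sysvals["QSECURITY"] != 10,   # only level 10 creates password-less objects
        "unique_password": sysvals["QPWDRQDDIF"] != 0,     # 0 is the only value that allows reuse
        "password_expiration_interval": expiration_interval,
        "password_expiration_date": expiration_date,
        "login_grace_limit": LOGIN_GRACE_LIMIT,
        "account_disabled": profile.status == "*DISABLED",
        "text": profile.text,
    }


def example_mike() -> dict:
    """Constructed scenario around the page's MIKE: main group STAFF is not
    enrolled, supplementary group FINANCE is enrolled in O=MAIN, and the
    password was set to expired on 4/17/97."""
    mike = UserProfile("MIKE", "s3cret", text="Mike", pwdexp="*YES",
                       grpprf="STAFF", supgrpprf=["FINANCE"])
    return map_user(mike, SYSVALS, {"FINANCE": "O=MAIN"},
                    own_context=".PERSONNEL.MAIN", login_script="NWLOGIN",
                    today=date(1997, 4, 17))


if __name__ == "__main__":
    for key, value in example_mike().items():
        print(f"{key:28} {value}")
```

Running it shows the point the Note above makes: although MIKE's own CHGNWSUSRA entry named .PERSONNEL.MAIN, the object lands in O=MAIN because an enrolled group he belongs to takes precedence, and the expiration date comes out as 1997-04-16.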

Checking AS/400 User Enrollment Status

After you enroll AS/400 group and user profiles on NetWare, you can use the Work with NWS User Enrollment (WRKNWSENR) command to determine their status. 

You can obtain enrollment status by user profile, profile type, and server type. Enter WRKNWSENR PRFTYPE(*GROUP) to display the objects by GROUP instead of the default, which is by USER. This is the only way to display enrollment status for groups that have no users. 

  1. Enter WRKNWSENR. 

  2. On the WRKNWSENR prompt display (Figure 21-7), select the user profile, profile type, and server type to list. 

     Figure 21-7. WRKNWSENR Display

+--------------------------------------------------------------------------------+
|                    Work with NWS User Enrollment (WRKNWSENR)                   |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| User profile . . . . . . . . . .   *ALL          Name, generic*, *ALL          |
| Profile type . . . . . . . . . .   *GROUP        *USER, *GROUP                 |
| Server type  . . . . . . . . . .   *NETWARE      *NWSUSRA, *NWSA, *NETWARE     |
| NDS tree . . . . . . . . . . . .   *ALL                                        |
| Server . . . . . . . . . . . . .   *ALL                                        |
|                                                                                |
|                                                                                |
+--------------------------------------------------------------------------------+

    Note: If you specify *NWSA for the NDS tree and Server parameters, AS/400 displays those groups and users that are being enrolled into the NDS trees and NetWare 3.12 servers defined in the network server attributes. 
  3. Press Enter to view all the NetWare servers and NDS trees on which groups are to be enrolled. 

  4. The Work with NWS User Enrollment display in Figure 21-8 shows a list of NetWare servers and NDS trees and the current enrollment status of each group that has been enrolled or that is being enrolled. 

    Figure 21-8. Enrollment Status of All Groups Being Enrolled

+--------------------------------------------------------------------------------+
|                         Work with NWS User Enrollment                          |
|                                                             System:   RCHASM00 |
| Type options, press Enter.                                                     |
|   2=Change user profile   5=Display user profile   6=Retry entry               |
|   14=Change network user attributes   15=Display network user attributes       |
|   16=Display error details                                                     |
|                                                                                |
|      Tree/Server                   Enrollment  Error                           |
| Opt    Profile           Type      status      code    Text                    |
|      IBM_TREE1           *NDSTREE                                              |
|        GROUP1            *GROUP    *CURRENT            Scott and Marla         |
|        PUBS              *GROUP    *CURRENT            Edith and Merry         |
|      RCHHJA50            *NTW3SVR                                              |
|        FELLOWSHIP        *GROUP    *UPDPND             Dennis and Lee          |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                         Bottom |
| Parameters or command                                                          |
| ===>                                                                           |
| F3=Exit   F4=Prompt   F5=Refresh   F6=Print list   F9=Retrieve                 |
| F10=Display users     F12=Cancel   F17=Position to                             |
|                                                                                |
+--------------------------------------------------------------------------------+
    The Work with NWS User Enrollment display shows: 
    • A list of active NDS trees and NetWare 3.12 servers 
    • The enrollment status of the AS/400 group or user profile on each NDS tree and NetWare 3.12 server 
    • When you press F10, a list of all the members in each group that are also being enrolled. Pressing F10 again toggles you back to the list of groups. 
    • Enrollment status values for the specified profile from an AS/400 perspective. Press F1 and then F2 to view an explanation of the status values that might appear. 

      Tip: If the AS/400 profile is not enrolled on NetWare, use option 6 to retry the enrollment request, even if the status is *CURRENT and there are no error codes. 
    • Error codes if problems have occurred. If error codes appear, use option 16 to view error details. See "User Enrollment Problems" for more information. 

User Enrollment Status Values

The following list describes the various status values that might appear on the Work with NWS User Enrollment display: 

*CURRENT 
AS/400 has enrolled the profile on NetWare and no more work is pending for the profile. 
*UPDPND 
A create or change has been specified for a profile, and the operation is in progress. If you have several profiles to be updated at once, such as when first enrolling a group and its members, there could be many profiles in this status at one time. 


For a NetWare 3.12 server, only one profile operation is in progress at a time. Other profile changes are queued and processed in turn as the updates proceed. 

For an NDS tree with multiple servers, you can direct profile update operations to a specific server when you use the CHGNWSUSRA or CHGNWSA command. If that server is down, AS/400 attempts other available servers. 

*DLTPND 
A delete operation has been specified for a profile, and the operation is in progress. This could occur if you have deleted a profile on AS/400, or have changed the enrollment request so that the profile is no longer to be enrolled on an NDS tree or NetWare 3.12 server. If you delete an AS/400 profile or change the profile to no longer be enrolled, the NetWare user or group object will be deleted. 
*UPDRCYPND 
An update operation was attempted but did not complete successfully. Because the status indicates recovery pending, the operation will be retried. The timing and number of retry attempts vary with the type of error. If a communications session could not be established with the server, the retry occurs every 15 minutes for a period of about an hour; if no session has been established in that time, no further attempts are made without manual operator action (option 6 on the Work with NWS User Enrollment display). If the error was a NetWare error, the operation is tried again 3 times before it becomes a permanent failure. If a numeric value appears in the Error code field, type 16 in the Option field to display the error message. 
*DLTRCYPND 
A delete operation was attempted but did not complete successfully. Because the status indicates recovery pending, the operation will be retried. If a numeric value appears in the Error code field, type 16 in the Option field to display the error message. 
*UPDFAIL 
A scheduled profile update failed, and all recovery attempts have ended. See "User Enrollment Problems" for more information. 
*DLTFAIL 
A scheduled profile delete failed, and all recovery attempts have ended. See "User Enrollment Error Codes" for more information. 

Ending User Enrollment

You can unenroll users or groups from one or more NDS trees or NetWare servers for an AS/400 profile that was enrolled on NetWare whenever you: 

  • Use the CHGNWSA command to remove NDS trees or NetWare 3.12 servers from the network server attributes, if *NWSA was specified on the CHGNWSUSRA command for the AS/400 profile. 
    AS/400 will attempt to delete the NetWare user or group object with the same name as the AS/400 profile from the NDS trees or NetWare servers that were removed. 
  • Use the CHGNWSUSRA command to remove an NDS tree or NetWare 3.12 server for an AS/400 profile. 
    AS/400 will attempt to delete the NetWare user or group object with the same name as the AS/400 profile from the NDS trees or NetWare servers that were removed. 
  • Use the CHGNWSUSRA command to change the PRPGRPMBR parameter from *ALL to *NONE for an AS/400 group profile. 
    If an AS/400 user profile was enrolled only as a member of this group, AS/400 will attempt to delete the NetWare user object with the same name as the AS/400 profile from the NDS trees and NetWare 3.12 servers on which the group was enrolled. 
  • Use the CHGNWSUSRA command to change the NDSTREELST or NTW3SVRLST parameters to *NONE for an AS/400 profile. 
    AS/400 will attempt to remove the NetWare object with the same name as the AS/400 profile from the NDS trees and NetWare servers on which it was enrolled. 
  • Use the CHGUSRPRF command to remove an AS/400 user profile from an AS/400 group that was enrolled. 
    If the user profile was enrolled only as part of a group with the PRPGRPMBR(*ALL) parameter and does not belong to any other groups that were enrolled, AS/400 will attempt to delete the NetWare user object with the same name on all NDS trees and NetWare 3.12 servers on which the group was enrolled. 
  • Use the DLTUSRPRF command to delete an AS/400 profile. 

Note: If you use one of the preceding commands to remove an AS/400 profile from a NetWare server that AS/400 can no longer access, AS/400 cannot complete the request. In this case, the Work with NWS User Enrollment display shows the status of the AS/400 profile as *DLTPND, *DLTRCYPND, or *DLTFAIL. These status values are described in "User Enrollment Status Values". 

If one of these status values appears, you can remove the entry from the display by using option 4. Once the remove request completes and message CPCA40F "Remove request submitted successfully" appears, the entry is processed as though the delete request had completed successfully on the NetWare server. 

If you use option 4 to remove the entry, the NetWare object itself is not deleted: you must delete it from the NDS tree or NetWare 3.12 bindery yourself by using the NetWare NETADMIN, NWADMIN, or SYSCON utility. Until you do, a NetWare account with the AS/400 user's name and last-propagated password remains on that server. 
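The propagation rules under "Propagating Profile Changes to NetWare" and the unenrollment rules above answer one question: which NetWare objects does the current set of enrollment definitions require, and which create or delete requests does a change on AS/400 queue? The following added example (mine, not IBM's code and not on the page) models that as a desired-state diff: desired_objects() computes every (tree or server, profile) pair that the group lists, PRPGRPMBR(*ALL) memberships and direct user lists call for, and pending_requests() diffs two such states into *UPDPND creates and *DLTPND deletes, so a user object is deleted only when nothing enrolls it there any more, which is the "enrolled only as a group member" rule. The data classes, function names and the FINANCE/MIKE/SAM/JOHN scenario are constructed; coverage is resolved per tree or server, which is my reading of the page where it does not spell out the cross-tree case, so confirm the real system's behaviour with WRKNWSENR.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class GroupEnrollment:
    targets: set                 # NDS trees / NetWare 3.12 servers (NDSTREELST / NTW3SVRLST)
    prpgrpmbr: str = "*NONE"     # PRPGRPMBR(*ALL) enrolls every member of the group as well


@dataclass
class EnrollmentConfig:
    groups: dict = field(default_factory=dict)    # group profile -> GroupEnrollment
    users: dict = field(default_factory=dict)     # user profile -> targets from its own CHGNWSUSRA
    members: dict = field(default_factory=dict)   # user profile -> groups it belongs to (GRPPRF + SUPGRPPRF)


def desired_objects(cfg: EnrollmentConfig) -> set:
    """Every (target, profile, type) the enrollment definitions require on NetWare.
    A user object is wanted on a target if the user is enrolled there directly or
    through any group enrolled there with PRPGRPMBR(*ALL)."""
    wanted = set()
    for group, enr in cfg.groups.items():
        for target in enr.targets:
            wanted.add((target, group, "*GROUP"))
            if enr.prpgrpmbr == "*ALL":
                for user, groups in cfg.members.items():
                    if group in groups:
                        wanted.add((target, user, "*USER"))
    for user, targets in cfg.users.items():
        for target in targets:
            wanted.add((target, user, "*USER"))
    return wanted


def pending_requests(before: set, after: set) -> set:
    """Diff two desired states into what WRKNWSENR would show as pending:
    new objects queue a create (*UPDPND), vanished objects queue a delete (*DLTPND)."""
    return ({(t, p, k, "*UPDPND") for (t, p, k) in after - before}
            | {(t, p, k, "*DLTPND") for (t, p, k) in before - after})


def apply(cfg: EnrollmentConfig, change) -> tuple:
    """Run one AS/400-side change against a copy of cfg; return (new_cfg, pending)."""
    new = copy.deepcopy(cfg)
    change(new)
    return new, pending_requests(desired_objects(cfg), desired_objects(new))


# The AS/400 commands from the page, expressed as changes to the model.
def chgusrprf_remove_from_group(user, group):       # CHGUSRPRF dropping a group
    return lambda cfg: cfg.members[user].discard(group)

def chgusrprf_add_to_group(user, group):            # CHGUSRPRF / CRTUSRPRF adding a group
    return lambda cfg: cfg.members.setdefault(user, set()).add(group)

def chgnwsusra_prpgrpmbr(group, value):             # CHGNWSUSRA PRPGRPMBR(value)
    def change(cfg):
        cfg.groups[group].prpgrpmbr = value
    return change

def chgnwsusra_unenroll(profile):                   # NDSTREELST(*NONE) NTW3SVRLST(*NONE)
    def change(cfg):
        cfg.groups.pop(profile, None)
        cfg.users.pop(profile, None)
    return change

def dltusrprf(profile):                             # DLTUSRPRF
    def change(cfg):
        chgnwsusra_unenroll(profile)(cfg)
        cfg.members.pop(profile, None)
        for groups in cfg.members.values():
            groups.discard(profile)
    return change


def sample_config() -> EnrollmentConfig:
    """Constructed scenario: FINANCE enrolled with all members in tree XYZ; MIKE is
    also enrolled directly; SAM is enrolled only through FINANCE; JOHN not at all."""
    return EnrollmentConfig(
        groups={"FINANCE": GroupEnrollment(targets={"XYZ"}, prpgrpmbr="*ALL")},
        users={"MIKE": {"XYZ"}},
        members={"MIKE": {"FINANCE"}, "SAM": {"FINANCE"}, "JOHN": set()},
    )


if __name__ == "__main__":
    cfg = sample_config()
    for label, change in [
        ("remove SAM from FINANCE", chgusrprf_remove_from_group("SAM", "FINANCE")),
        ("remove MIKE from FINANCE", chgusrprf_remove_from_group("MIKE", "FINANCE")),
        ("add JOHN to FINANCE", chgusrprf_add_to_group("JOHN", "FINANCE")),
        ("FINANCE PRPGRPMBR(*NONE)", chgnwsusra_prpgrpmbr("FINANCE", "*NONE")),
        ("unenroll FINANCE", chgnwsusra_unenroll("FINANCE")),
        ("DLTUSRPRF MIKE", dltusrprf("MIKE")),
    ]:
        _, pending = apply(cfg, change)
        print(f"{label:26} -> {sorted(pending) or 'nothing pending'}")
```

Removing SAM from FINANCE queues a delete of SAM's object in XYZ, while removing MIKE queues nothing because his own CHGNWSUSRA entry still covers XYZ; that is exactly the distinction an administrator needs before dropping a user from an enrolled group.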


User Enrollment and Authentication Commands

Table 21-1. User Enrollment Commands

Enter this AS/400 command   To...
ADDNTWAUTE                  Add a NetWare authentication entry to an AS/400 profile. The entry contains the NetWare user name and password used to connect to a NetWare server. 
CHGNWSA                     Define the NDS context and a default set of NetWare servers and NDS trees on which AS/400 users can be enrolled. 
CHGNWSUSRA                  Enroll AS/400 group and user profiles on NetWare. If you specify NDSTREELST(*NONE) and NTW3SVRLST(*NONE), the profile is not enrolled on NetWare. 
CHGPWD                      Change the password of an AS/400 user profile. If the user profile was enrolled on NetWare, the password of the NetWare user object with the same name is also changed. 
CHGUSRPRF                   Change attributes such as the description of an AS/400 group or user profile. If the AS/400 profile was enrolled on NetWare, the attributes of the NetWare group or user object with the same name are also changed. 
CRTUSRPRF                   Create an AS/400 user profile that can be enrolled on NetWare. 
DLTUSRPRF                   Delete an AS/400 profile. If the profile was enrolled on NetWare, the NetWare group or user object with the same name is also deleted. 
WRKNTWAUTE                  Create, change, display, or remove a NetWare authentication entry. 
WRKNWSENR                   Check the status of AS/400 profiles being enrolled on NetWare. You can also change or display AS/400 profiles, change or display network user attributes, retry the enrollment request, remove entries for enrollment requests in a delete state, or display error details for AS/400 profiles being enrolled on NetWare. 


