Network Server User Attributes
The AS/400 network server user attributes store network information
for a group or user profile. Many of the administrative commands use some
of this information, such as the default server type, default context,
and default NDS tree.
The network server user attributes also contain a list of NDS trees
(and associated user information) and NetWare 3.12 servers that are used
by the user enrollment support to enroll the user or group on NetWare.
You can set defaults for this same information on a system-wide basis by
using the Change Network Server Attribute (CHGNWSA) command.
You use the CHGNWSUSRA command to specify the network server user attributes
and to start enrolling AS/400 users. It is with these attributes that you
specify the NDS trees and NetWare 3.12 servers on which you want to enroll
AS/400 users.
Profile Characteristics
On AS/400, a user profile can be used as either a user or a group profile.
That means someone can sign on to AS/400 with a group ID and do work on
the system as a user. However, in NetWare, only user objects can be used
to log in and run applications. Groups are separate object types that are
used only to combine and then manage individual user objects as one entity.
For example, you can specify file access rights on a group object basis,
and the users belonging to those groups inherit those file rights.
Advantages of Group Profiles
When you enroll AS/400 users, consider using groups rather than individual
user profiles. This can greatly reduce the number of profiles you must
define to be enrolled in your network. For example, if you specify that
an AS/400 group profile and all its group members be enrolled to a NetWare
server, any user profiles belonging to the group are automatically enrolled
on NetWare. The group members do not need to be enrolled individually.
When you use groups, you can also reduce the number of profiles that
need to have their NetWare security defined. You can set rights and attributes
for a group object, and the group members inherit those rights and attributes.
You can also use groups to better manage access to your network resources.
For example, if you install financial applications and data on a NetWare
server, you can grant access for that server only to the FINANCE group.
NetWare Object Rights and Attributes
If you plan to enroll AS/400 groups and all of their members, you can
either:
- Create the group objects first on NetWare and then define their security
  rights. Then you can enroll AS/400 group members, and the NetWare security
  information is not overwritten.
- Have the group objects created on NetWare during user enrollment and then
  define their security rights.
With either method, the users that are enrolled into these groups will
belong to a NetWare group that already has its security rights set. The
user objects inherit the same rights already set for the group object.
Whether you enroll AS/400 user profiles individually or as group members,
the corresponding NetWare user objects might be added to the NetWare group
EVERYONE when they are created. For NetWare
3.12, user objects are always added to the EVERYONE group. For NetWare
4.1, user objects are only added to the EVERYONE group if it already exists
in the same container where the user object is being created. Note that
all users added to EVERYONE inherit the security rights defined for that
group.
Use of Multiple AS/400 Systems
AS/400 user enrollment from a single AS/400 works independently of any
other AS/400 systems. Although you can enroll users on the same NDS tree
or NetWare 3.12 server from multiple AS/400 systems, this is not recommended.
If you want to use more than one AS/400 to enroll AS/400 users, consider
having completely separate user profile sets. Otherwise, you could encounter
undesirable enrollment situations.
For example, MARLA is enrolled on NetWare SERVER1 from AS/400 A.
MARLA is then enrolled on the same server from AS/400 B with a different
password than the one used on AS/400 A. Now MARLA's password on
AS/400 A no longer matches the password on SERVER1 and she cannot
start connections to SERVER1 automatically from AS/400 A.
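A way to check for this overlap before a second system starts enrolling, including the case where the profile is enrolled only indirectly as a group member. This is an added example, not code from the original manual; the inventory structure and the system names AS400A and AS400B are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed inventory: what each AS/400 has been told to enroll with
# CHGNWSUSRA, plus its local group membership. Targets are written as
# (server type, name) so an NDS tree and a 3.12 server cannot collide.
SYSTEMS = {
    "AS400A": {
        "group_members": {},
        "enrollments": [
            {"profile": "MARLA", "prftype": "*USER",
             "targets": [("*NETWARE3", "SERVER1")]},
            {"profile": "TOM", "prftype": "*USER",
             "targets": [("*NETWARE3", "SERVER1")]},
        ],
    },
    "AS400B": {
        "group_members": {"PUBS": ["MARLA", "EDITH"], "FINANCE": ["TOM"]},
        "enrollments": [
            # PRPGRPMBR(*ALL): every member becomes a NetWare user object.
            {"profile": "PUBS", "prftype": "*GROUP", "prpgrpmbr": "*ALL",
             "targets": [("*NETWARE3", "SERVER1"), ("*NDS", "TREE1")]},
            # PRPGRPMBR omitted: the default *NONE enrolls only the group.
            {"profile": "FINANCE", "prftype": "*GROUP",
             "targets": [("*NETWARE3", "SERVER1")]},
        ],
    },
}


def managed_objects(config):
    """Return the set of (NetWare object name, target) one system manages."""
    managed = set()
    for entry in config["enrollments"]:
        expand = (entry["prftype"] == "*GROUP"
                  and entry.get("prpgrpmbr", "*NONE") == "*ALL")
        for target in entry["targets"]:
            managed.add((entry["profile"], target))
            if expand:
                for member in config["group_members"].get(entry["profile"], []):
                    managed.add((member, target))
    return managed


def find_overlaps(systems):
    """Map each (object, target) managed by more than one system to its owners."""
    owners = defaultdict(set)
    for system_name, config in systems.items():
        for key in managed_objects(config):
            owners[key].add(system_name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for (name, (svrtype, target)), names in sorted(find_overlaps(SYSTEMS).items()):
        print(f"{name} on {svrtype} {target} is propagated from: {', '.join(names)}")
```

In the sample, MARLA is flagged because AS400B reaches her through the PUBS group, while TOM is not, because FINANCE is enrolled without its members.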
Step 1--Set Up Your NetWare Servers for User Enrollment
You need to set up your NetWare servers for user enrollment by creating
QNETWARE user objects on each NDS tree and NetWare 3.12 server on which
you want to enroll AS/400 users. Generally, you should use the same password
for QNETWARE on each server. If the password is not the same, you must
create a QNETWARE authentication entry for each NetWare tree or server
you are enrolling to, as described in "Step 2--Set
Up AS/400 for User Enrollment".
To set up your NetWare servers for user enrollment:
1. Create a QNETWARE user object on NDS trees and NetWare 3.12 servers.
   Before you can enroll AS/400 users on NetWare, AS/400 needs to be
   able to log in to NetWare with a login name of QNETWARE. The QNETWARE user
   object must have enough authority to create, change, and delete user and
   group objects. This could include properly positioning QNETWARE in an NDS
   tree, granting it ADMIN authority, or making its security equivalent to
   an existing user object that has the necessary authority.
   Use the NetWare SYSCON, NETADMIN, or NWADMIN utility to create the QNETWARE
   user object and to define its security.
2. Make sure the Enhanced Integration for NetWare NLM is installed and loaded
   on the NetWare servers.
   - For NetWare 3.12, the NLM must be running on all servers on which users
     are to be enrolled.
   - For NetWare 4.1, the NLM must be running on at least one server in the
     NDS tree on which users are to be enrolled. The best solution is to run
     the NLM on all, or most of, the NetWare servers in the tree.
Refer to "Step 3--Install the Enhanced
Integration for NetWare NLM on the Servers" for installation instructions.
Step 2--Set Up AS/400 for User Enrollment
When Enhanced Integration for NetWare is installed on AS/400, a default
QNETWARE user profile is created with *NONE for a password. You need to
change the QNETWARE profile so it can log in to the NDS trees or NetWare
3.12 servers on which AS/400 users are to be enrolled.
To set up your AS/400 system for user enrollment:
1. Set the Retain Server Security (QRETSVRSEC) system value to 1
   to indicate that security information such as passwords, which are needed
   to authenticate users' access to NetWare, can be retained on AS/400.
   To change this value, enter WRKSYSVAL SYSVAL(QRETSVRSEC). When
   the Work with System Values display appears, use option 2 to change the
   system value.
+--------------------------------------------------------------------------------+
| Change System Value |
| |
| System value . . . . . : QRETSVRSEC |
| Description . . . . . : Retain server security data |
| |
| |
| Type choice, press Enter. |
| |
| Retain server security |
| data . . . . . . . . 1 0=Do not retain data |
| 1=Retain data |
+--------------------------------------------------------------------------------+
   Even if you set QRETSVRSEC to 0 and passwords cannot be stored, you can
   still enroll AS/400 users on NetWare. Refer to "Enrolling
   AS/400 Users when QRETSVRSEC=0" for more information.
2. Set the password for QNETWARE on AS/400.
   If you used the same password for the QNETWARE user objects on most
   or all of the NetWare 3.12 servers and NDS trees, you should use the same
   password for QNETWARE on AS/400.
   To set the password for the QNETWARE profile, enter:
       CHGUSRPRF USRPRF(QNETWARE) PASSWORD(password)
   Note that you cannot enable the QNETWARE profile; AS/400 intercepts and
   ignores attempts to change the profile to an enabled state. If QNETWARE
   is enrolled on NetWare, you also cannot set the password for QNETWARE to
   *NONE. If you do, the QNETWARE user profile will automatically disable
   the QNETWARE user object on NetWare and then user enrollment will not be
   able to proceed.
3. If you want to propagate QNETWARE profile changes,
   including passwords, to the NDS trees and NetWare 3.12 servers on which
   you will enroll AS/400 users, you must use the CHGNWSUSRA command. Use
   this command to specify the NDS trees and NetWare 3.12 servers to which
   you want profile changes propagated.
   For example, to propagate QNETWARE profile changes to all the NDS
   trees and NetWare 3.12 servers defined in the network server attributes,
   enter:
       CHGNWSUSRA USRPRF(QNETWARE) PRFTYPE(*USER)
       NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)
   If you do not use network server attributes, you can also use the CHGNWSUSRA
   command to specify the NDS context, NDS trees, and NetWare 3.12 servers
   on which you want the QNETWARE profile to be propagated.
4. If you want to enroll AS/400 users on any NDS trees or NetWare 3.12 servers
   to which the QNETWARE profile changes were not propagated in step 3,
   you must use the ADDNTWAUTE command. Use this command to create authentication
   entries for the QNETWARE profile on those NDS trees or NetWare 3.12 servers.
   You also might choose this option if you want to have different
   passwords for QNETWARE on the various NDS trees or NetWare 3.12 servers.
   To create an authentication entry for the QNETWARE user profile, which
   has a password of BOSS in NDS tree TREE1 in NDS context MAIN, enter:
       ADDNTWAUTE SVRTYPE(*NDS) NDSTREE(TREE1) USRPRF(QNETWARE)
       PASSWORD(BOSS) NDSCTX(MAIN)
   To create a NetWare authentication entry for the QNETWARE user object,
   which has a password of BOSS in SERVER1, enter:
       ADDNTWAUTE SVRTYPE(*NETWARE3) SERVER(SERVER1) USRPRF(QNETWARE)
       PASSWORD(BOSS)
See Chapter 16, "NetWare Authentication
Entries and Connections" for more information.
Step 3--Create AS/400 Group and User Profiles
If you do not have AS/400 profiles, or if they do not represent the
structure you want in your NetWare network, you need to create AS/400 group
and user profiles.
If your AS/400 is already set up with group and user profiles that you
can propagate to NetWare, go to "Step 4--Enroll AS/400
Users on NetWare".
To create user or group profiles for users on AS/400 that need to access
NetWare servers, use the Create User Profile (CRTUSRPRF) command.
For example, to create a group profile named FINANCE for a
group of users that needs to access a NetWare server for a specific financial
application, enter:
CRTUSRPRF USRPRF(FINANCE)
To create a user profile named TOM and add it to the FINANCE group
profile, enter:
CRTUSRPRF USRPRF(TOM) GRPPRF(FINANCE)
A user profile must have a primary group before you can specify a supplementary
group. NetWare does not distinguish between a primary group and a supplementary
group.
After you create the AS/400 profiles, they are ready to be enrolled on
NDS trees and NetWare 3.12 servers.
Step 4--Enroll AS/400 Users on NetWare
You can automatically create NetWare objects by enrolling AS/400 users
on one or more NDS trees and NetWare 3.12 servers. This means that certain
AS/400 profile information is automatically propagated to NetWare. For
example, any password and text changes are automatically propagated to
all the NDS trees and NetWare 3.12 servers you specify.
If you plan for most of your AS/400 users to be enrolled on the same
set of NDS trees and NetWare 3.12 servers, you can define those servers
and trees by using the Change Network Server Attributes (CHGNWSA) command.
To ensure that AS/400 group and user profiles map correctly to NetWare,
you must define an AS/400 profile as either a group or a user in an NDS
tree or a NetWare 3.12 server:
- You can define AS/400 user profiles as group objects in an NDS tree or
  NetWare 3.12 server.
  For example, an AS/400 user profile that has no other profiles referencing
  it as a group can be defined as a group profile on NetWare.
- You can define AS/400 group profiles as user objects on NetWare.
  However, group members in these profiles are not automatically enrolled
  on NetWare.
- You can define an AS/400 profile as a user object in one NDS tree or NetWare
  3.12 server and as a group object in a different NDS tree or NetWare 3.12
  server.

You cannot define an AS/400 profile as both a group and a user in
an NDS tree or a NetWare 3.12 server.
For a description of all the AS/400 profile attributes that are mapped
to NetWare group and user objects, refer to "Mapping
AS/400 Profiles to NetWare".
To enroll AS/400 users on NetWare, use the Change Network Server User
Attributes (CHGNWSUSRA) command.
Using the CHGNWSUSRA Command
Use the CHGNWSUSRA command to enroll AS/400 users on NetWare by specifying
the NDS trees and NetWare 3.12 servers on which the AS/400 users are to
be enrolled. For the NDS tree list, you can specify a list of NDS trees
OR *NWSA. For the NetWare 3.12 server list, you can specify a list of NetWare
3.12 servers OR *NWSA.
Before you can specify *NWSA, you must define the NDS trees and NetWare
servers in the network server attributes (*NWSA) as described in "Step
9--Define Network Server Attributes (Optional)".
To enroll AS/400 users on NetWare:
1. Enter CHGNWSUSRA to see the Change NWS User Attributes (CHGNWSUSRA)
   display shown in Figure 21-3.
Figure 21-3. Change NWS User Attributes (CHGNWSUSRA) Display
+--------------------------------------------------------------------------------+
| Change NWS User Attributes (CHGNWSUSRA) |
| |
| Type choices, press Enter. |
| |
| User profile . . . . . . . . . . PUBS Name, *CURRENT |
| Profile type . . . . . . . . . . > *GROUP *USER, *GROUP |
| Prompt control . . . . . . . . . > *NETWARE *ALL, *BASE, *LANSERVER... |
| Propagate group members . . . . *ALL *SAME, *NONE, *ALL |
| Default server type . . . . . . *NETWARE *SAME, *NWSA, *BASE... |
| NDS tree . . . . . . . . . . . . *NWSA |
| NDS context . . . . . . . . . . *NWSA |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| More... |
| F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display |
| F24=More keys |
| |
+--------------------------------------------------------------------------------+
When you enroll group profiles, specify the profile type (PRFTYPE)
as *GROUP. You can also specify propagate group members (PRPGRPMBR) as
*ALL if you want all the group members to be enrolled. The default of *NONE
specifies that group members are not to be enrolled.
2. Press PgDn to specify the NDS tree list and NetWare 3.12 server list shown
   in Figure 21-4.
Figure 21-4. Change NWS User Attributes (CHGNWSUSRA) Display, Part 2
+--------------------------------------------------------------------------------+
| Change NWS User Attributes (CHGNWSUSRA) |
| |
| Type choices, press Enter. |
| |
| NDS tree list: |
| NDS tree . . . . . . . . . . . *NWSA |
| User object context . . . . . |
| |
| Default server . . . . . . . . |
| |
| Profile object . . . . . . . . |
| |
| + for more values |
| NetWare 3.12 server list . . . . *NWSA |
| |
| + for more values |
| |
| |
| |
| |
| Bottom |
| F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display |
| F24=More keys |
| |
+--------------------------------------------------------------------------------+
3. Use the following information to fill in the NDS tree list fields:
   - NDS tree parameter
     The NDS tree in which the AS/400 group or user is to be enrolled.
   - User object context
     The location in the NDS tree where the NDS group or user object is to be
     created during enrollment.
   - Default server
     The default server in the NDS tree that is to be used to enroll the AS/400
     profiles.
     You can improve performance by specifying a server rather than using the
     default *ANY. If the specified server is not active when AS/400
     attempts to connect to NetWare, AS/400 searches the NDS tree for other
     active servers.
   - Profile object
     The distinguished name of the default NDS profile object that contains
     the login script to be used by the NetWare object when logging into the
     network.
4. Use the NetWare 3.12 server list fields to define a default list
   of NetWare 3.12 servers on which AS/400 will enroll AS/400 users.
Specifying the Default List of NDS Trees and NetWare 3.12 Servers
If you define your NetWare servers and NDS trees in the network server
attributes, as described in "Step 9--Define
Network Server Attributes (Optional)", you can define default lists
of NDS trees and NetWare 3.12 servers that you can specify with the CHGNWSUSRA
command when enrolling individual user and group profiles.
When you specify the NDS tree list (NDSTREELST) parameter as *NWSA,
you avoid having to change AS/400 group or user profiles when NetWare servers
are added to or removed from your network. Changes to any user or group
profiles defined to use the *NWSA value are propagated automatically to
new servers whenever new servers are added to the NWSA.
To see what your NWSA values are, use the Display NWS Attributes (DSPNWSA)
command with OPTION(*NETWARE).
Specifying *NWSA--Examples
The following examples show how to enroll either a group profile or
a user profile to the system default list of NetWare servers and NDS trees.
Group Profile
To enroll the group profile FINANCE and all its group members on the
NDS trees and NetWare 3.12 servers defined in the network server attributes
(NWSA), enter:
CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)
All the FINANCE group members, including JOHN who was created
in Step 3, are now enrolled on NetWare. Future changes to the FINANCE
profile or any user profiles for members of FINANCE, will be propagated
to NetWare.
User Profile
To enroll user profile JOHN on the NDS trees and NetWare 3.12 servers
defined in the network server attributes (NWSA), enter:
CHGNWSUSRA USRPRF(JOHN) PRFTYPE(*USER)
NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)
- You cannot specify *NWSA as the NDS tree list if you want to specify
  additional servers that were not defined in the network server attributes.
  If an AS/400 group or user profile needs to be enrolled on servers
  other than those defined as network server attributes, you must use the
  CHGNWSUSRA command to specify all the NDS trees and NetWare 3.12 servers
  for that profile, even if most of them were already defined in the network
  server attributes.
- You might not want to specify *NWSA if your NetWare authorization differs
  from one NDS context to another and you want to enroll AS/400 users in
  the context that matches the desired authorization.
Specifying an NDS Tree List
Figure 21-5. Specifying an NDS Tree List
+--------------------------------------------------------------------------------+
| Specify More Values for Parameter NDSTREELST |
| |
| Type choices, press Enter. |
| |
| NDS tree list: |
| NDS tree . . . . . . . . . . . > TREE1 |
| User object context . . . . . MAIN |
| |
| Default server . . . . . . . . IBMSRV1 |
| |
| Profile object . . . . . . . . NWLOGIN |
| |
| |
| NDS tree . . . . . . . . . . . > TREE2 |
| User object context . . . . . PUBS.ROCH.IBM |
| |
| Default server . . . . . . . . PUBSRV1 |
| |
| Profile object . . . . . . . . NWLOGIN |
| |
| More... |
| F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display |
| F24=More keys |
| |
+--------------------------------------------------------------------------------+
Specifying an NDS Tree List--Examples
The following examples show how to enroll either a group profile or
a user profile in NDS tree XYZ.
Group Profile
To enroll group profile FINANCE and all of its group members in context
O=MAIN in NDS tree XYZ, enter:
CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
NDSTREELST((XYZ 'O=MAIN' PUBSRV1 NWLOGIN))
The FINANCE group object and user objects corresponding to the AS/400 group
members are created in the NDS tree. From now on, users added to or removed
from AS/400 FINANCE group profile are added or removed from NDS tree XYZ.
User Profile
To enroll user profile MIKE in context MAIN.PERSONNEL in NDS tree XYZ,
enter:
CHGNWSUSRA USRPRF(MIKE) PRFTYPE(*USER)
NDSTREELST((XYZ '.PERSONNEL.MAIN' PUBSRV1 NWLOGIN))
The MIKE user object is created in NDS tree XYZ and will use NWLOGIN as
his login script.
Specifying a NetWare 3.12 Server List
Figure 21-6. Specifying a NetWare 3.12 Server List
+--------------------------------------------------------------------------------+
| Change NWS User Attributes (CHGNWSUSRA) |
| |
| Type choices, press Enter. |
| |
| NDS tree list: |
| NDS tree . . . . . . . . . . . *NWSA |
| User object context . . . . . |
| |
| Default server . . . . . . . . |
| |
| Profile object . . . . . . . . |
| |
| + for more values |
| NetWare 3.12 server list . . . . > NTW3SRV1 |
| |
| > NTW3SRV2 |
| |
| + for more values > NTW3SRV3 |
| |
| |
| Bottom |
| F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display |
| F24=More keys |
| |
+--------------------------------------------------------------------------------+
Specifying a NetWare 3.12 Server List--Examples
The following examples show how to enroll either a group profile or
a user profile on NetWare 3.12 servers.
Group Profile
To enroll group profile FINANCE and all its group members on a NetWare
3.12 server named NTW3SRV1, enter:
CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
NTW3SVRLST(NTW3SRV1)
The FINANCE group object and user objects corresponding to the AS/400 group
members are created on NTW3SRV1. From now on, users added to or removed
from AS/400 FINANCE group are added to or removed from this NetWare 3.12
server.
User Profile
To enroll user profile JOHN on servers NTW3SRV1 and NTW3SRV2, enter:
CHGNWSUSRA USRPRF(JOHN) PRFTYPE(*USER)
NTW3SVRLST(NTW3SRV1 NTW3SRV2)
The JOHN user object is created on the NTW3SRV1 and NTW3SRV2 servers.
Propagating Profile Changes to NetWare
After you use the CHGNWSUSRA command to enroll AS/400 users on NetWare,
AS/400 profile changes are automatically propagated to NetWare. Only those
AS/400 profiles that you defined to be enrolled, by using the CHGNWSUSRA
command, are affected when you:
- Use the CHGNWSA command to change network server attributes if *NWSA was
  specified for the NDSTREELST or NTW3SVRLST parameters on the CHGNWSUSRA
  command.
- Use the CHGNWSUSRA command to change the NDSTREELST or NTW3SVRLST parameters
  for an AS/400 profile or to change the PRPGRPMBR parameter for an AS/400
  group profile.
- Use the CHGPWD command to change the password of a user profile.
- Use the CHGUSRPRF command to:
  - Change the password of an AS/400 user profile
  - Change the set password to expired field of an AS/400 user profile
  - Change the text (description) of an AS/400 group or user profile
  - Change the status of an AS/400 group or user profile to *ENABLED or *DISABLED
  - Add an AS/400 user profile to an AS/400 group that is being enrolled
  - Remove an AS/400 user profile from an AS/400 group that is being enrolled
    If a user profile was enrolled only as a group member with the PRPGRPMBR(*ALL)
    parameter and does not belong to any other groups that were enrolled, and
    you remove that user profile from the group, the NetWare user object with
    the same name is deleted on all NDS trees and NetWare 3.12 servers specified
    with the CHGNWSUSRA command.
- Use the CRTUSRPRF command to add an AS/400 user profile to an AS/400 group
  that was enrolled.
- Use the DLTUSRPRF command to delete an AS/400 profile.
- Sign on to AS/400 if passwords aren't stored on AS/400 and if you used
  one of the preceding commands. In this case, propagation is delayed until
  you sign on so AS/400 can obtain the password.

You can unenroll the group or user and stop propagating group or user profile
changes by using the CHGNWSUSRA command and specifying *NONE for the NDSTREELST
and NTW3SVRLST parameters.
Enrolling AS/400 Users when QRETSVRSEC=0
When the Retain Server Security (QRETSVRSEC) system value is set to
0, AS/400 cannot store passwords with authentication entries. Therefore,
enrollment for group and user profiles is delayed until AS/400 can access
the profile's password. This occurs when either:
- The user signs on to AS/400
- The password is changed using either the CHGUSRPRF or the CHGPWD command

To enroll AS/400 users when QRETSVRSEC=0:
1. Make sure that QNETWARE has a NetWare authentication entry for each NDS
   tree and NetWare 3.12 server on which you want to enroll AS/400 users.
2. Use the CHGNWSUSRA command to define the NDS trees and NetWare 3.12 servers
   on which to enroll the AS/400 profile.
   Enrollment is delayed until AS/400 temporarily accesses the profile's
   password.
3. To start enrollment, do one of the following:
   - Have the AS/400 user sign on to AS/400.
   - Have an AS/400 user with *SECADM authority set the profile's password using
     the CHGUSRPRF command.
   - Have the AS/400 user change the profile's password using the CHGPWD command.
The AS/400 profile attributes are propagated to NetWare. If a NetWare object
with this name does not exist, one is created with the same name as the
AS/400 profile. If a NetWare object with this name does exist, it is updated
with AS/400 profile changes. An authentication entry is not created.
Mapping AS/400 Profiles to NetWare
When AS/400 group and user profiles are enrolled on NetWare servers,
only information in the AS/400 profiles that is applicable to NetWare is
sent to the servers.
The profile information that is specified for the following AS/400 attributes
overwrites the corresponding NetWare attributes. If NetWare users change
these attributes, they can be overwritten whenever AS/400 profile changes
are propagated.
You can add additional NetWare group and user attributes, such as user
properties for a telephone number, fax number, and last name, from the
NetWare NWADMIN utility.
AS/400 Group Profiles
When an AS/400 group profile is enrolled as a group object in NetWare,
the following AS/400 attributes are propagated:
- Profile name
  The name of the AS/400 group profile, which corresponds to the name of
  the group object in NetWare.
- Text
  The text description field on an AS/400 group profile, which corresponds
  to a text description of the group object in NetWare.
  You can define this with the Text parameter using either the CRTUSRPRF
  or CHGUSRPRF command.
- NDS context
  The context of the NDS tree (specified with the CHGNWSA or CHGNWSUSRA command)
  in which the AS/400 group profile is to be placed as a NetWare group object.
  You can define this with the NDSTREELST parameter using either the
  CHGNWSA or CHGNWSUSRA command.
AS/400 User Profiles
When you enroll an AS/400 user profile as a user object in NetWare,
the AS/400 attributes in the following list can be propagated. The fields
shown in bold italics are updated on NetWare every time the AS/400 profile
changes.
- Profile name
  The name of the user object in NetWare, which corresponds to the AS/400
  profile name.
- NDS context
  The context of the NDS tree (specified with the CHGNWSA or CHGNWSUSRA command)
  in which the user profile is to be placed as a NetWare user object.
  You can define this with the NDSTREELST parameter using either the
  CHGNWSA or CHGNWSUSRA command.
  - If you enroll an AS/400 group and all its members, the context for each
    member is the same as the group context.
  - If you enroll a user as a member of multiple groups, and more than one
    of those groups is enrolled in an NDS tree, the context of the user object
    is the same as the first group it was enrolled into.
  - If you enroll the main group that a user belongs to, the NDS context of
    the user object is the same as this group.
  - If you do not enroll the main group that a user belongs to, but you do
    enroll one or more of the supplementary groups it belongs to, the NDS context
    of the user object is the same as the first supplementary group it was
    enrolled into.
- Profile login script
  The name of a login script that is run for a profile when the user logs
  in to the NetWare server or NDS tree.
  You can define this with the profile object entry field of the NDSTREELST
  parameter using either the CHGNWSA or CHGNWSUSRA command.
- Password
  The AS/400 password is used to set the user password on the NetWare servers.
  This corresponds to the PASSWORD parameter on either the CRTUSRPRF or CHGUSRPRF
  command.
- Password required
  If the AS/400 system value QSECURITY is 10, the NetWare user objects that
  are created do not require a password to sign on to the server. All other
  AS/400 QSECURITY levels require that a user object log in with a password.
- Unique password
  If the system value QPWDRQDDIF is 0 (meaning the new password does not
  have to be unique when it is changed), user objects do not require unique
  passwords when passwords are changed. Any other value for QPWDRQDDIF forces
  the user to have a unique password when passwords are changed.
- Password expiration interval
  The number of days a user object's password is valid. This corresponds
  to the password expiration interval (PWDEXPITV parameter) on the CRTUSRPRF
  or CHGUSRPRF command. If this value indicates that the system value QPWDEXPITV
  should be used, the system value is used to set the expiration interval.
- Password expiration date
  The Set password to expired field on the CRTUSRPRF or CHGUSRPRF command
  is used to indicate whether the password has expired. Whenever the Set
  password to expired field is changed to *YES for an AS/400 user profile,
  the Password expiration date is changed to the day before that date. For
  example, if you change the Set password to expired field to *YES on 4/17/97,
  the Password expiration date on NetWare is set to 4/16/97.
  By default, NetWare 3.12 user objects created during user enrollment are
  allowed to change passwords; however, NetWare 4.1 user objects are not.
- Login grace limit
  User objects are allowed 6 more logins after a password has expired. This
  is the default.
- Account disabled
  The Status field on the CRTUSRPRF or CHGUSRPRF command is used to indicate
  whether the user can log into the NetWare server or NDS tree.
- Text
  The Text description field on an AS/400 user profile, which corresponds
  to a text description of the user object in NetWare.
  You can define this with the Text parameter using either the CRTUSRPRF
  or CHGUSRPRF command.
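The password-related mappings in this list can be worked through before enrollment to see which NetWare account settings a profile will end up with. This is an added example, not code from the original manual; the class and function names are assumptions, the profile values are constructed, and only the rules stated in the list above are modelled (a PWDEXPITV given as days or as *SYSVAL).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Union


@dataclass
class SystemValues:
    qsecurity: int     # QSECURITY level
    qpwdrqddif: int    # QPWDRQDDIF; 0 = new password need not be unique
    qpwdexpitv: int    # QPWDEXPITV in days


@dataclass
class UserProfile:
    name: str
    status: str = "*ENABLED"                # Status field
    pwdexpitv: Union[int, str] = "*SYSVAL"  # PWDEXPITV: days, or use QPWDEXPITV
    pwdexp: str = "*NO"                     # Set password to expired
    text: str = ""


def netware_policy(profile, sysvals, netware_version, changed_on):
    """Derive the NetWare user object settings described in the list above.

    netware_version is "3.12" or "4.1"; changed_on is the date on which
    Set password to expired was changed to *YES (ignored otherwise).
    """
    if profile.pwdexpitv == "*SYSVAL":
        interval = sysvals.qpwdexpitv
    else:
        interval = int(profile.pwdexpitv)
    expired = profile.pwdexp == "*YES"
    return {
        "object_name": profile.name,
        "description": profile.text,
        "password_required": sysvals.qsecurity != 10,
        "unique_password_required": sysvals.qpwdrqddif != 0,
        "password_expiration_interval_days": interval,
        # The expiration date is set to the day before the change.
        "password_expiration_date": changed_on - timedelta(days=1) if expired else None,
        "grace_logins": 6,
        "account_disabled": profile.status == "*DISABLED",
        # Default for objects created during enrollment.
        "user_may_change_password": netware_version == "3.12",
    }


def review(policy):
    """Return the settings an administrator would want to look at first."""
    findings = []
    if not policy["password_required"]:
        findings.append("QSECURITY 10: object can log in without a password")
    if not policy["unique_password_required"]:
        findings.append("QPWDRQDDIF 0: unique password not required on change")
    if policy["password_expiration_date"] and not policy["account_disabled"]:
        findings.append(
            f"password expired, but {policy['grace_logins']} more logins are allowed")
    return findings


if __name__ == "__main__":
    weak = SystemValues(qsecurity=10, qpwdrqddif=0, qpwdexpitv=60)
    tom = UserProfile("TOM", pwdexp="*YES", text="Finance user")
    result = netware_policy(tom, weak, "4.1", date(1997, 4, 17))
    for key, value in result.items():
        print(f"{key:36} {value}")
    for finding in review(result):
        print("REVIEW:", finding)
```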
Checking AS/400 User Enrollment Status
After you enroll AS/400 group and user profiles on NetWare, you can
use the Work with NWS User Enrollment (WRKNWSENR) command to determine
their status.
You can obtain enrollment status by user profile, profile type, and
server type. Enter WRKNWSENR PRFTYPE(*GROUP) to display the objects by
GROUP instead of the default, which is by USER. This is the only way to
display enrollment status for groups that have no users.
1. Enter WRKNWSENR.
Figure 21-7. WRKNWSENR Display
+--------------------------------------------------------------------------------+
| Work with NWS User Enrollment (WRKNWSENR) |
| |
| Type choices, press Enter. |
| |
| User profile . . . . . . . . . . *ALL Name, generic*, *ALL |
| Profile type . . . . . . . . . . *GROUP *USER, *GROUP |
| Server type . . . . . . . . . . *NETWARE *NWSUSRA, *NWSA, *NETWARE |
| NDS tree . . . . . . . . . . . . *ALL |
| Server . . . . . . . . . . . . . *ALL |
| |
| |
+--------------------------------------------------------------------------------+
   If you specify *NWSA for the NDS tree and Server parameters, AS/400 displays
   those groups and users that are being enrolled into the NDS trees and NetWare
   3.12 servers defined in the network server attributes.
2. Press Enter to view all the NetWare servers and NDS trees on which groups
   are to be enrolled.
   The Work with NWS User Enrollment display in Figure
   21-8 shows a list of NetWare servers and NDS trees and the current
   enrollment status of each group that has been enrolled or that is being
   enrolled.
Figure 21-8. Enrollment Status of All Groups Being Enrolled
+--------------------------------------------------------------------------------+
| Work with NWS User Enrollment |
| System: RCHASM00 |
| Type options, press Enter. |
| 2=Change user profile 5=Display user profile 6=Retry entry |
| 14=Change network user attributes 15=Display network user attributes |
| 16=Display error details |
| |
| Tree/Server Enrollment Error |
| Opt Profile Type status code Text |
| IBM_TREE1 *NDSTREE |
| GROUP1 *GROUP *CURRENT Scott and Marla |
| PUBS *GROUP *CURRENT Edith and Merry |
| RCHHJA50 *NTW3SVR |
| FELLOWSHIP *GROUP *UPDPND Dennis and Lee |
| |
| |
| |
| |
| Bottom |
| Parameters or command |
| ===> |
| F3=Exit F4=Prompt F5=Refresh F6=Print list F9=Retrieve |
| F10=Display users F12=Cancel F17=Position to |
| |
+--------------------------------------------------------------------------------+
The Work with NWS User Enrollment display shows:
- A list of active NDS trees and NetWare 3.12 servers
- The enrollment status of the AS/400 group or user profile on each NDS tree
  and NetWare 3.12 server
- When you press F10, a list of all the members in each group that are also
  being enrolled. Pressing F10 toggles you back to the list of groups.
- Enrollment status values for the specified profile from an AS/400 perspective.
  Press F1 and then F2 to view an explanation of the status values that might
  appear.
  If the AS/400 profile is not enrolled on NetWare, use option 6 to retry
  the enrollment request even if the status is *CURRENT and there are no
  error codes.
- Error codes if problems have occurred.
  If error codes appear, use option 16 to view error details. See
  "User Enrollment Problems" for more information.
User Enrollment Status Values
The following list describes the various status values that might appear
on the Work with NWS User Enrollment display:
- *CURRENT
  AS/400 has enrolled the profile on NetWare and no more work is pending
  for the profile.
- *UPDPND
  A create or change has been specified for a profile, and the operation
  is in progress. If you have several profiles to be updated at once, such
  as when first enrolling a group and its members, there could be many profiles
  in this status at one time.
  For a NetWare 3.12 server, only one profile operation at a time
  is in progress. Other profile changes are queued and are processed
  in turn as the updates proceed.
  For an NDS tree with multiple servers, you can direct profile update
  operations to specific servers when you use the CHGNWSUSRA or CHGNWSA command.
  If that server is down, AS/400 attempts other available servers.
- *DLTPND
  A delete operation has been specified for a profile, and the operation
  is in progress. This could occur if you have deleted a profile on AS/400,
  or have changed the enrollment request so that the profile is no longer
  to be enrolled on an NDS tree or NetWare 3.12 server. If you delete an
  AS/400 profile or change the profile to no longer be enrolled, the NetWare
  user or group object will be deleted.
- *UPDRCYPND
  An update operation was attempted but did not complete successfully. Because
  the status indicates recovery pending, the operation will be retried. The
  timing and number of retry attempts vary with the type of error. If the
  error was that a communications session could not be established with a
  server, the retry occurs every 15 minutes, for a period of about an hour.
  If no communications session has been established in that time frame, no
  further attempts are made without manual operator action. If the error was
  due to a NetWare error, the operation is tried again 3 times before it becomes
  a permanent failure. If a numeric value appears in the Error code field,
  type 16 in the Option field to display an error message.
- *DLTRCYPND
  A delete operation was attempted but did not complete successfully. Because
  the status indicates recovery pending, the operation will be retried.
  If a numeric value appears in the Error code field, type 16 in the
  Option field to display an error message.
- *UPDFAIL
  A scheduled profile update failed, and all recovery attempts have ended.
  See "User Enrollment Problems" for more information.
- *DLTFAIL
  A scheduled profile delete failed, and all recovery attempts have ended.
  See "User Enrollment Error Codes" for more information.
Ending User Enrollment
An AS/400 profile that was enrolled on NetWare is unenrolled from one or
more NDS trees or NetWare servers whenever you:
- Use the CHGNWSA command to remove NDS trees or NetWare 3.12 servers in
  the network server attributes if *NWSA was specified on the CHGNWSUSRA
  command for the AS/400 profile.
  AS/400 will attempt to delete the NetWare user or group object with
  the same name as the AS/400 profile from the NDS trees or NetWare servers
  that were removed.
- Use the CHGNWSUSRA command to remove an NDS tree or NetWare 3.12 server
  for an AS/400 profile.
  AS/400 will attempt to delete the NetWare user or group object with
  the same name as the AS/400 profile from the NDS trees or NetWare servers
  that were removed.
- Use the CHGNWSUSRA command to change the PRPGRPMBR parameter from *ALL
  to *NONE for an AS/400 group profile.
  If an AS/400 user profile was enrolled only as a member of this
  group, AS/400 will attempt to delete the NetWare user or group object with
  the same name as the AS/400 profile from the NDS trees and NetWare 3.12
  servers on which the group was enrolled.
- Use the CHGNWSUSRA command to change the NDSTREELST or NTW3SVRLST parameters
  to *NONE for an AS/400 profile.
  AS/400 will attempt to remove the NetWare object with the same name
  as the AS/400 profile from the NDS trees and NetWare servers on which it
  was enrolled.
- Use the CHGUSRPRF command to remove an AS/400 user profile from an AS/400
  group that was enrolled.
  If a user profile was enrolled only as part of a group with the
  PRPGRPMBR(*ALL) parameter and does not belong to any other groups that
  were enrolled and you remove that user profile from the group, AS/400 will
  attempt to delete the NetWare user object with the same name on all NDS
  trees and NetWare 3.12 servers on which the group was enrolled.
- Use the DLTUSRPRF command to delete an AS/400 profile.
If you use one of the preceding commands to remove an AS/400 profile from
a NetWare server that AS/400 can no longer access, AS/400 cannot complete
the request. In this case, the Work with NWS User Enrollment display will
show the status of the AS/400 profile as either *DLTPND, *DLTRCYPND, or
*DLTFAIL. These status codes are described in "User Enrollment Status Values".
If one of these status values appears, you can remove the entry
from the display by using Option 4. Once the remove entry request completes
and the CPCA40F message "Remove request submitted successfully" appears,
the entry is processed as though the delete request had completed
successfully on the NetWare server.
If you use option 4 to remove the entry, you must delete the NetWare
object from the NDS tree or NetWare 3.12 Bindery by using the NetWare NETADMIN,
NWADMIN, or SYSCON utility.
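The delete states above mean a NetWare user or group object may still exist after AS/400 has stopped managing it. The following added example, which is not part of the original documentation, parses rows laid out like Figure 21-8 and lists the profiles with a delete outstanding and those whose recovery attempts have ended. The row layout of the input, the profiles OLDUSER and TEMP01, and the error codes are constructed assumptions.

```python
# Added example: triage of WRKNWSENR-style rows (layout modelled on Figure 21-8).
TARGET_TYPES = {"*NDSTREE", "*NTW3SVR"}
DELETE_STATES = {"*DLTPND", "*DLTRCYPND", "*DLTFAIL"}  # NetWare object may still exist
FAILED_STATES = {"*UPDFAIL", "*DLTFAIL"}               # all recovery attempts have ended
KNOWN = {"*CURRENT", "*UPDPND", "*UPDRCYPND"} | DELETE_STATES | FAILED_STATES

# Constructed sample. OLDUSER, TEMP01 and the error codes are made-up values.
SAMPLE = """\
IBM_TREE1    *NDSTREE
  GROUP1     *GROUP  *CURRENT           Scott and Marla
  OLDUSER    *USER   *DLTFAIL    99999  Former employee
RCHHJA50     *NTW3SVR
  FELLOWSHIP *GROUP  *UPDPND            Dennis and Lee
  TEMP01     *USER   *DLTRCYPND         Contractor
  PUBS       *GROUP  *UPDFAIL    99998  Edith and Merry
"""

def parse_enrollment(listing):
    """Return one dict per profile row, tagged with its NDS tree or server."""
    entries, target = [], None
    for raw in listing.splitlines():
        tokens = raw.strip().strip("|").split()
        if len(tokens) < 2 or not tokens[1].startswith("*"):
            continue                      # blank line, column heading, key legend
        if tokens[1] in TARGET_TYPES:
            target = tokens[0]            # rows that follow belong to this tree/server
            continue
        if len(tokens) < 3 or not tokens[2].startswith("*"):
            continue
        # Whitespace parsing: a description that starts with digits would be
        # misread as an error code, so treat the code as a hint only.
        code = tokens[3] if len(tokens) > 3 and tokens[3].isdigit() else None
        entries.append({"target": target, "profile": tokens[0], "type": tokens[1],
                        "status": tokens[2], "error_code": code})
    return entries

def triage(listing):
    """Group rows by the follow-up the status descriptions call for."""
    report = {"delete_outstanding": [], "retries_ended": [], "unrecognized": []}
    for e in parse_enrollment(listing):
        label = f"{e['target']}/{e['profile']}"
        if e["status"] not in KNOWN:
            report["unrecognized"].append(label)   # never silently drop a status
            continue
        if e["status"] in DELETE_STATES:
            report["delete_outstanding"].append(label)
        if e["status"] in FAILED_STATES:
            report["retries_ended"].append(label)
    return report

if __name__ == "__main__":
    for category, rows in triage(SAMPLE).items():
        print(category, rows)
```

Every name under delete_outstanding is a candidate for a check with NETADMIN, NWADMIN, or SYSCON, in particular before or after option 4 is used on the entry.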
User Enrollment and Authentication Commands
Table 21-1. User Enrollment Commands
| Enter this AS/400 command | to... |
|---|---|
| ADDNTWAUTE | Add a NetWare authentication entry to an AS/400 profile that contains the NetWare user name and password used to connect to a NetWare server. |
| CHGNWSA | Define the NDS context and a default set of NetWare servers and NDS trees on which AS/400 users can be enrolled. |
| CHGNWSUSRA | Enroll AS/400 group and user profiles on NetWare. If you specify NDSTREELST(*NONE) and NTW3SVRLST(*NONE), the profile is not enrolled on NetWare. |
| CHGPWD | Change the password of an AS/400 user profile. If the user profile was enrolled on NetWare, the password of the NetWare user object with the same name is also changed. |
| CHGUSRPRF | Change attributes such as the description of an AS/400 group or user profile. If the AS/400 profile was enrolled on NetWare, the attributes of the NetWare group or user object with the same name are also changed. |
| CRTUSRPRF | Create an AS/400 user profile that can be enrolled on NetWare. |
| DLTUSRPRF | Delete a NetWare group or user object if the AS/400 profile with the same name was enrolled on NetWare. |
| WRKNTWAUTE | Create, change, display, or remove a NetWare authentication entry. |
| WRKNWSENR | Check the status of AS/400 profiles being enrolled on NetWare. You can also change or display AS/400 profiles, change or display network user attributes, try the enrollment request again, remove entries for enrollment requests in a delete state, or display error details for AS/400 profiles being enrolled on NetWare. |