Identity mapping

Identity mapping provides a method for the local NFS server and client to translate foreign users and groups to local users and groups.

AIX® uses the EIM technology, which is based on LDAP, to perform its identity mapping. All NFS identity mapping data is stored on an LDAP server.

To set up an EIM client, the bos.eim.rte and ldap.client filesets must be installed. The EIM server also requires the ldap.server fileset. After the appropriate filesets are installed, the /usr/sbin/chnfsim command is used to configure EIM. The minimum setup options are as follows:

/usr/sbin/chnfsim -c -a -t [type] -h [EIM server] -e [LDAP/EIM domain] -f [LDAP suffix] -w [administrator password]

This configures both EIM clients and servers to use a specific EIM server for identity mapping. If the host name specified in the command is the local host name, then an LDAP server will also be set up.

After the configuration step is complete, the EIM administrator can populate the LDAP server with NFS identity mapping data. An individual user or group, such as John Doe, is known as a mapping identity. The NFS owner string of that user, johndoe@austin.ibm.com, is known as an identity mapping. To load this data into the LDAP server, run the following command:

/usr/sbin/chnfsim -a -u -i "John Doe" -n johndoe -d austin.ibm.com

The mapping identity is the descriptive name of the user or group, and the identity mapping is the name@domain NFS owner string. Realm-to-domain mappings are also stored in the LDAP server. To record that the Kerberos realm kerb.austin.ibm.com maps to the NFS domain austin.ibm.com, run the following command:

/usr/sbin/chnfsim -a -r kerb.austin.ibm.com -d austin.ibm.com

To configure NFS to use the mapping data in EIM, the NFS registry daemon must be restarted. The NFS registry daemon checks for the availability of an EIM server at startup. If one is found, all mapping functions go through EIM and local mappings are no longer used.
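
When many users have to be loaded, the user-mapping command shown above can be generated from a list and reviewed before anything is run. The script below is an added example, not IBM code: the colon-separated input format, the function names and the sample records are assumptions, and it only prints commands, rejecting any record whose fields contain characters outside a conservative set.

```shell
#!/bin/sh
# Added example (not IBM code): build chnfsim user-mapping commands from a
# "Mapping Identity:username:domain" list. Commands are printed for review,
# never executed. The input format and function names are assumptions.

# Constructed sample records; the third is deliberately malformed.
SAMPLE_USERS='John Doe:johndoe:austin.ibm.com
Jane Roe:janeroe:austin.ibm.com
Bad Entry:bad;user:austin.ibm.com'

# True if $1 is non-empty and made up only of characters in the tr set $2.
only_chars() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d "$2")" ]
}

# Read records on stdin, print one chnfsim command per valid record.
# Rejected records go to stderr; returns 1 if any record was rejected.
gen_user_mappings() {
    failed=0
    while IFS=: read -r ident name domain extra; do
        [ -z "$ident$name$domain$extra" ] && continue   # skip blank lines
        if [ -z "$extra" ] &&
           only_chars "$ident"  'A-Za-z0-9 ._-' &&
           only_chars "$name"   'A-Za-z0-9._-' &&
           only_chars "$domain" 'A-Za-z0-9.-'; then
            # Same form as the page's example: -i mapping identity, -n name, -d domain
            printf '/usr/sbin/chnfsim -a -u -i "%s" -n %s -d %s\n' \
                "$ident" "$name" "$domain"
        else
            echo "rejected: $ident:$name:$domain" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Dry run over the constructed sample.
printf '%s\n' "$SAMPLE_USERS" | gen_user_mappings ||
    echo "some records were rejected; fix them before running any command" >&2
```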

For information on EIM, see Enterprise identity mapping in the Security.