Chapter 21. Managing User Enrollment

Enhanced Integration for NetWare includes support that allows AS/400 group and user profiles to be enrolled on one or more NDS trees and NetWare 3.12 servers. By enrolling AS/400 users and groups from AS/400, you can easily control their management from a centralized location by specifying where these user and group profiles are to be propagated to NetWare. 

The advantages of this support include: 

  • Central user ID administration 

    You can manage enrollment of AS/400 and PC users on NetWare from a single AS/400. You can add, remove, or change users or groups on selected NDS trees or NetWare 3.12 servers by making changes from AS/400. You can also display information on AS/400 that shows which users are enrolled and on which NDS trees and NetWare 3.12 servers. 

  • Automatic replication of users' password changes 

    If a password for an AS/400 user profile changes, that change automatically propagates to the corresponding user object on all of the NDS trees or NetWare 3.12 servers that you specify. AS/400 propagates password changes that are made on the same AS/400 system on which the user was enrolled on NetWare. This function is especially helpful when managing users who are defined on several NetWare servers. The Text field in an AS/400 profile is also propagated to NetWare automatically. 

  • Automatic creation of NetWare group and user objects 

    You can automatically create NetWare objects by enrolling AS/400 users on NetWare. You enroll users on NetWare from AS/400 by propagating a few login characteristics, such as the user name and password, from an AS/400 profile to NetWare. When you enroll a group, you can also enroll all of its members. The new NetWare group and user objects are created with the same name as their AS/400 profiles. 

  • Automatic creation of NetWare authentication entries 

    When you enroll users on NetWare, AS/400 automatically creates an authentication entry associated with the user's AS/400 profile to allow easy access to NetWare services. AS/400 uses the authentication entry to verify authorization to NetWare when starting a connection to a NetWare server. 

    You can also manually create authentication entries. See Chapter 16. "NetWare Authentication Entries and Connections" for more information. 

Note:
Using these integration functions is not intended to completely replace the requirement to use NetWare administration tools, such as SYSCON and NetWare Administrator (NWADMIN). 

This chapter describes how you can enroll AS/400 and PC users on NetWare and centrally manage users' access to your NetWare network. 


User Enrollment Concepts

This section describes the process of user enrollment and discusses some considerations to keep in mind as you plan for user enrollment and management of NetWare users from AS/400. 

Figure 21-1 shows the steps that occur when you enroll AS/400 users on NetWare: 
 
(1) A connection is started to the NetWare server using the QNETWARE profile. 
(2) Information in AS/400 user and group profiles are propagated to NetWare. 
(3) NetWare objects with the same name as the AS/400 profile are created automatically on the specified servers in the NDS tree and in the Bindery for the NetWare 3.12 servers. 
(4) NetWare authentication entries, corresponding to the AS/400 profiles, are created automatically if the QRETSVRSEC value is set to 1. 

Figure 21-1. Enrolling AS/400 users on NetWare (figure rv3d681 not displayed)


QNETWARE User Profile

The QNETWARE user profile on AS/400 and NetWare enables AS/400 user enrollment. Therefore, a QNETWARE user object must be created in the Bindery for each NetWare 3.12 server and in each NDS tree that you want to manage from AS/400. QNETWARE must also have ADMIN authority or SUPERVISOR authority on NetWare 3.12 servers to be able to create objects and to manage passwords in the network. Although it is not prohibited, you should not use the QNETWARE user object to log in to NetWare from a client workstation. 

The QNETWARE user profile is created automatically on AS/400 when Enhanced Integration for NetWare is installed. The QNETWARE user profile is created in the disabled state because it is not allowed to run AS/400 jobs; QNETWARE's only purpose is to enroll AS/400 users and to propagate AS/400 profile information to NetWare. 

AS/400 logs into each NetWare server using the QNETWARE user profile and communicates with the Enhanced Integration for NetWare NLM, sending the commands necessary to enroll AS/400 users and to update the group and user profile information in the network. 

Figure 21-2. AS/400 logs in to NetWare as QNETWARE to update profile information (figure rv3d677 not displayed)


Network Server User Attributes

The AS/400 network server user attributes store network information for a group or user profile. Many of the administrative commands use some of this information, such as the default server type, default context, and default NDS tree. 

The network server user attributes also contain a list of NDS trees (and associated user information) and a NetWare 3.12 server list that are used by the user enrollment support to enroll the user or group on NetWare. 

Note:
You can set defaults for this same information on a system-wide basis by using the Change Network Server Attribute (CHGNWSA) command. 

You use the CHGNWSUSRA command to specify the network server user attributes and to start enrolling AS/400 users. It is with these attributes that you specify the NDS trees and NetWare 3.12 servers on which you want to enroll AS/400 users. 

Profile Characteristics

On AS/400, a user profile can be used as either a user or a group profile. That means someone can sign on to AS/400 with a group ID and do work on the system as a user. However, in NetWare, only user objects can be used to log in and run applications. Groups are separate object types that are used only to combine and then manage individual user objects as one entity. For example, you can specify file access rights on a group object basis, and the users belonging to those groups inherit those file rights. 

Advantages of Group Profiles

When you enroll AS/400 users, consider using groups rather than individual user profiles. This can greatly reduce the number of profiles you must define to be propagated in your network. For example, if you specify that an AS/400 group profile and all its group members be propagated to a NetWare server, any user profiles belonging to the group are automatically enrolled on NetWare. The group members do not need to be enrolled individually. 

When you use groups, you can also reduce the number of profiles that need to have their NetWare security defined. You can set rights and attributes for a group object, and the group members inherit those rights and attributes. 

You can also use groups to better manage access to your network resources. For example, if you install financial applications and data on a NetWare server, you can grant access to that server only to the FINANCE group and its group members. 

NetWare Object Rights and Attributes

If you plan to usually enroll AS/400 groups and all of their members, you can either: 

  • Create the group objects first on NetWare and then define their security rights. Then you can enroll AS/400 group members, and the NetWare security information is not overwritten. 
  • Have the group objects created on NetWare during user enrollment and then define their security rights. 
With either method, the users that are enrolled into these groups will belong to a NetWare group that already has its security rights set. The user objects inherit the same rights already set for the group object. 

You must set NetWare object security rights and attributes from NetWare by using the SYSCON, NETADMIN, or NWADMIN utilities. 

Whether you enroll AS/400 user profiles individually or as group members, the corresponding NetWare user objects might be added to the NetWare group EVERYONE when they are created. For NetWare 3.12, user objects are always added to the EVERYONE group. For NetWare 4.1, user objects are only added to the EVERYONE group if it already exists in the same container where the user object is being created. Note that all users added to EVERYONE inherit the security rights defined for that group. 

Use of Multiple AS/400 Systems

AS/400 user enrollment from a single AS/400 works independently of any other AS/400 systems. Although you can enroll users on the same NDS tree or NetWare 3.12 server from multiple AS/400 systems, this is not recommended. 

If you want to use more than one AS/400 to enroll AS/400 users, consider having completely separate user profile sets. Otherwise, you could encounter undesirable enrollment situations. 

For example, MARLA is enrolled on NetWare SERVER1 from AS/400 A. MARLA is then enrolled on the same server from AS/400 B with a different password than the one used on AS/400 A. Now MARLA's password on AS/400 A no longer matches the password on SERVER1, and she cannot start connections to SERVER1 automatically from AS/400 A. 


Step 1--Set Up Your NetWare Servers for User Enrollment

You need to set up your NetWare servers for user enrollment by creating QNETWARE user objects on each NDS tree and NetWare 3.12 server on which you want to enroll AS/400 users. Generally, the same password is used for QNETWARE on each server. If the password is not the same, you must create QNETWARE authentication entries, as described in "Step 2--Set Up AS/400 for User Enrollment". 

To set up your NetWare servers for user enrollment:

  1. Create a QNETWARE user object on NDS trees and NetWare 3.12 servers. 

  2. Before you can enroll AS/400 users on NetWare, AS/400 needs to be able to log in to NetWare with a login name of QNETWARE. The QNETWARE user object must have enough authority to create, change, and delete user and group objects. This could include properly positioning QNETWARE in an NDS tree, granting it ADMIN authority, or making it security equivalent to an existing user object that has the necessary authority. 

    Tip:
    Use the NetWare SYSCON, NETADMIN, or NWADMIN utility to create the QNETWARE user object and to define its security. 

  3. Make sure the Enhanced Integration for NetWare NLM is installed and loaded on the NetWare servers. 
    • For NetWare 3.12, the NLM must be running on all servers on which users are to be enrolled. 
    • For NetWare 4.1, the NLM must be running on at least one server in the NDS tree on which users are to be enrolled. The best solution is to run the NLM on all, or most of, the NetWare servers in the tree. 
    Refer to "Step 3--Install the Enhanced Integration for NetWare NLM on the Servers" for installation instructions. 

Step 2--Set Up AS/400 for User Enrollment

When Enhanced Integration for NetWare is installed on AS/400, a default QNETWARE user profile is created with *NONE for a password. You need to change the QNETWARE profile so it can log in to the NDS trees or NetWare 3.12 servers on which AS/400 users are to be enrolled. 

To set up your AS/400 system for user enrollment:

  1. Set the Retain Server Security (QRETSVRSEC) system value to 1 to indicate that security information such as passwords, which are needed to authenticate users' access to NetWare, can be retained on AS/400. 

    To change this value, enter WRKSYSVAL SYSVAL(QRETSVRSEC). When the Work with System Values display appears, use option 2 to change the system value. 

+--------------------------------------------------------------------------------+
|                              Change System Value                               |
|                                                                                |
| System value . . . . . :   QRETSVRSEC                                          |
| Description  . . . . . :   Retain server security data                         |
|                                                                                |
|                                                                                |
| Type choice, press Enter.                                                      |
|                                                                                |
|   Retain server security                                                       |
|     data . . . . . . . .   1              0=Do not retain data                 |
|                                           1=Retain data                        |
+--------------------------------------------------------------------------------+

    Note:
    Even if you set QRETSVRSEC to 0 and passwords cannot be stored, you can still enroll AS/400 users on NetWare. Refer to "Enrolling AS/400 Users when QRETSVRSEC=0" for more information. 

  2. Set the password for QNETWARE on AS/400. 

    If you used the same password for the QNETWARE user objects on most or all of the NetWare 3.12 servers and NDS trees, you should use the same password for QNETWARE on AS/400. 

    To set the password for the QNETWARE profile, enter: 

    CHGUSRPRF USRPRF(QNETWARE) PASSWORD(password)

    Note that you cannot enable the QNETWARE profile; AS/400 intercepts and ignores attempts to change the profile to an enabled state. 

  3. If you want to propagate QNETWARE profile changes, including passwords, to the NDS trees and NetWare 3.12 servers on which you will enroll AS/400 users, you must use the CHGNWSUSRA command. Use this command to specify the NDS trees and NetWare 3.12 servers to which you want profile changes propagated. 

    For example, to propagate QNETWARE profile changes to all the NDS trees and NetWare 3.12 servers defined in the network server attributes, enter: 

    CHGNWSUSRA USRPRF(QNETWARE) PRFTYPE(*USER)
      NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)

    If you do not use network server attributes, you can also use the CHGNWSUSRA command to specify the NDS context, NDS trees, and NetWare 3.12 servers on which you want the QNETWARE profile to be propagated. 

  4. If you want to enroll AS/400 users on any NDS trees or NetWare 3.12 servers to which the QNETWARE profile changes were not propagated in step 3, you must use the ADDNTWAUTE command. Use this command to create authentication entries for the QNETWARE profile on those NDS trees or NetWare 3.12 servers. 

    You also might choose this option if you want to have different passwords for QNETWARE on the various NDS trees or NetWare 3.12 servers. 

    To create an authentication entry for the QNETWARE user object, which has a password of BOSS in NDS tree TREE1 in NDS context MAIN, enter: 

    ADDNTWAUTE SVRTYPE(*NDS) NDSTREE(TREE1) USRPRF(QNETWARE)
      PASSWORD(BOSS) NDSCTX(MAIN)

    To create a NetWare authentication entry for the QNETWARE user object, which has a password of BOSS in SERVER1, enter: 

    ADDNTWAUTE SVRTYPE(*NETWARE3) SERVER(SERVER1) USRPRF(QNETWARE)
      PASSWORD(BOSS)

    See Chapter 16. "NetWare Authentication Entries and Connections" for more information. 


Step 3--Create AS/400 Group and User Profiles

If you do not have AS/400 profiles, or if they do not represent the structure you want in your NetWare network, you need to create AS/400 group and user profiles. 

Note:
If your AS/400 is already set up with group and user profiles that you can propagate to NetWare, go to "Step 4--Enroll AS/400 Users on NetWare"

To create user or group profiles for users on AS/400 that need to access NetWare servers, use the Create User Profile (CRTUSRPRF) command. 

For example, to create a group profile named FINANCE for a group of users that needs to access a NetWare server for a specific financial application, enter: 

  CRTUSRPRF USRPRF(FINANCE)

Note that creating a group profile is the same as creating a user profile. Group profiles on AS/400 are user profiles that have other user profiles associated with them. 

To create a user profile named TOM and add it to the FINANCE group profile, enter: 

  CRTUSRPRF USRPRF(TOM) GRPPRF(FINANCE)

Note:
A user profile must have a primary group before you can specify a supplementary group. NetWare does not distinguish between a primary group and a supplementary group. 

After you create the AS/400 profiles, they are ready to be enrolled on NDS trees and NetWare 3.12 servers. 


Step 4--Enroll AS/400 Users on NetWare

You can automatically create NetWare objects by enrolling AS/400 users on one or more NDS trees and NetWare 3.12 servers. This means that certain AS/400 profile information is automatically propagated to NetWare. For example, the profile name and password are automatically propagated to all the NDS trees and NetWare 3.12 servers you specify. 

If you plan for most of your AS/400 users to be enrolled on the same set of NDS trees and NetWare 3.12 servers, you can define those servers and trees by using the Change Network Server Attributes (CHGNWSA) command. 

To ensure that AS/400 group and user profiles map correctly to NetWare, you must define an AS/400 profile as either a group or a user on a NetWare server or NDS tree. You cannot define an AS/400 profile as both a group and a user in an NDS tree or a NetWare 3.12 server. But you can define an AS/400 profile as a user object in one NDS tree or NetWare 3.12 server and as a group object in a different NDS tree or NetWare 3.12 server. 

You can define any AS/400 profile as either a group or a user object in an NDS tree or NetWare 3.12 server. For example, an AS/400 user profile that has no other profiles referencing it as a group can be defined as a group profile to NetWare. 

You can also define AS/400 group profiles as user objects to NetWare. However, group members in these profiles are not automatically enrolled on NetWare. 

For a description of all the AS/400 profile attributes that are mapped to NetWare group and user objects, refer to "Mapping AS/400 Profiles to NetWare"

To enroll AS/400 users on NetWare, use the Change Network Server User Attributes (CHGNWSUSRA) command. 

Using the CHGNWSUSRA Command

Use this command to enroll AS/400 users on NetWare by specifying the NDS trees and NetWare 3.12 servers on which the AS/400 users are to be enrolled. You can specify the NDS trees and NetWare 3.12 servers on the CHGNWSUSRA command as: 

To enroll AS/400 users on NetWare:

  1. Enter CHGNWSUSRA and press F4 to see the Change NWS User Attributes (CHGNWSUSRA) display shown in Figure 21-3. 

Figure 21-3. Change NWS User Attributes (CHGNWSUSRA) Display

+--------------------------------------------------------------------------------+
|                     Change NWS User Attributes (CHGNWSUSRA)                    |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| User profile . . . . . . . . . .   PUBS          Name, *CURRENT                |
| Profile type . . . . . . . . . . > *GROUP        *USER, *GROUP                 |
| Prompt control . . . . . . . . . > *NETWARE      *ALL, *BASE, *LANSERVER...    |
| Propagate group members  . . . .   *ALL          *SAME, *NONE, *ALL            |
| Default server type  . . . . . .   *NETWARE      *SAME, *NWSA, *BASE...        |
| NDS tree . . . . . . . . . . . .   *NWSA                                       |
| NDS context  . . . . . . . . . .   *NWSA                                       |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                      More...   |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+


    When you enroll group profiles, specify the profile type (PRFTYPE) as *GROUP and propagate group members (PRPGRPMBR) as *ALL if you want all the group members to be enrolled. The default of *NONE specifies that group members are not to be enrolled. 

  2. Press Page Down to specify the NDS tree list and NetWare 3.12 server list shown in Figure 21-4. 

Figure 21-4. Change NWS User Attributes (CHGNWSUSRA) Display, Part 2

+--------------------------------------------------------------------------------+
|                     Change NWS User Attributes (CHGNWSUSRA)                    |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| NDS tree list:                                                                 |
|   NDS tree . . . . . . . . . . .   TREE1                                       |
|   User object context  . . . . .   MAIN                                        |
|                                                                                |
|   Default server . . . . . . . .   IBMSRV1                                     |
|                                                                                |
|   Profile object . . . . . . . .   NWLOGIN                                     |
|                                                                                |
|                + for more values                                               |
| NetWare 3.12 server list . . . .   NTW3SRV1                                    |
|                                                                                |
|                + for more values                                               |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                      Bottom    |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+


  3. Use the following information to fill in the NDS tree list fields: 

    NDS tree
      The NDS tree in which the AS/400 group or user is to be enrolled. 

    User object context
      The location in the NDS tree where the NDS group or user object is to be created during enrollment. 

    Default server
      The default server in the NDS tree that is to be used to enroll the AS/400 profiles. 

    Note:
    You can improve performance by specifying a server rather than using the default *ANY. If the specified server is not active when AS/400 attempts to connect to NetWare, AS/400 searches the NDS tree for other active servers. 

    Profile object
      The distinguished name of the default NDS profile object that contains the login script to be used by the NetWare object when logging into the network. 

  4. Use the NetWare 3.12 server list fields to define a default list of NetWare 3.12 servers on which AS/400 will enroll AS/400 users. 

Specifying the Default List of NDS Trees and NetWare 3.12 Servers

If you defined your NetWare servers and NDS trees in the network server attributes, as described in "Step 9--Define Network Server Attributes (Optional)", you can define defaults for the NetWare server and NDS tree with the CHGNWSUSRA command. 

When you specify the NDS tree list (NDSTREELST) parameter as *NWSA, you avoid having to change AS/400 group or user profiles when NetWare servers are added to or removed from your network. Changes to any user or group profiles defined to use the *NWSA value are propagated automatically to new servers whenever new servers are added to the NWSA. 

To see what your NWSA values are, use the Display NWS Attributes (DSPNWSA) command with OPTION(*NETWARE). 

Specifying *NWSA--Examples

The following examples show how to enroll either a group profile or a user profile to the system default list of NetWare servers and NDS trees. 

Group Profile

To enroll the group profile FINANCE and all its group members on the NDS trees and NetWare 3.12 servers defined in the network server attributes (NWSA), enter: 

  CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
    NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)

All the FINANCE group members, including JOHN, who was created in Step 3, are now enrolled on NetWare. Future changes to the FINANCE profile or to any user profiles for members of FINANCE will be propagated to NetWare. 

User Profile

To enroll user profile JOHN on the NDS trees and NetWare 3.12 servers defined in the network server attributes (NWSA), enter: 

  CHGNWSUSRA USRPRF(JOHN) PRFTYPE(*USER)
    NDSTREELST(*NWSA) NTW3SVRLST(*NWSA)

Notes:

  • You cannot specify *NWSA as the NDS tree list if you want to specify additional servers that were not defined in the network server attributes. 

  • If an AS/400 group or user profile needs to be enrolled on servers other than those defined as network server attributes, you must use the CHGNWSUSRA command to specify all the NDS trees and NetWare 3.12 servers for that profile, even if most of them were already defined in the network server attributes. 

  • You might not want to specify *NWSA if your NetWare authorization differs from one NDS context to another and you want to enroll AS/400 users in the context that matches the desired authorization. 

Specifying an NDS Tree List

Figure 21-5. Specifying an NDS Tree List

+--------------------------------------------------------------------------------+
|                    Specify More Values for Parameter NDSTREELST                |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| NDS tree list:                                                                 |
|   NDS tree . . . . . . . . . . . > TREE1                                       |
|   User object context  . . . . .   MAIN                                        |
|                                                                                |
|   Default server . . . . . . . .   IBMSRV1                                     |
|                                                                                |
|   Profile object . . . . . . . .   NWLOGIN                                     |
|                                                                                |
|                                                                                |
|   NDS tree . . . . . . . . . . . > TREE2                                       |
|   User object context  . . . . .   PUBS.ROCH.IBM                               |
|                                                                                |
|   Default server . . . . . . . .   PUBSRV1                                     |
|                                                                                |
|   Profile object . . . . . . . .   NWLOGIN                                     |
|                                                                                |
|                                                                      More...   |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+


Specifying an NDS Tree List--Examples

The following examples show how to enroll either a group profile or a user profile in context O=MAIN in NDS tree XYZ: 

Group Profile

To enroll group profile FINANCE and all of its group members in context O=MAIN in NDS tree XYZ, enter: 

  CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
    NDSTREELST((XYZ 'O=MAIN' PUBSRV1 NWLOGIN))

The FINANCE group object and user objects corresponding to the AS/400 group members are created in the NDS tree. From now on, users added to or removed from AS/400 FINANCE group profile are added or removed from NDS tree XYZ. 

User Profile

To enroll user profile MIKE in context O=MAIN in NDS tree XYZ, enter: 

  CHGNWSUSRA USRPRF(MIKE) PRFTYPE(*USER)
    NDSTREELST((XYZ 'O=MAIN' PUBSRV1 NWLOGIN))

The MIKE user object is created in NDS tree XYZ and will use NWLOGIN as his login script. 

Specifying a NetWare 3.12 Server List

Figure 21-6. Specifying a NetWare 3.12 Server List

+--------------------------------------------------------------------------------+
|                     Change NWS User Attributes (CHGNWSUSRA)                    |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| NDS tree list:                                                                 |
|   NDS tree . . . . . . . . . . .   *NWSA                                       |
|   User object context  . . . . .                                               |
|                                                                                |
|   Default server . . . . . . . .                                               |
|                                                                                |
|   Profile object . . . . . . . .                                               |
|                                                                                |
|                + for more values                                               |
| NetWare 3.12 server list . . . . > NTW3SRV1                                    |
|                                                                                |
|                                  > NTW3SRV2                                    |
|                                                                                |
|                + for more values > NTW3SRV3                                    |
|                                                                                |
|                                                                                |
|                                                                      Bottom    |
| F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display    |
| F24=More keys                                                                  |
|                                                                                |
+--------------------------------------------------------------------------------+


Specifying a NetWare 3.12 Server List--Examples

The following examples show how to enroll either a group profile or a user profile on NetWare 3.12 servers. 

Group Profile

To enroll group profile FINANCE and all its group members on a NetWare 3.12 server named NTW3SRV1, enter: 

  CHGNWSUSRA USRPRF(FINANCE) PRFTYPE(*GROUP) PRPGRPMBR(*ALL)
             NTW3SVRLST(NTW3SRV1)

The FINANCE group object and user objects corresponding to the AS/400 group members are created on NTW3SRV1. From now on, users added to or removed from the AS/400 FINANCE group are added to or removed from this NetWare 3.12 server. 

User Profile

To enroll user profile JOHN on servers NTW3SRV1 and NTW3SRV2, enter: 

  CHGNWSUSRA USRPRF(JOHN) PRFTYPE(*USER)
             NTW3SVRLST(NTW3SRV1 NTW3SRV2)

The JOHN user object is created on the NTW3SRV1 and NTW3SRV2 servers. 

Propagating Profile Changes to NetWare

After you use the CHGNWSUSRA command to enroll AS/400 users on NetWare, AS/400 profile changes are automatically propagated to NetWare. Only those AS/400 profiles that you defined to be enrolled, by using the CHGNWSUSRA command, are affected when you: 

  • Use the CHGNWSA command to change network server attributes if *NWSA was specified for the NDSTREELST or NTW3SVRLST parameters on the CHGNWSUSRA command. 
  • Use the CHGNWSUSRA command to change the NDSTREELST or NTW3SVRLST parameters for an AS/400 profile or to change the PRPGRPMBR parameter for an AS/400 group profile. 
  • Use the CHGPWD command to change the password of a user profile. 
  • Use the CHGUSRPRF command to: 
    • Change the password of an AS/400 user profile 
    • Change the text (description) of an AS/400 group or user profile 
    • Add an AS/400 user profile to an AS/400 group that is being enrolled 
    • Remove an AS/400 user profile from an AS/400 group that is being enrolled 

    Attention:
    If a user profile was enrolled only as a group member with the PRPGRPMBR(*ALL) parameter and does not belong to any other groups that were enrolled, and you remove that user profile from the group, the NetWare user object with the same name is deleted on all NDS trees and NetWare 3.12 servers specified with the CHGNWSUSRA command. 

  • Use the CRTUSRPRF command to add an AS/400 user profile to an AS/400 group that was enrolled. 
  • Use the DLTUSRPRF command to delete an AS/400 profile. 
  • Sign on to AS/400 if passwords are not stored on AS/400 and you used one of the preceding commands. In this case, propagation is delayed until you sign on so that AS/400 can obtain the password. 

Note:
You can stop propagating group and user profile changes by using the CHGNWSUSRA command and specifying *NONE for the NDSTREELST and NTW3SVRLST parameters. 

Propagation Restrictions

You cannot enroll the following AS/400 profiles on NetWare and, thus, you also cannot propagate changes for these profiles to NetWare: 

  • QAUTPRF
  • QDFTOWN
  • QDOC
  • QDSNX
  • QFNC
  • QGATE
  • QLPAUTO
  • QLPINSTALL
  • QMSF
  • QNETSPLF
  • QNFSANON
  • QPRJOWN
  • QRJE
  • QSNADS
  • QSPL
  • QSPLJOB
  • QSRV
  • QSRVBAS
  • QSVSM
  • QSYS
  • QTCP
  • QTMPLPD
  • QTSTRQS
  • QUMB
  • QFSNOTES

Enrolling AS/400 Users when QRETSVRSEC=0

When the Retain Server Security (QRETSVRSEC) system value is set to 0, AS/400 cannot store passwords with authentication entries. Therefore, enrollment for group and user profiles is delayed until AS/400 can access the profile's password. This occurs when one of the following happens: 

  • The user signs on to AS/400 
  • The password is changed using either the CHGUSRPRF or the CHGPWD command 

To enroll AS/400 users when QRETSVRSEC=0:

  1. Make sure that QNETWARE has a NetWare authentication entry for each NDS tree and NetWare 3.12 server on which you want to enroll AS/400 users. 
  2. Use the CHGNWSUSRA command to define the NDS trees and NetWare 3.12 servers on which to enroll the AS/400 profile. 
  3. Enrollment is delayed until AS/400 temporarily accesses the profile's password. 
  4. To start enrollment, do one of the following: 
    • Have the AS/400 user sign on to AS/400. 
    • Have an AS/400 user with *SECADM authority set the profile's password using the CHGUSRPRF command. 
    • Have the AS/400 user change the profile's password using the CHGPWD command. 

    The AS/400 profile attributes are propagated to NetWare. If a NetWare object with this name does not exist, one is created with the same name as the AS/400 profile. If a NetWare object with this name does exist, it is updated with the AS/400 profile changes. An authentication entry is not created. 

Mapping AS/400 Profiles to NetWare

When AS/400 group and user profiles are enrolled on NetWare servers, only information in the AS/400 profiles that is applicable to NetWare is sent to the servers. 

Note:
The profile information that is specified for the following AS/400 attributes overwrites the corresponding NetWare attributes. If NetWare users change these attributes, they can be overwritten whenever AS/400 profile changes are propagated. 

You can add additional NetWare group and user attributes, such as user properties for a telephone number, fax number, and last name, from the NetWare NWADMIN utility. 

AS/400 Group Profiles

When an AS/400 group profile is enrolled as a group object in NetWare, the following AS/400 attributes are propagated: 
 
Profile name
  The name of the AS/400 group profile, which corresponds to the name of the group object in NetWare. 

Text
  The text description field on an AS/400 group profile, which corresponds to a text description of the group object in NetWare. You can define this with the TEXT parameter using either the CRTUSRPRF or CHGUSRPRF command. 

NDS context
  The context of the NDS tree (specified with the CHGNWSA or CHGNWSUSRA command) in which the AS/400 group profile is to be placed as a NetWare group object. You can define this with the NDSTREELST parameter using either the CHGNWSA or CHGNWSUSRA command. 

AS/400 User Profiles

When an AS/400 user profile is enrolled as a user object in NetWare, the following AS/400 attributes can be propagated: 
 
Profile name
  The name of the user object in NetWare, which corresponds to the AS/400 profile name. 

Text
  The text description field on an AS/400 user profile, which corresponds to a text description of the user object in NetWare. You can define this with the TEXT parameter using either the CRTUSRPRF or CHGUSRPRF command. 

NDS context
  The context of the NDS tree (specified with the CHGNWSA or CHGNWSUSRA command) in which the user profile is to be placed as a NetWare user object. You can define this with the NDSTREELST parameter using either the CHGNWSA or CHGNWSUSRA command. 

  Notes:
    • If you enroll an AS/400 group and all its members, the context for each member is the same as the group context. 
    • If you enroll a user as a member of multiple groups, and more than one of those groups is enrolled in an NDS tree, the context of the user object is the same as the first group it was enrolled into: 
      • If you enroll the main group that a user belongs to, the NDS context of the user object is the same as this group. 
      • If you do not enroll the main group that a user belongs to, but you do enroll one or more of the supplementary groups it belongs to, the NDS context of the user object is the same as the first supplementary group it was enrolled into. 

Password
  The AS/400 password is used to set the user password on the NetWare servers. This corresponds to the PASSWORD parameter on either the CRTUSRPRF or CHGUSRPRF command. 

Account disabled
  The STATUS parameter on the CRTUSRPRF or CHGUSRPRF command is used to indicate whether the user can log in to the NetWare server or NDS tree. 

Password required
  If the AS/400 system value QSECURITY is 10, the NetWare user objects that are created do not require a password to sign on to the server. All other QSECURITY levels require that a user object log in with a password. 

Unique password
  If the system value QPWDRQDDIF is 0 (meaning the new password does not have to be unique when it is changed), user objects do not require unique passwords when passwords are changed. Any other value for QPWDRQDDIF forces the user to choose a unique password when passwords are changed. 

Login grace limit
  User objects are allowed 6 more logins after a password has expired. This is the default. 

Profile login script
  The name of a login script that is run for a profile when the user logs in to the NetWare server or NDS tree. You can define this with the profile object entry of the NDSTREELST parameter using either the CHGNWSA or CHGNWSUSRA command. 

Password expiration interval
  The number of days a user object's password is valid. This corresponds to the password expiration interval (PWDEXPITV parameter) on the CRTUSRPRF or CHGUSRPRF command. If this value indicates that the system value QPWDEXPITV should be used, the system value is used to set the expiration interval. 

Password expiration date
  The date when the user profile password expires on AS/400. If the current date is past the expiration date on AS/400, the password is set to expired on the server. 

Login expiration date
  This date matches the password expiration date because AS/400 does not have an equivalent field. 
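The attribute mapping above and the NDS context rules under Notes, worked through in Python as an added illustration (this is not code from this publication or from AS/400; the group contexts, the user's field values, the pwdexpdate field, and the assumption that SUPGRPPRF order is the order of enrollment are all constructed):

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

@dataclass
class As400User:
    name: str                          # USRPRF
    text: str                          # TEXT
    password: str                      # PASSWORD
    status: str = "*ENABLED"           # STATUS: *ENABLED or *DISABLED
    pwdexpitv: str = "*SYSVAL"         # PWDEXPITV: *SYSVAL, *NOMAX or days
    pwdexpdate: Optional[date] = None  # date the AS/400 password expires (constructed field)
    grpprf: Optional[str] = None       # main group (GRPPRF)
    supgrpprf: List[str] = field(default_factory=list)  # SUPGRPPRF, in order

@dataclass
class SystemValues:
    qsecurity: int = 40         # QSECURITY level; only 10 waives passwords
    qpwdrqddif: int = 0         # QPWDRQDDIF: 0 = new password need not differ
    qpwdexpitv: str = "*NOMAX"  # QPWDEXPITV: *NOMAX or days

def resolve_nds_context(user: As400User, enrolled: Dict[str, str]) -> Optional[str]:
    """NDS context a user object inherits; enrolled maps group name -> context.
    The main group wins, else the first enrolled supplementary group (taking
    SUPGRPPRF order as enrollment order, an assumption); None if no group applies."""
    if user.grpprf in enrolled:
        return enrolled[user.grpprf]
    for grp in user.supgrpprf:
        if grp in enrolled:
            return enrolled[grp]
    return None

def expiration_interval(user: As400User, sv: SystemValues) -> Optional[int]:
    # *SYSVAL defers to QPWDEXPITV; *NOMAX (from either) means no expiration
    itv = sv.qpwdexpitv if user.pwdexpitv == "*SYSVAL" else user.pwdexpitv
    return None if itv == "*NOMAX" else int(itv)

def map_user(user: As400User, sv: SystemValues, enrolled: Dict[str, str],
             today: date, login_script: Optional[str] = None) -> dict:
    """Build the NetWare user-object attributes that AS/400 propagates."""
    expired = user.pwdexpdate is not None and today > user.pwdexpdate
    return {
        "login_name": user.name,
        "text": user.text,
        "password": user.password,
        "nds_context": resolve_nds_context(user, enrolled),
        "account_disabled": user.status == "*DISABLED",
        "password_required": sv.qsecurity != 10,
        "unique_password": sv.qpwdrqddif != 0,
        "login_grace_limit": 6,                # fixed default stated in the chapter
        "profile_login_script": login_script,  # profile object from NDSTREELST
        "password_expiration_days": expiration_interval(user, sv),
        "password_expired": expired,
        "login_expiration_date": user.pwdexpdate,  # mirrors the password date
    }

# Constructed sample: JOHN's main group FINANCE and supplementary group PUBS
# are both enrolled, so the FINANCE context must win. Contexts are made up.
SAMPLE_GROUPS = {"FINANCE": "OU=FIN.O=ACME", "PUBS": "OU=PUBS.O=ACME"}
SAMPLE_USER = As400User("JOHN", "John Q", "s3cret", status="*DISABLED",
                        pwdexpdate=date(2000, 1, 1), grpprf="FINANCE", supgrpprf=["PUBS"])

def sample_mapping() -> dict:
    # mapping for SAMPLE_USER on 2000-01-02 with a 90-day QPWDEXPITV
    return map_user(SAMPLE_USER, SystemValues(qpwdexpitv="90"), SAMPLE_GROUPS, date(2000, 1, 2))
```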


Checking AS/400 User Enrollment Status

After you enroll AS/400 group and user profiles on NetWare, you can use the Work with NWS User Enrollment (WRKNWSENR) command to determine their status. 

You can obtain enrollment status by user profile, profile type, and server type. Enter WRKNWSENR PRFTYPE(*GROUP) to display the objects by GROUP instead of the default, which is by USER. This is the only way to display enrollment status for groups that have no users. 

  1. Enter WRKNWSENR. The WRKNWSENR display appears (Figure 21-7). 

     Figure 21-7. WRKNWSENR Display


+--------------------------------------------------------------------------------+
|                    Work with NWS User Enrollment (WRKNWSENR)                   |
|                                                                                |
| Type choices, press Enter.                                                     |
|                                                                                |
| User profile . . . . . . . . . .   *ALL          Name, generic*, *ALL          |
| Profile type . . . . . . . . . .   *GROUP        *USER, *GROUP                 |
| Server type  . . . . . . . . . .   *NETWARE      *NWSUSRA, *NWSA, *NETWARE     |
| NDS tree . . . . . . . . . . . .   *ALL                                        |
| Server . . . . . . . . . . . . .   *ALL                                        |
|                                                                                |
|                                                                                |
+--------------------------------------------------------------------------------+


     Note:
     If you specify *NWSA for the NDS tree and Server parameters, AS/400 displays those groups and users that are being enrolled into the NDS trees and NetWare 3.12 servers defined in the network server attributes. 

  2. Press Enter to view all the NetWare servers and NDS trees on which groups are to be enrolled. 

  3. The Work with NWS User Enrollment display in Figure 21-8 shows a list of NetWare servers and NDS trees and the current enrollment status of each group that has been enrolled or that is being enrolled. 

    Figure 21-8. Enrollment Status of All Groups Being Enrolled
     
     

+--------------------------------------------------------------------------------+
|                         Work with NWS User Enrollment                          |
|                                                             System:   SYSAS400 |
| Type options, press Enter.                                                     |
|   2=Change user profile   5=Display user profile   6=Retry entry               |
|   14=Change network user attributes   15=Display network user attributes       |
|   16=Display error details                                                     |
|                                                                                |
|      Tree/Server                   Enrollment  Error                           |
| Opt    Profile           Type      status      code    Text                    |
|      IBM_TREE1           *NDSTREE                                              |
|        GROUP1            *GROUP    *CURRENT            Scott and Marla         |
|        PUBS              *GROUP    *CURRENT            Edith and Merry         |
|      RCHHJA50            *NTW3SVR                                              |
|        FELLOWSHIP        *GROUP    *CURRENT            Dennis and Lee          |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                                |
|                                                                      Bottom    |
| Parameters or command                                                          |
| ===>                                                                           |
| F3=Exit   F4=Prompt   F5=Refresh   F6=Print list   F9=Retrieve                 |
| F10=Display users     F12=Cancel   F17=Position to                             |
|                                                                                |
+--------------------------------------------------------------------------------+


    The Work with NWS User Enrollment display shows: 
    • A list of active NDS trees and NetWare 3.12 servers 
    • The enrollment status of the AS/400 group or user profile on each NDS tree and NetWare 3.12 server 
    • When you press F10, a list of all the members in each group that are also being enrolled. Pressing F10 again toggles you back to the list of groups. 
    • Enrollment status values for the specified profile from an AS/400 perspective. Press F1 and then F2 to view an explanation of the status values that might appear. 

      Tip:
      If the enrolled user is no longer available on NetWare, use option 6 to retry the enrollment request even if the status is *CURRENT and there are no error codes. 

    • Error codes if problems have occurred. If error codes appear, use option 16 to view error details. See "User Enrollment Problems" for more information. 

User Enrollment Status Values

The following list describes the various status values that might appear on the Work with NWS User Enrollment display: 
 
*CURRENT
  AS/400 has enrolled the profile on NetWare and no more work is pending for the profile. 

*UPDPND
  A create or change has been specified for a profile, and the operation is in progress. If you have several profiles to be updated at once, such as when first enrolling a group and its members, there could be many profiles in this status at one time. 

  For a NetWare 3.12 server, only one profile operation at a time is in progress. Other profile changes are queued and are processed in turn as the updates proceed. 

  For an NDS tree with multiple servers, you can direct profile update operations to specific servers when you use the CHGNWSUSRA or CHGNWSA command. If that server is down, AS/400 attempts other available servers. 

*DLTPND
  A delete operation has been specified for a profile, and the operation is in progress. This can occur if you have deleted a profile on AS/400 or have changed the enrollment request so that the profile is no longer to be enrolled on an NDS tree or NetWare 3.12 server. 

*UPDRCYPND
  An update operation was attempted but did not complete successfully. Because the status indicates recovery pending, the operation will be retried. The timing and number of retry attempts vary with the type of error. If the error was that a communications session could not be established with a server, the retry occurs every 15 minutes for a period of about an hour. If no communications session has been established in that time frame, no further attempts are made without manual operator action. If the error was due to a NetWare error, the operation is tried again 3 times before it becomes a permanent failure. 

*DLTRCYPND
  A delete operation was attempted but did not complete successfully. Because the status indicates recovery pending, the operation will be retried. 

*UPDFAIL
  A scheduled profile update failed, and all recovery attempts have ended. See "User Enrollment Problems" for more information. 

*DLTFAIL
  A scheduled profile delete failed, and all recovery attempts have ended. See "User Enrollment Error Codes" for more information. 
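For an operator who captures the Work with NWS User Enrollment display text (Figure 21-8) rather than reading it interactively, the following added Python illustration (not code from this publication or from AS/400) parses the display rows into records and flags, by the status values listed above, the entries that still need attention. The sample rows, the non-*CURRENT statuses in them, and the error code 9999 are constructed; 9999 is not a real error code.

```python
from dataclasses import dataclass
from typing import List, Tuple

CONTAINER_TYPES = ("*NDSTREE", "*NTW3SVR")  # NDS tree or NetWare 3.12 server rows
PROFILE_TYPES = ("*GROUP", "*USER")

@dataclass
class Entry:
    container: str        # NDS tree or NetWare 3.12 server name
    container_type: str   # *NDSTREE or *NTW3SVR
    profile: str          # AS/400 profile name
    profile_type: str     # *GROUP or *USER
    status: str           # enrollment status value
    error_code: str       # empty when no error is shown
    text: str             # profile text description

def column_slices(header: str) -> List[slice]:
    """Fix column boundaries from the heading row (Opt, Profile, Type, status, code, Text)."""
    starts = [header.index(h) for h in ("Type", "status", "code", "Text")]
    name = slice(header.index("Opt") + 3, starts[0])  # tree names sit left of "Profile"
    return [name] + [slice(s, e) for s, e in zip(starts, starts[1:] + [None])]

def parse_display(lines: List[str]) -> List[Entry]:
    """Turn captured WRKNWSENR display rows into Entry records."""
    entries, cols, container = [], None, None
    for line in lines:
        if cols is None:
            if "Profile" in line and "status" in line:
                cols = column_slices(line)
            continue                      # nothing above the heading row is data
        name, kind = line[cols[0]].strip(), line[cols[1]].strip()
        if kind in CONTAINER_TYPES:       # tree/server row: the profiles below belong to it
            container = (name, kind)
        elif kind in PROFILE_TYPES and container:
            entries.append(Entry(container[0], container[1], name, kind,
                                 line[cols[2]].strip(), line[cols[3]].strip(),
                                 line[cols[4]].strip(" |")))
    return entries                        # borders and function-key rows match neither

# Follow-up the chapter prescribes for statuses other than done (*CURRENT)
# or in progress (*UPDPND).
ADVICE = {
    "*UPDRCYPND": "update is being retried by AS/400; operator action needed if it becomes *UPDFAIL",
    "*DLTRCYPND": "delete is being retried by AS/400; operator action needed if it becomes *DLTFAIL",
    "*UPDFAIL": "recovery exhausted: use option 16 to display error details",
    "*DLTFAIL": "recovery exhausted: use option 16 to display error details",
    "*DLTPND": "delete in progress; if the server is unreachable, option 4 removes "
               "the entry and the NetWare object must then be deleted by hand",
}

def needs_attention(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Entries an operator should look at, each paired with the chapter's advice."""
    return [(e, ADVICE.get(e.status, "error code set: use option 16 to display error details"))
            for e in entries if e.status in ADVICE or e.error_code]

# Constructed sample modelled on Figure 21-8; the non-*CURRENT statuses and the
# error code 9999 are made up to exercise the parser (9999 is not a real code).
SAMPLE_DISPLAY = [
    "+--------------------------------------------------------------------------------+",
    "| Opt    Profile           Type      status      code    Text                    |",
    "|      IBM_TREE1           *NDSTREE                                              |",
    "|        GROUP1            *GROUP    *CURRENT            Scott and Marla         |",
    "|        PUBS              *GROUP    *UPDRCYPND          Edith and Merry         |",
    "|      RCHHJA50            *NTW3SVR                                              |",
    "|        FELLOWSHIP        *GROUP    *UPDFAIL    9999    Dennis and Lee          |",
    "|        OLDGRP            *GROUP    *DLTPND             Retired team            |",
]
```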


Ending User Enrollment

You can end user enrollment on one or more NDS trees or NetWare servers for an AS/400 profile that was enrolled on NetWare whenever you: 

  • Use the CHGNWSA command to remove NDS trees or NetWare 3.12 servers in the network server attributes if *NWSA was specified on the CHGNWSUSRA command for the AS/400 profile. 
    AS/400 will attempt to remove the NetWare object with the same name as the AS/400 profile from the NDS trees or NetWare servers that were removed. 

  • Use the CHGNWSUSRA command to remove an NDS tree or NetWare 3.12 server for an AS/400 profile. 
    AS/400 will attempt to remove the NetWare object with the same name as the AS/400 profile from the NDS trees or NetWare servers that were removed. 

  • Use the CHGNWSUSRA command to change the PRPGRPMBR parameter from *ALL to *NONE for an AS/400 group profile. 
    If an AS/400 user profile was enrolled only as a member of this group, AS/400 will attempt to remove the NetWare object with the same name as the AS/400 profile from the NDS trees and NetWare 3.12 servers on which the group was enrolled. 

  • Use the CHGNWSUSRA command to change the NDSTREELST or NTW3SVRLST parameters to *NONE for an AS/400 profile. 
    AS/400 will attempt to remove the NetWare object with the same name as the AS/400 profile from the NDS trees and NetWare servers on which it was enrolled. 

  • Use the CHGUSRPRF command to remove an AS/400 user profile from an AS/400 group that was enrolled. 
    If a user profile was enrolled only as part of a group with the PRPGRPMBR(*ALL) parameter and does not belong to any other groups that were enrolled, and you remove that user profile from the group, AS/400 will attempt to remove the NetWare user object with the same name on all NDS trees and NetWare 3.12 servers on which the group was enrolled. 

  • Use the DLTUSRPRF command to delete an AS/400 profile. 

Note:
If you use one of the preceding commands to remove an AS/400 profile from a NetWare server that AS/400 can no longer access, AS/400 cannot complete the request. In this case, the Work with NWS User Enrollment display will show the status of the AS/400 profile as *DLTPND, *DLTRCYPND, or *DLTFAIL. These status codes are described in "User Enrollment Status Values". 

If one of these status values appears, you can remove the entry from the display by using option 4. Once the remove request completes and the CPCA40F message "Remove request submitted successfully" appears, the entry is processed as though the delete request had completed successfully on the NetWare server. 

If you use option 4 to remove the entry, you must delete the NetWare object from the NDS tree or NetWare 3.12 Bindery by using the NetWare NETADMIN, NWADMIN, or SYSCON utility. 


User Enrollment and Authentication Commands

Table 21-1. User Enrollment Commands

Command       Enter this AS/400 command to... 
ADDNTWAUTE    Add a NetWare authentication entry to an AS/400 profile that contains the NetWare user name and password used to connect to a NetWare server. 
CHGNWSA       Define the NDS context and a default set of NetWare servers and NDS trees on which AS/400 users can be enrolled. 
CHGNWSUSRA    Enroll AS/400 group and user profiles on NetWare. If you specify NDSTREELST(*NONE) and NTW3SVRLST(*NONE), the profile is not enrolled on NetWare. 
CHGPWD        Change the password of an AS/400 user profile. If the user profile was enrolled on NetWare, the password of the NetWare user object with the same name is also changed. 
CHGUSRPRF     Change attributes such as the description of an AS/400 group or user profile. If the AS/400 profile was enrolled on NetWare, the attributes of the NetWare group or user object with the same name are also changed. 
CRTUSRPRF     Create an AS/400 user profile that can be enrolled on NetWare. 
DLTUSRPRF     Delete a NetWare group or user object if the AS/400 profile with the same name was enrolled on NetWare. 
WRKNTWAUTE    Create, change, display, or remove a NetWare authentication entry. 
WRKNWSENR     Check the status of AS/400 profiles being enrolled on NetWare. You can also change or display AS/400 profiles, change or display network user attributes, try the enrollment request again, remove entries for enrollment requests in a delete state, or display error details for AS/400 profiles being enrolled on NetWare. 

