There are a number of common problems that may cause Enterprise
Identity Mapping (EIM) mappings to fail entirely or not to work as
expected. Review the following table to find information about what
problem may be causing an EIM mapping to fail and potential solutions
for that problem. If EIM mappings are failing, you may need to work
through each solution in the table to ensure that you find and solve
the problem or problems which are causing the mappings to fail.
Table 1. Common EIM mapping problems and solutions
Possible problem | Possible solutions |
Connection information for the domain controller
may not be correct or the domain controller may not be active. |
Review Domain controller connection problems to learn how to verify
connection information for the domain controller and how to verify
that the domain controller is active. |
EIM mapping lookup operations performed on behalf
of the system are failing. This may be happening because the EIM configuration
is incorrect on the system or systems. |
Verify your EIM configuration. From IBM® Navigator
for i, expand .
Click Configuration. Right-click the domain
controller in which you want to work and select Properties and
verify the following:
- Domain page:
  - The domain controller name and port numbers are correct.
  - Click Verify Configuration to verify that
    the domain controller is active.
  - The local registry name is specified correctly.
  - The Kerberos registry name is specified correctly.
  - Verify that Enable EIM operations for this system is
    selected.
- System user page:
  - The specified user has sufficient EIM access control to perform
    a mapping lookup, and the password is valid for the user. Review the
    online help to learn more about the different types of user credentials.
    Note: If you have changed the password for the specified system user
    in the directory server, you must change the password here as well.
    If these passwords do not match, then the system user cannot perform
    EIM functions for the operating system and mapping lookup operations
    fail.
  - Click Verify Connection to confirm that
    the user information specified is correct.
|
A mapping lookup operation may be returning
multiple target user identities. This can occur when one or more of
the following situations exist:
- An EIM identifier has multiple individual target associations
to the same target registry.
- More than one EIM identifier has the same user identity specified
in a source association and each of these EIM identifiers has a target
association to the same target registry, although the user identity
specified for each target association may be different.
- More than one default domain policy association specifies the
same target registry.
- More than one default registry policy association specifies the
same source registry and the same target registry.
- More than one certificate filter policy association specifies
the same source X.509 registry, certificate filter, and target registry.
|
Use the Test EIM Mapping function
to verify that a specific source user identity maps correctly to the
appropriate target user identity. How you correct the problem depends
on what results you get from the test, as follows:
- The test returns unwanted multiple target identities for one of
  the following reasons:
  - This might indicate that association configuration for the domain
    is not correct, due to one of the following:
    - A target or source association for an EIM identifier is not configured
      correctly. For example, there is no source association for the Kerberos
      principal (or Windows user) or it is incorrect. Or, the target association
      specifies an incorrect user identity. Display all identifier associations
      for an EIM identifier to verify associations for a specific
      identifier.
    - A policy association is not configured correctly. Display
      all policy associations for a domain to verify source and target
      information for all policy associations defined in the domain.
  - This might indicate that group registry definitions that contain
    common members are the source or target registries for EIM identifier
    associations or policy associations. Use the details provided by the
    test mapping lookup operation to determine whether the source or target
    registries are group registry definitions. If they are, check the
    group registry definition properties to determine whether the group
    registry definitions contain common members.
- The test returns multiple target identities and these results
are appropriate for the way you configured associations. If this is
the situation, then you need to specify lookup information for
each target user identity to ensure that a lookup operation returns
a single target user identity rather than all possible target user
identities. Review Add lookup information
to a target user identity.
Note: This approach only works if the application is enabled to use
the lookup information. However, base IBM i applications such as
IBM i Access Client Solutions cannot use lookup information to
distinguish among multiple target user identities returned by a lookup
operation. Consequently, you might consider redefining associations
for the domain so that a mapping lookup operation returns a single
target user identity and base IBM i applications can successfully
perform lookup operations and map identities.
|
EIM lookup operations return no results and
associations are configured for the domain. |
Use the Test EIM Mapping function
to verify that a specific source user identity maps correctly to the
appropriate target user identity. Verify that you supplied the correct
information for the test. If the information is correct and the test
returns no results, then the problem may be caused by one of the following:
- Association configuration is incorrect. Verify your association
configuration by using the problem resolution information provided
in the previous entry.
- Policy association support is not enabled at the domain level.
You may need to enable
policy associations for a domain.
- Mapping lookup support or policy association support is not enabled
at the individual registry level. You may need to enable mapping lookup support
and the use of policy associations for the target registry.
- The registry definition and user identities do not match because
of case sensitivity. You can delete and recreate the registry, or
delete and recreate the association with the proper case.
|