Lookup operation examples: Example 3
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from a default registry policy association.
In Figure 13, an administrator wants to map all desktop workstation users in a Windows Active Directory registry to a single IBM® i user profile named general_user in an IBM i registry that he named System_A in Enterprise Identity Mapping (EIM). Kerberos is the authentication method that Windows uses, and the name of the Windows Active Directory registry as the administrator defined it in EIM is Desktops. One of the user identities that the administrator wants to map from is a Kerberos principal named sajones.
The administrator creates a default registry policy association with the following information:
- A source registry of Desktops.
- A target registry of System_A.
- A target user identity of general_user.
Figure 13: A lookup operation returns a target user identity from a default registry policy association.
This association maps all users in the Desktops registry, including the sajones principal, to the IBM i user profile named general_user.

|Source user identity and registry|--->|Default registry policy association|--->|Target user identity|
|---|---|---|---|---|
|sajones in the Desktops registry|--->|Default registry policy association|--->|general_user|
The lookup operation search flows in this manner:
- The user sajones logs on and authenticates to her Windows desktop by means of her Kerberos principal in the Desktops registry.
- The user opens a 5250 emulator session in IBM i Access Client Solutions to access data on System A.
- IBM i uses an EIM API to perform an EIM lookup operation with a source user identity of sajones, a source registry of Desktops, and a target registry of System_A.
- The EIM lookup operation checks whether mapping lookups are enabled for the source registry Desktops and target registry System_A. They are.
- The lookup operation checks for a specific identifier source association that matches the supplied source user identity of sajones in a source registry of Desktops. It does not find a matching identifier association.
- The lookup operation checks whether the domain is enabled to use policy associations. It is.
- The lookup operation checks whether the target registry (System_A) is enabled to use policy associations. It is.
- The lookup operation checks whether the source registry (Desktops) is an X.509 registry. It is not.
- The lookup operation checks whether there is a default registry policy association that matches the source registry definition name (Desktops) and the target registry definition name (System_A).
- The lookup operation determines that there is one and returns general_user as the target user identity.
Sometimes an EIM lookup operation returns ambiguous results. This can happen, for example, when more than one target user identity matches the specified lookup operation criteria. Some EIM-enabled applications, including IBM i applications and products, are not designed to handle these ambiguous results and may fail or give unexpected results. You may need to take action to resolve this situation. For example, you may need to either change your EIM configuration or define lookup information for each target user identity to prevent multiple matching target user identities. Also, you can test a mapping to determine whether the changes you make work as expected.
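The search flow listed above and the ambiguous-result case can be traced with a small model. This is an added example, not IBM code and not an EIM API: the class and function names are hypothetical, the X.509 branch is not modeled, and second_user is a constructed value used only to show an ambiguous result.

```python
# Simplified model of the search flow in the steps above (not an IBM API).
from dataclasses import dataclass, field

@dataclass
class Registry:
    lookups_enabled: bool = True
    policies_enabled: bool = True
    is_x509: bool = False

@dataclass
class Domain:
    registries: dict                      # registry definition name -> Registry
    policies_enabled: bool = True         # domain-level policy switch
    # (source registry, source user, target registry) -> target user identities
    identifier_assocs: dict = field(default_factory=dict)
    # (source registry, target registry) -> target user identities
    default_registry_policies: dict = field(default_factory=dict)

def lookup(domain, user, src, tgt):
    """Return (targets, trace). More than one target is an ambiguous result."""
    s, t = domain.registries[src], domain.registries[tgt]
    if not (s.lookups_enabled and t.lookups_enabled):
        return [], ["mapping lookups disabled"]
    trace = ["mapping lookups enabled"]
    found = domain.identifier_assocs.get((src, user, tgt), [])
    if found:
        return list(found), trace + ["identifier association"]
    trace.append("no identifier association")
    if not (domain.policies_enabled and t.policies_enabled):
        return [], trace + ["policy associations disabled"]
    trace.append("policy associations enabled")
    if s.is_x509:  # the page's source registry is not X.509; that branch is not modeled
        raise NotImplementedError("X.509 source registries are outside this example")
    found = domain.default_registry_policies.get((src, tgt), [])
    trace.append("default registry policy" if found else "no matching association")
    return list(found), trace

def example_domain():
    """The configuration from this page: Desktops -> System_A -> general_user."""
    return Domain(
        registries={"Desktops": Registry(), "System_A": Registry()},
        default_registry_policies={("Desktops", "System_A"): ["general_user"]},
    )

if __name__ == "__main__":
    d = example_domain()
    print(lookup(d, "sajones", "Desktops", "System_A"))
    # Constructed misconfiguration: a second target on the same registry pair.
    d.default_registry_policies[("Desktops", "System_A")].append("second_user")
    targets, _ = lookup(d, "sajones", "Desktops", "System_A")
    print("ambiguous" if len(targets) > 1 else "unique", targets)
```

The returned trace records which check produced the result, which is useful when reviewing why every Desktops principal resolves to the same shared profile.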