To confirm a successful module mapping for users, ensure that a Verify Identity Access policy is set for a protected
resource to refuse unauthenticated users and allow authenticated ones.
Before you begin
Before accessing this resource in a browser, ensure that the client certificate is imported
into the browser. See your browser's help for instructions on how to import a certificate.
Procedure
- When you attempt to access a protected resource, the browser prompts you to select a
client certificate. Select the client certificate that you just imported into the
browser.
- The result of the XSLT transformation dictates whether the mapping module must perform a
user registry search or not. The mapping module conducts a user registry search if the result is in
the following form:
!userreg base='baseDN' attr='attrName' ! ldapSearchFilter!
Otherwise, the mapping module does not conduct a user registry search. The result of the search
is a Verify Identity Access user ID or a DN of a user.
If the mapping is successful and a search was performed in the user registry, the following
message displays in the WebSEAL log. The WebSEAL log is typically at
/var/pdweb/log/msg_webseal-instance.log on UNIX™ machines. It is at C:\Program
Files\Tivoli\PDWeb\log\msg_webseal-instance.log on Windows™ machines:
2012-06-07-16:37:11.113+10:00I----- thread(2)
trace.pd.cas.certmap:5
/sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn/AMWCertLDAPUserRegistry.cpp:146: ISAM
user identity: testuser
If no search was performed in the registry, only a message similar to the following is
displayed:
2012-06-07-18:34:29.200+10:00I----- thread(2) trace.pd.cas.certmap:3
/sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn/AMWCertRulesEngine.cpp:219: result:
CN=testuser,O=IBM,C=AU
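The following Python sketch is an added example, not part of the product or its documentation. It rejoins wrapped entries from the WebSEAL log and reports, for each trace.pd.cas.certmap message, whether a registry search produced the user ID or the rules engine returned a value directly. The function names and event labels are assumptions, as is treating a "result:" value in the !userreg form as a request for a registry search.

```python
import re

# A certmap trace entry, as in the page's samples: timestamp, severity
# marker, thread id, trace component:level, source file:line, message.
ENTRY = re.compile(
    r"^\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d\.\d{3}[+-]\d\d:\d\d\S*\s+thread\(\d+\)\s+"
    r"trace\.pd\.cas\.certmap:\d+\s+\S+:\d+:\s*(?P<msg>.*)$")
STARTS = re.compile(r"^\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d\.\d{3}")
# Search-request form from the page; greedy filter keeps an inner '!' (LDAP NOT).
USERREG = re.compile(r"^!userreg\s+base='(?P<base>[^']*)'\s+attr='(?P<attr>[^']*)'"
                     r"\s*!\s*(?P<filter>.+)!$")

def parse_userreg(result):
    """Return base/attr/filter if the XSLT result requests a search, else None."""
    m = USERREG.match(result.strip())
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def certmap_events(log_text):
    """Rejoin wrapped entries, then classify each certmap trace message."""
    entries = []
    for line in log_text.splitlines():
        if STARTS.match(line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    events = []
    for m in filter(None, map(ENTRY.match, entries)):  # skip other components
        msg = m.group("msg")
        if msg.startswith("ISAM user identity:"):
            events.append(("registry_search", msg.split(":", 1)[1].strip()))
        elif msg.startswith("result:"):
            value = msg.split(":", 1)[1].strip()
            kind = "search_requested" if parse_userreg(value) else "direct_mapping"
            events.append((kind, value))
    return events

# The two entries shown on this page, wrapped as they appear there.
SAMPLE = """\
2012-06-07-16:37:11.113+10:00I----- thread(2)
trace.pd.cas.certmap:5
/sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn/AMWCertLDAPUserRegistry.cpp:146: ISAM
user identity: testuser
2012-06-07-18:34:29.200+10:00I----- thread(2) trace.pd.cas.certmap:3
/sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn/AMWCertRulesEngine.cpp:219: result:
CN=testuser,O=IBM,C=AU
"""

if __name__ == "__main__":
    print(certmap_events(SAMPLE))
```

To check a live system, pass the contents of the msg_webseal-instance.log file to certmap_events instead of SAMPLE.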