Troubleshooting EIM mapping problems

There are a number of common problems that may cause Enterprise Identity Mapping (EIM) mappings to fail entirely or not to work as expected. Review the following table to find information about what problem may be causing an EIM mapping to fail and potential solutions for that problem. If EIM mappings are failing, you may need to work through each solution in the table to ensure that you find and solve the problem or problems which are causing the mappings to fail.

Table 1. Common EIM mapping problems and solutions

Possible problem: Connection information for the domain controller may not be correct, or the domain controller may not be active.
Possible solutions: Review Domain controller connection problems to learn how to verify the connection information for the domain controller and how to verify that the domain controller is active.

Possible problem: EIM mapping lookup operations performed on behalf of the system are failing.
Possible solutions: This may be happening because the EIM configuration is incorrect on the system or systems. Verify your EIM configuration. From IBM® Navigator for i, expand Security > All Tasks > Enterprise Identity Mapping. Click Configuration. Right-click the domain controller in which you want to work, select Properties, and verify the following:
  • Domain page:
    • The domain controller name and port numbers are correct.
    • Click Verify Configuration to verify that the domain controller is active.
    • The local registry name is specified correctly.
    • The Kerberos registry name is specified correctly.
    • Enable EIM operations for this system is selected.
  • System user page:
    • The specified user has sufficient EIM access control to perform a mapping lookup, and the password is valid for the user. Review the online help to learn more about the different types of user credentials.
      Note: If you have changed the password for the specified system user in the directory server, you must change the password here as well. If these passwords do not match, the system user cannot perform EIM functions for the operating system and mapping lookup operations fail.
    • Click Verify Connection to confirm that the user information specified is correct.

Possible problem: A mapping lookup operation may be returning multiple target user identities. This can occur when one or more of the following situations exist:
  • An EIM identifier has multiple individual target associations to the same target registry.
  • More than one EIM identifier has the same user identity specified in a source association, and each of these EIM identifiers has a target association to the same target registry, although the user identity specified for each target association may be different.
  • More than one default domain policy association specifies the same target registry.
  • More than one default registry policy association specifies the same source registry and the same target registry.
  • More than one certificate filter policy association specifies the same source X.509 registry, certificate filter, and target registry.
Possible solutions: Use the Test EIM Mapping function to verify that a specific source user identity maps correctly to the appropriate target user identity. How you correct the problem depends on the results of the test, as follows:
  • The test returns unwanted multiple target identities. This might indicate one of the following:
    • The association configuration for the domain is not correct, because:
      • A target or source association for an EIM identifier is not configured correctly. For example, there is no source association for the Kerberos principal (or Windows user), or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify the associations for a specific identifier.
      • A policy association is not configured correctly. Display all policy associations for a domain to verify the source and target information for all policy associations defined in the domain.
    • Group registry definitions that contain common members are the source or target registries for EIM identifier associations or policy associations. Use the details provided by the test mapping lookup operation to determine whether the source or target registries are group registry definitions. If they are, check the group registry definition properties to determine whether the group registry definitions contain common members.
  • The test returns multiple target identities, and these results are appropriate for the way you configured associations. In this situation, you need to specify lookup information for each target user identity so that a lookup operation returns a single target user identity rather than all possible target user identities. Review Add lookup information to a target user identity.
    Note: This approach only works if the application is enabled to use the lookup information. Base IBM i applications such as IBM i Access Client Solutions cannot use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, consider redefining the associations for the domain so that a mapping lookup operation returns a single target user identity, which ensures that base IBM i applications can successfully perform lookup operations and map identities.

Possible problem: EIM lookup operations return no results, even though associations are configured for the domain.
Possible solutions: Use the Test EIM Mapping function to verify that a specific source user identity maps correctly to the appropriate target user identity. Verify that you supplied the correct information for the test. If the information is correct and the test returns no results, the problem may be caused by one of the following:
  • Association configuration is incorrect. Verify your association configuration by using the problem resolution information provided in the previous entry.
  • Policy association support is not enabled at the domain level. You may need to enable policy associations for the domain.
  • Mapping lookup support or policy association support is not enabled at the individual registry level. You may need to enable mapping lookup support and the use of policy associations for the target registry.
  • The registry definition and user identities do not match because of case sensitivity. You can delete and recreate the registry, or delete and recreate the association with the proper case.
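As an added illustration (not from IBM's documentation and not EIM code), the following Python model of a mapping lookup reproduces the table's cases: several identifiers sharing one source user identity, several default domain policy associations to one target registry, lookup information narrowing the result, a case mismatch in the source user identity, and policy associations disabled for a target registry. The sample domain, the exact-match rule and the precedence order modeled here (identifier associations, then default registry policy, then default domain policy) are assumptions.

```python
# Added example (not IBM code): a small model of an EIM mapping lookup that
# reproduces the multiple-target and no-result cases from the table above.
# The data, the exact-match rule and the precedence order are assumptions.
# Constructed sample domain. Identifier -> source associations and target
# associations; each target association carries optional lookup information.
IDENTIFIERS = {
    "John Day": {"source": [("KERBEROS", "jday@EXAMPLE.COM")],
                 "target": [("SYSTEMA", "JDAY", "payroll"),
                            ("SYSTEMA", "JDAYADM", "admin")]},
    "Jane Day": {"source": [("KERBEROS", "jday@EXAMPLE.COM")],  # same source user
                 "target": [("SYSTEMA", "JANED", "")]},
}
# Policy associations: (kind, source registry or None, target registry, target user).
POLICIES = [
    ("registry", "KERBEROS", "SYSTEMA", "KRBUSER"),
    ("domain", None, "SYSTEMA", "GUEST"),
    ("domain", None, "SYSTEMA", "GUEST2"),   # second domain policy, same target
    ("domain", None, "SYSTEMB", "GUESTB"),
]
# Per-registry switches: mapping lookup support and use of policy associations.
REGISTRIES = {
    "KERBEROS": {"lookup": True, "policy": True},
    "WINDOWS": {"lookup": True, "policy": True},
    "SYSTEMA": {"lookup": True, "policy": True},
    "SYSTEMB": {"lookup": True, "policy": False},  # policy associations disabled
}
DOMAIN_POLICY_ENABLED = True  # domain-level switch

def lookup(src_reg, src_user, tgt_reg, lookup_info=None):
    # Return the target user identities that src_user in src_reg maps to in tgt_reg.
    if not (REGISTRIES[src_reg]["lookup"] and REGISTRIES[tgt_reg]["lookup"]):
        return []
    # 1. Identifier associations win. The source match is exact and
    #    case-sensitive, so a wrongly cased user identity finds nothing here.
    hits = []
    for ident in IDENTIFIERS.values():
        if (src_reg, src_user) in ident["source"]:
            for reg, user, info in ident["target"]:
                if reg == tgt_reg and (lookup_info is None or info == lookup_info):
                    hits.append(user)
    if hits:
        return hits
    # 2. Policy associations, only when enabled for the domain and the target
    #    registry. Modeled order: default registry policy before domain policy.
    if not (DOMAIN_POLICY_ENABLED and REGISTRIES[tgt_reg]["policy"]):
        return []
    for kind, want_src in (("registry", src_reg), ("domain", None)):
        hits = [u for k, s, t, u in POLICIES if k == kind and s == want_src and t == tgt_reg]
        if hits:
            return hits
    return []
```

With `lookup_info` omitted the Kerberos principal resolves to three SYSTEMA users (two from one identifier, one from a second identifier with the same source); passing `lookup_info="payroll"` narrows it to one, which is the mechanism the table's lookup-information entry relies on.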