Testing EIM mappings
Enterprise Identity Mapping (EIM) mapping testing allows you to issue EIM mapping lookup operations against your EIM configuration. You can use the test to verify that a specific source user identity maps correctly to the appropriate target user identity. Testing ensures that EIM mapping lookup operations can return the correct target user identity based on the specified information.
To use the Test a mapping function to test your EIM configuration, you must be connected to the EIM domain in which you want to work and you must have EIM access control at one of these levels:
- EIM administrator
- Identifier administrator
- Registry administrator
- EIM mapping lookup operations
To use mapping test support to test your EIM configuration, complete these steps:
Working with test results and resolving problems
When the test runs, a target user identity is returned if the test process finds an association between the source user identity and target user registry that the administrator supplied. The test also indicates the type of association that it found between the two user identities. When the test process does not find an association based on the information supplied, the test returns a target user identity of none.
The test, like any EIM mapping lookup operation, searches for and returns the first appropriate target user identity, by searching in the following order:
- Specific identifier association
- Certificate filter policy association
- Default registry policy association
- Default domain policy association
In some cases, the test returns no target user identity results although associations are configured for the domain. Verify that you supplied the correct information for the test. If the information is correct and the test returns no results, then the problem may be caused by one of the following:
- Policy association support is not enabled at the domain level. You may need to enable policy associations for a domain.
- Mapping lookup support or policy association support is not enabled at the individual registry level. You may need to enable mapping lookup support and the use of policy associations for the target registry.
- A target or source association for an EIM identifier is not configured correctly. For example, there is no source association for the Kerberos principal (or Windows user) or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify associations for a specific identifier.
- A policy association is not configured correctly. Display all policy associations for a domain to verify source and target information for all policy associations defined in the domain.
- The registry definition and user identities do not match because of case sensitivity. You can delete and re-create the registry, or delete and re-create the association with the proper case.
In other cases, the test may return ambiguous results, and an error message indicating this is displayed. The test returns ambiguous results when more than one target user identity matches the specified test criteria. A mapping lookup operation can return multiple target user identities when one or more of the following situations exist:
- An EIM identifier has multiple individual target associations to the same target registry.
- More than one EIM identifier has the same user identity specified in a source association and each of these EIM identifiers has a target association to the same target registry, although the user identity specified for each target association may be different.
- More than one default domain policy association specifies the same target registry.
- More than one default registry policy association specifies the same source registry and the same target registry.
- More than one certificate filter policy association specifies the same source X.509 registry, certificate filter, and target registry.
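The lookup order and the ambiguity conditions above can be reproduced with a small model. This is an added example, not IBM code and not the EIM API: the class, function, registry and user names are all hypothetical, the certificate filter tier is left out, and user identities are compared as exact strings so that a case mismatch behaves like a missing association.

```python
from dataclasses import dataclass, field

@dataclass
class EimDomain:
    """Toy stand-in for an EIM domain; every field name here is hypothetical."""
    policies_enabled: bool = True                          # domain-level switch
    sources: list = field(default_factory=list)            # (identifier, src_registry, src_user)
    targets: list = field(default_factory=list)            # (identifier, tgt_registry, tgt_user)
    registry_policies: list = field(default_factory=list)  # (src_registry, tgt_registry, tgt_user)
    domain_policies: list = field(default_factory=list)    # (tgt_registry, tgt_user)

def lookup_target(domain, src_registry, src_user, tgt_registry):
    """Return (association_type, targets) from the first tier that matches.

    Tiers follow the documented order; the certificate filter tier is omitted.
    """
    ids = {i for i, reg, user in domain.sources
           if (reg, user) == (src_registry, src_user)}     # exact, case-sensitive match
    tiers = [("identifier association",
              [u for i, reg, u in domain.targets if i in ids and reg == tgt_registry])]
    if domain.policies_enabled:                            # policies ignored when disabled
        tiers.append(("default registry policy",
                      [u for s, t, u in domain.registry_policies
                       if (s, t) == (src_registry, tgt_registry)]))
        tiers.append(("default domain policy",
                      [u for t, u in domain.domain_policies if t == tgt_registry]))
    for kind, users in tiers:
        if users:
            return kind, sorted(set(users))
    return "none", []

def is_ambiguous(result):
    """More than one target user identity from the winning tier is ambiguous."""
    return len(result[1]) > 1

# Constructed sample configuration (registry and user names are invented).
DEMO = EimDomain(
    sources=[("John Smith", "KRB.EXAMPLE", "jsmith"),
             ("J. Smith (contractor)", "KRB.EXAMPLE", "jsmith")],
    targets=[("John Smith", "SYSTEM_A", "JSMITH"),
             ("J. Smith (contractor)", "SYSTEM_A", "JSCONTR"),
             ("John Smith", "SYSTEM_B", "JOHNS")],
    registry_policies=[("KRB.EXAMPLE", "SYSTEM_C", "GUEST")],
    domain_policies=[("SYSTEM_A", "NOBODY"), ("SYSTEM_C", "PUBLIC")],
)

if __name__ == "__main__":
    for user, reg in [("jsmith", "SYSTEM_A"), ("jsmith", "SYSTEM_B"),
                      ("JSmith", "SYSTEM_B"), ("JSmith", "SYSTEM_A")]:
        print(user, reg, lookup_target(DEMO, "KRB.EXAMPLE", user, reg))
```

In this model the mistyped source user `JSmith` returns none for `SYSTEM_B` but falls through to the default domain policy for `SYSTEM_A`, which is why the association type reported by the test is worth checking along with the target user identity.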
A mapping lookup operation that returns more than one target user identity can create problems for EIM-enabled applications, including IBM i applications and products. Consequently, you need to determine the cause of the ambiguous results and what action needs to be taken to resolve the situation. Depending on the cause, you can do one or more of the following:
- The test returns unwanted multiple target identities. This indicates that association configuration for the domain is not correct, due to one of the following:
  - A target or source association for an EIM identifier is not configured correctly. For example, there is no source association for the Kerberos principal (or Windows user) or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify associations for a specific identifier.
  - A policy association is not configured correctly. Display all policy associations for a domain to verify source and target information for all policy associations defined in the domain.
- If the test returns multiple target user identities and these results are appropriate for the way you configured associations, then you need to specify lookup information for each target user identity. You need to define unique lookup information for all target user identities that have the same source (either an EIM identifier for identifier associations or a source user registry for policy associations). By defining lookup information for each target user identity, you ensure that a lookup operation returns a single target user identity rather than all possible target user identities. Review Add lookup information to a target user identity. You must specify this lookup information about the mapping lookup operation.
  Note: This approach only works if the application is enabled to use the lookup information. However, base IBM i applications such as IBM i Access Client Solutions cannot use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, you might consider redefining associations for the domain so that a mapping lookup operation returns a single target user identity and base IBM i applications can successfully perform lookup operations and map identities.