Testing EIM mappings

Enterprise Identity Mapping (EIM) mapping testing allows you to issue EIM mapping lookup operations against your EIM configuration. You can use the test to verify that a specific source user identity maps correctly to the appropriate target user identity. Testing ensures that EIM mapping lookup operations can return the correct target user identity based on the specified information.

To use the Test a Mapping function to test your EIM configuration, you must be connected to the EIM domain in which you want to work and you must have EIM access control at one of these levels:

  • EIM administrator
  • Identifier administrator
  • Registry administrator
  • EIM mapping lookup operations

To use mapping test support to test your EIM configuration, complete these steps:

  1. From IBM® Navigator for i, expand Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click the EIM domain in which you want to work and select Test a Mapping.
  4. In the Test a Mapping dialog, specify the following information:
    1. In the Source registry field, provide the registry definition name that refers to the user registry that you want to use as the source of the test mapping lookup operation.
    2. In the Source user field, provide the user identity name that you want to use as the source of the test mapping lookup operation.
    3. In the Target registry field, provide the registry definition name that refers to the user registry that you want to use as the target of the test mapping lookup operation.
    4. Optional: In the Lookup information field, provide any lookup information defined for the target user.
  5. Click ? for help, if necessary, for more details about what information is needed for each field in the dialog.
  6. Click Test and review the results of the mapping lookup operation when they display.
    Note: If the mapping lookup operation returns ambiguous results, the Test a Mapping - Results dialog is displayed indicating an error message and a list of the target users that the lookup operation finds.
    1. To troubleshoot ambiguous results, select a target user and click Details.
    2. The Test a Mapping - Details dialog is displayed indicating information about the mapping lookup operation results for the specified target user. Click ? for more detailed information about the mapping lookup operation results.
    3. Click Close to exit the Test a Mapping - Results dialog.
  7. Continue testing your configuration, or click Close to exit.

Working with test results and resolving problems

When the test runs, a target user identity is returned if the test process finds an association between the source user identity and target user registry that the administrator supplied. The test also indicates the type of association that it found between the two user identities. When the test process does not find an association based on the information supplied, the test returns a target user identity of none.

The test, like any EIM mapping lookup operation, searches for and returns the first appropriate target user identity, by searching in the following order:

  1. Specific identifier association
  2. Certificate filter policy association
  3. Default registry policy association
  4. Default domain policy association

In some cases, the test returns no target user identity results although associations are configured for the domain. Verify that you supplied the correct information for the test. If the information is correct and the test returns no results, then the problem may be caused by one of the following:

In other cases, the test may have ambiguous results. In such a case, an error message is displayed to indicate this. The test returns ambiguous results when more than one target user identity matches the specified test criteria. A mapping lookup operation can return multiple target user identities when one or more of the following situations exist:

  • An EIM identifier has multiple individual target associations to the same target registry.
  • More than one EIM identifier has the same user identity specified in a source association and each of these EIM identifiers has a target association to the same target registry, although the user identity specified for each target association may be different.
  • More than one default domain policy association specifies the same target registry.
  • More than one default registry policy association specifies the same source registry and the same target registry.
  • More than one certificate filter policy association specifies the same source X.509 registry, certificate filter, and target registry.
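The search order and the ambiguity conditions above can be reproduced offline with a small model. This is an added example, not IBM code and not the EIM API: the registry names, users and identifiers are constructed, `lookup_target` and `_select` are hypothetical helpers, and certificate filter policy associations are left out to keep the model short.

```python
# Simplified model of the lookup order; constructed data, hypothetical names.
# Identifier associations: (EIM identifier, kind, registry, user, lookup info)
IDENTIFIER_ASSOCS = [
    ("John Day", "source", "KERBEROS_REALM", "jday", None),
    ("John Day", "target", "SYSTEM_A", "JOHND", "operator"),
    ("John Day", "target", "SYSTEM_A", "JDAYADM", "admin"),
    ("Sharon Jones", "source", "KERBEROS_REALM", "sjones", None),
]
# Default registry policies: (source registry, target registry, user, lookup info)
REGISTRY_POLICIES = [("KERBEROS_REALM", "SYSTEM_B", "GUESTB", None)]
# Default domain policies: (target registry, user, lookup info)
DOMAIN_POLICIES = [("SYSTEM_A", "GUESTA", None), ("SYSTEM_B", "ANYONE", None)]


def _select(candidates, lookup_info):
    """Keep (user, info) candidates; lookup information, if given, must match."""
    return sorted({u for u, info in candidates if lookup_info in (None, info)})


def lookup_target(src_reg, src_user, tgt_reg, lookup_info=None):
    """Return (association type, target users); several users = ambiguous."""
    ids = {i for i, kind, reg, user, _ in IDENTIFIER_ASSOCS
           if kind == "source" and (reg, user) == (src_reg, src_user)}
    tiers = [
        ("identifier", [(user, info)
                        for i, kind, reg, user, info in IDENTIFIER_ASSOCS
                        if kind == "target" and i in ids and reg == tgt_reg]),
        ("default registry policy", [(user, info)
                                     for s, t, user, info in REGISTRY_POLICIES
                                     if (s, t) == (src_reg, tgt_reg)]),
        ("default domain policy", [(user, info)
                                   for t, user, info in DOMAIN_POLICIES
                                   if t == tgt_reg]),
    ]
    for name, candidates in tiers:  # the first tier that yields a target wins
        targets = _select(candidates, lookup_info)
        if targets:
            return name, targets
    return "none", []


if __name__ == "__main__":
    for args in [("KERBEROS_REALM", "jday", "SYSTEM_A"),
                 ("KERBEROS_REALM", "jday", "SYSTEM_A", "admin"),
                 ("KERBEROS_REALM", "sjones", "SYSTEM_A")]:
        print(args, "->", lookup_target(*args))
```

In this constructed data, `sjones` has a source association but no target association in `SYSTEM_A`, so the lookup falls through to the default domain policy and maps her to `GUESTA`; a test result of that association type is worth confirming as intended.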

A mapping lookup operation that returns more than one target user identity can create problems for EIM-enabled applications, including IBM i applications and products. Consequently, you need to determine the cause of the ambiguous results and what action needs to be taken to resolve the situation. Depending on the cause, you can do one or more of the following:

  • The test returns unwanted multiple target identities. This indicates that association configuration for the domain is not correct, due to one of the following:
    • A target or source association for an EIM identifier is not configured correctly. For example, there is no source association for the Kerberos principal (or Windows user) or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify associations for a specific identifier.
    • A policy association is not configured correctly. Display all policy associations for a domain to verify source and target information for all policy associations defined in the domain.
  • If the test returns multiple target user identities and these results are appropriate for the way you configured associations, then you need to specify lookup information for each target user identity. You need to define unique lookup information for all target user identities that have the same source (either an EIM identifier for identifier associations or a source user registry for policy associations). By defining lookup information for each target user identity, you ensure that a lookup operation returns a single target user identity rather than all possible target user identities. Review Add lookup information to a target user identity. You must also specify this lookup information in the mapping lookup operation.
    Note: This approach only works if the application is enabled to use the lookup information. However, base IBM i applications such as IBM i Access Client Solutions cannot use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, you might consider redefining associations for the domain so that a mapping lookup operation returns a single target user identity and base IBM i applications can successfully perform lookup operations and map identities.