Troubleshooting general EIM configuration and domain problems

There are a number of general problems that you may encounter as you configure EIM for your system, as well as problems that you may encounter as you access an EIM domain. Review the following table to learn more about some common problems and potential solutions that you can use to resolve these problems.

Table 1. Common EIM configuration and domain problems and solutions
Possible problem Possible solutions
EIM Configuration wizard appears to hang during Finish processing. Tthe wizard may be waiting for the domain controller to start. Verify that no errors occurred during the startup of the directory server. For IBM® i platforms, check the job log for the QDIRSRV job in the QSYSWRK subsystem. To check the job log, follow these steps:
  1. From IBM Navigator for i, expand Work Management > All Tasks > Subsystems.
  2. Click Active Subsystems.
  3. Right-click QSYSWRK and select Jobs.
  4. Right-click QUSRDIR and select Job Log.
While using the EIM Configuration wizard to create a domain on a remote system, you received the following error message: "The parent distinguished name (DN) you entered is not valid. The DN must exist on the remote directory server. Specify or select a new or existing parent DN.' The parent DN specified for the remote domain does not exist. See Creating and joining a new remote domain to learn more about how to use the EIM Configuration wizard. Also, see the online help for detailed information about specifying a parent DN when creating a domain.
You receive a message indicating that the EIM domain does not exist. If you have not created an EIM domain, use the EIM Configuration wizard. This wizard creates an EIM domain for you, or enables you to configure an existing EIM domain. If you have created an EIM domain, ensure that the specified user is a member of an EIM access control group with sufficient authority to access it.
You receive a message indicating that an EIM object (identifier, registry, association, policy association, or certificate filter) is not found, or that you are not authorized to EIM data. Verify that the EIM object exists and whether the specified user is a member of an EIM access control group with sufficient authority to that object.
While managing EIM through IBM Navigator for i, you receive an error indicating that the EIM handle is no longer valid. The connection to the domain controller has been lost. To reconnect to the domain controller, follow these steps:
  1. From IBM Navigator for i, expand Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click the domain that you want to work with and select Reconnect.
  4. Specify the connection information.
  5. Click OK.
When using the Kerberos protocol for authentication with EIM, diagnostic message CPD3E3F is written to the job log. This message is generated whenever authentication or identity mapping operations fail. The diagnostic message contains both major and minor status codes to indicate where the problem occurred. The most common errors are documented in the message along with the recovery. Refer to the help information associated with the diagnostic message to begin troubleshooting the problem. You may also find it helpful to review Troubleshoot single sign-on configuration.