Testing EIM identity mappings

Now that you have created all the associations that you need, you must verify that EIM mapping lookup operations return the correct results based on the configured associations.

For this scenario, you must test the mappings used for the identifier associations for each of the administrators and you must test the mappings used for the default registry policy associations. To test the EIM mappings, follow these steps:

Test mappings for John Day

To test that identifier mappings work as expected for John Day, follow these steps:

  1. In IBM® Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain and select Test a mapping.
    Note: You might be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  4. On the Test a mapping dialog box, specify or Browse to select the following information, and click Test.
    • Source registry: MYCO.COM
    • Source user: jday
    • Target registry: SYSTEMA.MYCO.COM
  5. Results will display in the Mapping found portion of the page, as follows:
    For these fields See these results
    Target user JOHND
    Origin EIM Identifier: John Day
  6. Click Close.
    Repeat these steps but select SYTEMB.MYCO.COM for the Target registry field. Results will display in the Mapping found portion of the page, as follows:
    For these fields See these results
    Target user DAYJO
    Origin EIM Identifier: John Day

Test mappings for Sharon Jones

To test the mappings used for the individual associations for Sharon Jones, follow these steps:

  1. In IBM Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain and select Test a mapping.
    Note: You might be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  4. On the Test a mapping dialog box, specify or Browse to select the following information, and click Test:
    • Source registry: MYCO.COM
    • Source user: sjones
    • Target registry: SYSTEMA.MYCO.COM
  5. Results will display in the Mapping found portion of the page, as follows:
    For these fields See these results
    Target user SHARONJ
    Origin EIM Identifier: Sharon Jones
  6. Click Close.
Repeat these steps but select SYSTEMB.MYCO.COM for the Target registry field. Results will display in the Mapping found portion of the page, as follows:
For these fields See these results
Target user JONESSH
Origin EIM Identifier: Sharon Jones

Test mappings used for default registry policy associations

To test that mappings work as expected for the users in the Order Receiving Department, as based on the policy associations that you defined, follow these steps:

  1. In IBM Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain and select Test a mapping.
    Note: You might be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  4. On the Test a mapping dialog box, specify or Browse to select the following information, and click Test:
    • Source registry: MYCO.COM
    • Source user: mmiller
    • Target registry: SYSTEMA.MYCO.COM
  5. Results will display in the Mapping found portion of the page, as follows:
    For these fields See these results
    Target user SYSUSERA
    Origin Registry policy association
  6. Click Close.

To test the mappings used for the default registry policy association that maps your users to the SYSUSERB profile on System B, follow these steps:

  1. In IBM Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain and select Test a mapping.
    Note: You might be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  4. On the Test a mapping dialog box, specify or Browse to select the following information, and click Test:
    • Source registry: MYCO.COM
    • Source user: ksmith
    • Target registry: SYSTEMB.MYCO.COM
  5. Results will display in the Mapping found portion of the page, as follows:
    For these fields See these results
    Target user SYSUSERB
    Origin Registry policy association
  6. Click Close.

If you receive messages or errors that indicate problems with your mappings or with communications, see Troubleshoot EIM to help you find solutions to these problems.

Now that you have tested the EIM identity mappings, you can configure IBM i Access for Windows applications to use Kerberos authentication.