ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalv_5.4.0.1/rzalvtestmappings.htm

201 lines
13 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Test EIM mappings" />
<meta name="DC.Relation" scheme="URI" content="rzalvadmindomain.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalvtestmappings" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Test EIM mappings</title>
</head>
<body id="rzalvtestmappings"><a name="rzalvtestmappings"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Test EIM mappings</h1>
<div><div class="section"><p>Enterprise Identity Mapping (EIM) mapping test support allows
you to issue EIM mapping <a href="rzalveservereimmaplookup.htm#rzalveservereimmaplookup">lookup
operations</a> against your EIM configuration. You can use the test to
verify that a specific source user identity maps correctly to the appropriate
target user identity. Such testing ensures that EIM mapping lookup operations
can return the correct target user identity based on the specified information.</p>
<p>To
use the test a mapping function to test your EIM configuration, you must be
connected to the EIM domain in which you want to work and you must have <a href="rzalveservereimauths.htm#rzalveservereimauths">EIM access control</a> at
one of these levels: </p>
<ul><li>EIM administrator</li>
<li>Identifier administrator</li>
<li>Registry administrator</li>
<li>EIM mapping lookup operations</li>
</ul>
<p>To use mapping test support to test your EIM configuration, complete
these steps:</p>
</div>
<ol><li class="stepexpand"><span>Expand <span class="uicontrol">Network &gt; Enterprise Identity Mapping &gt; Domain
Management</span>.</span></li>
<li class="stepexpand"><span>Select the EIM domain in which you want to work. </span> <ul><li>If the EIM domain you want to work with is not listed under <span class="uicontrol">Domain
Management</span>, see <a href="rzalvadmindomainadd.htm#rzalvadmindomainadd">Add
an EIM domain to Domain Management</a>.</li>
<li>If you are not currently connected to the EIM domain in which you want
to work, see <a href="rzalvadmindomaincon.htm#rzalvadmindomaincon"> Connect
to the EIM domain controller</a>. </li>
</ul>
</li>
<li class="stepexpand"><span>Right-click the EIM domain to which you are connected and select <span class="uicontrol">Test
a Mapping...</span></span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Test a Mapping</span> dialog, specify the
following information: </span><ol type="a"><li><span>In the <span class="uicontrol">Source registry</span> field, provide
the registry definition name that refers to the user registry that you want
to use as the source of the test mapping lookup operation.</span></li>
<li><span>In the <span class="uicontrol">Source user</span> field, provide the
user identity name that you want to use as the source of the test mapping
lookup operation.</span></li>
<li><span>In the <span class="uicontrol">Target registry</span> field, provide
the registry definition name that refers to the user registry that you want
to use as the target of the test mapping lookup operation.</span></li>
<li><span>Optional: In the <span class="uicontrol">Lookup information</span> field,
provide any lookup information defined for the target user.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">Help</span>, if necessary, for more details
about what information is needed for each field in the dialog.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">Test</span> and review the results of the
mapping lookup operation when they display.</span> <div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />If
the mapping lookup operation returns ambiguous results, the Test a Mapping
- Results dialog is displayed indicating an error message and a list of the
target users that the lookup operation finds. <div class="p"><ol type="a"><li>To troubleshoot ambiguous results, select a target user and click <span class="uicontrol">Details</span>. </li>
<li>The Test a Mapping - Details dialog is displayed indicating information
about the mapping lookup operation results for the specified target user.
Click Help for more detailed information about the mapping lookup operation
results.</li>
<li>Click <span class="uicontrol">Close</span> to exit the <span class="uicontrol">Test a Mapping
- Results </span>dialog. </li>
</ol>
</div>
<img src="./deltaend.gif" alt="End of change" /></div>
</li>
<li class="stepexpand"><span>Continue testing your configuration, or click <span class="uicontrol">Close</span> to
exit.</span></li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvadmindomain.htm" title="This information explains how to manage your Enterprise Identity Mapping (EIM) domains and EIM domain properties.">Manage Enterprise Identity Mapping domains</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="workingwithtestresults"><a name="workingwithtestresults"><!-- --></a><h2 class="topictitle2">Working with test results and resolving problems</h2>
<div><div class="section"><p>When the test runs, a target user identity is returned if the
test process finds an association between the source user identity and target
user registry that the administrator supplied. The test also indicates the
type of association that it found between the two user identities. When the
test process does not find an association based on the information supplied,
the test returns a target user identity of <tt>none</tt>.</p>
<p>The test,
like any EIM mapping lookup operation, searches for and returns the first
appropriate target user identity, by searching in the following order:</p>
</div>
<ol><li><span>Specific identifier association</span></li>
<li><span>Certificate filter policy association</span></li>
<li><span>Default registry policy association</span></li>
<li><span>Default domain policy association</span></li>
</ol>
<div class="section"><p>In some cases, the test returns no target user identity results
although associations are configured for the domain. Verify that you supplied
the correct information for the test. If the information is correct and the
test returns no results, then the problem may be caused by one of the following:</p>
<ul><li>Policy association support is not enabled at the domain level. You may
need to <a href="rzalvenablepoliciesfordomain.htm#enablepolicyfordomain">enable
policy associations for a domain</a>.</li>
<li>Mapping lookup support or policy association support is not enabled at
the individual registry level. You may need to <a href="rzalvenablepoliciesforregistry.htm#enable_policies_for_registry">enable
mapping lookup support and the use of policy associations for the target registry</a>. </li>
<li>A target or source association for an EIM identifier is not configured
correctly. For example, there is no source association for the Kerberos principal
(or windows user) or it is incorrect. Or, the target association specifies
an incorrect user identity. <a href="rzalvdsplyallidentassocs.htm#dsply_all_ident_assoc">Display
all identifier associations for an EIM identifier</a> to verify associations
for a specific identifier.</li>
<li>A policy association is not configured correctly. <a href="rzalvdsplyallpoliciesdomain.htm#dsply_all_policy_assoc_domain">Display
all policy associations for a domain</a> to verify source and target information
for all policy associations defined in the domain.</li>
<li>The registry definition and user identities do not match because of case
sensitivity. You can delete and re-create the registry, or delete and re-create
the association with the proper case.</li>
</ul>
<p>In other cases, the test may have ambiguous results. In such a case,
an error message indicating this displays. The test returns ambiguous results
when more than one target user identity matches the specified test criteria.
A mapping lookup operation can return multiple target user identities when
one or more of the following situations exist: </p>
<ul><li>An EIM identifier has multiple individual target associations to the same
target registry. </li>
<li>More than one EIM identifier has the same user identity specified in a
source association and each of these EIM identifiers has a target association
to the same target registry, although the user identity specified for each
target association may be different.</li>
<li>More than one default domain policy association specifies the same target
registry.</li>
<li>More than one default registry policy association specifies the same source
registry and the same target registry.</li>
<li>More than one certificate filter policy association specifies the same
source X.509 registry, certificate filter, and target registry.</li>
</ul>
<p>A mapping lookup operation that returns more than one target user
identity can create problems for EIM-enabled applications, including i5/OS™ applications
and products. Consequently, you need to determine the cause of the ambiguous
results and what action needs to be taken to resolve the situation. Depending
on the cause, you can do one or more of the following:</p>
<ul><li>The test returns unwanted multiple target identities. This indicates that
association configuration for the domain is not correct, due to one of the
following: <ul><li>A target or source association for an EIM identifier is not configured
correctly. For example, there is no source association for the Kerberos principal
(or windows user) or it is incorrect. Or, the target association specifies
an incorrect user identity. <a href="rzalvdsplyallidentassocs.htm#dsply_all_ident_assoc">Display
all identifier associations for an EIM identifier</a> to verify associations
for a specific identifier.</li>
<li>A policy association is not configured correctly. <a href="rzalvdsplyallpoliciesdomain.htm#dsply_all_policy_assoc_domain">Display
all policy associations for a domain</a> to verify source and target information
for all policy associations defined in the domain.</li>
</ul>
</li>
<li>The test returns multiple target user identities and these results are
appropriate for the way you configured associations, then you need to specify <a href="rzalvlookupinfodef.htm#lookup_info_def">lookup information</a> for
each target user identity. You need to define unique lookup information for
all target user identities that have the same source (either an EIM identifier
for identifier associations or a source user registry for policy associations).
By defining lookup information for each target user identity, you ensure that
a lookup operation returns a single target user identity rather than all possible
target user identities. See <a href="rzalvaddlookupinfo.htm#add_lookup_info">Add
lookup information to a target user identity</a>. You must specify this
lookup information about the mapping lookup operation.<div class="note"><span class="notetitle">Note:</span> This
approach only works if the application is enabled to use the lookup information.
However, base i5/OS applications
such as iSeries™ Access
for Windows<sup>®</sup> can
not use lookup information to distinguish among multiple target user identities
returned by a lookup operation. Consequently, you might consider redefining
associations for the domain to ensure that a mapping lookup operation can
return a single target user identity to ensure that base i5/OS applications
can successfully perform lookup operations and map identities.</div>
</li>
</ul>
<p>For additional information about potential mapping problems and solutions
in additional to those described here, see <a href="rzalv_trouble_mappings.htm#rzalv_trouble_mappings">Troubleshoot EIM mapping problems</a>.</p>
</div>
</div>
</div>
</body>
</html>