ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalv_5.4.0.1/rzalv_trouble_mappings.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Troubleshoot EIM mapping problems" />
<meta name="DC.Relation" scheme="URI" content="rzalvtrblshoot.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalv_trouble_mappings" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshoot EIM mapping problems</title>
</head>
<body id="rzalv_trouble_mappings"><a name="rzalv_trouble_mappings"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Troubleshoot EIM mapping problems</h1>
<div><p>There are a number of common problems that may cause Enterprise Identity
Mapping (EIM) mappings to fail entirely or not to work as expected. Use the
following table to find information about what problem may be causing an EIM
mapping to fail and potential solutions for that problem. If EIM mappings
are failing, you may need to work through each solution in the table to ensure
that you find and solve the problem or problems which are causing the mappings
to fail.</p>
<div class="p">
<div class="tablenoborder"><a name="rzalv_trouble_mappings__troubletable"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzalv_trouble_mappings__troubletable" frame="border" border="1" rules="all"><caption>Table 1. Common EIM mapping problems and solutions</caption><thead align="left"><tr><th align="center" valign="top" width="52.55102040816326%" id="d0e21"><strong>Possible problem</strong></th>
<th align="center" valign="top" width="47.44897959183674%" id="d0e24"><strong>Possible solutions</strong></th>
</tr>
</thead>
<tbody><tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">Connection information for the domain controller may
not be correct or the domain controller may not be active.</td>
<td valign="top" width="47.44897959183674%" headers="d0e24 ">See <a href="rzalvtrblcncttodmnctlr.htm#rzalvtrblcncttodmnctlr">Domain
controller connection problems</a> to learn how to verify connection information
for the domain controller and how to verity that the domain controller is
active.</td>
</tr>
<tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">EIM mapping lookup operations performed on behalf of
the system are failing. This may be happening because the EIM configuration
is incorrect on the system or systems.</td>
<td valign="top" width="47.44897959183674%" headers="d0e24 "> Verify your EIM configuration. Expand <span class="uicontrol">Network--&gt;Enterprise
Identity Mapping--&gt;Configuration</span> on the system that you are trying
to authenticate with. Right-click the <span class="uicontrol">Configuration</span> folder
and select <span class="uicontrol">Properties</span> and verify the following:<ul><li><strong>Domain </strong> page:<ul><li>The domain controller name and port numbers are correct.</li>
<li>Click <span class="uicontrol">Verify Configuration</span> to verify that the domain
controller is active.</li>
<li>The local registry name is specified correctly</li>
<li>The Kerberos registry name is specified correctly.</li>
<li>Verify that <span class="uicontrol">Enable EIM operations for this system</span> is
selected.</li>
</ul>
 </li>
<li><strong>System user </strong> page:<ul><li>The specified user has sufficient EIM access control to perform a mapping
lookup, and the password is valid for the user. See the online help to learn
more about the different types of user credentials.<div class="note"><span class="notetitle">Note:</span> If you have changed
the password for the specified system user in the directory server, you must
change the password here as well. If these passwords do not match, then the
system user can not perform EIM functions for the operating system and mapping
lookup operations fail. </div>
</li>
<li>Click <span class="uicontrol">Verify Connection</span> to confirm that the user
information specified is correct.</li>
</ul>
</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">A mapping lookup operation may be returning multiple
target user identities. This can occur when one or more of the following situations
exist:<ul><li>An EIM identifier has multiple individual target associations to the same
target registry.</li>
<li>More than one EIM identifier has the same user identity specified in a
source association and each of these EIM identifiers has a target association
to the same target registry, although the user identity specified for each
target association may be different.</li>
<li>More than one default domain policy association specifies the same target
registry.</li>
<li>More than one default registry policy association specifies the same source
registry and the same target registry.</li>
<li>More than one certificate filter policy association specifies the same
source X.509 registry, certificate filter, and target registry.</li>
</ul>
</td>
<td valign="top" width="47.44897959183674%" headers="d0e24 ">Use the <a href="rzalvtestmappings.htm#rzalvtestmappings">Test
EIM Mapping</a> function to verify that a specific source user identity
maps correctly to the appropriate target user identity. How you correct the
problem depends on what results you get from the test, as follows: <ul><li>The test returns unwanted multiple target identities for one of the following
reasons:<p></p>
<ul><li>This might indicate that association configuration for the domain is not
correct, due to one of the following: <p></p>
<ul><li>A target or source association for an EIM identifier is not configured
correctly. For example, there is no source association for the Kerberos principal
(or windows user) or it is incorrect. Or, the target association specifies
an incorrect user identity. <a href="rzalvdsplyallidentassocs.htm">Display
all identifier associations for an EIM identifier</a> to verify associations
for a specific identifier.<p></p>
</li>
<li>A policy association is not configured correctly. <a href="rzalvdsplyallpoliciesdomain.htm#rzalvdsplyallpoliciesdomain">Display
all policy associations for a domain</a> to verify source and target information
for all policy associations defined in the domain.<p></p>
</li>
</ul>
</li>
<li><img src="./delta.gif" alt="Start of change" />This might indicate that group registry definitions that contain
common members are the source or target registries for EIM identifier associations
or policy associations. Use the details provided by the test mapping lookup
operation to determine whether the source or target registries are group registry
definitions. If they are, check the group registry definition properties to
determine whether the group registry definitions contain common members. <p></p>
<img src="./deltaend.gif" alt="End of change" /></li>
<li>The test returns multiple target identities and these results are appropriate
for the way you configured associations. If this is the situation, then you
need to specify <a href="rzalvlookupinfodef.htm#rzalvlookupinfodef">lookup
information</a> for each target user identity to ensure that a lookup operation
returns a single target user identity rather than all possible target user
identities. See <a href="rzalvaddlookupinfo.htm#rzalvaddlookupinfo">Add
lookup information to a target user identity</a>. <div class="note"><span class="notetitle">Note:</span> This approach only
works if the application is enabled to use the lookup information. However,
base i5/OS™ applications
such as iSeries™ Access
for Windows<sup>®</sup> can
not use lookup information to distinguish among multiple target user identities
returned by a lookup operation. Consequently, you might consider redefining
associations for the domain to ensure that a mapping lookup operation can
return a single target user identity to ensure that base i5/OS applications
can successfully perform lookup operations and map identities.</div>
</li>
</ul>
</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">EIM lookup operations return no results and associations
are configured for the domain.</td>
<td valign="top" width="47.44897959183674%" headers="d0e24 ">Use the <a href="rzalvtestmappings.htm#rzalvtestmappings">Test
EIM Mapping</a> function to verify that a specific source user identity
maps correctly to the appropriate target user identity. Verify that you supplied
the correct information for the test. If the information is correct and the
test returns no results, then the problem may be caused by one of the following: <ul><li>Association configuration is incorrect. Verify your association configuration
by using the problem resolution information provided in the previous entry.</li>
<li>Policy association support is not enabled at the domain level. You may
need to <a href="rzalvenablepoliciesfordomain.htm">enable policy associations
for a domain</a>.</li>
<li>Mapping lookup support or policy association support is not enabled at
the individual registry level. You may need to <a href="rzalvenablepoliciesforregistry.htm">enable
mapping lookup support and the use of policy associations for the target registry</a>.</li>
<li>The registry definition and user identities do not match because of case
sensitivity. You can delete and recreate the registry, or delete and recreate
the association with the proper case.</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvtrblshoot.htm" title="Use this information to learn about common problems and errors that you may encounter when you configure and use EIM as well as potential solutions for them">Troubleshoot Enterprise Identity Mapping</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="concept" />`
			`<meta name="DC.Title" content="Troubleshoot EIM mapping problems" />`
			`<meta name="DC.Relation" scheme="URI" content="rzalvtrblshoot.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="rzalv_trouble_mappings" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Troubleshoot EIM mapping problems</title>`
			`</head>`
			`<body id="rzalv_trouble_mappings"><a name="rzalv_trouble_mappings"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Troubleshoot EIM mapping problems</h1>`
			`<div><p>There are a number of common problems that may cause Enterprise Identity`
			`Mapping (EIM) mappings to fail entirely or not to work as expected. Use the`
			`following table to find information about what problem may be causing an EIM`
			`mapping to fail and potential solutions for that problem. If EIM mappings`
			`are failing, you may need to work through each solution in the table to ensure`
			`that you find and solve the problem or problems which are causing the mappings`
			`to fail.</p>`
			`<div class="p">`
			`<div class="tablenoborder"><a name="rzalv_trouble_mappings__troubletable"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzalv_trouble_mappings__troubletable" frame="border" border="1" rules="all"><caption>Table 1. Common EIM mapping problems and solutions</caption><thead align="left"><tr><th align="center" valign="top" width="52.55102040816326%" id="d0e21"><strong>Possible problem</strong></th>`
			`<th align="center" valign="top" width="47.44897959183674%" id="d0e24"><strong>Possible solutions</strong></th>`
			`</tr>`
			`</thead>`
			`<tbody><tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">Connection information for the domain controller may`
			`not be correct or the domain controller may not be active.</td>`
			`<td valign="top" width="47.44897959183674%" headers="d0e24 ">See <a href="rzalvtrblcncttodmnctlr.htm#rzalvtrblcncttodmnctlr">Domain`
			`controller connection problems</a> to learn how to verify connection information`
			`for the domain controller and how to verity that the domain controller is`
			`active.</td>`
			`</tr>`
			`<tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">EIM mapping lookup operations performed on behalf of`
			`the system are failing. This may be happening because the EIM configuration`
			`is incorrect on the system or systems.</td>`
			`<td valign="top" width="47.44897959183674%" headers="d0e24 "> Verify your EIM configuration. Expand <span class="uicontrol">Network-->Enterprise`
			`Identity Mapping-->Configuration</span> on the system that you are trying`
			`to authenticate with. Right-click the <span class="uicontrol">Configuration</span> folder`
			`and select <span class="uicontrol">Properties</span> and verify the following:<ul><li><strong>Domain </strong> page:<ul><li>The domain controller name and port numbers are correct.</li>`
			`<li>Click <span class="uicontrol">Verify Configuration</span> to verify that the domain`
			`controller is active.</li>`
			`<li>The local registry name is specified correctly</li>`
			`<li>The Kerberos registry name is specified correctly.</li>`
			`<li>Verify that <span class="uicontrol">Enable EIM operations for this system</span> is`
			`selected.</li>`
			`</ul>`
			`</li>`
			`<li><strong>System user </strong> page:<ul><li>The specified user has sufficient EIM access control to perform a mapping`
			`lookup, and the password is valid for the user. See the online help to learn`
			`more about the different types of user credentials.<div class="note"><span class="notetitle">Note:</span> If you have changed`
			`the password for the specified system user in the directory server, you must`
			`change the password here as well. If these passwords do not match, then the`
			`system user can not perform EIM functions for the operating system and mapping`
			`lookup operations fail. </div>`
			`</li>`
			`<li>Click <span class="uicontrol">Verify Connection</span> to confirm that the user`
			`information specified is correct.</li>`
			`</ul>`
			`</li>`
			`</ul>`
			`</td>`
			`</tr>`
			`<tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">A mapping lookup operation may be returning multiple`
			`target user identities. This can occur when one or more of the following situations`
			`exist:<ul><li>An EIM identifier has multiple individual target associations to the same`
			`target registry.</li>`
			`<li>More than one EIM identifier has the same user identity specified in a`
			`source association and each of these EIM identifiers has a target association`
			`to the same target registry, although the user identity specified for each`
			`target association may be different.</li>`
			`<li>More than one default domain policy association specifies the same target`
			`registry.</li>`
			`<li>More than one default registry policy association specifies the same source`
			`registry and the same target registry.</li>`
			`<li>More than one certificate filter policy association specifies the same`
			`source X.509 registry, certificate filter, and target registry.</li>`
			`</ul>`
			`</td>`
			`<td valign="top" width="47.44897959183674%" headers="d0e24 ">Use the <a href="rzalvtestmappings.htm#rzalvtestmappings">Test`
			`EIM Mapping</a> function to verify that a specific source user identity`
			`maps correctly to the appropriate target user identity. How you correct the`
			`problem depends on what results you get from the test, as follows: <ul><li>The test returns unwanted multiple target identities for one of the following`
			`reasons:<p></p>`
			`<ul><li>This might indicate that association configuration for the domain is not`
			`correct, due to one of the following: <p></p>`
			`<ul><li>A target or source association for an EIM identifier is not configured`
			`correctly. For example, there is no source association for the Kerberos principal`
			`(or windows user) or it is incorrect. Or, the target association specifies`
			`an incorrect user identity. <a href="rzalvdsplyallidentassocs.htm">Display`
			`all identifier associations for an EIM identifier</a> to verify associations`
			`for a specific identifier.<p></p>`
			`</li>`
			`<li>A policy association is not configured correctly. <a href="rzalvdsplyallpoliciesdomain.htm#rzalvdsplyallpoliciesdomain">Display`
			`all policy associations for a domain</a> to verify source and target information`
			`for all policy associations defined in the domain.<p></p>`
			`</li>`
			`</ul>`
			`</li>`
			`<li><img src="./delta.gif" alt="Start of change" />This might indicate that group registry definitions that contain`
			`common members are the source or target registries for EIM identifier associations`
			`or policy associations. Use the details provided by the test mapping lookup`
			`operation to determine whether the source or target registries are group registry`
			`definitions. If they are, check the group registry definition properties to`
			`determine whether the group registry definitions contain common members. <p></p>`
			`<img src="./deltaend.gif" alt="End of change" /></li>`
			`<li>The test returns multiple target identities and these results are appropriate`
			`for the way you configured associations. If this is the situation, then you`
			`need to specify <a href="rzalvlookupinfodef.htm#rzalvlookupinfodef">lookup`
			`information</a> for each target user identity to ensure that a lookup operation`
			`returns a single target user identity rather than all possible target user`
			`identities. See <a href="rzalvaddlookupinfo.htm#rzalvaddlookupinfo">Add`
			`lookup information to a target user identity</a>. <div class="note"><span class="notetitle">Note:</span> This approach only`
			`works if the application is enabled to use the lookup information. However,`
			`base i5/OS™ applications`
			`such as iSeries™ Access`
			`for Windows<sup>®</sup> can`
			`not use lookup information to distinguish among multiple target user identities`
			`returned by a lookup operation. Consequently, you might consider redefining`
			`associations for the domain to ensure that a mapping lookup operation can`
			`return a single target user identity to ensure that base i5/OS applications`
			`can successfully perform lookup operations and map identities.</div>`
			`</li>`
			`</ul>`
			`</li>`
			`</ul>`
			`</td>`
			`</tr>`
			`<tr><td valign="top" width="52.55102040816326%" headers="d0e21 ">EIM lookup operations return no results and associations`
			`are configured for the domain.</td>`
			`<td valign="top" width="47.44897959183674%" headers="d0e24 ">Use the <a href="rzalvtestmappings.htm#rzalvtestmappings">Test`
			`EIM Mapping</a> function to verify that a specific source user identity`
			`maps correctly to the appropriate target user identity. Verify that you supplied`
			`the correct information for the test. If the information is correct and the`
			`test returns no results, then the problem may be caused by one of the following: <ul><li>Association configuration is incorrect. Verify your association configuration`
			`by using the problem resolution information provided in the previous entry.</li>`
			`<li>Policy association support is not enabled at the domain level. You may`
			`need to <a href="rzalvenablepoliciesfordomain.htm">enable policy associations`
			`for a domain</a>.</li>`
			`<li>Mapping lookup support or policy association support is not enabled at`
			`the individual registry level. You may need to <a href="rzalvenablepoliciesforregistry.htm">enable`
			`mapping lookup support and the use of policy associations for the target registry</a>.</li>`
			`<li>The registry definition and user identities do not match because of case`
			`sensitivity. You can delete and recreate the registry, or delete and recreate`
			`the association with the proper case.</li>`
			`</ul>`
			`</td>`
			`</tr>`
			`</tbody>`
			`</table>`
			`</div>`
			`</div>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvtrblshoot.htm" title="Use this information to learn about common problems and errors that you may encounter when you configure and use EIM as well as potential solutions for them">Troubleshoot Enterprise Identity Mapping</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`