| Connection information for the domain controller may
not be correct or the domain controller may not be active. |
See Domain
controller connection problems to learn how to verify connection information
for the domain controller and how to verity that the domain controller is
active. |
| EIM mapping lookup operations performed on behalf of
the system are failing. This may be happening because the EIM configuration
is incorrect on the system or systems. |
Verify your EIM configuration. Expand Network-->Enterprise
Identity Mapping-->Configuration on the system that you are trying
to authenticate with. Right-click the Configuration folder
and select Properties and verify the following:- Domain page:
- The domain controller name and port numbers are correct.
- Click Verify Configuration to verify that the domain
controller is active.
- The local registry name is specified correctly
- The Kerberos registry name is specified correctly.
- Verify that Enable EIM operations for this system is
selected.
- System user page:
- The specified user has sufficient EIM access control to perform a mapping
lookup, and the password is valid for the user. See the online help to learn
more about the different types of user credentials.
Note: If you have changed
the password for the specified system user in the directory server, you must
change the password here as well. If these passwords do not match, then the
system user can not perform EIM functions for the operating system and mapping
lookup operations fail.
- Click Verify Connection to confirm that the user
information specified is correct.
|
A mapping lookup operation may be returning multiple
target user identities. This can occur when one or more of the following situations
exist:- An EIM identifier has multiple individual target associations to the same
target registry.
- More than one EIM identifier has the same user identity specified in a
source association and each of these EIM identifiers has a target association
to the same target registry, although the user identity specified for each
target association may be different.
- More than one default domain policy association specifies the same target
registry.
- More than one default registry policy association specifies the same source
registry and the same target registry.
- More than one certificate filter policy association specifies the same
source X.509 registry, certificate filter, and target registry.
|
Use the Test
EIM Mapping function to verify that a specific source user identity
maps correctly to the appropriate target user identity. How you correct the
problem depends on what results you get from the test, as follows: - The test returns unwanted multiple target identities for one of the following
reasons:
- This might indicate that association configuration for the domain is not
correct, due to one of the following:
- A target or source association for an EIM identifier is not configured
correctly. For example, there is no source association for the Kerberos principal
(or windows user) or it is incorrect. Or, the target association specifies
an incorrect user identity. Display
all identifier associations for an EIM identifier to verify associations
for a specific identifier.
- A policy association is not configured correctly. Display
all policy associations for a domain to verify source and target information
for all policy associations defined in the domain.
 This might indicate that group registry definitions that contain
common members are the source or target registries for EIM identifier associations
or policy associations. Use the details provided by the test mapping lookup
operation to determine whether the source or target registries are group registry
definitions. If they are, check the group registry definition properties to
determine whether the group registry definitions contain common members.
 - The test returns multiple target identities and these results are appropriate
for the way you configured associations. If this is the situation, then you
need to specify lookup
information for each target user identity to ensure that a lookup operation
returns a single target user identity rather than all possible target user
identities. See Add
lookup information to a target user identity.
Note: This approach only
works if the application is enabled to use the lookup information. However,
base i5/OS™ applications
such as iSeries™ Access
for Windows® can
not use lookup information to distinguish among multiple target user identities
returned by a lookup operation. Consequently, you might consider redefining
associations for the domain to ensure that a mapping lookup operation can
return a single target user identity to ensure that base i5/OS applications
can successfully perform lookup operations and map identities.
|
| EIM lookup operations return no results and associations
are configured for the domain. |
Use the Test
EIM Mapping function to verify that a specific source user identity
maps correctly to the appropriate target user identity. Verify that you supplied
the correct information for the test. If the information is correct and the
test returns no results, then the problem may be caused by one of the following: - Association configuration is incorrect. Verify your association configuration
by using the problem resolution information provided in the previous entry.
- Policy association support is not enabled at the domain level. You may
need to enable policy associations
for a domain.
- Mapping lookup support or policy association support is not enabled at
the individual registry level. You may need to enable
mapping lookup support and the use of policy associations for the target registry.
- The registry definition and user identities do not match because of case
sensitivity. You can delete and recreate the registry, or delete and recreate
the association with the proper case.
|