Test EIM mappings

Enterprise Identity Mapping (EIM) mapping test support allows you to issue EIM mapping lookup operations against your EIM configuration. You can use the test to verify that a specific source user identity maps correctly to the appropriate target user identity. Such testing ensures that EIM mapping lookup operations can return the correct target user identity based on the specified information.

To use the test a mapping function to test your EIM configuration, you must be connected to the EIM domain in which you want to work and you must have EIM access control at one of these levels:

To use mapping test support to test your EIM configuration, complete these steps:

  1. Expand Network > Enterprise Identity Mapping > Domain Management.
  2. Select the EIM domain in which you want to work.
  3. Right-click the EIM domain to which you are connected and select Test a Mapping...
  4. In the Test a Mapping dialog, specify the following information:
    1. In the Source registry field, provide the registry definition name that refers to the user registry that you want to use as the source of the test mapping lookup operation.
    2. In the Source user field, provide the user identity name that you want to use as the source of the test mapping lookup operation.
    3. In the Target registry field, provide the registry definition name that refers to the user registry that you want to use as the target of the test mapping lookup operation.
    4. Optional: In the Lookup information field, provide any lookup information defined for the target user.
  5. Click Help, if necessary, for more details about what information is needed for each field in the dialog.
  6. Click Test and review the results of the mapping lookup operation when they display.
    Note: Start of changeIf the mapping lookup operation returns ambiguous results, the Test a Mapping - Results dialog is displayed indicating an error message and a list of the target users that the lookup operation finds.
    1. To troubleshoot ambiguous results, select a target user and click Details.
    2. The Test a Mapping - Details dialog is displayed indicating information about the mapping lookup operation results for the specified target user. Click Help for more detailed information about the mapping lookup operation results.
    3. Click Close to exit the Test a Mapping - Results dialog.
    End of change
  7. Continue testing your configuration, or click Close to exit.

Working with test results and resolving problems

When the test runs, a target user identity is returned if the test process finds an association between the source user identity and target user registry that the administrator supplied. The test also indicates the type of association that it found between the two user identities. When the test process does not find an association based on the information supplied, the test returns a target user identity of none.

The test, like any EIM mapping lookup operation, searches for and returns the first appropriate target user identity, by searching in the following order:

  1. Specific identifier association
  2. Certificate filter policy association
  3. Default registry policy association
  4. Default domain policy association

In some cases, the test returns no target user identity results although associations are configured for the domain. Verify that you supplied the correct information for the test. If the information is correct and the test returns no results, then the problem may be caused by one of the following:

In other cases, the test may have ambiguous results. In such a case, an error message indicating this displays. The test returns ambiguous results when more than one target user identity matches the specified test criteria. A mapping lookup operation can return multiple target user identities when one or more of the following situations exist:

  • An EIM identifier has multiple individual target associations to the same target registry.
  • More than one EIM identifier has the same user identity specified in a source association and each of these EIM identifiers has a target association to the same target registry, although the user identity specified for each target association may be different.
  • More than one default domain policy association specifies the same target registry.
  • More than one default registry policy association specifies the same source registry and the same target registry.
  • More than one certificate filter policy association specifies the same source X.509 registry, certificate filter, and target registry.

A mapping lookup operation that returns more than one target user identity can create problems for EIM-enabled applications, including i5/OS™ applications and products. Consequently, you need to determine the cause of the ambiguous results and what action needs to be taken to resolve the situation. Depending on the cause, you can do one or more of the following:

  • The test returns unwanted multiple target identities. This indicates that association configuration for the domain is not correct, due to one of the following:
    • A target or source association for an EIM identifier is not configured correctly. For example, there is no source association for the Kerberos principal (or windows user) or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify associations for a specific identifier.
    • A policy association is not configured correctly. Display all policy associations for a domain to verify source and target information for all policy associations defined in the domain.
  • The test returns multiple target user identities and these results are appropriate for the way you configured associations, then you need to specify lookup information for each target user identity. You need to define unique lookup information for all target user identities that have the same source (either an EIM identifier for identifier associations or a source user registry for policy associations). By defining lookup information for each target user identity, you ensure that a lookup operation returns a single target user identity rather than all possible target user identities. See Add lookup information to a target user identity. You must specify this lookup information about the mapping lookup operation.
    Note: This approach only works if the application is enabled to use the lookup information. However, base i5/OS applications such as iSeries™ Access for Windows® can not use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, you might consider redefining associations for the domain to ensure that a mapping lookup operation can return a single target user identity to ensure that base i5/OS applications can successfully perform lookup operations and map identities.

For additional information about potential mapping problems and solutions in additional to those described here, see Troubleshoot EIM mapping problems.