SHIFT

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


Sidebar

Recently Changed Pages:

View All Pages


View All Tags


LinkedIn




WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.


Pages with comments

View All Comments

idmdstrace

Identity Manager DS Trace

This is a small page on how to get a level 3 trace log of a driver (like created in Identity Manager AD Driver) and how to read that.

DS Trace Preparation

Set DS Trace Log Level

First you need to set the ds trace log level to 3. Level 3 gives you all the information you need, I never came across a situation that required a higher level:

  • Log in to iManager
  • Go to 'Identity Manager' and on to 'Identity Manager overview'
  • Search for driver sets and click on the one holding the driver you need to troubleshoot
  • Click on the status symbol and select 'Edit properties'
  • Go to the menu option 'misc'
  • Set the 'Trace level' to '3' and click on 'OK'
  • You might need to restart the driver, so click again on the status symbol and select 'Restart Driver'.

View the Trace

Now you need to view the trace, and for that you need to log in to iMonitor on port 8030 on Linux and 8009 on NetWare:

  • Select the 'Trace Configuration'
  • Select these options:
    • Time Stamp
    • DirXML
    • DirXML Drivers
  • Select 'Trace On'
  • Select 'Update'
  • Select the 'Trace Live' option, which just appeared next to the 'Trace Configuration' button you selected before.

You can now follow the trace by clicking the update button. You might want to set a higher buffer, preferebly to all.
NOTE: set the trace off when you're done, it takes quite some resources from the server

Read XML

This is a piece of XML code I traced:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" event-id="sles11-idm#20100519082352#1#1" qualified-src-dn="O=shift\OU=SHIFTUSERS\CN=SjoerdH" src-dn="\SHIFT-TREE\shift\SHIFTUSERS\SjoerdH" src-entry-id="32955">
<add-attr attr-name="Full Name">
<value timestamp="1274187979#7" type="string">Sjoerd Hooft</value>
</add-attr>
<add-attr attr-name="Given Name">
<value timestamp="1274187979#5" type="string">Sjoerd</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1274187979#9" type="string">Hooft</value>
</add-attr>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=SjoerdH"/>
</add>
</input>
</nds>
10:23:53 AD-driver ST:Applying policy: sub-cp-Users.
10:23:53 AD-driver ST: Applying to add #1.
10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Break if not a User'.
10:23:53 AD-driver ST: (if-class-name not-equal "User") = FALSE.
10:23:53 AD-driver ST: Rule rejected.
10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Veto if nspmDistributionPassword is not available'.
10:23:53 AD-driver ST: Rule selected.
10:23:53 AD-driver ST: Applying rule 'Veto if nspmDistributionPassword is not available'.
10:23:53 AD-driver ST: Action: do-veto-if-op-attr-not-available("nspmDistributionPassword").
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:

As you can see, the policy is vetoing since the nspmDistributionPassword attribute is not available.

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
10:23:53 AD-driver ST:Applying policy: sub-cp-ExchMailboxPolicy.
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
10:23:53 AD-driver ST:Applying policy: lib-CredProv-RequiredAttributes-sub-cp-V1.
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
10:23:53 AD-driver ST:Processing returned document.
10:23:53 AD-driver ST:Processing operation <status> for .
10:23:53 AD-driver ST:
DirXML Log Event -------------------
Driver: \SHIFT-TREE\shift\AD-driver\AD-driver
Channel: Subscriber
Object: \SHIFT-TREE\shift\SHIFTUSERS\SjoerdH
Status: Warning
Message: Code(-8017) Operation vetoed by object creation policy.

Which it also tells here but without the reason. In this case universal password was not enabled for the user so it didn't get synchronized.

You could leave a comment if you were logged in.
idmdstrace.txt · Last modified: 2021/09/24 00:24 (external edit)