SHIFT

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


idmdstrace
Differences

This shows you the differences between two versions of the page.

Link to this comparison view

idmdstrace [2013/03/05 06:55] (current)
sjoerd created
Line 1: Line 1:
 += Identity Manager DS Trace
 +This is a small page on how to get a level 3 trace log of a driver (like created in [[idmaddriver]]) and how to read that.
 += DS Trace Preparation
 +== Set DS Trace Log Level
 +First you need to set the ds trace log level to 3. Level 3 gives you all the information you need, I never came across a situation that required a higher level:
 +* Log in to iManager
 +* Go to '​Identity Manager'​ and on to '​Identity Manager overview'​
 +* Search for driver sets and click on the one holding the driver you need to troubleshoot
 +* Click on the status symbol and select 'Edit properties'​
 +* Go to the menu option '​misc' ​
 +* Set the 'Trace level' to '​3'​ and click on '​OK'​
 +* You might need to restart the driver, so click again on the status symbol and select '​Restart Driver'​.
  
 +== View the Trace
 +Now you need to view the trace, and for that you need to log in to iMonitor on port 8030 on Linux and 8009 on NetWare:
 +* Select the 'Trace Configuration'​
 +* Select these options:
 +** Time Stamp
 +** DirXML
 +** DirXML Drivers
 +* Select 'Trace On'
 +* Select '​Update'​
 +* Select the 'Trace Live' option, which just appeared next to the 'Trace Configuration'​ button you selected before.
 +
 +You can now follow the trace by clicking the update button. You might want to set a higher buffer, preferebly to all.
 +\\
 +**NOTE: set the trace off when you're done, it takes quite some resources from the server**
 +\\
 +
 += Read XML
 +This is a piece of XML code I traced:
 +<code xml>
 +<nds dtdversion="​3.5"​ ndsversion="​8.x">​
 +<​source>​
 +<product version="​3.6.10.4747">​DirXML</​product>​
 +<​contact>​Novell,​ Inc.</​contact>​
 +</​source>​
 +<​input>​
 +<add class-name="​User"​ event-id="​sles11-idm#​20100519082352#​1#​1"​ qualified-src-dn="​O=shift\OU=SHIFTUSERS\CN=SjoerdH"​ src-dn="​\SHIFT-TREE\shift\SHIFTUSERS\SjoerdH"​ src-entry-id="​32955">​
 +<​add-attr attr-name="​Full Name">​
 +<value timestamp="​1274187979#​7"​ type="​string">​Sjoerd Hooft</​value>​
 +</​add-attr>​
 +<​add-attr attr-name="​Given Name">​
 +<value timestamp="​1274187979#​5"​ type="​string">​Sjoerd</​value>​
 +</​add-attr>​
 +<​add-attr attr-name="​Surname">​
 +<value timestamp="​1274187979#​9"​ type="​string">​Hooft</​value>​
 +</​add-attr>​
 +<​operation-data attempt-to-match="​true"​ unmatched-src-dn="​CN=SjoerdH"/>​
 +</​add>​
 +</​input>​
 +</​nds>​
 +10:23:53 AD-driver ST:Applying policy: sub-cp-Users.
 +10:23:53 AD-driver ST: Applying to add #1.
 +10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Break if not a User'.
 +10:23:53 AD-driver ST: (if-class-name not-equal "​User"​) = FALSE.
 +10:23:53 AD-driver ST: Rule rejected.
 +10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Veto if nspmDistributionPassword is not available'​.
 +10:23:53 AD-driver ST: Rule selected.
 +10:23:53 AD-driver ST: Applying rule 'Veto if nspmDistributionPassword is not available'​.
 +10:23:53 AD-driver ST: Action: do-veto-if-op-attr-not-available("​nspmDistributionPassword"​).
 +10:23:53 AD-driver ST:Policy returned:
 +10:23:53 AD-driver ST:
 +</​code>​
 +As you can see, the policy is vetoing since the nspmDistributionPassword attribute is not available.
 +<code xml>
 +<nds dtdversion="​3.5"​ ndsversion="​8.x">​
 +<​source>​
 +<product version="​3.6.10.4747">​DirXML</​product>​
 +<​contact>​Novell,​ Inc.</​contact>​
 +</​source>​
 +<​input/>​
 +</​nds>​
 +10:23:53 AD-driver ST:Applying policy: sub-cp-ExchMailboxPolicy.
 +10:23:53 AD-driver ST:Policy returned:
 +10:23:53 AD-driver ST:
 +<nds dtdversion="​3.5"​ ndsversion="​8.x">​
 +<​source>​
 +<product version="​3.6.10.4747">​DirXML</​product>​
 +<​contact>​Novell,​ Inc.</​contact>​
 +</​source>​
 +<​input/>​
 +</​nds>​
 +10:23:53 AD-driver ST:Applying policy: lib-CredProv-RequiredAttributes-sub-cp-V1.
 +10:23:53 AD-driver ST:Policy returned:
 +10:23:53 AD-driver ST:
 +<nds dtdversion="​3.5"​ ndsversion="​8.x">​
 +<​source>​
 +<product version="​3.6.10.4747">​DirXML</​product>​
 +<​contact>​Novell,​ Inc.</​contact>​
 +</​source>​
 +<​input/>​
 +</​nds>​
 +10:23:53 AD-driver ST:​Processing returned document.
 +10:23:53 AD-driver ST:​Processing operation <​status>​ for .
 +10:23:53 AD-driver ST:
 +DirXML Log Event -------------------
 +Driver: \SHIFT-TREE\shift\AD-driver\AD-driver
 +Channel: Subscriber
 +Object: \SHIFT-TREE\shift\SHIFTUSERS\SjoerdH
 +Status: Warning
 +Message: Code(-8017) Operation vetoed by object creation policy.
 +</​code>​
 +Which it also tells here but without the reason. In this case universal password was not enabled for the user so it didn't get synchronized.
 +
 +{{tag>​idm}}
idmdstrace.txt ยท Last modified: 2013/03/05 06:55 by sjoerd