Not seeing expected events in Identity Manager trace

  • 7002552
  • 04-Feb-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 3.5.1
Novell Identity Manager 3.6

Situation

When looking at a Novell Identity Manager (IDM) trace from the engine, the events that should be showing up are not in the trace at all. Synchronization does not seem to be occurring from the engine side. The driver is running, and the driver startup level three trace messages show up in the trace file properly, indicating that the driver is configured and running.

Resolution

There are a few very common problems that prevent events from showing up in the trace when synchronization is not working.

1.  No event was ever generated.  IDM is event-driven, so simply having a driver running does not by itself produce events that send objects through the driver to an application.  The objects must be modified, migrated, or synchronized from the Identity Manager tools.  See the documentation for ways to migrate, synchronize, or modify an object so that IDM picks it up for synchronization.

2.  The class or attribute is not in the filter.  IDM does not synchronize every object class or every attribute of a class all the time.  The driver must be configured to synchronize specific classes and their attributes, and a change must touch those classes or attributes in a way the filter settings allow before the engine will pick up the event.

3.  Driver Security Equivalence is not set properly.  By default a driver, once created, has no more rights than an anonymous user accessing the tree.  Once rights are assigned IDM can be very powerful, but without that granted access eDirectory limits it for security reasons.  If rights are not granted, a change to an attribute in the filter cannot be seen and therefore cannot be acted upon.

4.  Replicas of the synchronized objects are not held on the IDM engine machine.  IDM acts as a module of eDirectory.  If the eDirectory server running the engine does not hold replicas of the objects to be synchronized, events against those objects are never sent to that server by the servers that do hold replicas, and IDM is never notified of them.  Adding replicas of the objects to be synchronized allows subsequent events on those objects to be picked up by the engine and synchronized according to the driver logic.

5.  The event is delayed for an indeterminate amount of time.  Consider a change made on serverB while serverA is the IDM engine.  If replication from serverB to serverA is not immediate, the IDM engine on serverA will not see the event until replication completes.  Often this is within just a few seconds, but some attributes are not set to synchronize quickly.  It is also possible that many events are flowing through the trace file when a change takes place on any eDirectory server (including the IDM server), and the event itself will not show up in the trace until the previous events have had their turn.  Events are processed in the order that eDirectory applies them, so a change made now waits until all previously-detected changes have been processed.
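Item 2 above is the cause that is easiest to check offline, because a driver filter is just XML. The following script is an added example, not part of this TID and not NetIQ/Novell code: it reads a constructed driver filter in the `filter-class`/`filter-attr` format that IDM drivers use, and for a given class, attribute and channel reports whether the engine would pass the event or why it would be dropped. The class names, attribute names and channel settings in the sample filter are made up for illustration; the `explain_event` function and its return shape are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a driver filter. The element names (filter, filter-class,
# filter-attr) and the publisher/subscriber settings follow the IDM filter XML
# format; the classes, attributes and values chosen here are made up.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Surname" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Given Name" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Title" publisher="ignore" subscriber="sync"/>
    <filter-attr attr-name="Description" publisher="ignore" subscriber="ignore"/>
  </filter-class>
  <filter-class class-name="Group" publisher="ignore" subscriber="sync">
    <filter-attr attr-name="Member" publisher="ignore" subscriber="sync"/>
  </filter-class>
</filter>
"""

CHANNELS = ("subscriber", "publisher")


def parse_filter(xml_text):
    """Parse filter XML into {class: (class_settings, {attr: attr_settings})}.

    A missing publisher/subscriber attribute is treated as "ignore", which is
    the conservative reading when checking why an event is not seen.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "filter":
        raise ValueError("root element is %r, expected <filter>" % root.tag)
    classes = {}
    for fc in root.findall("filter-class"):
        class_settings = {ch: fc.get(ch, "ignore") for ch in CHANNELS}
        attrs = {}
        for fa in fc.findall("filter-attr"):
            attrs[fa.get("attr-name")] = {ch: fa.get(ch, "ignore") for ch in CHANNELS}
        classes[fc.get("class-name")] = (class_settings, attrs)
    return classes


def explain_event(filter_xml, class_name, attr_name, channel="subscriber"):
    """Return (passes, reason) for a change to attr_name on an object of class_name.

    channel="subscriber" is the eDirectory -> application direction, i.e. the
    events the engine must pick up from eDirectory (the situation in this TID).
    Any setting other than "ignore" (sync, notify, reset) lets the event through
    the filter; what happens to it afterwards is up to the driver policies.
    """
    if channel not in CHANNELS:
        raise ValueError("channel must be one of %s" % (CHANNELS,))
    classes = parse_filter(filter_xml)
    if class_name not in classes:
        return False, "class %r is not in the filter" % class_name
    class_settings, attrs = classes[class_name]
    if class_settings[channel] == "ignore":
        return False, "class %r is set to ignore on the %s channel" % (class_name, channel)
    if attr_name not in attrs:
        return False, "attribute %r of class %r is not in the filter" % (attr_name, class_name)
    setting = attrs[attr_name][channel]
    if setting == "ignore":
        return False, "attribute %r is set to ignore on the %s channel" % (attr_name, channel)
    return True, "attribute %r passes the %s channel (%s)" % (attr_name, channel, setting)


if __name__ == "__main__":
    # Typical triage: which of the changes you just made should the engine see?
    for cls, attr, ch in [("User", "Surname", "subscriber"),
                          ("User", "Title", "publisher"),
                          ("User", "Login Time", "subscriber"),
                          ("Group", "Member", "publisher"),
                          ("Printer", "CN", "subscriber")]:
        ok, why = explain_event(SAMPLE_FILTER, cls, attr, ch)
        print("%-5s %s.%s on %s: %s" % ("PASS" if ok else "DROP", cls, attr, ch, why))
```

Point the script at the filter exported from the actual driver object rather than the sample, and check the subscriber column for the exact class and attribute you modified; an attribute that is "sync" on the publisher side only will never produce an engine-side event for an eDirectory change.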