Entitlement driver is slow or stops after processing some events

  • 7008579
  • 13-May-2011
  • 27-Apr-2012

Environment

Novell Identity Manager 4.0
Novell Identity Manager 3.6.1

Situation

Entitlements are taking a long time to process.  Sometimes the driver will not start or it starts then stops after processing some users.

Resolution

Starting in IDM 4.0, a change was added so that any time an entitlement is revoked or added, a message is generated so that the event can be tracked in auditing software.  The messages are 31622 Entitlement_Revoke and 31620 Entitlement_Grant.  This can cause a lot more traffic.  If you are auditing, there are some things that can be done to reduce the impact rather than turning off logging.
 
eDirectory slowness or hanging drivers can occur in part because, by default, all events are written into eDirectory, not just to the auditing agent.  This feature has been around for many versions of IDM and was used in cases where customers did not have any other auditing service.  Because of the way the events are written into eDirectory, a great deal of slowness may result: each event is written to the logging attribute and stored as an additional linear value.  Each time that is done, eDirectory calculates the number of values and marks any beyond the limit for deletion.  Even with a limit of 500, the values are not removed until the eDirectory Janitor process runs and rebuilds the attribute value.  After bulk changes, this attribute value can consist of tens or hundreds of thousands of entries, or more.
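
A toy model of the behaviour described above, added here as an illustration and not Novell code. It assumes each write counts every stored value, including those already marked for deletion, and that only a janitor pass physically removes them; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class LogAttribute:
    """Toy model of a multi-valued log attribute with a value limit (hypothetical)."""
    limit: int = 500
    values: list = field(default_factory=list)  # oldest first
    marked: int = 0           # values[:marked] are marked for deletion, still stored
    values_examined: int = 0  # cumulative cost of the per-write count

    def write(self, event: str) -> None:
        self.values.append(event)
        # Assumption: the count walks every stored value, marked or not.
        self.values_examined += len(self.values)
        live = len(self.values) - self.marked
        if live > self.limit:
            self.marked += live - self.limit  # mark only; nothing is freed here

    def janitor(self) -> None:
        """Physically remove marked values, as the background purge would."""
        del self.values[:self.marked]
        self.marked = 0

def bulk_load(events: int, limit: int = 500, janitor_every: int = 0) -> dict:
    """Write `events` log values; run the janitor every N writes (0 = never)."""
    attr = LogAttribute(limit=limit)
    peak = 0
    for i in range(1, events + 1):
        attr.write(f"31620 Entitlement_Grant #{i}")  # constructed sample event
        peak = max(peak, len(attr.values))
        if janitor_every and i % janitor_every == 0:
            attr.janitor()
    return {"stored": len(attr.values), "live": len(attr.values) - attr.marked,
            "peak_stored": peak, "values_examined": attr.values_examined}

if __name__ == "__main__":
    print("no janitor during bulk run:", bulk_load(100_000))
    print("janitor every 1000 writes: ", bulk_load(100_000, janitor_every=1000))
```

With no janitor pass during the bulk run, only 500 values are live but all 100,000 remain stored, and the per-write counting work grows quadratically with the number of events.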
 
This can affect all versions of IDM.
 
To prevent the problem, you can turn off logging to eDirectory but leave the logging of events to platform agents.  This is changed by going into the properties of the driver, going to the Log Level tab and marking the option "Turn off logging to Driver Set, Subscriber and Publisher logs."
 
Unless this feature is being used, it is recommended that this option be selected for each driver and for the Driver Set.  This is especially true for anyone using the Entitlement driver.
 
Also, if auditing is not being used, you can turn off logging by going into the same Log Level tab and choosing the option "Logging off".  This is very important to do on the Entitlement driver if auditing is not being used.