= Identity Manager DS Trace
This is a small page on how to get a level 3 trace log of a driver (like created in [[idmaddriver]]) and how to read that.
= DS Trace Preparation
== Set DS Trace Log Level
First you need to set the ds trace log level to 3. Level 3 gives you all the information you need, I never came across a situation that required a higher level:
* Log in to iManager
* Go to 'Identity Manager' and on to 'Identity Manager overview'
* Search for driver sets and click on the one holding the driver you need to troubleshoot
* Click on the status symbol and select 'Edit properties'
* Go to the menu option 'misc'
* Set the 'Trace level' to '3' and click on 'OK'
* You might need to restart the driver, so click again on the status symbol and select 'Restart Driver'.
== View the Trace
Now you need to view the trace, and for that you need to log in to iMonitor on port 8030 on Linux and 8009 on NetWare:
* Select the 'Trace Configuration'
* Select these options:
** Time Stamp
** DirXML
** DirXML Drivers
* Select 'Trace On'
* Select 'Update'
* Select the 'Trace Live' option, which just appeared next to the 'Trace Configuration' button you selected before.
You can now follow the trace by clicking the update button. You might want to set a higher buffer, preferebly to all.
\\
**NOTE: set the trace off when you're done, it takes quite some resources from the server**
\\
= Read XML
This is a piece of XML code I traced:
DirXMLNovell, Inc.Sjoerd HooftSjoerdHooft
10:23:53 AD-driver ST:Applying policy: sub-cp-Users.
10:23:53 AD-driver ST: Applying to add #1.
10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Break if not a User'.
10:23:53 AD-driver ST: (if-class-name not-equal "User") = FALSE.
10:23:53 AD-driver ST: Rule rejected.
10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Veto if nspmDistributionPassword is not available'.
10:23:53 AD-driver ST: Rule selected.
10:23:53 AD-driver ST: Applying rule 'Veto if nspmDistributionPassword is not available'.
10:23:53 AD-driver ST: Action: do-veto-if-op-attr-not-available("nspmDistributionPassword").
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
As you can see, the policy is vetoing since the nspmDistributionPassword attribute is not available.
DirXMLNovell, Inc.
10:23:53 AD-driver ST:Applying policy: sub-cp-ExchMailboxPolicy.
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
DirXMLNovell, Inc.
10:23:53 AD-driver ST:Applying policy: lib-CredProv-RequiredAttributes-sub-cp-V1.
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
DirXMLNovell, Inc.
10:23:53 AD-driver ST:Processing returned document.
10:23:53 AD-driver ST:Processing operation for .
10:23:53 AD-driver ST:
DirXML Log Event -------------------
Driver: \SHIFT-TREE\shift\AD-driver\AD-driver
Channel: Subscriber
Object: \SHIFT-TREE\shift\SHIFTUSERS\SjoerdH
Status: Warning
Message: Code(-8017) Operation vetoed by object creation policy.
Which it also tells here but without the reason. In this case universal password was not enabled for the user so it didn't get synchronized.
{{tag>idm}}