• Log in to iManager
• Go to 'Identity Manager' and on to 'Identity Manager overview'
• Search for driver sets and click on the one holding the driver you need to troubleshoot
• Click on the status symbol and select 'Edit properties'
• Go to the menu option 'misc'
• Set the 'Trace level' to '3' and click on 'OK'
• You might need to restart the driver, so click again on the status symbol and select 'Restart Driver'.

• Select the 'Trace Configuration'
• Select these options:
  • Time Stamp
  • DirXML
  • DirXML Drivers
• Select 'Trace On'
• Select 'Update'
• Select the 'Trace Live' option, which just appeared next to the 'Trace Configuration' button you selected before.

You can now follow the trace by clicking the update button. You might want to set a higher buffer, preferebly to all.

NOTE: set the trace off when you're done, it takes quite some resources from the server

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" event-id="sles11-idm#20100519082352#1#1" qualified-src-dn="O=shift\OU=SHIFTUSERS\CN=SjoerdH" src-dn="\SHIFT-TREE\shift\SHIFTUSERS\SjoerdH" src-entry-id="32955">
<add-attr attr-name="Full Name">
<value timestamp="1274187979#7" type="string">Sjoerd Hooft</value>
</add-attr>
<add-attr attr-name="Given Name">
<value timestamp="1274187979#5" type="string">Sjoerd</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1274187979#9" type="string">Hooft</value>
</add-attr>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=SjoerdH"/>
</add>
</input>
</nds>
10:23:53 AD-driver ST:Applying policy: sub-cp-Users.
10:23:53 AD-driver ST: Applying to add #1.
10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Break if not a User'.
10:23:53 AD-driver ST: (if-class-name not-equal "User") = FALSE.
10:23:53 AD-driver ST: Rule rejected.
10:23:53 AD-driver ST: Evaluating selection criteria for rule 'Veto if nspmDistributionPassword is not available'.
10:23:53 AD-driver ST: Rule selected.
10:23:53 AD-driver ST: Applying rule 'Veto if nspmDistributionPassword is not available'.
10:23:53 AD-driver ST: Action: do-veto-if-op-attr-not-available("nspmDistributionPassword").
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:

As you can see, the policy is vetoing since the nspmDistributionPassword attribute is not available.

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
10:23:53 AD-driver ST:Applying policy: sub-cp-ExchMailboxPolicy.
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
10:23:53 AD-driver ST:Applying policy: lib-CredProv-RequiredAttributes-sub-cp-V1.
10:23:53 AD-driver ST:Policy returned:
10:23:53 AD-driver ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
10:23:53 AD-driver ST:Processing returned document.
10:23:53 AD-driver ST:Processing operation <status> for .
10:23:53 AD-driver ST:
DirXML Log Event -------------------
Driver: \SHIFT-TREE\shift\AD-driver\AD-driver
Channel: Subscriber
Object: \SHIFT-TREE\shift\SHIFTUSERS\SjoerdH
Status: Warning
Message: Code(-8017) Operation vetoed by object creation policy.

Which it also tells here but without the reason. In this case universal password was not enabled for the user so it didn't get synchronized.