10.1 Identity Manager

10.1.1 Identity Manager Plug-Ins Do Not Appear in iManager

After you properly install Identity Manager plug-ins in iManager, the plug-ins sometimes disappear from iManager for the tree you want to manage.

Identity Manager plug-ins for iManager require that eDirectory is running and working properly in the tree you are trying to manage. If the plug-in does not appear in iManager, ensure that the eDirectory daemon (ndsd) is running on the server that contains the eDirectory master replica for that tree.

To restart ndsd on the master replica server, enter the following command at its command prompt as the root user:

rcndsd restart

10.1.2 Identity Manager Drivers for Cluster Synchronization Do Not Start

If the Identity Manager drivers for cluster synchronization do not start, the problem might be caused by one of the following conditions:

  • The ports used by the driver are not unique and available.

    Each eDirectory driver must listen on a different port number. To specify the port number, access the driver properties in iManager and specify the appropriate port number in the IP address field. See Section 6.0, Configuring the Identity Manager Drivers for BCC, for more information.

    The format for specifying the port number in the IP address field is remote IP:remote port:local port. For example, you could specify something similar to 10.1.1.1:2002:2002.

  • The driver has been disabled.

    Click the red icon for the driver on the Identity Manager Driver Overview page. You can enable the driver by using the radio buttons in the Driver Startup section of the page that displays.

    Selecting the Auto Start option is recommended.

  • Unknown communications problems. See Section 10.1.4, Tracing Identity Manager Communications.

10.1.3 Identity Manager Drivers Do Not Synchronize Objects from One Cluster to Another

If objects are not synchronizing between clusters, the problem might be caused by one of the following conditions:

  • The eDirectory daemon (ndsd) is not running on the server that contains the eDirectory master replica in the tree. To restart ndsd on the master replica server, enter the following command at its command prompt as the root user:

    rcndsd restart

  • The drivers are not running.

  • A driver is not security equivalent to an object with the necessary rights in the tree.

  • You have underscores and spaces in object names.

    eDirectory interprets underscores and spaces as the same character. For example, if you have a cluster template named iPrint Server and you try to synchronize a resource named iPrint_Server, the synchronization fails. This is because the underscore character is mapped to a space. eDirectory returns an error that the entry already exists.

  • The eDirectory partition on the Identity Manager node is incorrect.

    This partition must contain the cluster container, the DriverSet, the Landing Zone OU, and the server containers (Virtual NCP Servers, Volumes, and Pools).

  • The drivers are not communicating on the same port.

    For example, if the driver on Cluster A is listening on port 2002, the driver on Cluster B must bind to port 2002 on Cluster A in order for the driver communication to work properly.

    The format for specifying the port number in the IP address field is remote IP:remote port:local port. For example, you could specify something similar to 10.1.1.1:2002:2002.

    See Section 10.1.4, Tracing Identity Manager Communications.
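
The port rules from Section 10.1.2 (unique listening ports) and Section 10.1.3 (matching ports between clusters) can be checked before the values are entered in iManager. The following script is an added example, not part of the product or the original documentation; the function names and all sample addresses are constructed for illustration, and applying the matching rule in both directions is an assumption.

```sh
#!/bin/sh
# Added example. All addresses and ports below are constructed samples.

# parse_conn VALUE: split "remote IP:remote port:local port" and print
# "ip rport lport"; return 1 if the value is malformed.
parse_conn() {
    case "$1" in
        *:*:*:*) return 1 ;;          # more than three fields
        *:*:*) ;;
        *) return 1 ;;                # fewer than three fields
    esac
    ip=${1%%:*}; rest=${1#*:}
    rport=${rest%%:*}; lport=${rest#*:}
    [ -n "$ip" ] || return 1
    for p in "$rport" "$lport"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    echo "$ip $rport $lport"
}

# dup_local_ports VALUE...: print each local (listening) port that more than
# one driver on the same node uses; return 2 on a malformed value.
dup_local_ports() {
    ports=""
    for v in "$@"; do
        parsed=$(parse_conn "$v") || return 2
        ports="$ports${parsed##* }
"
    done
    printf '%s' "$ports" | sort -n | uniq -d
}

# pair_ok A_VALUE B_VALUE: succeed when each side's remote port is the port
# the other side listens on. Checking both directions is an assumption here;
# the text states the rule from Cluster B's side.
pair_ok() {
    a=$(parse_conn "$1") || return 2
    b=$(parse_conn "$2") || return 2
    a_r=${a#* }; a_r=${a_r% *}; a_l=${a##* }
    b_r=${b#* }; b_r=${b_r% *}; b_l=${b##* }
    [ "$b_r" -eq "$a_l" ] && [ "$a_r" -eq "$b_l" ]
}

# Cluster A's driver points at B (10.1.2.1); B's driver points at A (10.1.1.1).
if pair_ok "10.1.2.1:2002:2002" "10.1.1.1:2002:2002"; then
    echo "driver pair: ports match"
fi
```

Pass every driver value configured on one Identity Manager node to dup_local_ports; any port it prints is shared by more than one driver on that node.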

10.1.4 Tracing Identity Manager Communications

DSTrace is used to trace Identity Manager communications. In a BCC, it is generally best to trace both sides of the communication channel (both drivers).

For information about setting trace levels for driver sets, see Configuring Trace Levels in the NetIQ Identity Manager Driver Administration Guide.

For information about using ndstrace, see “Using DSTrace” in the NetIQ eDirectory Administration Guide.

The trace messages are written to the ndstrace.log file located in the directory where eDirectory is installed. By default, it is /var/nds. You might want to delete this file before starting a trace so that the events logged in the file are specific to the actions you are tracing.

To trace the communications for the BCC-specific Identity Manager drivers on a Linux BCC:

  1. Modify two attributes on both DriverSet objects:

    a. Log in to iManager as the BCC Administrator user.

    b. Click the View Objects button at the top of the iManager page.

    c. In the tree view, browse to and right-click the desired DriverSet object, then select Modify Object.

    d. Click the General tab. In the list of valued attributes, click DirXML-DriverTraceLevel, then click Edit.

    e. Ensure that the Trace Level is set to 4, then click OK.

    f. Repeat Step 1.d and Step 1.e for the DirXML-XSLTraceLevel attribute, also setting the trace level to 4.

    g. Repeat Step 1.c through Step 1.f for the other driver sets you want to trace.

  2. At the Linux terminal console, log in as the root user, then start the DSTrace utility by entering:

    /opt/novell/eDirectory/bin/ndstrace

  3. Configure DSTrace by entering:

    ndstrace inline -all +dvrs +dxml +time

  4. Exit the DSTrace utility by entering:

    exit

  5. Enable DSTrace by again entering ndstrace on at the Linux terminal console.

  6. Run the desired actions for the information you want traced.

  7. Disable DSTrace by entering ndstrace off at the Linux terminal console.

10.1.5 SSL Certificates Are Missing

If SSL certificates are not present or have not been created, Identity Manager drivers might not start or function properly.