|Skip Navigation Links|
|Exit Print View|
|Oracle Directory Server Enterprise Edition Troubleshooting Guide 11g Release 1 (220.127.116.11.0)|
Use the information in this section to troubleshoot problems with your connectors. This section contains the following topics:
This chapter contains the following sections:
Confirm that all of the connectors are installed. One connector must be installed for each directory source being synchronized.
Confirm that the source connector detects the change to the user. Use the central audit log to determine if the connector for the directory source where the user was added or modified detects the modification.
Verify that all connectors are in the SYNCING state using the Identity Synchronization for Windows console or idsync printstat command.
Determine if the destination connector processes the modification.
You can determine the connector ID by using the central logs or by using the idsync printstat command.
You can find the connector ID of the directory sources being synchronized by looking in the central audit log. At start up, the central logger logs the ID of each connector and the directory source that it manages. Look for the last instance of the startup banner for the most recent information.
For example, the following log entry contains two connector IDs:
CNN101 is a Directory Server connector that manages dc=example,dc=com
CNN100 is an Active Directory connector that manages the example.com domain
[2006/03/19 00:00:00.722 -0600] INFO 16 "System Component Information: SysMgr_100 is the system manager (CORE); console is the Product Console User Interface; CNN101 is the connector that manages [dc=example,dc=com (ldap://host1.example.com:389)]; CNN100 is the connector that manages [example.com (ldaps://host2.example.com:636)];"
For information about using the idsync printstat command to determine the connector ID, see Using the idsync printstat Command
You can determine the current state of the connectors involved in synchronization using the Status pane in the Identity Synchronization for Windows console, using the idsync printstat command , or by looking in the central audit log.
To use the audit log, search for the last message that reports the connector state. For example, the following audit log entry shows the connector CNN101 is in the READY state:
[2006/03/19 10:20:16.889 -0600] INFO 13 SysMgr_100 host1 "Connector [CNN101] is now in state "READY"."
Table 7-1 Definition of the Connector States
If the connector is in an UNINSTALLED state, you need to install the connector.
If a connector remains in the installed state for a long period of time, then might not be running or might be unable to communicate with the Message Queue.
On the machine where the connector is installed, look in the audit and error logs for potential errors. For example, if the connector can not connect to the Message Queue, then that error log will report the problem. If the connector can not connect to the Message Queue, see Troubleshooting the Message Queue Component for possible causes.
If the most recent messages in the audit log are old, then the connector may not be running. See Troubleshooting the Watchdog Process and Core Components for information about starting the connector.
A connector remains in the READY state until synchronization begins all of the subcomponents connect to the connector. If synchronization has not started, then start it using the Identity Synchronization for Windows console or command-line utility.
If synchronization has started and the connector does not go to the SYNCING state, then you may have a problem with one of the subcomponent. See Troubleshooting the Connector Subcomponents for more information.
If all connectors are in the SYNCING state but modifications are not being synchronized, then verify that the synchronization settings are correct.
Using the Identity Synchronization for Windows console, verify that modifications and creates are synchronized in the expected direction, for example, from Windows to the Directory Server. Also verify that the attribute being modified is a synchronized attribute. If created user entries are not being synchronized, then verify that user creation flow is enabled in the Identity Synchronization for Windows console.
Note - Passwords are always synchronized.
If you are still experiencing the problem, check if the source connector detects the change to the user. Use the central audit log to determine if the connector for the directory source where the user was added or modified detects the modification. Also verify that the destination connector processes the modification.
If the Active Directory connector fails to contact Active Directory over SSL and the following error message displays, restart the Active Directory domain controller.
Failed to open connection to ldaps://server.example.com:636, error(91): Cannot connect to the LDAP server, reason: SSL_ForceHandshake failed: (-5938) Encountered end of file.
If detecting and applying change in Active Directory fails, it may be the result of insufficient permissions. If a non-administrator account is used for the Active Directory connector, then the default permissions for this user are not sufficient. Some operations, such as a resynchronization process from Active Directory to Directory Server, succeed while other operations, such as detecting and applying changes in Active Directory, fail abruptly. For example, if you synchronize the deletions from Active Directory to Directory Server, then even full permissions are insufficient. To resolve this problem, you must use a Domain Administrator account for the Active Directory connector.