test

Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

Troubleshooting Connectors

Use the information in this section to troubleshoot problems with your connectors. The information is organized as follows:

How to Determine the ID of a Connector Managing a Directory Source?

You can use one of the following methods to determine the connector ID:

Using the Central Logs

Determine the connector IDs of the directory sources being synchronized by looking in the central audit.log. At startup, the central logger logs the IDs of each connector and the directory source that it manages. Look for the last instance of the startup banner for the most recent information.

For example, in the following log message there are two connectors:


[2006/03/19 00:00:00.722 -0600] INFO    16
"System Component Information:
SysMgr_100 is the system manager (CORE);
console is the Product Console User Interface;
CNN101 is the connector that manages
[dc=example,dc=com (ldap://host1.example.com:389)];
CNN100 is the connector that manages
[example.com (ldaps://host2.example.com:636)];"

Using idsync printstat

The connector IDs and status are also available from the idsync printstat command (see Using printstat).

A sample output of this command follows:


Connector ID: CNN100
Type:     Active Directory
Manages:  example.com (ldaps://host2.example.com:636)
State:    READY
Connector ID: CNN101
Type:     Sun Java System Directory
Manages: dc=example,dc=com 
(ldap://host1.example.com:389)
State:    READY
Sun Java System 
Message Queue Status:  Started
Checking the System Manager status over the Sun Java System
Message Queue.
System Manager Status:  Started SUCCESS

How to Determine a Connector’s Current State?

You can determine the current state of the connectors involved in synchronization, using the Status pane in the Console, the idsync printstat command (as shown previously), or by looking in the central audit.log.

Search for the last message in the audit.log that reports the connector state. For example, in the following log message you can see that connector CNN101 is in the READY state.


[2006/03/19 10:20:16.889 -0600]
 INFO    13  SysMgr_100 host1
  "Connector [CNN101] is now in state "READY"."

How to Determine a Connector’s Current State describes the different connector states.

Table 12–1 Connector State Meanings

State 

Meaning 

UNINSTALLED 

The connector has not been installed. 

INSTALLED 

The connector has been installed, but it has not received its configuration. 

READY 

The connector has been installed and has received its configuration, but it has not started to synchronize. 

SYNCING 

The connector has been installed, has received its configuration, and has attempted to start synchronizing. 

What to Do if the Connector is in the UNINSTALLED State?

Install the connector.

What to Do if the Connector Install Failed but You Cannot Reinstall?

If the connector installation failed, but the Identity Synchronization for Windows installation program thinks that the connector is installed, the installation program will not allow you to reinstall the connector.

Run idsync resetconn (as described in Using resetconn) to reset the connector’s state to UNINSTALLED, and then re-install the connector.

What to Do if the Connector is in the INSTALLED State?

If a connector remains in the installed state for a long period of time, then most likely it is not running, or it is unable to communicate with the Message Queue.

At the machine where the connector was installed, look in the connector’s logs (audit.log and error.log) for potential errors. If the connector cannot connect to the Message Queue, then that error will be reported here. If this is the case, see Troubleshooting Message Queue for possible causes.

If the most recent messages in the audit log are old, then perhaps the connector is not running. See Troubleshooting Components.

What to Do if the Connector is in the READY State?

A connector remains in the READY state until synchronization has been started and all of its subcomponents have been installed and have connected to the connector. If synchronization has not been started, then start it using the Console or command line utility.

If synchronization has been started, but a connector does not enter the SYNCING state, then there is likely a problem with subcomponent. See Troubleshooting Subcomponents

What to Do if the Connector is in the SYNCING State?

If all connectors are in the SYNCING state, but modifications are not being synchronized, then verify that the synchronization settings are correct:

What to Do if the Active Directory Connector Fails to Contact Active Directory Over SSL?

If the Active Directory Connector fails to contact Active Directory over SSL and the following error message displays, restart the AD domain controller.


Failed to open connection to
ldaps://server.example.com:636,
error(91): Cannot connect to the LDAP server,
reason: SSL_ForceHandshake failed: (-5938)
Encountered end of file.

What to Do if Detecting and Applying Changes in Active Directory Fails?

If a non-admin account is used for the Active Directory connector, then the default permissions for this user are not sufficient. Some operations such as a resync process from Active Directory to Directory Server succeeds, but other operations such as detecting and applying changes in Active Directory could fail abruptly. For example, if you synchronize the deletions from Active Directory to Directory Server, then even full control is insufficient. To resolve this, you must use a Domain Administrator account for the Active Directory connector.