Use the information in this section to troubleshoot problems with your connectors.
You can use one of the following methods to determine the connector ID:
Determine the connector IDs of the directory sources being synchronized by looking in the central audit.log. At startup, the central logger logs the IDs of each connector and the directory source that it manages. Look for the last instance of the startup banner for the most recent information.
For example, in the following log message there are two connectors:
CNN101 is a Sun Directory Connector that manages dc=example,dc=com
CNN100 is an Active Directory Connector that manages the example.com domain
[2006/03/19 00:00:00.722 -0600] INFO 16 "System Component Information: SysMgr_100 is the system manager (CORE); console is the Product Console User Interface; CNN101 is the connector that manages [dc=example,dc=com (ldap://host1.example.com:389)]; CNN100 is the connector that manages [example.com (ldaps://host2.example.com:636)];"
The connector IDs and status are also available from the idsync printstat command (see Using printstat).
A sample output of this command follows:
Connector ID: CNN100
Type: Active Directory
Manages: example.com (ldaps://host2.example.com:636)
State: READY
Connector ID: CNN101
Type: Sun Java System Directory
Manages: dc=example,dc=com (ldap://host1.example.com:389)
State: READY
Sun Java System Message Queue Status: Started
Checking the System Manager status over the Sun Java System Message Queue.
System Manager Status: Started
SUCCESS
You can determine the current state of the connectors involved in synchronization, using the Status pane in the Console, the idsync printstat command (as shown previously), or by looking in the central audit.log.
Search for the last message in the audit.log that reports the connector state. For example, in the following log message you can see that connector CNN101 is in the READY state.
[2006/03/19 10:20:16.889 -0600] INFO 13 SysMgr_100 host1 "Connector [CNN101] is now in state "READY"."
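The lookup described above, as an added example that is not part of the original documentation or the product: a Python script that reads central audit.log text, takes the connector IDs from the last startup banner, and reports the last state each connector logged and how long it has been in that state. The sample log is constructed from the message formats quoted on this page; `connector_report` and its field names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the audit.log messages quoted on this page.
SAMPLE_LOG = '''\
[2006/03/18 09:00:00.100 -0600] INFO 16 "System Component Information: SysMgr_100 is the system manager (CORE); console is the Product Console User Interface; CNN100 is the connector that manages [example.com (ldaps://host2.example.com:636)];"
[2006/03/19 00:00:00.722 -0600] INFO 16 "System Component Information: SysMgr_100 is the system manager (CORE); console is the Product Console User Interface; CNN101 is the connector that manages [dc=example,dc=com (ldap://host1.example.com:389)]; CNN100 is the connector that manages [example.com (ldaps://host2.example.com:636)];"
[2006/03/19 00:00:05.010 -0600] INFO 13 SysMgr_100 host1 "Connector [CNN100] is now in state "INSTALLED"."
[2006/03/19 10:20:16.889 -0600] INFO 13 SysMgr_100 host1 "Connector [CNN101] is now in state "READY"."
[2006/03/19 10:21:02.340 -0600] INFO 13 SysMgr_100 host1 "Connector [CNN101] is now in state "SYNCING"."
'''

TS = re.compile(r'^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4})\]')
MANAGES = re.compile(r'(CNN\d+) is the connector that manages \[(.+?) \((ldaps?://[^)]+)\)\]')
STATE = re.compile(r'Connector \[(CNN\d+)\] is now in state "(\w+)"')

def connector_report(log_text, now):
    """Map each connector ID in the last startup banner to its last logged state."""
    connectors, states = {}, {}
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue  # not a timestamped log record
        when = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S.%f %z')
        if 'System Component Information:' in line:
            # A later banner replaces an earlier one: only the last startup counts.
            connectors = {cid: {'manages': src, 'url': url}
                          for cid, src, url in MANAGES.findall(line)}
        s = STATE.search(line)
        if s:
            states[s.group(1)] = (s.group(2), when)  # later messages overwrite earlier ones
    report = {}
    for cid, info in connectors.items():
        state, when = states.get(cid, ('UNKNOWN', None))
        report[cid] = dict(info, state=state,
                           in_state_for=(now - when) if when else None,
                           needs_attention=state != 'SYNCING')
    return report

if __name__ == '__main__':
    # Constructed "current time" so the sample output is reproducible.
    now = datetime(2006, 3, 19, 12, 0, tzinfo=timezone(timedelta(hours=-6)))
    for cid, row in sorted(connector_report(SAMPLE_LOG, now).items()):
        print(cid, row['manages'], row['state'], row['in_state_for'], row['needs_attention'])
```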
How to Determine a Connector’s Current State describes the different connector states.
Table 12–1 Connector State Meanings

| State | Meaning |
|---|---|
| UNINSTALLED | The connector has not been installed. |
| INSTALLED | The connector has been installed, but it has not received its configuration. |
| READY | The connector has been installed and has received its configuration, but it has not started to synchronize. |
| SYNCING | The connector has been installed, has received its configuration, and has attempted to start synchronizing. |
Install the connector.
If the connector installation failed, but the Identity Synchronization for Windows installation program thinks that the connector is installed, the installation program will not allow you to reinstall the connector.
Run idsync resetconn (as described in Using resetconn) to reset the connector’s state to UNINSTALLED, and then re-install the connector.
If a connector remains in the installed state for a long period of time, then most likely it is not running, or it is unable to communicate with the Message Queue.
At the machine where the connector was installed, look in the connector’s logs (audit.log and error.log) for potential errors. If the connector cannot connect to the Message Queue, then that error will be reported here. If this is the case, see Troubleshooting Message Queue for possible causes.
If the most recent messages in the audit log are old, then perhaps the connector is not running. See Troubleshooting Components.
A connector remains in the READY state until synchronization has been started and all of its subcomponents have been installed and have connected to the connector. If synchronization has not been started, then start it using the Console or command line utility.
If synchronization has been started, but a connector does not enter the SYNCING state, then there is likely a problem with a subcomponent. See Troubleshooting Subcomponents.
If all connectors are in the SYNCING state, but modifications are not being synchronized, then verify that the synchronization settings are correct:
Using the Console, verify that modifications and/or creates are synchronized in the expected direction (for example, from Windows to the Sun Java System Directory Server).
Using the Console, verify that the attribute being modified is a synchronized attribute (note: passwords are always synchronized). If created user entries are not being synchronized, then verify that user creation flow is enabled in the Console.
Does the source connector detect the change to the user? Use the central audit.log to determine if the connector for the directory source where the user was added or modified detects the modification. Does the destination connector process this modification?
If the Active Directory Connector fails to contact Active Directory over SSL and the following error message displays, restart the AD domain controller.
Failed to open connection to ldaps://server.example.com:636, error(91): Cannot connect to the LDAP server, reason: SSL_ForceHandshake failed: (-5938) Encountered end of file.
If a non-admin account is used for the Active Directory connector, the default permissions for this user are not sufficient. Some operations, such as a resync process from Active Directory to Directory Server, succeed, but other operations, such as detecting and applying changes in Active Directory, could fail abruptly. For example, if you synchronize deletions from Active Directory to Directory Server, then even full control is insufficient. To resolve this, you must use a Domain Administrator account for the Active Directory connector.