Problems with Connectivity
This section describes DirX Identity connectivity errors that can occur and the steps to take to solve the problem.
General Problems
This section describes problems that can occur with different agents and the steps to take to solve the problem.
Imported Groups Cannot Be Assigned
Indication:
After running an initial load or validation workflow in Tcl-based technology, the imported groups cannot be assigned to users.
Reason:
The Tcl-based workflows do not set the "User Assignment Possible" flag by default. In contrast, the Java-based workflows set this flag by default.
Solution:
Change the mapping of the Tcl-based workflows to set this flag.
Insufficient Memory for Java Agents
Indication:
Running a Java-based application can result in an "Insufficient memory" message.
Reason:
Each Java application starts up with a fixed maximum memory definition (if none is specified, 64 MB is used by default). DirX Identity uses 256 MB as the default.
Solution:
If you run into this problem, adjust the corresponding parameter -Xmx of the Java application.
Specify an appropriate value for the parameter -Xmx. For the definition of this parameter, see the file Xusage.txt. (Search for this file in the DirX Identity installation.)
SSL Flag at Service Objects for LDAP Connections
Indication:
The SSL flag in service objects is not used.
Reason:
The SSL flag is not used in service objects for LDAP connections.
Solution:
If you need to configure an SSL connection to an LDAP server, set the SSL flag in the corresponding bind profile and be sure that the secure port in the service object is set.
Workflow does not End
Indication:
Workflows hang and sometimes run into time out. A specific activity does not end correctly.
Reason:
A buffer overrun occurred either in stdout or stderr. DirX Identity can handle output on these two channels only up to 32 KB. If larger output is generated on these channels, communication between the agent controller and the agent is broken. As a result, the agent controller waits until timeout. Nevertheless, the agent has completed its tasks and ended correctly.
Solution:
The channels stdout and stderr are not designed to be used for a large amount of output data. Use regular files instead for this type of output. A common cause is using puts in Tcl to output some debug information to stdout or stderr.
To check that this is the real error cause, copy all files of the erroneous run from the status area back to the work area and start the agent by hand. Redirect the output to a file and check whether the file is too large (> 32 KB).
Rewrite your application so that it does not produce a large amount of output to stdout or stderr. For meta controller applications, open a regular file and write this information to it.
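The manual check described above (start the agent by hand, redirect its channels to files, compare the file sizes with the 32 KB limit) can be scripted. The following is an added example, not DirX Identity code; it assumes the agent can be started as an ordinary command line in the work area directory, and NOISY_AGENT is a constructed stand-in process that writes about 44 KB of "debug" output so the check has something to find.

```python
import os
import subprocess
import sys
import tempfile

# DirX Identity only handles this much output on stdout and stderr before
# communication between agent controller and agent breaks (figure from the text).
CHANNEL_LIMIT = 32 * 1024


def run_and_capture(cmd, workdir=None):
    """Start the agent by hand with stdout and stderr redirected to files.

    Returns (exit_code, stdout_path, stderr_path). The files are left in place
    so they can be inspected, just like a manual redirection would leave them."""
    out_fd, out_path = tempfile.mkstemp(prefix="agent_stdout_", suffix=".log", dir=workdir)
    err_fd, err_path = tempfile.mkstemp(prefix="agent_stderr_", suffix=".log", dir=workdir)
    with os.fdopen(out_fd, "wb") as out, os.fdopen(err_fd, "wb") as err:
        rc = subprocess.call(cmd, stdout=out, stderr=err, cwd=workdir)
    return rc, out_path, err_path


def check_channel_sizes(stdout_path, stderr_path, limit=CHANNEL_LIMIT):
    """Measure both channel files and name the ones above the limit."""
    sizes = {
        "stdout": os.path.getsize(stdout_path),
        "stderr": os.path.getsize(stderr_path),
    }
    sizes["too_large"] = [name for name in ("stdout", "stderr") if sizes[name] > limit]
    return sizes


def diagnose(cmd, workdir=None):
    """Run the agent and report exit code plus channel sizes in one dict.

    A clean exit code together with an oversized channel is exactly the
    symptom described above: the agent finished, the controller timed out."""
    rc, out_path, err_path = run_and_capture(cmd, workdir)
    result = check_channel_sizes(out_path, err_path)
    result["exit_code"] = rc
    return result


# Constructed stand-in for an agent that is too chatty on stdout:
# 4000 "debug" lines (about 44 KB) to stdout, one short line to stderr.
NOISY_AGENT = [
    sys.executable, "-c",
    "import sys; sys.stdout.write('debug line\\n' * 4000); sys.stderr.write('done\\n')",
]

if __name__ == "__main__":
    report = diagnose(NOISY_AGENT)
    print(report)
    if report["too_large"]:
        print("move this output to a regular file:", ", ".join(report["too_large"]))
```

Replace NOISY_AGENT with the real agent command line (and pass the work area as workdir) to reproduce the check from the text; an exit code of 0 combined with a non-empty too_large list confirms the buffer overrun as the cause.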
Java-Based Workflow Problems
This section describes problems that can occur with Java-based workflows and the steps to take to solve the problem.
Attribute is not Synchronized even though Specified in Mapping
Indication:
You have added a mapping entry in a channel, for example a direct mapping from source attribute displayName to target attribute description in an account channel to an LDAP target system, but the attribute is not synchronized to the target system.
Reason:
The join engine can only perform the mapping if the source attribute displayName is contained in the selected attributes list of the corresponding Identity account channel. If displayName had already been contained as a target attribute in the mapping to Identity, which is true for most attributes, this error would not have occurred.
Solution:
To add the attribute displayName to the source selected attributes list, follow the link to the corresponding Identity account channel and add a dummy mapping to displayName as target attribute (if no real mapping is wanted for that attribute), for example by mapping a constant value to displayName, and set the readOnly flag.
Starting Transport Workflows on Java-based Server
Indication:
It is not possible to start transport workflows on a Java-based Server. The error message is:
ERROR: 'The first argument to the non-static Java function '…' is not a valid object reference.'
FATAL ERROR: 'Could not compile stylesheet'
Reason:
The TransformerFactory FEATURE_SECURE_PROCESSING flag enabled on a Java-based Server prevents the use of XSLT extension functions.
Setting of the flag is driven by the presence of a custom security manager. Whenever one is set (System.setSecurityManager()), the flag is turned on and cannot be switched back. This "limitation" comes with Java 7.
Solution:
Start transport workflows from batch.
SharePoint Connector Problems
This section describes problems that relate to SharePoint Connector operation and how to solve them.
Content is not allowed in prolog.: 404 FILE NOT FOUND
Indication:
The logging of the SharePoint Connector, which is contained in the Java server log file if run inside a workflow, states that even though a connection to the SharePoint server was made successfully, the search on the specified site fails with the above error code.
Reason:
The reason for this error code is an incorrect server URL (property "Site URL" of the SharePoint Provisioning ClusterTarget System "Server Connection" tab).
Solution:
Depending on your Windows domain DNS configuration it is important that you specify the server URL in the appropriate form, which can be either a short server name form, like
or a fully qualified server name form, like
or just a form without any server name, like
You must try out the forms to find the one that fits your environment.
org.xml.sax.SAXException: Premature end of file
Indication:
The logging of the SharePoint Connector, which is contained in the Java-based server log file if run inside a workflow, states that even though a connection to the SharePoint server was built up successfully, the search on the specified site fails with the error code above.
Reason:
The reason for this error code is an incorrect password (property "bind account" of the SharePoint Provisioning ClusterTarget System "Server Connection" on a clustered SharePoint target system or the password of the Bind Profile of the Connected Directory on a non-clustered target system).
Solution:
Specify the correct password.
java.net.SocketException: Connection reset
Indication:
The SharePoint Connector log, which is contained in the Java-based Server log file if run inside a workflow, states that the connection during a validation or synchronization workflow has been reset due to a java.net.SocketException and the workflow was aborted.
Reason:
The reason for this error is that the "Unlimited Strength Java Cryptography Extension Policy Files" JRE extension has been installed in the JRE the Java-based Server runs with.
Solution:
If JRE version 8 is used, the Unlimited Strength Java Cryptography Extension (JCE) package should not be installed. Only the limited JCE should be installed; this version is installed by default when installing a JRE. If JRE version 7 is used, both limited and unlimited variants of JCE can be used.
Tcl-Based Workflow Problems
This section describes problems that can occur with Tcl-based workflows and the steps to take to solve the problem.
ADS Agent
This section describes problems that relate to ADS agent operation and how to solve them.
Secure Authentication in Bind Profiles
Indication:
When you set the Use Secure Authentication flag in the bind profile, you can set user passwords, but binding to the deleted objects container fails if the agent runs on a Windows NT machine.
Reason:
Due to a Microsoft bug in the ADSI Version on Windows NT, a bind to the deleted objects container fails when the Use Secure Authentication flag is set.
Solution:
If you want to be able to set user passwords and also get deleted objects, use different bind profiles for ADS Import and Export when running on Windows NT. Set the flag in the bind profile used for import (note that if you set this flag, the username must be specified in the form domainname\username on Windows NT) and do not set it in the bind profile used for export.
Exchange 5.5 Agent
This section describes problems that relate to Exchange 5.5 agent operation and how to solve them.
Stored Mailbox Resources
Indication:
When a mailbox is deleted, the stored resources are not deleted and become orphaned.
Reason:
Due to a Microsoft bug, the stored resources are not deleted if an Exchange 5.5 mailbox is deleted using the ADSI/LDAP API. They are only deleted using the DAPI API or the Exchange Administrator Tool.
Solution:
- To identify orphaned mailbox resources, run the consistency adjuster with the Exchange Administrator Tool. Select: YourServer→Properties→Advanced→Consistency Adjuster.
- Check all private information store checkboxes, set the filter to all inconsistencies, then click OK.
- The Consistency Adjuster runs and recreates the orphaned objects under their original Recipients container. You can now delete them with the Exchange Administrator Tool. You can also recreate an orphaned object in its original context by creating the same deleted mailbox with the Exchange Agent and then deleting it with the Exchange Administrator Tool.
Meta Controller
This section describes problems that relate to meta controller operation.
Exit Code 4
Indication:
During workflow execution, a metacp job exits with exit code 4, and the report, trace, or process info file of the related status entry contains no or not enough information about the reason for the problem.
Reason:
There is a serious syntax error in a Tcl script involved in the job, for example, a missing opening brace in a script.
Solution 1:
Run the workflow again. If this action does not provide more information, try solution 2.
Solution 2:
- For each Tcl script in the related job, ensure that the Copy to Status Area flag in the File item tab is checked.
- Run the workflow again.
- Copy the generated files from the status area into the work area (the directory workpath/workflowDisplayName/activityDisplayName).
- Open an MS-DOS command prompt window (or a UNIX shell) in the work area directory and rerun the Tcl scripts:
  metacp
  metacp>source control.tcl
  (error output will be displayed here)
  metacp>exit
- Analyze the error output. If the error output is related to the DirX Identity default scripts rather than to your customizations, inform your DirX Identity support service about the problem. Otherwise, fix the problem in your scripts. Proceed with solution 3.
Solution 3:
Set debug_scripts = 1 in the central control script, rerun the workflow and view the file workpath/workflowDisplayName/activityDisplayName/dump.txt.
If the error output in this file is related to the DirX Identity default scripts rather than to your customizations, inform your DirX Identity support service about the problem. Otherwise, fix the problem in your scripts.
Don’t forget to reset the debug_scripts switch in the central control script after you have fixed the problem.
Solution 4:
If none of the methods just described provides enough information, you need to insert additional debug statements (like puts…, meta writetrace…, trace_out…) in order to find and fix the problem.
GUID Generation Fails
Indication:
During GUID generation (adding an entry) this message is displayed:
# {GUID not set by mapping => create it now !}
# {*** object cn=uid-a127359-6ecbe6a6-10499aaf3d5--7ff5,dxmC=uid-a127359-6ecbe6a6-10499aaf3d5--7ff6,dxmC=uid-a127359-6ecbe6a6-10499aaf3d5--7ff7,dxmC=uid-a127359-6ecbe6a6-10499aaf3d5--7ff8,dxmC=Connected Directories,dxmC=DirXmetahub not found ***}
Reason:
The start value to generate the next GUID value is not set.
Solution:
Specify the attribute dxmActualGUIDvalue at the target connected directory to the required value. (Specify 1 if this is the first entry, otherwise specify the highest number + 1 of existing GUIDs in the directory.)
metacp and Additional LDAP Attribute Names
Indication:
During execution of metacp jobs in Tcl-based workflows, metacp does not recognize additional attribute names if the number of attributes to be synchronized is greater than 64. In this case, LDAP attributes that have been defined in the schema with not only a primary name but also additional attribute names are not handled correctly.
Reason:
In order to tune performance, metacp simply requests all attributes instead of specifying longer attribute lists explicitly. The search result contains the primary LDAP attribute names which are not necessarily identical to related additional attribute names.
Solution:
Use primary LDAP attribute names (attribute configuration, mapping) in these jobs instead of additional attribute names. As a short-term workaround in a production environment, perform the following change in the file init.metacp: set the Tcl variable _md_req_attr_limit to the value -1 instead of 64. The file is located in install_path/bin (Windows) or install_path/client/conf (UNIX), respectively. Remember to check this setting again whenever you repeat the installation of the release or a related service pack.
metacp and Operational Attributes
Indication:
During execution of metacp jobs in Tcl-based workflows, metacp does not recognize operational attribute names if the number of attributes to be synchronized is greater than 64.
Reason:
In order to tune performance, metacp simply requests all attributes instead of specifying longer attribute lists explicitly. Therefore, the search result doesn’t contain operational attributes.
Solution:
As a short-term workaround in a production environment, perform the following change in the file init.metacp: set the Tcl variable _md_req_attr_limit to the value -1 instead of 64. The file is located in install_path/bin (Windows) or install_path/client/conf (UNIX), respectively. Remember to check this setting again whenever you repeat the installation of the release or a related service pack.
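The same init.metacp workaround is named in this section and in the preceding one on additional LDAP attribute names, together with the reminder to re-check it after every reinstallation or service pack. The following added example (not DirX Identity code) reads and patches that setting; it assumes the variable is set in the file with a plain Tcl line of the form set _md_req_attr_limit 64, and SAMPLE is a constructed excerpt rather than the real file.

```python
import re

# Assumed line form in init.metacp (Tcl syntax for a Tcl variable):
#   set _md_req_attr_limit 64
# Group 1 keeps everything before the number, group 3 any trailing comment.
_LIMIT_RE = re.compile(
    r"^(\s*set\s+_md_req_attr_limit\s+)(-?\d+)(\s*(?:;.*)?)$", re.MULTILINE
)


def read_attr_limit(init_metacp_text):
    """Return the configured _md_req_attr_limit, or None if the line is missing."""
    m = _LIMIT_RE.search(init_metacp_text)
    return int(m.group(2)) if m else None


def set_attr_limit(init_metacp_text, value):
    """Return the file text with _md_req_attr_limit set to value.

    Refuses to patch silently: if the line is not there, nothing is changed
    and a ValueError tells the operator to look at the file by hand."""
    new_text, count = _LIMIT_RE.subn(
        lambda m: f"{m.group(1)}{value}{m.group(3)}", init_metacp_text
    )
    if count == 0:
        raise ValueError("no 'set _md_req_attr_limit' line found in init.metacp")
    return new_text


def needs_workaround(init_metacp_text):
    """True when a fresh install or service pack has restored a limit other than -1."""
    return read_attr_limit(init_metacp_text) != -1


# Constructed excerpt standing in for install_path/bin/init.metacp (Windows)
# or install_path/client/conf/init.metacp (UNIX).
SAMPLE = """# constructed excerpt of init.metacp
set _md_req_attr_limit 64
set _md_some_other_var 1
"""

if __name__ == "__main__":
    print("current limit:", read_attr_limit(SAMPLE), "needs workaround:", needs_workaround(SAMPLE))
    print(set_attr_limit(SAMPLE, -1))
```

Run needs_workaround over the real file after each reinstallation; only apply set_attr_limit to a copy you have read first, since the regular expression is written against the assumed line form and not against the shipped file.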
metacp Hangs
Indication:
The initial configuration hangs in one of the steps:
- “Connectivity schema and data configuration”
- “Provisioning schema and data configuration”
- “Sample domain configuration”
- “Create customer domain …”
or when running Tcl workflows in the MSS, the workflow hangs.
Reason:
When running metacp using a Tcl script, metacp hangs if the meta controller flushes messages either to stdout or stderr by means of an fprintf operation. Such an fprintf operation conflicts with the native Tcl I/O handling by means of puts. This situation appears if certain environment variables are set that force metacp to output trace information on stderr.
Solution:
Run metacp in a DOS box or UNIX shell and check whether metacp flushes messages to stderr. If so, unset the environment variables: check all environment variables that start with the prefix DIRX_ and unset those that are not absolutely necessary.
Tcl Comment Problems
Indication:
Sometimes people find that Tcl behaves differently than they expect (often because of the way some other language acts in a similar situation). They then think this unexpected behavior is a bug. Probably the most common occurrence of this is in regard to comments.
Reason:
In Tcl, everything passed to the parser must have proper list structure, even comments (and comments are passed to the parser, unlike in some languages, where they are stripped at an earlier stage). Generally, this means you need to make sure your braces are evenly matched, even though they may be on a line that is commented out.
Solution:
- Unbalanced braces:
  For example, you have an if statement that tests a certain condition, but you want to try testing a different condition. You comment out the old condition and type a new if statement. This code will cause an error that there is a missing close-brace:
  ## WRONG
  if { $newflag } {
      # if { $oldflag } {
      puts hello
  }
  In this case, you have to balance the braces, for example:
  ## CORRECT
  if { $newflag } {
      # if { $oldflag } {
      puts hello
      # }
  }
- Comment Continuation:
  Another interesting point about comments in Tcl is that the line continuation mechanism still applies, so:
  # This is a comment line that ends with a backslash \
  and this line is still part of the comment
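The brace rule above, and the "missing brace in a Tcl script" cause of metacp exit code 4 in the Meta Controller section, can both be checked before a workflow is run. The following added example is not part of the DirX Identity documentation or product: it is a deliberately small model of how the Tcl parser counts braces (comment lines are not stripped, a backslash escapes the next character, backslash-newline continues a comment) and ignores quoting subtleties; WRONG, CORRECT and CONTINUED are the fragments from the text, written out as constructed strings.

```python
def brace_balance(script):
    """Count { and } the way Tcl's parser sees them.

    Comment lines are NOT stripped first, and a backslash escapes the next
    character (so \\{ does not count and backslash-newline joins two lines).
    Returns (depth at end of script, line of first unmatched close brace or None);
    a positive depth is the "missing close-brace" error from the text."""
    depth, line, first_unmatched_close = 0, 1, None
    i = 0
    while i < len(script):
        ch = script[i]
        if ch == "\\":
            if i + 1 < len(script) and script[i + 1] == "\n":
                line += 1
            i += 2  # skip the escaped character
            continue
        if ch == "\n":
            line += 1
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0 and first_unmatched_close is None:
                first_unmatched_close = line
        i += 1
    return depth, first_unmatched_close


def naive_brace_balance(script):
    """What a programmer used to C-style comments expects: drop every line
    that starts with '#' and count braces in what is left."""
    kept = [ln for ln in script.splitlines() if not ln.lstrip().startswith("#")]
    return brace_balance("\n".join(kept))[0]


def comment_spans(script):
    """(first_line, last_line) of each comment; a backslash at the end of a
    comment line continues the comment onto the next line, as in Tcl."""
    lines = script.splitlines()
    spans, i = [], 0
    while i < len(lines):
        if lines[i].lstrip().startswith("#"):
            start = i
            while lines[i].endswith("\\") and i + 1 < len(lines):
                i += 1
            spans.append((start + 1, i + 1))
        i += 1
    return spans


def diagnose(script):
    """Side-by-side view: Tcl's count versus the naive expectation."""
    tcl_depth, bad_close = brace_balance(script)
    return {
        "tcl_depth": tcl_depth,
        "naive_depth": naive_brace_balance(script),
        "first_unmatched_close_line": bad_close,
        "comments": comment_spans(script),
    }


# Constructed fragments in the shapes given in the text.
WRONG = """## WRONG
if { $newflag } {
    # if { $oldflag } {
    puts hello
}
"""

CORRECT = """## CORRECT
if { $newflag } {
    # if { $oldflag } {
    puts hello
    # }
}
"""

CONTINUED = """# This is a comment line that ends with a backslash \\
and this line is still part of the comment
puts ok
"""

if __name__ == "__main__":
    for name, fragment in (("WRONG", WRONG), ("CORRECT", CORRECT), ("CONTINUED", CONTINUED)):
        print(name, diagnose(fragment))
```

For WRONG the naive count is balanced while the Tcl count ends one brace deep, which is the discrepancy that makes people report a "bug"; run diagnose over each Tcl script of a failing job to find the one metacp refuses to source.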
Warnings are not Logged
Indication:
Warnings are not logged at all.
Reason:
Logging of warnings depends on the trace level "Variable trace".
Solution:
Select a trace level that comprises Variable trace.
Workflows Run Too Slowly
Indication:
The meta controller activity, especially in import workflows, seems to run very slowly compared with the number of entries to be produced.
Reason:
A possible reason can be searches for attributes that are not indexed.
Solution:
- Check your filter condition for attributes that are not indexed.
- Set the indexes in the directory.
XML Parse Error
Indication:
A 'parse error' message is displayed when the meta controller (metacp) reads an XML file.
Reason:
The export parser has detected an incorrect XML file.
Solution:
Use an XML editor or viewer to check the file before you read it with the meta controller. For example, use Microsoft Internet Explorer.
Windows NT Agent
This section describes problems that relate to Windows NT agent operation and how to solve them.
Error 87: Invalid Parameter
Indication:
Running an import operation with the Windows NT meta agent on a Windows 2000 or Windows XP machine generates the error message:
Error 87: Invalid Parameter
Reason:
The AccountType in the initialization (*.ini) file is set to 1. This functionality is not supported on Windows 2000 and Windows XP.
Solution:
Set the AccountType in the initialization file to 0.
RPC Server is Unavailable
Indication:
Error message in the file report.log:
The RPC server is unavailable
Reason:
This error occurs if the host name and the machine name of your machine differ.
Solution:
- Start DirX Identity Manager.
- In the expert view, select Configuration → Services → NT Service and enter the computer name into the Server Name field.
Lotus Notes Agent
This section describes problems that relate to Lotus Notes agent operation and how to solve them.
Password Reading from File
Indication:
Lotus Notes / Domino Agent shall read the password automatically from a file.
Reason:
Administrative requirement.
Solution:
Perform this administrative step:
Specify the extension manager by extending the section [Notes] in the file notes.ini:
[Notes]
EXTMGR_ADDINS=nextpwd.dll
The location of notes.ini depends on the version of your Lotus Notes client:
- Version 4.6.3: the file is located in the Windows directory.
- Version 5.x and 6.x: the file is located in the Lotus Notes client directory.
ODBC Agent
This section describes problems that relate to ODBC agent operation and how to solve them.
Errors in Old ODBC Workflows
Indication:
ODBC Agent enhancements may cause errors in old ODBC workflows.
Reason:
In older versions it was sometimes necessary to specify a column in the tablename.columnname format; using abbreviations was not possible. The new version of the agent provides full support for abbreviations.
If you have used SQL column names identical to an abbreviation, this may result in strange SQL error messages: the column name is interpreted as an abbreviation and the long form of the abbreviation is inserted in the SQL statement. If you turn on SQL tracing, you will see the generated SQL statement.
Solution:
Use abbreviations in your configuration.
Example:
- Part of attribute configuration:
  Abbr:AccountID Name:Accounts.ID Prefix:'AccountID:' Suffix:'\012' Rec-Sep:'' Mrule:- Encryption:N
  Abbr:GroupID Name:Groups.ID Prefix:'GroupID:' Suffix:'\012' Rec-Sep:'' Mrule:- Encryption:N
  Abbr:MembershipAccountID Name:Memberships.AccountID Prefix:'MembershipAccountID:' Suffix:'\012' Rec-Sep:'' Mrule:- Encryption:N
  Abbr:MembershipGroupID Name:Memberships.GroupID Prefix:'MembershipGroupID:' Suffix:'\012' Rec-Sep:'' Mrule:- Encryption:N
  Abbr:MembershipID Name:Memberships.ID Prefix:'MembershipID:' Suffix:'\012' Rec-Sep:'' Mrule:- Encryption:N
- The old from clause:
  from (Groups LEFT JOIN Memberships ON Memberships.GroupID=Groups.ID) LEFT JOIN Accounts ON Accounts.ID=Memberships.AccountID
  worked fine in former versions. Now the above configured "from clause" results in the following SQL "from clause":
  from (Groups LEFT JOIN Memberships ON Memberships.Groups.ID=Groups.ID) LEFT JOIN Accounts ON Accounts.ID=Memberships.Accounts.ID
  which results in the SQL error "too few parameters".
- Change the "from clause" to:
  from (Groups LEFT JOIN Memberships ON MembershipGroupID=Groups.ID) LEFT JOIN Accounts ON Accounts.ID=MembershipAccountID
  Here Groups.ID and Accounts.ID still have the table.column format.
  Alternatively you can use:
  from (Groups LEFT JOIN Memberships ON MembershipGroupID=GroupID) LEFT JOIN Accounts ON AccountID=MembershipAccountID
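The substitution that turns Memberships.GroupID into Memberships.Groups.ID can be modelled to check a "from clause" before it reaches the driver. The following added example is not ODBC agent code: it assumes, from the result shown above, that the agent replaces every identifier matching an abbreviation by its long name even when a table qualifier already precedes it; ABBR is the abbreviation table from the attribute configuration above, and the three clauses are the ones discussed there.

```python
import re

# Abbr -> Name pairs from the attribute configuration shown above.
ABBR = {
    "AccountID": "Accounts.ID",
    "GroupID": "Groups.ID",
    "MembershipAccountID": "Memberships.AccountID",
    "MembershipGroupID": "Memberships.GroupID",
    "MembershipID": "Memberships.ID",
}

# The old clause that broke, and the two corrected variants from the text.
OLD_FROM = ("from (Groups LEFT JOIN Memberships ON Memberships.GroupID=Groups.ID) "
            "LEFT JOIN Accounts ON Accounts.ID=Memberships.AccountID")
NEW_FROM = ("from (Groups LEFT JOIN Memberships ON MembershipGroupID=Groups.ID) "
            "LEFT JOIN Accounts ON Accounts.ID=MembershipAccountID")
ALT_FROM = ("from (Groups LEFT JOIN Memberships ON MembershipGroupID=GroupID) "
            "LEFT JOIN Accounts ON AccountID=MembershipAccountID")

_IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
_NESTED = re.compile(r"\b\w+\.\w+\.\w+\b")


def expand_abbreviations(clause, abbr=ABBR):
    """Assumed model of the agent's substitution: each whole-word identifier
    that is an abbreviation becomes its long name, regardless of whether a
    'Table.' qualifier already precedes it."""
    return _IDENT.sub(lambda m: abbr.get(m.group(0), m.group(0)), clause)


def nested_qualifiers(sql):
    """Three-part names (table.table.column) left behind by a double
    expansion; these are the fields the driver then cannot resolve."""
    return _NESTED.findall(sql)


def check_from_clause(clause, abbr=ABBR):
    """Expand the clause as the agent would and list the resulting problems."""
    expanded = expand_abbreviations(clause, abbr)
    return {"expanded": expanded, "problems": nested_qualifiers(expanded)}


if __name__ == "__main__":
    for label, clause in (("old", OLD_FROM), ("new", NEW_FROM), ("alt", ALT_FROM)):
        result = check_from_clause(clause)
        print(label, "->", result["expanded"])
        print("     problems:", result["problems"] or "none")
```

Both corrected clauses expand to exactly the SQL the old clause used to produce, while the old clause itself now yields the two nested names that the driver reports as "too few parameters".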
MS Access: Too Few Parameters
Indication:
The error occurs during export of data from the ODBC database. An ODBC Microsoft Access Driver is used. The following message is logged:
SQLExecDirect failure state=07002 native error=-3010 error message=[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.
Reason:
The SQL query requests a field that is not present in the database. The field is defined in the attribute configuration of the ODBC database object and used in the source selected attributes.
Solution:
Define the necessary field(s) in the ODBC database.
SAP R/3 HR Agent
This section describes problems that relate to SAP R/3 HR agent operation and how to solve them.
Extras / Copy Export
Indication:
Activating the menu action 'Extras/Copy Export' on an R/3 release 4.7 system results in a pop-up info box that has to be confirmed.
Reason:
The info states that the SAP R/3 HR agent uses an old but otherwise still supported R/3 download functionality. Nevertheless, the Copy Export function works.
Solution:
You can ignore this message. This is an R/3 issue.
SAP R/3 UM Agent
This section describes problems that relate to SAP R/3 UM agent operation and how to solve them.
Other Languages
Indication:
For languages other than English or German, the export of the text description of profiles or roles in a CUA environment does not work correctly. The default workflow does not export this attribute.
Reason:
Incomplete implementation.
Solution:
Change the workflow to export this attribute if you work with English or German texts.
SAP EP UM Agent
This section describes problems that relate to SAP EP UM agent operation and how to solve them.
Setting User Passwords in SAP EP
Indication:
In DirX Identity 7.0B and 7.0B service packs, the handling for setting and modifying a user password in SAP EP through the “Ident_SAPEPUM_Sync” workflow (setting a password on account creation) and the “setPassword in SAP EP UM” workflow (modifying a password) is not easy. If not handled correctly, you can get the error message
“could not update user WRONG_PASSWORD” in the Java server's log file.
Reason:
In SAP EP, a password can only be modified when the old password is also passed in the modify request. Therefore, the setPassword workflow for a password modification passes as old password the value that the Sync workflow set when creating the target system account. This is not easy because, in 7.0B and its patches, the Sync workflows for all target systems use the account attribute “dxrPassword” to set the password on account creation in the target systems, whereas the setPassword workflows use the dxmPassword attribute of the account for password modification. Starting from version 7.0C, the Sync workflows also use the dxmPassword attribute.
Solution:
When an account is created for a user in Identity, for example through an assigned privilege, ensure that dxrPassword, which is calculated by a JavaScript on account creation, has the same value as the dxmPassword attribute of the account and the user, or is set to that value afterwards. Then start the Sync workflow, which creates the account in SAP EP with the password in dxrPassword. If the user password is then requested to be changed, for example by the WebCenter, an event is generated with the old password taken from dxmPassword of the user, matching the password now existing in SAP EP, and the newly requested password, which results in a correct update of the user's password in SAP EP.
Windows Password Listener Problems
This section describes Windows Password Listener errors that can occur and the steps to take to solve the problem.
User Data Empty Error Message in Event Viewer
Indication:
In rare situations, the Event Viewer can show this message:
One or all parts of the user data are empty.
Reason:
This error situation is temporary. The incomplete file is resolved during the next processing cycle of the Windows Password Listener service.
Solution:
Ignore this type of error.