21.5 Deploying Identity Manager Objects

When you see an error message in Designer, the error message corresponds to the place where Designer could not complete the task, and indicates the best place to start troubleshooting. This section discusses the common problems you face when deploying Identity Manager objects into an eDirectory tree. To see error messages and possible solutions, see Section 21.5.3, Error Messages and Solutions.

21.5.1 Deployment Considerations

  • Ensure that the Metadirectory server meets the system requirements necessary to run Identity Manager. See Metadirectory Server in the Identity Manager 3.6.1 Installation Guide for requirements.

  • Ensure that the Metadirectory server you are deploying to has Identity Manager installed and holds a real copy of the objects to which you want to synchronize. The server running eDirectory must have a Master Read-Write or a Filtered Read-Write replica.

  • Ensure that the Java software installed on the server is running correctly, because Identity Manager is dependent on Java. If Java is corrupted, you might be able to deploy to a Metadirectory server but not run the Identity Manager drivers.

  • To deploy an Identity Manager-based project or an object in a project, you must have access to the eDirectory tree that is associated with the Identity Vault you are designing. Select the Identity Vault you want to deploy, then look in the Properties view below the Project/Outline view.

    Figure 21-2 The Properties View

    In the Properties view, ensure that the Identity Vault’s Name, Host Address, User DN, Password, Deploy Context’s Distinguished Name (DN), and Metadirectory information is complete and accurate. (You can click the Browse button to find the Deploy Context’s DN on an existing tree if the other information is accurate and Designer can attach to the eDirectory tree.) You need this information to deploy anything, even a policy, into an existing eDirectory tree running the Metadirectory engine.

  • Use the Deploy feature only after you have thoroughly tested the rules and policies that make up your drivers. To test a policy, use the Policy Simulator (right-click a policy and select Simulate, then click Start to see the simulation results of the policy that is being tested). For policy design, see the Policy Builder Help topics within the Designer utility.

    You can use the Import feature to import a driver, a channel, or a policy. You can then modify the object or objects, run the Policy Simulator to ensure that the object is working correctly, then deploy the object back into the test tree for further analysis. You can also run the Compare feature to see the differences between your modified driver and the driver that is currently running on an Identity Vault server.

  • In the Outline view in the Project Group view, right-click the driver object in question (you can also double-click the driver object). Use the Properties window to make most changes to drivers. Properties are unique to each driver.

    A simple driver problem is specifying the incorrect context (Distinguished DN) for an eDirectory tree. For example, the context of a user object in eDirectory is shown with the slash notation (for example, Blanston\Sales\Users) on the Properties of the Identity Manager driver or when you import the driver. However, different drivers can use formats other than the slash notation. For example, Active Directory and LDAP drivers use comma-delimited format (OU=Users,OU=Sales,O=Blanston). See the driver guides for further details on the drivers you are deploying.

21.5.2 An Example Deploy Error

When deploying an Identity Vault for the first time, there are several common sources for errors, from incorrectly typing information to not completing the driver set templates.

Figure 21-3 Default Server Container Message

Right-click the Identity Vault in the Modeler view, select Properties > Server List, then click the Edit button to edit the server information.

Figure 21-4 Correcting a Server Name Problem

21.5.3 Error Messages and Solutions

When you see an error message in Designer, the error message corresponds to the place where Designer could not complete the task and indicates the best place to start troubleshooting. This section discusses the error messages you might see when deploying Identity Manager objects into an eDirectory tree, followed by their cause and possible solutions.

Identity Vault Configuration Errors

Cannot connect to host [Identity Vault Host]; verify the address is correct and that the server is running.

Possible Cause: The address listed in the Identity Vault properties is incorrect or the server is not running.

Solution: Verify that the server address is correct and that the server is up and running.

[User] could not be authenticated to [Identity Vault Host]. Cannot proceed. 

Possible Cause: The username or password listed in the Identity Vault properties is incorrect.

Solution: Verify the username specified in the Identity Vault properties and reenter the user’s password.

Driver Configuration Errors

The driver configuration file [Driver Config File] is not a valid XML document: [Error Message]. 

Cause: The Driver Configuration file being imported from the file system does not contain a valid XML document.

Solution: Fix the Driver Configuration file format.

The XML contained the file named [Driver Config File] is not a driver configuration file. The file cannot be imported.

Cause: The Driver Configuration file being imported from the file system is a valid XML document but is not a valid driver configuration file.

Solution: Import a driver configuration file.

The following 'XML DOM Exception' was thrown.
[ExceptionInfo]

Cause: The Driver Configuration XML document is incorrectly formatted. This is probably an internal error because driver configuration files are dynamically generated by Designer for deployment.

Solution: Turn on trace for Designer. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Attempt to deploy again, then send the trace file to Novell Support.

The following 'Number Format Exception' was thrown.
[ExceptionInfo]

Cause: An integer value in the driver configuration file being deployed is invalid. All integer fields in Designer should validate the content when it is set.

Solution: Turn on trace for Designer. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again and analyze the generated driver configuration file to see if all integer attribute values are correct. Identify the incorrect parameter in Designer, correct the setting, and redeploy.

The specified driver configuration file does not contain a valid driver configuration.

Cause: Designer attempted to process a dynamically generated driver configuration file with an invalid format.

Solution: Turn on XML tracing for the Import/Deploy plug-in. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again, then send the trace to Novell Support. Otherwise, edit and correct the configuration file being imported.

Tree population is not supported from a Driver Set configuration. Tree population components will be ignored.

Cause: The driver configuration file being processed has a <ds-object> element under a <driver-set-configuration> element, which is not permitted.

Solution: If this is a dynamically generated configuration file, contact Novell Support; otherwise, move the <ds-object> element under a <driver-configuration> element.

The following Driver Set based global variables could not be resolved:
[Global Variable List]
These variables exist in both the source and target Driver Sets. The two definitions, however, have different types.

Cause: The driver configuration file being processed has global variable definitions that could not be resolved.

Solution: If this is a dynamically generated configuration file, contact Novell Support. If it is a driver configuration file on disk, check the global variable definitions.

The driver configuration file being processed does not contain a valid driver configuration.

Cause: The driver configuration file being processed does not contain a <driver-configuration> element.

Solution: If this is a dynamically created configuration file, turn on XML tracing for the Import/Deploy plug-in. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again, then send the trace to Novell Support. Otherwise, edit and correct the configuration file that is being imported.

The specified driver configuration file was only intended to be imported from a ConsoleOne command line.

Cause: The driver configuration file being processed is not a valid document.

Internal Designer Errors

An internal error has occurred in the Designer Data Model: The policy named [Policy Name] does not know its container.

Cause: The policy being deployed is not contained in a Channel or Driver object. This is an abnormal error, indicating that the Designer model has become corrupted.

Solution: Contact Novell Support.

eDirectory Access Errors

The following 'Component Creation Exception' occurred while trying to access eDirectory. 
[Exception Info]

Cause: A value contained in the driver configuration file being deployed could not be successfully created in eDirectory. This is probably an internal error because driver configuration files are dynamically generated by Designer for deployment. However, if the Driver in Designer was created by importing a driver configuration file from the file system and that configuration file contained a Tree Population Segment, a value within a <ds-object> element might be invalid.

Solution: Turn on trace for Designer. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again and analyze the generated driver configuration file to see if any <ds-object> elements exist. If they do, verify that all attribute values are correct. If no <ds-object> elements exist or if all values seem to be correct, contact Novell Support.

The following 'IO Exception' occurred while trying to access eDirectory.
[ExecptionInfo]

Cause: This is a Java exception indicating that Designer could not perform the requested input or output operation.

Solution: Contact Novell Support.

DSAccessException: 
[ExceptionInfo]

Cause: Designer could not connect to the target deployment server.

Solution: Verify that the server information specified in the Identity Vault properties page is correct and that the eDirectory server is up and running.

The following 'Namespace Exception' occurred while trying to access eDirectory. ({0})

Cause: This is a namespace exception indicating that there is a problem with the eDirectory schema, such as a missing attribute or class.

Solution: Verify that the eDirectory schema being imported from or deployed to is correct. If the driver being deployed contains Tree Population segments, verify that the objects being created are valid for the target eDirectory schema.

An exception occurred during the deployment. Cannot perform the operation.

Cause: An unknown exception was encountered.

Solution: Contact Novell Support.

The following 'Snapin Exception' occurred while trying to access eDirectory. 
[ExceptionInfo]

Cause: Snap-in exceptions can be thrown in certain methods to report exceptions or errors during import/deploy. Subclasses of a snap-in exception include:

  • NotAContainerException: There was a call to get the children of an eDirectory object that is not a container.

  • ObjectNotFoundException: The object being resolved cannot be found in eDirectory.

  • SPIException: Unable to connect to the eDirectory tree.

Solution: The exception might include the name of the object that caused the exception. Verify that the eDirectory tree being imported or deployed to is up and running and that it has Identity Manager installed.

The following exception occurred but was not handled. ({0})

Cause: An unexpected error occurred while resolving an object in eDirectory.

Solution: Contact Novell Support.

eDirectory Object/Attribute Creation Errors

The driver could not be created.

Cause: Designer attempted to create a driver in eDirectory, but the process failed.

Solution: Verify that the target eDirectory server has Identity Manager installed.

A [ObjectClass] object named [ObjectName] could not be created.

Cause: Designer attempted to create a Publisher, Subscriber, or Policy object in eDirectory, but the process failed.

Solution: Verify that the target eDirectory server has Identity Manager installed.

The driver password could not be saved.

Cause: Designer attempted to set the Driver password in eDirectory, but the request failed.

Solution: Verify that the target eDirectory server has Identity Manager installed.

The password named ''{0}'' could not be saved.

Cause: Designer attempted to set a named password in eDirectory, but the request failed.

Solution: Turn on stack tracing for the Import/Deploy plug-in to get details of the exception. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include Stack Traces.

The value for the attribute named [Attribute Name] could not be stored on the object named [Object name].

Cause: Designer attempted to add an attribute to an object in eDirectory, but the request failed. The error message should contain information about the attribute and object.

Solution: Verify that the attribute and value are valid for the given eDirectory object type.

The value for the attribute named ''{0}'' could not be updated using the XSLT on the object named ''{1}''.

Cause: Unable to export shim configuration information.

Solution: Contact Novell Support.

An exception was thrown updating the value of the [Attribute Name] attribute on the [Item Type] object named [Object Name].
[Exception Info]

Cause: Unable to deploy the Identity Manager object and attributes to eDirectory. The error message should contain details of the exception.

Solution: Contact Novell Support.

A [Object Class] object could not be created. The name is missing.

Cause: An eDirectory object could not be created for the given object class because a name was not provided.

Solution: Contact Novell Support.

The policy named [Policy Name] contains a cycle in its next transformation list.

Cause: This is a warning message generated when Designer encounters a circular loop in the policy chain.

Solution: Remove the policy loop by correcting the next policy in the Policy Set view.

The policies named [Policy name] contain cycles in their next transformation lists.

Cause: This is a warning message generated when Designer encounters a circular loop in the policy chain.

Solution: Remove the policy loop by correcting the next policy in the Policy Set view.

Driver [Driver name] could not be restarted for the deployed changes to be in effect.

Cause: Designer was unable to restart a driver after a deployment.

Solution: Turn on DSTrace screen in eDirectory to identity the error preventing the driver from starting.

Driver '[Driver Name]' is disabled and could not be restarted for the deployed changes to be in effect. 

Cause: Designer was unable to restart a driver after a deployment because its Driver Start option is set to Disabled.

Solution: Change the Driver Start option to Manual or Auto-start under the driver properties and then deploy the driver.

Driver '[Driver Name]' could not be stopped for the deployed changes to be in effect. 

Cause: Designer was unable to stop a running driver after a deployment.

Solution: Turn on DSTrace screen in eDirectory to identify the error preventing the driver from stopping.

An invalid request to set up security on an exported driver was made, no Driver objects were provided. The request cannot be processed.

Cause: The code to set up the security equivalence for a deployed driver was passed an invalid parameter.

Solution: Contact Novell Support.

Warnings

The version of Identity Manager running on the server named '[Server Name]' does not support all the features of Designer. Although you can import a configuration from that server, changes may not work if the configuration is deployed back to it.

Cause: An import or deploy action was made to an eDirectory server running an unsupported version.

Solution: The server must be upgraded for deployments.

An internal error has occurred. The parameters passed into the importer were invalid.

Cause: The code that performs the import was passed an invalid parameter.

Solution: Contact Novell Support.

The '[Attribute Name]' attribute of '[Object Name]' refers to a policy that does not exist or cannot be accessed.

Cause: The driver configuration file being processed contains a DN attribute that cannot be resolved in eDirectory.

Solution: Verify or correct the DN attribute value on the specified object in eDirectory.

An external reference to '[Object Name]' was not handled.

Cause: The driver configuration file being processed contains a DN attribute that cannot be resolved in eDirectory.

Solution: Contact Novell Support.

The XML for the policy named '[Object Name]' contained in the [Policy Type] named '[Policy Name]' does not contain valid XML for a policy. '[Root Node]' is not recognized as the root node for policy XML.
The policy is being ignored.

Cause: The policy being imported does not contain a valid XML document.

Solution: Correct the content of the policy in eDirectory.

A [Item Type] can only be imported into a [Item Type].
A [Item Type] can only be imported into a [Item Type] or [Item Type].

Cause: An attempt was made to import an Identity Manager object into an invalid parent object. For example, policies might not be imported into a Driver Set. The code should prevent this from happening, but this error identifies scenarios that were not caught.

Solution: Contact Novell Support.

An unhandled import request was encountered in DeployImporter_Import method [Object DN].

Cause: An attempt was made to import an unknown object or attribute from eDirectory. The code should prevent this from happening, but this error identifies scenarios that were not caught.

Solution: Contact Novell Support.

Could not access the driver configuration file named '[File Name]'.

Cause: Designer could not open or parse the given driver configuration file.

Solution: Contact Novell Support.

The driver filter could not be read from the driver named '[Driver Name].

Cause: Designer could not import the Driver filter.

Solution: Turn on the DSTrace in eDirectory to determine the error, then contact Novell Support.

An error was encountered processing the driver configuration file. The variable named [Variable Name] is defined more than once.

Cause: The driver configuration file has a variable that is being defined multiple times.

Solution: If you are importing a driver configuration file from a file, edit the file and remove multiple declarations for the specified variable. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. The declaration of the Node variable named [Variable Name] is invalid. The [Attribute name] attribute is missing.

Cause: The driver configuration file being processed has an invalid variable declaration.

Solution: If you are importing a driver configuration file from a file, edit the driver configuration file and correct the variable declaration. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. Flexible prompting requires a 'use-when-value' when a 'use-when-var' is specified.

Cause: The driver configuration file being processed has an error.

Solution: If you are importing a driver configuration file from a file, edit the driver configuration file and add a use-when-value for the specified use-when-var. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. Flexible prompting requires a 'use-when-var' when a 'use-when-value' is specified.

Cause: The driver configuration file being processed has an error.

Solution: If you are importing a driver configuration file from a file, edit the file and add a use-when-var for the specified use-when-value. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

The variable named [Variable Name] has been referred to but not defined in the driver configuration file being processed.

Cause: The driver configuration file has a variable that is being referenced but has not been defined.

Solution: If you are importing a driver configuration file from a file, edit the driver configuration file and add a declaration for the specified variable. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. Built-in variables cannot be used as a flexible prompting control variable. The reference to the variable named '[Variable Name]' is invalid.

Cause: The driver configuration file being processed contains an invalid reference to a variable.

Solution: If this is a dynamically created configuration file generated during an import/deploy action, contact Novell Support. If this is a driver configuration file being imported from disk, edit and correct the configuration file for the variable specified.

An error was encountered processing the driver configuration file. There was a non-checkbox reference to the checkbox variable named '[Check Box Variable name]'.

Cause: The driver configuration file being processed contains an invalid reference to a check box variable.

Solution: If this is a dynamically created configuration file that is generated during an import/deploy action, contact Novell Support. If this is a driver configuration file being imported from disk, edit and correct the configuration file for the check box variable specified.

An error was encountered processing the driver configuration file. An unhandled import prompt was encountered.

Cause: The driver configuration file being processed contains an invalid prompt type.

Solution: If this is a dynamically created configuration file that is generated during an import/deploy action, contact Novell Support. If this is a driver configuration file being imported from disk, edit and correct the configuration file.

The eDirectory tree corresponding to the Identity Vault named '[Identity Vault Name]' cannot be accessed. Directory browsing cannot be performed.

Cause: Designer attempted to access eDirectory through an eDirectory browse button in the Driver Configuration Wizard, but the connection could not be created.

Solution: Cancel out of the Driver Configuration Wizard, set up the connection parameters in Identity Vault, and run the Driver Configuration Wizard again.

The partition could not be created on the ''{0}'' object. The problem may be that it has not replicated to the master yet. You can try creating the partition manually later.

Cause: Designer attempted to create a partition when deploying a driver set and the partition operation failed.

Solution: Turn on the eDirectory tracing options for partitioning to determine why the eDirectory partitioning operation failed.

The Driver Set was created but did not replicate to all the servers in the replica ring. The deployment cannot proceed.

Cause: Designer cannot deploy per-server attributes until the driver set has replicated to the eDirectory server.

Solution: Turn on the eDirectory tracing options for replication and determine why eDirectory replication is not occurring.

There are no servers associated with the Driver Set named ''{0}''. There must be at least one server associated with any Driver Set being deployed or the Driver Set containing any objects being deployed.

Cause: Designer cannot deploy an Identity Vault or driver set with an empty server list.

Solution: Edit the properties of the Identity Vault and the driver set to add a server to the server lists.

The Identity Vault name '[Identity Vault Name]'' does not contain any Driver Set objects to deploy.

Cause: You cannot deploy an Identity Vault that does not contain at least one driver set.

Solution: Add a driver set to the Identity Vault.

'[User Name]' could not be authenticated to '[Host Name]'. Cannot proceed.

Cause: Designer could not authenticate to the eDirectory tree.

Solution: Verify that the hostname, user, and password for the Identity Vault are correct in the Identity Vault properties.

The Identity Vault named '[Identity Vault Name]' does not contain the eDirectory tree to access. Cannot proceed.

Cause: The Identity Vault does not contain a host address or DNS name for authentication.

Solution: Specify the host address or DNS name for the Identity Vault in the Properties view or Properties page.

Deploy_Util_NoIdentityVault=The {2} named ''{1}'' is not contained in an {0}. Cannot proceed.
The Identity Vault named '[Identity Vault name]' does not contain the DN of the user to authenticate to the target eDirectory tree with. Cannot proceed.

Cause: The Identity Vault does not contain a user for authentication.

Solution: Specify the user for the Identity Vault in the Properties view or Properties page.

The server list on the parent Driver Set for the following eDirectory Driver is empty. We were unable to import the connected eDirectory Driver:

Cause: Designer uses the per-server Shim Auth Server attribute of an eDirectory driver to identify the tree and connected eDirectory driver to import. Because the server list is empty, the connected eDirectory driver cannot be imported.

Solution: Fix the server list on the driver set for the eDirectory driver and the Drivers Shim Auth Server attribute in eDirectory, or import the connected eDirectory driver separately.

The Shim Auth Server parameter for the eDirectory Driver '[Driver Name]' on server '[Server Name]' is empty. We were unable to import the connected eDirectory Driver.

Cause: Designer uses the Shim Auth Server parameter of an eDirectory driver to identify the tree and connected eDirectory driver to import. If this parameter is empty, the connected eDirectory driver cannot be imported.

Solution: Fix the Shim Auth Server parameter on the eDirectory driver or import the connected eDirectory driver separately.

Unable to save Driver Configuration to file '[File Name]'.

Cause: Designer was unable to save an exported driver configuration file.

Solution: Try to save the file to a different directory or filename.

Unable to clear contents of Driver Configuration file '[File Name]'.

Cause: Designer was unable to clear the contents of a driver configuration file that is being overwritten.

Solution: Delete the configuration file being overwritten.

Setting up the Security Equals and Excluded objects may only be performed on a Driver object.

Cause: An invalid object was selected in the Modeler or Outline view.

Solution: Select a single Driver object to set up security equivalences or excluded users.

The selected Driver ''{0}'' has not been deployed or cannot be found in the eDirectory ''{1}''.

Cause: Designer cannot resolve to the Driver object in eDirectory to set up the security equivalences or excluded user list.

Solution: Deploy the driver to eDirectory before setting up the security equivalences or excluded users.

The eDirectory tree corresponding to the Identity Vault named '[Tree Name]' cannot be accessed. Setting up the Driver Security Equivalence/Excluded Users cannot be performed.

Cause: Designer cannot connect or authenticate to the eDirectory tree to set up a driver's security equivalences or excluded user list.

Solution: Verify that the eDirectory parameters specified on the Identity Vault are correct and that the eDirectory server is running.

The Identity Vault named '[Identity Vault Name]' has no deployment DN specified. It is not deployable. 

Cause: A deployment context is not specified on the Identity Vault or driver set being deployed.

Solution: Add a deploy DN (context) to the properties of the Identity Vault or Driver Set object in Designer.