
Troubleshooting

Understanding the limitations, log files, and explanations for common errors can help you troubleshoot the Federated Directory Server plug-in for IBM Security Access Manager.

Known limitations

This solution uses the IBM Security Access Manager Registry Direct API. It does not support adding, modifying, or deleting Global Sign On (GSO) users.

Log files

The IBM Security Access Manager synchronization process creates the following log file:

sdi_solution_dir/LDAPSync/logs/flow-ProvisionISAM.log

where flow is the name of the synchronization flow that calls the plug-in to provision IBM Security Access Manager. A history of 50 older logs is also maintained. This log usually contains more details about the problem, including the principalName and secDN for the entry that is being synchronized.

The errors that are reported by the IBM Security Access Manager provisioning process are displayed in Federated Directory Server. The logs typically contain the text afterwrite or post-write in the logged message. The logged messages usually consist of two parts, with the Federated Directory Server error printed first and followed by a second message that indicates the root cause of the error.

For example, the following error might occur after write operations:

CTGDII761E Error invoking afterwrite Hook

Sometimes, the initial message also contains the Config and AssemblyLine name, which by default is FDS_ISAM_Plugin:/AssemblyLines/ProvisionISAM.

The last part of each error report provides insights to correct the problem.
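The following script is an added example, not code from the plug-in or from IBM. It shows how to pull the two-part structure described above out of a flow-ProvisionISAM.log: the Federated Directory Server message ID first, then the IBM Security Access Manager root-cause message that follows it, plus the Config:AssemblyLine reference when it is present. The sample log lines are constructed to match the shape of the messages quoted on this page and are not real plug-in output; the message-ID pattern is an assumption based on the codes shown here (CTGDII761E, HPDAA0321E, and so on).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not real plug-in output). They follow the two-part
# shape described on this page: FDS error first, ISAM root cause second.
SAMPLE_LOG = """\
CTGDII761E Error invoking afterwrite Hook in FDS_ISAM_Plugin:/AssemblyLines/ProvisionISAM: HPDAA0321E The Distinguished Name does not map to an existing entry in the registry.
CTGDII761E Error invoking afterwrite Hook: CTGDKD262E Could not start Config Instance
CTGDIS047W Entry is not found
2024-01-01 10:00:00 INFO ProvisionISAM finished with 3 errors
"""

# Assumed message-ID shape, derived from the codes quoted on this page:
# 5-6 capital letters, 3-4 digits, then a severity letter (E, W or I).
MSG_ID_RE = re.compile(r"\b([A-Z]{5,6}\d{3,4}[EWI])\b")
# Config:AssemblyLine reference, e.g. FDS_ISAM_Plugin:/AssemblyLines/ProvisionISAM
ASSEMBLY_LINE_RE = re.compile(r"\b([A-Za-z0-9_]+:/AssemblyLines/[A-Za-z0-9_]+)")
HOOK_MARKERS = ("afterwrite", "post-write")


@dataclass
class ProvisioningError:
    fds_code: str                 # first message ID on the line (the FDS error)
    root_code: Optional[str]      # second message ID, if any (the ISAM root cause)
    root_text: str                # root-cause message text, starting at root_code
    assembly_line: Optional[str]  # Config:AssemblyLine reference, if logged
    via_hook: bool                # True when the line mentions afterwrite/post-write


def parse_provisioning_error(line: str) -> Optional[ProvisioningError]:
    """Parse one log line into its FDS error and ISAM root cause.

    Returns None for lines that carry no message ID at all (plain INFO lines).
    """
    codes = list(MSG_ID_RE.finditer(line))
    if not codes:
        return None
    fds_code = codes[0].group(1)
    root_code = None
    root_text = ""
    if len(codes) > 1:
        root_code = codes[1].group(1)
        # The root cause runs from the second message ID to the end of the line.
        root_text = line[codes[1].start():].strip()
    al = ASSEMBLY_LINE_RE.search(line)
    return ProvisioningError(
        fds_code=fds_code,
        root_code=root_code,
        root_text=root_text,
        assembly_line=al.group(1) if al else None,
        via_hook=any(marker in line for marker in HOOK_MARKERS),
    )


def triage(log_text: str) -> List[ProvisioningError]:
    """Return every parsed error in the log, in file order."""
    parsed = (parse_provisioning_error(line) for line in log_text.splitlines())
    return [err for err in parsed if err is not None]


if __name__ == "__main__":
    for err in triage(SAMPLE_LOG):
        print(err.fds_code, "->", err.root_code or "(no root cause logged)", err.assembly_line or "")
```

Run it against a real flow-ProvisionISAM.log by replacing SAMPLE_LOG with the file contents; the root_code field is what you match against the error list that follows.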

Mandatory attribute is missing from output map
The error message also includes the name of an attribute that is required by IBM Security Access Manager. You must update the map file to ensure that this value is returned.

CTGDIS047W Entry is not found
This error occurs only during incremental synchronization when a user is to be deleted from IBM Security Access Manager. It indicates that this user was not found in the IBM Security Access Manager registry.

CTGDKD262E Could not start Config Instance
This error occurs when the configuration XML file that contains the IBM Security Access Manager Provisioning AssemblyLine is not found in the sdi_solution_dir/configs folder. By default, this file is FDS_ISAM_Plugin.xml. Ensure that the configuration file is copied to this folder and try again.

HPDAA0321E The Distinguished Name does not map to an existing entry in the registry.
HPDAA0320E The Distinguished Name that is provided has incorrect syntax.
These errors indicate that the secDN attribute value is invalid.

If you set the isam.map.secDN property to compute, then check the value of the isam.user.container property. This property contains the DN of an existing container in the IBM Security Access Manager directory where user entries are written. Also, ensure that the isam.map.secDN.type property is set to either CN or UID.

If the isam.map.secDN property is set to mapFile, then ensure that the map file contains the secDN attribute. The mapping assignment must produce a syntactically correct DN value. Also, the suffix of the DN must refer to an existing container in the IBM Security Access Manager directory.
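The following checker is an added example, not part of the plug-in or of IBM's code. It applies the two rules above offline before a synchronization run: in compute mode it builds the secDN from isam.map.secDN.type and isam.user.container (the assumed form is type=value,container; the plug-in's exact construction is not documented on this page), and in mapFile mode it takes the value the map file produced. In both modes it checks DN syntax (the HPDAA0320E case) and that the suffix is a container you know exists (the HPDAA0321E case). The container o=example,c=us, the entry values, and the known_containers list are constructed for the example; it cannot query the registry, so you supply the containers that exist.

```python
import re
from typing import Dict, List, Optional, Tuple

# One RDN: attribute type, '=', non-empty value (surrounding whitespace ignored).
RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*?)\s*$")


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas (multi-valued RDNs with '+' are not handled)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> Optional[str]:
    """Canonical, lowercased form of a DN, or None if any RDN is malformed."""
    rdns = []
    for part in split_dn(dn):
        m = RDN_RE.match(part)
        if not m:
            return None
        rdns.append("%s=%s" % (m.group(1).lower(), m.group(2).lower()))
    return ",".join(rdns)


def dn_has_suffix(dn: str, suffix: str) -> bool:
    """True when dn sits directly or indirectly under suffix (case-insensitive)."""
    n_dn, n_suf = normalize_dn(dn), normalize_dn(suffix)
    if n_dn is None or n_suf is None:
        return False
    dn_rdns, suf_rdns = split_dn(n_dn), split_dn(n_suf)
    return len(dn_rdns) > len(suf_rdns) and dn_rdns[-len(suf_rdns):] == suf_rdns


def escape_rdn_value(value: str) -> str:
    """Escape the RFC 4514 special characters so the value is a valid RDN value."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def resolve_secdn(props: Dict[str, str], entry: Dict[str, str],
                  mapped_secdn: Optional[str] = None,
                  known_containers: Optional[List[str]] = None) -> Tuple[Optional[str], List[str]]:
    """Return (secDN, problems) for one entry.

    props carries isam.map.secDN, isam.user.container and isam.map.secDN.type.
    mapped_secdn is the secDN the map file produced (mapFile mode only).
    known_containers lists container DNs that exist in the ISAM directory (assumed input).
    """
    problems: List[str] = []
    mode = props.get("isam.map.secDN")
    container = props.get("isam.user.container", "")
    containers = list(known_containers or [])
    if mode == "compute":
        if normalize_dn(container) is None:
            problems.append("isam.user.container is not a valid DN: %r" % container)
            return None, problems
        rdn_type = str(props.get("isam.map.secDN.type", "")).upper()
        if rdn_type not in ("CN", "UID"):
            problems.append("isam.map.secDN.type must be CN or UID, got %r" % rdn_type)
            return None, problems
        value = entry.get(rdn_type.lower())
        if not value:
            problems.append("entry has no %s value to compute secDN from" % rdn_type.lower())
            return None, problems
        secdn = "%s=%s,%s" % (rdn_type.lower(), escape_rdn_value(value), container)
        containers.append(container)  # compute mode writes under isam.user.container
    elif mode == "mapFile":
        if not mapped_secdn:
            problems.append("map file did not produce a secDN attribute")
            return None, problems
        secdn = mapped_secdn
    else:
        problems.append("isam.map.secDN must be compute or mapFile, got %r" % mode)
        return None, problems
    if normalize_dn(secdn) is None:
        problems.append("secDN has incorrect syntax (HPDAA0320E): %r" % secdn)
    elif containers and not any(dn_has_suffix(secdn, c) for c in containers):
        problems.append("secDN %r is not under a known container (HPDAA0321E): %r" % (secdn, containers))
    return secdn, problems
```

The constructed inputs below are what the test exercises: a clean compute-mode entry, a cn containing a comma (which must be escaped, not split), a bad isam.map.secDN.type, and two mapFile values that trip the syntax and suffix rules respectively.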