LDAP Active Sync is Hanging

Howdy all,
I'm looking for some advice on debugging an active sync issue. We are running IDM 7.0, and do a lot of processing via our LDAP active sync workflows. Currently we are experiencing an increasing amount of hung active sync threads. When looking at the active sync logs, and the jakarta tomcat logs, we don't really see any errors or clues. If we examine the Show_Provisioning debug page, we can often see that a provision thread is fetching a user from some resource when it hangs. It is not hanging up on the same user, or same resource. Has anyone experienced anything like this before? Does anyone have any ideas on good ways to debug it? I was thinking about trying to trace some of the java classes that are executing, but am not sure which ones are likely candidates. Please let me know if you have any other debugging ideas.
Thanks!

Did you set the java heap size in Tomcat?

Similar Messages

  • Active Sync process "hanging"

    Hi Experts,
    Last weekend an Active Sync task "hung" for 2 days. The Active Sync is scheduled to start every 24 hours at 8:30am.
    This morning however its status was "Started, executing" yet nothing was being logged. I would expect something as its log level is 4.
    The last time the AS was started was Friday but having the task in this state prevented the Saturday or Sunday morning runs from being executed.
    The only way to recover was to reset IdM by restarting the webserver.
    What circumstances could cause Active Sync to 'hang' like this?
    Has anyone else suffered this sort of situation and if so was the cause determined?
    Any hints or tips appreciated.

    We have experienced this behavior on a fairly frequent basis with our Active Directory Active Sync processes.
    We are not sure why the system behaves this way.
    We are in the habit of manually monitoring the active sync jobs on a daily basis.
    We have the log level set to 2 on our 11 Active Directory resources.
    We view the timestamps on the log files to determine if the Active Syncs are truly running.
    Our 11 Active Directories run every 3 hours. I note this because the time stamp on the log files should be older than 3 hours (in our case) if the Active Sync (A/S) process is truly not running.
    Here is our process when restarting the A/S.
    1. Make sure the Task SARunner:<Active Directory Resource> is running.
    a. Go to the Tasks form and get a list of All Tasks.
    b. Find the SARunner:<Active Directory Resource>. If this task is not running then you need not read any further because you will need to recycle your Web server to get the Active Syncs to run.
    2. If the Task is running.
    a. Go into Debug and edit the Active Directory Resource.
    b. Change the Polling Start Time and Polling Start Date to the desired start time. Note: Set the start time at least 10 minutes into the future. So if at 11 am you're making the change then set the polling start time to 11:10 (at a min.)
    c. Save the changes.
    3. Navigate to the resources form.
    a. Stop the Active Sync
    b. Refresh the Active Sync
    c. Start the Active Sync
    d. Refresh the Active Sync.
    Good Luck.
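
The manual timestamp check described in the reply above can be scripted. This is an added example, not part of the original post; the one-log-per-resource `<resource>.log` naming, the grace period, and the resource names are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path


def find_stalled(log_dir, resources, poll_hours, grace_minutes=15, now=None):
    """Return {resource: hours since last log write, or None if no log exists}
    for every resource whose log is older than one polling interval plus grace."""
    now = time.time() if now is None else now
    limit = poll_hours * 3600 + grace_minutes * 60
    stalled = {}
    for name in resources:
        log = Path(log_dir) / f"{name}.log"  # assumed naming convention
        try:
            age = now - log.stat().st_mtime
        except FileNotFoundError:
            stalled[name] = None  # the adapter never wrote a log at all
            continue
        if age > limit:
            stalled[name] = round(age / 3600, 1)
    return stalled


def demo():
    """Build constructed sample logs and run the check against them."""
    now = 1_700_000_000  # fixed clock so the result is reproducible
    with tempfile.TemporaryDirectory() as log_dir:
        # Constructed data: AD-East wrote 1 hour ago, AD-West 7.5 hours ago,
        # AD-North has no log file.
        for name, hours_ago in {"AD-East": 1, "AD-West": 7.5}.items():
            path = Path(log_dir) / f"{name}.log"
            path.write_text("constructed sample line\n")
            stamp = now - hours_ago * 3600
            os.utime(path, (stamp, stamp))
        return find_stalled(
            log_dir, ["AD-East", "AD-West", "AD-North"], poll_hours=3, now=now
        )


if __name__ == "__main__":
    for resource, hours in demo().items():
        detail = "no log file" if hours is None else f"last write {hours} h ago"
        print(f"STALLED {resource}: {detail}")
```

Run from cron or a monitoring agent, a non-empty result is the cue to start the restart procedure listed above.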

  • Expert pls help: Sun IDM with ldap active sync

    Hi all,
    Currently I am configuring Sun IDM 6.0 SP1 to active sync with Sun directory server. I have enabled Retro Change Log but yet I can't find my changeNumber in directory server. Could anyone show me a way (search?) to get what changeNumber directory server is currently running?

    Check the account used by IDM to access DS can search cn=changelog branch. If he is not Directory Manager, you probably need to set an ACI on that branch.
    HTH

  • Ensure 1 Active Sync process runs against the change log before all others?

    Hey folks,
    We have a lot of LDAP active sync threads. We have a primary one that correlates to an individual's account. Then we have several that represent affiliations at our organization. The affiliations are represented in LDAP as subordinates of the main person's entry. These sets of data were set up as different resource adapters because they are different object types in LDAP.
    Now we are running into a problem where the active sync threads for subordinates are running before the thread for the main entry. What this means is that an affiliation thread might run, see a new person was added and ignore it (since that isn't its resource) but find the affiliation subordinate entry and want to process it. However, the thread can't find an associated account in IDM yet, so no processing takes place on that change, ever.
    If the main account active sync thread had already run, it would see the main entry, and then make a corresponding IDM entry. If the IDM entry has been made, and the affiliation resource active sync adapter runs, it will then find the IDM entry and update that.
    So we are experiencing problems when the affiliation sync processes a new account before the main account sync process.
    Can we ensure somehow that the main account active sync process always runs first? These are all LDAP resources. If we could ensure the main account resource / sync happens before any other affiliation resource, then we would never ignore data, and would not have any problems.
    Does anyone know of a good clean way to do this?
    Thanks!

    I had a similar issue, and solved it by using post process workflows and starting and stopping resource adapters manually. This will allow you to start the first resource, and any others you want can be started/stopped manually via the workflow. You can effectively "chain" resource adapters to run in any order you'd like.
    On the first resource that you want to run before anything else, this will run as a post-process workflow:
         <Activity id='0' name='stopFirstResource'>
            <Action id='0' name='stop'>
              <expression>
                <block name='stop'>
                  <invoke name='stopActiveSyncOnResource' class='com.waveset.session.SessionUtil'>
                    <ref>displaySession</ref>
                    <s>%%FIRSTRESOURCENAME%%</s>
                  </invoke>
                </block>
              </expression>
            </Action>
            <Transition to='Process Errors'>
              <ref>WF_ACTION_ERROR</ref>
            </Transition>
            <Transition to='startSecondResource'/>
          </Activity>
          <Activity id='1' name='startSecondResource'>
            <Action id='0' name='start'>
              <expression>
                <invoke name='startActiveSyncOnResource' class='com.waveset.session.SessionUtil'>
                  <ref>displaySession</ref>
                  <s>%%SECONDRESOURCENAME%%</s>
                </invoke>
              </expression>
            </Action>
            <Transition to='Process Errors'>
              <ref>WF_ACTION_ERROR</ref>
            </Transition>
            <Transition to='end'/>
          </Activity>
    This will stop the first one (after it has run) and start the second one.
    Then, on the post process workflow of the second resource:
          <Activity id='1' name='stopSecondResource'>
            <Action id='0' name='stop'>
              <expression>
                <block name='start'>
                  <invoke name='stopActiveSyncOnResource' class='com.waveset.session.SessionUtil'>
                    <ref>displaySession</ref>
                    <s>%%SECONDRESOURCENAME%%</s>
                  </invoke>
                </block>
              </expression>
            </Action>
            <Transition to='Process Errors'>
              <ref>WF_ACTION_ERROR</ref>
            </Transition>
            <Transition to='end'/>
          </Activity>
    This stops the second one.

  • Unassign resources from lighthouse during active sync

    I have a requirement to unassign resources during terminations. In the LDAP active sync user form, I tried the following code. It did not work, whereas disable and unlink work with this code.
    <FieldLoop for='name' in='waveset.accounts[*].name'>
    <Field name='resourceAccounts.currentResourceAccounts[$(name)].unassign'>
    <Expansion>
    <s>true</s>
    </Expansion>
    </Field>
    </FieldLoop>
    <FieldLoop for='name' in='waveset.accounts[*].name'>
    <Field name='update.resourceAccounts.currentResourceAccounts[$(name)].unassign'>
    <Expansion>
    <s>true</s>
    </Expansion>
    </Field>
    </FieldLoop>
    Any help will be appreciated.
    Thanks,
    Farooq

    Hi Farooq,
    I have a requirement, to unlink a resource account (user has multiple AD accounts) where 'dn' comes dynamically in WorkFlow.
    I shall be thankful for any help,
    Shadab

  • How Create LDAP Group Inside Active Sync Form?

    I have an Active Sync form that is working well to synchronize (and slightly massage) data from an Active Directory source to a Sun Directory Server destination.
    I need to synchronize group information from AD to DS. It must automatically create groups during the Active Sync processing. It can't be done externally using another scripting language; it must be done within IdM.
    I have the following code...
    <Action id='0' application='com.waveset.provision.WorkflowServices'>
    <Argument name='op' value='createResourceObject'/>
    <Argument name='object'>
      <Object>
      <Attribute name='resourceId' value='DS'/>
      <Attribute name='resourceName' value='DS'/>
      <Attribute name='resourceType' value='LDAP'/>
      <Attribute name='objectName' value='abcd'/>
      <Attribute name='attributes'>
        <Object>
        <Attribute name='cn' value='abcd'/>
        <Attribute name='groupType' value='abcd'/>
        </Object>
      </Attribute>
      <Attribute name='objectType' value='group'/>
      <Attribute name='objectId' value='CN=abcd,ou=Groups,dc=blah,dc=com'/>
      </Object>
    </Argument>
    <Argument name='objectType' value='group'/>
    <Argument name='resourceId' value='DS'/>
    </Action>
    However with that code inside the <Field><Expansion>...</Expansion></Field> section the group is not created. I've enabled tracing and as best I can determine the code isn't even executed.
    I have created resource schemas for accounts[DS].ldapGroups and accounts[AD].groups and that works well. I can read group memberships from those lists. However I can't simply append to those lists to automatically create groups (which would be nice). That's why I've gone down this path of attempting to create the groups programmatically.
    I've scoured the groups and the course notes and found nothing relevant here. The examples all refer to creating the groups within an interactive form. I'm trying to do the same within the <Field> section of an Active Sync form.

    TTSLSAB wrote:
    Hi Vladimir,
    can you please tell me what I should import in the Java class in order to avoid the below error (session) for the line
              Resource resource = (Resource)session.getObject(Type.RESOURCE, resId);
              ResourceAdapter ra = ResourceOp.findAdapter(resource, session.getCache());
    Error, which I am getting is
    Exception in thread "main" java.lang.Error: Unresolved compilation problems:
         session cannot be resolved
         session cannot be resolved

    session is your LighthouseContext handle so depending on how you are implementing the class you quoted, you will either need to pass it in, for example via the invoke tag from your form/workflow, or get your own - don't know how this is done but I'm assuming authenticating to IdM would have to be done.
    For all those interested, I have implemented the Java code snippet listed by Vladimir in XPRESS.
    idmSessionHandle - is the LighthouseContext for the current session
    currentOUDN - is a string representing the AD DN of the OU to be created
                    <defvar name='resourceAdapterHandle'/>
                    <set name='resourceAdapterHandle'>
                      <invoke name='findAdapter' class='com.waveset.provision.ResourceOp'>
                        <ref>resourceObject</ref>
                        <invoke name='getCache'>
                          <ref>idmSessionHandle</ref>
                        </invoke>
                      </invoke>
                    </set>
                    <defvar name='newOUGenericObject'/>
                    <set name='newOUGenericObject'>
                      <new class='com.waveset.object.GenericObject'>
                        <map>
                          <s>objectId</s>
                          <ref>currentOUDN</ref>
                          <s>objectType</s>
                          <s>Organizational Unit</s>
                        </map>
                      </new>
                    </set>
                    <invoke name='createObject'>
                      <ref>resourceAdapterHandle</ref>
                      <ref>newOUGenericObject</ref>
                      <new class='java.util.HashMap'/>
                    </invoke>
    [...]
    Although the above works well, to create OUs in AD, I have not yet tested its real life application with regards to the initial mass loading of users (from LDAP (auth source) to IdM to AD) and ActiveSyncing. My concerns are two threads attempting to create the OU at roughly the same time, the first succeeds, and second one fails because AD will reply with the fact that the object already exists. The workaround would be to do a recheck of the existence of the OU, after a failure was encountered. This ties into exception handling in general in this approach.
    If anyone can contribute exception handling and possibly a create with retries approach, to the above code, I'd appreciate it.
    Cheers.
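
The create-then-recheck workaround and the retry handling requested in the post above, as an added example that is not part of the original thread and is not IdM or XPRESS code. `FakeDirectory`, `AlreadyExists`, `TransientError` and `ensure_ou` are hypothetical stand-ins for the resource adapter and its errors, and the DN is constructed.

```python
import threading
import time


class AlreadyExists(Exception):
    """Stand-in for the directory's 'object already exists' reply."""


class TransientError(Exception):
    """Stand-in for a timeout or dropped connection."""


class FakeDirectory:
    """Constructed in-memory directory (hypothetical, not the IdM adapter API)."""

    def __init__(self, fail_first=0):
        self._lock = threading.Lock()
        self._entries = set()
        self.create_calls = 0
        self._fail_first = fail_first  # first N creates fail transiently

    def exists(self, dn):
        with self._lock:
            return dn.lower() in self._entries

    def create(self, dn):
        with self._lock:
            self.create_calls += 1
            if self.create_calls <= self._fail_first:
                raise TransientError(dn)
            if dn.lower() in self._entries:
                raise AlreadyExists(dn)
            self._entries.add(dn.lower())


def ensure_ou(directory, dn, retries=3, delay=0.05):
    """Create dn if absent. Returns 'created' or 'present'."""
    for attempt in range(1, retries + 1):
        try:
            directory.create(dn)
            return "created"
        except AlreadyExists:
            # Lost the race to another thread. Recheck, as the post suggests,
            # so an unexpected error is not silently treated as success.
            if directory.exists(dn):
                return "present"
            # Reported as existing but not found: retry the create.
        except TransientError:
            if attempt == retries:
                raise
        time.sleep(delay * attempt)  # linear backoff between attempts
    raise RuntimeError(f"could not create or confirm {dn}")


def race(dn, workers=8):
    """Release `workers` threads at once against one directory."""
    directory = FakeDirectory()
    barrier = threading.Barrier(workers)
    results, results_lock = [], threading.Lock()

    def worker():
        barrier.wait()  # maximise overlap between the create calls
        outcome = ensure_ou(directory, dn)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results), directory.create_calls


if __name__ == "__main__":
    print(race("OU=Sales,DC=example,DC=com"))  # constructed DN
```

Only the "already exists" reply is treated as a benign outcome, and only after the recheck confirms the object; any other failure is retried a bounded number of times and then surfaced to the caller.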

  • Active sync : process selection values are not persistent

    Hi,
    Version: IDM : 6
    I am attempting to provision Oracle user accounts through an IDM active sync process running against an AD LDAP server.
    I want to use default forms/views supplied by the IDM product, and configure active sync to use my custom workflow on create/update events.
    I was not able to save my workflow for any of the events in the process selection module of active sync configuration.
    This is what I did..
    ======================================================
    Active sync in (advanced mode) ->Process Selection
    Process Mode      
    Use the event type to determine the process / workflow ? (enabled)
    Create -> (from available workflows i select my custom workflow ) save
    ======================================================
    After saving my changes, I again re-visited active sync -> process selection to confirm my changes.
    I do not see my saved workflow for create, but I see "default" as selected.
    Is assigning custom workflows through actives syncs process selection allowed?
    If Yes, How do i preserve my active sync-> process selection configurations?
    Thanks
    Edited by: idm_new_user on Jun 3, 2008 9:44 AM

    Hi Chapo,
    Thanks for trying to help me out...
    Issue is not with assigning my custom form to my active sync process, it works that way... (I can achieve AD->IDM->ORACLE provisioning) using custom form/workflow... I now want to use forms/workflow shipped out of box by the IDM product to achieve provisioning of Oracle accounts (Target) with Active Sync configured on AD (source). I am having issues with this configuration... I am not sure it even works out of box without editing any forms/workflows !!!
    What I now want to achieve is a partial customization, i.e. use forms supplied out of box by IDM's active sync process, and ONLY use my custom workflows to do create/updates...
    This is what i am trying to do, for an active sync configured on AD resource in advanced mode.
    Find the AD LDAP resource under the Resources tab.
    Then check the box on the left hand side.
    Now select "edit Active Sync process" from the drop down box.
    In the active sync ->process selection view...select "use event type to determine the process/workflow ?"
    and assign my custom workflows for create/update events...
    After saving this, I revisit to confirm my changes... only to find that they get lost/replaced by "default".
    So, my question is how do I configure an active sync to use my workflow on create/update events... without using my custom forms? If the "process selection" module of the active sync wizard is the way to do this, how can I save my configurations?

  • Can't get mobile device to auto configure the active sync server

    Hello
    I am trying to get my customer mobile devices to auto configure the active sync server name so they don't have to type it in. I believe I have everything in place. Certificates are fine. I populated the external url on the active sync object in Exchange.
    DNS is set up correct. I ran the Exchange Connectivity Analyzer and it runs perfectly. The only test step it fails on is the first attempt to contact the autodiscover service using just the domain name and that is because we have a record in DNS so our domain name points to our public web server but all the other tests run fine. At the end, it even displays the xml file contents and shows me the external url of the active sync object.
    I get a successful run but it first shows the SSL certificate of our public Web site and then hangs on the server config and then prompts me to enter in the server name and domain. My external url in Exchange looks like this:
    https://remote.domain.com/Microsoft-Server-ActiveSync
    Any Help??
    Eddie

    Thank you for replying but there is already an internal A record that points to the Exchange server. Firewall, DNS external and internal are set up like this:
    Firewall:
    Port 443 and 25 points to Internal IP of our Exchange 2013 (only mail server in company).
    Port 80 not open.
    External DNS records:
    autodiscover.mydomain.com → points to our WAN IP
    remote.mydomain.com → points to our WAN IP
    mydomain.com → points to external online webhosting
    Internal DNS records:
    autodiscover.mydomain.com → points to our Exchange 2013 internal IP
    Remote.mydomain.com → points to our Exchange 2013 internal IP
    mydomain.com → points to external online webhosting
    Test from "ExchangeConnectivityTest.com" is Successful but with warnings.
    Warnings are about https://mydomain.com/AutoDiscover/AutoDiscover.XML because https://mydomain.com is pointing to website, which is hosted externally.
    Eddie

  • Active Sync Not Starting

    Getting this crazy error:
    Error starting #ID#C4C490642F5489B6:309EE1:106A49D3C08:-7FFB.Source adapter management is initializing.
    Obviously the first bit is the resource adapter's ID. This problem just suddenly started happening after a restart and no changes to the RA configuration. Thankfully it's a test box...
    Anyway, when we try and start the adapter we get this error and in the WebLogic logs we see this:
    Exception in Scheduler thread:
    com.waveset.util.InternalError: Item 'TaskInstance:SARUNNER:#ID#C4C490642F5489B6:142C63F:1069A84A3C0:-7FC6(id=null)' object is null.
    com.waveset.util.InternalError: Item 'TaskInstance:SARUNNER:#ID#C4C490642F5489B6:142C63F:1069A84A3C0:-7FC6(id=null)' object is null.
    Weird that it thinks the object is null seeing as how we'd made no changes to the RA. Has anyone seen this error?

    We had a similar problem on the production environment with the same error as listed on the original post. After struggling for almost 2 work days and the weekend, the issue was that the AD gateway service hung, and restarting the gateway service started all the active sync processing again.
    The basic problem is that no error is logged related to the Gateway service (either on IDM side or on the AD server), and the active sync processing thread will hang in execute mode trying to connect to AD. No proper error led us all over the place starting with the database resource which the active sync was running against.
    So check that all the applicable resources are responding before getting deeper into Active sync debugging.

  • Active sync performance?

    I understand the issues with initial loads of data. What I am trying to determine is the performance of active sync when one data source has a large update. For example if idm is syncing an LDAP with AD and I update 10k users in LDAP, how long does it take for AD to be updated by idm? Does idm's design intent take into account batch or bulk updating?

    We have had issues with performance and activesyncs.
    For activesyncs, update every minute on change seems to be the most efficient way.
    Bulk Loads, Import/Exports and Reconciliation take days for 90K user datastores. Reports take forever.
    Our workarounds have been to sometimes update datastores outside of IdM through JavaDAO and StoredProcs in SQL.

  • How to engage Shell Script resource action in an Active Sync workflow.

    A little background, at my organization I have IDM set up simply to recognize changes in LDAP and transmit those changes, via active sync, to AD. We don't yet use the IDM interface to make any changes to users, instead we use external interfaces that we have written to make changes to LDAP which then get picked up via Active Sync and synchronized to AD. However, in addition to AD, there are several other resources that we would like to gradually wrap into this active sync workflow via native and custom resource adapters. Currently I am working on a simple Shell Script resource to manage Linux home directories. I have written all the necessary code and created the resource itself within IDM. This all seems to work, I can create, delete, disable, etc.. users in our Linux environment from the IDM interface.
    Here is the problem, I would like to integrate the creation, deletion, enabling, disabling, etc.. of users into the same Active Sync workflow that engages whenever a change is made to LDAP. This way, whenever a user is created in LDAP (and consequently AD), that user will be granted a home directory in Linux. Unfortunately it seems that Shell Script Resources are not enabled for Active Sync. Any ideas on how one might accomplish this?
    Thanks in advance.

    Thank you for the prompt reply. Funny thing is that I have been banging my head on this problem for a couple weeks now (this is my first attempt at real customization ... ). I finally got desperate and decided to reach out for help. After I posted this message I came to a realization that ended up solving the problem for me, go figure.
    For anyone in my place I can relate what I ended up doing, simple as it was. Keep in mind, of course, that this is a highly customized environment that I am working in so the specifics probably won't apply. What I basically did is I found an LDAPCreateUserProcess form that gets invoked when Active Sync is run. For all I could tell, this simply processed the new attributes that came through Active Sync and related them to their lighthouse / AD counterparts. But I noticed a line like this:
    <Field name="waveset.resources">
    <Expansion>
    <filterdup>
    <appendAll>
    <ref>waveset.resources</ref>
    <s>AD</s>
    </appendAll>
    </filterdup>
    </Expansion>
    </Field>
    and simply added the name of my shell script resource under the <s>AD</s> line. That was it.
    Anyway, thanks bobm53, I can now get on with my life :-)

  • Active Sync running when a change occurs on the target resource

    Does anyone have any insight on if I can configure an Active Sync to run when a target resource attribute changes? In the docs I only see manual running and scheduled running.
    Thanks
    Edited by: robspierre19 on Jan 25, 2008 12:35 PM

    Hello.
    Keep in mind that Sun IdM connects to resources via agent-less, over-the-wires connection. As such, there's no agent or software running on the managed system to "alert" IdM that a native change was made (e.g. a target resource attribute change).
    ActiveSync is in most cases a form of polling -- it periodically checks for native changes. How it checks depends on the resource. In some cases, it checks change logs (LDAP), in some cases it checks a last-modified flag (e.g. DB table), in some cases it looks for an HRMD_A message (SAP HR), etc.
    The Manual and Scheduled (Automatic) is how you want the ActiveSync process to start -- e.g. automatically start when IdM starts (Application Server is booted) or start only when you manually select it to start. The polling frequency is configurable for every ActiveSync adapter in the ActiveSync Wizard (Resources tab).
    Does that make more sense?

  • Active Sync Not Stopping

    I had an issue this AM with my active sync hanging. I had the JVM restarted as active sync was not responding. The active sync is still not responding even though the jvm has been stopped and re-started.
    I did notice that under the active state there is a SPE Sync:stopped.
    If I try to restart it, it tells me the policy is disabled.
    Is this causing my active sync issue?
    How do I re-start the SPE?
    Thanks!

    Don't bother about SPE Sync:stopped.
    For AS just go to All tasks and delete the SARunner task related to your AS, like SARunner:Active Sync, and then try to start.

  • Active sync ms exchange not showing body message

    Hello I got a problem regarding exchange active sync.
    I got an email account based on office 365, works fine on any other apple devices but does not on an iphone 5s 32 gb.
    It receives emails with big delay and does not show body message (charging mail...charging mail ...and then hangs without any reason).
    Tried to re make the account and tested on other devices works fine. I'm getting mad.
    Any other mail account (gmail) works fine. Tried right now on another iphone and it works!
    The iphone with the problem's got 7 gb free space.
    Any help?

    Ale,
    I have the same problem!!!!!!!! With the iphone 5s 32 gb and ios 7.1.2
    On iphone 5 with ios 7.0.x works fine
    Any help please!!

  • Zenprise software and exchange active sync is no longer working with my work email

    Has anyone resolved this issue yet? I use Zenprise to allow my email to communicate with my work server. The account and set up is correct and I reenrolled to ping the server. I discussed this with my company's support center. However, my company no longer sees my phone trying to communicate with the server. I also use active sync to sync up the email. Both are not working and did work fine before the ICS upgrade. I did everything Verizon told me to do. Such as clear out cache, etc.
    If my phone can not be fixed, I should receive a free upgrade to Apple (since Android is not working). I should not have to pay for a new phone. Verizon, please fix the software or send me a new Apple phone.

    Hello all - I have good and bad news.   The good news is after I deleted both my unique Office365-based exchange accounts and then re-added one, I was asked to allow some policy that allows my company to wipe the device, etc., etc.   That allowed the first one to work, and the second one set up without issue too.   I'm most pleased to have my device working, but my 'fix' isn't too revolutionary so probably not very helpful to you.   I did try the Touchdown app for a bit the other day, but was disappointed that it could only do one account at a time and didn't have the comprehensive cross-account calendar, from what I could tell.  Also, my apologies for possibly polluting the thread but I do not use Zenprise; my phone (although company-issued) is a base Android.  Good luck with your issues and let's hope any other OS upgrade is far, far into the future.
