If you have been using Identity Manager for any length of time, you will have been spending a lot of time using Designer for Identity Manager. Designer is a big improvement over using iManager for everything in some ways, and has some weaknesses in other areas. That is life I guess, nothing is ever perfect.
One neat thing about Designer is that is an Eclipse based application, (Called an RCP (Rich Client Platform) project) that is really Eclipse, slightly repackaged to allow it to run as a standalone application. If you have been using Designer long enough you will remember that it began as an add on to Eclipse and each time there was a new release you would have to install Eclipse and install the plugins on top of that. I forget when they switched to an RCP app, but I suspect it was probably around version 3 something or other.
At that point, it was easy to forget it was Eclipse based. However some people never forgot.
There are a number of plugins people have written for Designer, which are really just Eclipse plugins, specific to Designer.
I thought it would be interesting to review some of them in case people were not aware of them. (My experience is that most IDM folk are NOT aware of these plugins). Some are very useful and some only have minor use cases (though very useful minor use cases).
First up is by a guy whose name I cannot spell properly, so excuse the likely type, Stefaan Van Cauwenberge.
I highly recommend you go there and look. He has his Generic File Driver, which is just plain excellent and miles better than the NetIQ Delimited text driver. He has a Package Unlocker which is very useful if you have 'lost' ownership of a Package and need to make a new version. He has an association editor which replaces the functionality of DAModifier as a plugin to Designer.
All these tools are great, and very useful but the one I want to talk about today he calls the Enhanced Trace plugin.
You may not know, but if you have a Designer project and click on the Server object in the outline view, there was a Live Trace option, to see the Dstrace, sort of the way you would see it in iMonitor. (Every eDirectory server runs a web server on port 8028 cleartext and 8030 SSL that allows you to enable Dstrace there.) I use this regularly for LDAP server, NMAS tracing and many other things. For IDM tracing it is less useful since every driver that is tracing is shown interleaved on one screen. As hard as it can be to read Dstrace of an event that loops back on the publisher channel even as the subscriber channel event is completing, imagine it with every driver tracing that way.
You could of course turn down trace on all the other drivers but that is a pain when you are tracing something that bounces between drivers or when you have to work with others at the same time. Another upside is you get the colors in the trace that the Java trace files do not generate.
Normally I would always tell you to enable Java trace files to use Dstrace without hesitation, but some of that is because I have been spoiled by working with IDM on Unix/Linux platforms almost exclusively for years now. I just had to start working on a Windows eDirectory/IDM implementation and had completely forgotten how terrible the state of file readers on Windows is. Sure I could install Cygwin to get less, but the customer was not that interested in installing it.
After being frustrated using trace in text editors for a while I threw in the towel and decided to try Stephaan's plugin, which I had looked at months earlier. Using the built in trace this way is not helpful because of the interleaving of all the trace files together.
But Stefaan's plugin has some nice features that make this work much better.
Then you simply do a Check for Package updates in Designer's Help menu and away you go, there it is in the list just like a Package update, and when you select it and restart Designer, not much has visually changed.
If you right click on a server object in the Outline View and now select Live Trace, you see a similar window to before, but it has new features you will enjoy.
When you do this the first time, you may fail to connect. Earlier versions of this plugin did not work with SSL, so you would have to change the configuration of the LDAP server on eDirectory to allow non-TLS binds. This is annoying, but since this is work done in a development lab this is not so bad. When I first started, I noticed that I was using a slightly older version and I upgraded via the Package Update method, and the release notes do not mention the SSL issue. So I wonder if he fixed it in this release, but since I am too lazy to go turn SSL back on, and try to connect I do not know the answer. (Leave a comment if you know please!).
The next minor annoyance is that I get told that the server does not have a hostname field set, and it is using the IP address instead. At least there is a tick box to avoid showing the same message again. I initially thought this was related to having an IP Number but not DNS name in the server object, but Stefaan corrected me. Rather it is the Server object in Designer is lacking an IP or DNS value. Therefore there is no connection information. Instead it will look at the connection info you entered at the Tree level in Designer and use that to connect.
This is perfectly fine, if you have a single IDM server running drivers. If you had two or more, then you would connect to only the one defined at the tree level, and not be able to get trace from the second server. You would have to go edit the server object in the Outline view and enter a hostname. I thought Designer would go get it, but I was wrong. It does not seem to fill it in, itself.
The connection will use the information in the server object to find the IP address or hostname. It will use the Identity Vault driver set configuration, to which the server is assigned, to read the credentials to bind with.
Interestingly enough, this is all done over LDAP using extensions NetIQ added to eDirectory to allow reading Dstace via LDAP extensions. To me that seems a bit crazy, but it works quite nicely. This topic came up in the context of Designer 4.6 which was in beta a while ago (still waiting for an update) that replaces the NCP connections that Designer normally uses with LDAP connections. This is important, since VPNs and NAT cause issues with NCP and LDAP can handle them better. Additionally the hold up on running Designer on Macintosh computers was related to porting NICI to run on the Mac. (NICI - Novell International Cryptographic Infrastructure is used to handle encryption of many things, including passwords in eDirectory. NMAS, and JClient depend upon it to work). If you wanted to make NCP connections on a Mac you would need Jclient to work, which needs NMAS, which needs NICI. NetIQ decided it would be easier to change Designer to use LDAP than to port that stack to the Mac, which is an interesting comment. Now it is also possible that the benefit for VPN and NAT users made LDAP the better choice anyway.
However, NCP is a pretty interesting protocol with lots of interesting extensions, and IDM uses a whole bunch of them. If you want to just replace NCP with something else you need to handle the things NCP can do. In preparation for this, years ago, the LDAP extensions to eDirectory where enhanced to support much of the functionality that NCP has. (I never confirmed if it was 100% or stuff was missed, which would be important to know what if anything was missed.
I wonder if we see hints of this in that dxcmd reports that it is running in NCP mode, which makes me wonder if it has an LDAP mode, in which case, it is likely using the LDAP Extensions to allows starting/stopping drivers and whatnot.
Thus the Dstrace plugin and the enhanced Dstrace plugin use the LDAP extensions to get the information from eDirectory.
When you open the Live Trace window you get a boring display at first, just wait and events will come in and then it gets interesting. On the right hand side window you see the interleaved window sort of like you would before, or in iMonitors Dstrace screen. Nothing helpful here. Well sort of. You will notice along the top a Timestamp, Tracename, Thread, and message set of columns. The trace is broken down (or maybe parsed) into these columns, alas you cannot sort on them. If you click on a message there is an option to copy the message. No timestamp, trace name, etc. Much cleaner, if that is what you want. If you click on an XML bit in the trace there are more options:
Copy message Copy (XML) details Copy message and (XML) detail
If you select the XML details, then in one click you get the entire XML message in your buffer. This is much easier than trying to snag the beginning and end of the XML. Alas for messages, it is one at a time, and not easy to bulk select a segment of messages and XML. Oh well. I use that all the time to collect error messages for my articles but I will figure out a way around that I guess.
This is all a nice improvement but the magic is in the left hand pane, the Outline view has a filter, and you can select all or any one of the drivers to see. You can expand the driver name and see the PT, ST, ET, and ?? (Pub Thread, Sub Thread, Engine Thread, and stuff Stefaan is not sure what it should be called, usually related to driver startup). Thus you segregate events into their channels to look at. Drill down another level and you see all the events, as individual events you can drill further into, down to the policy set and each step as it goes through trace.
This is pretty awesome, and the right hand side will jump to the right spot, but if you are collecting trace it will continue to scroll which is annoying. You can stop trace, but then it stops collecting, I have asked for an enhancement to pause trace instead.
However you do not need to care. Right click in the left hand Outline view on a node, event or subevent (Not channel) and there is an Open menu. Try it and enjoy!
Now you see just this one event in a details screen. You see the policy flow view and can click on it to jump to that part of the trace. If you right click on a policy set, it shows the rules that fired in that set and you can jump to them as well.
This is just plain amazingly useful. Of course there are issues, and seemingly obvious enhancements. (How about showing the elapsed time of each event? How cool would that be?).
If you do a Direct command (add-src-attr when="direct") it gets mixed up in the middle, which is fine. But realize it won't get its own sub event in the flow.
If you have ever been paging through a complicated trace to debug and need to see a specific point but could never find a good search term to use, this will make you very happy.
It is hard to describe but go use it, and you will be very pleasantly surprised. I highly recommend this plugin. Especially if your eDirectory is running on Windows.
UPDATE: Stefaan read this and had a couple of comments. I will note them here, and go edit them in up above where they belong: 1) ET is engine thread. 2) ?? is stuff he does not know what it does. It is related to engine startup that logs events that are not really classified in a channel or as part of the engine. 3) My understanding of the no hostname message is wrong. It is not that the Server object is missing a DNS name, rather it has neither IP nor DNS name, and thus the Designer project's tree level info is used instead. If you only have a single server, this is exactly what you want. If you have two or more, this is an issue you should fix since it means you won't be able to connect to the proper server to get trace data.
Have you found out anything on the SSL issue? When I try to connect I get a com.novell.ldap.LDAPException: Confidentiality Required error. Changing the configuration of the LDAP server on eDirectory to allow non-TLS binds is not an option for me.
Can you try setting the ID Vault properties with the following: * useLDAPSecureChannel: true, * ldapSecurePort: 389 The plugin uses TLS (not SSL) when setting useLDAPSecureChannel to true, but uses the ldapSecurePort (which is by default configured for SSL, not TLS).