Description:
This technical document describes the contents of the summary log of a DSA.
Solution:
The summary log shows a summary of every operation handled by a DSA during a single day, in a one-line-per-operation format. Each line contains three major fields: "Request Header", "Request Summary" and "Result Summary". The "Request Header" field can be further broken up into three subfields: "Date/Time", "Operation ID" and "Operation Type".
The example below shows these fields.
20090112.034228 #000.024 SEARCH : 5 deep base-object no-filter : 1 entries 1 attrs
20090112.034228 #000.025 (SEARCH) : 6 deep one-level complex : Name Error 1
+-----------------------------+   +--------------------------+   +---------------+
        Request Header                  Request Summary           Result Summary
+-------------+ +------+ +----+
   Date/Time      opId    Type
Explanation of fields
The main fields of the summary log are separated by a colon (:).
Request Header
The header consists of three fields separated by a space. These are:
Date/Time
This is the approximate time that the request was responded to. The format is YYYYMMDD.HHmmss in the machine's local time zone.
opID
This is the internal operation id. The format is the association Id (client connection) followed by the invoke id (sequential id for a given client).
Type
This is the type of operation that was done. If the operation name is in parentheses then the request failed.
Request Summary
This is a summary of the arguments or the nature of the arguments for the operation.
Example:
5 deep base-object no-filter
means that the search was a base-object search that was 5 levels deep and contained no filter.
Result Summary
This is a summary of the result of the operation. If the directory operation did not complete due to an error the result summary contains a description of the error encountered. Descriptions of the possible errors are listed below in "Operation Error Summary".
Example:
1 entries 1 attrs
means that the search returned 1 entry and 1 attribute contained in that entry.
Operation Error Summary
Note: The following errors, explanations and examples are taken from the X.511 standards. Not all the errors are possible with CA Directory and many of the examples are not applicable.
The operation error summary contains the error category possibly followed by an error problem number.
The possible error categories that may be returned are:
- Abandoned
- Abandon Failed
- Attribute Error
- Name Error
- Referral
- Security Error
- Service Error
- Update Error
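The field layout described above can be parsed mechanically. The following is an added example, not code from CA Directory or from the original document: it splits each line into the three colon-separated fields, flags failed operations by the parentheses around the type, and counts "Security Error" results per association ID. The function names, the " : " separator assumption and the last three sample lines are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Error categories exactly as listed on this page.
CATEGORIES = ("Abandoned", "Abandon Failed", "Attribute Error", "Name Error",
              "Referral", "Security Error", "Service Error", "Update Error")

# The first two lines are the page's own examples; the rest are constructed.
SAMPLE = [
    "20090112.034228 #000.024 SEARCH : 5 deep base-object no-filter : 1 entries 1 attrs",
    "20090112.034228 #000.025 (SEARCH) : 6 deep one-level complex : Name Error 1",
    "20090112.034301 #007.001 (SEARCH) : 6 deep one-level complex : Security Error 3",
    "20090112.034302 #007.002 (SEARCH) : 6 deep one-level complex : Security Error 3",
    "not a summary line",
]

def parse_line(line):
    """Parse one summary-log line into a dict; return None if it is malformed."""
    # Assumption: the main fields are separated by " : " and the first two
    # fields never contain that sequence themselves.
    parts = [p.strip() for p in line.split(" : ", 2)]
    if len(parts) != 3:
        return None
    header = parts[0].split()
    if len(header) != 3 or not header[1].startswith("#") or "." not in header[1]:
        return None
    try:
        when = datetime.strptime(header[0], "%Y%m%d.%H%M%S")  # machine local time
    except ValueError:
        return None
    assoc_id, invoke_id = header[1][1:].split(".", 1)  # kept as strings
    rec = {"time": when, "assoc_id": assoc_id, "invoke_id": invoke_id,
           "type": header[2].strip("()"),
           "failed": header[2].startswith("(") and header[2].endswith(")"),
           "request": parts[1], "result": parts[2],
           "category": None, "problem": None}
    for cat in CATEGORIES:
        if parts[2].startswith(cat):
            rest = parts[2][len(cat):].strip()
            rec["category"] = cat
            rec["problem"] = int(rest) if rest.isdigit() else None
            break
    return rec

def security_errors_by_association(lines):
    """Count 'Security Error' results per client association ID."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["category"] == "Security Error":
            counts[rec["assoc_id"]] += 1
    return counts
```

A run of security errors on one association ID in a short time window is the pattern worth alerting on; the problem number is reported as logged and is not mapped to a problem name here.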
Abandoned
This outcome may be reported for any outstanding directory enquiry operation (i.e. Read, Search, Compare, List) if the DUA invokes an Abandon operation with the appropriate InvokeId.
Abandon Failed
The abandon failed error reports a problem encountered during an attempt to abandon an operation.
Any of the following problems may be indicated:
- No Such Operation
When the Directory has no knowledge of the operation which is to be abandoned (this could be because no such invoke took place, or because the Directory has forgotten about it).
- Too Late
When the Directory has already responded to the operation.
- Cannot Abandon
When an attempt has been made to abandon an operation for which this is prohibited (e.g. modify), or the abandon could not be performed.
Attribute Error
An attribute error reports an attribute-related problem.
One or more problems may be specified. Each problem (identified below) is accompanied by an indication of the attribute type, and, if necessary to avoid ambiguity, the value, which caused the problem:
- No Such Attribute Or Value
The named entry lacks one of the attributes or attribute values specified as an argument of the operation.
- Invalid Attribute Syntax
A purported attribute value, specified as an argument of the operation, does not conform to the attribute syntax of the attribute type.
- Undefined Attribute Type
An undefined attribute type was provided as an argument to the operation. This error may occur only in relation to addEntry or modifyEntry operations.
- Inappropriate Matching
An attempt was made, e.g. in a filter, to use a matching rule not defined for the attribute type concerned.
- Constraint Violation
An attribute value supplied in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2 or by the attribute definition (e.g. the value exceeds the maximum size allowed).
- Attribute Or Value Already Exists
An attempt was made to add an attribute which already existed in the entry, or a value which already existed in the attribute.
- Context Violation
A context list or context supplied with an attribute value in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2, by the context definition (e.g. the context value is not of the correct syntax), or the DIT Context Use.
Name Error
A name error reports a problem related to the name provided as an argument to an operation.
Any of the following problems may be indicated:
- No Such Object
The name supplied does not match the name of any object.
- Alias Problem
An alias has been dereferenced which names no object.
- Invalid Attribute Syntax
An attribute type and its accompanying attribute value in an AVA in the name are incompatible.
- Alias Dereferencing Problem
An alias was encountered in a situation where it was not allowed or where access was denied.
- Context Problem
A context type or value used in a name is not understood or is invalid, the use of a context variant name is not acceptable, or during name resolution a purported name matches the names of more than one DIT entry.
Referral
A referral redirects the service-user to one or more access points better equipped to carry out the requested operation.
Security Error
A security error reports a problem in carrying out an operation for security reasons.
The following problems may be indicated:
- Inappropriate Authentication
The level of security associated with the requestor's credentials is inconsistent with the level of protection requested, e.g. simple credentials were supplied while strong credentials were required.
- Invalid Credentials
The supplied credentials were invalid.
- Insufficient Access Rights
The requestor does not have the right to carry out the requested operation.
- Invalid Signature
The signature of the request was found to be invalid.
- Protection Required
The Directory was unwilling to carry out the requested operation because the argument was not signed.
- No Information
The requested operation produced a security error for which no information is available.
- Blocked Credentials
The credentials are blocked from consideration for security reasons (e.g. because an invalid password has been presented too many times in succession). The decision to return this error is governed by the security policy in effect for the DSA.
- Invalid QOP Match
The two entities have differing protection parameters defined for the respective security services.
- Spkm Error
The supplied SPKM token was found to be invalid. The spkmInfo parameter contains an indication that this is an SPKM error token and the identifier of the SPKM context with which this error is associated.
Service Error
A serviceError reports a problem related to the provision of the service.
The following problems may be indicated:
- Busy
The Directory, or some part of it, is presently too busy to perform the requested operation, but may be able to do so after a short while.
- Unavailable
The Directory, or some part of it, is currently unavailable.
- Unwilling To Perform
The Directory, or some part of it, is not prepared to execute this request, e.g. because it would lead to excessive consumption of resources or violates the policy of an Administrative Authority involved.
- Chaining Required
The Directory is unable to accomplish the request other than by chaining; however, chaining was prohibited by means of the chainingProhibited service control option.
- Unable To Proceed
The DSA returning this error did not have administrative authority for the appropriate naming context and as a consequence was not able to participate in name resolution.
- Invalid Reference
The DSA was unable to perform the request as directed by the DUA (via OperationProgress). This may have arisen due to using an invalid referral.
- Time Limit Exceeded
The Directory has reached the limit of time set by the user in a service control. No partial results are available to return to the user.
- Administrative Limit Exceeded
The Directory has reached some limit set by an administrative authority, and no partial results are available to return to the user.
- Loop Detected
The Directory is unable to accomplish this request due to an internal loop.
- Unavailable Critical Extension
The Directory was unable to satisfy the request because one or more critical extensions were not available.
- Out Of Scope
No referrals were available within the requested scope.
- DIT Error
The Directory is unable to accomplish the request due to a Directory Information Tree consistency problem.
- Invalid Query Reference
The parameters of the requested operation are invalid. This problem is reported if the queryReference in paged results is invalid.
- Requested Service Not Available
A search request failed within a service specific administrative area because no search-rule was available for the search or because the search violated an applicable search-rule.
- Unsupported Matching Use
An attempt was made, e.g. in a filter, to use a matching rule not supported by the DSA when the performExactly search option is set.
- Ambiguous Key Attributes
A mapping-based matching rule was selected, but the mappable filter items provided multiple matches against the relevant mapping table. This error situation is accompanied by a notification attribute as indicated by the relevant mapping-based matching rule.
Update Error
An updateError reports problems related to attempts to add, delete, or modify information in the DIT.
The following problems may be indicated:
- Naming Violation
The attempted addition or modification would violate the structure rules of the DIT as defined in the Directory schema and ITU-T Rec. X.501 ISO/IEC 9594-2. That is, it would place an entry as the subordinate of an alias entry, or in a region of the DIT not permitted to a member of its object class, or would define an RDN for an entry to include a forbidden attribute type.
- Object Class Violation
The attempted update would produce an entry inconsistent with the rules for entry content; for example, its object class definition, the DIT content rules, or with the definitions of ITU-T Rec. X.501 ISO/IEC 9594-2 as they pertain to object classes.
- Not Allowed On Non Leaf
The attempted operation is only allowed on leaf entries of the DIT.
- Not Allowed On RDN
The attempted operation would affect the RDN (e.g. removal of an attribute which is a part of the RDN).
- Entry Already Exists
An attempted addEntry or modifyDN operation names an entry which already exists.
- Affects Multiple DSAs
An attempted update would need to operate on multiple DSAs where this operation is not permitted.
- Object Class Modification Prohibited
An operation attempted to modify the structural object class of an entry.
- No Such Superior
An attempted modifyDN operation names a new superior entry that does not exist.
- Not Ancestor
An operation attempted to delete a compound entry without specifying the ancestor as the object.
- Parent Not Ancestor
An operation attempted to establish an entry as an immediately hierarchical child under a family member that is not the ancestor.
- Hierarchy Rule Violation
An operation attempted to break a rule applicable to a hierarchical group: a hierarchical group has to be completely outside any service specific administrative area or has to be completely contained within a service specific administrative area; a hierarchical group is confined to a single DSA.
- Family Rule Violation
An operation attempted to break a rule applicable to families within a compound entry.