search cancel

What are the contents of a DSA Summary Log?


Article ID: 53975


Updated On:


CA Directory CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting



This technical document describes the contents of the summary log of a DSA.


The summary log shows a summary of every operation handled by a DSA during a single day in a one line pre operation format. Each line contains three major fields. These are "Request Header", "Request Summary" and "Result Summary". The "Request Header" field can be further broken up into three subfields. These are "Date/Time", "operation ID", "Operation type".

The example below shows an example of these fields.

20090112.034228 #000.024 SEARCH   : 5 deep base-object no-filter   : 1 entries 1 attrs
20090112.034228 #000.025 (SEARCH) : 6 deep one-level complex      : Name Error 1
+-----------------------------------+--------------------------- +--------------------+
 Request Header                      Request Summary              Result Summary
+-------------+   +------+ +--------+ 
  Date/Time            opId        Type

Explanation of fields

The main fields of the summary log are separated by a colon (:).

Request Header

The header consists of three fields separated by a space. These are:

This is the approximate time that the request was responded to. The format is YYYYMMDD.HHmmss in the machines local time zone.

This is the internal operation id. The format is the association Id (client connection) followed by the invoke id (sequential id for a given client).

This is the type of operation that was done. If the operation name is in parenthesis then the request failed.

Request Summary

This is a summary of the arguments or the nature of the arguments for the operation.


5 deep base-object no-filter

means that the search was base-object search which was 5 level deep and contained no filter.

Result Summary

This is a summary of the result of the operation. If the directory operation did not complete due to an error the result summary contains a description of the error encountered. Descriptions of the possible errors are listed below in "Operation Error Summary".


1 entries 1 attrs

means that the search returned 1 entry and 1 attribute contained in that entry.

Operation Error Summary

Note: The following errors, explanations and examples are taken from the X.511 standards. Not all the errors are possible with CA Directory and many of the examples are not applicable.

The operation error summary contains the error category possibly followed by an error problem number.

The possible error categories that may be returned are:

  • Abandoned

  • Abandon Failed

  • Attribute Error

  • Name Error

  • Referral

  • Security Error

  • Service Error

  • Update Error


This outcome may be reported for any outstanding directory enquiry operation (i.e. Read, Search, Compare, List) if the DUA invokes an Abandon operation with the appropriate InvokeId

Abandon Failed

The abandon failed error reports a problem encountered during an attempt to abandon an operation.

Any of the following problems may be indicated:

  1. No Such Operation
    When the Directory has no knowledge of the operation which is to be abandoned (this could be because no such invoke took place, or because the Directory has forgotten about it).

  2. Too Late
    When the Directory has already responded to the operation.

  3. Cannot Abandon
    When an attempt has been made to abandon an operation for which this is prohibited (e.g. modify), or the abandon could not be performed.

Attribute Error

An attribute error reports an attribute-related problem.
One or more problems may be specified. Each problem (identified below) is accompanied by an indication of the attribute type, and, if necessary to avoid ambiguity, the value, which caused the problem:

  1. No Such Attribute Or Value
    The named entry lacks one of the attributes or attribute values specified as an argument of the operation.

  2. Invalid Attribute Syntax
    A purported attribute value, specified as an argument of the operation, does not conform to the attribute syntax of the attribute type.

  3. Undefined Attribute Type
    An undefined attribute type was provided as an argument to the operation. This error may occur only in relation to addEntry or modifyEntry operations.

  4. Inappropriate Matching
    An attempt was made, e.g. in a filter, to use a matching rule not defined for the attribute type concerned.

  5. Constraint Violation
    An attribute value supplied in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2 or by the attribute definition
    (e.g. the value exceeds the maximum size allowed).

  6. Attribute Or Value Already Exists
    An attempt was made to add an attribute which already existed in the entry, or a value which already existed in the attribute.

  7. Context Violation
    A context list or context supplied with an attribute value in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2, by the context definition (e.g. the context value is not of the correct syntax), or the DIT Context Use.

Name Error

A name error reports a problem related to the name provided as an argument to an operation.
The particular problem encountered. Any of the following problems may be indicated.

  1. No Such Object
    The name supplied does not match the name of any object.

  2. Alias Problem
    An alias has been dereferenced which names no object.

  3. Invalid Attribute Syntax
    An attribute type and its accompanying attribute value in an AVA in the name are incompatible.

  4. Alias Dereferencing Problem
    An alias was encountered in a situation where it was not allowed or where access was denied.

  5. Context Problem
    A context type or value used in a name is not understood or is invalid, the use of a context variant name is not acceptable, or during name resolution a purported name matches the names of more than one DIT entry.


A referral redirects the service-user to one or more access points better equipped to carry out the requested operation.

Security Error

A security error reports a problem in carrying out an operation for security reasons.
The following problems may be indicated:

  1. Inappropriate Authentication
    The level of security associated with the requestor's credentials is inconsistent with the level of protection requested, e.g. simple credentials were supplied while strong credentials were required.

  2. Invalid Credentials
    The supplied credentials were invalid.

  3. Insufficient Access Rights
    The requestor does not have the right to carry out the requested operation.

  4. Invalid Signature
    The signature of the request was found to be invalid.

  5. Protection Required
    The Directory was unwilling to carry out the requested operation because the argument was not signed.

  6. No Information
    The requested operation produced a security error for which no information is available.

  7. Blocked Credentials
    The credentials are blocked from consideration for security reasons (e.g. because an invalid password has been presented too many times in succession). The decision to return this error is governed by the security policy in effect for the DSA.

  8. Invalid QOP Match
    The two entities have differing protection parameters defined for the respective security services.

  9. Spkm Error
    The supplied SPKM token was found to be invalid. The spkmInfo parameter contains an indication that this is an SPKM error token and the identifier of the SPKM context with which this error is associated.

Service Error

A serviceError reports a problem related to the provision of the service.
The following problems may be indicated:

  1. Busy
    The Directory, or some part of it, is presently too busy to perform the requested operation, but may be able to do so after a short while.

  2. Unavailable
    The Directory, or some part of it, is currently unavailable.

  3. Unwilling To Perform
    The Directory, or some part of it, is not prepared to execute this request, e.g. because it would lead to excessive consumption of resources or violates the policy of an Administrative Authority involved.

  4. Chaining Required
    The Directory is unable to accomplish the request other than by chaining; however, chaining was prohibited by means of the chainingProhibited service control option.

  5. Unable To Proceed
    The DSA returning this error did not have administrative authority for the appropriate naming context and as a consequence was not able to participate in name resolution.

  6. Invalid Reference
    The DSA was unable to perform the request as directed by the DUA, (via OperationProgress) This may have arisen due to using an invalid referral.

  7. Time Limit Exceeded
    The Directory has reached the limit of time set by the user in a service control. No partial results are available to return to the user.

  8. Administrative Limit Exceeded
    The Directory has reached some limit set by an administrative authority, and no partial results are available to return to the user.

  9. Loop Detected
    The Directory is unable to accomplish this request due to an internal loop.

  10. Unavailable Critical Extension
    The Directory was unable to satisfy the request because one or more critical extensions were not available.

  11. Out Of Scope
    No referrals were available within the requested scope.

  12. DIT Error
    The Directory is unable to accomplish the request due to a Directory Information Tree consistency problem.

  13. Invalid Query Reference
    The parameters of the requested operation are invalid. This problem is reported if the queryReference in paged results is invalid.

  14. Requested Service Not Available
    A search request failed within a service specific administrative area because no search-rule was available for the search or because the search violated an applicable search-rule.

  15. Unsupported Matching Use
    An attempt was made, e.g. in a filter, to use a matching rule not supported by the DSA when the performExactly search option is set.

  16. Ambiguous Key Attributes
    A mapping-based matching rule was selected, but the mappable filter items provided multiple matches against the relevant mapping table.This error situation is accompanied by a notification attribute as indicated by the relevant matching-based matching rule.

Update Error

An updateError reports problems related to attempts to add, delete, or modify information in the DIT.
The following problems may be indicated:

  1. Naming Violation
    The attempted addition or modification would violate the structure rules of the DIT as defined in the Directory schema and ITU-T Rec. X.501 ISO/IEC 9594-2. That is, it would place an entry as the subordinate of an alias entry, or in a region of the DIT not permitted to a member of its object class, or would define an RDN for an entry to include a forbidden attribute type.

  2. Object Class Violation
    The attempted update would produce an entry inconsistent with the rules for entry content; for example, its object class definition, the DIT content rules, or with the definitions of ITU-T Rec. X.501 ISO/IEC 9594-2 as they pertain to object classes.

  3. Not Allowed On Non Leaf
    The attempted operation is only allowed on leaf entries of the DIT.

  4. Not Allowed On RDN
    The attempted operation would affect the RDN (e.g. removal of an attribute which is a part of the RDN).

  5. Entry Already Exists
    An attempted addEntry or modifyDN operation names an entry which already exists.

  6. Affects Multiple DSAs
    An attempted update would need to operate on multiple DSAs where this operation is not permitted.

  7. Object Class Modification Prohibited
    An operation attempted to modify the structural object class of an entry.

  8. No Such Superior
    An attempted modifyDN operation names a new superior entry that does not exist.

  9. Not Ancestor
    An operation attempted to delete a compound entry without specifying the ancestor as the object.

  10. Parent Not Ancestor
    An operation attempted to establish an entry as an immediately hierarchical child under a family member that is not the ancestor.

  11. Hierarchy Rule Violation
    An operation attempted to break a rule applicable to a hierarchical group: a hierarchical group has to be completely outside any service specific administrative area or has to be completely contained within a service specific administrative area; hierarchical group is confined to a single DSA.

  12. Family Rule Violation
    An operation attempted to break a rule applicable to families within a compound entry.


Release: ESPDIR99000-8.1-Extended Support Plus-for CA Directory