LDAP Documentum debugging techniques

It's always been a challenge to debug LDAP-Documentum integration in any given Documentum implementation. This article shares some of the debugging techniques I have used over time to identify and resolve the related issues.

Connectivity problems:

If you are setting up the LDAP configuration object using DA and it throws

LDAP directory connection/validation problem–Couldn’t connect using xxxx.yyyycom : 389

The first thing to do is check with the LDAP admin whether the server name and port given are accurate. It gets complicated if we are told they are accurate. To confirm that this is indeed the case, try connecting to the LDAP server yourself, outside of Documentum, in one of these two ways:

Command Line:
java com.documentum.ldap.LDAPSync -docbase_name -user_name -password -t -n

Note: Make sure that the classpath includes all the necessary JAR files.

Softerra LDAP Browser
Install this browser and use it to confirm whether the LDAP server information is accurate.

If it turns out that the LDAP server information is indeed correct, the App Server may be unable to see the LDAP server. Since we are using DA to connect to the LDAP server, it is essential to check connectivity to the LDAP server from the App Server, using the same choices described above.
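The same outside-of-Documentum check can be scripted for a host where neither tool is installed; the following is an added example, not code from this article or from Documentum. It uses only the Python 3 standard library, its function names (`probe`, `anonymous_bind`, `parse_bind_response`, `read_tlv`) are hypothetical, and it speaks plain LDAP on port 389 only.

```python
import socket

# Added example; all function names here are illustrative.
# Anonymous LDAPv3 BindRequest (RFC 4511), BER-encoded by hand: messageID=1,
# version=3, empty name, empty simple password. It carries no credentials.
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the BER element at pos
    if pos + 2 > len(buf):
        raise EOFError("BER header incomplete")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise EOFError("BER value incomplete")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):  # -> resultCode of an LDAP BindResponse
    tag, msg, _ = read_tlv(data)
    op, body, _ = read_tlv(msg, read_tlv(msg)[2])  # step over messageID
    if tag != 0x30 or op != 0x61:  # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("reply is not an LDAP BindResponse")
    return int.from_bytes(read_tlv(body)[1], "big")

def anonymous_bind(sock):
    """Send the bind on a connected socket; return the server's resultCode."""
    sock.sendall(BIND_REQUEST)
    data = b""
    for chunk in iter(lambda: sock.recv(4096), b""):
        data += chunk
        try:
            read_tlv(data)  # is the outer LDAPMessage complete yet?
        except EOFError:
            continue
        return parse_bind_response(data)
    raise EOFError("connection closed before a full reply")

def probe(host, port=389, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'ldap' or 'ok'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return "ok", f"LDAP resultCode={anonymous_bind(s)}"
    except socket.gaierror as e:  # name does not resolve from this host
        return "dns", str(e)
    except (ValueError, EOFError) as e:  # something answered, but not LDAP
        return "ldap", str(e)
    except OSError as e:  # refused, unreachable or timed out
        return "tcp", str(e)
```

Any `ok` result, whatever the resultCode, shows that an LDAP service answers at that name and port from the host the script ran on. A `dns` or `tcp` result on the App Server alongside `ok` from your workstation points at name resolution or filtering between the App Server and the directory.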

If it is still not resolved and you have confirmed that the LDAP server information is accurate, try the DQL below to update the LDAP config object, then kick off the job. Assuming the Content Server can reach the LDAP server, the job will run successfully.

update dm_ldap_config object set ldap_host = 'xyz.com', set port_number = '389'

LDAP Synchronization problems

First, check the release notes of the version you are working with to identify any known bugs. Also verify with the LDAP administrator the criteria being used in the LDAP config object.

If that doesn't help, try the Microsoft utility (described in Microsoft Support Knowledge Base Article Q237677) with Windows 2000 to produce an LDIF extract file. Please refer to the Microsoft Support site for additional information concerning this utility.

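A network sniffer utility (like Microsoft NetMon) can be used to evaluate the network traffic between the Content Server and Microsoft Active Directory. If the connection uses a simple bind over unencrypted port 389, the bind password is visible in the capture, so handle capture files accordingly.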

Full Refresh

To perform a full refresh of LDAP data, use the a_last_run attribute as follows.
Note: a_last_run is defined as a string, not a datetime field, and LDAP synchronization will not produce the desired results if the word “null” is present in this attribute.


To turn on authentication tracing, follow the steps below:

Unix: Start the docbase with tracing.
dm_start_docbasename -otrace_authentication

Microsoft: Edit the Service to add tracing
Start->Programs->Documentum->Documentum Server Manager
Select Edit Service
In the command field, add -otrace_authentication after docbase name and before -security

Example for docbase with name DCTM_Software:

D:\Documentum\product\5.2\bin\dmserver_v4.exe -docbase_name DCTM_Software -otrace_authentication -security acl -init_file D:\Documentum\dba\config\DCTM_Software\server.ini -run_as_service -install_owner mahmoodh -logfile D:\Documentum\dba\log\DCTM_Software.log

The server logfile will show extra lines with details of each domain right as the docbase starts up.


And of course, you can always review the source of the LDAP class file as a last resort to give you some pointers.
