running for a smallish subset of our users for a while now. I kept the
list smallish by a veto() call for most of our userbase based on OU.

Yesterday I removed that veto and watched the Google Apps driver create
users (forcing a resync). Somewhere around 1:40AM the driver quit, and
will not stay restarted from iManager. In the interval between, the TAO
queue went from 14000 to 4000 entries. A lot of accounts were created.

It seems at least reasonable that Google might be experiencing some API
issues. Running ndstrace during restarts, I see this entry:

DirXML Log Event -------------------
Driver: \AUGSBURG\Augsburg\Servers\IDM4 Driver Set\Google Apps
Channel: Subscriber
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status
indicating that the driver should be shut down. Detail from driver:
(-9005) The driver returned a "fatal" status indicating that the driver
should be shut down. Detail from driver: <description>Service
Exception: com.google.gdata.util.ServiceForbiddenException: Invalid
&lt;TITLE>Invalid domain.&lt;/TITLE>
&lt;BODY BGCOLOR="#FFFFFF" TEXT="#000000">
&lt;H1>Invalid domain.&lt;/H1>
&lt;H2>Error 403&lt;/H2>
class-name="com.google.gdata.util.ServiceForbiddenException">
<message>Invalid domain.</message>

This message appears in every tracefile, but does not always appear in
direct proximity to the final "Stop" message.

There is a posting here:
https://forums.netiq.com/archive/index.php/t-46073.html in which this error
occurs. It appears to be related to users who actually do have a bad
domain, and was resolved by turning off entitlement matching for users
who did not have an appropriate domain. This does not appear to be the
case in our setup.

1) ndstrace does not show any attempts to add anyone. It runs through a
startup sequence, and then dies.
2) We are only using basic provisioning, no advanced, no entitlements.
3) The settings referenced are set to false ("Use Entitlements to
Control GoogleApps Accounts", "Use Group Membership Entitlement").
4) A large chunk of users are successfully created.
5) Nothing in our directory seems like it would trigger an alternate
domain (though I'm not sure what the poster meant, I'd suspect there
were email addresses with alternate domains that the driver was queuing
off of).

Some questions I'd like to ask the community:

1) Does a Google issue seem a likely cause?

2) Have others seen this sort of thing?

