Recently geoffc submitted a very useful hint about the 9063 error. However, I know that most administrators do not watch their trace files as well as they should, and having trace level set to 3 to see the details will slow down the drivers. If you want to be notified when an IDM -9063 error occurs, but you do not have Audit or Sentinel running, you can use email notifications.
The following code snippet, placed in the Publisher Channel Input Transformation Policy Set, will detect a -9063 error and send an email that includes the DN of the failed user object. (The snippet is also attached for easy downloading.)
<rule>
  <description>Status Error Handling: User Already Associated</description>
  <conditions>
    <and>
      <if-operation op="equal">status</if-operation>
      <if-xpath op="true">./@level='error'</if-xpath>
      <if-xpath op="true">contains(./text(),'-9063')</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lv-dn" scope="policy">
      <arg-string>
        <token-xpath expression="object-dn"/>
      </arg-string>
    </do-set-local-variable>
    <do-send-email server="mail.company.com" type="text">
      <arg-string name="to">
        <token-text xml:space="preserve">email@example.com</token-text>
      </arg-string>
      <arg-string name="subject">
        <token-text xml:space="preserve">Error 9063 Detected</token-text>
      </arg-string>
      <arg-string name="message">
        <token-text xml:space="preserve">Error 9063 was detected during a match of user </token-text>
        <token-local-variable name="lv-dn"/>
      </arg-string>
    </do-send-email>
  </actions>
</rule>
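To check which status documents the rule's three conditions would fire on before deploying it, the following added example (not part of the original post or of any NetIQ tooling) replays them in Python against a constructed input document. The tree name, DNs, event IDs and message text are assumptions made up for illustration, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample input document; DNs, event IDs and message text are illustrative.
SAMPLE = r"""<nds dtdversion="4.0"><input>
<status level="error" event-id="e1">Code(-9063) object already associated (constructed text)<object-dn>\ACME\users\jdoe</object-dn></status>
<status level="warning" event-id="e2">Code(-9063) constructed warning<object-dn>\ACME\users\asmith</object-dn></status>
<status level="error" event-id="e3">Code(-9010) constructed other error<object-dn>\ACME\users\bjones</object-dn></status>
<status level="error" event-id="e4">Match failed.<object-dn>\ACME\users\clee</object-dn>Code(-9063)</status>
<modify class-name="User" event-id="e5"/>
</input></nds>"""


def first_text_node(elem):
    """XPath 1.0 contains(./text(), ...) only looks at the FIRST text node child."""
    if elem.text is not None:
        return elem.text
    for child in elem:
        if child.tail is not None:
            return child.tail
    return ""


def matches_rule(op):
    """Mirror of the rule's <conditions>: status op, level='error', text has -9063."""
    return (op.tag == "status"
            and op.get("level") == "error"
            and "-9063" in first_text_node(op))


def object_dn(op):
    """Mirror of <token-xpath expression="object-dn"/>: string value of first match."""
    node = op.find("object-dn")
    return "" if node is None else "".join(node.itertext())


def alerts(xml_text):
    """Return (event-id, DN) for every operation that would trigger the email."""
    root = ET.fromstring(xml_text)
    ops = [op for chan in root if chan.tag in ("input", "output") for op in chan]
    return [(op.get("event-id"), object_dn(op)) for op in ops if matches_rule(op)]


if __name__ == "__main__":
    for event_id, dn in alerts(SAMPLE):
        print(f"{event_id}: Error 9063 was detected during a match of user {dn}")
```

Event e4 is skipped even though it contains -9063, because the code appears in a text node after the first one; if your driver's status text is laid out that way, the `contains(./text(),'-9063')` condition will not see it.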
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.