IDM (All versions) liveSync syncToken is out of sync with the DS changelog number
The purpose of this article is to provide assistance if the IDM liveSync syncToken is out of sync with the DS changelog number, meaning no changes are detected and liveSync stops working. You will see the following error when this happens: "The current SyncToken value (n+x) is greater than the lastChangeNumber value (n)".
Warning
Do not compress, tamper with, or otherwise alter changelog database files directly unless specifically instructed to do so by a qualified ForgeRock technical support engineer. External changes to changelog database files can render them unusable by the server. By default, changelog database files are located under the /path/to/ds/changelogDb directory.
Symptoms
liveSync fails to detect any changes, and the syncToken and DS changelog numbers are out of sync.
The following error is shown when this happens:
WARNING: The current SyncToken value (15,187) is greater than the lastChangeNumber value (12,872) Sep 21, 2021 8:22:30 AM org.identityconnectors.ldap.LdapConnector doSync
Recent Changes
- Configured or changed your liveSync configuration.
- Updated the DS instance's changelog after the last successful liveSync was performed.
Causes
The syncToken is based on the last highest value seen within the DS changelog and is stored within the IDM repository.
The syncToken and changelog number can get out of sync for one of the following reasons:
- IDM is connected to DS via a load balancer and the changelog numbers are out of sync between the servers.
- The repository used by IDM (repo.jdbc.json) contains old data from a previous IDM instance, which was pointed to an alternative DS instance that had a different changelog number.
- The changelog associated with the DS instance was modified or purged without having reset the syncToken which is cached in the IDM repository.
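To confirm the condition from an IDM log, the following added example (not ForgeRock code) scans log lines for the warning quoted under Symptoms, strips the thousands separators, and reports how far the stored syncToken is ahead of the changelog. The function names, the sample log and the "decreased" heuristic are assumptions made for illustration.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Warning text as quoted in the article; values may carry thousands separators.
WARNING_RE = re.compile(
    r"The current SyncToken value \((?P<token>[\d,]+)\) is greater than "
    r"the lastChangeNumber value \((?P<last>[\d,]+)\)"
)

class Drift(NamedTuple):
    line_no: int
    sync_token: int
    last_change_number: int

def _to_int(text: str) -> int:
    return int(text.replace(",", ""))

def find_drift(lines: Iterable[str]) -> list:
    """Return one Drift per log line that carries the warning."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = WARNING_RE.search(line)
        if m:
            hits.append(Drift(line_no, _to_int(m["token"]), _to_int(m["last"])))
    return hits

def summarize(hits: list) -> Optional[dict]:
    """Summarize the most recent warning; None when liveSync never complained."""
    if not hits:
        return None
    latest = hits[-1]
    # Heuristic (assumption): a lastChangeNumber that goes down between warnings
    # means the changelog IDM is reading changed underneath it.
    decreased = any(b.last_change_number < a.last_change_number
                    for a, b in zip(hits, hits[1:]))
    return {"warnings": len(hits), "sync_token": latest.sync_token,
            "last_change_number": latest.last_change_number,
            "gap": latest.sync_token - latest.last_change_number,
            "last_change_number_decreased": decreased}

SAMPLE_LOG = [  # constructed sample, except line 2 which uses the article's values
    "INFO: liveSync schedule fired",
    "WARNING: The current SyncToken value (15,187) is greater than the lastChangeNumber value (12,872)",
    "WARNING: The current SyncToken value (15,187) is greater than the lastChangeNumber value (9,410)",
]

if __name__ == "__main__":
    print(summarize(find_drift(SAMPLE_LOG)))
```

A decreasing lastChangeNumber is consistent with either a load balancer switching DS servers or a purged changelog; the script does not tell the two apart.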
Solution
This issue can be resolved using one of the following options:
- Reset the syncToken to zero (null) using the REST API as described in How do I reset the liveSync syncToken in Identity Cloud or IDM (All versions)?
- Use the resetSyncToken configuration property to address these possible inconsistencies. See LDAP connector Configuration for further information on setting this property.
You should also refer to Best practice for liveSync in IDM (All versions) with multiple DS instances to ensure your configuration is correct to avoid similar issues in the future.
See Also
How do I read and set the liveSync syncToken using REST in IDM (All versions)?
How do I reset the liveSync syncToken in Identity Cloud or IDM (All versions)?
Best practice for liveSync in IDM (All versions) with multiple DS instances