ForgeRock Identity Platform
Does not apply to Identity Cloud

Authentication fails with Error inactivating user account in AM (All versions)

Last updated Jun 24, 2021

The purpose of this article is to provide assistance if you encounter "Error inactivating user account" and "Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95" errors when a user tries to authenticate. If you are using SAML2 federation, you may also see a "Login failed with unknown reason" error when Single Sign On (SSO) fails.



An error similar to the following is shown in the Authentication debug log when authentication fails:

amAccountLockout:06/21/2021 11:36:03:814 AM UTC: Thread[http-nio-10600-exec-2,5,main]: TransactionId[df44988f-eda9-46fa-b356-b72f2945cfcb-22742] ERROR: Error inactivating user account Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.newIdRepoException(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(
    at com.sun.identity.idm.server.IdServicesImpl.getAttributes(
    at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(
    at com.sun.identity.idm.AMIdentity.getAttribute(
    at com.sun.identity.common.ISAccountLockout.isAccountLocked(
    at com.sun.identity.authentication.service.AMAccountLockout.isAccountLocked(
    at com.sun.identity.authentication.service.LoginState.isAccountLocked(
    at com.sun.identity.authentication.service.LoginState.searchUserProfile(
    at com.sun.identity.authentication.service.AMLoginContext.runLogin(
    at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(
    at com.sun.identity.authentication.AuthContext.submitRequirements(
    at com.sun.identity.authentication.AuthContext.submitRequirements(
    at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(

You may see an error similar to the following in the authentication Audit log as well, even though the credentials are correct:

{"realm":"/employees","transactionId":"11466e57-479d-c4eb-b088-107251dcbbc4-7481","2021-06-24T11:37:49.541Z","AM-LOGIN-COMPLETED","11466e57-479d-c4eb-b088-107251dcbbc4-7464","uid=jdoe,ou=People,dc=example,dc=com","[""11466e57-479d-c4eb-b088-107251dcbbc4-7465""]","FAILED","[""jdoe""]",,"[{""moduleId"":""LDAP"",""info"":{""failureReason"":""NO_USER_PROFILE"",""ipAddress"":"""",""authLevel"":""0""}}]","Authentication","/"

The following error is shown in the Federation debug log when SSO fails if AM is set up for SAML2 federation:

libSAML2:06/21/2021 11:36:03:814 AM UTC: Thread[http-nio-10600-exec-5,5,main]: TransactionId[df44988f-eda9-46fa-b356-b72f2945cfcb-22742] ERROR: spAssertionConsumer.jsp: SSO failed. com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(
    at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(
    at org.apache.jasper.runtime.HttpJspBase.service(
    at javax.servlet.http.HttpServlet.service(
    at org.apache.jasper.servlet.JspServletWrapper.service(
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(
    at org.apache.jasper.servlet.JspServlet.service(

The same error is seen if you select the affected user via the Identities page in the console: Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95

Recent Changes



The ldap errorcode=95 signifies that multiple matching entries exist. From LDAP Result Codes:

Unexpected Results Returned

The client-side result code that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected. This is for client-side use only and should never be transferred over protocol.

This error is typically the result of naming conflicts that cannot be resolved automatically by replication. This situation commonly occurs when you have duplicate user entries sharing the same DN, which can be caused by concurrent updates to different user stores or replication conflicts. As the stack trace shows, the DJLDAPv3Repo lookup of the user's DN expects exactly one matching entry; when the original entry and its conflict entry both match, the lookup fails with errorcode=95, AM cannot read the user profile, and the login is reported as failed even though the credentials are correct.


Naming conflicts that cannot be automatically resolved by replication can be identified by entries whose DN has been rewritten in the form entryuuid=entryUUID-value+original-RDN,original-parent-DN. You can use ldapsearch to find conflicting entries and then resolve them manually as illustrated in Replication Conflicts.
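The following script is an added example, not part of this article or of ForgeRock's tooling. It reads the LDIF produced by an ldapsearch of the user store base DN and lists every conflict entry (a DN of the form entryuuid=entryUUID-value+original-RDN,original-parent-DN) next to the original DN it collides with, so you can see which users will hit errorcode=95 before resolving the conflicts. The sample LDIF and the entryUUID value in it are constructed; the script assumes conflict DNs follow exactly the form stated above, that the original RDN contains no "+", and that DNs are not base64-encoded ("dn::") in the output.

```python
"""List DS replication conflict entries from ldapsearch LDIF output.

Added example, not ForgeRock code. Assumes the conflict-entry DN form
entryuuid=<entryUUID>+<original RDN>,<original parent DN>.
"""
import re
import sys
from collections import defaultdict

# A conflict entry DN: literal "entryuuid=" prefix, a UUID, then "+" and the
# original DN. Assumption: the original RDN itself contains no "+".
CONFLICT_DN = re.compile(
    r"^entryuuid=(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"\+(?P<original>.+)$",
    re.IGNORECASE,
)

# Constructed sample: one healthy entry, one conflict entry for jdoe (folded over
# two lines as LDIF allows), and one unrelated healthy entry. The UUID is made up.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe

dn: entryuuid=a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d+uid=jdoe,ou=People,dc=example,
 dc=com
objectClass: inetOrgPerson
uid: jdoe

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
"""


def ldif_dns(ldif_text):
    """Yield the DN of each LDIF record, unfolding continuation lines first."""
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = []
        for line in record.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # LDIF folds long values with a leading space
            else:
                lines.append(line)
        for line in lines:
            if line.startswith("dn: "):  # base64 "dn::" records are not handled (assumption)
                yield line[4:].strip()
                break


def find_conflicts(ldif_text):
    """Map each original DN to the conflict entries that collide with it."""
    conflicts = defaultdict(list)
    for dn in ldif_dns(ldif_text):
        match = CONFLICT_DN.match(dn)
        if match:
            conflicts[match.group("original")].append(
                {"dn": dn, "entryuuid": match.group("uuid").lower()}
            )
    return dict(conflicts)


def affected_users(ldif_text):
    """Sorted list of original DNs that a single-entry lookup would fail on."""
    return sorted(find_conflicts(ldif_text))


if __name__ == "__main__":
    # Pipe ldapsearch LDIF output on stdin; with no input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    found = find_conflicts(text)
    if not found:
        print("no conflict entries found")
    for original, entries in found.items():
        print(f"{original} collides with:")
        for entry in entries:
            print(f"    {entry['dn']}  (entryUUID {entry['entryuuid']})")
```

Run it against the full output of an ldapsearch over the user store base DN (requesting no attributes keeps the output small); each DN reported as "collides with" is a user whose authentication, and whose Identities page view in the AM console, will fail with errorcode=95 until the duplicate is resolved as described in Replication Conflicts.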

See How do I find replication conflicts in DS (All versions)? and How do I troubleshoot replication issues in DS 5.x and 6.x? for further information on troubleshooting and resolving replication conflicts.

See Also

Data stores in AM

Replication in DS

entryUUID Operational Attribute

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.