Solutions

Insufficient Access Rights error for dsreplication status after upgrading a replicated server to DS 6.x

Last updated Jun 11, 2019

The purpose of this article is to provide assistance if the dsreplication status command returns "Insufficient Access Rights: You do not have sufficient privileges to read directory server monitoring information" after upgrading to DS 6.x. If you run the command interactively, you will see a "No replication information found" message instead and no output. You will also experience this issue if you try to set up replication between an older version (such as OpenDJ 3, 3.5; DS 5, 5.5) and DS 6, 6.5.



Symptoms

Using a dsreplication status command such as the following returns partial or no information: 

$ ./dsreplication status --hostname localhost.localdomain --port 4444 --adminUID admin --adminPassword password --trustAll --no-prompt

Responses:

  • An error similar to the following is shown when you run dsreplication status:
    The displayed information might not be complete because the following errors 
    were encountered reading the configuration of the existing servers:
    
    Error on ds1.example.com: An error occurred connecting to the server. 
    Details: Insufficient Access Rights: You do not have sufficient privileges to 
    read directory server monitoring information 
    
  • The following output is shown when you run the command interactively:
    No replication information found.
    

You will see the following error in the access log when this happens:

{"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":8080},"server":{"ip":"127.0.0.1","port":4444},"request":{"protocol":"LDAPS","operation":"SEARCH","connId":8,"msgId":2,"dn":"cn=replicas,cn=replication,cn=monitor","scope":"one","filter":"(objectClass=ds-monitor-replica)","attrs":["ds-mon-server-id","ds-mon-current-delay","ds-mon-ds-mon-server-id"]},"transactionId":"550c8966-9ee5-4352-a6a0-c252a1c8e93a-293","response":{"status":"FAILED","statusCode":"50","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"You do not have sufficient privileges to read directory server monitoring information","nentries":0},"timestamp":"2019-04-30T08:43:50.704Z","_id":"550c8966-9ee5-4352-a6a0-c252a1c8e93a-295"}

Recent Changes

Upgraded to DS 6.x.

Causes

The required permissions for monitoring dsreplication have changed in DS 6 and need to be updated manually as noted in the Installation Guide › To Upgrade Replicated Servers. You will encounter this issue if the global administrator account is missing the following privileges: bypass-lockdown, monitor-read and server-lockdown.

Solution

This issue can be resolved by adding the following required permissions:

  • bypass-lockdown
  • monitor-read
  • server-lockdown

Example

The following example grants the privileges to the default global administrator account, which has DN cn=admin,cn=Administrators,cn=admin data:

$ ./ldapmodify --port 1389 --hostname ds1.example.com --bindDN "cn=admin,cn=Administrators,cn=admin data" --bindPassword password
dn: cn=admin,cn=Administrators,cn=admin data
changetype: modify
add: ds-privilege-name
ds-privilege-name: bypass-lockdown
ds-privilege-name: monitor-read
ds-privilege-name: server-lockdown
-

Note

If you have a replication topology with mixed versions, you should run dsreplication status from the DS 6.x server once you have added the missing permissions. If you run it from an older server, you will not see any entries on the DS 6.x server. This is noted in the Release Notes › Limitations: "After adding servers, use the dsreplication command installed with a new server."

See Also

Upgrading DS/OpenDJ

Installation Guide › Upgrading a Directory Server

Installation Guide › To Add a New Replica to an Existing Topology

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-6247 (RFE: Improve error reporting for dsreplication status)

OPENDJ-5074 (dsreplication status reports "No replication information found" after DS 6 upgrade)



Copyright © 2019 ForgeRock, all rights reserved.