ForgeRock Identity Platform
Does not apply to Identity Cloud

Insufficient Access Rights error for dsreplication status after upgrading a replicated server to DS 6.x

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if the dsreplication status command returns "Insufficient Access Rights: You do not have sufficient privileges to read directory server monitoring information" after upgrading to DS 6.x. If you run the command interactively, you will see a "No replication information found" message instead and no output. You will also experience this issue if you try to set up replication between an older version and DS 6.x.

1 reader recommends this article


Using a dsreplication status command such as the following returns partial or no information: 

$ ./dsreplication status --hostname localhost.localdomain --port 4444 --adminUID admin --adminPassword password --trustAll --no-prompt


  • An error similar to the following is shown when you run dsreplication status: The displayed information might not be complete because the following errors were encountered reading the configuration of the existing servers: Error on An error occurred connecting to the server.  Details: Insufficient Access Rights: You do not have sufficient privileges to  read directory server monitoring information
  • The following output is shown when you run the command interactivelyNo replication information found.

You will see the following error in the access log when this happens:

{"eventName":"DJ-LDAP","client":{"ip":"","port":8080},"server":{"ip":"","port":4444},"request":{"protocol":"LDAPS","operation":"SEARCH","connId":8,"msgId":2,"dn":"cn=replicas,cn=replication,cn=monitor","scope":"one","filter":"(objectClass=ds-monitor-replica)","attrs":["ds-mon-server-id","ds-mon-current-delay","ds-mon-ds-mon-server-id"]},"transactionId":"550c8966-9ee5-4352-a6a0-c252a1c8e93a-293","response":{"status":"FAILED","statusCode":"50","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"You do not have sufficient privileges to read directory server monitoring information","nentries":0},"timestamp":"2019-04-30T08:43:50.704Z","_id":"550c8966-9ee5-4352-a6a0-c252a1c8e93a-295"}

Recent Changes

Upgraded to DS 6.x.


The required permissions for monitoring dsreplication have changed in DS 6 and need to be updated manually as noted in the Installation Guide › To Upgrade Replicated Servers. You will encounter this issue if the global administrator account is missing the following privileges: bypass-lockdown, monitor-read and server-lockdown.


This issue can be resolved by adding the following required permissions:

  • bypass-lockdown
  • monitor-read
  • server-lockdown


The following example grants the privileges to the default global administrator account, which has DN cn=admin,cn=Administrators,cn=admin data:

$ ./ldapmodify --port 1389 --hostname --bindDN "cn=admin,cn=Administrators,cn=admin data" --bindPassword password dn: cn=admin,cn=Administrators,cn=admin data changetype: modify add: ds-privilege-name ds-privilege-name: bypass-lockdown ds-privilege-name: monitor-read ds-privilege-name: server-lockdown -

If you have a replication topology with mixed versions, you should run dsreplication status from the DS 6.x server once you have added the missing permissions. If you run it from an older server, you will not see any entries on the DS 6.x server. This is noted in the Release Notes › Limitations: "After adding servers, use the dsreplication command installed with a new server."

See Also

Upgrading DS

Installation Guide › Upgrading a Directory Server

Installation Guide › To Add a New Replica to an Existing Topology

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.