How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I find replication conflicts in DS (All versions)?

Last updated Jan 12, 2023

The purpose of this article is to provide information on searching for replication conflicts in DS so that you can fix them. A common error associated with replication conflicts is "Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95" which indicates multiple matching entries.

1 reader recommends this article

Background information

Replication conflicts occur when incompatible changes are applied concurrently to multiple read-write replicas. There are two types of conflict possible:

  • Modify conflicts - these involve concurrent modifications to the same entry.
  • Naming conflicts - these involve other operations that affect the DN of the entry.

Replication can resolve modify conflicts and most naming conflicts without intervention. However, the following types of naming conflicts cannot be resolved during replication and must be fixed manually:

  • Different entries that share the same DN are added concurrently on multiple replicas.
  • An entry on one replica is moved (renamed) to use the same DN as a new entry concurrently added on another replica.
  • A parent entry is deleted on one replica while a child entry is added or renamed concurrently on another replica.

This is a brief summary of the information documented in Replication Conflicts.

Multiple matching entries

The following error is commonly seen when there are multiple matching entries:

Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95

This error can occur in a variety of scenarios, including (but are not limited to) the following common examples:

Finding replication conflicts

You can use the logs to identify all types of replication issues; this is covered in detail in How do I troubleshoot replication issues in DS 6.x? along with information on monitoring replication to identify issues quickly. However, if you know you have naming conflicts, you can run a ldapsearch command on ds-sync-conflict to identify the specific entries.


You must run the ldapsearch command on each node since replication conflict entries can differ across nodes. Alternatively, you can resolve the replication conflicts on one node and re-initialize the remaining nodes.

Example ldapsearch command depending on version:

  • DS 7.1 and later: $ ./ldapsearch --hostname --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/ --bindDN uid=admin --bindPassword password --baseDN "dc=example,dc=com" "(ds-sync-conflict=*)" ds-sync-conflict > replication-conflict-entries.out
  • DS 7: $ ./ldapsearch --hostname --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/ --bindDN uid=admin --bindPassword password --baseDN "dc=example,dc=com" "(ds-sync-conflict=*)" ds-sync-conflict > replication-conflict-entries.out
  • DS 6.x: $ ./ldapsearch --hostname --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "dc=example,dc=com" "(ds-sync-conflict=*)" ds-sync-conflict > replication-conflict-entries.out

The naming conflicts written to the file would look similar to the output below (where the addition of entryuuid=[string]+ signifies a naming conflict):

entryuuid=bfbbd0fd-42f4-4d54-b0b2-69b32233cec9+cn=jdoe,ou=group,ou=employees,dc=example,dc=com entryuuid=c49df422-5f96-ea2b-85a2-d921eb0c3309+uid=user1,dc=example,dc=com entryuuid=eb8ad149-aa61-ea2b-8b0f-935663bcd8ed+uid=user74,dc=example,dc=com ...

You should resolve the naming conflicts as described in the documentation: Replication Conflicts.

See Also

How do I use the Access log to troubleshoot DS (All versions)?

Troubleshooting DS


Related Training


Related Issue Tracker IDs

OPENDJ-3343 (Invalid Conflict resolution on Add sequence when Parent & Child are added on different replica)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.