
Unable to locate the DS replication change log suffix error in IDM 6.x

Last updated May 21, 2020

The purpose of this article is to provide assistance if you get the following error when trying to use LiveSync from DS to IDM: "Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix."


Symptoms

LiveSync between DS and IDM fails when using a non-Directory Manager user. 

When this happens, the IDM logs contain the error "Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix." The surrounding log snippet varies with where the LiveSync was triggered from; two common forms are:

  • Scheduled service "scheduler-service-group.LiveSync" invocation reported failure:
    WARNING: Scheduled service "scheduler-service-group.LiveSync" invocation reported failure: org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix.
    
    Please make sure it's enabled, and changelog-read access is granted.
    
    org.forgerock.openidm.quartz.ExecutionException: 
    org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix.
    
    Please make sure it's enabled, and changelog-read access is granted.
    
       at org.forgerock.openidm.provisioner.impl.SystemObjectSetService.execute(SystemObjectSetService.java:501)
       at org.forgerock.openidm.quartz.impl.SchedulerServiceJob.execute(SchedulerServiceJob.java:135)
       at org.quartz.core.JobRunShell.run(JobRunShell.java:223)
       at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
    
    Caused by: org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix.
  • Resource exception: 500 Internal Server Error:
    WARNING: Resource exception: 500 Internal Server Error: "Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix.
    Please make sure it's enabled, and changelog-read access is granted."
    org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix.
    Please make sure it's enabled, and changelog-read access is granted.
       at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.liveSynchronize(OpenICFProvisionerService.java:878)
       at org.forgerock.openidm.provisioner.api.SystemObjectSetService.liveSync(SystemObjectSetService.java:542)
       at org.forgerock.openidm.provisioner.api.SystemObjectSetService.actionInstance(SystemObjectSetService.java:383)

Recent Changes

Configured LiveSync between DS and IDM.

Created a new user for LiveSync purposes.

Causes

The user does not have the necessary access rights to trigger LiveSync. Typically, they are missing access to the root DSE.

When LiveSync runs, it first reads the changelog attributes (changelog, firstChangeNumber and lastChangeNumber) from the root DSE, and then searches cn=changelog for the changes in that range. LiveSync therefore fails unless the user has both the changelog privilege and read access to those root DSE attributes; either one alone is not enough. The error text only mentions changelog-read access, which is why a missing root DSE ACI is easy to overlook when the cn=changelog access has already been granted.

Note

The documentation in DS 6 and early versions of DS 6.5 explained how to give the necessary access rights to the changelog but missed giving access to the root DSE. This has now been corrected in later versions of DS 6.5.

Solution

This issue can be resolved by giving the user the correct access rights:

  • If you did not follow the documentation to give the user access to the changelog, then you should follow the steps in Administration Guide › To Allow a User to Read the Change Log (this procedure includes steps to grant access to the root DSE).
  • If you did follow the documentation but the user does not have access to the root DSE, add the following global ACI. It grants the LiveSync user (cn=adminUser,dc=example,dc=com in this example; substitute your own bind DN, host, port and credentials) read, search and compare on only the changeLog, firstChangeNumber and lastChangeNumber attributes of the root DSE (target ldap:///), and nothing else:
    $ ./dsconfig set-access-control-handler-prop \
        --hostname ds1.example.com --port 4444 \
        --bindDN "cn=Directory Manager" --bindPassword password \
        --add global-aci:"(target=\"ldap:///\")(targetattr = \"changeLog||firstChangeNumber||lastChangeNumber\")(version 3.0;acl \"Search and read changelog numbers\"; allow (read,search,compare) userdn=\"ldap:///cn=adminUser,dc=example,dc=com\";)" \
        --trustAll --no-prompt
    This ACI is in addition to, not instead of, the changelog privilege and the cn=changelog ACI from the documented procedure; the user needs all of them. Note that --trustAll accepts whatever certificate the administration connector presents; on a production server, trust the server's certificate explicitly with --trustStorePath instead.
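The quickest way to confirm the diagnosis, before and after changing the ACI, is to bind as the LiveSync user and read the three root DSE attributes yourself rather than as Directory Manager, since ACIs are evaluated per bind DN. The following script is an added example, not code from this article or from ForgeRock: ldif_attr and check_root_dse_attrs parse ldapsearch output, probe_root_dse runs the base-scope search of the root DSE as the LiveSync user, and the two LDIF samples are constructed to show what a permitted and a denied user would see. The host ds1.example.com, port 1636, the bind DN cn=adminUser,dc=example,dc=com, the password and the DS_TRUSTSTORE variable are assumptions; override them in the environment for your deployment.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): check, as the LiveSync bind
# user, that the root DSE attributes IDM reads first (changelog,
# firstChangeNumber, lastChangeNumber) are visible to that user.
# Host, port, bind DN, password and truststore are assumptions.
DS_HOST="${DS_HOST:-ds1.example.com}"
DS_PORT="${DS_PORT:-1636}"
SYNC_DN="${SYNC_DN:-cn=adminUser,dc=example,dc=com}"
SYNC_PW="${SYNC_PW:-password}"

# Constructed sample: root DSE as seen by a user holding the ACI from the article.
SAMPLE_ROOT_DSE='dn:
changelog: cn=changelog
firstChangeNumber: 1
lastChangeNumber: 42'

# Constructed sample: root DSE as seen by a user without that ACI. DS returns
# the entry but omits the attributes the bind DN may not read.
SAMPLE_DENIED='dn:
objectClass: top
objectClass: ds-root-dse'

# Print the value of one attribute from LDIF on stdin (first occurrence; the
# attribute name is compared case-insensitively, as LDAP does). Prints nothing
# when the attribute is absent.
ldif_attr() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    {
      i = index($0, ":")
      if (i > 1 && tolower(substr($0, 1, i - 1)) == want) {
        v = substr($0, i + 1)
        sub(/^[ \t]+/, "", v)
        print v
        exit
      }
    }'
}

# Read an LDIF entry on stdin; succeed only if every attribute named as an
# argument is present. Missing attributes are reported on stderr.
check_root_dse_attrs() {
  ldif=$(cat)
  missing=""
  for attr in "$@"; do
    if [ -z "$(printf '%s\n' "$ldif" | ldif_attr "$attr")" ]; then
      missing="$missing $attr"
    fi
  done
  if [ -n "$missing" ]; then
    printf 'bind user cannot read:%s on the root DSE (LiveSync will fail)\n' "$missing" >&2
    return 1
  fi
  printf 'root DSE attributes present: %s\n' "$*"
  return 0
}

# Base-scope search of the root DSE (empty base DN) with the LiveSync user's
# own credentials. --trustStorePath pins the server certificate instead of
# accepting any, which is what --trustAll would do.
probe_root_dse() {
  ldapsearch --hostname "$DS_HOST" --port "$DS_PORT" --useSsl \
    --trustStorePath "${DS_TRUSTSTORE:?set DS_TRUSTSTORE to a truststore holding the DS certificate}" \
    --bindDN "$SYNC_DN" --bindPassword "$SYNC_PW" \
    --baseDN "" --searchScope base "(objectClass=*)" \
    changelog firstChangeNumber lastChangeNumber |
    check_root_dse_attrs changelog firstChangeNumber lastChangeNumber
}

if [ "${1:-}" = "probe" ]; then
  probe_root_dse
else
  # Offline demonstration against the constructed samples.
  printf '%s\n' "$SAMPLE_ROOT_DSE" | check_root_dse_attrs changelog firstChangeNumber lastChangeNumber
  printf '%s\n' "$SAMPLE_DENIED" | check_root_dse_attrs changelog firstChangeNumber lastChangeNumber || true
fi
```

Saved as, say, check-livesync-user.sh, `sh check-livesync-user.sh probe` runs the search against the live server; with no argument it only exercises the two constructed samples. If the probe reports missing attributes, the root DSE ACI above is what is lacking; if all three come back but LiveSync still fails, check the changelog privilege and the cn=changelog ACI from the documented procedure instead.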

See Also

IDM Integrator's Guide › Synchronizing Data Between Resources

DS Administration Guide › About ACIs

DS Administration Guide › Change Notification For Your Applications

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-6893 (Document ACI for regular user to access changelog attributes in root DSE)



Copyright and Trademarks

Copyright © 2020 ForgeRock, all rights reserved.