Does not apply to Identity Cloud

Unable to locate the DS replication change log suffix error in IDM (All versions)

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you get the following error when trying to use liveSync from DS to IDM: "Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix."


Symptoms

liveSync between DS and IDM fails when it binds as a regular user rather than the directory superuser (uid=admin or cn=Directory Manager).

You will see the "Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix." error in the IDM logs when this happens. The exact log snippet varies; two common forms are as follows:

  • Scheduled service "scheduler-service-group.liveSync" invocation reported failure:
    WARNING: Scheduled service "scheduler-service-group.liveSync" invocation reported failure: org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix. Please make sure it's enabled, and changelog-read access is granted.
    org.forgerock.openidm.quartz.ExecutionException: org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix. Please make sure it's enabled, and changelog-read access is granted.
        at org.forgerock.openidm.provisioner.impl.SystemObjectSetService.execute(SystemObjectSetService.java:501)
        at org.forgerock.openidm.quartz.impl.SchedulerServiceJob.execute(SchedulerServiceJob.java:135)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:223)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
    Caused by: org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix.
  • Resource exception: 500 Internal Server Error:
    WARNING: Resource exception: 500 Internal Server Error: "Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix. Please make sure it's enabled, and changelog-read access is granted."
    org.forgerock.json.resource.InternalServerErrorException: Failed to get OperationOptionsBuilder: Unable to locate the DS replication change log suffix. Please make sure it's enabled, and changelog-read access is granted.
        at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.liveSynchronize(OpenICFProvisionerService.java:878)
        at org.forgerock.openidm.provisioner.api.SystemObjectSetService.liveSync(SystemObjectSetService.java:542)
        at org.forgerock.openidm.provisioner.api.SystemObjectSetService.actionInstance(SystemObjectSetService.java:383)

Recent Changes

Configured liveSync between DS and IDM.

Created a new user for liveSync purposes.

Causes

The user does not have the necessary access rights to trigger liveSync. Typically, they are missing access to the root DSE.

When liveSync runs, it first reads the changelog attributes (changelog, firstChangeNumber and lastChangeNumber) from the root DSE, and then searches cn=changelog for those changes. liveSync therefore needs both the changelog access rights and read access to the root DSE; it fails if either is missing.

Note

The documentation in DS 6 and early versions of DS 6.5 explained how to give the necessary access rights to the changelog but missed giving access to the root DSE. This has now been corrected in later versions of DS 6.5.

Solution

This issue can be resolved by giving the user the correct access rights:

  • If you did not follow the documentation to give the user access to the changelog, then you should follow the steps in Let a User Read the Changelog (this procedure includes steps to grant access to the root DSE).
  • If you did follow the documentation but the user does not have access to the root DSE, you just need to add that access as follows (cn=adminUser,dc=example,dc=com is the liveSync user in these examples):
    • DS 7.1 and later:
      $ ./dsconfig set-access-control-handler-prop \
          --hostname ds.example.com --port 4444 \
          --bindDN uid=admin --bindPassword password \
          --add global-aci:"(target=\"ldap:///\")(targetattr = \"changeLog||firstChangeNumber||lastChangeNumber\")(version 3.0;acl \"Search and read changelog numbers\"; allow (read,search,compare) userdn=\"ldap:///cn=adminUser,dc=example,dc=com\";)" \
          --usePkcs12TrustStore /path/to/ds/config/keystore \
          --trustStorePassword:file /path/to/ds/config/keystore.pin \
          --no-prompt
    • DS 7:
      $ ./dsconfig set-access-control-handler-prop \
          --hostname ds.example.com --port 4444 \
          --bindDN uid=admin --bindPassword password \
          --add global-aci:"(target=\"ldap:///\")(targetattr = \"changeLog||firstChangeNumber||lastChangeNumber\")(version 3.0;acl \"Search and read changelog numbers\"; allow (read,search,compare) userdn=\"ldap:///cn=adminUser,dc=example,dc=com\";)" \
          --usePkcs12TrustStore /path/to/ds/config/keystore \
          --trustStorePasswordFile /path/to/ds/config/keystore.pin \
          --no-prompt
    • DS 6.x:
      $ ./dsconfig set-access-control-handler-prop \
          --hostname ds.example.com --port 4444 \
          --bindDN "cn=Directory Manager" --bindPassword password \
          --add global-aci:"(target=\"ldap:///\")(targetattr = \"changeLog||firstChangeNumber||lastChangeNumber\")(version 3.0;acl \"Search and read changelog numbers\"; allow (read,search,compare) userdn=\"ldap:///cn=adminUser,dc=example,dc=com\";)" \
          --trustAll --no-prompt
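The following is an added example, not part of this article and not ForgeRock tooling. It covers the two checks a practitioner would want before and after applying the fix above: first, the Causes section's point that liveSync reads changelog, firstChangeNumber and lastChangeNumber from the root DSE, so a base-scope root DSE search run as the liveSync bind DN must return all three (the sample search results below are constructed; DS omits attributes the bind DN cannot read rather than returning an error); second, that the global-aci being added actually names the root DSE target, all three attributes, the read/search/compare rights and the liveSync user's DN. The ACI check is a regular-expression approximation of the ACI syntax written for the form used in this article; it does not model the "*" and "+" attribute wildcards or a full ACI grammar.

```python
import re

# Constructed samples (not taken from the article): the root DSE as returned
# to two different bind DNs by a base-scope search for the changelog
# attributes, e.g. with the DS ldapsearch tool (connection options omitted):
#   ldapsearch --baseDN "" --searchScope base "(objectClass=*)" \
#       changelog firstChangeNumber lastChangeNumber
# Without an ACI granting read on these attributes DS still returns the entry
# but leaves the attributes out, which is the situation behind the error.
ROOT_DSE_VISIBLE = """\
dn:
changelog: cn=changelog
firstChangeNumber: 1
lastChangeNumber: 2891
"""

ROOT_DSE_HIDDEN = """\
dn:
"""

# LDAP attribute names are case-insensitive (the article writes both
# "changelog" and "changeLog"), so everything is compared lower-cased.
CHANGELOG_ATTRS = ("changelog", "firstchangenumber", "lastchangenumber")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Folded lines (continuation lines starting with a space) are joined;
    base64 values ("attr:: ...") are kept undecoded, enough for this check.
    """
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def missing_changelog_attrs(root_dse_ldif):
    """Return the changelog attributes absent from a root DSE search result.

    An empty list means the bind DN can read what liveSync needs from the
    root DSE; anything else means liveSync fails before it ever searches
    cn=changelog, exactly as described in the article.
    """
    attrs = parse_ldif_entry(root_dse_ldif)
    return [a for a in CHANGELOG_ATTRS if a not in attrs]


# Pieces of the ACI syntax needed for the article's global-aci, as regular
# expressions (an approximation, not a full ACI parser).
_TARGET = re.compile(r'\(target\s*=\s*"ldap:///([^"]*)"\)', re.IGNORECASE)
_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_ALLOW = re.compile(
    r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)


def aci_grants_root_dse_changelog(aci, user_dn):
    """True if this ACI lets user_dn read, search and compare the three
    changelog attributes on the root DSE (target "ldap:///").

    The attributes must be listed by name, as in the article's ACI; the
    "*" and "+" wildcards are not modelled. DNs are compared lower-cased
    after trimming surrounding whitespace only.
    """
    target, targetattr, allow = (p.search(aci) for p in (_TARGET, _TARGETATTR, _ALLOW))
    if not (target and targetattr and allow):
        return False
    if target.group(1).strip() != "":  # anything else is not the root DSE
        return False
    attrs = {a.strip().lower() for a in targetattr.group(1).split("||")}
    rights = {r.strip().lower() for r in allow.group(1).split(",")}
    granted = allow.group(2).strip().lower()
    return (set(CHANGELOG_ATTRS) <= attrs
            and {"read", "search", "compare"} <= rights
            and granted == user_dn.strip().lower())


def root_dse_changelog_aci(user_dn):
    """Build the ACI value from the article for a given liveSync user DN."""
    return ('(target="ldap:///")'
            '(targetattr = "changeLog||firstChangeNumber||lastChangeNumber")'
            '(version 3.0;acl "Search and read changelog numbers"; '
            'allow (read,search,compare) userdn="ldap:///%s";)' % user_dn)


# The article's ACI for its example user, and a constructed ACI that only
# covers the cn=changelog subtree: the gap the article's Note describes.
ARTICLE_ACI = root_dse_changelog_aci("cn=adminUser,dc=example,dc=com")
CHANGELOG_SUBTREE_ONLY_ACI = (
    '(target="ldap:///cn=changelog")(targetattr="*||+")'
    '(version 3.0; acl "changelog subtree only (constructed)"; '
    'allow (read,search,compare) userdn="ldap:///cn=adminUser,dc=example,dc=com";)')


if __name__ == "__main__":
    for label, ldif in (("bind with root DSE access", ROOT_DSE_VISIBLE),
                        ("restricted bind", ROOT_DSE_HIDDEN)):
        print(label, "- missing:", missing_changelog_attrs(ldif) or "none")
    print("article ACI covers cn=adminUser:",
          aci_grants_root_dse_changelog(ARTICLE_ACI, "cn=adminUser,dc=example,dc=com"))
    print("changelog-subtree-only ACI covers root DSE:",
          aci_grants_root_dse_changelog(CHANGELOG_SUBTREE_ONLY_ACI, "cn=adminUser,dc=example,dc=com"))
```

Run the root DSE search as the liveSync user, not as uid=admin: the superuser bypasses ACIs, so its result says nothing about whether the liveSync bind can see the attributes.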

See Also

Synchronization

Access control

Changelog for Notifications

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-6893 (Document ACI for regular user to access changelog attributes in root DSE)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.