Does not apply to Identity Cloud

Continuous query listener has lost its connection and insufficient access rights errors in AM 6.0.x

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you encounter "Continuous query listener has lost its connection" warnings accompanied by "The request control with Object Identifier (OID) "" cannot be used due to insufficient access rights" errors in AM.



Symptoms

The following warnings are shown repeatedly in the IdRepo debug log: the connection to the CTS store is established, but the persistent search request then fails and the search is restarted:

PersistentSearch:10/11/2018 03:09:14:594 PM GMT: Thread[SystemTimerPool,5,main]: TransactionId[743b0898-31f8-4a43-b30f-e30784c19ef5-94] Starting persistent search against baseDN: dc=cts,dc=example,dc=com, scope: sub, filter: (&(coreTokenType=NOTIFICATION)(objectClass=frCoreToken)), attrs: [coreTokenObject, dn] against org.forgerock.openam.cts.monitoring.impl.connections.MonitoredCTSConnectionFactory@334410e7
org.forgerock.openam.notifications.integration.brokers.CTSNotificationBroker:10/11/2018 03:09:14:595 PM GMT: Thread[OpenDJ LDAP SDK Client Worker(726),5,main]: TransactionId[743b0898-31f8-4a43-b30f-e30784c19ef5-649444] WARNING: Continuous query listener has lost its connection
PersistentSearch:10/11/2018 03:09:14:596 PM GMT: Thread[OpenDJ LDAP SDK Client Worker(726),5,main]: TransactionId[743b0898-31f8-4a43-b30f-e30784c19ef5-649444] Restarting persistent search connection against: org.forgerock.openam.cts.monitoring.impl.connections.MonitoredCTSConnectionFactory@334410e7

A corresponding insufficient access rights error is shown, for example:

  • CTS ldap-access.audit.json log:
    {"eventName":"DJ-LDAP","client":{"ip":"192.0.2.0","port":36424},"server":{"ip":"192.0.2.1","port":36890},"request":{"protocol":"LDAP","operation":"SEARCH","connId":10,"msgId":184,"dn":"dc=cts,dc=example,dc=com","scope":"sub","filter":"(&(coreTokenMultiString01=2a1e1c55-1353-44f3-83d6-04eb060cc53f)(objectClass=frCoreToken))","attrs":["coreTokenString05","dn"]},"transactionId":"d893c6b2-557a-49de-9c72-6a831765ee8d-231/158","response":{"status":"FAILED","statusCode":"12","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"The request control with Object Identifier (OID) \"2.16.840.1.113730.3.4.3\" cannot be used due to insufficient access rights","nentries":0},"timestamp":"2018-11-10T15:09:14.594Z","_id":"05afe287-a4c5-48dd-a65f-f86d1193c0f0-18723"}
  • Session debug log:
    amCoreTokenService:10/11/2018 03:09:14:594 PM GMT: Thread[CTSWorkerPool-15,5,main]: TransactionId[345e5867-025f-46db-b441-ea699659f91a-0] Failed to delete SESSION token with id KXMgkwZWiTevm5WTe0kvziKj3p0=
    org.forgerock.openam.cts.exceptions.CoreTokenException: CTS: CTS: Operation failed:
    Result Code: Unavailable Critical Extension
    Diagnostic Message: The request control with Object Identifier (OID) "1.3.6.1.1.12" cannot be used due to insufficient access rights
    Matched DN:
        at org.forgerock.openam.cts.reaper.PromiseResultHandler.processError(PromiseResultHandler.java:39)
        at org.forgerock.openam.sm.datalayer.api.AbstractTask.processError(AbstractTask.java:41)
        at org.forgerock.openam.sm.datalayer.api.AbstractTask.execute(AbstractTask.java:63)
        at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor$TaskDecorator.execute(SeriesTaskExecutor.java:231)
        at org.forgerock.openam.sm.datalayer.impl.SimpleTaskExecutor.execute(SimpleTaskExecutor.java:59)
        at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread.run(SeriesTaskExecutorThread.java:86)
        at org.forgerock.openam.audit.context.AuditRequestContextPropagatingRunnable.run(AuditRequestContextPropagatingRunnable.java:34)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: org.forgerock.openam.sm.datalayer.api.LdapOperationFailedException: CTS: Operation failed:
    Result Code: Unavailable Critical Extension
    Diagnostic Message: The request control with Object Identifier (OID) "1.3.6.1.1.12" cannot be used due to insufficient access rights

Recent Changes

Installed, or upgraded to AM 6.0.x.

Configured an external CTS token store.

Causes

The "Continuous query listener has lost its connection" message is a generic warning signifying a CTS connection issue. In conjunction with an insufficient access rights error, it implies that the required ACI has not been set up correctly for the CTS admin user:

  • The "2.16.840.1.113730.3.4.3" OID is the persistent search control, which is required by the CTS admin user.
  • The "1.3.6.1.1.12" OID is a default global ACI that gives authenticated users LDAP read access; this must be specified during the setup if DS is configured in productionMode.

Note

Configuring these ACIs is a required step detailed in the Install guide for implementing the CTS: Non-Admin User Creation and ACI Import.

Solution

This issue can be resolved by configuring the ACIs correctly for the CTS admin user:

  • If you haven't followed the steps in the Install guide, you should work through these steps to set up your CTS admin user correctly: To Create a Non-Admin User.
  • If you have followed the steps in the Install guide, something went wrong with the setup process. To identify and fix the issue, you should:
    • Double-check you followed all the steps in the Install Guide.
    • Check you applied the ACIs to the correct user: search the access log for the BIND request with the same connId as the failing request in the CTS ldap-access.audit.json log to identify the user that lacks the required ACIs. See How do I use the Access log to troubleshoot DS (All versions)? (Finding out more about the operation section) for further information on searching the access log.
    • Check your configuration for typos or malformed LDIFs; each line in the LDIFs must begin with the field name, followed by a colon and the value. If your LDIFs are badly formed, you can reformat them and reapply with the ldifmodify command.
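
The following Python script is an added example that is not part of this article and not ForgeRock code. It automates the two checks above: it reads ldap-access.audit.json events, attributes every "cannot be used due to insufficient access rights" failure to the identity bound on the same connId, and flags LDIF lines that do not start with an attribute name followed by a colon. The access-log lines and the modify LDIF embedded in it are constructed samples approximating the formats shown in this article; the ACI text in the LDIF is a placeholder for the format check, not the ACI from the Install guide.

```python
import json
import re

# Request controls named in this article; 1.3.6.1.1.12 is the LDAP Assertion
# control (RFC 4528).
KNOWN_CONTROLS = {
    "2.16.840.1.113730.3.4.3": "persistent search control",
    "1.3.6.1.1.12": "assertion control (RFC 4528)",
}

# Constructed sample of a DS ldap-access.audit.json log (approximating the format
# shown in the Symptoms section, not copied from a real server): a BIND on
# connId 10 followed by the failing SEARCH, and an unrelated healthy connection.
SAMPLE_ACCESS_LOG = r"""
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.0","port":36424},"server":{"ip":"192.0.2.1","port":36890},"request":{"protocol":"LDAP","operation":"BIND","connId":10,"msgId":1,"version":"3","dn":"uid=openam_cts,ou=admins,dc=cts,dc=example,dc=com","authType":"SIMPLE"},"transactionId":"constructed-1","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":2,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2018-11-10T15:09:10.000Z","_id":"constructed-1"}
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.0","port":36424},"server":{"ip":"192.0.2.1","port":36890},"request":{"protocol":"LDAP","operation":"SEARCH","connId":10,"msgId":184,"dn":"dc=cts,dc=example,dc=com","scope":"sub","filter":"(objectClass=frCoreToken)","attrs":["dn"]},"transactionId":"constructed-2","response":{"status":"FAILED","statusCode":"12","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"The request control with Object Identifier (OID) \"2.16.840.1.113730.3.4.3\" cannot be used due to insufficient access rights","nentries":0},"timestamp":"2018-11-10T15:09:14.594Z","_id":"constructed-2"}
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.5","port":40000},"server":{"ip":"192.0.2.1","port":36890},"request":{"protocol":"LDAP","operation":"BIND","connId":11,"msgId":1,"version":"3","dn":"cn=Directory Manager","authType":"SIMPLE"},"transactionId":"constructed-3","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2018-11-10T15:09:15.000Z","_id":"constructed-3"}
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.5","port":40000},"server":{"ip":"192.0.2.1","port":36890},"request":{"protocol":"LDAP","operation":"SEARCH","connId":11,"msgId":2,"dn":"dc=cts,dc=example,dc=com","scope":"sub","filter":"(objectClass=frCoreToken)","attrs":["dn"]},"transactionId":"constructed-4","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":3},"timestamp":"2018-11-10T15:09:16.000Z","_id":"constructed-4"}
"""

OID_RE = re.compile(r'Object Identifier \(OID\) "([0-9.]+)"')


def parse_access_log(text):
    """Parse one JSON event per non-empty line of the audit log."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_denied_controls(events):
    """Attribute every 'insufficient access rights' control failure to the
    identity bound on that connection (the BIND with the same connId)."""
    bound_dn = {}  # connId -> DN of the last BIND on that connection
    findings = []
    for ev in events:
        req = ev.get("request", {})
        resp = ev.get("response", {})
        conn = req.get("connId")
        if req.get("operation") == "BIND":
            # An empty BIND DN or a failed BIND leaves the connection anonymous.
            ok = resp.get("status") == "SUCCESSFUL"
            bound_dn[conn] = (req.get("dn") or "(anonymous)") if ok else "(anonymous)"
            continue
        detail = resp.get("detail", "")
        match = OID_RE.search(detail)
        if resp.get("status") == "FAILED" and match and "insufficient access rights" in detail:
            oid = match.group(1)
            findings.append({
                "connId": conn,
                "msgId": req.get("msgId"),
                "operation": req.get("operation"),
                "oid": oid,
                "control": KNOWN_CONTROLS.get(oid, "unknown control"),
                "boundDn": bound_dn.get(conn, "(no BIND seen for this connId)"),
                "timestamp": ev.get("timestamp"),
            })
    return findings


# An LDIF line is an attribute description followed by ':' (plain value),
# '::' (base64 value) or ':<' (URL); options such as ';binary' are allowed.
LDIF_LINE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")


def check_ldif(text):
    """Return [(line_number, line)] for lines that are not well-formed LDIF.
    Blank record separators, '#' comments, '-' modify separators and
    continuation lines (leading space) are accepted."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if line == "" or line == "-" or line[0] in "# ":
            continue
        if not LDIF_LINE_RE.match(line):
            problems.append((number, line))
    return problems


# Constructed modify record with a typo on line 4 (missing colon after "aci").
# The ACI text is a placeholder, not the ACI from the Install guide.
SAMPLE_LDIF = """\
dn: dc=cts,dc=example,dc=com
changetype: modify
add: aci
aci (targetcontrol="2.16.840.1.113730.3.4.3")(version 3.0; acl "constructed placeholder"; allow (read) userdn="ldap:///uid=openam_cts,ou=admins,dc=cts,dc=example,dc=com";)
"""


if __name__ == "__main__":
    for f in find_denied_controls(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"connId={f['connId']} msgId={f['msgId']} {f['operation']} denied "
              f"{f['control']} ({f['oid']}) for bound identity {f['boundDn']}")
    for number, line in check_ldif(SAMPLE_LDIF):
        print(f"malformed LDIF line {number}: {line[:60]}")
```

Run against a real log by replacing SAMPLE_ACCESS_LOG with the file contents: the reported boundDn is the user whose ACIs need checking, and the OID tells you which control the ACI must grant. The LDIF check only validates line shape, so a record that passes it can still be rejected by DS for a wrong DN or attribute.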

Note

These configuration steps are automated in AM 6.5 (using the am-cts profile in DS), which prevents common misconfigurations of the CTS admin user in AM 6.5 and later. See Configuring CTS in AM for further information.

See Also

Best practice for configuring an external DS instance for the Core Token Service (CTS) in AM 6.0.x

How do I know what the default Global ACIs are used for in OpenDJ 3.x?

Preparing an External Configuration Data Store

Using ACIs or Global Access Policies

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.