OpenDJ Password Synchronization Plugin fails to initialize in OpenIDM 3.0.0

Last updated Jan 5, 2021

The purpose of this article is to provide assistance when the OpenDJ Password Synchronization Plugin fails to initialize in OpenIDM 3.0.0.


This article has been archived and is no longer maintained by ForgeRock.


An error similar to the following is shown when you use the ldapmodify command to add the plugin configuration to OpenDJ's configuration:

Additional Information: The attempt to apply the configuration add failed. The preliminary checks were all successful and the entry was added to the server configuration, but at least one of the configuration add listeners reported an error when attempting to apply the change: An error occurred while trying to initialize an instance of class org.forgerock.openidm.agent.accountchange.OpenidmAccountStatusNotificationHandler as an account status notification handler as defined in configuration entry cn=OpenIDM Notification Handler,cn=Account Status Notification Handlers,cn=config: ConfigException: An error occurred during OpenIDM Password Sync plugin initialization because the ds-certificate-subject-dn: c=none,l=none,o=openidm self-signed certificate,ou=none,cn=localhost,st=none is not found in provided keystore. (

Recent Changes

Installed the OpenDJ Password Synchronization Plugin.


The self-signed certificate that is generated on startup has a certificate subjectDN of:

C=None, L=None, O=OpenIDM Self-Signed Certificate, OU=None, CN=localhost

whereas the subjectDN in the plugin configuration is:

cn=localhost,o=OpenIDM

The plugin fails to initialize because it is expecting a different self-signed certificate.


This issue can be resolved by upgrading to OpenIDM 3.1.0 as the generated self-signed certificate is now compatible with the plugin.

Alternatively, you can update the plugin configuration to match the self-signed certificate.

In the openidm-pwsync-plugin-config.ldif file (located in the /path/to/opendj/config directory), change:

ds-certificate-subject-dn: cn=localhost,o=OpenIDM Self-Signed Certificate

to:

ds-certificate-subject-dn: C=None, L=None, O=OpenIDM Self-Signed Certificate, OU=None, CN=localhost Self-Signed Certificate

You should then re-add the plugin configuration to OpenDJ's configuration using the ldapmodify command and proceed with the rest of the process to install the plugin.
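A pre-flight check you can run before re-adding the configuration, given here as an added example and not ForgeRock's code: it compares each ds-certificate-subject-dn value in the LDIF against the "Owner:" lines of saved `keytool -list -v` output for the keystore the plugin reads. The case- and order-insensitive RDN comparison is this example's own assumption about what counts as a match, and the sample inputs are constructed from the DNs quoted in this article (the alias is a placeholder).

```python
import re

ATTR = "ds-certificate-subject-dn"

def normalize_dn(dn):
    """Return a DN as a sorted tuple of lowercased (type, value) RDN pairs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(sorted(rdns))

def configured_dns(ldif_text):
    """Extract every ds-certificate-subject-dn value, unfolding LDIF continuation lines."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == ATTR:
            values.append(value.strip())
    return values

def keystore_owners(keytool_output):
    """Collect the subject DNs from the 'Owner:' lines of `keytool -list -v` output."""
    return [m.group(1).strip()
            for m in re.finditer(r"^Owner:\s*(.+)$", keytool_output, re.M)]

def check(ldif_text, keytool_output):
    """Map each configured DN to True if a keystore certificate has the same RDN set."""
    present = {normalize_dn(o) for o in keystore_owners(keytool_output)}
    return {dn: normalize_dn(dn) in present for dn in configured_dns(ldif_text)}

# Constructed sample inputs: DN values come from the article, the alias is a placeholder.
LDIF_BEFORE = """dn: cn=OpenIDM Notification Handler,cn=Account Status Notification Handlers,cn=config
ds-certificate-subject-dn: cn=localhost,o=OpenIDM Self-Signed Certificate
"""
KEYTOOL_OUTPUT = """Alias name: example-alias
Owner: CN=localhost, OU=None, O=OpenIDM Self-Signed Certificate, L=None, C=None
Issuer: CN=localhost, OU=None, O=OpenIDM Self-Signed Certificate, L=None, C=None
"""

if __name__ == "__main__":
    for dn, found in check(LDIF_BEFORE, KEYTOOL_OUTPUT).items():
        print("OK     " if found else "MISSING", dn)
```

A MISSING result for a configured DN means no certificate in the listed keystore carries that subject, which is the condition the initialization error above reports.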

See Also

OpenIDM Integrator's Guide › Managing Passwords › Password Synchronization › To Install the OpenDJ Password Synchronization Plugin

Related Issue Tracker IDs

OPENIDM-1523 (Generated self-signed cert does not work with the OpenDJ pwd sync plugin)

OPENIDM-2248 (Generated self-signed cert does not work with the OpenDJ pwd sync plugin)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.