Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials] error when reinstalling an AM 5.x or 6.x instance

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if you encounter a "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]" error when reinstalling an AM instance in a multi-server environment.


Symptoms

The following error is shown when you reinstall an AM instance in a site configuration:

The following errors were encountered reading the configuration of the existing servers:
Error on host1.example.com:4444: An error occurred connecting to the server. Details: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
The replication tool will to try to update the configuration of all the servers in a best-effort mode. However it cannot guarantee that the servers that are generating errors will be updated.

However, the install proceeds and replication continues to work.

Recent Changes

Deleted an AM instance without stopping replication and then attempted to reinstall the instance in the site configuration.

Causes

The replication configuration is not removed when you delete an AM instance from a site, which means the remaining instances still have an entry for the removed instance.

You can observe this in the admin-backend.ldif file (located in /db/adminRoot in DS 6.5 and later, /db/admin in DS 6 or /config in DS 5). For example, if you started with two instances (host1 and host2) and deleted host2, you will still see the entry associated with the removed instance:

objectClass: groupOfUniqueNames
uniqueMember: cn=host1.example.com:5444
uniqueMember: cn=host2.example.com:4444

When you attempt to reinstall the second instance in the site configuration, a conflict occurs as the remaining instances' configuration has not been updated.
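One way to check a copy of admin-backend.ldif for such a leftover entry before reinstalling is sketched below. This is an added example, not ForgeRock code; the function names and the sample LDIF (including its DNs) are assumptions constructed for illustration. It handles folded lines and base64-encoded values, which a plain text search for the host name can miss.

```python
import base64

# Constructed sample modelled on the excerpt above (DNs and folding are made up).
SAMPLE_LDIF = """\
dn: cn=example-group,cn=admin data
objectClass: groupOfUniqueNames
uniqueMember: cn=host1.example.com:5444
uniqueMember: cn=host2.exam
 ple.com:4444

dn: cn=unrelated,cn=admin data
objectClass: top
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_attr(line):
    """Split 'name: value'; 'name:: value' carries a base64-encoded value."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.lower(), rest.strip()

def group_members(text):
    """Return uniqueMember values from every groupOfUniqueNames entry."""
    members, entry = [], []
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if line.strip():
            if not line.startswith("#"):
                entry.append(parse_attr(line))
            continue
        if any(k == "objectclass" and v.lower() == "groupofuniquenames" for k, v in entry):
            members += [v for k, v in entry if k == "uniquemember"]
        entry = []
    return members

def stale_members(text, live_hosts):
    """Return members whose host is not one of the servers still in the site."""
    live = {h.lower() for h in live_hosts}
    return [m for m in group_members(text)
            if m.split("=", 1)[-1].rsplit(":", 1)[0].lower() not in live]
```

Calling stale_members() with the file contents and the host names of the instances that remain in the site returns the entries that still reference a removed instance; an empty list means none were found.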

Solution

This issue can be resolved using one of the following approaches to update the remaining instances' configuration after deleting the AM instance:

  • Restart the AM instances that remain in the site after you have removed the instance but prior to reinstalling the instance. Restarting the other AM instances updates their configuration and therefore removes the entry of the removed instance.
  • Stop replication on the DS server associated with the instance you want to remove prior to removing it. You should use dsreplication to do this, for example:
    $ ./dsreplication unconfigure --unconfigureAll --hostname ds1.example.com --port 4444 --adminUID admin --adminPassword password --trustAll --no-prompt
    This command removes the server's replication configuration from all other servers in the replication topology, meaning the remaining servers will not try to replicate to this server.

See How do I delete an AM 5.x or 6.x instance from a site along with the replicated embedded DS server? for further details.

See Also

Installing and configuring AM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-8646 (Clean up embedded OpenDJ replication config when a server is removed)

