Best Practice
ForgeRock Identity Platform
Does not apply to Identity Cloud

Best practice for LiveSync in IDM (All versions) with multiple DS instances

Last updated Mar 31, 2021

The purpose of this article is to provide best practice advice on using LiveSync in IDM when there are multiple DS instances and you are using the LDAP connector.



Do not compress, tamper with, or otherwise alter changelog database files directly unless specifically instructed to do so by a qualified ForgeRock technical support engineer. External changes to changelog database files can render them unusable by the server. By default, changelog database files are located under the /path/to/ds/changelogDb directory.

LiveSync best practice

There are two approaches to using LiveSync in IDM with DS: the default changelog mechanism, which reads the DS external changelog, and the timestamp mechanism described below.

With both approaches, you should avoid having a load balancer in front of DS as explained here: Configuration Guide › On Load Balancers. You can configure your LDAP connector for failover: How do I configure the LDAP connector in IDM (All versions) for LDAP failover?

Timestamp mechanism

Timestamps are maintained per entry for create and modify operations; however, delete operations cannot be detected via timestamps. If delete synchronization is a high priority, you should continue to use the changelog for LiveSync.

If you want to use timestamps, you should set the following property in your provisioner configuration file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory:

"useTimestampsForSync" : "true",

You should thoroughly test LiveSync with the timestamp mechanism in a development environment first to ensure it meets your needs. Using LiveSync with timestamps can potentially cause performance issues if the DS instance is managing millions of entries; the timestamp search can have a high cost when there are many entries.

LiveSync retry policy

You should consider configuring the LiveSync retry policy to define how many times a failed modification should be reattempted and what should happen in the event that the modification is unsuccessful after the specified number of attempts. This is discussed in: Synchronization Guide › Configure the LiveSync Retry Policy. If no retry policy is configured, IDM reattempts the change an infinite number of times, until the change is successful.
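The following check ties the two settings above together; it is an added example, not ForgeRock code. It assumes the documented layout of an LDAP provisioner file (configurationProperties.useTimestampsForSync) and of sync.json (mappings[].syncFailureHandler with maxRetries and postRetryAction, the retry-policy keys from the Synchronization Guide), and uses constructed sample files.

```python
"""Flag LiveSync settings that carry the caveats described on this page."""
import json

# Constructed sample provisioner: timestamp LiveSync enabled (string form, as on this page).
PROVISIONER_JSON = """{
  "name": "ldap",
  "configurationProperties": {
    "host": "ds1.example.com",
    "port": 1389,
    "useTimestampsForSync": "true"
  }
}"""

# Constructed sample sync.json: first mapping has no retry policy, second one does.
SYNC_JSON = """{
  "mappings": [
    {"name": "systemLdapAccounts_managedUser",
     "source": "system/ldap/account", "target": "managed/user"},
    {"name": "managedUser_systemLdapAccounts",
     "source": "managed/user", "target": "system/ldap/account",
     "syncFailureHandler": {"maxRetries": 5, "postRetryAction": "logged-ignore"}}
  ]
}"""


def is_true(value):
    """Accept both a JSON boolean and the string form used in the provisioner file."""
    return value is True or str(value).lower() == "true"


def check_livesync(provisioner_text, sync_text):
    """Return one finding per best-practice caveat that applies to these files."""
    findings = []
    props = json.loads(provisioner_text).get("configurationProperties", {})
    if is_true(props.get("useTimestampsForSync", False)):
        # Timestamps cover create/modify only; deletes in DS are never detected.
        findings.append("timestamp LiveSync enabled: deletes in DS will not be detected")
    for mapping in json.loads(sync_text).get("mappings", []):
        handler = mapping.get("syncFailureHandler")
        if not handler or "maxRetries" not in handler:
            # Without a policy IDM retries a failed change until it succeeds.
            findings.append(f"{mapping['name']}: no retry policy, failed changes retry forever")
    return findings


if __name__ == "__main__":
    for finding in check_livesync(PROVISIONER_JSON, SYNC_JSON):
        print("WARN:", finding)
```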

See Also

Best practice for LiveSync in IDM (All versions) with Active Directory

How do I configure the LDAP connector in IDM (All versions) for LDAP failover?

Connectors Guide › LDAP Connector

Setup Guide › Property Value Substitution

Synchronization Guide › Configure the LiveSync Retry Policy

Connectors Guide › The ForgeRock Identity Connector Framework (ICF)

Samples Guide › Connect to a MySQL Database With ScriptedSQL

Copyright © 2021 ForgeRock, all rights reserved.