OID/DIP Troubleshooting: Verify Unprocessed Changes with LAST vs. cn=changelog
This article is for OID/DIP operators who suspect that directory sync has stalled but need
a quick, defensible way to prove it. You’ll get a minimal, field-tested command set to:
read the profile’s last applied change (LAST), compare it against the actual
cn=changelog, interpret the gap, and—only if necessary—safely reset to re-drive
the reader. Each command explains why you run it and what
the result means, so you can cut noise and focus on facts.
Security note: Replace sample credentials like welcome1 with environment-safe secrets.
1) Find the profile DN
Identify the exact DN of the DIP profile entry you’re targeting.
Why run: Every later query/modify needs the precise profile DN.
What it means: The returned dn: becomes the base DN for subsequent commands.
# List agent profiles under "subscriber profile" and print only DN
ldapsearch -LLL -h dip11g -p 3060 \
  -D cn=orcladmin -w welcome1 \
  -b "cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
  -s one "(objectClass=orclodipagentprofile)" dn
2) Read orclodipConDirLastAppliedChgNum
From the profile DN, fetch the LAST value (the change number it believes it has applied).
Why run: LAST is your anchor to judge whether unprocessed changes exist.
What it means: Any changelog entry with changeNumber > LAST is potentially unprocessed.
ldapsearch -LLL -h dip11g -p 3060 \
  -D cn=orcladmin -w welcome1 \
  -b "orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
  -s base "(objectClass=*)" orclodipConDirLastAppliedChgNum
Optional: capture to a shell variable
# Match the attribute name case-insensitively; the server may return it in any case
LAST=$(ldapsearch -LLL -h dip11g -p 3060 \
  -D cn=orcladmin -w welcome1 \
  -b "orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
  -s base "(objectClass=*)" orclodipConDirLastAppliedChgNum |
  awk 'tolower($1) == "orclodipcondirlastappliedchgnum:" {print $2}')
echo "LAST = ${LAST}"
Example: If LAST=49204, next check whether 49205+ exists in changelog.
3) Check if higher changeNumber actually exists (unprocessed?)
Probe cn=changelog for entries with changeNumber > LAST.
Why run: This is the proof step—validates whether the system truly has pending changes beyond LAST.
What it means: No result ⇒ probably up-to-date. Hit found ⇒ reader hasn’t consumed or failed to apply those changes.
# If LAST=49204, see if 49205+ exists (just 1 record is enough)
ldapsearch -LLL -h dip11g -p 3060 -D cn=orcladmin -w welcome1 \
  -b "cn=changelog" "(chgNumber>=$((LAST+1)))" changeNumber -z 1
4) (Optional) Find the “top end” change number
For deeper analysis, check the root’s lastChangeNumber or fetch the latest changelog entry.
Why run: Gauges how far behind you are (gap between LAST and the system’s max).
What it means: A large gap suggests accumulated lag and higher catch-up cost.
4-1. RootDSE lastChangeNumber
ldapsearch -LLL -h dip11g -p 3060 \
  -D "cn=orcladmin" -w welcome1 \
  -b "" -s base "(objectClass=*)" lastChangeNumber
4-2. Latest changeNumber from changelog
ldapsearch -LLL -h dip11g -p 3060 -D cn=orcladmin -w welcome1 \
  -b "cn=changelog" -s one "(objectClass=*)" changeNumber -S changeNumber:desc -z 1
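Steps 2 to 4 combined into one check, as an added example that is not part of the original article: it parses captured ldapsearch output for LAST and lastChangeNumber and reports the gap. The function names and the sample LDIF are constructed for illustration. Validating LAST matters because an empty value makes $((LAST+1)) evaluate to 1 in bash, so the step 3 probe would match the oldest changelog entry and look like a backlog.

```shell
#!/bin/sh
# Added example; function names and sample LDIF below are constructed.

# Print the first value of attribute $1 from LDIF on stdin. Names are compared
# case-insensitively, since the server may not echo the case you requested.
ldif_attr() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    { sub(/\r$/, "")
      i = index($0, ":")
      if (i > 1 && tolower(substr($0, 1, i - 1)) == want) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      } }'
}

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# sync_status LAST TOP
#   up-to-date               LAST equals the newest change number
#   behind:<gap>             changes LAST+1..TOP are unprocessed candidates
#   last-ahead-of-changelog  checkpoint points past the newest change
#   invalid                  a value is empty or non-numeric (query failed?)
sync_status() {
  is_uint "$1" && is_uint "$2" || { echo "invalid"; return 1; }
  if [ "$2" -gt "$1" ]; then echo "behind:$(($2 - $1))"
  elif [ "$2" -eq "$1" ]; then echo "up-to-date"
  else echo "last-ahead-of-changelog"; fi
}

# Constructed sample output of the step 2 and step 4-1 queries.
PROFILE_LDIF='dn: orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipcondirlastappliedchgnum: 49204'
ROOT_LDIF='dn:
lastchangenumber: 49310'

LAST=$(printf '%s\n' "$PROFILE_LDIF" | ldif_attr orclodipConDirLastAppliedChgNum)
TOP=$(printf '%s\n' "$ROOT_LDIF" | ldif_attr lastChangeNumber)
echo "LAST=$LAST TOP=$TOP status=$(sync_status "$LAST" "$TOP")"
```

In live use, pipe the real ldapsearch output into ldif_attr instead of the sample variables.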
5) Recommended checks & actions
- Profile property: read LAST ⇒ search cn=changelog for (chgNumber >= LAST+1)
- Mode/control: inspect orclodipSynchronizationMode, orclodipAgentControl
- Reader log: ensure "Searching changelog with base=cn=changelog" appears on startup
- Force reset (caution): lower LAST to a safe earlier value and restart (backup first)
- Replication load: use oidmon -cmd showreplmon to spot busy loops / contention
6) Safe force-reset (only when needed)
Use only when unprocessed changes are confirmed and the reader won’t progress.
Why run: Recover from a stuck reader caused by an incorrect LAST checkpoint.
What it means: Lowering LAST makes DIP re-read from that point; lowering too far may re-apply changes.
6-1. Backup the profile entry (LDIF)
# Quote "*" and "+" so the shell passes them to ldapsearch instead of expanding them
ldapsearch -LLL -h dip11g -p 3060 -D "cn=orcladmin" -w welcome1 \
  -b "orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
  -s base "(objectClass=*)" "*" "+" > MsadSyncProfile_backup.ldif
6-2. Adjust LAST (LDIF, saved as reset_last.ldif)
dn: orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclodipConDirLastAppliedChgNum
orclodipConDirLastAppliedChgNum: 49200
6-3. Apply
ldapmodify -h dip11g -p 3060 -D "cn=orcladmin" -w welcome1 -f reset_last.ldif
Note: Always back up before changing LAST. After restart, verify the reader queries changelog again.
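A guard for the force-reset, as an added example that is not part of the original article: it writes reset_last.ldif only when a non-empty backup containing the profile DN exists and the target is a number lower than the current LAST. The helper names and the demo backup file are constructed; the backup's DN is deliberately wrapped to show LDIF line folding being handled.

```shell
#!/bin/sh
# Added example (hypothetical helper names): build reset_last.ldif only when
# the preconditions from section 6 hold.
ATTR=orclodipConDirLastAppliedChgNum

# Join LDIF continuation lines (a line starting with one space continues the
# previous line), so a long DN wrapped by the client still matches.
unfold_ldif() {
  awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
       NR > 1 { print buf }
       { buf = $0 }
       END { if (NR) print buf }' "$1"
}

# write_reset_ldif DN CURRENT_LAST TARGET BACKUP_FILE OUT_FILE
write_reset_ldif() {
  for n in "$2" "$3"; do
    case "$n" in ''|*[!0-9]*) echo "not a change number: '$n'" >&2; return 1 ;; esac
  done
  [ "$3" -lt "$2" ] || { echo "target must be lower than current LAST" >&2; return 1; }
  [ -s "$4" ] || { echo "backup missing or empty: $4" >&2; return 1; }
  unfold_ldif "$4" | grep -iqxF "dn: $1" ||
    { echo "backup does not contain the profile DN" >&2; return 1; }
  # Write the modify LDIF readable by the current user only.
  ( umask 077
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
      "$1" "$ATTR" "$ATTR" "$3" > "$5" )
}

# Constructed demo: a backup file whose DN line is folded across two lines.
DEMO_DIR=$(mktemp -d)
DN='orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory'
printf 'dn: orclodipagentname=MsadSyncProfile,cn=subscriber profile,cn=changelog subscr\n iber,cn=oracle internet directory\n%s: 49204\n' \
  "$ATTR" > "$DEMO_DIR/MsadSyncProfile_backup.ldif"

write_reset_ldif "$DN" 49204 49200 \
  "$DEMO_DIR/MsadSyncProfile_backup.ldif" "$DEMO_DIR/reset_last.ldif" &&
  cat "$DEMO_DIR/reset_last.ldif"
```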
7) Reader debugging tips
Determine whether the reader is not querying changelog at all—or reading but failing to apply.
Why run: The fix differs for “not reading” vs. “read but fail.”
What it means: If Searching changelog with base=cn=changelog is missing, check profile/mode/control/credentials first.
- JVM flag: -Doracle.security.jps.debug=true
- Log needle: Searching changelog with base=cn=changelog
