VMware Identity Manager Directory Sync fails with Error 'Response from connector: Failed to complete dry run'

Article ID: 314594

Products

VMware Aria Suite

Issue/Introduction

  • Directory sync fails with the following errors:
     Response from connector: Failed to complete dry run.
     Failed to parse the response received from connector.

  • Unable to sync the domain users and groups from the VMware Identity Manager (vIDM) connectors.
  • Unable to log in to Aria Automation and Aria Lifecycle Manager using a domain user.

  • The "connector.log" file contains error messages similar to:
    INFO  (Thread-12) com.vmware.horizon.client.rest.Utils - END   sendRequestBase (https://localhost/SAAS/t/VIDMHOST/API/1.0/REST/admin/sync/groups/AD-Group-ID/memberswithdirectness?size=10000&start=0, ..., application/json, GET, null, ...)
    
    ERROR (Thread-12) com.vmware.horizon.connector.mvc.UIAlerts - Failed to complete sync due to a problem with the service. Exception Info: The service reported that group: AD-GROUP-ID (ActiveDirectoryGroup@Domain) contains an unreported user: <AD-USER-ID>
    
    ERROR (Thread-12) com.vmware.horizon.connector.rest.SyncConfigurationRestController - Failed to complete dry run.com.vmware.horizon.client.rest.Exception.ApiException: The service reported that group: AD-GROUP-ID (ActiveDirectoryGroup@Domain) contains an unreported user: <AD-USER-ID>

Environment

VMware Identity Manager 3.3.x

Cause

This may be caused by:

  • Incorrect credentials in the Base DN / Bind DN section of the sync settings for this domain in vIDM
  • Invalid permissions on the 'krb5.conf' file (/usr/local/horizon/conf/krb5.conf)

    - The following exception appears in /opt/vmware/horizon/workspace/logs/connector.log on the vIDM node:

    ERROR (pool-158-thread-1) [;;;] com.vmware.horizon.connector.rest.DirectoryRestController - Failed to resolve and save domains.
    com.vmware.horizon.directory.DirectoryServiceException: Unable to populate KDCs
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithOptimizedKDCLookup.initializeKdcs(KerberosConnectServiceWithOptimizedKDCLookup.java:69) ~[adapter-ldap-0.1.jar:3.3.5.0 Build 18049997]
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithOptimizedKDCLookup.getKerberosAuthenticatedSubject(KerberosConnectServiceWithOptimizedKDCLookup.java:86) ~[adapter-ldap-0.1.jar:3.3.5.0 Build 18049997]
    at
    Caused by: java.nio.file.AccessDeniedException: /usr/local/horizon/conf/krb5.conf
    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84) ~[?:1.8.0_292]
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) ~[?:1.8.0_292]
  • An unreported user within the Active Directory group synchronized with vIDM.

Resolution

Scenario 1: Incorrect credentials in the Base DN / Bind DN section of the sync settings for this domain in vIDM

Enter the password for the configured user under the Base DN / Bind DN settings for this domain in vIDM.

Scenario 2: Invalid permissions on the 'krb5.conf' file (/usr/local/horizon/conf/krb5.conf)

  1. Check the permissions of the conf folder on the primary node and the replica nodes:
    • ls -l /usr/local/horizon
  2. If they are not the same, set the appropriate ownership and permissions on the conf folder on the replica nodes using the chown and chmod commands:
    • chown root:www /usr/local/horizon/conf
    • chmod 775 /usr/local/horizon/conf
  3. The permissions should then be:
    • drwxrwxr-x 11 root    www  4096 Nov 19 17:15 conf
  4. Save the 'Domains' tab after setting the permissions, then resync the directory.

Scenario 3: Unreported user within the Active Directory group synchronized with vIDM

Review the Active Directory group synchronized with vIDM and remove the unreported user ID.
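
To tell which scenario a failed sync points at, the following added example (not VMware code) scans connector.log text for the two error signatures quoted in this article: the unreported-user message (Scenario 3) and the AccessDeniedException on krb5.conf (Scenario 2). The function names and the sample lines are constructed for illustration; Scenario 1 has no log signature quoted in this article, so it is not detected.

```bash
#!/usr/bin/env bash
# Added example (not VMware code): map the connector.log error signatures quoted
# in this article to the resolution scenario they point at.
# Usage after sourcing this file:
#   triage_connector_log < /opt/vmware/horizon/workspace/logs/connector.log

# Constructed sample, modelled on the article's excerpts; IDs are placeholders.
sample_log() {
  cat <<'EOF'
INFO  (Thread-12) com.vmware.horizon.client.rest.Utils - END   sendRequestBase (...)
ERROR (Thread-12) com.vmware.horizon.connector.mvc.UIAlerts - Failed to complete sync due to a problem with the service. Exception Info: The service reported that group: AD-GROUP-ID (ActiveDirectoryGroup@Domain) contains an unreported user: <AD-USER-ID>
ERROR (Thread-12) com.vmware.horizon.connector.rest.SyncConfigurationRestController - Failed to complete dry run.com.vmware.horizon.client.rest.Exception.ApiException: The service reported that group: AD-GROUP-ID (ActiveDirectoryGroup@Domain) contains an unreported user: <AD-USER-ID>
com.vmware.horizon.directory.DirectoryServiceException: Unable to populate KDCs
Caused by: java.nio.file.AccessDeniedException: /usr/local/horizon/conf/krb5.conf
EOF
}

# Reads a log on stdin; prints one tab-separated finding per distinct cause.
triage_connector_log() {
  awk '
    { sub(/[ \t\r]+$/, "") }   # tolerate trailing blanks and CRLF line endings

    # Scenario 3: the service names the group and the user it cannot account for.
    / contains an unreported user: / {
      group = $0
      sub(/.*reported that group: /, "", group)
      sub(/ contains an unreported user: .*/, "", group)
      user = $0
      sub(/.* contains an unreported user: /, "", user)
      key = group SUBSEP user
      # UIAlerts and SyncConfigurationRestController log the same pair; report once.
      if (!(key in seen)) {
        seen[key] = 1
        printf "scenario3\tgroup=%s\tuser=%s\n", group, user
      }
    }

    # Scenario 2: the connector process is denied access to krb5.conf.
    /AccessDeniedException: .*krb5\.conf$/ {
      path = $0
      sub(/.*AccessDeniedException: /, "", path)
      if (!(path in denied)) {
        denied[path] = 1
        printf "scenario2\tpath=%s\n", path
      }
    }
  '
}
```
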