Querying user accounts in the vSphere Web Client fails with the error: Cannot load the users for the selected domain
Article ID: 344334

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • You are unable to query user accounts in vSphere Web Client.
  • This issue occurs when you attempt to add a user to vCenter Server permissions.
  • You see the error:

    Cannot load the users for the selected domain

  • This issue occurs when your directory service is OpenLDAP 2.4 or later.
  • This issue occurs when you are using an OpenLDAP identity source within vCenter Single Sign-On.
  • In the C:\ProgramData\VMware\CIS\logs\vmware-sso\vmware-sts-idmd.log file, you see entries similar to:

    YYYY-MM-DD 16:51:05,273 ERROR [IdentityManager] Failed to find objects [Criteria : searchString=, domain=SSOTEST.COM] in tenant [vsphere.local]
    YYYY-MM-DD 16:51:05,274 ERROR [ServerUtils] Exception 'com.vmware.identity.interop.ldap.SizeLimitExceededLdapException: Size Limit Exceeded
    LDAP error [code: 4]'
    com.vmware.identity.interop.ldap.SizeLimitExceededLdapException: Size Limit Exceeded
    LDAP error [code: 4]
    at com.vmware.identity.interop.ldap.LdapErrorChecker$4.RaiseLdapError(LdapErrorChecker.java:74)
    at com.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:826)
    at com.vmware.identity.interop.ldap.WinLdapClientLibrary.CheckError(WinLdapClientLibrary.java:588)
    at com.vmware.identity.interop.ldap.WinLdapClientLibrary.ldap_one_paged_search(WinLdapClientLibrary.java:399)
    at com.vmware.identity.interop.ldap.LdapConnection$5.call(LdapConnection.java:588)
    at com.vmware.identity.interop.ldap.LdapConnection$5.call(LdapConnection.java:585)
    at com.vmware.identity.interop.ldap.LdapConnection.execute(LdapConnection.java:60)
    at com.vmware.identity.interop.ldap.LdapConnection.search_one_page_internal(LdapConnection.java:584)
    at com.vmware.identity.interop.ldap.LdapConnection.paged_search(LdapConnection.java:534)
    at com.vmware.identity.idm.server.provider.ldap.LdapProvider.findUsers(LdapProvider.java:540)
    at com.vmware.identity.idm.server.provider.ldap.LdapProvider.find(LdapProvider.java:1068)
    at com.vmware.identity.idm.server.IdentityManager.find(IdentityManager.java:3698)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at sun.rmi.transport.Transport$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

    Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.
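
To confirm from vmware-sts-idmd.log that a failed user lookup was caused by the LDAP size limit (error code 4) and not by some other fault, the pairing of entries shown in the excerpt above can be checked mechanically. This is an added example, not VMware code: the function name `size_limit_failures` and the sample lines are constructed, and it assumes the exception entry is the next timestamped entry after the failed-lookup entry, as in the excerpt.

```python
import re
from collections import Counter

# Constructed sample modeled on the excerpt above; dates and the second
# (unrelated) failure are made up for illustration.
SAMPLE_LOG = """\
2024-01-15 16:51:05,273 ERROR [IdentityManager] Failed to find objects [Criteria : searchString=, domain=SSOTEST.COM] in tenant [vsphere.local]
2024-01-15 16:51:05,274 ERROR [ServerUtils] Exception 'com.vmware.identity.interop.ldap.SizeLimitExceededLdapException: Size Limit Exceeded
LDAP error [code: 4]'
    at com.vmware.identity.interop.ldap.LdapConnection.paged_search(LdapConnection.java:534)
2024-01-15 16:52:10,101 ERROR [IdentityManager] Failed to find objects [Criteria : searchString=adm, domain=OTHER.LOCAL] in tenant [vsphere.local]
2024-01-15 16:52:10,102 ERROR [ServerUtils] Exception 'java.lang.IllegalStateException: constructed unrelated failure'
"""

# A new log entry starts with "<date> HH:MM:SS,mmm LEVEL "; stack frames and
# the "LDAP error [code: 4]" continuation lines do not.
ENTRY_START = re.compile(r"^\S+ \d{2}:\d{2}:\d{2},\d{3} \w+ ")
FAILED_LOOKUP = re.compile(
    r"Failed to find objects \[Criteria : searchString=.*?, "
    r"domain=(.*?)\] in tenant \[(.*?)\]"
)


def size_limit_failures(lines):
    """Count failed lookups whose next log entry is a size-limit exception.

    Returns a Counter keyed by (tenant, domain).
    """
    hits = Counter()
    pending = None  # last failed lookup that has not been explained yet
    for line in lines:
        m = FAILED_LOOKUP.search(line)
        if m:
            pending = (m.group(2), m.group(1))
            continue
        if pending and ENTRY_START.match(line):
            if "SizeLimitExceededLdapException" in line:
                hits[pending] += 1
            pending = None  # any other entry closes the pairing window
    return hits


if __name__ == "__main__":
    for (tenant, domain), n in size_limit_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{n} size-limit failure(s): domain={domain} tenant={tenant}")
```

Only domains reported by this check match the symptom described here; failed lookups followed by a different exception have another cause.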


Environment

VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 5.5.x
VMware vSphere Web Client 5.5.x
VMware vCenter Server 6.5.x

Cause

This issue occurs when the VMware Identity Management (IDM) service experiences a timeout as it attempts to query the vSphere Web Client and reports an exception error.

Resolution

This is a known issue affecting vSphere Web Client 5.5 and 6.5.
Currently, there is no resolution.

To work around this issue, increase the olcSizeLimit timeout value on the OpenLDAP server(s) to 30000.

Caution: Contact your OpenLDAP administrator to make modifications on the OpenLDAP server(s).


Additional Information

For more information on olcSizeLimit, see the Configuring slapd section in the OpenLDAP web page.

For related information, see the OpenLDAP documentation.
Note: The links in this article were correct as of November 7, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.