AD group are not syncing with Identity Manager and users are able to access aria automation.

Article ID: 377226

Products

VMware Aria Suite VMware

Issue/Introduction

AD (Active Directory) groups are not syncing with Identity Manager, and users are able to access Aria Automation.

Environment

VMware Identity Manager 3.x

Cause

  • The sync result in the sync log shows a very old date.
  • All AD groups show as not synced under Users in Group, reached from the Users & Groups tab in the vIDM UI.
  • When you sync an AD (Active Directory) group, any users whose primary group in Active Directory is not Domain Users are not synced.
  • Members of a group do not sync to the directory until the group is entitled to applications or added to an access policy rule; add all users who need to authenticate before group entitlements are configured.

Resolution


1. Check all the groups collected under Identity & Access Management > Sync Settings > Groups tab.
2. Select or deselect the Sync nested group members check box, as needed.
3. Run the command below on the primary node to increase the OpenSearch max shard count to 6500/8200 (the command as shown sets 8200):

curl -X PUT localhost:9200/_cluster/settings -H "Content-Type: application/json" -d '{ "persistent":
{ "cluster.max_shards_per_node": "8200" }
}'
 
4. Restart the main vIDM service, first on the primary node; wait a minute or two, then restart it on the other two nodes:

service horizon-workspace restart

5. Re-save all tabs under Identity & Access Management > Sync Settings: open each tab one by one, click Save, then Save and sync.
6. Under Users & Groups > Groups, click the group, then on the Users tab click Sync Users and refresh.
7. Check and confirm that all issues reported above are resolved.
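Step 3 raises the OpenSearch shard ceiling without showing how close the node actually is to it. The script below is an added example, not part of this KB or of the vIDM product: it reads the standard _cluster/health and _cluster/settings responses from the embedded OpenSearch (assumed, as in the KB's curl, to answer on localhost:9200), computes the cluster-wide limit, and reports whether the limit is reached before the operator applies the PUT. The sample JSON bodies inside it are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the KB: measure the shard headroom of the OpenSearch instance
# embedded in vIDM before raising cluster.max_shards_per_node. Assumes OpenSearch answers
# on localhost:9200 (as the KB's curl does) and uses the standard _cluster/health and
# _cluster/settings response fields. 1000 is the OpenSearch default per-node shard limit.
OS_URL="${OS_URL:-http://localhost:9200}"
DEFAULT_MAX=1000

# Extract an integer field from a JSON body on stdin without jq: split the body into one
# key/value per line, take the first match, strip the key and any surrounding quotes.
json_int() {
    tr ',{}' '\n\n\n' | grep "\"$1\"[[:space:]]*:" | head -n 1 \
        | sed 's/.*:[[:space:]]*"\{0,1\}\([0-9][0-9]*\).*/\1/'
}

# Cluster-wide limit is max_shards_per_node * data nodes. Prints OK, NEAR_LIMIT (>=90%) or AT_LIMIT.
# $1 = active shards, $2 = data nodes, $3 = max_shards_per_node
shard_status() {
    limit=$(( $2 * $3 ))
    if [ "$1" -ge "$limit" ]; then echo AT_LIMIT
    elif [ $(( $1 * 10 )) -ge $(( limit * 9 )) ]; then echo NEAR_LIMIT
    else echo OK
    fi
}

# $1 = _cluster/health body, $2 = _cluster/settings?flat_settings=true body
evaluate() {
    active=$(printf '%s' "$1" | json_int active_shards)
    nodes=$(printf '%s' "$1" | json_int number_of_data_nodes)
    max=$(printf '%s' "$2" | json_int cluster.max_shards_per_node)
    shard_status "$active" "$nodes" "${max:-$DEFAULT_MAX}"   # unset setting means the default applies
}

# Live check: only GETs are issued; the KB's PUT is printed for the operator, not run.
check_node() {
    health=$(curl -sf "$OS_URL/_cluster/health")
    settings=$(curl -sf "$OS_URL/_cluster/settings?flat_settings=true")
    status=$(evaluate "$health" "$settings")
    echo "shard status: $status"
    [ "$status" = OK ] || echo "consider raising the limit: curl -X PUT $OS_URL/_cluster/settings -H 'Content-Type: application/json' -d '{\"persistent\":{\"cluster.max_shards_per_node\":\"8200\"}}'"
}

# Constructed sample bodies (not captured from a real node) so the logic runs offline:
# 2950 active shards on 3 data nodes with no explicit limit set -> 2950 of 3000 -> NEAR_LIMIT.
SAMPLE_HEALTH='{"cluster_name":"vidm","status":"green","number_of_data_nodes":3,"active_shards":2950}'
SAMPLE_SETTINGS='{"persistent":{},"transient":{}}'
demo() { evaluate "$SAMPLE_HEALTH" "$SAMPLE_SETTINGS"; }
```

Run `check_node` on the primary node; if it prints anything other than OK, the shard ceiling is a plausible reason the sync log has stopped advancing and step 3 is warranted.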