AD (Active Directory) groups are not syncing with Identity Manager, and users are able to access Aria Automation.
Directory sync succeeded earlier, but sync attempts now hit the sync safeguards, which report the deletion of many users.
Environment
VMware Identity Manager 3.x
Cause
Improper group sync can have several causes:
Sync has not run successfully recently: the sync log shows a very old date for the last successful sync.
The required groups are not selected for sync: all AD groups show as not synced under Users in Groups on the Users & Groups tab of the vIDM UI.
When you sync a group, any users whose primary group in Active Directory is not Domain Users are not synced.
Members of groups do not sync to the directory until the group is entitled to applications or added to an access policy rule; add all users who need to authenticate before group entitlements are configured.
The Sync nested group members option is not selected.
Resolution
Check all the groups added under VIDM Administrator Portal > Identity & Access Management > Sync Settings > Groups tab.
Select or deselect the Sync nested group members check box, as needed.
Run the following command on the primary node to increase the OpenSearch max shards count to 6500/8200:
Restart the main vIDM service, first on the primary node, wait a minute or two, then on the other two nodes: /etc/init.d/horizon-workspace restart
Resave all tabs under Identity & Access Management > Sync Settings, saving each tab one by one, then click Save and Sync.
From Users and Groups > Groups (click the group) > Sync Users from the Users tab > refresh.
Check and confirm that all the issues reported above are resolved.
Additional Information
A shard is a unit of data distribution in the OpenSearch/Elasticsearch analytics search engine; shards are used to distribute data around the cluster.
A shard is a Lucene index; Lucene is a full-text search library that acts as both a data store and a search engine. Shards logically partition data, and each shard indexes and handles queries for a subset of the data. Sharding separates large databases into smaller parts that are faster and easier to manage.
In 3.3.6 and earlier versions, the IDM appliance used the Elasticsearch search engine, where the number of shards was set to about 1000.
vIDM 3.3.7 uses the OpenSearch search engine, which handles search over a larger number of objects with bigger data distribution units, and hence needs the shard count set to a higher number.
After upgrading to IDM 3.3.7, it is recommended to increase the number of shards to a higher number.
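As an added example (not part of this article and not VMware tooling), the following Python script reads the two JSON documents that OpenSearch returns from GET _cluster/settings?include_defaults=true and GET _cluster/health, resolves the effective cluster.max_shards_per_node limit with OpenSearch's precedence (transient over persistent over default), and compares the active shard count against the cluster-wide ceiling (per-node limit multiplied by the number of data nodes). This lets you confirm whether the shard limit is what is blocking indexing before and after you raise it. The sample responses, node count and shard numbers are constructed; the endpoint names and setting name are the real OpenSearch ones, and the 6500 target is the article's figure.

```python
import json

# Constructed sample responses in the shape OpenSearch returns from
# GET _cluster/settings?include_defaults=true and GET _cluster/health.
# Assumption: the values are illustrative, not taken from a real appliance.
SAMPLE_SETTINGS = json.dumps({
    "persistent": {},
    "transient": {},
    "defaults": {"cluster": {"max_shards_per_node": "1000"}},
})
SAMPLE_HEALTH = json.dumps({
    "cluster_name": "vidm-cluster",
    "number_of_data_nodes": 3,
    "active_shards": 2850,
})

SETTING = "cluster.max_shards_per_node"


def _lookup(tree, dotted):
    """Walk a nested dict by a dotted key. OpenSearch may return either
    nested objects or flat dotted keys, so both forms are handled."""
    if dotted in tree:
        return tree[dotted]
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective_max_shards_per_node(settings_json):
    """Resolve the per-node limit: transient overrides persistent,
    which overrides the built-in default."""
    doc = json.loads(settings_json)
    for scope in ("transient", "persistent", "defaults"):
        value = _lookup(doc.get(scope, {}), SETTING)
        if value is not None:
            return int(value)
    return 1000  # OpenSearch/Elasticsearch default when nothing is reported


def shard_headroom(settings_json, health_json):
    """Return (active_shards, cluster_limit, utilisation); the cluster
    limit is max_shards_per_node * number of data nodes (open indices)."""
    health = json.loads(health_json)
    per_node = effective_max_shards_per_node(settings_json)
    limit = per_node * health["number_of_data_nodes"]
    active = health["active_shards"]
    return active, limit, active / limit


def raise_limit_body(max_shards_per_node):
    """Build the PUT _cluster/settings body that persists a higher limit."""
    return json.dumps({"persistent": {SETTING: int(max_shards_per_node)}})


if __name__ == "__main__":
    active, limit, util = shard_headroom(SAMPLE_SETTINGS, SAMPLE_HEALTH)
    print(f"active shards {active} of {limit} ({util:.0%})")
    if util >= 0.9:
        print("shard limit nearly reached; raise it with a body such as:")
        print(raise_limit_body(6500))
```

Run the check against the live endpoints on the primary node before and after the change: a utilisation close to 100% means new indices cannot be created, which is the condition that stalls sync indexing; after the persistent setting is applied the same script should report the larger ceiling.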