Understanding the errors in AD/LDAP sync log

Article ID: 386871

Updated On: 06-17-2025

Products

VMware Cloud Foundation

Issue/Introduction

  • To sync users and groups from Active Directory, the VMware Identity broker performs a directory sync against the configured Active Directory or LDAP server.
  • This sync can fail for several reasons. This document lists the messages the sync log can report, the likely cause of each, and what to check.

Environment

VCF 9.0

Resolution

Error codes for sync failure in AD/LDAP and OpenLDAP
 
LDAP server is not reachable - The broker could not connect to or bind against the LDAP server. This can be caused by network issues, a firewall block, an incorrect hostname, or invalid BIND credentials. Verify the connection settings and the bind credentials, then retry the sync.
 
An internal error occurred during a sync with the LDAP server - An exception occurred inside the VCF Identity broker while the sync was running. Retry the sync. If the issue persists, contact support.
 

Additional Error codes for sync failure in OpenLDAP
 
The users don't have the required object UUID property - The unique attribute used to search for the user is mandatory. It is configured as 'Object UUID' in the OpenLDAP configuration workflow. Ensure the mapping is correct and that every user object has this attribute.
 
The groups don't have the required object UUID property - The unique attribute used to search for the group is mandatory. It is configured as 'Object UUID' in the OpenLDAP configuration workflow. Ensure the mapping is correct and that every group object has this attribute.
 

Error codes for users/groups not getting provisioned in AD/LDAP and OpenLDAP
 
Invalid user attribute name - If the mandatory 'Username' attribute is mapped to an attribute name that is not valid in the LDAP server, the user is not provisioned. Ensure the attribute is mapped to a valid attribute name in the LDAP server.
 
Multiple attribute values - If a user or group carries more than one value for a mapped attribute, the user or group cannot be provisioned; the sync expects exactly one value per mapped attribute. Ensure each mapped attribute has a single value in the LDAP server.
 
Missing required attributes {attribute name} for user - If the mandatory 'Username' attribute is missing on the user object in the LDAP server, the user is not provisioned. Ensure the attribute is populated and mapped properly in the LDAP server.
 
User Query Failed - The user that was configured to be provisioned could not be found in the LDAP server. This may be because the user was deleted from the LDAP server after SSO was configured.
 
Group Query Failed - The group that was configured to be provisioned could not be found in the LDAP server. This may be because the group was deleted from the LDAP server after SSO was configured.
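The following Python script is an added example, not part of this article and not VCF Identity Broker code. It runs the checks behind the errors in the two sections above over an LDIF export of the sync base DN: it flags user and group objects that lack the 'Object UUID' attribute, that lack the 'Username' (or group name) attribute, or that carry more than one value for a mapped attribute, and it reports configured users or groups that are no longer present in the directory (the 'User Query Failed' / 'Group Query Failed' case). The attribute mappings (entryUUID and uid for OpenLDAP, objectGUID and sAMAccountName for Active Directory), the objectClass values used to tell users from groups, and the sample entries are assumptions made for the example, not VCF defaults; substitute the attributes your own directory configuration maps.

```python
import base64
from collections import namedtuple

# Added example, not VCF Identity Broker code. The attribute mappings, object
# classes and sample export below are assumptions, not VCF defaults.
Profile = namedtuple("Profile", "name uuid_attr username_attr group_name_attr")
OPENLDAP = Profile("OpenLDAP", "entryUUID", "uid", "cn")
ACTIVE_DIRECTORY = Profile("Active Directory", "objectGUID", "sAMAccountName", "sAMAccountName")
USER_CLASSES = {"inetorgperson", "person", "user", "posixaccount"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup", "group"}


def parse_ldif(text):
    """Parse an LDIF export into [(dn, {attr_lower: [values]})]; '::' values become hex."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # LDIF folds long values onto indented lines
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:                # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).hex() if rest.startswith(":") else rest.strip()
        name = name.strip().lower()             # LDAP attribute names are case-insensitive
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def entry_kind(attrs):
    """'user', 'group', or None for objects the sync does not provision."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    return "user" if classes & USER_CLASSES else "group" if classes & GROUP_CLASSES else None


def check_entry(attrs, profile, kind):
    """Return [(sync-log condition, attribute)] for one user or group object."""
    name_attr = profile.username_attr if kind == "user" else profile.group_name_attr
    problems = []
    if profile.uuid_attr.lower() not in attrs:
        problems.append((f"The {kind}s don't have the required object UUID property", profile.uuid_attr))
    if name_attr.lower() not in attrs:
        problems.append((f"Missing required attributes {name_attr} for {kind}", name_attr))
    for attr in (profile.uuid_attr, name_attr):
        if len(attrs.get(attr.lower(), [])) > 1:  # the sync expects exactly one value
            problems.append(("Multiple attribute values", attr))
    return problems


def audit(ldif_text, profile):
    """Map each user/group DN in the export to the conditions it would trigger."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        kind = entry_kind(attrs)
        if kind is not None:
            report[dn] = check_entry(attrs, profile, kind)
    return report


def query_failures(configured, ldif_text):
    """configured: {dn: 'user'|'group'}; DNs missing from the export (e.g. deleted
    after SSO was set up) map to the 'User/Group Query Failed' condition."""
    present = {dn.lower() for dn, _ in parse_ldif(ldif_text)}
    return {dn: f"{kind.capitalize()} Query Failed"
            for dn, kind in configured.items() if dn.lower() not in present}


# Constructed sample export, not from a real directory: a clean user, a user with two
# uid values, a user missing both uid and entryUUID, and a clean group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
entryUUID: 1b2f0a5e-6c2e-4f0a-9b1a-0f3c6a1d9e01

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
uid: robert
entryUUID: 7d0c3e11-2a4b-4c8d-8e9f-1a2b3c4d5e02

dn: cn=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Carol Example

dn: cn=vcf-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: vcf-admins
member: uid=alice,ou=people,dc=example,dc=com
entryUUID: 0a1b2c3d-4e5f-4a6b-9c7d-8e9f0a1b2c04
"""
```

Call audit() with an LDIF export of the base DN the sync is configured for and the profile matching your directory; each DN maps to the list of conditions it would produce in the sync log, so a clean export returns empty lists for every entry. query_failures() takes the DNs selected for provisioning and reports those no longer present in the export. Because the parser lower-cases attribute names and decodes base64 values, an Active Directory export with a binary objectGUID is handled the same way as an OpenLDAP export with entryUUID.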