Groups can't be synchronized with LDAP or AD in VMware Identity Manager/vIDM.

Article ID: 398445


Products

VMware Aria Suite

Issue/Introduction

  • VMware Identity Manager/vIDM can't synchronize users or groups from AD or LDAP. The error shown in the user interface is "Response from the connector: Failed to complete dry run."
  • The /opt/vmware/horizon/workspace/logs/connector.log file shows exceptions similar to the following:

2025-05-16T07:15:45,735 ERROR (resourceSyncTaskExecutor-1) [;;;] com.vmware.horizon.pullengine.HealthCheckClient - Error while checking the health of horizon service
com.vmware.horizon.connector.exception.PullEngineException: Could not retrieve required object from Horizon

2025-05-16T07:24:40,582 ERROR (Thread-6) [XXXXXX-XXXXXX;configadmin@XXXXXXXX;xx.xx.xx.xx;] com.vmware.horizon.connector.rest.SyncConfigurationRestController - Failed to complete dry run.
com.vmware.horizon.client.rest.Exception.ApiException: User is not authorized.

2025-05-16T07:28:23,960 ERROR (pool-118-thread-1) [;;;] com.vmware.horizon.connector.admin.controller.DirectoryController - Could not add the Bind user - Could not bulk push Users, Groups. Received Response Code: 401 and Response body: {"errors":[

{"code":"unauthorized","message":"User is not authorized.","parameters":null}

Environment

VMware Identity Manager/vIDM 3.3.7

Cause

Issues with the connector configuration.

Resolution

  1. Take snapshots of all VMware Identity Manager/vIDM nodes.

  2. Try the steps from KB VMware Identity Manager Directory Sync fails with Error 'Response from connector: Failed to complete dry run'

  3. If step 2 doesn't work, review the connector config-state.json file on all the nodes in the VMware Identity Manager/vIDM instance. If there is evidence of config-state.json corruption, try the steps from KB HW-134096 - VMware Identity Manager Connector may fail to communicate due to config-state.json corruption

  4. Remove the connectors, leaving only the primary connector. Use the steps from the link below as reference: Deleting a VMware Identity Manager Connector Instance

  5. On the primary connector, recreate the primary connector, using the steps from KB Steps to re-create embedded connector in vIDM as reference.

    curl --location 'https://ID1:8443/hc/API/1.0/REST/connectormanagement/connector/activate/' \
    --header 'Authorization: HZN ID2' \
    --header 'Content-Type: application/vnd.vmware.horizon.manager.connector.management.activate.connector+json' \
    --header 'Accept: application/json' \
    --header 'Cookie: JSESSIONID=ID3; trutid=ID4' \
    --data '{
    "activationToken":"ID5",
    "adminPassword":"ID6",
    "gatewayHostname":"ID7"
    }'

    Parameters from the command:
    ID1: vIDM IP address
    ID2: HZN cookie or bearer token (browser developer tools -> Application -> Cookies -> HZN; copy the cookie value)
    ID3: JSESSIONID (browser developer tools -> Application)
    ID4: vIDM tenant ID (from vIDM)
    ID5: Connector activation token
    ID6: Default admin password
    ID7: vIDM hostname/load balancer FQDN
  6. Only on the primary connector, import the groups and try to sync them. If the group sync succeeds, finish adding the remaining connectors to the VMware Identity Manager instance.

Additional Information

Note:

  • Check the config-state.json file for all the directories in all the tenants. Corruption is confirmed if the file has a size of zero (i.e. the file is blank), or if the JSON has values set to null.

Null values are seen in config-state.json throughout.

{
"isConfigured" : false,
"version" : <some_number>,
"mol" : {
"isConfigured" : null,
"url" : null,
"tenantId" : null,
"clientId" : null,
"clientSecret" : null,
"metaData" : null,

Note: Even if the administrator has not configured anything in the default Tenant, you still need to check the default tenant for config-state.json corruption.


  • Even after fixing the connector configuration and making sure the config-state.json on the default node is also fixed, the directory sync/login is still failing.

The reason could be that the backup file used to fix the corrupted config-state.json does not contain the IDP information. This information is critical for the directory-to-connector mapping. To check, open the config-state.json for the connector that is associated with the directory:

    1. vim /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json
       e.g. vim /usr/local/horizon/conf/states/XXXXX-XX/1/config-state.json
    2. Check the "idp" section. If the content looks like this:

"idp" : {
"isConfigured" : false,
"host" : null,
"tenantId" : null,
"id" : null,
"name" : null,
"cert" : null,
"key" : null
}

then the IDP association is not present.
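The two checks described in this section (a blank or null-filled config-state.json, and an "idp" block with no association) can be automated across every tenant and worker directory. The script below is an added example written for this article, not a VMware tool; it assumes the /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json layout shown above and uses constructed sample files rather than real appliance data.

```python
import json
from pathlib import Path

# Fields the article shows as null when the "mol" block is corrupted.
MOL_KEYS = ("isConfigured", "url", "tenantId", "clientId", "clientSecret", "metaData")
# Fields the article shows as null when the IDP association is missing.
IDP_KEYS = ("host", "tenantId", "id", "name", "cert", "key")


def check_config_state(text: str) -> list:
    """Classify one config-state.json body; an empty list means no known corruption sign."""
    findings = []
    if not text.strip():
        # A size-zero / blank file is the first corruption indicator named in the article.
        return ["file is empty (size zero): config-state.json is corrupted"]
    try:
        state = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["file is not valid JSON: %s" % exc.msg]
    mol = state.get("mol") or {}
    null_mol = [k for k in MOL_KEYS if mol.get(k) is None]
    if null_mol:
        findings.append("mol section has null values: " + ", ".join(null_mol))
    idp = state.get("idp") or {}
    if not idp.get("isConfigured") and all(idp.get(k) is None for k in IDP_KEYS):
        # Matches the "idp" block in the article: isConfigured false and every field null.
        findings.append("idp section is empty: IDP association not present")
    return findings


def scan_states(root="/usr/local/horizon/conf/states") -> dict:
    """Walk <root>/<TENANT_NAME>/<WORKER_ID>/config-state.json and collect findings per file."""
    return {str(p): check_config_state(p.read_text())
            for p in Path(root).glob("*/*/config-state.json")}


# Constructed samples (placeholder values, not from a real appliance) covering the three cases.
HEALTHY = json.dumps({"isConfigured": True, "version": 1,
    "mol": {"isConfigured": True, "url": "https://vidm.example.invalid", "tenantId": "t1",
            "clientId": "c1", "clientSecret": "secret-placeholder", "metaData": "x"},
    "idp": {"isConfigured": True, "host": "vidm.example.invalid", "tenantId": "t1",
            "id": "idp1", "name": "WorkspaceIDP", "cert": "CERT", "key": "KEY"}})
CORRUPT_MOL = json.dumps({"isConfigured": False, "version": 1,
    "mol": {k: None for k in MOL_KEYS}, "idp": json.loads(HEALTHY)["idp"]})
NO_IDP = json.dumps({"isConfigured": True, "version": 1, "mol": json.loads(HEALTHY)["mol"],
    "idp": dict({"isConfigured": False}, **{k: None for k in IDP_KEYS})})

if __name__ == "__main__":
    for path, findings in scan_states().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it on each node, including the default tenant, since the article notes that an unconfigured default tenant can still carry a corrupted file.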