AD over LDAP Directory synchronization fails after LDAP VIP FQDN name change due to stale FQDN references found in Kerberos section of the config-state.json

Article ID: 406219

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

After the LDAP Virtual IP (VIP) DNS name is changed from an older value (e.g., ldap-old.example.com) to a new value (e.g., ldap-new.example.com), Active Directory (AD) over LDAP directories in VMware Aria Suite Lifecycle keep connecting to the old FQDN on every synchronization attempt.

Even with a valid certificate configured for the new VIP, synchronization fails with TLS errors that reference the previous FQDN.

Symptoms

  • TLS handshake failures when attempting to synchronize the AD over LDAP directory.
  • connector.log messages report connection attempts to the old LDAP FQDN rather than the new one.
  • /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json contains Kerberos entries in certain sections that still reference the old FQDN.
  • Manually editing config-state.json to replace the old value with the new one does not persist the change.

Environment

VMware Identity Manager 3.3.7

Cause

When the LDAP VIP FQDN changes, the connector's config-state.json can keep the old FQDN in its Kerberos-related sections. This is seen in particular when the certificate for the old endpoint has expired, or when not every node behind the VIP was updated with the new certificate. Subsequent synchronization attempts still target the old FQDN, so the TLS handshake fails even though the new VIP presents a valid certificate. Because manual edits to config-state.json do not persist, the stale values have to be cleared by deleting and recreating the directory.

Resolution

Prerequisites

  • Document Existing Configuration:
    Before deletion, note or export current directory settings, including:

    • Directory Name

    • Base DN

    • Bind DN and Bind Password

    • Group and User Search Filters

    • Domain Name

    • SSL/TLS Settings

Procedure

  1. Delete the Existing Directory:

    • Navigate to:
      Identity and Tenant Management > Directory Management

    • Select the AD over LDAP directory and choose Delete

  2. Recreate the Directory:

    • Enter the new FQDN for the LDAP VIP (e.g., ldap-new.example.com)

    • Paste the PEM-formatted certificate for the new LDAP endpoint

    • Complete the directory setup wizard using the values recorded in the Prerequisites section.

  3. Verify Synchronization:

    • Initiate a manual sync to confirm the issue is resolved

    • Monitor connector.log to confirm that no references to the old FQDN remain and that the earlier TLS errors no longer appear.
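
As an added example that is not part of this KB, the following POSIX shell script checks a connector node for the stale FQDN: run it before deleting the directory to confirm the symptom, and again after the first manual sync in step 3 to confirm that config-state.json and connector.log are clean. The file paths are the KB's; the config-state.json and connector.log contents are constructed, and the JSON key names (kdcHost, realm) are assumptions, not the product's actual schema. The show_new_vip_cert function needs network access to the new VIP and is defined but not run.

```shell
#!/bin/sh
# Added example, not part of the KB article: audit a connector node for
# references to the retired LDAP VIP FQDN, both before recreating the
# directory (to confirm the symptom) and after the first manual sync (to
# confirm it is gone). File paths follow the KB; the JSON and log content
# below is constructed, and the JSON key names are assumptions rather than
# the real config-state.json schema.
set -u

OLD_FQDN="ldap-old.example.com"   # retired VIP name from the KB
NEW_FQDN="ldap-new.example.com"   # new VIP name from the KB

# Number of lines in file $1 that mention FQDN $2 (case-insensitive); 0 if none
# or if the file cannot be read.
count_refs() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -ic -- "$2" "$1" || true
}

# Print lines of config-state.json ($1) where the old FQDN ($2) appears on a
# Kerberos-related entry. Returns 1 if any were found, 0 if the file is clean.
stale_kerberos_refs() {
  grep -in -- "$2" "$1" | grep -iE 'kerberos|kdc|realm' && return 1
  return 0
}

# "stale" if config-state.json ($1) or connector.log ($2) still references the
# old FQDN, otherwise "clean"; gate the manual sync of step 3 on "clean".
node_status() {
  if [ "$(count_refs "$1" "$OLD_FQDN")" -gt 0 ] || [ "$(count_refs "$2" "$OLD_FQDN")" -gt 0 ]; then
    echo stale
  else
    echo clean
  fi
}

# Live check, not run by this script: show the certificate served on the new
# VIP so it can be compared with the PEM pasted into the wizard. Needs network
# access to the LDAPS port (636) of the new VIP.
show_new_vip_cert() {
  printf '' | openssl s_client -connect "$NEW_FQDN:636" -servername "$NEW_FQDN" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# --- constructed sample input (stands in for the real files on the node) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Stand-in for /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json
cat > "$TMP/config-state.json" <<'EOF'
{
  "directory": { "host": "ldap-new.example.com", "port": 636, "useSsl": true },
  "kerberos":  { "kdcHost": "ldap-old.example.com", "realm": "EXAMPLE.COM" }
}
EOF

# Stand-in for connector.log after a failed sync (constructed lines)
cat > "$TMP/connector.log" <<'EOF'
2024-05-01 10:00:01 INFO  DirectorySyncTask starting sync for "EXAMPLE.COM"
2024-05-01 10:00:02 ERROR LdapConnection TLS handshake failed to ldap-old.example.com:636
EOF

printf 'old FQDN refs in config-state.json: %s\n' "$(count_refs "$TMP/config-state.json" "$OLD_FQDN")"
printf 'old FQDN refs in connector.log:     %s\n' "$(count_refs "$TMP/connector.log" "$OLD_FQDN")"
stale_kerberos_refs "$TMP/config-state.json" "$OLD_FQDN" \
  || echo 'stale Kerberos entries above; recreate the directory rather than hand-editing'
echo "node status: $(node_status "$TMP/config-state.json" "$TMP/connector.log")"
```

Point the two functions at the real paths on each connector node behind the VIP; if any node still reports "stale" after the directory has been recreated and synced, that node did not pick up the new configuration and should be checked before the next sync is scheduled.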