When attempting to integrate VMware Identity Manager (vIDM/Workspace ONE Access) with a Radiant Logic Virtual Directory Service (VDS) as an LDAP directory, administrators may encounter difficulties in synchronizing both users and groups simultaneously.
While the connection to the VDS can be established and saved successfully, the directory synchronization configuration fails to retrieve both types of objects at the same time and shows a connector error.
The primary symptom is an error message stating: "Response from Connector: Could not retrieve mapped groups from active directory," indicating a failure specifically during group retrieval. Initial attempts to synchronize may only succeed for either users or groups, but not both.
Environment
VMware Identity Manager 3.3.x
Cause
The issue stems from multiple misconfigurations in the directory synchronization settings within VMware Identity Manager, preventing it from correctly mapping and retrieving user and group information from the Radiant Logic VDS.
Missing entryDN Attribute: The entryDN attribute, critical for uniquely identifying directory entries, was not natively exposed or returned by the Radiant Logic VDS for queries.
Incorrect User Identification Attribute: Some user entries in the VDS lacked the standard mail attribute and instead carried the address in a different, non-standard attribute like 'mail', so user synchronization was incomplete when mail was expected.
Incorrect Group Membership Attribute Mapping: The attribute configured in vIDM to identify group members (e.g., geUID#####) held user IDs (UIDs) rather than full user distinguished names (DNs), while another attribute that did contain user DNs was not being used for membership mapping. This mismatch prevented vIDM from resolving group memberships correctly.
Bind User Permissions (Potential): An initial concern was raised regarding whether the bind user had sufficient read access to all necessary attributes, although this was later found to be less central than the attribute mappings.
Resolution
To resolve the synchronization issues and enable successful retrieval of both users and groups from Radiant Logic VDS, adjust the attribute mappings and filters within the VMware Identity Manager directory configuration as follows:
Update User Directory Search Attribute:
Navigate to the directory configuration in VMware Identity Manager.
Change the "directory search attribute for users" from mail (or a similar standard attribute) to the attribute your Radiant Logic VDS actually uses for user email addresses ("mail"). This ensures all users are correctly identified and synchronized, including those without a standard mail attribute.
Update ObjectUuid Attribute Mapping:
Modify the ObjectUuid attribute mapping within vIDM.
If entryDN is not natively returned by your Radiant Logic VDS, update the mapping to an attribute that provides a unique identifier for directory objects, such as actualdn (or configure Radiant Logic VDS to expose entryDN if possible, and then map to entryDN).
User Member Attribute: Ensure this attribute (which lists members within a group object) is configured to correctly reference user DNs. For instance, if your VDS uses uniquemember to store full user DNs for group members, configure vIDM to use uniquemember for the User Member Attribute.
Group Membership Attribute: Similarly, ensure this attribute (which lists the groups a user belongs to) is also correctly configured based on how your VDS stores this information.
Review Group Filter (if necessary):
If groups are still not fully synchronizing, review the "Group Filter" in your vIDM directory configuration.
Consider broadening a potentially restrictive filter (e.g., cn=) to a more general one like (objectClass=groupOfUniqueNames) or (cn=*) if your environment uses different object classes or a broader search is required.
Confirm Bind User Permissions:
Verify that the bind user configured for the LDAP connection has sufficient read access to all necessary attributes (e.g., uid, mail, cn, member, uniquemember, entryDN, 'mail####') on both user and group objects within the Radiant Logic VDS. This can be verified with an ldapsearch command from an external client using the bind user's credentials: if an attribute never appears in the returned entries, either the bind user cannot read it or the VDS does not expose it.
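The ldapsearch check can be taken one step further. The script below is an added example, not part of this article or of VMware's or Radiant Logic's tooling: it parses ldapsearch LDIF output and flags the three mapping problems listed under Cause (entries with no entryDN, users without the search attribute, and group member values that are UIDs rather than DNs). The attribute and object class names are parameters with assumed defaults (inetOrgPerson, groupOfUniqueNames, uniqueMember, entryDN, mail), and the sample LDIF is constructed.

```python
import re
# Matches an LDAP DN such as "uid=jdoe,ou=people,dc=example,dc=com"
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$")

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join a folded continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        name, _, value = line.partition(":")
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#") and not value.startswith(":"):  # skip comments/base64
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def check_mappings(entries, user_oc="inetorgperson", group_oc="groupofuniquenames",
                   uuid_attr="entrydn", mail_attr="mail", member_attr="uniquemember"):
    """Report entries that would break the vIDM mappings described in Cause."""
    findings = []
    for e in entries:
        dn, ocs = e.get("dn", ["?"])[0], {v.lower() for v in e.get("objectclass", [])}
        if uuid_attr not in e:
            findings.append(f"{dn}: no {uuid_attr} (ObjectUuid mapping would be empty)")
        if user_oc in ocs and mail_attr not in e:
            findings.append(f"{dn}: user lacks {mail_attr} (directory search attribute)")
        if group_oc in ocs:
            bad = [m for m in e.get(member_attr, []) if not DN_RE.match(m)]
            if bad:
                findings.append(f"{dn}: {member_attr} holds non-DN values {bad} (UIDs?)")
    return findings

# Constructed sample in the shape ldapsearch prints; not real Radiant Logic data.
SAMPLE_LDIF = """\
dn: uid=bob,ou=people,o=vds
objectClass: inetOrgPerson
entryDN: uid=bob,ou=people,o=vds

dn: cn=admins,ou=groups,o=vds
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=people,
 o=vds
uniqueMember: carol
"""
```

To check a real directory, replace SAMPLE_LDIF with the text of an ldapsearch run made with the bind user's credentials and print the result of check_mappings(parse_ldif(...)); an empty list means the mapped attributes are present and group members are full DNs.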