Incomplete User Synchronization in VCF SSO for Active Directory Groups

Article ID: 420156

Products

VMware SDDC Manager

Issue/Introduction

  • VCF SSO fails to display all users that are members of an AD group.

  • Although the AD groups are successfully added to the 'Group Provisioning' configuration, only a subset of the users from each group appear in the VCF SSO user list.

  • When triggering a "Sync on Request" operation from VCF Operations, the task completes successfully and reports that the groups were retrieved correctly; however, not all users are populated.

  • On vCenter Server (Embedded Identity Broker with Active Directory configured as an Identity Provider using AD/LDAP), the following log entries may be observed in /var/log/vmware/vc-ws1a-broker/usergroup-service.log:

    YYYY-MMM-DDThh:mm:ss INFO <VC-PNID>:usergroup (dirsynclib-Sync-Task-596) [;;;;] com.vmware.vidm.dirsynclib.sync.directory.modelaction.impl.GroupMembersAction -Retrieved 2 groups from AD. 2 groups to be synced after transformation
    YYYY-MMM-DDThh:mm:ss INFO <VC-PNID>:usergroup (dirsynclib-Sync-Task-596) [;;;;] com.vmware.vidm.dirsynclib.sync.directory.modelaction.impl.GroupMembersAction - Sync in batches: Starting to pull data from the AD with paged controls.
    YYYY-MMM-DDThh:mm:ss INFO <VC-PNID>:usergroup (dirsynclib-Sync-Task-596) [;;;;] com.vmware.vidm.dirsynclib.datastore.transformers.request.LdapGenericObjectRequestTransformer - Result ldap filter:(&(&(objectClass=user)(objectCategory=person))(|(memberOf=CN=VC- Users,CN=Users,DC=domain,DC=com)(memberOf=CN=VC-Admins,CN=Users,DC=domain,DC=com)))

  • Running a manual LDAP query, bound as the SSO bind account and using the same LDAP filter from the logs, returns the same incomplete set of users (the query succeeds; it simply omits the users the bind account cannot read):

ldapsearch -x -H "ldaps://<Domain-controller>:3269" -D "[email protected]" -W -b "DC=domain,DC=com" "(&(&(objectClass=user)(objectCategory=person))(|(memberOf=CN=VCUsers,CN=Users,DC=domain,DC=com)(memberOf=CN=VCAdmins,CN=Users,DC=domain,DC=com)))" userPrincipalName
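To pin down which members are missing, compare the users returned by the memberOf filter above with the `member` attribute of the synced group objects. The script below is an added example, not code from this article or from VMware: it rebuilds the filter that usergroup-service.log shows (with RFC 4515 escaping, so group names containing parentheses or asterisks do not break the filter), parses the LDIF output of two ldapsearch runs (one for users as the SSO bind account, one for the groups as an account that can read membership), and reports, per group, the member DNs the bind account did not get back. The embedded LDIF, the group names and the user names are constructed sample data; the hostnames and DNs are assumptions.

```python
"""Diagnose which AD group members are invisible to the VCF SSO bind account.

Added example (not from the KB article). Workflow it supports:
  users:  ldapsearch -x -H ldaps://<DC>:3269 -D <sso-bind-account> -W -b <base> \
              "<filter from usergroup-service.log>" userPrincipalName   > users.ldif
  groups: ldapsearch ... -D <account-with-full-read> ... "(objectClass=group)" member > groups.ldif
Members listed on the group that the user search did not return are the objects
the bind account lacks read access to (or that are not person objects, see note).
Standard library only.
"""
import base64
import re

# Constructed sample data: the bind account only sees two of the four members.
USERS_LDIF = """\
dn: CN=alice,CN=Users,DC=domain,DC=com
userPrincipalName: alice@domain.com

dn: CN=bob,CN=Users,DC=domain,DC=com
userPrincipalName: bob@domain.com
"""

GROUPS_LDIF = """\
dn: CN=VC-Users,CN=Users,DC=domain,DC=com
member: CN=alice,CN=Users,DC=domain,DC=com
member: CN=bob,CN=Users,DC=domain,DC=com
member: CN=carol,OU=Restricted,DC=domain,DC=com

dn: CN=VC-Admins,CN=Users,DC=domain,DC=com
member: CN=bob,CN=Users,DC=domain,DC=com
member: CN=dave,OU=Restricted,
 DC=domain,DC=com
"""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a DN (or any value) so it cannot alter the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_sync_filter(group_dns: list[str]) -> str:
    """Rebuild the filter VCF SSO logs: person objects that are direct members of any synced group."""
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(&(objectClass=user)(objectCategory=person))(|{clauses}))"


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: returns {dn: {attr: [values]}}.

    Handles folded continuation lines (leading single space) and base64
    values ('attr:: ...'); attribute names are lower-cased; comments and the
    'version:' header are ignored.
    """
    entries: dict[str, dict[str, list[str]]] = {}
    current = None
    unfolded = re.sub(r"\r?\n ", "", text)  # join continuation lines
    for line in unfolded.splitlines():
        if not line.strip():
            current = None  # blank line ends the entry
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is not None:
            current.setdefault(name, []).append(value)
    return entries


def _norm_dn(dn: str) -> str:
    """AD compares DNs case-insensitively; also drop whitespace after separators."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def find_unreadable_members(users_ldif: str, groups_ldif: str) -> dict[str, list[str]]:
    """Per group, the member DNs that the bind-account user search did not return."""
    visible = {_norm_dn(dn) for dn in parse_ldif(users_ldif)}
    missing: dict[str, list[str]] = {}
    for group_dn, attrs in parse_ldif(groups_ldif).items():
        gap = sorted(m for m in attrs.get("member", []) if _norm_dn(m) not in visible)
        if gap:
            missing[group_dn] = gap
    return missing


if __name__ == "__main__":
    synced = ["CN=VC-Users,CN=Users,DC=domain,DC=com", "CN=VC-Admins,CN=Users,DC=domain,DC=com"]
    print("filter:", build_sync_filter(synced))
    for group, members in find_unreadable_members(USERS_LDIF, GROUPS_LDIF).items():
        print(f"{group}: {len(members)} member(s) not returned to the bind account")
        for member in members:
            print("   ", member)
```

Two caveats when reading the output: a member DN that is itself a group (nested membership) or a foreignSecurityPrincipal will never match `(objectClass=user)(objectCategory=person)` and is expected to be absent, so exclude those before attributing a gap to permissions; and if the group query is run as the bind account rather than a fully privileged one, an unreadable `member` attribute would make the group side incomplete as well and hide the problem.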

Environment

VCF 9.x

Cause

The issue is caused by insufficient read permissions assigned to the bind user account configured for AD/LDAP synchronization in VCF SSO. Active Directory does not return an error for objects the caller is not allowed to read; it simply leaves them out of the search result. The sync task therefore completes successfully while the memberOf query returns only the subset of user objects the bind account can see, which is why the manual ldapsearch bound as the same account reproduces the gap.

Resolution

Use a bind user account with sufficient Active Directory privileges, that is, read access to every user object that is a member of the synced groups, so that VCF SSO can enumerate and retrieve all required AD users during synchronization.
Engage your Active Directory team to review and confirm that the bind user account used for the SSO configuration has the necessary permissions. To verify the fix, rerun the ldapsearch from the Issue section bound as the SSO account and confirm that the full group membership is returned before triggering another "Sync on Request".

Additional Information