Attempt to login Grafana web UI hit "User sync failed" error
Article ID: 424433

Updated On:

Products

VMware Tanzu Application Service

Issue/Introduction

LDAP method is enabled for Grafana Authentication on the Healthwatch for VMware Tanzu tile Settings page. 

When attempting to log in to the Grafana web UI, a user might hit the "User sync failed" error even though the correct LDAP credentials are entered (as shown in the image below).

The following error logs might be found in the /var/vcap/sys/log/grafana/grafana.log file on the grafana instance of the Healthwatch deployment.

logger=ldap t=2026-01-06T05:50:02.235934805Z level=info msg="Searching for user's groups" filter="(&(objectClass=posixGroup)(memberUid=userb))"
logger=user.sync t=2026-01-06T05:50:02.247889764Z level=error msg="Failed to create user" error="user already exists" auth_module=ldap auth_id="cn=userb,ou=Users,dc=net"
logger=authn.service t=2026-01-06T05:50:02.248163659Z level=warn msg="Failed to run post auth hook" client=auth.client.form id= error="[user.sync.internal] unable to create user"

## OR ##

logger=ldap t=2026-01-07T03:13:06.875873776Z level=info msg="Searching for user's groups" filter="(&(objectClass=posixGroup)(memberUid=userb))"
logger=user.sync t=2026-01-07T03:13:06.883165674Z level=error msg="Failed to create user" error="[user.empty-username-and-email] user cannot be created with empty username and email" auth_module=ldap auth_id="cn=userb,ou=Users,dc=net"
logger=authn.service t=2026-01-07T03:13:06.883751651Z level=error msg="Failed to run post auth hook" client=auth.client.form id= error="[user.sync.internal] unable to create user: [user.empty-username-and-email] user cannot be created with empty username and email"

Environment

  • Healthwatch for VMware Tanzu

Cause

When configuring the LDAP method for Grafana Authentication, some attributes usually need to be set in the Server attributes box as stated in the documentation. The following image shows an example.

The username and email attributes are used to map the corresponding properties in the response data from the LDAP server, and Grafana creates its internal user from those values. If the username and email attributes are not set properly in the Server attributes box, the mapped values come back empty, and the "User sync failed" login error occurs.

Another possible scenario is that the response data from the LDAP server about the user does not include the properties needed to populate username and email.

Resolution

  • Examine the content of the Server attributes box and make sure the username and email attributes are configured correctly.
  • Check the attributes of the login user on the LDAP server side and make sure the proper attributes (e.g. "cn" and "mail") are returned. The ldapsearch tool can be used to check the response data from the LDAP server for a specific user. For example:

     $ ldapsearch -H 'ldap://<LDAP server FQDN or IP>' -D '<bind dn>' -w '<bind dn password>' -b '<base dn>' 'uid=usera'

     This KB article is also a reference on using the ldapsearch tool.
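A quick way to pre-check the second resolution step, as an added example that is not part of this article: a POSIX shell function that scans the LDIF an ldapsearch query returns and confirms that the attributes Grafana maps to username and email actually carry values. The attribute names cn and mail are assumed from the article's example, and the LDIF entries are constructed samples rather than output from a real server.

```shell
#!/bin/sh
# Verify that an LDAP entry (LDIF as printed by ldapsearch) has non-empty values
# for the attributes Grafana maps to username and email. Empty values here are
# exactly what produces the "user cannot be created with empty username and email"
# error in grafana.log. Attribute names cn/mail are assumed from the article.

# Constructed sample LDIF standing in for the output of:
#   ldapsearch -LLL -H 'ldap://<host>' -D '<bind dn>' -w '<pw>' -b '<base dn>' 'uid=usera'
SAMPLE_OK='dn: cn=usera,ou=Users,dc=net
objectClass: inetOrgPerson
cn: usera
uid: usera
mail: usera@example.net
'
# Constructed entry with no mail attribute: Grafana would see an empty email.
SAMPLE_MISSING='dn: cn=userb,ou=Users,dc=net
objectClass: inetOrgPerson
cn: userb
uid: userb
'

# ldif_attr LDIF ATTR -> prints the first non-empty value of ATTR (case-insensitive
# attribute match); exits 1 if the attribute is absent or empty.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" '
        tolower($0) ~ ("^" tolower(a) ":") {
            v = $0; sub(/^[^:]*::? */, "", v)
            if (v != "") { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# check_grafana_mapping LDIF USERNAME_ATTR EMAIL_ATTR
# Exit 0 and print both values when the mapping would succeed; otherwise report
# which mapped attribute is missing and exit 1.
check_grafana_mapping() {
    ldif="$1"; uattr="$2"; eattr="$3"; rc=0
    if ! u=$(ldif_attr "$ldif" "$uattr"); then
        echo "username attribute '$uattr' missing or empty" >&2; rc=1
    fi
    if ! e=$(ldif_attr "$ldif" "$eattr"); then
        echo "email attribute '$eattr' missing or empty" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: username=$u email=$e"
    return "$rc"
}

check_grafana_mapping "$SAMPLE_OK" cn mail            # ok: username=usera email=usera@example.net
check_grafana_mapping "$SAMPLE_MISSING" cn mail || true   # reports mail missing
```

Pipe real ldapsearch output into the same check by replacing the constructed samples with `"$(ldapsearch -LLL ... 'uid=usera')"`.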