Unable to modify user attributes or Add vIDM connector in VMware Identity Manager (vIDM)
Article ID: 424525

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Attempts to add the vIDM connector under Identity Providers fail with the following error: ["error": "invalid_client", "error_description": "Client is not found." ]


  • Additionally, attempts to modify User Attributes, such as changing an attribute from Required to Optional in an Active Directory over LDAP directory configuration, also fail with the following error. This issue primarily affects clustered environments that use external connectors.

    Cannot update User Attributes. Connector communication failed with response: for the connector <Connector_FQDN>. If you have set up directories, you cannot make optional attributes as required.

Environment

VMware Identity Manager 3.3.7

Cause

The underlying cause is a corrupt or inconsistent config-state.json file on the service nodes.

In a clustered environment, changes made via the Identity Provider UI must be synchronized across the Configurator service (Tomcat) and the various connectors. If the config-state.json file becomes desynchronized or contains malformed data, the backend communication between the vIDM database and the connector service fails. This prevents the platform from validating that the attribute constraint change is safe to implement across the cluster.

Resolution

Before following the steps below:
  • Take a snapshot of the virtual Identity Manager Appliance(s).
  • If the UI will not load and you are receiving the /hc/error as shown in the screenshot above in the Introduction section, verify that the directory's Bind User and Password are correct.
    • If a service account is used in the configuration, its password may have expired.
    • Browse to https://vIDM_NODE_FQDN/SAAS/login/0
    • Test and Save the directory configuration once the password has been reset.
    • Skip ahead to step 8 below after receiving a successful Test and Save.
Note that if there are multiple directories in vIDM, there will be a directory for each <WORKER_ID> under the <TENANT_NAME> directory. In this case, check the config-state.json in every <WORKER_ID> directory and restore the latest stable version for any affected directory.
  1. SSH to the VMware Identity Manager Appliance(s) using root credentials. Change to the directory containing the config-state.json file by running the command:

cd /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>

For example: cd /usr/local/horizon/conf/states/VSPHERE.LOCAL/3001

  2. Stop the service before doing anything:

service horizon-workspace stop

  3. Back up the current configuration file by running the command:

mv config-state.json config-state.json.1

  4. Copy the application backup of the configuration file by running the command:

cp -p config-state.json.backup_<latest-stable-version> config-state.json

  5. Change the owner of config-state.json to the horizon user by running the command:

chown horizon:www /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json

  6. Change the permissions of the config-state.json file by running the command:

chmod 640 /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json

NOTE: If the config-state.json file does not get updated with directory information even after restoring from the older versions, recreate the affected directory from the UI. Go to Identity & Access Management > YOUR DIRECTORY, delete the directory and re-add it.

  7. Start the vIDM/Workspace service by running the command:

service horizon-workspace start

  8. Go to the directory settings and perform a save on each tab by navigating to Identity & Access Management > YOUR DIRECTORY > Sync Settings:

    1. Navigate to each of the tabs and click Save.
    2. If the "Groups" page refuses to save due to an error about the Bind DN, go back to the directory settings, enter the Bind DN password, validate and save. Then return to save the remaining tabs in Sync Settings.
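The following helper automates the restore steps above across every <WORKER_ID> under a tenant; it is an added example, not a VMware tool, and assumes python3 is available on the appliance and the /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID> layout from step 1. It treats a config-state.json that fails to parse as corrupt, picks the newest config-state.json.backup_* file that does parse, and applies the same mv, cp -p, chown horizon:www and chmod 640 sequence; stop horizon-workspace before running it and start it afterwards, as the procedure requires.

```python
"""Restore the newest parseable config-state.json backup per <WORKER_ID> (added example, not a VMware tool)."""
import json
import os
import shutil
import stat
from pathlib import Path

def is_valid_json(path: Path) -> bool:
    """Malformed data is one cause named in the KB; a parse check detects that case."""
    try:
        with path.open("rb") as fh:
            json.load(fh)
        return True
    except (OSError, ValueError):
        return False

def newest_valid_backup(worker_dir: Path):
    """Newest config-state.json.backup_* (by mtime, an assumption) that still parses."""
    backups = sorted(worker_dir.glob("config-state.json.backup_*"),
                     key=lambda p: p.stat().st_mtime, reverse=True)
    return next((b for b in backups if is_valid_json(b)), None)

def restore_worker(worker_dir: Path, force: bool = False,
                   owner: str = "horizon", group: str = "www") -> dict:
    """Apply the mv / cp -p / chown / chmod steps for one <WORKER_ID> directory.
    A parse check cannot see a logically inconsistent state, so force=True
    restores even when the live file parses, as the KB procedure does."""
    live = worker_dir / "config-state.json"
    result = {"worker": worker_dir.name, "action": "kept"}
    if not force and live.is_file() and is_valid_json(live):
        return result
    backup = newest_valid_backup(worker_dir)
    if backup is None:
        result["action"] = "no-valid-backup"      # leave the live file untouched
        return result
    if live.exists():
        shutil.move(str(live), str(worker_dir / "config-state.json.1"))  # mv ... .1
    shutil.copy2(backup, live)                                            # cp -p
    os.chmod(live, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)            # chmod 640
    try:
        shutil.chown(live, user=owner, group=group)                       # chown horizon:www
    except (LookupError, PermissionError):
        result["chown"] = "skipped"   # not root, or not on the appliance (no horizon user)
    result.update(action="restored", source=backup.name)
    return result

def restore_tenant(tenant_dir: Path, force: bool = False) -> list:
    """Run restore_worker over every <WORKER_ID> under a <TENANT_NAME> directory."""
    return [restore_worker(w, force) for w in sorted(tenant_dir.iterdir()) if w.is_dir()]
```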