One connector in a cluster of connectors in VMware Identity Manager attempts to delete all synchronized users while other connectors do not
search cancel

One connector in a cluster of connectors in VMware Identity Manager attempts to delete all synchronized users while other connectors do not

book

Article ID: 425722

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Directory Sync fails on a specific node while others operate normally.

  • Sync logs indicate an attempt to delete a significant number (or all) users/groups, triggering the vIDM Safeguard threshold.

  • Multiple UUID directories exist within the /usr/local/horizon/conf/states/VSPHERE.LOCAL/ path on a single appliance.

Environment

VMware Identity Manager 3.3.7

Cause

Configuration drift or a failed connector re-registration can result in a "Ghost Connector" on the filesystem. If the system initializes using a stale state directory that lacks search filters, it perceives the Active Directory response as "empty" and issues a mass-delete command to reconcile the database.

Resolution

1. Identify the Authoritative Connector UUID

The cluster database contains the source of truth for the valid Worker ID.

  1. SSH into one of the vIDM appliances

  2. Log into the PostgreSQL shell: psql -U horizon saas

  3. Execute the following query to identify the correct UUID for the affected node:

    SELECT * FROM saas."Connector";

    Note: Column names must be wrapped in double quotes to maintain case sensitivity.

2. Stop the Horizon Workspace Service

Stop the application service to ensure a clean transition and release file locks.

  1. SSH into the affected node as root.

  2. Run:

    service horizon-workspace stop

3. Isolate the Stale Configuration State

Align the appliance filesystem with the authoritative database identity.

  1. Navigate to the connector state directory:

    cd /usr/local/horizon/conf/states/VSPHERE.LOCAL/

  2. Identify the directory that does not match the UUID/ID retrieved from the database in Step 1.

  3. Move the stale directory to the /tmp location:

    # Example: If 4736 is authoritative and 3002 is stale
mv 3002 /tmp/3002_stale_backup

4. Restart the Horizon Workspace Service

Restart the service to force the node to initialize using the correct configuration state.

  1. Run:

    service horizon-workspace start

5. Verify Sync Stability

  1. Log into the vIDM Admin Console.

  2. Navigate to Identity & Access Management > Setup > Connectors.

  3. Ensure the Sync Connector is set to the remediated node.

  4. Perform a Sync Preview (Dry Run).

  5. Validation: Verify the "Users to be Deleted" count is accurate. If the safeguard is no longer triggered, the node is stabilized.

Powered by Wolken Software