Users are successfully synchronized from OpenLDAP Identity Management (IdM) into VMware Workspace ONE Access (vIDM). However, group synchronization consistently fails. This occurs even though the directory integration is configured with the correct Base DN and group schema.
The connector log at /opt/vmware/horizon/workspace/logs/connector-dir-sync.log shows entries similar to the following:
<Timestamp> INFO : com.vmware.horizon.directory.ldap.dc.service.context.JNDIContextFetcher - LDAP Context env Json Values:
{ "java.naming.provider.url" : "ldap://IP:389", "java.naming.factory.initial" : "com.sun.jndi.ldap.LdapCtxFactory", "com.sun.jndi.ldap.connect.timeout" : "10000", "java.naming.security.principal" : "uid=username,cn=username,cn=username,dc=username,dc=username", "java.naming.security.authentication" : "simple", "java.naming.security.credentials" : "", "com.sun.jndi.ldap.read.timeout" : "600000", "java.naming.ldap.attributes.binary" : "gidnumber pae-IconData objectSid securityIdentifier" <<---------- }
VMware Identity Manager 3.3.7
Group synchronization fails because VMware Identity Manager does not retrieve the entryUUID attribute from the OpenLDAP IdM directory.
In OpenLDAP IdM, group objects rely on entryUUID as their unique identifier. VMware Identity Manager requires a single, consistent unique identifier attribute for all directory objects (users and groups) within a directory configuration. However:
As a result, user synchronization succeeds while group synchronization fails.
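As an added diagnostic that is not part of this article, the following shell script asks OpenLDAP explicitly for entryUUID on group entries and lists the groups that come back without one, which confirms whether the directory itself exposes the attribute the connector needs. LDAP_URL, BIND_DN, BASE_DN and the groupOfNames object class are assumptions to adjust for your directory.

```shell
#!/bin/sh
# Added diagnostic (not from the KB article). entryUUID is an operational
# attribute in OpenLDAP, so a search only returns it when it is requested
# explicitly; a group that still comes back without it cannot be matched
# by a connector that keys on entryUUID.

# Read LDIF (as produced by ldapsearch -LLL) on stdin and print the DN of
# every entry that carries no entryUUID value.
groups_missing_entryuuid() {
    awk '
        function flush() {
            if (dn != "" && !seen) print dn
            dn = ""; seen = 0
        }
        /^dn: /        { flush(); dn = substr($0, 5) }
        /^entryUUID: / { seen = 1 }
        /^$/           { flush() }
        END            { flush() }
    '
}

# Live check against the directory (LDAP_URL, BIND_DN and BASE_DN are
# assumed environment variables). Fetch all groups under the Base DN,
# request entryUUID by name, then report the ones that lack it.
check_directory() {
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W -b "$BASE_DN" \
        "(objectClass=groupOfNames)" dn entryUUID | groups_missing_entryuuid
}
```

An empty result from check_directory means every group returns an entryUUID and the problem lies in the connector's attribute mapping rather than in the directory.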