VMware Identity Manager (vIDM) Scheduled Directory Sync Fails with False Safeguard Violation



Article ID: 438057


Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Administrators may experience intermittent failures during scheduled Active Directory (AD/LDAP) synchronizations in VMware Identity Manager (vIDM). The hourly scheduled sync fails and triggers a Directory Sync Safeguard violation.

Common error message found in /opt/vmware/horizon/workspace/logs/connector-dir-sync.log:

"You are attempting to remove [X]% of current users from an existing group, more than your current limit of 10%."


NOTE: Despite this error, running a manual sync (or temporarily raising the safeguard threshold) allows the sync to complete successfully while reporting that "0 Groups and 0 Users were affected." Nothing in the directory actually changed, which indicates that the automated sync is falsely detecting mass user removals. Raising the threshold also weakens the protection against a genuine mass removal, so restore the default value once the sync has completed.

Environment


  • Product: VMware Identity Manager (vIDM)

  • Version: 3.3.7.0 (Build 25163938)


Cause

The root cause of the false safeguard violation is a concurrency race condition that intermittently corrupts the LDAP data stream during scheduled synchronizations.

When the automated hourly sync executes on a background thread (e.g., Timer-4), concurrent thread interference can occur within the shared LdapContext. This brief collision corrupts the LDAP stream data being read by vIDM. Because of the corrupted read, vIDM concludes that the target AD group suddenly has zero members, even though no change has occurred on the LDAP endpoint.

Why the Safeguard Triggers: The Directory Sync Safeguard is functioning exactly as designed, albeit acting on bad input. Because the corrupted LDAP read returns 0 members, vIDM calculates that it needs to "remove" all existing users from the group. If the group is large (e.g., removing 1,387 users from a total user base of ~3,750), it equates to a high removal rate (e.g., 37%). This trips the default 10% safeguard limit, instantly suspending the sync to protect the environment from mass unentitlement.

Why Manual Syncs Succeed: Manual syncs are initiated by a user in the UI, which executes over a completely different thread pool (e.g., tomcat-http). This thread bypasses the background race condition, reads the LDAP data cleanly, and processes the sync without issue.
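The arithmetic behind the safeguard trip and a triage pass over the sync log, as an added Python example that is not part of the KB article or of the vIDM product. It computes the removal rate the way the article's example does (members dropped from the group divided by the total user base, so a zero-member read of a 1,387-member group in a ~3,750-user directory gives ~37%) and scans constructed connector-dir-sync.log lines for the safeguard message, tagging each violation by originating thread and noting whether a later manual sync on a tomcat-http thread reported "0 Groups and 0 Users were affected". The log line layout, the timestamps, the thread name tomcat-http--12 and the "Starting scheduled sync" / "Sync complete" wording are assumptions for the example; only the two quoted messages come from the article.

```python
import re
from dataclasses import dataclass

# Constructed sample of connector-dir-sync.log entries (assumed layout:
# timestamp, level, thread name in parentheses, message). Only the two
# quoted safeguard / "0 Groups and 0 Users" messages come from the article.
SAMPLE_LOG = """\
2024-03-04 09:00:01,214 INFO  (Timer-4) Starting scheduled sync for directory corp.example.com
2024-03-04 09:00:07,902 ERROR (Timer-4) You are attempting to remove 37% of current users from an existing group, more than your current limit of 10%.
2024-03-04 09:00:07,905 WARN  (Timer-4) Directory sync suspended: safeguard violation
2024-03-04 09:12:33,010 INFO  (tomcat-http--12) Manual sync requested from the admin console
2024-03-04 09:12:41,477 INFO  (tomcat-http--12) Sync complete: 0 Groups and 0 Users were affected
"""

SAFEGUARD_RE = re.compile(
    r"\((?P<thread>[^)]+)\).*attempting to remove (?P<pct>\d+(?:\.\d+)?)% of current users"
    r".*limit of (?P<limit>\d+(?:\.\d+)?)%"
)
NOOP_RE = re.compile(r"\((?P<thread>[^)]+)\).*0 Groups and 0 Users were affected")


def removal_percent(existing_members: int, members_read: int, total_users: int) -> float:
    """Removal rate the safeguard compares against its limit.

    Computed as in the article's example: members that would be dropped from
    the group divided by the total user base (1,387 of ~3,750 is ~37%).
    A corrupted read that returns 0 members makes every existing member a
    removal, so any group larger than 10% of the user base trips the limit.
    """
    if total_users <= 0:
        raise ValueError("total_users must be positive")
    removed = max(existing_members - members_read, 0)
    return 100.0 * removed / total_users


def safeguard_trips(existing_members: int, members_read: int,
                    total_users: int, limit_percent: float = 10.0) -> bool:
    """True when the computed removal rate exceeds the safeguard limit."""
    return removal_percent(existing_members, members_read, total_users) > limit_percent


@dataclass
class Violation:
    thread: str
    percent: float
    limit: float
    scheduled: bool                  # raised on a background Timer-* thread
    cleared_by_noop_manual_sync: bool = False


def triage(log_text: str) -> list[Violation]:
    """Collect safeguard violations and note whether a later manual sync
    (tomcat-http thread) finished without touching any group or user,
    which is the article's indicator that the violation was false."""
    violations: list[Violation] = []
    for line in log_text.splitlines():
        m = SAFEGUARD_RE.search(line)
        if m:
            thread = m["thread"]
            violations.append(Violation(
                thread=thread,
                percent=float(m["pct"]),
                limit=float(m["limit"]),
                scheduled=thread.startswith("Timer"),
            ))
            continue
        n = NOOP_RE.search(line)
        if n and violations and n["thread"].startswith("tomcat-http"):
            violations[-1].cleared_by_noop_manual_sync = True
    return violations


if __name__ == "__main__":
    rate = removal_percent(1387, 0, 3750)
    print(f"1,387 of 3,750 users read as removed: {rate:.1f}% -> trips: {safeguard_trips(1387, 0, 3750)}")
    for v in triage(SAMPLE_LOG):
        kind = "scheduled" if v.scheduled else "manual"
        verdict = "likely false (manual sync changed nothing)" if v.cleared_by_noop_manual_sync else "unconfirmed"
        print(f"{kind} sync on {v.thread}: {v.percent:g}% > {v.limit:g}% limit; {verdict}")
```

Run it against a real copy of connector-dir-sync.log after adjusting the regexes to the actual line layout; a violation raised on a Timer thread and followed by a manual sync that changed nothing matches the pattern this article describes, while a violation with no such follow-up, or one raised on a tomcat-http thread, should be treated as potentially genuine.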

Resolution

Use the following administrative actions to stabilize the environment:

Immediate Workaround (Manual Sync)

Because manual syncs run on a different, unaffected thread, perform a manual sync to clear the safeguard violation whenever the scheduled hourly sync gets suspended. The manual sync should report "0 Groups and 0 Users were affected"; if it instead reports real group or user changes, treat the violation as genuine and investigate the directory before raising any safeguard threshold.

  1. Navigate to the Identity & Access Management > Directories page in the vIDM admin console.

  2. Select the affected directory.

  3. Click Sync Now to initiate a manual synchronization.

  4. Acknowledge the dry-run to reset the database state safely.