VIP Enterprise Gateway LDAP Sync does not add\create the users in the cloud

Article ID: 164499

Products

VIP Service

Issue/Introduction

The LDAP Synchronization Job does not add users to the cloud.

Resolution

The LDAP sync log will generally provide clues. If necessary, switch the LDAP sync service logging level to DEBUG, restart the service, and run an LDAP synchronization again. 

Possible causes:

  • The member object does not satisfy any of the VIP EG user store filter(s). To test the user, click the User Store tab in the VIP EG console, click the name of the user store connection, then click Edit next to the connection. If unsuccessful, repeat with all user stores and user store connections.
  • The change threshold is preventing the update. (See: What is the VIP LDAP Directory Synchronization Change Threshold). To force a 100% sync of all data, click the Run Once button. 
  • The User ID is already in use. 
  • The same user already exists in VIP with a different attribute. For example, attempting to add a single AD account as two different User IDs in VIP Manager. The sync will update the old User ID with the new one.
  • One of the User Stores is unable to connect to the server listed in the configuration. Check LDAP logs to verify. A User Store failing will ABORT the LDAP sync for all user stores with the error "Aborting Sync Operation".
  • The user belongs to a different LDAP sync cluster. To determine this, refer to the debug-level LDAP sync logs:
    • Search the file for the VIP User ID. VIP cloud data for each user is fetched and displayed in JSON format, so finding the user can be a little tricky. This example shows the VIP user ID (userId) and the VIP EG Cluster ID (the EG-... prefix of the attributeName):
      {"user":{"_id":"AD9A2BAE08481AF5","userId":"VIPUSER1","userStatus":"ACTIVE","userAttributes":[{"_id":"525088D9D2BEBDB4","attributeName":"_firstName","attributeValue":"VIP"},{"_id":"ABFCB4F7E2874269","attributeName":"_guid","attributeValue":"VIP_EMPSync"},{"_id":"F8762087D7B3F7D9","attributeName":"_lastName","attributeValue":"USER"},{"_id":"652FFD379AF87FD4","attributeName":"EG-8d18bb50-2dde-11eb-b3af-0f531c21e476:ldapUserstore-7468a2e0-2de4-11eb-96dc-f774dc3207b8","attributeValue":"GUID-e17dd466-c006-4dfc-a9e3-48c8b2acfa5e"}],"_version":12}}
    • If the VIP EG cluster ID does not match, the user is 'owned' by the VIP EG with that cluster ID. If the cluster ID is missing or matches this VIP EG's cluster name, there is no issue.
  • If the Add box is not selected, users will not be added during an LDAP Sync. Note: selecting it adds all members of your user store(s) on that VIP EG. Symantec recommends using the VIP Self-Service or MyVIP IdP portals, or other methods, for adding users to the cloud. Here's why:
    • New users are added as a user to the VIP cloud after a successful login.
    • Users who don't access VIP-protected resources won't consume a VIP license.
    • Users are deleted from the VIP cloud by the LDAP sync as they are removed from AD or are no longer a member of the user store. 
    • Users who do not match the user store filter cannot log in and won't be added to the VIP cloud.
    • Reduces the risk of your helpdesk adding a non-authorized user.
    • Allows end-users to manage their own VIP credential rather than tying up your helpdesk. 
    • VIP Self-Service or MyVIP portal can be added to your existing SSO solution as the IdP.
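The "different LDAP sync cluster" check above is easier to do across a whole debug log than by eyeballing one-line JSON records. The following Python script is an added example, not part of this article or the VIP Enterprise Gateway product: it pulls every cloud user record out of a DEBUG-level LDAP sync log, reads the userId and the EG-... cluster prefix from the user's attribute names, and reports whether each user is unclaimed, owned by this VIP EG, or owned by another cluster (and therefore left alone by this EG's sync). The timestamp/level prefix of the log lines is an assumption about the log layout; the first JSON record is the one quoted in the article, the other two are constructed with placeholder IDs.

```python
import json
from typing import Optional

# Cluster ID of the VIP EG whose debug log is being read. Assumption for this
# example: it is the cluster shown in the article's JSON record.
LOCAL_CLUSTER_ID = "EG-8d18bb50-2dde-11eb-b3af-0f531c21e476"

# Constructed sample DEBUG log (not a real VIP EG log). The "date time LEVEL"
# prefix is assumed; only the JSON object after it matters to the parser.
SAMPLE_LOG = """\
2024-01-01 10:00:00 DEBUG Starting sync for user store ldapUserstore-7468a2e0-2de4-11eb-96dc-f774dc3207b8
2024-01-01 10:00:01 DEBUG Cloud user data: {"user":{"_id":"AD9A2BAE08481AF5","userId":"VIPUSER1","userStatus":"ACTIVE","userAttributes":[{"_id":"525088D9D2BEBDB4","attributeName":"_firstName","attributeValue":"VIP"},{"_id":"ABFCB4F7E2874269","attributeName":"_guid","attributeValue":"VIP_EMPSync"},{"_id":"F8762087D7B3F7D9","attributeName":"_lastName","attributeValue":"USER"},{"_id":"652FFD379AF87FD4","attributeName":"EG-8d18bb50-2dde-11eb-b3af-0f531c21e476:ldapUserstore-7468a2e0-2de4-11eb-96dc-f774dc3207b8","attributeValue":"GUID-e17dd466-c006-4dfc-a9e3-48c8b2acfa5e"}],"_version":12}}
2024-01-01 10:00:02 DEBUG Cloud user data: {"user":{"_id":"PLACEHOLDER000002","userId":"VIPUSER2","userStatus":"ACTIVE","userAttributes":[{"_id":"PLACEHOLDERATTR01","attributeName":"EG-00000000-0000-0000-0000-000000000000:ldapUserstore-00000000-0000-0000-0000-000000000000","attributeValue":"GUID-placeholder"}],"_version":3}}
2024-01-01 10:00:03 DEBUG Cloud user data: {"user":{"_id":"PLACEHOLDER000003","userId":"VIPUSER3","userStatus":"ACTIVE","userAttributes":[{"_id":"PLACEHOLDERATTR02","attributeName":"_firstName","attributeValue":"Three"}],"_version":1}}
2024-01-01 10:00:04 DEBUG Sync finished
"""


def extract_json_object(line: str) -> Optional[dict]:
    """Return the first JSON object embedded in a log line, or None if there is none."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def cluster_id_of(user: dict) -> Optional[str]:
    """Cluster that owns the user: the 'EG-...' part of an attribute named
    '<clusterId>:<userStoreId>'. None when no VIP EG has claimed the user."""
    for attr in user.get("userAttributes", []):
        name = attr.get("attributeName", "")
        if name.startswith("EG-") and ":" in name:
            return name.split(":", 1)[0]
    return None


def parse_user_records(log_text: str) -> list:
    """Collect (userId, cloud _id, owning cluster) for every user record in the log."""
    records = []
    for line in log_text.splitlines():
        obj = extract_json_object(line)
        if not obj or "user" not in obj:
            continue
        user = obj["user"]
        records.append({
            "userId": user.get("userId"),
            "cloudId": user.get("_id"),
            "clusterId": cluster_id_of(user),
        })
    return records


def ownership_report(log_text: str, local_cluster_id: str) -> dict:
    """Map each VIP user ID to (status, clusterId). Per the article, a missing or
    matching cluster ID is not a problem; a different one means another VIP EG
    owns the user and this EG's sync will not add or update them."""
    report = {}
    for rec in parse_user_records(log_text):
        if rec["clusterId"] is None:
            report[rec["userId"]] = ("ok-unclaimed", None)
        elif rec["clusterId"] == local_cluster_id:
            report[rec["userId"]] = ("ok-local", rec["clusterId"])
        else:
            report[rec["userId"]] = ("foreign", rec["clusterId"])
    return report


if __name__ == "__main__":
    # Usage: replace SAMPLE_LOG with the contents of the real debug log file.
    for user_id, (status, cluster) in ownership_report(SAMPLE_LOG, LOCAL_CLUSTER_ID).items():
        print(f"{user_id:12} {status:12} {cluster or '-'}")
```

Only users reported as "foreign" match the cause described above; for those, the fix is on the VIP EG that owns the cluster ID shown, not on the one whose log you are reading.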