Unable to login to NSX Manager using LDAP authentication
search cancel

Unable to login to NSX Manager using LDAP authentication

book

Article ID: 322458

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • You have configured LDAP authentication for the NSX Managers.
  • You are unable to login to the NSX Managers using the LDAP accounts.
  • On 2 of the 3 NSX Manager, the file '/etc/iptables/nsx-saved-iptables.v4rules' may not exist.
  • If the file does exist, on checking the file we do not see the current IP address(es) used for the LDAP servers.
  • For example, the LDAP server uses IP address 192.168.110.11, but this is not visible in iptables, we see a different IP address for LDAP, if using LDAPS, replace below port 389 with port 636:
-A OUTPUT -d 192.168.110.10/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
-A OUTPUT -d 192.168.110.10/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX-T Data Center

VMware NSX

Cause

  • When an LDAP server is added to the NSX Manager, this is converted to an IP address and saved in a file called '/etc/iptables/nsx-saved-iptables.v4rules'.
  • This file is used to build the NSX Managers IPTABLES rule base.
  • If for example on day 1, when you add the LDAP server and DNS resolves it to 2 IP addresses, these 2 IP addresses would be added to the '/etc/iptables/nsx-saved-iptables.v4rules' file.
  • Then on day 10, you add or changed the LDAP server IP address (external to NSX), therefore DNS now resolves the LDAP server to a different IP address or has more IP addresses.
  • In the situation where the LDAP server now has a different IP address, this will now not be allowed by NSX, as IPTABLES uses a different IP address for the LDAP server.
  • If you added more LDAP servers (more IP addresses), these extra addresses will not be allowed by IP tables, as it is not aware of them.
  • In the case where the file '/etc/iptables/nsx-saved-iptables.v4rules' is missing, this occurs when the DNS server is initially added, the file is only saved on the NSX Manager that receives the API call. For the other 2 Managers, it is only retained in the kernel and not the file used to build IPTABLES rule base.

Resolution

This issue is resolved in NSX 4.1.2.

Workaround:
You can remove the LDAP(S) configuration and re-add it again, so that in this instance, DNS will rescan and find the correct and current IP addresses for all LDAP(S) server.
If you are unable to remove LDAP(S), you can use the following procedure.
As root on each NSX Manager, do the following one Manager at a time:

  • Confirm if the file '/etc/iptables/nsx-saved-iptables.v4rules' exists, if it does not exist do the following:
    • iptables-save > /etc/iptables/nsx-saved-iptables.v4rules
  • Then continue with the following:
    • vi /etc/iptables/nsx-saved-iptables.v4rules
  • Add the following two rules at the end of the file, but before the COMMIT line:
    • -A OUTPUT -d <LDAP-SERVER-IP-CIDR> -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
    • -A OUTPUT -d <LDAP-SERVER-IP-CIDR> -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
  • Save and quit from the file.
  • Note: <LDAP-SERVER-IP-CIDR> is the IP address for each LDAP server. You can either add the subnet for the LDAP servers or each LDAP server needs to be added.
  • Example for individual LDAP server:
    • -A OUTPUT -d 192.168.110.10/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
    • -A OUTPUT -d 192.168.110.10/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
    • -A OUTPUT -d 192.168.110.11/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
    • -A OUTPUT -d 192.168.110.11/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
  • And below is a sample for a subnet:
    • -A OUTPUT -d 10.0.0.0/8 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
    • -A OUTPUT -d 10.0.0.0/8 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
  • Run
    • service set-iptables restart
  • To confirm the new rules have been loaded:
    • iptables -L -n | grep 389

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Note: If using LDAPS please replace port 389 above with port 636.