Unable to login to NSX Manager using LDAP authentication
Article ID: 322458
Products
VMware NSX
Issue/Introduction
Symptoms:
You have configured LDAP authentication for the NSX Managers.
You are unable to login to the NSX Managers using the LDAP accounts.
On 2 of the 3 NSX Managers, the file '/etc/iptables/nsx-saved-iptables.v4rules' may not exist.
If the file does exist, it does not contain the current IP address(es) of the LDAP servers.
For example, the LDAP server uses IP address 192.168.110.11, but this address is not visible in iptables; a different IP address is listed for LDAP. If using LDAPS, replace port 389 in the excerpt below with port 636:
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware NSX-T Data Center
VMware NSX
Cause
When an LDAP server is added to the NSX Manager, its name is resolved to an IP address, which is saved in the file '/etc/iptables/nsx-saved-iptables.v4rules'.
This file is used to build the NSX Manager's iptables rule base.
If, for example, on day 1 you add the LDAP server and DNS resolves it to 2 IP addresses, those 2 IP addresses are written to the '/etc/iptables/nsx-saved-iptables.v4rules' file.
Then on day 10, the LDAP server IP address is added to or changed (externally to NSX), so DNS now resolves the LDAP server to a different IP address or to additional IP addresses.
Where the LDAP server now has a different IP address, NSX no longer allows the connection, because iptables still permits only the old LDAP server IP address.
If you added more LDAP servers (more IP addresses), these extra addresses are also not allowed by iptables, as it is not aware of them.
The case where the file '/etc/iptables/nsx-saved-iptables.v4rules' is missing occurs when the DNS server is initially added: the file is saved only on the NSX Manager that receives the API call. On the other 2 Managers, the rules are retained only in the kernel and not in the file used to build the iptables rule base.
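The drift described above can be checked from the shell before touching any rules. The script below is an added example, not part of the article or of NSX: it extracts the addresses the saved rules file permits for tcp/389 and tcp/636 and reports which currently resolved LDAP server addresses are absent. The rule syntax (iptables-save lines with `-s`/`-d` and `--dport`) and the sample file contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not NSX code): compare the LDAP server addresses DNS returns
# now with the addresses permitted for LDAP (389) / LDAPS (636) in the saved
# iptables rules file that NSX Manager uses to build its rule base.
RULES_FILE="${RULES_FILE:-/etc/iptables/nsx-saved-iptables.v4rules}"

# Print every IPv4 address the rules file permits for tcp/389 or tcp/636.
# Assumes iptables-save syntax ("-s x.x.x.x/32" or "-d x.x.x.x/32" plus
# "--dport 389"); the exact format NSX writes is an assumption here.
ldap_ips_in_rules() {
    grep -E -- '--dport (389|636) ' "$1" 2>/dev/null \
      | grep -oE -- '(-s|-d) [0-9.]+' \
      | awk '{print $2}' | sort -u
}

# Usage: missing_ldap_ips RULES_FILE IP [IP...]
# Prints each supplied IP (e.g. from resolving the configured LDAP server
# names) that is absent from the rules file. Always returns 0.
missing_ldap_ips() {
    file="$1"; shift
    allowed="$(ldap_ips_in_rules "$file")"
    for ip in "$@"; do
        echo "$allowed" | grep -qxF "$ip" || echo "$ip"
    done
    return 0
}

# Demo on a constructed rules file: the day-1 entry for 192.168.110.10 is
# still present, but DNS now resolves the LDAP server to 192.168.110.11.
demo() {
    demo_file="$(mktemp)"
    cat > "$demo_file" <<'EOF'
*filter
-A OUTPUT -d 192.168.110.10/32 -p tcp -m tcp --dport 389 -j ACCEPT
-A OUTPUT -d 10.0.0.5/32 -p tcp -m tcp --dport 636 -j ACCEPT
COMMIT
EOF
    missing_ldap_ips "$demo_file" 192.168.110.11 10.0.0.5
    rm -f "$demo_file"
}
# On a real Manager, e.g.:
#   missing_ldap_ips "$RULES_FILE" $(getent hosts ldap.example.com | awk '{print $1}')
```

An empty result means every resolved address is already permitted; any address printed is one iptables will block until the LDAP(S) configuration is re-added or the rules are updated.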
Resolution
This issue is resolved in NSX 4.1.2.
Workaround: You can remove the LDAP(S) configuration and add it again, so that DNS is queried afresh and the correct, current IP addresses for all LDAP(S) servers are found. If you are unable to remove the LDAP(S) configuration, use the following procedure. As root on each NSX Manager, one Manager at a time:
Confirm whether the file '/etc/iptables/nsx-saved-iptables.v4rules' exists. If it does not exist, do the following:
Note: <LDAP-SERVER-IP-CIDR> is the IP address of each LDAP server. You can either add the subnet that contains the LDAP servers or add each LDAP server individually.
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment. Note: If using LDAPS, replace port 389 above with port 636.