Adding an LDAP group to VMware NSX 4.x for authentication fails with: "Error: Invalid LDAP user/group. (Error code: 71050)".

Article ID: 322587

Products

VMware NSX

Issue/Introduction

  • You are unable to add an AD group whose name is a prefix of another group's name.
  • You are adding a role for an LDAP user by referencing AD groups, and the operation fails with the error below, which is also seen in the manager log /var/log/proton/nsxapi.log:
"Error: Invalid LDAP user/group. (Error code: 71050)"
  • In NSX-T 3.2 versions, the same AD groups could be integrated successfully with NSX-T. After upgrading to 4.x, the same operation fails.
  • The AD group for which the operation fails has a name that is a prefix of another group's name.
    • Example:
      • You have the following AD groups: "pg-nsx-r" and "pg-nsx-ro".
      • You are able to add "pg-nsx-ro" successfully in NSX, but the operation for "pg-nsx-r" fails with the aforementioned error.
      • Here the name "pg-nsx-r" is a prefix of "pg-nsx-ro".



Environment

VMware NSX 4.x
VMware NSX-T Data Center

Cause

VMware NSX searches the AD server to validate that the group exists. In the affected versions this search uses "starts with" logic rather than "exact match", so a group whose name is a prefix of another group's name does not validate.
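As an added illustration (not VMware's own code), the following Python models the validation described above: the same constructed list of AD group entries is checked once with a "starts with" search and once with an exact match, and the filters are built in plain RFC 4515 syntax. The assumption, which the article does not state, is that the prefix search fails because it returns more than one candidate group.

```python
# Added example, not VMware code: models the group-existence check from the Cause
# section, contrasting a "starts with" (prefix) search with an exact match against
# a constructed in-memory copy of the AD groups used in the example above.

# Constructed sample entries: distinguishedName -> attributes.
DIRECTORY = {
    "CN=pg-nsx-r,OU=Groups,DC=example,DC=com": {"cn": "pg-nsx-r", "objectClass": ["group"]},
    "CN=pg-nsx-ro,OU=Groups,DC=example,DC=com": {"cn": "pg-nsx-ro", "objectClass": ["group"]},
    "CN=pg-nsx-users,OU=Groups,DC=example,DC=com": {"cn": "pg-nsx-users", "objectClass": ["group"]},
}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves in an assertion value, so a group
    name cannot itself smuggle a wildcard or parenthesis into the filter."""
    for raw, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(raw, esc)
    return value


def group_filter(name: str, exact: bool) -> str:
    """Build the LDAP filter; a trailing '*' makes the cn assertion a prefix match."""
    suffix = "" if exact else "*"
    return f"(&(objectClass=group)(cn={escape_filter_value(name)}{suffix}))"


def search_groups(directory: dict, name: str, exact: bool) -> list:
    """Evaluate the cn assertion of group_filter() against the directory
    (AD compares cn case-insensitively, so both sides are lower-cased)."""
    wanted = name.lower()
    hits = []
    for dn, attrs in directory.items():
        cn = attrs["cn"].lower()
        if "group" in attrs["objectClass"] and (cn == wanted if exact else cn.startswith(wanted)):
            hits.append(dn)
    return hits


def validate_group(directory: dict, name: str, exact: bool = True) -> tuple:
    """Return ("ok", [dn]) only when the name resolves to exactly one group.
    Assumption: with the prefix search, a name that is a prefix of another
    group's name yields several candidates, which is the failing case."""
    hits = search_groups(directory, name, exact)
    if len(hits) == 1:
        return "ok", hits
    return ("not-found" if not hits else "ambiguous"), hits
```

Running validate_group(DIRECTORY, "pg-nsx-r", exact=False) reproduces the failing case, while the same name with exact=True resolves to a single group.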

Resolution

This issue is resolved in VMware NSX 4.1.2.4 and 4.2.0, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.



Workaround

You can rename the group in AD so that its name is no longer a prefix of another group's name.

Additional Information