NSX-T IDFW rules are not working as expected
Article ID: 324238
Updated On:
Products
VMware vDefend Firewall
Issue/Introduction
- On the NSX UI, the source VM is not populated in the effective members of the AD Group after an AD user logs onto the source VM.
- The AD user's Distinguished Name (dname) contains a special character.
- NSX Manager log
/var/log/proton/nsxapi.loghas the logon event but the user is not mapped to any group
2021-05-17T19:54:24.469Z INFO IDFW-Vertical1 UserToParentGroupsCache 5573 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Loading user from LDAP: CN=Doe\, John (VDI User),OU=example,DC=com2021-05-17T19:54:25.385Z INFO IDFW-Vertical1 IdfwEventProcessorImpl 5573 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1/1: no mapping to add, none of user's parent AD-group(s) are in any NSGroupEnvironment
VMware NSX-T Data Center 3.x
Cause
Active Directory requires that the following ten characters be escaped with the backslash "\" escape character if they appear in any of the individual components of a distinguished name:
This prevents the user being matched to the AD Group, in turn no translation occurs to map the login with the Grouping object and the IDFW rule will not be applied.
- Comma ,
- Backslash character \
- Pound sign (hash sign) #
- Plus sign +
- Less than symbol <
- Greater than symbol >
- Semicolon ;
- Double quote (quotation mark) "
- Equal sign =
- Leading or trailing spaces
This prevents the user being matched to the AD Group, in turn no translation occurs to map the login with the Grouping object and the IDFW rule will not be applied.
Resolution
This issue is resolved in NSX-T Data Center 3.1.3
Workaround:
If an upgrade is not possible, the only workaround is to create a new user that does not use the special characters in its dname or edit an existing users to remove those characters.
Feedback
Yes
No
Powered by
