AD/LDAP user login to the NSX UI is slow or fails
Article ID: 326174


Products

VMware NSX

Issue/Introduction

  • NSX uses a directly integrated LDAP identity source for RBAC role assignment.
  • The affected AD users are members of a large number of AD groups, either directly or through nesting.
  • Authentication with LDAP accounts on the NSX UI is slow or fails.
  • When login fails, the UI displays
    "This page isn't working" and "HTTP ERROR 503".
  • Authenticated LDAP users may also be automatically logged out after a few minutes.
  • The local admin user logs in normally.

Environment

VMware NSX 4.x
VMware NSX-T Data Center 3.x

Cause

Even though a user may be a direct member of only a small number of AD groups, group nesting can expand that membership to a very large number of groups. As part of the login process, NSX performs a full recursive lookup of nested groups. This lookup is expensive in time and results in a delayed login, or a failed login if the lookup exceeds the threshold.

Resolution

This issue is resolved in VMware NSX 4.2.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:
To avoid login issues due to AD nesting, Broadcom recommends the following configuration limits:

  • Maximum group nesting depth: 3.
  • Maximum number of groups a user belongs to (including nested groups): 50.

Alternatively, use vIDM as an Identity Source for NSX.
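To see why nesting matters and to check a user against the two limits above before they hit the NSX login path, the following added example (not part of this KB or of any NSX tooling) expands nested group membership the way a full recursive lookup would and reports the effective group count and nesting depth. The group map is constructed sample data; in practice you would build it from exported AD membership (memberOf) data. It assumes direct membership counts as nesting depth 0 and each nesting hop adds one.

```python
from collections import deque

# Constructed sample of AD group nesting: group -> groups it is itself a member of.
# In practice this map is built from the directory's memberOf data.
GROUP_PARENTS = {
    "nsx-admins": ["it-staff"],
    "it-staff": ["all-employees", "vpn-users"],
    "vpn-users": ["all-employees"],
    "all-employees": ["everyone"],
    "everyone": [],
    "contractors": ["everyone"],
}

# Broadcom's recommended limits from the workaround above.
MAX_NESTING_DEPTH = 3
MAX_TOTAL_GROUPS = 50


def expand_groups(direct_groups, parents=GROUP_PARENTS):
    """Expand nested memberships the way a full recursive lookup would.

    Returns (all_groups, max_nesting_depth). Assumption: direct groups are
    depth 0; a group reached through a chain of parents gets the chain length.
    The visited check stops on circular nesting, which AD permits.
    """
    depth = {}
    queue = deque()
    for g in direct_groups:
        depth[g] = 0
        queue.append(g)
    while queue:
        g = queue.popleft()
        for parent in parents.get(g, []):
            if parent not in depth:          # first (shortest) path wins
                depth[parent] = depth[g] + 1
                queue.append(parent)
    return set(depth), max(depth.values(), default=0)


def check_user(direct_groups, parents=GROUP_PARENTS):
    """Report whether a user's effective membership stays within the limits."""
    groups, max_depth = expand_groups(direct_groups, parents)
    return {
        "total_groups": len(groups),
        "max_depth": max_depth,
        "within_limits": max_depth <= MAX_NESTING_DEPTH
        and len(groups) <= MAX_TOTAL_GROUPS,
    }


if __name__ == "__main__":
    print(check_user(["nsx-admins"]))
```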

Additional Information

In NSX 4.2.1 and higher, NSX will only look up and expand groups that have been added to NSX, instead of all the groups the user belongs to.