LDAP users experience slow NSX-T UI logins

Article ID: 326174


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • All NSX-T versions.
  • NSX-T uses LDAP directly integrated for RBAC role assignment.
  • Users that are part of a large number of AD groups, either directly or through nesting, experience slow UI login.
  • Users may be able to log in but are logged out automatically after a few minutes.


Environment

VMware NSX-T Data Center

Cause

Even when a user is a direct member of only a small number of AD groups, AD group nesting can expand this to a large number of effective group memberships.
As part of the login process, NSX-T does a full recursive lookup of nested groups. This lookup is time-consuming and results in a delayed login.

Resolution

This is a known issue affecting NSX-T Data Center.

Workaround:
To avoid slow login issues due to AD nesting, VMware recommends the following configuration limits:
  • Maximum group nesting depth: 3.
  • Maximum number of groups a user belongs to (including nested groups): 50.
Alternatively, use vIDM as an Identity Source for NSX-T.
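
One way to check accounts against the two limits above before users hit the slow login, as an added example that is not VMware code: it expands nested memberships from a group-to-parent-groups map and tolerates circular nesting. Assumptions: the function names and sample group names are hypothetical, the map would in practice be built from an AD export of each group's memberOf values, and a directly assigned group counts as depth 1.

```python
from collections import deque

# Limits taken from the workaround above.
MAX_NESTING_DEPTH = 3
MAX_TOTAL_GROUPS = 50

# Constructed sample data: group -> groups it is a member of.
# "all-staff" nests back into "net-ops" to show that cycles terminate.
SAMPLE_MEMBER_OF = {
    "nsx-admins": ["net-ops"],
    "net-ops": ["infra"],
    "infra": ["all-staff"],
    "all-staff": ["net-ops"],
}


def expand_groups(direct_groups, member_of):
    """Return {group: depth} for every group reachable from direct_groups.

    Breadth-first, so depth is the number of expansion rounds needed to
    reach a group. The depth map doubles as the visited set, which keeps
    circular nesting from looping forever.
    """
    depth = {g: 1 for g in direct_groups}
    queue = deque(depth)
    while queue:
        group = queue.popleft()
        for parent in member_of.get(group, ()):
            if parent not in depth:
                depth[parent] = depth[group] + 1
                queue.append(parent)
    return depth


def audit_user(direct_groups, member_of):
    """Compare a user's effective memberships with the recommended limits."""
    depth = expand_groups(direct_groups, member_of)
    total = len(depth)
    deepest = max(depth.values(), default=0)
    return {
        "total_groups": total,
        "max_depth": deepest,
        "over_group_limit": total > MAX_TOTAL_GROUPS,
        "over_depth_limit": deepest > MAX_NESTING_DEPTH,
    }


if __name__ == "__main__":
    # One direct group, but four effective groups at nesting depth 4.
    print(audit_user(["nsx-admins"], SAMPLE_MEMBER_OF))
```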