Unable to assign role to ldap users in NSX-T for a configured ldap

Article ID: 327368

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You are using NSX-T 3.1 or 3.1.1.
  • LDAP is configured and connected:
[Screenshot: AD configured.png]
  • When you select 'User Role Assignment' and click 'ADD', a banner is presented saying 'Checking Authentication providers connection status..'; it remains and does not change:
[Screenshot: message when adding role.png]
  • The logs contain an entry such as the following, with a 500 return status:
    "GET /api/v1/trust-management/oidc-uris HTTP/1.1" 500 169 34 33

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

The problem occurs if an OIDC provider has been configured in NSX. One of the use cases in which an OIDC provider is configured is WCP.

Resolution

This is a known issue affecting VMware NSX-T Data Center 3.x.
Currently, there is no resolution.

Workaround:
You can use the REST APIs to assign role bindings.
To send REST API calls to the NSX Manager you can either use a client such as Postman or use curl; curl can be run from the root shell of the NSX Manager itself, which is why the examples below target 'https://localhost'.
Example of a curl GET run as root on the NSX Manager:
curl -k -u 'admin:<admin password>' -X GET 'https://localhost/api/v1/aaa/role-bindings'

First retrieve the list of current role bindings:
GET /api/v1/aaa/role-bindings

The following snippet from a sample result shows the admin user:
...
"results": [
        {
            "name": "admin",
            "type": "local_user",
            "user_id": "10000",
            "roles": [
                {
                    "role": "enterprise_admin",
                    "role_display_name": "Enterprise Admin"
                }
            ],
            "resource_type": "RoleBinding",
            "id": "27e25ab9-acd0-498d-b74f-84969db9cbd5",
            "display_name": "admin",
            "_system_owned": true,
            "_protection": "NOT_PROTECTED"
        },
...

Next check what roles are available to use for the new binding:
GET /policy/api/v1/aaa/roles

Then use the POST to add new role bindings:
POST /policy/api/v1/aaa/role-bindings

curl example of a POST adding a new LDAP group:
curl -X POST -k -u 'admin:<admin password>' -H "Content-Type: application/json" --data '@/tmp/new-ldap-group.txt' 'https://localhost/api/v1/aaa/role-bindings'

Here the file '/tmp/new-ldap-group.txt' contains the JSON body to be sent to the NSX Manager via REST, as shown below.

Sample body for adding a group:
{
    "name" : "[email protected]",
    "type" : "remote_group",
    "identity_source_type" : "LDAP",
    "identity_source_id" : "corp.local-ad",
    "roles" : [ {
      "role" : "auditor"
    }
    ]
}

Sample body for adding a user:
{
    "name" : "[email protected]",
    "type" : "remote_user",
    "identity_source_type" : "LDAP",
    "identity_source_id" : "corp.local-ad",
    "roles" : [ {
      "role" : "auditor"
    }
    ]
}

Note: The identity_source_id above is the ID of the LDAP identity source configured in NSX-T for the user or group you are adding.
You can get it with the following API:
GET /policy/api/v1/aaa/ldap-identity-sources

Look for the LDAP identity source you are using and note its ID for use in the POST API call above.

Then you can check that the bindings have been created successfully:
GET /policy/api/v1/aaa/role-bindings
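
The workaround above as a single script (an added example, not part of the KB article or VMware's own tooling): it resolves the LDAP identity source ID, refuses to create a duplicate binding, POSTs the same body shape as the samples, and re-reads the bindings to verify. The constructed sample responses, the group name 'nsx-auditors@corp.local' and the 'domain_name' field used for matching are assumptions; the KB only says to look for your LDAP source and note its ID.

```python
import base64
import functools
import json
import ssl
import urllib.request

# Constructed sample responses (not real NSX output) so the helpers can be exercised offline.
SAMPLE_SOURCES = {"results": [{"id": "corp.local-ad", "domain_name": "corp.local"}]}
SAMPLE_BINDINGS = {"results": [{"name": "admin", "type": "local_user", "roles": [{"role": "enterprise_admin"}]}]}

def build_role_binding(name, identity_source_id, roles, is_group):
    """Request body for POST /policy/api/v1/aaa/role-bindings, same shape as the KB's sample bodies."""
    return {"name": name, "type": "remote_group" if is_group else "remote_user",
            "identity_source_type": "LDAP", "identity_source_id": identity_source_id,
            "roles": [{"role": r} for r in roles]}

def find_identity_source_id(sources, domain_name):
    """Pick the id out of GET /policy/api/v1/aaa/ldap-identity-sources ('domain_name' is an assumed field)."""
    for src in sources.get("results", []):
        if src.get("domain_name") == domain_name:
            return src["id"]
    raise LookupError(f"no LDAP identity source for domain {domain_name!r}")

def existing_binding(bindings, name, binding_type):
    """Return a binding with the same name and type (None if absent) so a re-run creates no duplicate."""
    return next((b for b in bindings.get("results", [])
                 if b.get("name") == name and b.get("type") == binding_type), None)

def nsx_request(base_url, user, password, method, path, body=None, insecure=False):
    """Basic-auth JSON call to the NSX Manager; insecure=True mirrors the KB's 'curl -k' (localhost only)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, method=method, data=data,
                                 headers={"Authorization": "Basic " + token, "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if insecure: ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def assign_ldap_role(base_url, user, password, name, domain_name, roles, is_group, insecure=False):
    """The KB's workaround end to end: resolve the source id, skip if already bound, POST, then re-read."""
    call = functools.partial(nsx_request, base_url, user, password, insecure=insecure)
    src_id = find_identity_source_id(call("GET", "/policy/api/v1/aaa/ldap-identity-sources"), domain_name)
    body = build_role_binding(name, src_id, roles, is_group)
    if existing_binding(call("GET", "/policy/api/v1/aaa/role-bindings"), name, body["type"]):
        return None  # already present; nothing to do
    call("POST", "/policy/api/v1/aaa/role-bindings", body)
    return existing_binding(call("GET", "/policy/api/v1/aaa/role-bindings"), name, body["type"])
```

Run it from the NSX Manager as `assign_ldap_role("https://localhost", "admin", password, "nsx-auditors@corp.local", "corp.local", ["auditor"], True, insecure=True)`; the returned dict is the binding as NSX reports it back, or None if an identical name and type was already bound.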

For more details, check the API guide for your version. It is available from the NSX-T Manager: when logged in, select the Help icon at the top of the GUI:
[Screenshot: api guide access.png]
Then click the API Documentation link.
This opens a new tab; go to System Administration and look there for the APIs used above.

Additional Information

Impact/Risks:
Unable to assign a role to LDAP users or groups for access to NSX-T.