Unable to assign role to ldap users in NSX-T for a configured ldap
search cancel

Unable to assign role to ldap users in NSX-T for a configured ldap


Article ID: 327368


Updated On:


VMware NSX Networking


  • You are using NSX-T 3.1 or 3.1.1
  • LDAP is configured and connected:
AD configured.png
  • When you select 'User Role Assignment' and click 'ADD' there will be a banner presented saying: 'Checking Authentication providers connection status..', this remains and does not change:
message when adding role.png
  • logs entry such as with 500 return status:
    "GET /api/v1/trust-management/oidc-uris HTTP/1.1" 500 169 34 33


VMware NSX-T Data Center
VMware NSX-T Data Center 3.x


Problem occurs if an OIDC provider has been configured in NSX, One of the use cases where oidc provider is used is with wcp


This is a known issue affecting VMware NSX-T Data Center 3.x.
Currently, there is no resolution.

You can use REST API's to assign role bindings.
To send REST API to the NSX manager you can either use a client such as Chrome Postman or using Curl, Curl can be run from root.
Example of curl GET from NSX manager root:
curl -k -u 'admin:<admin password>' -X GET 'https://localhost/api/v1/aaa/role-bindings'

First retrieve the list of current role bindings: 
GET /api/v1/aaa/role-bindings

This snippet sample from a result below shows the admin user:
"results": [
            "name": "admin",
            "type": "local_user",
            "user_id": "10000",
            "roles": [
                    "role": "enterprise_admin",
                    "role_display_name": "Enterprise Admin"
            "resource_type": "RoleBinding",
            "id": "27e25ab9-acd0-498d-b74f-84969db9cbd5",
            "display_name": "admin",
            "_system_owned": true,
            "_protection": "NOT_PROTECTED"

Next check what roles are available to use for the new binding:
GET /policy/api/v1/aaa/roles

Then use the POST to add new role bindings:
POST /policy/api/v1/aaa/role-bindings

Curl example of a POST with new ldap group:
curl -X POST -k -u 'admin:<admin password>' -H "Content-Type: application/json" --data '@/tmp/new-ldap-group.txt' 'https://localhost/api/v1/aaa/role-bindings'

Where the file '/tmp/new-ldap-group.txt' will contain the body to be sent to the NSX manager via REST as below.

Here we have a sample body for adding groups:
    "name" : "[email protected]",  
    "type" : "remote_group",
    "identity_source_type" : "LDAP",
    "identity_source_id" : "corp.local-ad",
    "roles" : [ {
      "role" : "auditor"

Here we have a sample body for adding users:
    "name" : "[email protected]",  
    "type" : "remote_user",
    "identity_source_type" : "LDAP",
    "identity_source_id" : "corp.local-ad",
    "roles" : [ {
      "role" : "auditor"

Note: The identity_source_id above refers to the identity of the ldap configured in NSX-T for this user or group you are now adding.
You can get this by using the following API:
GET /policy/api/v1/aaa/ldap-identity-sources

Look for the ldap you are using then note and the ID of it for the POST API call above.

Then you can check if they have been successfully created:
GET /policy/api/v1/aaa/role-bindings

For more details please check the API guide for your version, this can be found in the NSX-T manager, when logged in select the Help icon on the top of the GUI:
api guide access.png
And click on the API Documentation link.
This will open a new tab, there go to System Administration and under there look for the API's we used above.

Additional Information

Unable to assign ldap role for access to NSX-T.