This is a known issue affecting VMware NSX-T Data Center 3.x.
Currently, there is no resolution.
Workaround:
You can use the REST APIs to assign role bindings.
To send REST API calls to the NSX Manager you can either use a client such as Postman, or use curl; curl can be run from the NSX Manager root shell.
Example of curl GET from NSX manager root:
curl -k -u 'admin:<admin password>' -X GET 'https://localhost/api/v1/aaa/role-bindings'
First retrieve the list of current role bindings:
GET /api/v1/aaa/role-bindings
This sample snippet of the result shows the admin user:
...
  "results": [
    {
      "name": "admin",
      "type": "local_user",
      "user_id": "10000",
      "roles": [
        {
          "role": "enterprise_admin",
          "role_display_name": "Enterprise Admin"
        }
      ],
      "resource_type": "RoleBinding",
      "id": "27e25ab9-acd0-498d-b74f-84969db9cbd5",
      "display_name": "admin",
      "_system_owned": true,
      "_protection": "NOT_PROTECTED"
    },
...
Next check what roles are available to use for the new binding:
GET /policy/api/v1/aaa/roles
Then use the POST to add new role bindings:
POST /policy/api/v1/aaa/role-bindings
curl example of a POST adding a new LDAP group:
curl -X POST -k -u 'admin:<admin password>' -H "Content-Type: application/json" --data '@/tmp/new-ldap-group.txt' 'https://localhost/api/v1/aaa/role-bindings'
Here the file '/tmp/new-ldap-group.txt' contains the body to be sent to the NSX Manager via REST, as below.
Sample body for adding a group:
{
  "name" : "[email protected]",
  "type" : "remote_group",
  "identity_source_type" : "LDAP",
  "identity_source_id" : "corp.local-ad",
  "roles" : [ {
    "role" : "auditor"
  } ]
}
Sample body for adding a user:
{
  "name" : "[email protected]",
  "type" : "remote_user",
  "identity_source_type" : "LDAP",
  "identity_source_id" : "corp.local-ad",
  "roles" : [ {
    "role" : "auditor"
  } ]
}
Note: The identity_source_id above refers to the ID of the LDAP identity source configured in NSX-T for the user or group you are adding.
You can get this by using the following API:
GET /policy/api/v1/aaa/ldap-identity-sources
Look for the LDAP identity source you are using and note its ID for the POST API call above.
Then you can check if they have been successfully created:
GET /policy/api/v1/aaa/role-bindings
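The workflow above (look up the LDAP identity source, build the role-binding body, POST it, then verify) as an added example script; this is not VMware's code. It assumes the identity-sources results carry "id" and "display_name" fields, uses placeholder credentials, and embeds constructed sample responses so the helper functions can be exercised without a manager.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample results, shaped like the GET output shown above (not captured from a real manager).
SAMPLE_IDENTITY_SOURCES = {"results": [
    {"id": "corp.local-ad", "display_name": "corp.local-ad", "domain_name": "corp.local"}]}
SAMPLE_ROLE_BINDINGS = {"results": [
    {"name": "admin", "type": "local_user", "roles": [{"role": "enterprise_admin"}]}]}

def find_identity_source_id(sources, name):
    """Return the id of the LDAP identity source whose id or display_name equals name, else None."""
    for src in sources.get("results", []):
        if name in (src.get("id"), src.get("display_name")):
            return src["id"]
    return None

def build_role_binding(name, binding_type, identity_source_id, role):
    """Build the POST /policy/api/v1/aaa/role-bindings body for a remote LDAP user or group."""
    if binding_type not in ("remote_user", "remote_group"):
        raise ValueError("binding_type must be remote_user or remote_group")
    return {"name": name, "type": binding_type, "identity_source_type": "LDAP",
            "identity_source_id": identity_source_id, "roles": [{"role": role}]}

def binding_exists(role_bindings, name, role):
    """True if GET role-bindings results contain `name` holding `role` (the post-POST check)."""
    return any(b.get("name") == name and any(r.get("role") == role for r in b.get("roles", []))
               for b in role_bindings.get("results", []))

def nsx_call(base_url, path, user, password, method="GET", body=None, verify_tls=True):
    """Send one basic-auth JSON request to the NSX Manager and return the decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    req.add_header("Content-Type", "application/json")
    # verify_tls=False mirrors the page's `curl -k` against localhost; keep it True anywhere else.
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")

if __name__ == "__main__":
    base, auth = "https://localhost", ("admin", "<admin password>")  # placeholders
    srcs = nsx_call(base, "/policy/api/v1/aaa/ldap-identity-sources", *auth, verify_tls=False)
    src_id = find_identity_source_id(srcs, "corp.local-ad")
    body = build_role_binding("nsx-auditors@corp.local", "remote_group", src_id, "auditor")
    nsx_call(base, "/policy/api/v1/aaa/role-bindings", *auth, method="POST", body=body, verify_tls=False)
    bindings = nsx_call(base, "/policy/api/v1/aaa/role-bindings", *auth, verify_tls=False)
    print("created:", binding_exists(bindings, "nsx-auditors@corp.local", "auditor"))
```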
For more details, check the API guide for your version. It can be found in the NSX-T Manager: when logged in, select the Help icon at the top of the GUI:
![api guide access.png](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512279150617)
And click on the API Documentation link.
This opens a new tab; there, go to System Administration and look for the APIs used above.