Unable to assign role to ldap users in NSX-T for a configured ldap

Article ID: 327368

Products

VMware NSX

Issue/Introduction

  • LDAP is configured and connected.
  • When you select 'User Role Assignment' and click 'ADD', a banner appears saying 'Checking Authentication providers connection status..'; it remains and does not change.
  • The logs contain an entry such as the following, with a 500 return status:
    "GET /api/v1/trust-management/oidc-uris HTTP/1.1" 500 169 34 33



Environment

VMware NSX-T Data Center 3.1.x
LDAP configured in NSX

Cause

The problem occurs if an OIDC provider has been configured in NSX. One use case in which an OIDC provider is configured is WCP (Workload Control Plane).

Resolution

This issue is resolved in VMware NSX-T Data Center 3.1.2.0
This issue is resolved in VMware NSX-T Data Center 3.2.0

Workaround:
You can use the REST APIs to assign role bindings.
To send REST API calls to the NSX manager you can either use a client such as Postman or use curl; curl can be run from the root shell of the NSX manager.
Example of a curl GET run as root on the NSX manager:

curl -k -u 'admin:<admin password>' -X GET 'https://localhost/api/v1/aaa/role-bindings'


First retrieve the list of current role bindings: 

GET /api/v1/aaa/role-bindings


This sample snippet from the result shows the binding for the admin user:

...
"results": [
        {
            "name": "admin",
            "type": "local_user",
            "user_id": "10000",
            "roles": [
                {
                    "role": "enterprise_admin",
                    "role_display_name": "Enterprise Admin"
                }
            ],
            "resource_type": "RoleBinding",
            "id": "########-####-####-####-########cbd5",
            "display_name": "admin",
            "_system_owned": true,
            "_protection": "NOT_PROTECTED"
        },
...


Next check what roles are available to use for the new binding:

GET /policy/api/v1/aaa/roles


Then use a POST to add the new role binding:

POST /policy/api/v1/aaa/role-bindings


curl example of a POST adding a new LDAP group:

curl -X POST -k -u 'admin:<admin password>' -H "Content-Type: application/json" --data '@/tmp/new-ldap-group.txt' 'https://localhost/api/v1/aaa/role-bindings'


Here the file '/tmp/new-ldap-group.txt' contains the body sent to the NSX manager via REST, as shown below.

Here we have a sample body for adding groups:

{
    "name" : "Users@####.local",  
    "type" : "remote_group",
    "identity_source_type" : "LDAP",
    "identity_source_id" : "####.local-ad",
    "roles" : [ {
      "role" : "auditor"
    }
    ]
}


Here we have a sample body for adding users:

{
    "name" : "testuser@####.local",  
    "type" : "remote_user",
    "identity_source_type" : "LDAP",
    "identity_source_id" : "####.local-ad",
    "roles" : [ {
      "role" : "auditor"
    }
    ]
}


Note: The identity_source_id above is the ID of the LDAP identity source configured in NSX-T for the user or group you are adding.
You can retrieve it with the following API:

GET /policy/api/v1/aaa/ldap-identity-sources


Look for the LDAP source you are using and note its ID for use in the POST API call above.

Then verify that the bindings have been created:

GET /policy/api/v1/aaa/role-bindings

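The workaround above is a four-step sequence: list existing bindings, confirm the role exists, look up the LDAP identity source ID, then POST the binding and verify it. The following script is an added example (not code from the KB article or from VMware) that does the lookups and assembles the request body in one place, so the POST is only sent once the role name and identity_source_id have been checked against what the manager reports. The sample responses are constructed; the field names `id` and `domain_name` on ldap-identity-sources results and `role` on roles results are assumptions, as the article only shows the role-bindings response. The HTTP helper reads the admin password from the `NSX_PASSWORD` environment variable rather than the command line and verifies the manager's TLS certificate (the curl examples above use `-k` because they run against localhost).

```python
"""Added example: validate and build an NSX role-binding body for an LDAP principal.

Not part of the KB article. Response shapes for roles and ldap-identity-sources
are assumed; sample data below is constructed.
"""
import base64
import json
import os
import ssl
import urllib.request

ROLE_BINDINGS_PATH = "/policy/api/v1/aaa/role-bindings"
ROLES_PATH = "/policy/api/v1/aaa/roles"
LDAP_SOURCES_PATH = "/policy/api/v1/aaa/ldap-identity-sources"

# Constructed sample responses standing in for the three GET calls.
SAMPLE_ROLES = {"results": [{"role": "enterprise_admin"}, {"role": "auditor"},
                            {"role": "network_engineer"}]}
SAMPLE_LDAP_SOURCES = {"results": [{"id": "example.local-ad",          # assumed field names
                                    "domain_name": "example.local"}]}
SAMPLE_BINDINGS = {"results": [{"name": "admin", "type": "local_user",
                                "roles": [{"role": "enterprise_admin"}]}]}


def find_identity_source_id(ldap_sources, domain_name):
    """Return the id of the configured LDAP identity source for a domain."""
    for src in ldap_sources.get("results", []):
        if src.get("domain_name", "").lower() == domain_name.lower():
            return src["id"]
    raise LookupError(f"no LDAP identity source configured for {domain_name}")


def build_role_binding(principal, is_group, ldap_sources, roles, role="auditor"):
    """Assemble the POST body shown in the article after checking its inputs.

    The role must be one the manager reports, and the identity_source_id is
    taken from the configured LDAP source matching the principal's domain.
    """
    known_roles = {r["role"] for r in roles.get("results", [])}
    if role not in known_roles:
        raise ValueError(f"unknown role {role!r}; available: {sorted(known_roles)}")
    if "@" not in principal:
        raise ValueError("principal must be of the form name@domain")
    domain = principal.rsplit("@", 1)[1]
    return {
        "name": principal,
        "type": "remote_group" if is_group else "remote_user",
        "identity_source_type": "LDAP",
        "identity_source_id": find_identity_source_id(ldap_sources, domain),
        "roles": [{"role": role}],
    }


def binding_exists(bindings, principal):
    """True if a role binding for this principal is already present."""
    return any(b.get("name") == principal for b in bindings.get("results", []))


def nsx_request(manager, path, user, password, body=None, ca_file=None):
    """GET (or POST when body is given) against the manager with basic auth.

    TLS is verified with the default trust store, or with ca_file if given.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data,
                                 headers=headers, method="POST" if data else "GET")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def add_binding(manager, principal, is_group, role="auditor", ca_file=None):
    """Run the article's workaround end to end against a live manager."""
    user, password = "admin", os.environ["NSX_PASSWORD"]
    get = lambda p: nsx_request(manager, p, user, password, ca_file=ca_file)
    if binding_exists(get(ROLE_BINDINGS_PATH), principal):
        return None  # nothing to do; avoid a duplicate binding
    body = build_role_binding(principal, is_group, get(LDAP_SOURCES_PATH),
                              get(ROLES_PATH), role)
    nsx_request(manager, ROLE_BINDINGS_PATH, user, password, body, ca_file)
    return binding_exists(get(ROLE_BINDINGS_PATH), principal)


if __name__ == "__main__":
    # Offline demonstration with the constructed samples.
    print(json.dumps(build_role_binding("testuser@example.local", False,
                                        SAMPLE_LDAP_SOURCES, SAMPLE_ROLES), indent=2))
```

To run it against a manager, set `NSX_PASSWORD` and call `add_binding("nsx-mgr.example.local", "Users@example.local", True)`; it returns `None` when the binding already exists, otherwise `True` once the final GET shows the new binding. The `auditor` default keeps the grant read-only unless a broader role is deliberately requested.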

For more details, check the API guide for your version. It can be found in the NSX-T manager: when logged in, select the Help icon at the top of the GUI and click the API Documentation link.
This opens a new tab; there, go to System Administration and look for the APIs used above.

Additional Information

Impact/Risks:
Unable to assign LDAP roles for access to NSX-T.