<Date>T<Time>Z ERROR http-nio-127.0.0.1-7440-exec-19680 AdLdapFetcher 4749 INVENTORY [nsx@6876 comp="nsx-manager" errorCode="MP38032" level="ERROR" reqId="<id>" subcomp="manager" username="admin"] AD domain exceeds maximum(=500) org units
VMware NSX 4.x
The UI imposes a maximum of 500 OUs to limit the time spent fetching the entire OU tree.
This is expected behaviour in the UI.
It is possible to use the NSX Policy API to configure the domain with selected OUs instead.
Use the selected_org_units field, under selective_sync_settings, to specify the required OUs.
For example:
PUT https://<nsx-mgr>/policy/api/v1/infra/firewall-identity-stores/idstore-1
{
    "name": "<>",
    "base_distinguished_name": "DC=<>,DC=com",
    "netbios_name": "<>",
    "description": "Active directory domain",
    "display_name": "<>",
    "ldap_servers": [
        {
            "username": "<username>",
            "password": "<password>",
            "display_name": "nimbus ldap",
            "host": "<IP>",
            "thumbprint": "<thumbprint>",
            "port": 389,
            "protocol": "LDAP"
        }
    ],
    "selective_sync_settings": {
        "enabled": true,
        "selected_org_units": [
            "OU=<>,OU=<>,DC=<>,DC=com",
            "OU=<>,OU=<>,DC=<>,DC=com"
        ]
    },
    "sync_settings": {
        "delta_sync_interval": 100
    }
}
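One way to pre-check the OU list before sending the PUT above, as an added example that is not part of the original article or VMware's code: it keeps only OU DNs that fall under base_distinguished_name, drops entries that repeat an earlier one in different case or spacing, and builds the selective_sync_settings fragment. The function names, the rejection rules and the example.com sample values are assumptions.

```python
def split_dn(dn):
    """Split a DN into normalised RDNs; a backslash-escaped comma does not split."""
    rdns, escaped = [""], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("")
        else:
            rdns[-1] += ch
        escaped = ch == "\\" and not escaped
    out = []
    for rdn in rdns:
        attr, sep, value = (part.strip() for part in rdn.partition("="))
        if not (attr and sep and value):
            raise ValueError(f"malformed DN: {dn!r}")
        out.append(f"{attr}={value}".lower())
    return out

def selective_sync_body(base_dn, candidate_ous):
    """Hypothetical helper: return (body fragment, [(rejected OU, reason), ...])."""
    base = split_dn(base_dn)
    selected, rejected, seen = [], [], set()
    for ou in candidate_ous:
        rdns = split_dn(ou)  # raises ValueError on a malformed DN
        if not rdns[0].startswith("ou="):
            reason = "not an OU"
        elif len(rdns) <= len(base) or rdns[-len(base):] != base:
            reason = "outside base_distinguished_name"
        elif tuple(rdns) in seen:
            reason = "duplicate"
        else:
            seen.add(tuple(rdns))
            selected.append(ou)
            continue
        rejected.append((ou, reason))
    settings = {"enabled": True, "selected_org_units": selected}
    return {"selective_sync_settings": settings}, rejected

# Constructed sample input: example.com and the OU names are placeholders.
BASE_DN = "DC=example,DC=com"
CANDIDATES = [
    "OU=Engineering,OU=Staff,DC=example,DC=com",
    "ou=engineering, ou=staff, dc=example, dc=com",  # same OU, other spelling
    "OU=Sales\\, EMEA,OU=Staff,DC=example,DC=com",   # escaped comma in name
    "OU=Lab,DC=other,DC=com",                        # different domain
    "CN=Users,DC=example,DC=com",                    # container, not an OU
]

if __name__ == "__main__":
    body, rejected = selective_sync_body(BASE_DN, CANDIDATES)
    print(body, *rejected, sep="\n")
```

Merge the returned fragment into the full request body shown above; the rejected list is worth reviewing before the PUT, since a mistyped DN is otherwise only noticed when the expected groups are missing after sync.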