Using VMware NSX UI to select IDFW LDAP OUs shows error "Directory domain exceeds maximum org unit (Error code: 38032)"


Article ID: 327765


Updated On: 03-21-2025

Products

VMware NSX

Issue/Introduction

  • VMware NSX with IDFW.
  • When selecting to sync specific LDAP OUs, an error is observed on the UI:

    Directory domain exceeds maximum org unit (Error code: 38032).

  • In the NSX Manager log /var/log/proton/nsxapi.log a similar error is observed:

Error in NSX 3.x, NSX 4.1:
<Date>T<Time>Z ERROR http-nio-127.0.0.1-7440-exec-19680 AdLdapFetcher 4749 INVENTORY [nsx@6876 comp="nsx-manager" errorCode="MP38032" level="ERROR" reqId="<id>" subcomp="manager" username="admin"] AD domain exceeds maximum(=500) org units

Error in NSX 4.2:
<Date>T<Time>Z  ERROR http-nio-127.0.0.1-7440-exec-4 AdLdapFetcher 91030 INVENTORY [nsx@6876 comp="nsx-manager" errorCode="MP38032" level="ERROR" reqId="<id>" subcomp="manager" username="admin"] AD domain exceeds maximum(=2000) org units



Environment

VMware NSX

vDefend Firewall

Cause

This is expected behaviour from the NSX UI.

The UI imposes a maximum of 500 (NSX 3.x, 4.1) or 2000 (NSX 4.2) OUs in order to limit the time spent in fetching the entire OU tree.

Resolution

To work around this UI limitation, use the NSX Policy API to configure the domain with the selected OUs instead.

Use the following API calls to manually select OUs:

For VMware NSX-T: PUT /policy/api/v1/infra/firewall-identity-stores/<id>

Steps using VMware NSX API calls:

1. Use the GET call to list identity stores:

GET /policy/api/v1/infra/firewall-identity-stores/

2. Identify the store in question and use its id in the GET call to retrieve the details of that specific store:

GET /policy/api/v1/infra/firewall-identity-stores/<id>

Example: GET /policy/api/v1/infra/firewall-identity-stores/fw-ad-1

    "resource_type": "IdentityFirewallAdStore",
    "id": "fw-ad-1",

3. Copy the output of the GET for use in the PUT call. Change the parameters shown below and specify the OUs to sync, as in the following example:

PUT /policy/api/v1/infra/firewall-identity-stores/<id>

Example: PUT /policy/api/v1/infra/firewall-identity-stores/fw-ad-1

    },
    "selective_sync_settings": {
        "enabled": true,
        "selected_org_units": [
            "OU=Domain Controllers,DC=corp,DC=local"
        ]
    },

The above example illustrates how to use the API to sync the OU "Domain Controllers" to the identity store fw-ad-1.
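The three steps above, as an added example that is not part of this article or of the NSX product code: a small Python helper that takes the GET output of step 2, adds the selective_sync_settings block of step 3 while leaving every other field of the copied object intact, and PUTs it back. It assumes the store's GET output carries a base_distinguished_name field (used here to reject OU DNs that do not sit under the domain before they reach the manager); the manager hostname, credentials and the SAMPLE_STORE dict are constructed values.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample: abbreviated GET output for the store the article uses.
# base_distinguished_name is assumed to be present in the real response.
SAMPLE_STORE = {
    "resource_type": "IdentityFirewallAdStore",
    "id": "fw-ad-1",
    "domain_name": "corp.local",
    "base_distinguished_name": "DC=corp,DC=local",
    "_revision": 3,
}

def _dn_parts(dn):
    """Split a DN into normalised RDNs (case-folded, surrounding spaces removed)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def build_selective_sync_body(store, org_units):
    """Return the PUT body: the GET output plus selective_sync_settings for org_units.
    Every OU must be a DN strictly below the store's base DN; the input dict is not modified."""
    base = _dn_parts(store["base_distinguished_name"])
    for ou in org_units:
        parts = _dn_parts(ou)
        if len(parts) <= len(base) or parts[-len(base):] != base:
            raise ValueError(f"{ou!r} is not an OU under {store['base_distinguished_name']}")
    body = dict(store)  # keeps id, _revision and every other field copied from the GET
    body["selective_sync_settings"] = {
        "enabled": True,
        "selected_org_units": list(org_units),
    }
    return body

def put_identity_store(manager, user, password, body, verify_tls=True):
    """PUT the body to /policy/api/v1/infra/firewall-identity-stores/<id>; returns the parsed reply."""
    url = f"https://{manager}/policy/api/v1/infra/firewall-identity-stores/{body['id']}"
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab manager with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

Replace SAMPLE_STORE with the real GET output of step 2 before calling put_identity_store; the DN check only catches mismatched suffixes, not typos inside an OU name.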

Additional Information