Logging in to NSX-T Manager node as an LDAP user in a scaled AD config may take long time or fail

Article ID: 336800

Products

VMware NSX

Issue/Introduction

Symptoms:
In a scaled Active Directory (AD) configuration, when users log into the NSX-T Manager, you see these symptoms:

  • There is a delay in logging in or a complete failure to log in.
  • The UI displays an error message similar to:

    LDAP_TIMELIMIT_EXCEEDED
     
  • In the /var/log/proxy/reverse-proxy.log file of the NSX Manager, you see entries similar to:

    nsx_manager_bd292642-####-####-####-8765b962d71a_20201118_144548/var/log/proxy/reverse-proxy.log:org.springframework.ldap.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; nested exception is javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'dc=example,dc=com'

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
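To spot this condition from the log rather than from user reports, the following added Python example (not VMware code) scans reverse-proxy.log lines for the exception signature shown above and groups the time-outs by the search base ("remaining name") they ran under. The sample lines are constructed for the demonstration, modelled on the excerpt (with the support-bundle file prefix dropped); the line mentioning a narrower base is hypothetical and only exists to show the grouping.

```python
"""Scan NSX Manager reverse-proxy.log lines for the LDAP time-limit signature.

Added example, not VMware code. SAMPLE_LOG is constructed, modelled on the KB excerpt.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# One pattern for both wrappers in the KB excerpt: the Spring LDAP exception and the
# JNDI exception nested inside it. It captures the LDAP result code (3 = timeLimitExceeded)
# and the "remaining name", which is the search base the query was running under.
LDAP_TIMEOUT_RE = re.compile(
    r"(?P<exception>[\w.]*TimeLimitExceededException): "
    r"\[LDAP: error code (?P<code>\d+) - (?P<message>[^\]]+)\]"
    r"(?:.*?remaining name '(?P<remaining>[^']*)')?"
)

SAMPLE_LOG: List[str] = [
    # constructed: normal activity that must not be flagged
    "2020-11-18T14:45:10Z INFO  ReverseProxy - login succeeded for jane@example.com",
    # taken from the KB excerpt (file-name prefix dropped)
    "org.springframework.ldap.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; "
    "nested exception is javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; "
    "remaining name 'dc=example,dc=com'",
    # constructed: a later attempt that still timed out under a narrower search base
    "javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; "
    "remaining name 'ou=Users,dc=example,dc=com'",
    # constructed: an unrelated LDAP failure that must not be flagged
    "2020-11-18T14:46:02Z WARN  ReverseProxy - LDAP bind failed for bob@example.com",
]


def parse_ldap_timeouts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line that carries an LDAP time-limit exception."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        m = LDAP_TIMEOUT_RE.search(line)
        if m is None:
            continue
        hits.append({
            "line": lineno,
            "exception": m.group("exception"),
            "code": int(m.group("code")),
            "message": m.group("message"),
            "base_dn": m.group("remaining") or "",
        })
    return hits


def timeouts_by_base_dn(lines: Iterable[str]) -> Counter:
    """Count time-limit failures per search base.

    Repeated failures under a broad base such as 'dc=example,dc=com' are the condition
    the KB's workaround addresses by narrowing the BaseDN.
    """
    return Counter(str(hit["base_dn"]) for hit in parse_ldap_timeouts(lines))


if __name__ == "__main__":
    for hit in parse_ldap_timeouts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['exception']} code {hit['code']} base '{hit['base_dn']}'")
    print(dict(timeouts_by_base_dn(SAMPLE_LOG)))
```

Point `parse_ldap_timeouts` at the real file with `open("/var/log/proxy/reverse-proxy.log")` on the Manager node; only lines carrying a TimeLimitExceededException are reported, so ordinary bind failures and successful logins are ignored.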

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

This issue occurs due to the time it takes for the system to enumerate the different groups that a user belongs to in a scaled Active Directory configuration.

Resolution

This is a known issue affecting VMware NSX-T Data Center 3.1.x.

This issue is resolved in VMware NSX-T Data Center 3.1.2.

Workaround:
To work around this issue, change the BaseDN so that fewer entries are searched when resolving the groups that a user belongs to.

Note: For users who are part of many groups, consider creating an alternative LDAP identity for that user to use when logging into NSX. Only include that user in the groups needed to allow the user to log into NSX.

If you have a large Active Directory configuration, you can use these steps before upgrading to determine whether this issue applies to your environment.

Before upgrading to VMware NSX-T Data Center 3.1 or 3.1.1:

  1. Download and install the Microsoft Remote Server Administrator Tools. For more information, see:

    Remote Server Administrator Tools For Windows 10
    Remote Server Administrator Tools For Windows 8
    Remote Server Administrator Tools For Windows 8.1

    For instructions on using the tool, see Remote Server Administration Tools (RSAT) for Windows.

    Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
     
  2. Once installed, open a command shell on a computer that is joined to your Active Directory (AD) domain and run this command:

    dsquery user -upn <your_UPN>

    where <your_UPN> is the userPrincipalName you use to log in, typically of the form "username@example.com".

    The output of the command will be your full Distinguished Name (DN). Run this command and make a note of how long it takes to complete and display the command prompt again:

    dsquery * -filter "member:1.2.840.113556.1.4.1941:=<your DN>"

    For example:

    dsquery * -filter "member:1.2.840.113556.1.4.1941:=CN=John Doe,OU=Users,OU=SanDiego_California_USA,OU=NA,OU=SITES,DC=example,DC=com"

Notes

  • The string "1.2.840.113556.1.4.1941" is the OID for the Microsoft LDAPv3 Extensible Match LDAP_FILTER_IN_CHAIN and is how you request that AD work out nested group membership on the server side.
  • If this command takes more than ten seconds to complete, the user/group structure of your AD is complex enough that NSX login will be very slow or will time out. VMware recommends not upgrading to NSX-T Data Center version 3.1 or 3.1.1 at this time.
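The same measurement as an added Python example rather than VMware or Microsoft code: it builds the in-chain filter from the user's DN (escaping parentheses and the other filter metacharacters that a raw LDAP filter requires, which matters when a CN contains them), times the query, and applies the ten-second rule above. Directory access is injected as a callable so the code can run against a real AD or, as here, against `SAMPLE_DIRECTORY`, a constructed in-memory stand-in that implements the transitive group membership the in-chain rule computes server-side. `ldap3_search` is an assumed wiring for a real directory using the ldap3 library (not exercised here); its `base_dn` is the BaseDN that the workaround narrows.

```python
"""Build and time the nested-group query that NSX-T login depends on.

Added example, not VMware or Microsoft code. SAMPLE_DIRECTORY is constructed sample data;
ldap3_search assumes the ldap3 package is installed and is not run in this demonstration.
"""
import re
import time
from typing import Callable, Dict, Iterable, List, Set

# OID of the in-chain extensible match rule used in the KB's dsquery command.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"
# The KB's rule of thumb: longer than this and NSX login will be very slow or time out.
SLOW_THRESHOLD_SECONDS = 10.0


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules).

    A DN such as 'CN=John Doe (Admin),OU=Users,DC=example,DC=com' contains parentheses
    that would otherwise terminate the filter early.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the in-memory directory below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def nested_group_filter(user_dn: str) -> str:
    """The filter the KB runs through dsquery: groups containing user_dn at any depth."""
    return f"(member:{IN_CHAIN_OID}:={escape_filter_value(user_dn)})"


def measure_nested_groups(search: Callable[[str], Iterable[str]], user_dn: str) -> dict:
    """Time the nested-group query; `search` maps an LDAP filter to matching DNs."""
    flt = nested_group_filter(user_dn)
    start = time.perf_counter()
    groups = sorted(search(flt))
    elapsed = time.perf_counter() - start
    return {"filter": flt, "groups": groups, "group_count": len(groups),
            "seconds": elapsed, "too_slow": elapsed > SLOW_THRESHOLD_SECONDS}


def ldap3_search(server_uri: str, bind_dn: str, password: str, base_dn: str):
    """Assumed wiring for a real AD via ldap3 (pip install ldap3); not run here.

    Timing the same user with a broad and a narrowed base_dn shows the effect of the
    BaseDN workaround.
    """
    import ldap3  # assumption: ldap3 is installed
    conn = ldap3.Connection(ldap3.Server(server_uri), user=bind_dn, password=password, auto_bind=True)

    def search(flt: str) -> List[str]:
        conn.search(base_dn, flt, attributes=["distinguishedName"])
        return [entry.entry_dn for entry in conn.entries]
    return search


class FakeDirectory:
    """In-memory stand-in for AD that understands only the in-chain member filter.

    `members` maps group DN -> member DNs (users or other groups); constructed data.
    """

    def __init__(self, members: Dict[str, List[str]]):
        self.members = members

    def search(self, flt: str) -> List[str]:
        prefix = f"(member:{IN_CHAIN_OID}:="
        if not (flt.startswith(prefix) and flt.endswith(")")):
            raise ValueError("FakeDirectory only supports the in-chain member filter")
        target = unescape_filter_value(flt[len(prefix):-1])
        # Transitive closure, which is what the in-chain rule computes server-side:
        # groups holding the target directly, then groups holding those, and so on.
        found: Set[str] = set()
        frontier = [target]
        while frontier:
            dn = frontier.pop()
            for group, mem in self.members.items():
                if dn in mem and group not in found:
                    found.add(group)
                    frontier.append(group)
        return sorted(found)


JOHN_DN = "CN=John Doe (Admin),OU=Users,DC=example,DC=com"   # constructed
JANE_DN = "CN=Jane Roe,OU=Users,DC=example,DC=com"           # constructed
SAMPLE_DIRECTORY = FakeDirectory({
    "CN=NSX Admins,OU=Groups,DC=example,DC=com": [JOHN_DN],
    "CN=Platform Team,OU=Groups,DC=example,DC=com": ["CN=NSX Admins,OU=Groups,DC=example,DC=com"],
    "CN=All Staff,OU=Groups,DC=example,DC=com": ["CN=Platform Team,OU=Groups,DC=example,DC=com", JANE_DN],
    "CN=Contractors,OU=Groups,DC=example,DC=com": [JANE_DN],
})

if __name__ == "__main__":
    for dn in (JOHN_DN, JANE_DN):
        r = measure_nested_groups(SAMPLE_DIRECTORY.search, dn)
        print(f"{dn}: {r['group_count']} groups in {r['seconds']:.4f}s, too slow: {r['too_slow']}")
```

The in-memory directory answers instantly, so `too_slow` is always False here; against a real directory the value that matters is `seconds` compared with the ten-second rule, and John's three groups (one direct, two reached only through nesting) illustrate why the query's cost grows with the depth and breadth of the group tree rather than with the user's direct memberships.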