PKS ldap user authentication failed with "Authentication request failed with Oauth exception: [pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes"



Article ID: 345561


Updated On:

Products

VMware

Issue/Introduction

Symptoms:
  • PKS authentication fails for LDAP users.

  • In the UAA logs on the PKS VM, you see entries similar to:

[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] ....  WARN --- UaaAuthorizationRequestManager: The requested scopes are invalid
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request failed with Oauth exception: [pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes
[2019-02-26 22:06:51.646] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- DefaultOAuth2ExceptionRenderer: Written [error="invalid_scope", error_description="[pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@45085f8f]
[2019-02-26 22:06:51.647] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
[2019-02-26 22:06:52.481] uaa - 1074 [pool-4-thread-1] .... DEBUG --- JdbcTemplate: Executing SQL query [select count(*) from users]
[2019-02-26 22:06:52.482] uaa - 1074 [pool-4-thread-1] .... DEBUG --- JdbcTemplate: Executing SQL query [select count(*) from oauth_client_details]

  • When you run the following command to verify the mapping, it returns an "invalid access token" error:

$uaac group map --name pks.clusters.manage GROUP-DISTINGUISHED-NAME


Error response:

{
  "error": "invalid_token",
  "error_description": "invalid access token"
}
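As an added example that is not part of the original article, the following Python script scans UAA log lines for the "not allowed any of the requested scopes" failure shown above and tallies which scopes LDAP users were denied, so you can see which scopes still need a group mapping. The sample log is constructed from the lines quoted in this article plus one extra constructed line.

```python
import re
from collections import Counter

# Constructed sample: UAA log lines quoted in this article, plus one extra
# constructed failure on another thread requesting only pks.clusters.manage.
SAMPLE_UAA_LOG = """\
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] ....  WARN --- UaaAuthorizationRequestManager: The requested scopes are invalid
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request failed with Oauth exception: [pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes
[2019-02-26 22:06:51.647] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
[2019-02-26 22:07:10.001] uaa - 1074 [https-jsse-nio-8443-exec-5] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request failed with Oauth exception: [pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes
"""

# Captures the timestamp, the request thread and the bracketed list of
# requested scopes from the UAA "invalid_scope" failure message.
SCOPE_FAILURE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] uaa - \d+ \[(?P<thread>[^\]]+)\] .*?"
    r"Authentication request failed with Oauth exception: \[(?P<scopes>[^\]]*)\] is invalid\. "
    r"This user is not allowed any of the requested scopes"
)


def parse_scope_failures(log_text):
    """Return one dict per failed token request: timestamp, thread and requested scopes."""
    events = []
    for line in log_text.splitlines():
        m = SCOPE_FAILURE.match(line)
        if m:
            scopes = [s.strip() for s in m.group("scopes").split(",") if s.strip()]
            events.append({"ts": m.group("ts"), "thread": m.group("thread"), "scopes": scopes})
    return events


def unmapped_scope_counts(events):
    """Count how often each scope was requested by a user who was granted none of them."""
    counts = Counter()
    for event in events:
        counts.update(event["scopes"])
    return dict(counts)


if __name__ == "__main__":
    failures = parse_scope_failures(SAMPLE_UAA_LOG)
    for event in failures:
        print(event["ts"], event["thread"], ", ".join(event["scopes"]))
    # Each scope listed here is one the failing users have no LDAP group mapped to.
    for scope, n in sorted(unmapped_scope_counts(failures).items()):
        print(f"{scope}: {n} denied request(s)")
```

Point it at the real uaa.log instead of the constructed sample to list the scopes that still lack a mapped LDAP group.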


Environment

VMware PKS 1.x

Resolution

To resolve this issue, fetch an admin token using the client credentials grant:
$uaac token client get admin -s 'UAA-ADMIN-SECRET'

Where UAA-ADMIN-SECRET is your UAA admin secret. Refer to Ops Manager > Pivotal Container Service > Credentials > Pks Uaa Management Admin Client to retrieve your UAA admin secret.