After upgrading to NSX 4.2.0, LDAP-authenticated users are assigned incorrect roles and permissions. The NSX Manager audit log (the file /var/log/nsx-audit.log)
shows that the Granted Authorities recorded for a user do not match the Active Directory (AD) groups that user actually belongs to.
<###>1 YYYY-MM-DDTHH:MM:SS.SSSZ <NSX Manager FQDN> NSX 3322 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="LdapUserDetailsImpl [Dn=CN=#####.,CN=Users,DC=#####,DC=#####; Username=<username>@<AD Domain>; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[Example AD Group 1, Example AD Group 2]]@127.0.0.1", ModuleName="ACCESS_CONTROL", Operation="LOGOUT", Operation status="success"
The Active Directory groups to which the user actually belongs can be verified with the following PowerShell command (ActiveDirectory module) and compared against the Granted Authorities in the audit entry:
Get-ADPrincipalGroupMembership -Server <LDAP Server FQDN/IP address> -Identity <AD Username> | Get-ADGroup -Properties Description | Select Name
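The comparison described above can be scripted so that every LDAP user seen in the audit log is checked in one pass. The following PowerShell is an added example, not code from the VMware KB article: it assumes the audit log has been copied off the NSX Manager to a local file (the $AuditLogPath parameter), that the ActiveDirectory module is installed on the workstation, and that the domain controller name in $LdapServer is the one NSX is configured against. It also assumes the Granted Authorities field carries AD group names (as in the sample entry above) rather than distinguished names.

```powershell
# Added example (not from the VMware KB): compare the groups NSX logged as
# "Granted Authorities" for each LDAP user against the user's real AD groups.
# Assumed inputs: a local copy of /var/log/nsx-audit.log and a reachable DC.
param(
    [string]$AuditLogPath = '.\nsx-audit.log',   # assumed local copy of the audit log
    [string]$LdapServer   = 'dc01.example.com'   # assumed AD domain controller used by NSX
)

Import-Module ActiveDirectory

# Match the UserName="LdapUserDetailsImpl [...]" field of an ACCESS_CONTROL entry.
# 'user' captures the account name before '@<AD Domain>', 'groups' the bracketed
# Granted Authorities list. The DN portion cannot match 'user' because it is
# terminated by ';' before any '@' appears.
$pattern = 'Username=(?<user>[^@;]+)@[^;]+;.*?Granted Authorities=\[(?<groups>[^\]]*)\]'

$seen    = @{}   # report each user once even if they logged in/out many times
$results = foreach ($line in Get-Content -Path $AuditLogPath) {
    if ($line -notmatch 'ModuleName="ACCESS_CONTROL"') { continue }
    if ($line -notmatch $pattern) { continue }

    $user = $Matches['user']
    if ($seen.ContainsKey($user)) { continue }
    $seen[$user] = $true

    # Group names as NSX recorded them (comma-separated inside the brackets).
    $logged = ($Matches['groups'] -split ',') |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ }

    # Group names as the directory reports them for this account.
    try {
        $actual = @(Get-ADPrincipalGroupMembership -Server $LdapServer -Identity $user |
                    Select-Object -ExpandProperty Name)
    } catch {
        Write-Warning "Could not query AD for '$user': $_"
        continue
    }

    # -notin is case-insensitive by default, matching how AD group names compare.
    $extra   = @($logged | Where-Object { $_ -notin $actual })   # granted by NSX, not in AD: excess privilege
    $missing = @($actual | Where-Object { $_ -notin $logged })   # in AD, not granted by NSX

    [pscustomobject]@{
        User         = $user
        LoggedGroups = ($logged  -join ', ')
        ActualGroups = ($actual  -join ', ')
        ExtraInNsx   = ($extra   -join ', ')
        MissingInNsx = ($missing -join ', ')
    }
}

# Only users whose NSX-side authorities differ from AD need investigation.
$results | Where-Object { $_.ExtraInNsx -or $_.MissingInNsx } | Format-Table -AutoSize
```

Any user listed with a non-empty ExtraInNsx column has been granted authorities for a group they are not a member of, which is the symptom this article describes; group names containing a comma would be split incorrectly by this simple parser, so treat such entries manually.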
Products: VMware NSX-T Data Center, VMware NSX
This issue is caused by a defect in the cache that maps LDAP group names to NSX roles. As a result, users are granted privileges that do not correspond to their actual AD group membership.
This is a known issue and is resolved in NSX 4.2.0.2 and later.
VMware NSX 4.2.0.2 Release Notes
Note: This only affects deployments where NSX Manager is integrated with LDAP directly. vIDM authenticates users to NSX through a different mechanism and is not affected.