When adding an LDAP Group to NSX, it fails with the error code 71065 "Error: The maximum number of group role bindings for LDAP identity source <LDAP UUID> has been reached."

Article ID: 389490

Updated On:

Products

VMware NSX

Issue/Introduction

When the 21st LDAP/VIDM group or user is added, NSX responds with the following error message in the UI:
"Error: The maximum number of group role bindings for LDAP identity source <LDAP UUID> has been reached. (Error code: 71065)."

Environment

VMware NSX 4.2.0.*
VMware NSX 4.2.1.*

Cause

A maximum of 20 LDAP/VIDM users and groups can be added to NSX from any single LDAP Identity Source.
This is a known behavior affecting VMware NSX 4.2.0 and 4.2.1.

Resolution

This issue is resolved in VMware NSX 4.2.2, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.


The workaround below is only applicable to VMware NSX 4.2.0.* and 4.2.1.*

Workaround:

  • Create a group in Active Directory that contains the other groups and add only that top-level group to NSX. This assumes that the same role needs to be granted to all the nested groups.


Alternatively, use the script attached to this Knowledge Base article to increase the LDAP group binding limit from 20 to 500 groups:

  1. Download the script attached below.
  2. Use WinSCP or a similar tool to copy the script into the /image directory of the NSX Manager.
  3. SSH into the NSX Manager as 'root'.
  4. Change the permission of the script: 
    #chmod +x /image/max_group_role_bindings_script.sh
  5. Run the script: 
    #/image/max_group_role_bindings_script.sh

    Output will show:
    Archive:  /opt/vmware/proton-tomcat/webapps/nsxapi/WEB-INF/lib/libuserauth.jar
      inflating: META-INF/spring/userauth.properties
  6. Verify the change by checking the properties file inflated by the previous command:

    #cat /opt/vmware/proton-tomcat/webapps/nsxapi/WEB-INF/classes/META-INF/spring/userauth.properties | grep max_group_role_bindings_per_identity_source
    ldapidentitysources.max_group_role_bindings_per_identity_source=500
  7. Repeat the same steps on all NSX Managers.


Note: You will need to re-run the script after an upgrade of NSX or after a restore of NSX Manager from backup.
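The verification in step 6 and the note above (re-checking after an upgrade or restore) can be scripted so the same check runs on every NSX Manager. The helper below is an added example, not the script attached to this article; it only reads the userauth.properties file named in step 6 and compares the ldapidentitysources.max_group_role_bindings_per_identity_source value against the expected limit. The sample files it creates are constructed for demonstration and are not real NSX output; the expected value of 500 and the treatment of a missing key as "workaround not applied" are assumptions of the example.

```shell
#!/bin/sh
# Added verification helper (not the KB's attached script).
# Reports whether the LDAP group role binding limit in userauth.properties
# has been raised, so the workaround can be confirmed on each NSX Manager
# and re-checked after an upgrade or a restore from backup.

# Path and key as shown in step 6 of the workaround.
PROPS_FILE=/opt/vmware/proton-tomcat/webapps/nsxapi/WEB-INF/classes/META-INF/spring/userauth.properties
KEY=ldapidentitysources.max_group_role_bindings_per_identity_source

# Print the value of KEY from a Java .properties file; prints nothing if unset.
# Skips comment lines, tolerates surrounding whitespace and '=' or ':' as the
# separator, and takes the last definition if the key appears more than once.
get_binding_limit() {
    file=$1
    key_re=$(printf '%s' "$KEY" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "/^[[:space:]]*[#!]/d; s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$file" \
        | tail -n 1 | tr -d '[:space:]'
}

# Return 0 if the file sets the limit to at least EXPECTED (default 500,
# the value the workaround script writes), 1 otherwise. A missing or
# non-numeric value is reported as "workaround not applied" (assumption).
check_binding_limit() {
    file=$1
    expected=${2:-500}
    value=$(get_binding_limit "$file")
    case $value in
        ''|*[!0-9]*)
            echo "$file: $KEY is not set or not numeric ('$value'); workaround not applied?" >&2
            return 1 ;;
    esac
    if [ "$value" -ge "$expected" ]; then
        echo "$file: limit is $value (>= $expected), OK"
        return 0
    fi
    echo "$file: limit is $value (< $expected); re-run the workaround script" >&2
    return 1
}

# Constructed sample files (not real NSX output) showing both outcomes.
SAMPLE_OK=$(mktemp)
printf '# constructed sample after the workaround\n%s = 500\n' "$KEY" > "$SAMPLE_OK"
SAMPLE_MISSING=$(mktemp)
printf '# constructed sample without the key\nsome.other.key=1\n' > "$SAMPLE_MISSING"

check_binding_limit "$SAMPLE_OK" 500
check_binding_limit "$SAMPLE_MISSING" 500 || true

# On a real manager (as root, after the workaround), run instead:
#   check_binding_limit "$PROPS_FILE" 500
```

Run the check on each manager after applying the workaround, and again after any NSX upgrade or restore, since those operations replace the file the script modifies.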

Attachments

max_group_role_bindings_script.sh