Support bundle generation fails for users created in LDAP

Article ID: 391752

Products

VMware NSX

Issue/Introduction

  • NSX Manager is acting as an LDAP client.
  • LDAP is connected to NSX Manager successfully, and the LDAP servers show a status of 'OK' in the NSX UI.
  • The LDAP Identity Source was edited recently and the case of the domain name was changed, from all upper case to all lower case or to mixed upper and lower case.
    Since this change, LDAP users and groups previously added to NSX no longer have permission to generate a support bundle.
  • In the NSX UI, under System > Settings - Support Bundle, generating a support bundle fails for users created in LDAP, even though they have the enterprise_admin role.
  • Error message seen in UI:

Support bundle request failed: User is not authorized to perform this operation on the application. Please contact the system administrator to get access.

  • /var/log/proton/nsxapi.log shows that the user has the correct enterprise_admin role:

nsxapi.log:2025-02-17T12:31:14.051Z  INFO http-nio-127.0.0.1-7440-exec-86 77176 - [nsx@6876 comp="nsx-manager" level="INFO" reqId="0e35f08d-46ca-##################-####" subcomp="manager" username="[email protected]"] userName: [email protected] groupName: [[email protected]] roles: [enterprise_admin]

  • In spite of this user having 'enterprise_admin' privilege, support bundle extraction fails with 'Insufficient privileges':

api_server.log:24230:2025-02-17T12:31:47.099Z napi.rest_routine_rbac_utils INFO Insufficient privileges invoking POST /api/v1/administration/support-bundles by [email protected] (#########################==) in groups '['[email protected]']' (#########################==) with perms: ''

  • No problems are seen for local users (for example, local user: admin can successfully generate support-bundle).

Environment

VMware NSX-T Data Center 3.2.x
VMware NSX 4.1.x
VMware NSX 4.2.0

Cause

This is a known issue affecting NSX. When LDAP users are authorized, host and domain names are compared in a case-sensitive fashion.
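
A triage sketch for the symptom described above, added here as an example and not VMware or Broadcom code: it flags users for whom nsxapi.log reports a role while api_server.log records a denial with empty perms. The log lines, user names and function names are constructed, and the regular expressions assume the two line formats shown in the excerpts in this article.

```python
import re

# Constructed sample lines modelled on the two excerpts in this article.
# User and group names are placeholders, not values from a real system.
NSXAPI_LOG = [
    '2025-02-17T12:31:14.051Z  INFO http-nio-127.0.0.1-7440-exec-86 77176 - '
    '[nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager" '
    'username="alice@corp.example"] userName: alice@corp.example '
    'groupName: [nsx-admins@corp.example] roles: [enterprise_admin]',
]
API_SERVER_LOG = [
    "2025-02-17T12:31:47.099Z napi.rest_routine_rbac_utils INFO Insufficient "
    "privileges invoking POST /api/v1/administration/support-bundles by "
    "alice@corp.example (PLACEHOLDER==) in groups "
    "'['nsx-admins@corp.example']' (PLACEHOLDER==) with perms: ''",
    # bob has no role line in nsxapi.log, so this denial is not the KB symptom
    "2025-02-17T12:40:02.000Z napi.rest_routine_rbac_utils INFO Insufficient "
    "privileges invoking POST /api/v1/administration/support-bundles by "
    "bob@corp.example (PLACEHOLDER==) in groups '[]' (PLACEHOLDER==) with perms: ''",
]

ROLE_RE = re.compile(r"userName: (\S+) groupName: \[.*?\] roles: \[(.*?)\]")
DENY_RE = re.compile(r"Insufficient privileges invoking (\S+) (\S+) by (\S+) .* with perms: '(.*)'$")

def roles_by_user(lines):
    """Map case-folded user name -> set of roles reported in nsxapi.log."""
    roles = {}
    for line in lines:
        m = ROLE_RE.search(line)
        if m:
            found = {r.strip() for r in m.group(2).split(",") if r.strip()}
            roles.setdefault(m.group(1).casefold(), set()).update(found)
    return roles

def find_mismatches(nsxapi_lines, api_server_lines):
    """Denials with empty perms for users that nsxapi.log shows holding roles."""
    roles = roles_by_user(nsxapi_lines)
    hits = []
    for line in api_server_lines:
        m = DENY_RE.search(line)
        if m and m.group(4) == "":
            assigned = roles.get(m.group(3).casefold())
            if assigned:
                hits.append((m.group(3), m.group(1), m.group(2), sorted(assigned)))
    return hits

if __name__ == "__main__":
    for user, method, path, roles in find_mismatches(NSXAPI_LOG, API_SERVER_LOG):
        print(f"{user}: roles {roles} but empty perms on {method} {path}")
```

User names are case-folded before the two logs are joined, so the correlation itself does not depend on the case in which each log records the principal.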

Resolution

This issue is resolved in VMware NSX 4.2.1 and later versions, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.


Workaround:

As a workaround, edit the LDAP Identity Source and restore the host name part of the user to all lower case characters.