Unable to lookup LDAPS users in NSX after successful addition of LDAPS server.
Article ID: 415697

Products

VMware NSX

Issue/Introduction

  • The LDAP lookup correctly connects to the server but fails to find users from a specific domain. While the connection is successful, searches for these users return "No items found" and a "Try searching with minimum 3 characters" message.

  • The following log line (/var/log/syslog) is observed while searching for an LDAP user to add to NSX.
    2025-10-23T08:51:48.004Z  INFO Processing request 5589d287-8b1a-4bff-acec-4ac7da54c730 BaseProxyDelegate 74556 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Processing request to /policy/api/v1/aaa/ldap-identity-sources/<Display-name>/search (filter_value=<LDAP-username>) with /policy/ -> 127.0.0.1:7440:/nsxapi/
    
  • Below is the curl output for the LDAPS configuration in NSX.
    # curl -k -u admin -H "Content-Type: application/json" -X GET https://localhost/policy/api/v1/aaa/ldap-identity-sources/
    Enter host password for user 'admin':
    {
      "results" : [ {
        "resolve_nested_groups" : true,
        "group_cache_ttl" : 60,
        "resource_type" : "ActiveDirectoryIdentitySource",
        "id" : "<Display-ID>",
        "display_name" : "<Display-name>",
        "domain_name" : "example.in",
        "base_dn" : "OU=TEST,DC=EXAMPLE,DC=IN",
        "ldap_servers" : [ {
          "url" : "LDAPS://EXAMPLE.IN:636",
          "use_starttls" : false,
          "certificates" : [ "-----BEGIN CERTIFICATE-----
    .............................
    ----END CERTIFICATE-----" ],
          "bind_identity" : "<username>@example.in",
          "enabled" : true
        } ],
        "_system_owned" : false,
        "_protection" : "NOT_PROTECTED",
        "_create_time" : 1759997630347,
        "_create_user" : "admin",
        "_last_modified_time" : 1761043759337,
        "_last_modified_user" : "admin",
        "_revision" : 19
      } ],
      "result_count" : 1
    }
    

Environment

VMware NSX

Cause

This issue is encountered when the domain_name and base_dn values do not match. All of the user and group entries you intend to use to control access to NSX must be contained within the LDAP directory tree rooted at the specified Base DN. If the Base DN is set to something too specific, such as an Organizational Unit deeper in your LDAP tree, NSX may not be able to find the entries it needs to locate users and determine group membership.

Resolution

For proper configuration, the domain_name must be identical to the base_dn. In the scenario described above, correct the mismatch by removing the OU from the base_dn so that it precisely matches the domain_name (for example, "example.in" corresponds to DC=EXAMPLE,DC=IN).
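The following script is an added example, not VMware code and not part of this article; it shows how to check an identity-source record of the shape returned by the GET call above for the domain_name/base_dn mismatch described in the Cause and Resolution sections, and how to derive the corrected base_dn. The SAMPLE_SOURCE dictionary is constructed from the article's placeholders (certificate and timestamps omitted); it does not call the NSX API, and applying the corrected value back to NSX is left to the operator.

```python
import json


# Constructed sample mirroring the GET response in the article (placeholders kept,
# certificate and bookkeeping fields omitted). Not real data.
SAMPLE_SOURCE = {
    "resource_type": "ActiveDirectoryIdentitySource",
    "id": "<Display-ID>",
    "display_name": "<Display-name>",
    "domain_name": "example.in",
    "base_dn": "OU=TEST,DC=EXAMPLE,DC=IN",
    "ldap_servers": [
        {"url": "LDAPS://EXAMPLE.IN:636", "use_starttls": False, "enabled": True}
    ],
}


def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.

    Handles simple DC/OU style DNs only (no escaped commas), which is all that
    an NSX base_dn normally contains.
    """
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def domain_to_dn(domain_name):
    """Map a DNS domain name to the DN of the domain root: example.in -> DC=example,DC=in."""
    labels = [label for label in domain_name.strip().lower().split(".") if label]
    return ",".join(f"DC={label}" for label in labels)


def check_base_dn(source):
    """Return (ok, finding, suggested_base_dn) for one identity-source record.

    ok is False when the DC components of base_dn do not spell the domain_name,
    or when base_dn carries extra (e.g. OU=) components that narrow the search
    scope below the domain root, which is the condition the article describes.
    """
    suggested = domain_to_dn(source["domain_name"])
    expected = split_dn(suggested)
    actual = split_dn(source["base_dn"])
    dc_components = [p for p in actual if p[0] == "dc"]
    other_components = [p for p in actual if p[0] != "dc"]

    if dc_components != expected:
        return (False,
                f"DC components {dc_components} do not match domain_name "
                f"{source['domain_name']!r}", suggested)
    if other_components:
        return (False,
                f"base_dn is narrower than the domain root: extra components "
                f"{other_components}", suggested)
    return True, "base_dn matches domain_name", suggested


def fix_base_dn(source):
    """Return a copy of the record with base_dn rewritten to the domain root."""
    fixed = dict(source)
    fixed["base_dn"] = domain_to_dn(source["domain_name"])
    return fixed


if __name__ == "__main__":
    ok, finding, suggested = check_base_dn(SAMPLE_SOURCE)
    print(f"ok={ok}: {finding}")
    if not ok:
        print(f"suggested base_dn: {suggested}")
        print(json.dumps(fix_base_dn(SAMPLE_SOURCE), indent=2))
```

The check deliberately treats attribute names and values case-insensitively, because LDAP DNs are compared that way and the article's record mixes "example.in" with "DC=EXAMPLE,DC=IN"; a base_dn whose DC components spell a different domain is reported as a separate finding from one that merely adds an OU beneath the correct domain.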

Additional Information