Some or all AD users are unable to log into Aria Operations and receive a permissions-related error message.
Aria Operations
LDAP group import is not detecting the affected users in the group through which their role is assigned. The group and the users are each imported, but the users' membership of that group is not listed. The cause is an LDAP-side configuration that prevents the affected users' group membership (the memberOf attribute) from being returned when the user is queried.
We can query the LDAP group with the following command:
ldapsearch -x -H ldap://<AD_Domain> -b "OU=<Example_OU>,DC=<Example_DC>" '(cn=<Group_Name>)' -D <LDAP_Service_Account_For_Aria_Link> -w "${PASSWORD}" '*' '+' | tee ldapsearch_<Group_Name>_group
Verification steps: SSH into the primary node and run the following command against an affected user. If this issue is present in your environment, the output contains no memberOf attribute for that user:
ldapsearch -x -H ldap://<AD_Domain> -b "OU=<Example_OU>,DC=<Example_DC>" '(cn=<User>)' -D <LDAP_Service_Account_For_Aria_Link> -w "${PASSWORD}" memberOf | tee ldapsearch_<User>_user_memberOf
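As an added example (not part of this article or the product), the following Python script parses the LDIF saved by the two ldapsearch commands above and reports which members the group lists whose own entry does not return the matching memberOf value; the group and user DNs embedded in it are constructed sample data, so it runs offline.

```python
import base64
# Constructed sample LDIF shaped like the output of the two ldapsearch commands
# above: the group lists two members, but only Jane Doe's entry returns memberOf.
GROUP_LDIF = """\
# extended LDIF
dn: CN=AriaAdmins,OU=Groups,DC=example,DC=com
cn: AriaAdmins
member: CN=Jane Doe,OU=Users,DC=example,DC=com
member: CN=John Smith,OU=Users,
 DC=example,DC=com
"""
USERS_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
memberOf: CN=AriaAdmins,OU=Groups,DC=example,DC=com

dn: CN=John Smith,OU=Users,DC=example,DC=com
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry that has a dn."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold LDIF continuation lines
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line or line.startswith("#"):  # separator or ldapsearch comment
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries

def missing_memberof(group_ldif, users_ldif):
    """Group member DNs whose own entry does not list the group in memberOf."""
    group = parse_ldif(group_ldif)[0]
    group_dn = group["dn"][0].lower()
    users = {e["dn"][0].lower(): e for e in parse_ldif(users_ldif)}
    missing = []
    for member in group.get("member", []):
        groups = {g.lower() for g in users.get(member.lower(), {}).get("memberOf", [])}
        if group_dn not in groups:
            missing.append(member)
    return missing
```

Feed it the two files written by tee (the group file and a concatenation of the per-user memberOf files) and any DN it returns is a user whose role will not be inherited from the group.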
Workaround: Assign the group's role directly to the affected users in Aria Operations; see Roles and Privileges in VMware Aria Operations.
Resolution: Contact your LDAP team to troubleshoot the issue further, as the root cause lies within the LDAP environment.