NSX-T LDAP Configuration

Intro

Prior to NSX-T 3.0 in order to authenticate users via LDAP you needed to deploy a vIDM (Vmware Identity Manager) appliance. Now however you now longer need the appliance you can instead setup LDAP directly in the NSX-T GUI and thats what this post is all about.

For this I am going to use Active Directory over LDAP as its the most common solution and what I know.

Configuring for users in the default user OU.

To start off simply I’ll setup LDAP to use the default Users OU in Active Directory. We are going to need to know the Base DN for this. To get it run the Active Directory Users and Computer mmc from the AD server. In order to see the DN we need to enable Advanced Features. Click the View menu and select Advanced Features.

Now right click the Users folder and select Properties

Select the Attribute Editor tab then distinguishedName click View and make a note of the Value.

Next create a user in the Users OU.

NSX-T LDAP Configuration Users OU

We can now setup NSX-T to authenticate users from the Users OU.
Login to the NSX-T web console and go to System then Users and Roles under the Settings section then select LDAP and click ADD IDENTITY SOURCE

Give it a Name enter the Domain Name (FQDN) ensure that the Type is set to Active Directory over LDAP and enter the Base DN that we saved in the previous step, now under LDAP Servers click Set

Click ADD LDAP SERVER enter the Name leave the LDAP Protocol as LDAP leave the Port as 389, under Bind Identity enter an user that has a minimum of read rights to the AD user then enter the Password and click Check Status you should get a Successful Status. Click ADD then APPLY

Now click SAVE

LDAP is now setup to authenticate users in the Users OU so let’s test it. Before you add the user in NSX-T make sure you have created the user in Active Directory once done carry on.
Before we can test user access we of course first need to create a user, so go to the USERS tab and click ADD then Role Assignment for LDAP

Select the Domain then start to type the username and select the user from the dropdown list then select the desired role finally click SAVE

You should now see the user in the list note the Type is LDAP User

The last step is to login with the user to make sure its working so logout and log back in as the new user.

Success.

NSX-T LDAP Configuration via a Group in Custom OU

Unfortunately NSX-T does not seem to like it when you set the Base DN to a specific OU To configure NSX-T to use a AD user group the process is the same as before you can create the groups in the Users OU and reference that in the LDAP configuration or to use an OU in the root domain you can configure LDAP to use the root of the domain which is what I’ll cover here. First lets create a new OU and a new Group in Active Directory. from Active Directory Users and Computers right click on the root Domain and select New then Organizational Unit

Give it a name and click OK

Select the new OU and right click then select NEW then Group

Enter a name and click OK.

In order for us to use different groups for different roles we need to now get the Base DN of the domain not the group we just created so right click the domain root and select Properties then go to the Attribute Editor tab. As before find the distinguishedName and click View then make a note of the Value

Now add a user to the newly created group.

Back to the NSX-T web console now and the process is the same as before apart from the Base DN note difference in the screenshot below.

Click Set and add the LDAP server as we did before then click SAVE you may need to delete the previous configuration first if you set it up for the Users OU previously.

Now we can add our group to NSX-T go to the Users tab and click ADD then Role Assignment for LDAP

Select the Domain then type the first few letters of the group and select it from the dropdown list then select the Role and click SAVE

We can now see the Group has been added as Type LDAP User

Finally we can test it so log out and log back in using an account that is a member of the group.

Leave a Reply

Your email address will not be published.