4/9/2024
NSX-T
4.x
No fixed releases provided.
You are currently running NSX 4.x.
You are adding a role for an LDAP user, referencing AD groups, and the operation fails with the error below, which is also seen on the manager in /var/log/proton/nsxapi.log:
"Error: Invalid LDAP user/group. (Error code: 71050)"
In NSX-T 3.2 versions, these same AD groups could be integrated successfully with NSX-T, but after the upgrade to 4.x the operation fails.
The AD group for which this operation fails has a name that is a prefix of another group's name. Example: you have the AD groups "pg-nsx-r" and "pg-nsx-ro". You are able to add "pg-nsx-ro" successfully in NSX, but the operation for "pg-nsx-r" fails with the aforementioned error. Here, the name "pg-nsx-r" is a prefix of "pg-nsx-ro".
This article is published to describe a known issue observed with current VMware NSX 4.x versions.
VMware NSX does a search in the AD server to validate if the group exists. In the affected versions this search function uses the logic "starts with", rather than "exact match".
Unable to add an AD group whose name is a prefix of another group's name
This is a known issue impacting VMware NSX 4.x. This will be fixed in a future version.
You can rename the group in AD so that its name is not a prefix of another group's name.
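
Added example (not VMware's or BugZero's code): an in-memory model of the "starts with" versus "exact match" group lookup described above, plus a helper that lists which groups need the rename workaround. The `cn` attribute, the filter shape, and the rule that a lookup must return exactly one entry are assumptions made for illustration; the group list is constructed.

```python
# Added illustration: in-memory model with constructed group names.
# Assumptions: groups are matched on `cn`, and a lookup that does not
# return exactly one entry is rejected as "Invalid LDAP user/group".

def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) so a name is taken literally."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_filter(name, mode):
    """LDAP filter for a group lookup; mode is 'prefix' or 'exact'."""
    suffix = "*" if mode == "prefix" else ""
    return f"(&(objectClass=group)(cn={ldap_escape(name)}{suffix}))"


def search(directory, name, mode):
    """Emulate the lookup; AD compares cn values case-insensitively."""
    key = name.casefold()
    if mode == "prefix":
        return [g for g in directory if g.casefold().startswith(key)]
    return [g for g in directory if g.casefold() == key]


def validate(directory, name, mode):
    """Assumed rule: the group is accepted only if exactly one entry matches."""
    return len(search(directory, name, mode)) == 1


def shadowed_groups(directory):
    """Map each group whose name is a prefix of another to the longer names."""
    result = {}
    for g in directory:
        longer = [o for o in directory
                  if o.casefold() != g.casefold()
                  and o.casefold().startswith(g.casefold())]
        if longer:
            result[g] = sorted(longer)
    return result


if __name__ == "__main__":
    groups = ["pg-nsx-r", "pg-nsx-ro", "PG-NSX-Admin"]  # constructed sample
    for name in groups:
        print(name, build_filter(name, "prefix"),
              "prefix:", validate(groups, name, "prefix"),
              "exact:", validate(groups, name, "exact"))
    print("rename candidates:", shadowed_groups(groups))
```

Feeding `shadowed_groups` an export of the AD group names mapped to NSX roles before an upgrade to 4.x shows which names would hit error 71050.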