Operational Defect Database

BugZero updated this defect 40 days ago.

VMware | 96121

Adding an LDAP group to VMware NSX (4.x) for authentication fails with: "Error: Invalid LDAP user/group. (Error code: 71050)".

Last update date:

4/9/2024

Affected products:

NSX-T

Affected releases:

4.x

Fixed releases:

No fixed releases provided.

Description:

Symptoms

You are currently running NSX 4.x.

You are adding a role for an LDAP user or group that references AD groups, and the operation fails with the following error, which is also recorded in the manager's /var/log/proton/nsxapi.log:

"Error: Invalid LDAP user/group. (Error code: 71050)"

In NSX-T 3.2 versions, the same AD groups could be integrated with NSX-T successfully, but after the upgrade to 4.x the operation fails.

The AD group for which the operation fails has a name that is a prefix of another group's name. Example: you have the AD groups "pg-nsx-r" and "pg-nsx-ro". You can add "pg-nsx-ro" to NSX successfully, but the operation for "pg-nsx-r" fails with the error above, because "pg-nsx-r" is a prefix of "pg-nsx-ro".

Purpose

This article is published to describe a known issue observed with current VMware NSX 4.x versions.

Cause

VMware NSX searches the AD server to validate that the group exists. In the affected versions this search uses "starts with" logic rather than an "exact match", so a group whose name is a prefix of another group's name is not validated correctly.

Impact / Risks

An AD group cannot be added to NSX if its name is a prefix of another AD group's name.

Resolution

This is a known issue impacting VMware NSX 4.x. This will be fixed in a future version.

Workaround

You can rename the affected group in AD so that its name is no longer a prefix of another group's name.
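The "starts with" versus "exact match" lookup from the Cause section, and an audit that lists the group names the Workaround would have you rename, as an added example that is not VMware's code. It assumes (the article does not say so) that validation passes only when the search returns exactly one entry; the group names are constructed sample data.

```python
# Added example, not VMware's code: models the "starts with" group lookup described
# under Cause and audits an AD group list for the prefix collisions the Workaround
# asks you to rename. Assumption (not stated in the article): validation passes only
# when the search returns exactly one entry.

# Constructed sample of AD group names (cn values), not real directory data.
SAMPLE_GROUPS = ["pg-nsx-r", "pg-nsx-ro", "pg-nsx-admin", "pg-vc-ro"]


def search_starts_with(groups, name):
    """Affected 4.x behaviour: equivalent to the LDAP filter (cn=<name>*).
    Comparison is case-insensitive, as cn matching in AD is."""
    return [g for g in groups if g.lower().startswith(name.lower())]


def search_exact(groups, name):
    """Intended behaviour: equivalent to the LDAP filter (cn=<name>)."""
    return [g for g in groups if g.lower() == name.lower()]


def validate_group(groups, name, search):
    """Return (ok, matches). 'pg-nsx-r' validates with the exact search but fails
    with the prefix search because 'pg-nsx-ro' is returned as well."""
    matches = search(groups, name)
    return len(matches) == 1, matches


def prefix_conflicts(groups):
    """Pre-upgrade audit: for each group whose name is a prefix of another group's
    name, list the longer names. Groups in this map will hit error code 71050 on
    affected 4.x builds and are the candidates for renaming."""
    lowered = [(g, g.lower()) for g in groups]
    conflicts = {}
    for g, lg in lowered:
        longer = [h for h, lh in lowered if lh != lg and lh.startswith(lg)]
        if longer:
            conflicts[g] = longer
    return conflicts


if __name__ == "__main__":
    for name in ("pg-nsx-ro", "pg-nsx-r"):
        ok, matches = validate_group(SAMPLE_GROUPS, name, search_starts_with)
        print(name, "ok" if ok else "Error code 71050", matches)
    print("groups to rename before upgrading:", prefix_conflicts(SAMPLE_GROUPS))
```

Run the audit against an export of the AD groups you intend to map to NSX roles; an empty result means no group is affected by this defect.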
