If your administrative user accounts are maintained in an LDAP identity source (Active Directory or OpenLDAP), you can configure the SDDC NSX Manager to enable LDAP users to access NSX with roles you assign to their account or LDAP group in NSX Manager.
In most cases, all you need to do after setting up the LDAP service is point NSX Manager at a domain controller on port 389 (LDAP) or 636 (LDAPS). Prefer 636 wherever possible: on port 389 a simple bind sends the bind account's password, and each user's password at login, in cleartext unless the session is upgraded with StartTLS. Use a dedicated, read-only bind account for NSX Manager rather than an administrator account.
If you are using Active Directory (AD) and your forest contains more than one domain, point NSX Manager at a Global Catalog (GC) server and configure each additional domain as an alternative domain name in NSX. A domain controller queried on 389 or 636 holds only its own domain's partition and answers lookups for users in the other domains with referrals rather than entries. The GC runs on the domain controllers designated as GC servers and holds a read-only partial replica of every object in every domain of the forest, including the attributes needed to locate a user and resolve universal group membership; note that membership of global and domain local groups from other domains is not replicated to the GC, so assign NSX roles to universal groups if the group and the user live in different domains. The GC service listens on port 3268 (LDAP, plaintext) and 3269 (LDAP over TLS, encrypted).
For example, for a forest whose domains include americas.example.com and emea.example.com:
- Configure NSX Manager to use either the LDAP protocol on port 3268 or the LDAPS protocol on port 3269.
- Add alternative domain names "americas.example.com" and "emea.example.com" in the NSX LDAP configuration.
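Before entering an endpoint in NSX Manager it is worth confirming, from a host on the same network path, that the GC ports are actually open and that the LDAPS certificate chains to a CA you trust and matches the server name; a certificate that fails here will fail in NSX Manager too, and the temptation is then to disable checking. The following Python script is an added example and is not VMware or NSX code. The domain controller names are placeholders, and the port table is simply the four ports named above; the check logic is standard socket and ssl usage, not an NSX API.

```python
"""Pre-flight check of LDAP / Global Catalog endpoints before pointing NSX Manager at them.

Added example, not VMware or NSX code. Hostnames in DOMAIN_CONTROLLERS are
placeholders (an assumption); replace them with your GC servers.
"""
import socket
import ssl
from datetime import datetime, timezone

# Ports named in the text. TLS ports get a certificate check; plaintext ports
# get only a reachability check plus a warning, because a simple bind on them
# sends the bind password in the clear.
TLS_PORTS = {636: "LDAPS (domain)", 3269: "LDAPS Global Catalog"}
PLAIN_PORTS = {389: "LDAP (domain, plaintext)", 3268: "LDAP Global Catalog (plaintext)"}

# Placeholder GC servers (assumption); use hosts NSX Manager itself can reach.
DOMAIN_CONTROLLERS = ["dc1.example.com", "dc2.example.com"]


def check_endpoint(host, port, tls=None, timeout=3.0, cafile=None):
    """Return a dict: whether host:port accepts a TCP connection and, for TLS
    ports, whether the certificate chains to a trusted CA (cafile, or the
    system store) and matches host. tls=None means: decide from the port."""
    if tls is None:
        tls = port in TLS_PORTS
    service = TLS_PORTS.get(port) or PLAIN_PORTS.get(port) or "custom port"
    result = {"host": host, "port": port, "service": service,
              "reachable": False, "tls_ok": None, "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing listening, firewall drop, or DNS failure: report and stop.
        result["detail"] = f"connect failed: {exc}"
        return result
    result["reachable"] = True
    if not tls:
        raw.close()
        result["detail"] = "plaintext port: simple bind exposes the bind password; prefer 636/3269"
        return result
    # create_default_context() enables chain verification and hostname checking,
    # which is exactly what you want NSX Manager to be able to rely on.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls_sock:
            cert = tls_sock.getpeercert()
            expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                             tz=timezone.utc)
            subject = dict(item[0] for item in cert["subject"])
            result["tls_ok"] = True
            result["detail"] = (f"{tls_sock.version()}, certificate CN="
                                f"{subject.get('commonName')} expires {expires:%Y-%m-%d}")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, wrong name, or expired: NSX Manager must not use this as-is.
        result["tls_ok"] = False
        result["detail"] = f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Port open but no TLS server behind it (e.g. the plaintext port), or timeout.
        result["tls_ok"] = False
        result["detail"] = f"TLS handshake failed: {exc}"
    return result


def preflight(hosts, ports=(3268, 3269), cafile=None, timeout=3.0):
    """Check each host on each GC port and return one result per pair."""
    return [check_endpoint(h, p, cafile=cafile, timeout=timeout) for h in hosts for p in ports]


def usable_endpoints(results):
    """Endpoints whose TLS certificate verified, as host:port strings for the NSX form."""
    return [f"{r['host']}:{r['port']}" for r in results if r["tls_ok"]]


if __name__ == "__main__":
    results = preflight(DOMAIN_CONTROLLERS)
    for r in results:
        status = "OK" if r["tls_ok"] else ("reachable" if r["reachable"] else "DOWN")
        print(f"{r['host']}:{r['port']} {r['service']:<32} {status:<9} {r['detail']}")
    print("LDAPS endpoints to enter in NSX Manager:", usable_endpoints(results) or "none")
```

Run it from a jump host that reaches the domain controllers through the same Management Gateway path NSX Manager uses, passing `cafile=` with your enterprise root CA if the DC certificates are issued by an internal PKI; only endpoints reported as OK are worth entering in the NSX LDAPS configuration.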
Prerequisites
Your SDDC NSX Manager must be configured to authenticate users against a directory service (Active Directory over LDAP, or OpenLDAP), and a Management Gateway firewall rule must allow NSX Manager to reach the identity source on the port you configure (389, 636, 3268, or 3269). See LDAP Identity Source in the NSX Administration Guide.
Procedure
Results
LDAP group members with NSX roles can use this workflow to log into the NSX Manager private URL using their LDAP credentials.
On the SDDC Settings tab, navigate to NSX Information and expand NSX Manager URLs. Click the link shown under Private URL (Log in through NSX Manager credentials) and provide your LDAP credentials.