If your administrative user accounts are maintained in an LDAP identity source (Active Directory or OpenLDAP), you can configure the SDDC NSX Manager to enable LDAP users to access NSX with roles you assign to their account or LDAP group in NSX Manager.

In most cases, all you'll need to do after setting up the LDAP service is point NSX Manager to any domain controller on port 389 (LDAP) or 636 (LDAPS).

If you are using Active Directory (AD), and your AD forest is comprised of multiple subdomains, you should point NSX Manager at your AD Global Catalog (GC) and configure each subdomain as an alternative domain name in NSX. The Global Catalog service usually runs on your primary AD domain controllers, and is a read-only copy of the most important information from all the primary and secondary domains. The GC service runs on port 3268 (plaintext), and 3269 (LDAP over TLS, encrypted).

For example, if your primary domain is "example.com" and you have subdomains "americas.example.com" and "emea.example.com", you should:
  1. Configure NSX Manager to use either the LDAP protocol on port 3268 or the LDAPS protocol on port 3269.
  2. Add alternative domain names "americas.example.com" and "emea.example.com" in the NSX LDAP configuration.
Users in one of the subdomains must log in using the appropriate domain in their login name. For example, user "john" in the emea.example.com domain, must log in with the username "john@emea.example.com".

Prerequisites

Your SDDC NSX Manager must be configured to authenticate users using a directory service such as Active Directory over LDAP or OpenLDAP and have access to your LDAP identity source through the Management Gateway firewall. See LDAP Identity Source in the NSX Administration Guide.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click OPEN NSX MANAGER. to open the local NSX Manager at its default public IP address. You are logged in to NSX using your VMware Cloud on AWS credentials. See Open NSX Manager for more information about firewall rules that may be needed when connecting to NSX Manager from the VMware Cloud Console.
  3. Assign NSX roles from the NSX Manager LDAP identity source.
    In the NSX Manager UI, click System > User Management. In the User Role Assignment tab, click ADD ROLE FOR LDAP USER and select an LDAP domain to search.
  4. Specify NSX roles for the LDAP user or group. scopes.
    1. Enter the first few characters of a user or group name to search the LDAP directory, then select a user or group from the list that appears.
    2. On the Set Roles/Scope page, assign an NSX role to the user or group.
      You can assign either of these NSX roles:
      Cloud Admin
      This role can perform all tasks related to deployment and administration of the NSX service.
      Cloud Operator
      This role can view NSX service settings and events but cannot make any changes to the service.
      No other roles can be assigned here.
    3. Click APPLY.
    4. Click SAVE.

Results

LDAP group members with NSX roles can use this workflow to log into the NSX Manager private URL using their LDAP credentials.

On the SDDC Settings tab, navigate to NSX Information and expand NSX Manager URLs. Click the link shown under Private URL (Log in through NSX Manager credentials) and provide your LDAP credentials.