You can assign roles to users of LDAP or TACACS+ remote authentication. The mappings are configured within NSX Advanced Load Balancer rather than the LDAP or TACACS+ server.

To map LDAP or TACACS+ users to NSX Advanced Load Balancer roles, use the following steps. Multiple mappings can be configured if needed, for any combination of user group name and attribute:value pair.


NSX Advanced Load Balancer authentication/authorization is set to remote, and an LDAP or TACACS+ Auth profile has been applied.

Group names are case sensitive for LDAP mapping.


  1. Navigate to Administration > Settings > Authentication/Authorization.
  2. Click New Mapping to get started.
  3. Select the filter for the LDAP group.
    • Any: Users in any LDAP group match the filter.

    • Member: Users must be members of the specified groups. If entering multiple group names, use commas between the names.

    • Not a Member: Users must not be members of the specified groups.

  4. Select the filter for the LDAP attribute.
    • Any: Users match regardless of attributes or their values.

    • Contains: User must have the specified attribute, and the attribute must have one of the specified values.

    • Does Not Contain: User must not have the specified attribute and value(s).

  5. Select the role from the User Role dropdown list.
    • From Select List: Displays a Roles pull-down list. Select the role from the list.

    • All: Assigns all roles.

    • Matching Attribute Value: Assigns the role whose name matches an attribute value from the LDAP server.

    • Matching Group Name: Assigns the role whose name matches a group name on the LDAP server.

  6. If using multitenancy, users also can be mapped to tenants. See Tenant Settings.
  7. Click on Save.


The new mapping appears in theTenant and Role Mapping table.