NSX Manager acts as an LDAP client, and interfaces with LDAP servers.

Three identity sources can be configured for user authentication. When a user logs into NSX Manager, the user is authenticated against the appropriate LDAP server of the user's domain. The LDAP server responds back with the authentication results, and the user group information. Once successfully authenticated, the user is assigned the roles corresponding to the groups that they belong to.

NSX Manager does not support multiple LDAP servers behind a load balancer, and LDAPS or StartTLS. If LDAP servers are behind a load balancer, configure NSX to connect directly to one of the LDAP servers, and not the load balancer virtual IP address.

Note: Nested Active Directory groups with the parent group mapped as an NSX role is not supported.


  1. Navigate to System > Users and Roles > LDAP.
  2. Click Add Identity Source.
  3. Enter a name for the identity source.
  4. Enter the domain name This must correspond to the domain name of your Active Directory server, if using Active Directory.
  5. Select the type: either Active Directory over LDAP or Open LDAP.
  6. Click set to configure LDAP servers. One LDAP server is supported for each domain.

    The hostname or IP address of your LDAP server.

    LDAP Protocol Select the protocol: LDAP (unsecured) or LDAPS (secured).
    Port The default port is populated based on the selected protocol. If your LDAP server is running on a non-standard port, you can edit this text box to give the port number.
    Connection Status After filling in the mandatory text boxes, including the LDAP server information, you can click this to test the connection.
    Use StartTLS

    If selected, the LDAPv3 StartTLS extension is used to upgrade the connection to use encryption. To determine if you should use this option, consult your LDAP server administrator.

    This option can only be used if LDAP protocol is selected.

    If you are using LDAPS or LDAP + StartTLS, this text box should contain the PEM-encoded X.509 certificate of the server. If you leave this text box blank and click the Check Status link, NSX connects to the LDAP server. NSX then retrieves the LDAP server's certificate, and asks if you want to trust that certificate. If you have verified that the certificate is correct, click OK, and the certificate text box will be populated with the retrieved certificate.

    Bind Identity The format is user@domainName, or you can specify the distinguished name.

    For Active Directory, you can use either the userPrincipalName (user@domainName) or the distinguished name. For OpenLDAP, you must supply a distinguished name.

    This text box is required unless your LDAP server supports anonymous bind, then it is optional. Consult your LDAP server administrator if you are not sure.

    Password Enter a password for the LDAP server.

    This text box is required unless your LDAP server supports anonymous bind, then it is optional. Consult your LDAP server administrator.

  7. Click Add.
  8. Enter the Base Domain.
    A base distinguished name (Base DN) is needed to add an Active Directory domain. A Base DN is the starting point that an LDAP server uses when searching for users authentication within an Active Directory domain. For example, if your domain name is corp.local the DN for the Base DN for Active Directory would be "DC=corp,DC=local".

    All of the user and group entries you intend to use to control access to NSX-T Data Center must be contained within the LDAP directory tree rooted at the specified Base DN. If the Base DN is set to something too specific, such as an Organizational Unit deeper in your LDAP tree, NSX may not be able to find the entries it needs to locate users and determine group membership. Selecting a broad Base DN is a best practice if you are unsure.

  9. Your NSX-T Data Center end users can now log in using their login name followed by @ and the domain name of your LDAP server, user_name@domain_name.

What to do next

Assign roles to users and groups. See Add a Role Assignment or Principal Identity.