NSX Manager acts as an LDAP client and interfaces with LDAP servers.
Three identity sources can be configured for user authentication. When a user logs in to NSX Manager, the user is authenticated against the LDAP server for the user's domain. The LDAP server returns the authentication result together with the user's group membership. Once authenticated, the user is assigned the roles that are mapped to those groups.
When integrating with Active Directory, NSX Manager allows users to log in with either their samAccountName or their userPrincipalName. If the @domain portion of the userPrincipalName does not match the domain of the Active Directory instance, you must also configure that domain as an alternative domain in the LDAP configuration for NSX.
In the following example, the domain of the Active Directory instance is "example.com" and a user with a samAccountName "jsmith" has a userPrincipalName of [email protected]. If you configure an alternative domain of "acquiredcompany.com", then this user can log in as "[email protected]" using the samAccountName, or as [email protected] using the userPrincipalName. If the userPrincipalName has no @domain portion, the user won't be able to log in.
Logging in as [email protected] will not work because the samAccountName can only be used with the primary domain.
NSX authenticates to Active Directory or OpenLDAP using LDAP simple authentication only; NTLM and Kerberos authentication are not supported. A simple bind carries the bind DN and password in the clear inside the LDAP BindRequest, so the connection between NSX Manager and the directory must be protected with LDAPS or StartTLS; otherwise anyone able to observe that traffic can read user passwords.
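The following is an added example, not NSX code, that models the login flow described above offline: choosing the identity source from the @domain of the login, deciding whether the samAccountName or only the userPrincipalName may be used for that domain, escaping the login before it goes into an LDAP search filter, mapping the directory's memberOf values to roles, and BER-encoding the RFC 4511 simple BindRequest to show that the password sits verbatim in the bytes. The identity-source table, the group DNs, the role map and the example logins are constructed for illustration and are not NSX defaults.

```python
"""Offline model of the NSX Manager LDAP login flow described above.

Added example, not NSX code. The identity-source table, the group-to-role
map and the directory response are constructed; the rules are the text's.
"""
from dataclasses import dataclass, field

@dataclass
class IdentitySource:
    domain: str                  # primary domain of the AD/OpenLDAP instance
    url: str                     # ldaps:// or ldap://
    base_dn: str
    alternative_domains: list = field(default_factory=list)

# Constructed configuration mirroring the example in the text.
SOURCES = [IdentitySource("example.com", "ldaps://dc1.example.com:636",
                          "DC=example,DC=com", ["acquiredcompany.com"])]

# Constructed group DN -> NSX role map (hypothetical group names).
ROLE_MAP = {"CN=nsx-admins,OU=Groups,DC=example,DC=com": "Enterprise Admin",
            "CN=nsx-auditors,OU=Groups,DC=example,DC=com": "Auditor"}

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a typed login name cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def resolve_login(login: str, sources=SOURCES):
    """Pick the identity source for a login and build the user lookup filter.

    The @domain part selects the source. The primary domain accepts the
    sAMAccountName or the userPrincipalName; an alternative domain accepts
    only the userPrincipalName. Raises ValueError when login is impossible.
    """
    if "@" not in login:
        raise ValueError("login must have the form user@domain")
    name, domain = login.rsplit("@", 1)
    domain = domain.lower()
    for src in sources:
        if domain == src.domain.lower():
            return src, "(|(sAMAccountName=%s)(userPrincipalName=%s))" % (
                ldap_filter_escape(name), ldap_filter_escape(login))
        if domain in [d.lower() for d in src.alternative_domains]:
            return src, "(userPrincipalName=%s)" % ldap_filter_escape(login)
    raise ValueError("no identity source configured for %s" % domain)

def can_log_in(login: str, sources=SOURCES) -> bool:
    """True when some configured identity source can be asked about login."""
    try:
        resolve_login(login, sources)
        return True
    except ValueError:
        return False

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:  # non-negative INTEGER, leading 0x00 if needed
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """BER-encode an RFC 4511 simple BindRequest, the only bind NSX uses.

    The authentication choice is [0] OCTET STRING (tag 0x80) and carries the
    password verbatim, which is why the session must be LDAPS or StartTLS.
    """
    bind = tlv(0x60,                             # [APPLICATION 0] BindRequest
               ber_int(3)                        # version 3
               + tlv(0x04, bind_dn.encode())     # name (LDAPDN)
               + tlv(0x80, password.encode()))   # simple password
    return tlv(0x30, ber_int(message_id) + bind) # LDAPMessage SEQUENCE

def transport_is_protected(url: str, starttls: bool = False) -> bool:
    """Simple bind is only acceptable over LDAPS or after StartTLS."""
    return url.lower().startswith("ldaps://") or starttls

def roles_for(member_of, role_map=ROLE_MAP):
    """NSX roles granted from the memberOf values the directory returned;
    groups without a mapping grant nothing."""
    return sorted({role_map[g] for g in member_of if g in role_map})

if __name__ == "__main__":
    src, flt = resolve_login("jsmith@example.com")
    print(src.url, flt)
    msg = simple_bind_request(1, "CN=jsmith,DC=example,DC=com", "hunter2")
    print(msg.hex(), b"hunter2" in msg)   # password readable in the raw bytes
    print(roles_for(["CN=nsx-admins,OU=Groups,DC=example,DC=com"]))
```

Run the module directly to see the filter chosen for a primary-domain login and the hex of a bind request with the password visible in it. The filter escaping is the piece most often missed when a product builds its own LDAP lookups from a user-supplied login; the transport check is the configuration point to verify before enabling an identity source.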
Procedure
What to do next
Assign roles to users and groups. See Add a Role Assignment or Principal Identity.