NSX-T 3.0 has added support for authentication against Active Directory (AD) or LDAP sources. In previous versions, you had to deploy the vIDM (VMware Identity Manager) appliance to allow external authentication. You can still use vIDM, but if you only need NSX-T authentication you can now do it without a single-purpose appliance.
This article explains how to enable LDAP authentication in NSX-T 3.0.
Add LDAP Identity Source in NSX-T 3.0
- Open NSX-T Manager GUI
- Navigate to System > Settings > Users and Roles
- Open the LDAP tab and click Add Identity Source
- Fill out the fields:
  - Name: A label for the identity source
  - Domain Name: Your domain name. Example: "virten.lab"
  - Type: Specify the LDAP type (AD or OpenLDAP)
  - Base DN: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is virten.lab, the DN for the entire directory is "DC=virten,DC=lab".
- Click Set (next to LDAP Servers)
- Click Add LDAP Server
- Enter the LDAP server information and press Check Status
- When the connection is successful, press ADD followed by APPLY.
- Press SAVE to finish the Identity Source configuration.
You should now have successfully added an LDAP Identity Source. To log in with LDAP users, you have to create User/Group to Role mappings.
Create User/Group to NSX-T Role Mappings
- Open the USERS tab in System > Settings > Users and Roles
- Click ADD > Role Assignment for LDAP
- I've prepared 3 AD Groups: NSX Admin, NSX Audit, and NSX Network Operator.
- Select your Domain and start typing to search AD users or groups.
- Choose a Role (Enterprise Admin is the highest role in NSX-T)
- Add additional role mappings according to your requirements. If you want to know which permissions each role has, check the Roles tab. You cannot add any new roles at the moment.
You can now log in with your LDAP user.
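The following is an added example, not code from the original article or from VMware. It validates the identity-source settings from the first procedure (name, domain name, type, base DN, LDAP server URLs) and the group-to-role mappings from the second procedure before you enter them in the GUI, so that a typo in the base DN or a cleartext ldap:// URL is caught up front. The sample identity source, the three AD groups and the list of role names are constructed for the example; which roles exist in your build is an assumption to confirm on the Roles tab.

```python
"""Pre-flight checks for an NSX-T LDAP identity source and its role mappings.

Added example; the field names mirror the GUI labels in the article, and the
sample data below is constructed, not taken from a real environment.
"""
import re
from urllib.parse import urlparse

# Roles assumed to exist in NSX-T 3.0 (assumption: verify on the Roles tab).
KNOWN_ROLES = {"Enterprise Admin", "Auditor", "Network Engineer",
               "Network Operator", "Security Engineer", "Security Operator"}


def domain_to_base_dn(domain_name):
    """Derive the directory root DN from a DNS domain: virten.lab -> DC=virten,DC=lab."""
    labels = [part for part in domain_name.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("domain name must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


def _rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def validate_identity_source(source):
    """Return a list of problems with an identity-source definition (empty list = OK)."""
    problems = []
    if not source.get("name"):
        problems.append("name is empty")
    if source.get("type") not in ("ActiveDirectory", "OpenLDAP"):
        problems.append(f"unsupported type {source.get('type')!r}")

    # The base DN may start below the root (an OU), but it must end in the
    # DC components of the configured domain, otherwise searches hit the wrong tree.
    expected = _rdns(domain_to_base_dn(source["domain_name"]))
    actual = _rdns(source.get("base_dn", ""))
    if actual[-len(expected):] != expected:
        problems.append(f"base DN {source.get('base_dn')!r} does not belong to "
                        f"domain {source['domain_name']!r}")

    servers = source.get("ldap_servers") or []
    if not servers:
        problems.append("no LDAP server configured")
    for srv in servers:
        url = urlparse(srv.get("url", ""))
        if url.scheme == "ldaps" or (url.scheme == "ldap" and srv.get("use_starttls")):
            continue
        # The bind account password and user lookups would cross the network unprotected.
        problems.append(f"{srv.get('url')!r}: use ldaps:// or StartTLS, not plain ldap://")
    return problems


def validate_role_mappings(mappings, known_roles=KNOWN_ROLES):
    """Check mappings for unknown roles and duplicate principals, and list
    who ends up with Enterprise Admin (the highest role) for review."""
    problems, seen = [], set()
    for m in mappings:
        principal = (m["domain"].lower(), m["principal"].lower())
        if principal in seen:
            problems.append(f"{m['principal']!r} is mapped more than once")
        seen.add(principal)
        if m["role"] not in known_roles:
            problems.append(f"{m['principal']!r}: unknown role {m['role']!r}")
    admins = [m["principal"] for m in mappings if m["role"] == "Enterprise Admin"]
    return {"problems": problems, "enterprise_admins": admins}


# Constructed sample input matching the article's lab (virten.lab, three AD groups).
IDENTITY_SOURCE = {
    "name": "virten.lab AD",
    "domain_name": "virten.lab",
    "type": "ActiveDirectory",
    "base_dn": "DC=virten,DC=lab",
    "ldap_servers": [{"url": "ldaps://dc01.virten.lab:636", "use_starttls": False}],
}
ROLE_MAPPINGS = [
    {"domain": "virten.lab", "principal": "NSX Admin", "role": "Enterprise Admin"},
    {"domain": "virten.lab", "principal": "NSX Audit", "role": "Auditor"},
    {"domain": "virten.lab", "principal": "NSX Network Operator", "role": "Network Operator"},
]

if __name__ == "__main__":
    print("identity source problems:", validate_identity_source(IDENTITY_SOURCE))
    print("role mapping report:", validate_role_mappings(ROLE_MAPPINGS))
```

Run it against your own values before clicking Check Status; an empty problem list for the identity source and a short, expected `enterprise_admins` list is what you want to see before saving the role assignments.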