
OPERATIONAL DEFECT DATABASE
Unable to add an AD group whose name is a prefix of another group's name

You are currently running NSX 4.x. You are adding a role for an LDAP user, where you are calling AD groups, and it fails with the error below, seen in the manager /var/log/proton/nsxapi.log:

"Error: Invalid LDAP user/group. (Error code: 71050)"

In NSX-T 3.2 versions, these same AD groups could be integrated successfully with NSX-T. After upgrading to 4.x, the same operation fails.

The AD group name for which this operation fails is a prefix of another group name. Example: you have the AD groups "pg-nsx-r" and "pg-nsx-ro". You can add "pg-nsx-ro" successfully in NSX, but the operation for "pg-nsx-r" fails with the error above. Here "pg-nsx-r" is a prefix of "pg-nsx-ro".

This article is published to describe a known issue observed with current VMware NSX 4.x versions.

VMware NSX performs a search in the AD server to validate that the group exists. In the affected versions this search uses "starts with" logic rather than "exact match", so a lookup for "pg-nsx-r" also matches "pg-nsx-ro".

This is a known issue impacting VMware NSX 4.x. It will be fixed in a future version.

You can rename the group in AD so that its name is no longer a prefix of another group's name.
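The following Python script is an added example; it is not VMware's code and not taken from NSX. It models the group lookup described in the cause section using a small constructed in-memory directory that holds the two group names from this article plus one more constructed group ("pg-nsx-admins"): a "starts with" lookup, the behaviour of the affected 4.x versions, returns two groups when asked for "pg-nsx-r", while an exact-match lookup returns one. The assumption that validation needs exactly one hit is this example's own; the article only states which matching logic is used. The prefix_collisions helper is a pre-upgrade check an administrator can run over an exported list of AD group names to find every group the workaround would require renaming.

```python
"""Added example (not VMware's code): model of the AD group validation lookup
described in the article, plus a pre-upgrade check for prefix collisions.
The group names pg-nsx-r and pg-nsx-ro are from the article; the DNs, the
third group and the in-memory directory are constructed for this example."""

# Constructed sample directory. Real lookups would go over LDAP to the AD server;
# here the directory is a list of dicts so the example runs offline.
SAMPLE_GROUPS = [
    {"cn": "pg-nsx-r", "dn": "CN=pg-nsx-r,OU=Groups,DC=example,DC=local"},
    {"cn": "pg-nsx-ro", "dn": "CN=pg-nsx-ro,OU=Groups,DC=example,DC=local"},
    {"cn": "pg-nsx-admins", "dn": "CN=pg-nsx-admins,OU=Groups,DC=example,DC=local"},
]


def search_starts_with(directory, name):
    """Prefix match, the equivalent of an LDAP substring filter (cn=<name>*).
    AD common names are case-insensitive, so compare in lower case."""
    needle = name.lower()
    return [g for g in directory if g["cn"].lower().startswith(needle)]


def search_exact(directory, name):
    """Exact match, the equivalent of an LDAP equality filter (cn=<name>)."""
    needle = name.lower()
    return [g for g in directory if g["cn"].lower() == needle]


def validate_group(directory, name, search):
    """Return (ok, detail). This example assumes (the article does not say) that
    validation requires exactly one hit: zero hits means the group is missing,
    more than one means the lookup is ambiguous and the group is rejected."""
    hits = search(directory, name)
    if len(hits) == 1:
        return True, hits[0]["dn"]
    if not hits:
        return False, "no such group"
    matched = ", ".join(g["cn"] for g in hits)
    return False, "ambiguous: %d groups matched (%s)" % (len(hits), matched)


def prefix_collisions(names):
    """Pre-upgrade check: every pair (short, long) where the short group name is
    a proper prefix of the long one. Input is any iterable of group CNs, e.g. an
    export of the AD groups you intend to map to NSX roles."""
    lowered = sorted(set(n.lower() for n in names))
    pairs = []
    for i, short in enumerate(lowered):
        for longer in lowered[i + 1:]:
            if longer != short and longer.startswith(short):
                pairs.append((short, longer))
    return pairs


if __name__ == "__main__":
    for group in ("pg-nsx-ro", "pg-nsx-r"):
        print("starts-with:", group, validate_group(SAMPLE_GROUPS, group, search_starts_with))
        print("exact:      ", group, validate_group(SAMPLE_GROUPS, group, search_exact))
    print("groups to rename before upgrade:",
          prefix_collisions(g["cn"] for g in SAMPLE_GROUPS))
```

Running the script reproduces the article's symptom: "pg-nsx-ro" validates under both lookups, "pg-nsx-r" validates only under the exact lookup, and the collision check reports the ("pg-nsx-r", "pg-nsx-ro") pair, which is exactly the group the workaround says to rename.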