NetWorker: How To configure LDAPS Authentication

Summary: Overview of configuring AD or Secure Lightweight Directory Access Protocol (LDAPS) with NetWorker using the NMC's external authority wizard. This KB can also be used for instructions on updating an existing external authority configuration. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

This article can be broken down into the following sections. Carefully review each section before proceeding:

Prerequisites:

  • Determine which host is the authc server. This is helpful in larger NetWorker datazones. In smaller datazones with a single NetWorker server, the NetWorker server is the authentication server. 
  • Determine which Java Runtime Environment is used for the authentication service.
  • Set command-line variables to help facilitate importing the CA certificates used for SSL with NetWorker external authentication.

Setting up SSL:

  • Import the certificates used for LDAPS authentication into the authentication services runtime environment cacerts keystore.

Configuring the External Authority Resource:

  • Create the external authority resource in the authentication service.
  • Determine external users or groups to be used for NetWorker.
  • Define which external users or groups have access to the NetWorker Management Console (NMC).
  • Define the NetWorker server permissions external users and groups have.
  • (Optional) Configure FULL_CONTROL security permissions for an external user or group.

Prerequisites:

To use LDAPS, you must import the CA certificate (or certificate chain) from the LDAPS server into the NetWorker authentication server's Java cacerts keystore.

  1. Determine which host is the NetWorker Authentication server. This can be validated in the NetWorker Management Console (NMC) server's gstd.conf file:
Linux: /opt/lgtonmc/etc/gstd.conf
Windows: C:\Program Files\EMC NetWorker\Management\GST\etc\gstd.conf
 
NOTE: The gstd.conf file contains a string authsvc_hostname which defines the authentication server used to process login requests for the NetWorker Management Console (NMC).
  1. On the NetWorker authentication server, identify the Java instance used.
Windows:
A. Search About in the Windows search bar.
B. From About, click Advanced System Settings.
C. From System Properties, click Environment Variables.
D. The NSR_JAVA_HOME variable defines the path of the Java Runtime Environment used by NetWorker authc:

NSR_JAVA_HOME

    1. E. From an Administrative command prompt, set command-line variables specifying the java install path determined in the above step:
set JAVA="Path\to\java"
Example:
 Example setting JAVA variable Windows  
Facilitates java keytool commands in Setting up SSL and ensures the correct cacerts file imports the CA certificate. This variable is removed once the command-line session is closed and does not interfere with any other NetWorker operations.

Linux:

    A. Check the /nsr/authc/conf/installrc file to see which Java location was used when configuring the authentication service:

    sudo cat /nsr/authc/conf/installrc
    Example: 
    [root@nsr ~]# cat /nsr/authc/conf/installrc
JAVA_HOME=/opt/nre/java/latest
    NOTE: This variable only applies to NetWorker processes. It is possible that echo $JAVA_HOME will return a different path; for example, if Oracle Java Runtime Environment (JRE) is also installed. In the next step, it is important to use the $JAVA_HOME path as defined in NetWorker's /nsr/authc/conf/installrc file.

    B. ​​​​Set command-line variables specifying the java install path determined in the above step.

    JAVA=/path/to/java
    Example:
    setting java variable Linux 
    Facilitates java keytool commands in Setting up SSL and ensures the correct cacerts file imports the CA certificate. This variable is removed once the command-line session is closed and does not interfere with any other NetWorker operations.

    Setting up SSL

    To use LDAPS, you must import the CA certificate (or certificate chain) from the LDAPS server into the JAVA trust keystore. This can be done with the following procedure:

    NOTE: The below process uses command-line variables set following the Prerequisites section. If the command-line variables are not set, specify the full java path instead.
    1. Open an administrative/root command prompt.
    2. Display a list of current trusted certificates in the trust store.
    Windows: 
    %JAVA%\bin\keytool -list -keystore %JAVA%\lib\security\cacerts -storepass changeit
    Linux: 
    $JAVA/bin/keytool -list -keystore $JAVA/lib/security/cacerts -storepass changeit
    3. Review the list for an alias that matches your LDAPS server (this may not exist). You can use operating system grep or findstr commands with the above command to narrow the search. If there is an outdated or existing CA certificate from your LDAPS server, delete it with the following command:

    Windows:

    %JAVA%\bin\keytool -delete -alias ALIAS_NAME -keystore %JAVA%\lib\security\cacerts -storepass changeit
    Linux: 
    $JAVA/bin/keytool -delete -alias ALIAS_NAME -keystore $JAVA/lib/security/cacerts -storepass changeit
    NOTE: Replace ALIAS_NAME with the alias name of the old or expired certificates from step 2.
      4. Use the OpenSSL tool to obtain a copy of the CA certificate from the LDAPS server. 
      openssl s_client -showcerts -connect LDAPS_SERVER:636
      • By default, Windows hosts do not include the openssl program. If it is not possible to install OpenSSL on the NetWorker server, the certificates can be exported directly from the LDAPS server; however, it is highly recommended to use the OpenSSL utility. 
      • Linux typically comes with openssl installed. If Linux server's exist in the environment, you can use openssl there to collect the certificate files. These can be copied to and used on the Windows authc server.
      • If you do not have OpenSSL, and it cannot be installed have your AD admin provide one or more certificates by exporting them as Base-64 encoded x.509 format.
      • Replace LDAPS_SERVER with the hostname or IP address of your LDAPS server.
      5. The above command outputs the CA certificate or a chain of certificates in Privacy Enhanced Mail (PEM) format, e.g: 
      -----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgITbgAAAAiwkngyAQWDwwACAAAACDANBgkqhkiG9w0BAQsF
ADBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbWNs
...
7NZfi9DiEBhpFmbF8xP96qB/kTJC+29t/0VE8Fvlg87fRhs5BceIoX8nUnetNCdm
m4mGyefXz4TBTwD06opJf4NQIDo=
-----END CERTIFICATE-----
      NOTE: If there is a chain of certificates, the last certificate is the CA certificate. You must import each certificate in the chain in order (top down) ending with the CA certificate.
       
      6. Copy the certificate starting from ---BEGIN CERTIFICATE--- and ending with ---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates, you must do this with each certificate.
      7. Import the certificate or certificates files created into the JAVA trust keystore:
      Windows: 
      %JAVA%\bin\keytool -import -alias ALIAS_NAME -keystore %JAVA%\lib\security\cacerts -storepass changeit -file \PATH_TO\CERT_FILE

      Linux:

      $JAVA/bin/keytool -import -alias ALIAS_NAME -keystore $JAVA/lib/security/cacerts -storepass changeit -file /PATH_TO/CERT_FILE
      • Replace ALIAS_NAME with an alias for the imported certificate (For example, RCA (root CA)). When importing multiple certificates for a certificate chain, each certificate must have a different ALIAS name and be imported separately. The certificate chain must also be imported in order from step 5 (top down).
      • Replace PATH_TO\CERT_FILE with the location of the cert file that you created in step 6.
      8. You are prompted to import the certificate, type yes and press enter. 
      C:\Users\administrator>%JAVA%\bin\keytool -import -alias RCA -keystore %JAVA%\lib\security\cacerts -storepass changeit -file C:\root-ca.cer
Owner: CN=networker-DC-CA, DC=networker, DC=lan
Issuer: CN=networker-DC-CA, DC=networker, DC=lan
Serial number: 183db0ae21d3108244254c8aad129ecd
...
...
...

Trust this certificate? [no]:  yes
Certificate was added to keystore
      9. Confirm that the certificate is shown in the keystore:
      Windows: 
      %JAVA%\bin\keytool -list -keystore %JAVA%\lib\security\cacerts -storepass changeit

      Linux:

      $JAVA/bin/keytool -list -keystore $JAVA/lib/security/cacerts -storepass changeit
      NOTE: Pipe (|) the operating system grep or findstr command to the above to narrow the result. 
      C:\Users\administrator>%JAVA%\bin\keytool -list -keystore %JAVA%\lib\security\cacerts -storepass changeit | findstr RCA
RCA, Jan 15, 2025, trustedCertEntry,
      10. Restart the NetWorker server services. 
      Windows:  
      net stop nsrd
net start nsrd
      Linux:  
      nsr_shutdown
service networker start
      NOTE: Restart NetWorker server services to ensure authc reads the cacerts file and detects imported certificates for SSL communication with the LDAP server.
       

      Configuring the External Authority Resource

      This KB focuses on using the NetWorker Management Console (NMC) for configuring LDAP over SSL. When configuring AD over SSL it is recommended to use the NetWorker Web User Interface (NWUI). This process is detailed in:

      If either of the articles are followed, you can skip to the part where the external authority resource is created, it is not necessary to repeat the certificate import procedure.

      NOTE: This KB can be followed when configuring AD over SSL; however, additional steps are required. These steps are outlined below.

      1. Log in to the NetWorker Management Console (NMC) with your NetWorker Administrator account. Select Setup-->Users and Roles-->External Authority.
      2. Create or modify your existing external authority configuration, select LDAP over SSL from the Server Type drop down. This automatically changes the port from 389 to 636:
      Example of adding AD over SSL from NMC
      NOTE: Expand the Show Advanced Options field and ensure that the correct values are set for your authentication server. See the Additional Info field of this KB for a table explaining the fields and values.

      For Active Directory over SSL:

      WARNING: Using the NMC "LDAP over SSL" setting with Microsoft Active Directory, sets an internal configuration parameter "is active directory" to "false." This prevents successful AD authentication in NetWorker. The following steps can be used to correct this.

      A. Get the config id details:

      authc_config -u Administrator -p 'NetWorker_AdminPass' -e find-all-configs
authc_config -u Administrator -p 'NetWorker_AdminPass' -e find-config -D config-id=CONFIG_ID#

      Example:

      nve:~ # authc_config -u Administrator -p '!Password1' -e find-all-configs
The query returns 1 records.
Config Id Config Name
1         AD

nve:~ # authc_config -u Administrator -p '!Password1' -e find-config -D config-id=1
Config Id                    : 1
Config Tenant Id             : 1
Config Name                  : AD
Config Domain                : networker.lan
Config Server Address        : ldaps://dc.networker.lan:636/dc=networker,dc=lan
Config User DN               : cn=nw authadmin,ou=dell,dc=networker,dc=lan
Config User Group Attribute  :
Config User ID Attribute     : sAMAccountName
Config User Object Class     : person
Config User Search Filter    :
Config User Search Path      :
Config Group Member Attribute: member
Config Group Name Attribute  : cn
Config Group Object Class    : group
Config Group Search Filter   :
Config Group Search Path     :
Config Object Class          : objectclass
Is Active Directory          : false
Config Search Subtree        : true
      B. Use the authc_config command to set is-active-directory=y: 
      authc_config -u Administrator -p 'NETWORKER_ADMIN_PASSWORD' -e update-config -D config-id=CONFIG_ID# -D config-server-address="ldaps://DOMAIN_SERVER:636/BASE_DN" -D config-user-dn="CONFIG_USER_DN" -D config-user-dn-password='CONFIG_USER_PASSWORD' -D config-active-directory=y
      NOTE: The values required for these fields can be obtained from step A.
       
      Example: 
      nve:~ # authc_config -u Administrator -p '!Password1' -e update-config -D config-id=1 -D config-server-address="ldaps://dc.networker.lan:636/dc=networker,dc=lan" -D config-user-dn="cn=nw authadmin,ou=dell,dc=networker,dc=lan" -D config-user-dn-password='PASSWORD' -D config-active-directory=y
Configuration AD is updated successfully.
nve:~ #
nve:~ # authc_config -u Administrator -p '!Password1' -e find-config -D config-id=1
Config Id                    : 1
Config Tenant Id             : 1
Config Name                  : AD
Config Domain                : networker.lan
Config Server Address        : ldaps://dc.networker.lan:636/dc=networker,dc=lan
Config User DN               : cn=nw authadmin,ou=dell,dc=networker,dc=lan
Config User Group Attribute  :
Config User ID Attribute     : sAMAccountName
Config User Object Class     : person
Config User Search Filter    :
Config User Search Path      :
Config Group Member Attribute: member
Config Group Name Attribute  : cn
Config Group Object Class    : group
Config Group Search Filter   :
Config Group Search Path     :
Config Object Class          : objectclass
Is Active Directory          : true
Config Search Subtree        : true

      The external authority resource is now correctly configured for Microsoft Active Directory.

       
      3. You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible: 
      authc_mgmt -u Administrator -p 'NetWorker_Admin_Pass' -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p 'NetWorker_Admin_Pass' -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p 'NetWorker_Admin_Pass' -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ad/ldap_username
      Example: 
      nve:~ # authc_mgmt -u Administrator -p '!Password1' -e query-ldap-users -D query-tenant=default -D query-domain=networker.lan
The query returns 40 records.
User Name            Full Dn Name
...
...
bkupadmin            CN=Backup Administrator,OU=Support_Services,OU=DELL,dc=networker,dc=lan


nve:~ # authc_mgmt -u Administrator -p '!Password1' -e query-ldap-groups -D query-tenant=default -D query-domain=networker.lan
The query returns 71 records.
Group Name                              Full Dn Name
...
...
NetWorker_Admins                        CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan

nve:~ # authc_mgmt -u Administrator -p '!Password1' -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=networker.lan -D user-name=bkupadmin
The query returns 1 records.
Group Name       Full Dn Name
NetWorker_Admins CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan
      NOTE: On some systems, the authc commands may fail with an "incorrect password" error even when the correct password is given. This is due to the password being specified as visible text with the "-p" option. If you encounter this, remove "-p password" from the commands. You will be prompted to enter the password hidden after running the command.
       

      Configuring NMC to accept external authentication:

      4. When logged into the NMC as the default NetWorker Administrator account, open Setup-->Users and Roles-->NMC Roles. Open the properties of the Console Application Administrators role and enter the Distinguished Name This hyperlink is taking you to a website outside of Dell Technologies.  (DN) of a AD/LDAP group in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, specify the AD/LDAP group DN in the Console Security Administrators role. For AD users or groups who do not need administrative rights to the NMC Console, add their full DN in the Console User external roles.

      Example of external roles set in NMC roles 
      NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, do not delete this.
       

      Configuring the NetWorker server external user permissions:

      5. Connect the NetWorker server from the NMC, open Server-->User Groups. Enter the Distinguished Name (DN) of an AD/LDAP group in the external roles field of the Application Administrators role properties. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the Security Administrators role.
      Configuring nsr user groups with external users or groups
      NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, do not delete this.
       
      Alternatively, you can use the nsraddadmin to achieve this for external users/groups who should have full NetWorker admin rights: 
      nsraddadmin -e "USER/GROUP_DN"
      Example: 
      nve:~ # nsraddadmin -e "CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan"
134749:nsraddadmin: 'CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan' added to the 'external roles' list of 'Security Administrators' user group.
134749:nsraddadmin: 'CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan' added to the 'external roles' list of 'Application Administrators' user group.
      Access the NMC:
      You should have access to the NMC and NetWorker server with the external users who have been granted permission to do so.
      logging in as an external user
      Once logged in, the user is shown in the upper-right corner of the NMC:
      NMC showing AD user

      Extra Security Permissions

      6. (OPTIONAL) If you want an AD/LDAP group to be able to manage External Authorities you must perform the following on the NetWorker server.
       
      A. Open an administrative/root command prompt.
      B. Using the AD group DN you want to grant FULL_CONTROL permission to run: 
      authc_config -u Administrator -p 'NetWorker_Admin_Pass' -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="AD/LDAP_group_dn"
      Example: 
      nve:~ # authc_config -u Administrator -p '!Password1' -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan"
Permission FULL_CONTROL is created successfully.
nve:~ #
nve:~ # authc_config -u Administrator -p '!Password1' -e find-all-permissions
The query returns 2 records.
Permission Id Permission Name Group DN Pattern                Group DN
1             FULL_CONTROL    ^cn=Administrators,cn=Groups.*$
2             FULL_CONTROL                                    CN=NetWorker_Admins,OU=DELL,dc=networ...

      Additional Information

      For additional information, see the NetWorker Security Configuration Guide available through: https://www.dell.com/support/home/product-support/product/networker/docs

      Configuration values:

      Server Type Select LDAP if the authentication server is a Linux/UNIX LDAP server, Active Directory if you are using a Microsoft Active Directory server.
      Authority Name Provide a name for this external authentication authority. This name can be whatever you want it to be, it is only to differentiate between other authorities when multiple are configured.
      Provider Server Name This field should contain the Fully Qualified Domain Name (FQDN) of your AD or LDAP server.
      Tenant Tenants can be used in environments where more than one authentication method may be used or when multiple authorities must be configured. By default, the "default" tenant is selected. The use of tenants alters your log-in method. Log in to the NMC with 'domain\user' for the default tenant, or 'tenant\domain\user' for other tenants.
      Domain Specify your full domain name (excluding a hostname). Typically this is your base DN which is consisted of your Domain Component (DC) values of your domain. 
      Port Number For LDAP and AD integration, use port 389. For LDAP over SSL, use port 636.
      These ports are non-NetWorker default ports on the AD/LDAP server.
      User DN Specify the Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory.
      Specify the relative DN of the user account, or the full DN if overriding the value set in the Domain field.
      User DN Password Specify the password of the user account specified.
      Group Object Class The object class that identifies groups in the LDAP or AD hierarchy.
      • For LDAP, use groupOfUniqueNames or groupOfNames 
        NOTE: There are other group object classes aside from groupOfUniqueNames and groupOfNames.  Use whatever object class is configured in the LDAP server.
      • For AD, use group
      Group Search Path This field can be left blank in which case authc is capable of querying the full domain. Permissions must be granted for NMC/ NetWorker server access before these users/groups can log in the NMC and manage the NetWorker server. Specify the relative path to the domain instead of full DN.
      Group Name Attribute The attribute that identifies the group name. For example, cn
      Group Member Attribute The group membership of the user within a group
      • For LDAP:
        • When the Group Object Class is groupOfNames, the attribute is commonly member.
        • When the Group Object Class is groupOfUniqueNames, the attribute is commonly uniquemember.
      •  For AD, the value is commonly member.
      User Object Class The object class that identifies the users in the LDAP or AD hierarchy.
      For example, inetOrgPerson or user
      User Search Path Like Group Search Path this field can be left blank in which case authc is capable of querying the full domain. Specify the relative path to the domain instead of full DN.
      User ID Attribute The user ID that is associated with the user object in the LDAP or AD hierarchy.
      • For LDAP, this attribute is commonly uid.
      • For AD, this attribute is commonly sAMAccountName.

      Other relevant articles:

      Affected Products

      NetWorker
      Article Properties
      Article Number: 000156132
      Article Type: How To
      Last Modified: 17 Jun 2025
      Version:  14
      Find answers to your questions from other Dell users
      Support Services
      Check if your device is covered by Support Services.