
NetWorker: How To Set up AD/LDAP Authentication

Summary: This KB provides an overview of how to add an external authority to NetWorker using the NetWorker Management Console's (NMC) external authority wizard. Active Directory (AD) or Linux LDAP authentication can be used alongside the default NetWorker Administrator account or other local NMC accounts. ...


Article Content


Instructions

NOTE: For AD over SSL integrations the NetWorker Web User Interface should be used to configure the external authority. See NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI).

Log in to the NetWorker Management Console (NMC) with the default NetWorker Administrator account. Under the Setup tab-->Users and Roles there is a new option for External Authority.

 

[Figure: NetWorker Management Console Setup window for External Authority Repository]
You can still use the authc_config and authc_mgmt commands for querying configurations and AD/LDAP users and groups; however, it is recommended to use the NMC to add AD/LDAP to NetWorker.
 
1) To add a new authority, right-click in the External Authority window and select New.
2) In the External Authentication Authority box, populate the required fields with your AD/LDAP information.
3) Check the "Show Advanced Options" box to see all the fields:
Server Type: Select LDAP if the authentication server is a Linux/UNIX LDAP server, or Active Directory if you are using a Microsoft Active Directory server.
Authority Name: Provide a name for this external authentication authority. The name can be anything you choose; it only serves to distinguish this authority from others when multiple are configured.
Provider Server Name: The Fully Qualified Domain Name (FQDN) of your AD or LDAP server.
Tenant: Tenants can be used in environments where more than one authentication method may be used and/or when multiple authorities must be configured. By default, the "default" tenant is selected. The use of tenants alters your log-in method. When the default tenant is used, you can log in to the NMC using "domain\user"; if a tenant other than the default tenant is used, you must specify "tenant\domain\user" when logging in to the NMC.
Domain: Specify your full domain name (excluding a hostname). Typically this is your base DN, which consists of the Domain Component (DC) values of your domain.
Port Number: For LDAP and AD integration use port 389. For LDAP over SSL use port 636. These ports are non-NetWorker default ports on the AD/LDAP server.
User DN: Specify the Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory. Specify the relative DN of the user account, or the full DN if overriding the value set in the Domain field.
User DN Password: Specify the password of the user account specified.
Group Object Class: The object class that identifies groups in the LDAP or AD hierarchy.
  • For LDAP, use groupOfUniqueNames or groupOfNames.
    • Note: There are other group object classes aside from groupOfUniqueNames and groupOfNames. Use whatever object class is configured in the LDAP server.
  • For AD, use group.
Group Search Path: This field can be left blank, in which case authc is capable of querying the full domain. Permissions must be granted for NMC/NetWorker server access before these users/groups can log in to the NMC and manage the NetWorker server. Specify the relative path to the domain instead of the full DN.
Group Name Attribute: The attribute that identifies the group name. For example, cn.
Group Member Attribute: The group membership of the user within a group.
  • For LDAP:
    • When the Group Object Class is groupOfNames, the attribute is commonly member.
    • When the Group Object Class is groupOfUniqueNames, the attribute is commonly uniquemember.
  • For AD, the value is commonly member.
User Object Class: The object class that identifies the users in the LDAP or AD hierarchy. For example, inetOrgPerson or user.
User Search Path: Like Group Search Path, this field can be left blank, in which case authc is capable of querying the full domain. Specify the relative path to the domain instead of the full DN.
User ID Attribute: The user ID that is associated with the user object in the LDAP or AD hierarchy.
  • For LDAP, this attribute is commonly uid.
  • For AD, this attribute is commonly sAMAccountName.
For example, Active Directory integration:
[Figure: External Authority Creation Wizard]
NOTE: Consult with your AD/LDAP admin to confirm which AD/LDAP specific fields are needed for your environment.
 
4) Once all the fields are populated, click OK to add the new authority.
5) You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible:
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ad/ldap_username
e.g:
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-users -D query-tenant=default -D query-domain=lab.emc.com
The query returns 21 records.
User Name      Full Dn Name
Administrator  cn=Administrator,cn=Users,dc=lab,dc=emc,dc=com
Guest          cn=Guest,cn=Users,dc=lab,dc=emc,dc=com
...
...

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups -D query-tenant=default -D query-domain=lab.emc.com
The query returns 55 records.
Group Name                              Full Dn Name
Administrators                          cn=Administrators,cn=Builtin,dc=lab,dc=emc,dc=com
NetWorker_Admins                        cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab.emc.com -D user-name=bkupadmin
The query returns 5 records.
Group Name              Full Dn Name
Domain Admins           cn=Domain Admins,cn=Users,dc=lab,dc=emc,dc=com
NetWorker_Admins        cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...

NOTE: On some systems, the authc commands may fail with an "incorrect password" error even when the correct password is given. This is due to the password being specified as visible text with the "-p" option. If you encounter this, remove "-p password" from the commands. After you run the command, you are prompted to enter the password, which is hidden as you type.
 
6) While logged in to the NMC as the default NetWorker Administrator account, open Setup-->Users and Roles-->NMC Roles. Open the properties of the "Console Application Administrators" role and enter the Distinguished Name (DN) of an AD/LDAP group (collected in step 5) in the external roles field. For users who require the same level of permissions as the default NetWorker Administrator account, you will also need to specify the AD/LDAP group DN in the "Console Security Administrators" role. For users/groups who do not need administrative rights to the NMC Console, add their full DN in the external roles field of the "Console User" role.
 
NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, DO NOT delete this.

7) Access permissions must also be applied for each NetWorker server configured in the NMC. This can be done in one of two ways:

Option 1)
Connect to the NetWorker server from the NMC and open Server-->User Groups. Open the properties of the "Application Administrators" role and enter the Distinguished Name (DN) of an AD/LDAP group (collected in step 5) in the external roles field. For users who require the same level of permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the "Security Administrators" role.

NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, DO NOT delete this.
 
Option 2)
For AD users/groups that you want to grant Admin rights to, the nsraddadmin command can be run from an admin or root command prompt on the NetWorker server:
nsraddadmin -e "OU=group,CN=you,CN=want,CN=to,CN=add,DC=domain,DC=local"
example: 
nsraddadmin -e "CN=NetWorker_Admins,CN=Users,DC=lab,DC=emc,DC=com"

8) Log in to the NMC using your AD/LDAP account (e.g: domain\user):
[Figure: NetWorker Management Console AD user login example]
If a tenant other than the default tenant was used you must specify it before the domain, e.g: tenant\domain\user.
The account that is used will be shown in the upper right corner. The user has the ability to perform actions based on the roles assigned in NetWorker.

9) If you want an AD/LDAP group to be able to manage External Authorities, you must perform the following on the NetWorker server.
a) Open an administrative/root command prompt.
b) Using the DN of the AD group (collected in step 5) to which you want to grant FULL_CONTROL permission, run:
authc_config -u Administrator -p NetWorker_Admin_Pass -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="AD/LDAP_group_dn"
e.g: 
authc_config -u Administrator -p Pa$$w0rd01 -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com"
Permission FULL_CONTROL is created successfully.

authc_config -u Administrator -p Pa$$w0rd01 -e find-all-permissions
The query returns 2 records.
Permission Id Permission Name Group DN Pattern                Group DN
1             FULL_CONTROL    ^cn=Administrators,cn=Groups.*$
2             FULL_CONTROL                                    cn=NetWorker_Admins,cn=Users,dc=lab,...
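
Added example, not from the original article or from NetWorker: the find-all-permissions listing from step 9 can be checked against an approved list so that unexpected FULL_CONTROL grants stand out. It assumes the output keeps the column layout shown above; sample rows 3 and 4, the approved lists, and all function names are constructed for illustration.

```python
LABELS = ("Permission Id", "Permission Name", "Group DN Pattern", "Group DN")

def _row(*cells, widths=(14, 16, 32, 0)):
    """Build one constructed sample line in the column layout shown in step 9."""
    return "".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

# Constructed sample, not captured from a real server. Rows 3 and 4 are invented.
SAMPLE = "\n".join([
    "The query returns 4 records.",
    _row(*LABELS),
    _row("1", "FULL_CONTROL", "^cn=Administrators,cn=Groups.*$", ""),
    _row("2", "FULL_CONTROL", "", "cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com"),
    _row("3", "FULL_CONTROL", "", "cn=Helpdesk,cn=Users,dc=lab,dc=emc,dc=com"),
    _row("4", "FULL_CONTROL", "", "cn=Backup_Ops,cn=Users,dc=lab,..."),
])

def parse_permissions(text):
    """Split the table on the header's column offsets; either DN column may be blank."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = next(i for i, ln in enumerate(lines) if ln.startswith(LABELS[0]))
    starts, pos = [], 0
    for label in LABELS:  # left to right, so "Group DN" skips "Group DN Pattern"
        pos = lines[head].index(label, pos)
        starts.append(pos)
        pos += len(label)
    ends = starts[1:] + [None]
    keys = ("id", "name", "pattern", "dn")
    return [dict(zip(keys, (ln[s:e].strip() for s, e in zip(starts, ends))))
            for ln in lines[head + 1:]]

def norm_dn(dn):
    """Lower-case and trim each RDN (assumes no escaped commas in the DN)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def audit(text, approved_dns, approved_patterns=()):
    """Return (id, reason, value) for each FULL_CONTROL grant that is not approved."""
    approved = {norm_dn(d) for d in approved_dns}
    findings = []
    for r in parse_permissions(text):
        if r["name"] != "FULL_CONTROL":  # only the permission granted in step 9
            continue
        if r["pattern"]:
            if r["pattern"] not in approved_patterns:
                findings.append((r["id"], "unapproved pattern", r["pattern"]))
        elif r["dn"].endswith("..."):  # shortened in the listing: cannot be matched
            findings.append((r["id"], "truncated DN, check by hand", r["dn"]))
        elif norm_dn(r["dn"]) not in approved:
            findings.append((r["id"], "unapproved group", r["dn"]))
    return findings
```

Calling audit(SAMPLE, ...) with the NetWorker_Admins DN and the built-in Administrators pattern as the approved entries leaves only rows 3 and 4 as findings; DNs are compared case-insensitively, so the upper-case form used with nsraddadmin matches the lower-case form in the listing.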

Additional Information

Article Properties


Affected Product: NetWorker
Product: NetWorker, NetWorker Management Console
Last Published Date: 10 Oct 2023
Version: 8
Article Type: How To