Data Domain: LDAP Guide
Summary: Lightweight Directory Access Protocol (LDAP) Authentication: Data Domain and PowerProtect systems can use LDAP authentication for users logging in through the CLI or UI. The supported LDAP servers are OpenLDAP, Oracle, and Microsoft Active Directory. However, when Active Directory is configured in this mode, the Common Internet File System (CIFS) data access for Active Directory users and groups is disabled. ...
Instructions
The information and steps in this guide work with DD OS 7.9 and later
Viewing LDAP authentication information
The LDAP Authentication panel displays the LDAP configuration parameters and whether LDAP authentication is enabled or disabled.
Enabling LDAP lets you use an existing OpenLDAP server or deployment for system-level user authentication, NFSv4 ID mapping, and NFSv3 or NFSv4 Kerberos with LDAP.
Steps
- Select Administration > Access > Authentication. The Authentication view appears.
- Expand the LDAP Authentication panel.
Enabling and disabling LDAP authentication
Use the LDAP authentication panel to enable, disable, or reset LDAP authentication.
Steps
- Select Administration > Access > Authentication. The Authentication view appears.
- Expand the LDAP authentication panel.
- Click Enable next to LDAP Status to enable or Disable to disable LDAP Authentication.
The Enable or Disable LDAP authentication dialog box appears.
- Click OK.
Resetting LDAP authentication.
The Reset button disables LDAP authentication and clears the LDAP configuration information.
Configuring LDAP authentication
Use the LDAP authentication panel to configure LDAP authentication.
Steps
- Select Administration > Access > Authentication. The Authentication view appears.
- Expand the LDAP Authentication panel.
- Click Configure. The Configure LDAP Authentication dialog box appears.
- Specify the base suffix in the Base Suffix field.
- Specify the account name to associate with the LDAP server in the Bind DN field.
- Specify the password for the Bind DN account in the Bind Password field.
- Optionally select Enable SSL.
- Optionally select Demand server certificate to require the protection system to import a CA certificate from the LDAP server.
- Click OK.
- If necessary later, click Reset to return the LDAP configuration to its default values.
Specifying LDAP authentication servers
About this task
Use the LDAP authentication panel to specify LDAP authentication servers.
Prerequisites
LDAP authentication must be disabled before configuring an LDAP server.
Steps
- Select Administration > Access > Authentication. The Authentication view appears.
- Expand the LDAP authentication panel.
- Click the + button to add a server.
- Specify the LDAP server in one of the following formats:
  - IPv4 address: nn.nn.nn.nn
  - IPv6 address: [FF::XXXX:XXXX:XXXX:XXXX]
  - Hostname: myldapserver.FQDN
- Click OK.
Configuring LDAP groups
Use the LDAP authentication panel to configure LDAP groups.
About this task
LDAP group configuration only applies when using LDAP for user authentication on the protection system.
Steps
- Select Administration > Access > Authentication. The Authentication view appears.
- Expand the LDAP authentication panel.
- Configure the LDAP groups in the LDAP Group table.
- To add an LDAP group, click the Add (+) button, enter the LDAP group name and role, and click OK.
- To modify an LDAP group, select the checkbox of the group name in the LDAP group list and click Edit (pencil). Change the LDAP group name and click OK.
- To remove an LDAP group, select the LDAP group in the list and click Delete (X).
Using the CLI to configure LDAP authentication.
Enabling LDAP allows you to configure an existing OpenLDAP server or deployment for system-level user authentication, NFSv4 ID mapping, and NFSv3 or NFSv4 Kerberos with LDAP.
This cannot be configured if LDAP authentication is already configured for Active Directory.
Configuring LDAP authentication for Active Directory
DDOS supports the use of LDAP authentication for Active Directory.
LDAP authentication with Active Directory restricts CIFS data access for Active Directory users and groups, allowing only local users to access CIFS shares on the system.
Only CLI and UI logins are allowed for Active Directory users with this configuration.
Prerequisites
Ensure that the environment meets the following requirements to configure LDAP authentication for Active Directory:
- TLS/SSL is enabled for LDAP communication.
- Active Directory users accessing the protection system must have valid UID and GID numbers.
- Active Directory groups accessing the protection system must have a valid GID number.
- Specify the username in the format <username>, without specifying a domain name.
- Specify the groupname in the format <groupname>, without specifying a domain name.
- User and group names are not case-sensitive.
The following limitations apply to LDAP for Active Directory:
- Microsoft Active Directory is the only supported Active Directory provider.
- Active Directory Lightweight Directory Services (LDS) is not supported.
- The Active Directory native schema for uidNumber and gidNumber population is the only supported schema. There is no support for third-party tools integrated with Active Directory.
About this task
LDAP authentication for Active Directory cannot be used with Active Directory or Kerberos authentication for CIFS.
The CLI is the only way to configure this option.
Steps
Run the "authentication ldap base set <base-name> type active-directory" command to enable LDAP authentication for Active Directory.
NOTE: The command fails if the CIFS authentication is already configured as Active Directory.
# authentication ldap base set "dc=anvil,dc=team" type active-directory
Configure LDAP servers.
You can configure one or more LDAP servers simultaneously. Configure servers from the site nearest to the protection system for minimum latency.
About this task
NOTE: LDAP must be disabled when changing the configuration.
Specify the LDAP server in one of the following formats:
- IPv4 address: 10.<A>.<B>.<C>
- IPv4 address with port number: 10.<A>.<B>.<C>:400
- IPv6 address: [::ffff:9.53.96.21]
- IPv6 address with port number: [::ffff:9.53.96.21]:400
- Hostname: myldapserver
- Hostname with port number: myldapserver:400
When configuring multiple servers:
- Separate each server with a space.
- The first server listed when using the "authentication ldap servers add" command becomes the primary server.
- If any of the servers cannot be configured, the command fails for all servers listed.
Steps
- Add one or more LDAP servers by using the "authentication ldap servers add" command:
# authentication ldap servers add 10.A.B.C 10.X.Y.Z:400
LDAP server(s) added
LDAP Server(s): 2
#    IP Address/Hostname
---  ---------------------
1.   10.A.B.C (primary)
2.   10.X.Y.Z:400
---  ---------------------
- Remove one or more LDAP servers by using the "authentication ldap servers del" command:
# authentication ldap servers del 10.X.Y.Z:400
LDAP server(s) deleted.
LDAP Servers: 1
#  Server
-  ------------  ---------
1  10.A.B.C      (primary)
-  ------------  ---------
- Remove all LDAP servers by using the "authentication ldap servers reset" command:
# authentication ldap servers reset
LDAP server list reset to empty.
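As an added example that is not part of this guide or the DD OS CLI, the following Python checks a server list against the address forms listed above before it is handed to "authentication ldap servers add", applying the same all-or-nothing rule and marking the first entry as primary. The function names are assumptions of the example.

```python
import ipaddress
import re

# Hostname label check (RFC 1123 style); a hypothetical helper, not part of DD OS
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def _port(text):
    """A port is optional; when present it must be 1-65535."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port: {text!r}")
    return int(text)

def parse_ldap_server(spec):
    """Return (kind, host, port) for the server forms the guide accepts; port is None if omitted."""
    spec = spec.strip()
    if spec.startswith("["):                                  # [IPv6] or [IPv6]:port
        end = spec.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 bracket: {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        ipaddress.IPv6Address(host)                           # raises ValueError if not IPv6
        if rest == "":
            return "ipv6", host, None
        if rest.startswith(":"):
            return "ipv6", host, _port(rest[1:])
        raise ValueError(f"junk after IPv6 address: {spec!r}")
    if spec.count(":") > 1:                                   # bare IPv6 is ambiguous with host:port
        raise ValueError(f"IPv6 address must be in square brackets: {spec!r}")
    host, sep, port_text = spec.partition(":")
    port = _port(port_text) if sep else None                  # "host:" with no port is an error
    if re.fullmatch(r"[0-9.]+", host):                        # looks numeric: must be a full IPv4
        ipaddress.IPv4Address(host)                           # raises ValueError on 10.1.2 etc.
        return "ipv4", host, port
    if HOSTNAME_RE.match(host):
        return "hostname", host, port
    raise ValueError(f"not an IPv4, [IPv6] or hostname: {spec!r}")

def validate_server_list(specs):
    """Mirror the CLI rule: the first server is primary, and one bad entry fails the whole list."""
    parsed, errors = [], []
    for spec in specs:
        try:
            kind, host, port = parse_ldap_server(spec)
            parsed.append({"kind": kind, "host": host, "port": port, "primary": not parsed})
        except ValueError as exc:
            errors.append(str(exc))
    if errors:
        raise ValueError("; ".join(errors))
    return parsed
```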
Configure the LDAP base suffix.
The base suffix is the base DN for search and is where the LDAP directory begins searching.
About this task
Set the base suffix for OpenLDAP or Active Directory.
NOTE: The base suffix cannot be set for both OpenLDAP and Active Directory.
User login is allowed from the primary Active Directory domain only. Users and groups from trusted Active Directory domains are not supported.
Set the base suffix for OpenLDAP.
Steps
Set the LDAP base suffix by using the "authentication ldap base set" command:
# authentication ldap base set "dc=anvil,dc=team"
LDAP base-suffix set to "dc=anvil,dc=team".
Set the base suffix for Active Directory.
Steps
- Set the LDAP base suffix by using the "authentication ldap base set" command:
# authentication ldap base set "dc=anvil,dc=team" type active-directory
LDAP base-suffix set to "dc=anvil,dc=team".
NOTE: In this example, all users in the dd-admins LDAP group have administrative privileges on the protection system.
# authentication ldap groups add dd-admins role admin
LDAP Group   Role
----------   -----
dd-admins    admin
----------   -----
Reset the LDAP base suffix
Steps
Reset the LDAP base suffix by using the "authentication ldap base reset" command:
# authentication ldap base reset
LDAP base-suffix reset to empty.
Configure LDAP client authentication.
Configure the account (Bind DN) and password (Bind PW) that is used to authenticate with the LDAP server and make queries.
About this task
You should always configure the Bind DN and password. In practice, LDAP servers require authenticated binds by default. If client-auth is not set, anonymous access is requested, providing no name or password.
The output of "authentication ldap show" command is as follows:
# authentication ldap show
LDAP configuration
  Enabled:     yes (*)
  Base-suffix: dc=u2,dc=team
  Binddn:      (anonymous)
  Server(s):   1
  #  Server
  -  -------------  ---------
  1  10.207.86.160  (primary)
  -  -------------  ---------
Secure LDAP configuration
  SSL Enabled: no
  SSL Method:  off
  tls_reqcert: demand
(*) Requires a file system restart for the configuration to take effect.
If binddn is set using client-auth CLI, but bindpw is not provided, unauthenticated access is requested.
# authentication ldap client-auth set binddn "cn=Manager,dc=u2,dc=team"
Enter bindpw:
** Bindpw is not provided. Unauthenticated access would be requested.
LDAP client authentication binddn set to "cn=Manager,dc=u2,dc=team".
Steps
- Set the Bind DN and password by using the "authentication ldap client-auth set binddn" command:
# authentication ldap client-auth set binddn "cn=Administrator,cn=Users,dc=anvil,dc=team"
Enter bindpw:
LDAP client authentication binddn is set to:
"cn=Administrator,cn=Users,dc=anvil,dc=team"
- Reset the Bind DN and password by using the "authentication ldap client-auth reset" command:
# authentication ldap client-auth reset
LDAP client authentication configuration reset to empty.
Enable LDAP.
Prerequisites
An LDAP configuration must exist before enabling LDAP.
Also, you must disable NIS, ensure that the LDAP server is reachable, and be able to query the root DSE of the LDAP server.
Steps
- Enable LDAP by using the "authentication ldap enable" command:
# authentication ldap enable
The details of the LDAP configuration are displayed for you to confirm before continuing. To continue, type Yes and restart the file system for the LDAP configuration to take effect.
View the current LDAP configuration by using the "authentication ldap show" command:
NOTE: If the system is configured to use LDAP for Active Directory, the command output includes a Server Type field to indicate it is connected to an Active Directory server.
# authentication ldap show
LDAP configuration
  Enabled:     no
  Base-suffix: dc=anvil,dc=team
  Binddn:      cn=Administrator,cn=Users,dc=anvil,dc=team
  Server(s):   2
  #  Server
  -  ----------------  ---------
  1  10.26.16.250      (primary)
  2  10.26.16.251:400
  -  ----------------  ---------
Secure LDAP configuration
  SSL Enabled: no
  SSL Method:  off
  tls_reqcert: demand
Basic LDAP and secure LDAP configuration details are displayed.
- View the current LDAP status by using the "authentication ldap status" command:
# authentication ldap status
The LDAP status is displayed. If the LDAP status is not good, the problem is identified in the output. For example:
# authentication ldap status
Status: invalid credentials
or
# authentication ldap status
Status: invalid DN syntax
- Disable LDAP by using the "authentication ldap disable" command:
# authentication ldap disable
LDAP is disabled.
Enable secure LDAP.
You can configure DDR to use secure LDAP by enabling SSL.
For LDAP for Active Directory, configure secure LDAP with SSL/TLS options.
Prerequisites
If there is no LDAP CA certificate and tls_reqcert is set to demand, the operation fails.
Import an LDAP CA certificate and try again. If tls_reqcert is set to never, an LDAP CA certificate is not required.
Steps
- Enable SSL by using the "authentication ldap ssl enable" command:
# authentication ldap ssl enable
Secure LDAP is enabled with the "ldaps" method.
The default method is ldaps (LDAP over SSL). You can specify another method, such as start_tls:
# authentication ldap ssl enable method start_tls
Secure LDAP is enabled with the "start_tls" method.
- Disable SSL by using the "authentication ldap ssl disable" command:
# authentication ldap ssl disable
Secure LDAP is disabled.
Configure LDAP server certificate verification with imported CA certificates.
You can change the TLS request certificate behavior.
Steps
- Change the TLS request certificate behavior by using the "authentication ldap ssl set tls_reqcert" command.
Do not verify the certificate:
# authentication ldap ssl set tls_reqcert never
"tls_reqcert" set to "never".
LDAP server certificate is not verified.
Verify the certificate:
# authentication ldap ssl set tls_reqcert demand
"tls_reqcert" set to "demand".
LDAP server certificate is verified.
- Reset the TLS request certificate behavior by using the "authentication ldap ssl reset tls_reqcert" command.
The default behavior is demand:
# authentication ldap ssl reset tls_reqcert
"tls_reqcert" has been set to "demand".
LDAP server certificate is verified with an imported CA certificate. Use the "adminaccess" CLI to import the CA certificate.
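As an added example that is not part of this guide, the following Python performs the root DSE query that the Enable LDAP prerequisites call for, over LDAPS, and maps the tls_reqcert values "never" and "demand" onto certificate verification settings in the same spirit as the commands above. The function names and the root DSE attributes requested are assumptions of the example; the message encoding follows RFC 4511.

```python
import socket
import ssl

def ber_len(n):  # BER length octets: one byte below 128, else 0x80|count then the big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def root_dse_request(msg_id=1, attrs=("namingContexts", "supportedLDAPVersion")):
    """Anonymous SearchRequest (RFC 4511) for the root DSE: empty base DN, scope baseObject."""
    body = (tlv(0x04, b"") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")        # base "", baseObject, never deref
            + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")  # no size/time limit, typesOnly FALSE
            + tlv(0x87, b"objectClass")                                     # present filter (objectClass=*)
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))   # requested attributes
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, body))

def tls_context(tls_reqcert, cafile=None):
    """Map the guide's tls_reqcert values onto certificate verification settings."""
    if tls_reqcert == "never":                        # server certificate is not verified
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if tls_reqcert != "demand":
        raise ValueError(f"unsupported tls_reqcert value: {tls_reqcert!r}")
    if cafile is None:                                # demand without an imported CA fails, as in the guide
        raise ValueError("tls_reqcert demand requires an imported LDAP CA certificate")
    return ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check

def protocol_op(msg):
    """protocolOp tag of one LDAPMessage: 0x64 SearchResultEntry, 0x65 SearchResultDone."""
    i = 2 + (msg[1] & 0x7F if msg[1] & 0x80 else 0)   # skip the outer SEQUENCE tag and length
    return msg[i + 2 + msg[i + 1]]                     # skip the messageID INTEGER

def query_root_dse(host, port=636, tls_reqcert="demand", cafile=None, timeout=5):
    """Connect with LDAPS, send the root DSE search, and return the first reply's protocolOp tag."""
    with socket.create_connection((host, port), timeout=timeout) as raw, \
         tls_context(tls_reqcert, cafile).wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(root_dse_request())
        reply = tls.recv(4096)                        # the reply header is enough to classify the message
        if not reply:
            raise ConnectionError("LDAP server closed the connection")
        return protocol_op(reply)
```

A return value of 0x64 means the server answered the root DSE search, which is the reachability check the prerequisites ask for; with tls_reqcert "demand", pass the CA file that was imported with "adminaccess certificate import".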
Manage CA certificates for LDAP.
You can import or delete certificates and show current certificate information.
Steps
- Import a CA certificate for LDAP server certificate verification by using the "adminaccess certificate import" command.
Specify LDAP for CA application:
# adminaccess certificate import {host application {all | aws-federal | ddboost | https | keysecure | dsm | ciphertrust | gklm | } | ca application {all | cloud | ddboost | ldap | login-auth | keysecure | dsm | rsa-securid | ciphertrust | gklm | }} [file ]
- Delete a CA certificate for LDAP server certificate verification by using the "adminaccess certificate delete" command. Specify LDAP for application:
# adminaccess certificate delete {subject | fingerprint } [application {all | aws-federal | cloud | ddboost | ldap | login-auth | https | keysecure | dsm | ciphertrust | gklm | support | }]
- Show current CA certificate information for LDAP server certificate verification by using the "adminaccess certificate show" command:
# adminaccess certificate show imported-ca application ldap
Additional Information
Ports for Active Directory
| Port | Protocol | Port configurable | Description |
|---|---|---|---|
| 53 | TCP/UDP | Open | DNS (if AD is also the DNS) |
| 88 | TCP/UDP | Open | Kerberos |
| 139 | TCP | Open | NetBios - NetLogon |
| 389 | TCP/UDP | Open | LDAP |
| 445 | TCP/UDP | No | User authentication and other communication with AD |
| 3268 | TCP | Open | Global Catalog Queries |
| 636 | TCP | Open | LDAPS - secure LDAP over SSL/TLS |
| 3269 | TCP | Open | LDAPS (LDAP over SSL) to the Global Catalog — used for secure directory queries across domains in a forest. |
LDAP
When Federal Information Processing Standards (FIPS) is enabled, the LDAP client that runs on a system or DDVE must use TLS.
# authentication ldap ssl enable method start_tls
Otherwise, enabling FIPS compliance mode fails.
On a fresh install and upgrade, LDAP SSL ciphers are not explicitly set.
When FIPS compliance mode is enabled, the LDAP SSL ciphers are set to the following:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-SHA256
- AES256-GCM-SHA384
- AES256-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-SHA256
- AES128-GCM-SHA256
- AES128-SHA256
The configured cipher-list should be: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
When FIPS is disabled, it is set to "", an empty string.
Using an authentication server for authenticating users before granting administrative access
DD supports multiple name server protocols such as LDAP, NIS, and AD. DD recommends using OpenLDAP with FIPS enabled. DD manages only local accounts. DD recommends using the UI or CLI to configure LDAP.
Active Directory can also be configured for user logins with FIPS enabled. However, CIFS data access with AD users is no longer supported with that configuration.
LDAP for Network File System (NFS) ID mapping
Data Domain and PowerProtect systems can use LDAP for NFSv4 ID mapping, and NFSv3 or NFSv4 Kerberos with LDAP. Users can also configure secure LDAP with either the LDAPS or the start_tls method. LDAP client authentication can use a Bind DN and Bind PW, but the systems do not support certificate-based LDAP client authentication.
NOTE: Local user IDs start at 500. When setting up LDAP, the same user ID range (500–1000) cannot be used, or a user ID collision occurs. If there is a user ID collision, files that are owned by a named LDAP service user become accessible to other users because of the configuration error.
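As an added example that is not part of this guide, the following Python reads an LDIF export of Active Directory users and groups and checks the LDAP-for-Active-Directory prerequisites (a valid uidNumber and gidNumber on every user, a valid gidNumber on every group) together with the local user ID range collision described in the note above. The sample LDIF, the reserved range, and the function names are constructed for the example.

```python
LOCAL_UID_RANGE = range(500, 1001)   # local accounts start at 500; the guide keeps 500-1000 free of LDAP IDs
NEEDED = {"user": ("uidNumber", "gidNumber"), "group": ("gidNumber",)}   # numeric attributes each AD type must carry
# Constructed sample export (not from the guide): two AD users and one AD group
SAMPLE_LDIF = """\
dn: cn=alice,cn=Users,dc=anvil,dc=team
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: cn=bob,cn=Users,dc=anvil,dc=team
objectClass: user
uidNumber: 501

dn: cn=dd-admins,cn=Users,dc=anvil,dc=team
objectClass: group
"""

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, a leading space folds onto the previous value."""
    entries, attrs, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:
            attrs[last][-1] += line[1:]
        elif line == "":
            if attrs:
                entries.append(attrs)
            attrs, last = {}, None
        elif not line.startswith("#"):                 # base64 (::) values are not decoded here
            key, _, value = line.partition(":")
            last = key.strip().lower()
            attrs.setdefault(last, []).append(value.strip())
    return entries

def _number(entry, attr):
    value = entry.get(attr.lower(), [""])[0]
    return int(value) if value.isdigit() else None

def preflight(entries):
    """List the problems that would block LDAP-for-AD logins on the protection system."""
    problems = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        for attr in [a for cls in NEEDED if cls in classes for a in NEEDED[cls]]:
            if _number(e, attr) is None:
                problems.append(f"{dn}: {attr} is missing or not numeric")
        uid = _number(e, "uidNumber")
        if "user" in classes and uid is not None and uid in LOCAL_UID_RANGE:
            problems.append(f"{dn}: uidNumber {uid} collides with the local user ID range")
    return problems
```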