NetWorker: AD or LDAP External Authentication Integration - Troubleshooting issues with login or missing information

Summary: This article discusses issues arising from incorrect AD or Lightweight Directory Access Protocol (LDAP) integration with NetWorker and how to resolve them.


Symptoms

  • Unable to log in to NetWorker user interfaces.
  • nsrlogin command fails or returns errors.
  • NetWorker authentication succeeds, but UIs do not present data correctly.
  • AD or LDAP queries return no results.
  • AD or LDAP returns incomplete responses.

Cause

Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) directories are enterprise implementations of centrally managed, operationally distributed authentication of network entities.

NetWorker can use AD or LDAP to authenticate users and authorize operations, replacing the older method based on a software-specific user account database.

However, incorrect or missing configuration parameters in NetWorker cause AD or LDAP queries to return incomplete results, or none at all.

Resolution

When troubleshooting AD or LDAP integration issues with NetWorker, use the authc_config and authc_mgmt commands on the NetWorker server.

Examples of these commands follow. To see all available options, run each command with no additional arguments.

How to find and update your configuration details.

Run the following commands to output your configuration details, using the username and password appropriate to the issue encountered:

authc_config -u Administrator -p 'password' -e find-all-configs
authc_config -u Administrator -p 'password' -e find-all-tenants
authc_config -u Administrator -p 'password' -e find-config -D config-id=#

NOTE: On some systems, specifying the password as plain text results in an incorrect password error. Rerunning the command without the -p password argument prompts you to enter the password. Replace the # in the third command with the config-id reported by the first command.

The tenant value and name are used in some of the following commands.

[root@nsrsvr ~]# authc_config -u Administrator -e find-all-configs
Enter password:
The query returns 1 records.
Config Id Config Name
1         lab

[root@nsrsvr ~]# authc_config -u Administrator -e find-all-tenants
Enter password:
The query returns 1 records.
Tenant Id Tenant Name
1         default

[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
Config Id                    : 1
Config Tenant Id             : 1
Config Name                  : lab
Config Domain                : lab
Config Server Address        : ldap://winldap.lab.loc:389/DC=lab,DC=loc
Config User DN               : CN=Administrator,CN=Users,DC=lab,DC=loc
Config User Group Attribute  : memberOf
Config User ID Attribute     : sAMAccountName
Config User Object Class     : user
Config User Search Filter    :
Config User Search Path      : CN=Users
Config Group Member Attribute: member
Config Group Name Attribute  : cn
Config Group Object Class    : group
Config Group Search Filter   :
Config Group Search Path     : CN=NetWorker Admins
Config Object Class          : objectClass
Is Active Directory          : true
Config Search Subtree        : true

The above example shows the configuration settings used in a working lab environment with external AD authentication. Some of the values, such as the server address, config user, and user or group search paths, are specific to each environment; the other values are default AD attributes.
 
To fix any incorrect values, update the external authority resource from the NetWorker Management Console (NMC) or NetWorker Web User Interface (NWUI).
 
Optionally, the script templates can be used:
 
Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\scripts\
Linux: /opt/nsr/authc-server/scripts/
 
Populate the scripts with your information, and change the -e add-config command argument to -e update-config.
See the article "NetWorker: How To Set up LDAP/AD using authc_config scripts".
 
NOTE: For AD, use the authc-create-ad-config script template; for LDAP, use the authc-create-ldap-config script template. Once populated, remove .template from the file name and run the script from an administrative or root command prompt.

Issue 1: Incorrect Config User ID Attribute

An incorrect value in this field results in an empty User Name column when querying for AD or LDAP users. This column displays how the username is specified for login. The account is reported as invalid if the value is not specified. To retrieve these values, run:

authc_mgmt -u Administrator -p 'PASSWORD' -e query-ldap-users -D query-tenant=TENANT_NAME -D query-domain=DOMAIN_NAME

[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
...
Config User ID Attribute     :
...

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
Enter password:
The query returns 13 records.
User Name Full Dn Name
          cn=Administrator,cn=Users,dc=lab,dc=loc
          cn=Guest,cn=Users,dc=lab,dc=loc
          cn=krbtgt,cn=Users,dc=lab,dc=loc
...

NOTE: The User Name column is blank. The unique user ID associated with the user object in the LDAP or AD hierarchy is commonly uid (LDAP) or sAMAccountName (AD). Updating this value in the configuration corrects the username that is reported in the User Name column.

[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
...
Config User ID Attribute     : sAMAccountName
...

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
Enter password:
The query returns 13 records.
User Name     Full Dn Name
Administrator cn=Administrator,cn=Users,dc=lab,dc=loc
Guest         cn=Guest,cn=Users,dc=lab,dc=loc
krbtgt        cn=krbtgt,cn=Users,dc=lab,dc=loc
jblog         cn=Joe Bloggs,cn=Users,dc=lab,dc=loc
...

Issue 2: Config User Object Class empty or incorrect.

An incorrect value in this field causes no results to return when querying AD or LDAP users. Use these commands to test for this symptom and cause:

authc_config -u Administrator -p 'PASSWORD' -e find-config -D config-id=CONFIG_ID
authc_mgmt -u Administrator -p 'PASSWORD' -e query-ldap-users -D query-tenant=TENANT_NAME -D query-domain=DOMAIN_NAME

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
Enter password:
The query returns 0 records.
User Name Full Dn Name

[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password: 
...
Config User Object Class : 

The attribute for the object class that identifies the users in the directory hierarchy is commonly inetOrgPerson (LDAP) or user (AD).

Update the configuration with these values and test to ensure that usernames and Distinguished Names (DNs) are properly reported:
[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
...
Config User Object Class     : user
...

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
Enter password:
The query returns 13 records.
User Name     Full Dn Name
Administrator cn=Administrator,cn=Users,dc=lab,dc=loc
Guest         cn=Guest,cn=Users,dc=lab,dc=loc
krbtgt        cn=krbtgt,cn=Users,dc=lab,dc=loc
jblog         cn=Joe Bloggs,cn=Users,dc=lab,dc=loc
...

An incorrect Config User Search Path is another potential cause of missing users. This is a DN that specifies the search path that the authentication service should use when searching for users in the LDAP or AD hierarchy. Specify a search path that is relative to the base DN specified in the config-server-address option. For example, for AD, specify cn=users. Confirm with your directory administrator that this field is correct.
 

Issue 3: Config Group Name Attribute is empty or incorrect.

An incorrect value in this field results in an empty Group Name column when querying for AD or LDAP groups for a user. The following command checks for the symptom and cause:

authc_mgmt -u Administrator -p 'PASSWORD' -e query-ldap-groups-for-user -D query-tenant=TENANT_NAME -D query-domain=DOMAIN_NAME -D user-name=AD_USERNAME

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=bkupadmin
Enter password:
The query returns 1 records.
Group Name Full Dn Name
           cn=NetWorker Admins,dc=lab,dc=loc

The attribute that identifies the group name (such as cn) is missing. Update the configuration with this value and ensure that group names are now listed in the Group Name column.

[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
...
Config Group Name Attribute  : cn
...

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=bkupadmin
Enter password:
The query returns 1 records.
Group Name       Full Dn Name
NetWorker Admins cn=NetWorker Admins,dc=lab,dc=loc

Issue 4: Config Group Object Class is empty or incorrect

An incorrect value in this field causes no results to return when querying AD or LDAP groups for a user. Use these commands to test for the symptom and cause:

authc_mgmt -u Administrator -p 'PASSWORD' -e query-ldap-groups-for-user -D query-tenant=TENANT_NAME -D query-domain=DOMAIN_NAME -D user-name=AD_USERNAME
authc_config -u Administrator -p 'PASSWORD' -e find-config -D config-id=1
[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=bkupadmin
Enter password:
The query returns 0 records.
Group Name Full Dn Name

Configuration lab is updated successfully.
[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
... 
Config Group Object Class : 
...

The object class attribute that identifies groups in the directory hierarchy is groupOfUniqueNames (LDAP) or groupOfNames (AD). For AD, use group.

Update the configuration with these values; you should now see group names and group DNs listed:
[root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
Enter password:
...
Config Group Object Class    : group
...

[root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=bkupadmin
Enter password:
The query returns 1 records.
Group Name       Full Dn Name
NetWorker Admins cn=NetWorker Admins,dc=lab,dc=loc

Other potential causes for groups to not appear are:
  1. The AD user who is specified in the authc_mgmt command is not a member of an AD group. Test other usernames and check with your AD administrator to confirm user or group membership.
  2. The Config Group Search Path value is incorrect. This is a DN that specifies the search path that the authentication service should use when searching for groups in the directory hierarchy. Specify a search path that is relative to the base DN that you specified in the config-server-address option.
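
The checks from Issues 1 through 4 can be run in one pass over saved find-config output. The following is an added example, not Dell code and not part of the original article; it generalizes the four empty-attribute checks and adds a search-path check. The function names check_authc_config and sample_config are hypothetical, the sample input is constructed from the lab output above, and the test for a search path that is not relative to the base DN is a heuristic assumption.

```shell
# Added example, not Dell code: reads `authc_config ... -e find-config` output on
# stdin, reports the causes behind Issues 1-4; exit status = number of findings.
check_authc_config() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    BEGIN {  # field label -> symptom the article ties to an empty value
        why["Config User ID Attribute"]    = "Issue 1: User Name column blank"
        why["Config User Object Class"]    = "Issue 2: user query returns 0 records"
        why["Config Group Name Attribute"] = "Issue 3: Group Name column blank"
        why["Config Group Object Class"]   = "Issue 4: group query returns 0 records"
    }
    index($0, ":") {
        # Split on the first colon only: the server address contains colons.
        key = trim(substr($0, 1, index($0, ":") - 1))
        val = trim(substr($0, index($0, ":") + 1))
        if (key == "Config Server Address") { base = val; sub(/^.*\//, "", base) }
        if (key ~ /^Config (User|Group) Search Path$/) path[key] = val
        if (key in why) {
            seen[key] = 1
            if (val == "") { print "EMPTY    " key " -> " why[key]; bad++ }
        }
    }
    END {
        for (k in why) if (!(k in seen)) { print "MISSING  " k " -> " why[k]; bad++ }
        # Heuristic (assumption): a search path ending in the base DN is not relative.
        n = length(base)
        for (k in path) {
            p = tolower(path[k])
            if (n && length(p) >= n && substr(p, length(p) - n + 1) == tolower(base)) {
                print "ABSOLUTE " k " -> should be relative to " base; bad++
            }
        }
        exit bad + 0
    }'
}

# Constructed sample: the lab config with two fields blanked, absolute group path.
sample_config() {
cat <<'EOF'
Config Server Address        : ldap://winldap.lab.loc:389/DC=lab,DC=loc
Config User ID Attribute     :
Config User Object Class     : user
Config User Search Path      : CN=Users
Config Group Name Attribute  : cn
Config Group Object Class    :
Config Group Search Path     : CN=NetWorker Admins,DC=lab,DC=loc
EOF
}
sample_config | check_authc_config || echo "findings: $?"
```

Feed the function the complete, saved output of the find-config command for your config-id; lines such as the Enter password: prompt and fields it does not check are ignored. Omitting -p, as the NOTE above allows, also keeps the password out of shell history and the process list.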

Additional Information

Affected Products

NetWorker

Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000057044
Article Type: Solution
Last Modified: 12 Jun 2025
Version:  4