NetWorker: How to Configure AD or LDAP from the NetWorker Web User Interface
Summary: This article provides instructions for configuring NetWorker to authenticate over Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) when using the NetWorker Web User Interface (NWUI). ...
Instructions
- Log in to the NetWorker server's NWUI interface: https://<nwservername.domain.com>:9090/nwui
- Log in with the NetWorker Administrator account.
- From the Menu, select Authentication Server > External Authorities.
- From External Authorities, click Add.
- From the Basic Configuration:
| Name: | Provide a name for the external authority provider. This name can be set as per your naming standards. |
| Server Type: | LDAP: Select LDAP when the authentication server is Linux based. Active Directory: Select this option when Microsoft Active Directory is used. LDAP Over SSL (LDAPS): Select this when the authentication server is LDAP but SSL is required. AD Over SSL (LDAPS): Select this when Microsoft Active Directory is used but SSL is required. NOTE: LDAP or AD over SSL requires the certificate to be manually imported to the Auth Trust Store to ensure secure communication. For more information, see NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI). |
| Provider Server Name: | Specify the IP Address or Fully Qualified Domain Name (FQDN) of the authentication service provider (AD or LDAP server). |
| Port: | Port 389 is used for non-SSL; port 636 is used for SSL. This field should auto-populate from the server type selection. |
| Tenant: | *Optional: You can create multiple tenants to serve different authentication providers. For most use cases, default is fine. |
| Domain | The domain value for your service provider |
| User Distinguished Name (DN) | Specify the DN of the AD or LDAP bind account, excluding the DC values. |
| User DN Password | Specify the password of the bind account user. |
Example showing basic AD configuration:
- Check the Advanced Configuration box and click Next.
- Review the Advanced Configuration options. Usually, the required fields are pre-populated with standard defaults. The values for these fields can be identified on the AD or LDAP server or provided by your domain admin if nonstandard values are used.
- Click Finish to complete the configuration.
- From the Server > User Groups menu, edit the User Groups that contain the rights you want to delegate to AD or LDAP Groups or Users. For example, to grant full Admin rights, the AD group or user DN should be specified in the External Roles field of the Application Administrators and Security Administrators roles.
- Under External Roles, use the + icon to add AD User or Group Distinguished Names (DN)
Example: CN=NetWorker_Admins,DC=amer,DC=lan
This can also be done from the command line:

```
nsraddadmin -e "AD_DN"
```

Example:

```
PS C:\Users\Administrator.AMER> nsraddadmin -e "CN=NetWorker_Admins,DC=amer,DC=lan"
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Security Administrators' user group.
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Application Administrators' user group.
```
NOTE: See the Additional Info field for instructions on how to collect Distinguished Name (DN) values.
- Once the AD group or user DNs are specified, click Save.
- You should now be able to log in to NWUI or the NMC with AD or LDAP accounts. If a tenant was created, you must specify `tenant-name\domain.name\user-name`; if the default tenant is used, you only need to specify `domain.name\user-name`.
Additional Information
To get the AD user or Group DN, you can use the following methods:
From AD Server:
Open an Administrator PowerShell command and run:
```
Get-ADUser -Identity AD_USERNAME -Properties DistinguishedName,MemberOf
```

Example:

```
PS C:\Users\Administrator> Get-ADUser -Identity bkupadmin -Properties DistinguishedName,MemberOf

DistinguishedName : CN=Backup Admin,CN=Users,DC=amer,DC=lan
Enabled           : True
GivenName         : Backup
MemberOf          : {CN=NetWorker_Admins,DC=amer,DC=lan}
Name              : Backup Admin
ObjectClass       : user
ObjectGUID        : f37f3ef5-3488-4b53-8844-4fd553ef85b2
SamAccountName    : bkupadmin
SID               : S-1-5-21-3150365795-1515931945-3124253046-9605
Surname           : Admin
UserPrincipalName : bkupadmin@amer.lan
```

Both the user's DN and the DNs of the AD groups that they belong to appear in the output.
From NetWorker Authentication Server:
The following method can be used on the NetWorker authentication server once an external authority is added:
Query AD Users visible to NetWorker:
```
authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=TENANT-NAME -D query-domain="DOMAIN.DOMAIN"
```
Query AD Groups a User belongs to:
```
authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=TENANT-NAME -D query-domain="DOMAIN.DOMAIN" -D user-name=AD-USERNAME
```
The above commands specify the NetWorker Administrator account; you are prompted to enter the NetWorker Administrator password.
Example:
```
nve:~ # authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain="amer.lan"
Enter password:
The query returns 19 records.
User Name      Full Dn Name
....
bkupadmin      CN=Backup Admin,CN=Users,dc=amer,dc=lan

nve:~ # authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain="amer.lan" -D user-name=bkupadmin
Enter password:
The query returns 1 records.
Group Name        Full Dn Name
NetWorker_Admins  CN=NetWorker_Admins,dc=amer,dc=lan
```
If the above commands do not return the expected results, confirm that the configuration has the correct parameters. Setting a User or Group Search Path in the Advanced Configuration tab limits NetWorker to viewing only users and groups within those paths. Users and groups outside of the search paths are not shown.
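The following is an added example, not part of the Dell article: a small shell check that parses `query-ldap-groups-for-user` output and confirms that the DN you intend to enter under External Roles (or pass to `nsraddadmin -e`) is a group the user actually belongs to, before administrative rights are delegated to it. The function names and the embedded sample output are constructed for illustration; the check assumes DNs without escaped commas and compares them case-insensitively.

```shell
#!/bin/sh
# Added example: confirm an External Role DN matches a group the user belongs to.

# Constructed sample, shaped like the query-ldap-groups-for-user output shown above.
SAMPLE_OUTPUT='The query returns 1 records.
Group Name        Full Dn Name
NetWorker_Admins  CN=NetWorker_Admins,dc=amer,dc=lan'

# Filter: normalise DNs on stdin for comparison (lower-case, no spaces around , and =).
# Assumption: no escaped commas (\,) in the DNs; attribute values compare case-insensitively.
normalize_dn() {
  tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print the "Full Dn Name" column of every record in authc_mgmt query output ($1).
# The DN is taken from the first "attr=" onward, so names containing spaces are handled.
group_dns() {
  printf '%s\n' "$1" | awk '
    /Full Dn Name/ { rows = 1; next }                       # header row: records follow
    rows && match($0, /[A-Za-z]+=/) { print substr($0, RSTART) }'
}

# Succeed (exit 0) only if role DN $1 equals one of the group DNs in query output $2.
role_matches() {
  role=$(printf '%s\n' "$1" | normalize_dn)
  group_dns "$2" | normalize_dn | grep -Fxq -- "$role"
}

if role_matches "CN=NetWorker_Admins,DC=amer,DC=lan" "$SAMPLE_OUTPUT"; then
  echo "OK: role DN matches a group returned for this user"
else
  echo "MISMATCH: role DN is not among this user's groups"
fi
```

To check a live result, capture the command's output into a variable and pass it as the second argument to `role_matches`.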
Affected Products
NetWorker
Products
NetWorker Family, NetWorker Series
Article Properties
Article Number: 000189029
Article Type: How To
Last Modified: 21 May 2025
Version: 9