
Knowledge Base Article: 000522562

How To Setup AD/LDAP Authentication in NetWorker 18 and 19 (000522562)


Primary Product: NetWorker
Product: NetWorker, NetWorker Management Console, NetWorker 18.1, NetWorker 18.2, NetWorker 19.1

Version: 5 Article Type: How To Audience: Level 30 = Customers Last Published: Tue Nov 05 16:46:12 GMT 2019

Summary: This KB provides a basic overview for how to add LDAP/AD authentication in NetWorker 18.x and later

Instructions: This KB provides a basic overview for how to add AD/LDAP authentication in NetWorker 18.x and later. Please refer to the NetWorker Security

NetWorker 18.x has re-added the ability to use the NetWorker Management Console (NMC) for integrating AD/LDAP authentication with NetW
for External Authority.

You can still use the authc_config and authc_mgmt commands for querying configurations and AD/LDAP users and groups; however, it is reco

1) To add a new authority, right-click in the External Authority window and select New
2) In the External Authentication Authority box you will need to populate the required fields with your AD/LDAP information
3) Check the "Show Advanced Options" box to see all of the fields
Server Type: Select LDAP if the authentication server is a Linux/UNIX LDAP server, Active Directory if you are using a Microsoft Ac
Authority Name: Provide a name for this external authentication authority. This name can be whatever you want it to be, it is only to diff
Provider Server Name: This field should contain the Fully Qualified Domain Name (FQDN) of your AD or LDAP server
Tenant: Tenants can be used in environments where more than one authentication method may be used and/or when multiple
    log in method. When the default tenant is used you can log into the NMC using "domain\user" if a tenant other than the
Domain: Specify your full domain name (excluding a host name). Typically this is your base DN which is comprised of your Dom
Port Number: For LDAP and AD integration use port 389. For LDAP over SSL use port 636. These ports are non-NetWorker default
User DN: Specify the Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory.
    Specify the relative DN of the user account, or the full DN if overriding the value set in the Domain field.
User DN Password: Specify the password of the user account specified.
Group Object Class: The object class that identifies groups in the LDAP or AD hierarchy.
    For LDAP, use groupOfUniqueNames or groupOfNames.
    Note: There are other group object classes aside from groupOfUniqueNames and groupOfNames. Use whatever object
    For AD, use group.
Group Search Path: This field can be left blank in which case authc is capable of querying the full domain. Permissions still need to be gran
    Specify the relative path to the domain instead of full DN.
Group Name Attribute: The attribute that identifies the group name. For example, cn.
Group Member Attribute: The group membership of the user within a group.
    For LDAP:
    When the Group Object Class is groupOfNames the attribute is commonly member.
    When the Group Object Class is groupOfUniqueNames the attribute is commonly uniquemember.
    For AD, the value is commonly member
User Object Class: The object class that identifies the users in the LDAP or AD hierarchy.
    For example, inetOrgPerson or user
User Search Path: Like Group Search Path this field can be left blank in which case authc is capable of querying the full domain. Specify
User ID Attribute: The user ID that is associated with the user object in the LDAP or AD hierarchy.
    For LDAP, this attribute is commonly uid.
    For AD, this attribute is commonly sAMAccountName.
For example, Active Directory integration:

Note: Please consult with your AD/LDAP admin to confirm which AD/LDAP specific fields are needed for your environment.
4) Once all of the fields are populated, click OK to add the new authority.
5) You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible:
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-users -D query-tenant=ten
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups -D query-tenant=te
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups-for-user -D query-t
e.g:

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-users -D query-tenant=default -D que


The query returns 21 records.
User Name Full Dn Name
Administrator cn=Administrator,cn=Users,dc=lab,dc=emc,dc=com
Guest cn=Guest,cn=Users,dc=lab,dc=emc,dc=com
...
...

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups -D query-tenant=default -D qu


The query returns 55 records.
Group Name Full Dn Name
Administrators cn=Administrators,cn=Builtin,dc=lab,dc=emc,dc=com
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...

authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups-for-user -D query-tenant=defa


The query returns 5 records.
Group Name Full Dn Name
Domain Admins cn=Domain Admins,cn=Users,dc=lab,dc=emc,dc=com
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...
Note: On some systems the authc commands may fail with an "incorrect password" error even when the correct password is given. Th
commands. You will be prompted to enter the password hidden after running the command.

6) When logged into the NMC as the default NetWorker Administrator account, open Setup-->Users and Roles-->NMC Roles. Open t
in step 5) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator accoun
need administrative rights to the NMC Console, add their full DN in the "Console User" - external roles.
Note: By default there is already the DN of the NetWorker server's LOCAL Administrators group, DO NOT delete this.

7) Connect to the NetWorker server from the NMC, open Server-->User Groups. Open the properties of the "Application Administr
require the same level permissions as the default NetWorker Administrator account, you will also need to specify the AD/LDAP group
Note: By default there is already the DN of the NetWorker server's LOCAL Administrators group, DO NOT delete this.

8) Log into the NMC using your AD/LDAP account (e.g: domain\user):

Note: if a tenant other than the default tenant was used you will need to specify it before the domain, e.g: tenant\domain\user.
The account used will be shown in the top right corner. The user will have the ability to perform actions based on the roles assigned in

9) If you want an AD/LDAP group to be able to manage External Authorities you will need to perform the following on the NetWorker s
a) Open an administrative/root command prompt.
b) Using the AD group DN (collected in step 5) you want to grant FULL_CONTROL permission to run:
authc_config -u Administrator -p NetWorker_Admin_Pass -e add-permission -D permission
e.g:

authc_config -u Administrator -p Pa$$w0rd01 -e add-permission -D permission-name=FULL


Permission FULL_CONTROL is created successfully.

authc_config -u Administrator -p Pa$$w0rd01 -e find-all-permissions


The query returns 2 records.
Permission Id Permission Name Group DN Pattern Group DN
1 FULL_CONTROL ^cn=Administrators,cn=Groups.*$
2 FULL_CONTROL cn=NetWorker_Admins,cn=
Note: On some systems the authc commands may fail with an "incorrect password" error even when the correct password is
commands. You will be prompted to enter the password hidden after running the command.

If you do not do this the External Authorities will only be visible to the default NetWorker Administrator account.
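
The following Python example is added here; it is not part of the original article and is not NetWorker code. It parses authc_mgmt listing output in the layout shown in step 5, rejects a capture whose row count does not match the declared record count, and appends the chosen group DNs to an existing external-roles list without dropping entries already present (the "DO NOT delete" notes in steps 6 and 7). The sample output, the function names and the simplified DN comparison are assumptions made for illustration.

```python
import re

# Constructed sample in the step 5 layout; all names below are illustrative, not NetWorker APIs.
SAMPLE_OUTPUT = """\
The query returns 2 records.
Group Name        Full Dn Name
Domain Admins     cn=Domain Admins,cn=Users,dc=lab,dc=emc,dc=com
NetWorker_Admins  cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
"""

COUNT_RE = re.compile(r"The query returns (\d+) records?\.")
# A name may contain spaces; the DN starts at the first "attr=" token after whitespace.
ROW_RE = re.compile(r"^(?P<name>.+?)\s+(?P<dn>[A-Za-z][\w-]*=.+)$")


def parse_listing(text):
    """Return {name: full DN}; raise ValueError if the capture is incomplete."""
    declared, rows = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            rows[m.group("name")] = m.group("dn")
    if declared is None or declared != len(rows):
        raise ValueError(f"expected {declared} records, parsed {len(rows)}")
    return rows


def normalize_dn(dn):
    """Simplified comparison key: case-folded, no spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).casefold()


def merge_external_roles(existing, listing, group_names):
    """Append the DNs of group_names to existing entries; never drop an entry."""
    merged = list(existing)
    seen = {normalize_dn(dn) for dn in existing}
    for name in group_names:
        if name not in listing:
            raise KeyError(f"group {name!r} not found in directory listing")
        dn = listing[name]
        if normalize_dn(dn) not in seen:
            merged.append(dn)
            seen.add(normalize_dn(dn))
    return merged
```
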


Component/Sub-component: Active Directory,Active Directory Integration,LDAP / Active Directory
