When logging into NetWorker Management Console (NMC) with an AD/LDAP account, the following error appears: "Unable to login, verify that the authentication service on [servername] is running"
The NMC server's gstd.raw may report:
servername.domain gstd NSR error 78 Unable to login, verify that the authentication service on %s is running: [%s] 2 0 21 servername.domain 0 37 Authentication service is unavailable
The AD/LDAP configuration was done using SSL certificate(s) (LDAPS). These certificates were imported into the NetWorker server Java instance's cacerts keystore. There is a problem with the certificate(s) being used by authc.
For the full procedure on configuring LDAPS with NetWorker refer to:
https://www.dell.com/support/kbdoc/000156132/
Information on configuring LDAPS can be found in the NetWorker Security Configuration guide, available through:
https://www.dell.com/support/
The process specific to the certificates is as follows:
- Get the Root and Chain certificates from the LDAP server:
openssl s_client -showcerts -connect LDAP_server_name:636
Note: In some environments only one certificate will be returned; however, if multiple (chain) certificates are returned, create an individual .cer file for each certificate output. Each file includes the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Check the keystore for any existing certificates associated with the LDAP server:
/opt/nre/java/latest/bin/keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit | grep -i LDAP_server_name
a. If any certificate aliases associated with the LDAP server are listed in the keystore, remove them with:
/opt/nre/java/latest/bin/keytool -delete -alias ALIAS_NAME -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
- Add the new chain and root certificates (in that order) to the ‘cacerts’ file:
# /opt/nre/java/latest/bin/keytool -import -alias LDAP_server_name_CHAIN -keystore /opt/nre/java/latest/lib/security/cacerts -file /tmp/chain.cer -storepass changeit
# /opt/nre/java/latest/bin/keytool -import -alias LDAP_server_name_ROOT -keystore /opt/nre/java/latest/lib/security/cacerts -file /tmp/root.cer -storepass changeit
# /opt/nre/java/latest/bin/keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts | grep -i LDAP_server_name
Enter keystore password: changeit
LDAP_server_name_ROOT, Oct 13, 2021, trustedCertEntry,
LDAP_server_name_CHAIN, Oct 13, 2021, trustedCertEntry,
- Restart NetWorker:
nsr_shutdown
systemctl start networker
- Re-run the ‘authc_config’ command:
# /opt/nsr/authc-server/bin/authc_config -u Administrator -e update-config -D config-id=2 -D config-active-directory=y -D config-user-dn-password=<PASSWORD FOR USER>
Enter password: <Networker ADMINISTRATOR Password>
Configuration SLDAP is updated successfully.
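For the first step of the procedure above, when openssl s_client -showcerts returns several certificates, the following added example (not part of the original article and not Dell tooling) splits saved s_client output into one .cer file per certificate and labels each as server, chain or root from the subject and issuer names that s_client prints. The function names, the cert-N.cer file naming and the sample input are assumptions constructed for illustration.

```shell
# Added example, not from the original article; names here are assumptions.

# split_showcerts INPUT OUT_DIR: write each PEM block in saved s_client
# -showcerts output to OUT_DIR/cert-N.cer and print a manifest line
# "file<TAB>role<TAB>subject<TAB>issuer" per certificate.
# role is a heuristic on the printed names: subject == issuer means root.
split_showcerts() {
    mkdir -p "$2" || return 1
    awk -v out="$2" '
        /^ *[0-9]+ s:/ { idx = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss = $0; next }
        /^-----BEGIN CERTIFICATE-----$/ { f = out "/cert-" idx ".cer"; pem = 1 }
        pem { print > f }
        /^-----END CERTIFICATE-----$/ {
            pem = 0; close(f)
            role = (subj == iss) ? "root" : (idx == 0 ? "server" : "chain")
            printf "%s\t%s\t%s\t%s\n", f, role, subj, iss
        }' "$1"
}

# show_fingerprints OUT_DIR: print names and SHA-256 fingerprint of each file
# for comparison with the CA's published values before any keytool -import.
show_fingerprints() {
    for c in "$1"/cert-*.cer; do
        openssl x509 -in "$c" -noout -subject -issuer -fingerprint -sha256
    done
}

# Constructed sample input: placeholder bodies, not real certificates.
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CHAIN
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT
-----END CERTIFICATE-----
EOF
}
```

Save the s_client output to a file, run split_showcerts on it, then run show_fingerprints on the output directory; the manifest shows which split files hold the chain and root certificates.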