Willkommen
Dell Standorte
Dell Standorte
Willkommen bei Dell
Mein Konto
- Bestellungen schnell und einfach aufgeben
- Bestellungen anzeigen und den Versandstatus verfolgen
- Profitieren Sie von exklusiven Prämien und Rabatten für Mitglieder
- Erstellen Sie eine Liste Ihrer Produkte, auf die Sie jederzeit zugreifen können.
NetWorker: How To Set up AD/LDAP Authentication
Zusammenfassung: This KB provides an overview for how to add external authority to NetWorker using the NetWorker Management Console's (NMC) external authority wizard. Active Directory (AD) or Linux LDAP authentication can be used alongside the default NetWorker Administrator account or other local NMC accounts. ...
Dieser Artikel gilt für
Dieser Artikel gilt nicht für
Dieser Artikel ist nicht an ein bestimmtes Produkt gebunden.
In diesem Artikel werden nicht alle Produktversionen aufgeführt.
Weisungen
NOTE: For AD over SSL integrations the NetWorker Web User Interface should be used to configure the external authority. See NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI).
Log in to the NetWorker Management Console (NMC) with the default NetWorker Administrator account. Under the Setup tab-->User and Roles there is a new option for External Authority.
You can still use the authc_config and authc_mgmt commands for querying configurations and AD/LDAP users and groups; however, it is recommended to use the NMC to add AD/LDAP to NetWorker.
1) To add a new authority right click in the External Authority window and select New.
2) In the External Authentication Authority box you must populate the required fields with your AD/LDAP information.
3) Check the "Show Advanced Options" box to see all the fields
| Server Type | Select LDAP if the authentication server is a Linux/UNIX LDAP server, Active Directory if you are using a Microsoft Active Directory server. |
| Authority Name | Provide a name for this external authentication authority. This name can be whatever you want it to be, it is only to differentiate between other authorities when multiple are configured. |
| Provider Server Name | This field should contain the Fully Qualified Domain Name (FQDN) of your AD or LDAP server. |
| Tenant | Tenants can be used in environments where more than one authentication method may be used and/or when multiple authorities must be configured. By default, the "default" tenant is selected. The use of tenants alters your log-in method. When the default tenant is used, you can log in to the NMC using "domain\user" if a tenant other than the default tenant is used you must specify "tenant\domain\user" when logging into the NMC. |
| Domain | Specify your full domain name (excluding a hostname). Typically this is your base DN which is consisted of your Domain Component (DC) values of your domain. |
| Port Number | For LDAP and AD integration use port 389. For LDAP over SSL use port 636. These ports are non-NetWorker default ports on the AD/LDAP server. |
| User DN | Specify the Distinguished Name  (DN) of a user account that has full read access to the LDAP or AD directory.Specify the relative DN of the user account, or the full DN if overriding the value set in the Domain field. |
| User DN Password | Specify the password of the user account specified. |
| Group Object Class | The object class that identifies groups in the LDAP or AD hierarchy.
|
| Group Search Path | This field can be left blank in which case authc is capable of querying the full domain. Permissions must be granted for NMC/ NetWorker server access before these users/groups can log in the NMC and manage the NetWorker server. Specify the relative path to the domain instead of full DN. |
| Group Name Attribute | The attribute that identifies the group name. For example, cn. |
| Group Member Attribute | The group membership of the user within a group.
|
| User Object Class | The object class that identifies the users in the LDAP or AD hierarchy. For example, inetOrgPerson or user |
| User Search Path | Like Group Search Path this field can be left blank in which case authc is capable of querying the full domain. Specify the relative path to the domain instead of full DN. |
| User ID Attribute | The user ID that is associated with the user object in the LDAP or AD hierarchy.
|
For example, Active Directory integration:
NOTE: Consult with your AD/LDAP admin to confirm which AD/LDAP specific fields are needed for your environment.
4) Once all the fields are populated, click OK to add the new authority.
5) You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible:
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ad/ldap_username
e.g:
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-users -D query-tenant=default -D query-domain=lab.emc.com
The query returns 21 records.
User Name Full Dn Name
Administrator cn=Administrator,cn=Users,dc=lab,dc=emc,dc=com
Guest cn=Guest,cn=Users,dc=lab,dc=emc,dc=com
...
...
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups -D query-tenant=default -D query-domain=lab.emc.com
The query returns 55 records.
Group Name Full Dn Name
Administrators cn=Administrators,cn=Builtin,dc=lab,dc=emc,dc=com
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab.emc.com -D user-name=bkupadmin
The query returns 5 records.
Group Name Full Dn Name
Domain Admins cn=Domain Admins,cn=Users,dc=lab,dc=emc,dc=com
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com
...
...
NOTE: On some systems, the authc commands may fail with an "incorrect password" error even when the correct password is given. This is due to the password being specified as visible text with the "-p" option. If you encounter this, remove "-p password" from the commands. You will be prompted to enter the password hidden after running the command.
(DN) of a AD/LDAP group (collected in step 5) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you will also need to specify the AD/LDAP group DN in the "Console Security Administrators" role. For users /groups who do not need administrative rights to the NMC Console, add their full DN in the "Console User" - external roles.
NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, DO NOT delete this.
7) Access permissions also must be applied per NetWorker server configured in the NMC. This can be done one of two ways:
Option 1)
Connect the NetWorker server from the NMC, open Server-->User Groups. Open the properties of the "Application Administrators" role and enter the Distinguished Name 
(DN) of a AD/LDAP group (collected in step 5) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the "Security Administrators" role.
(DN) of a AD/LDAP group (collected in step 5) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the "Security Administrators" role.
NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, DO NOT delete this.
Option 2)
For AD users/groups you want to grant Admin rights to the nsraddadmin command can be run from an admin or root command prompt on the NetWorker server:
nsraddadmin -e "OU=group,CN=you,CN=want,CN=to,CN=add,DC=domain,DC=local" example:
nsraddadmin -e "CN=NetWorker_Admins,CN=Users,DC=lab,DC=emc,DC=com"
8) log in to the NMC using your AD/LDAP account (e.g: domain\user):
If a tenant other than the default tenant was used you must specify it before the domain, e.g: tenant\domain\user.
The account that is used will be shown in the upper right corner. The user has the ability to perform actions based on the roles assigned in NetWorker.
9) If you want an AD/LDAP group to be able to manage External Authorities you must perform the following on the NetWorker server.
9) If you want an AD/LDAP group to be able to manage External Authorities you must perform the following on the NetWorker server.
a) Open an administrative/root command prompt.
b) Using the AD group DN (collected in step 5) you want to grant FULL_CONTROL permission to run:
authc_config -u Administrator -p NetWorker_Admin_Pass -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="AD/LDAP_group_dn" e.g:
authc_config -u Administrator -p Pa$$w0rd01 -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="cn=NetWorker_Admins,cn=Users,dc=lab,dc=emc,dc=com"
Permission FULL_CONTROL is created successfully.
authc_config -u Administrator -p Pa$$w0rd01 -e find-all-permissions
The query returns 2 records.
Permission Id Permission Name Group DN Pattern Group DN
1 FULL_CONTROL ^cn=Administrators,cn=Groups.*$
2 FULL_CONTROL cn=NetWorker_Admins,cn=Users,dc=lab,...
Weitere Informationen
NetWorker NWUI: How to Configure AD/LDAP from the NetWorker Web User Interface
NetWorker: How To Set up LDAP/AD using authc_config scripts
NetWorker: How To configure LDAPS Authentication.
NetWorker: How To Set up LDAP/AD using authc_config scripts
NetWorker: How To configure LDAPS Authentication.
Betroffene Produkte
NetWorkerProdukte
NetWorker, NetWorker Management ConsoleArtikeleigenschaften
Artikelnummer: 000156107
Artikeltyp: How To
Zuletzt geändert: 10 Okt. 2023
Version: 8
Antworten auf Ihre Fragen erhalten Sie von anderen Dell NutzerInnen
Support Services
Prüfen Sie, ob Ihr Gerät durch Support Services abgedeckt ist.