
NetWorker: How To Set up LDAP/AD using authc_config scripts

Summary: This KB provides a basic overview for how to add LDAP/AD authentication using the authc_config script template. Active Directory (AD) or Linux LDAP authentication can be used alongside the default NetWorker Administrator account or other local NetWorker Management Console (NMC) accounts. ...


Instructions

The following process describes how to use scripts to add AD or LDAP authentication to NetWorker. Other methods are available in the Additional Information section of this KB. 

You can use the script templates that are found under the following paths on your NetWorker server:
Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\scripts\
Linux: /opt/nsr/authc-server/scripts/
NOTE: The ad template is for authentication against a Windows Active Directory domain controller; the ldap template is for a Linux/UNIX LDAP server (for example OpenLDAP). Remove the .template suffix from the file name before running the script. If the templates do not exist, create a .sh (Linux) or .bat (Windows) file with the following content.

Syntax:
call authc_config.bat -u administrator -p <nmc_admin_password> -e add-config ^
-D "config-tenant-id=<tenant_id>" ^
-D "config-active-directory=y" ^
-D "config-name=<authority_name>" ^
-D "config-domain=<domain_name>" ^
-D "config-server-address=<protocol>://<hostname_or_ip_address>:<port>/<base_dn>" ^
-D "config-user-dn=<user_dn>" ^
-D "config-user-dn-password=<user_password>" ^
-D "config-user-search-path=<user_search_path>" ^
-D "config-user-id-attr=sAMAccountName" ^
-D "config-user-object-class=<user_object_class>" ^
-D "config-group-search-path=<group_search_path>" ^
-D "config-group-name-attr=cn" ^
-D "config-group-object-class=group" ^
-D "config-group-member-attr=member" ^
-D "config-user-search-filter=" ^
-D "config-group-search-filter=" ^
-D "config-search-subtree=n" ^
-D "config-user-group-attr=memberOf" ^
-D "config-object-class=objectClass"
NOTE: Any value in the script inside < > must be changed. The values not inside < > can be left as is. 
 
config-tenant-id Tenants are used in environments where more than one authentication method is in use and/or more than one authority needs to be configured. If only one AD/LDAP server is used you do not need to create a tenant; use the default tenant, config-tenant-id=1. Note that using a non-default tenant changes the log-in format: with the default tenant you log in to the NMC as "domain\user"; with any other tenant you must log in as "tenant-name\domain\user".
config-active-directory If you are using a Microsoft Active Directory (AD) server: y
If you are using an LDAP server (e.g: OpenLDAP): n
Note: There are two different script templates "authc-create-ad-config" and "authc-create-ldap-config." Ensure that you are using the correct template for the authentication platform in use.
config-name This name is only an identifier for the authentication configuration being added to NetWorker. 
config-domain This is the domain name that is used for logging into NetWorker. For example "emclab.local" can be set to "emclab". This can be set to align with how you log in to your workstations and systems integrated with AD/LDAP.
config-server-address <protocol>://<hostname_or_ip_address>:<port>/<base_dn>
Protocol:
  • Specify ldap if non-SSL communication is used.
  • Specify ldaps if you are configuring SSL communication.
  • Notes: 
    • Before you configure the NetWorker Authentication Service to use LDAPS, you must store the CA certificate from the LDAPS server in the Java trust keystore. For more information about this procedure, see NetWorker: How To configure LDAPS Authentication
    • ldap/ldaps must be lower case.
Hostname/IP address:
  • Specify the fully resolvable hostname or IP address of your AD or LDAP server.
Port:
  • If you are using LDAP specify port 389.
  • If you are using LDAPS specify port 636.
  • Note: with ldap:// on port 389 the simple-bind credentials (the config-user-dn-password and each user's log-in password) cross the network in clear text; use ldaps:// unless the path to the directory server is protected by other means.
Base-DN:
  • Specify your base DN, which consists of the Domain Component (DC) values of your domain, e.g: DC=my,DC=domain,DC=com.
config-user-dn Specify the full Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory, e.g: CN=Administrator,CN=Users,DC=my,DC=domain,DC=com. A dedicated read-only service account is preferable to a privileged account such as Administrator: its password is stored in the authc configuration, so the account should have no rights beyond the directory read access that authc needs.
config-user-dn-password Specify the password for the account specified in the config-user-dn.
config-user-search-path This field can be left blank, in which case authc can query the whole directory under the Base DN. Users and groups found there still need NMC and NetWorker server permissions (granted later in this procedure) before they can log in to the NMC and manage the NetWorker server. If a Base DN was specified in config-server-address, specify the path relative to it (excluding the Base DN), e.g: CN=Users.
config-user-id-attr The user ID that is associated with the user object in the LDAP or AD hierarchy.
  • For LDAP, this attribute is commonly uid.
  • For AD, this attribute is commonly sAMAccountName.
config-user-object-class The object class that identifies the users in the LDAP or AD hierarchy.
For example, inetOrgPerson (LDAP) or user (AD)
config-group-search-path Like config-user-search-path this field can be left blank in which case authc is capable of querying the full domain. If a Base DN was specified in the config-server-address, specify the relative path (excluding the Base DN) to the domain.
config-group-name-attr The attribute that identifies the group name. For example, cn
config-group-object-class The object class that identifies groups in the LDAP or AD hierarchy.
  • For LDAP, use groupOfUniqueNames or groupOfNames
    • Note: There are other group object classes aside from groupOfUniqueNames and groupOfNames.  Use whatever object class is configured in the LDAP server.
  • For AD, use group.
config-group-member-attr The group membership of the user within a group.
  • For LDAP:
    • When the Group Object Class is groupOfNames the attribute is commonly member.
    • When the Group Object Class is groupOfUniqueNames the attribute is commonly uniquemember.
  •  For AD, the value is commonly member.
config-user-search-filter (Optional.) The filter that the NetWorker Authentication Service uses to perform user searches in the LDAP or AD hierarchy. RFC 2254 (since superseded by RFC 4515, which keeps the same syntax) defines the filter format.
config-group-search-filter (Optional.) The filter that the NetWorker Authentication Service uses to perform group searches in the LDAP or AD hierarchy. The filter format is the same as for config-user-search-filter.
config-search-subtree (Optional.) A yes or no value that specifies if the external authority should perform subtree searches.
Default value: no
config-user-group-attr (Optional.) This option supports configurations that identify the group membership for a user within the properties of the user object. For example, for AD, specify the attribute memberOf.
config-object-class (Optional.) The object class of the external authentication authority. RFC 4512 defines the object class. Default value: objectclass.
Example:
call "C:\Program Files\EMC NetWorker\nsr\authc-server\bin\authc_config.bat" -u administrator -p Pa$$w0rd04 -e add-config ^
-D "config-tenant-id=1" ^
-D "config-active-directory=y" ^
-D "config-name=ad" ^
-D "config-domain=emclab" ^
-D "config-server-address=ldap://winsrvr2k12.emclab.local:389/DC=emclab,DC=local" ^
-D "config-user-dn=CN=Administrator,CN=Users,DC=emclab,DC=local" ^
-D "config-user-dn-password=XXXXXXXX" ^
-D "config-user-search-path=CN=Users" ^
-D "config-user-id-attr=sAMAccountName" ^
-D "config-user-object-class=user" ^
-D "config-group-search-path=CN=NetWorker_Admins,CN=Users" ^
-D "config-group-name-attr=cn" ^
-D "config-group-object-class=group" ^
-D "config-group-member-attr=member" ^
-D "config-user-search-filter=" ^
-D "config-group-search-filter=" ^
-D "config-search-subtree=y" ^
-D "config-user-group-attr=memberOf" ^
-D "config-object-class=objectClass"

Once the script is populated, you can run it from command line on the NetWorker server. 
C:\Program Files\EMC NetWorker\nsr\authc-server\scripts>authc-create-ad-config.bat
Configuration ad is created successfully.
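As an added example (not code from the Dell KB or from NetWorker's own script templates), the following POSIX shell script is a Linux counterpart of the batch script above. Before calling authc_config it checks the values that most often go wrong (protocol case, port, base-DN shape, search paths that wrongly repeat the base DN), and it takes both passwords from the environment or an interactive prompt so that neither is stored in the script file. It assumes the Linux binary is /opt/nsr/authc-server/bin/authc_config and accepts the same -u/-p/-e add-config/-D options as authc_config.bat; the host, domain and group names mirror the KB example, and the bind account svc_networker_ldap is a hypothetical read-only service account.

```shell
#!/bin/sh
# Added example: Linux counterpart of the authc-create-ad-config batch
# script. Not part of the Dell KB or the NetWorker product templates.
# Assumptions: /opt/nsr/authc-server/bin/authc_config exists and takes the
# same -u/-p/-e add-config/-D options as authc_config.bat; the bind account
# svc_networker_ldap is a hypothetical read-only service account.

AUTHC_CONFIG="${AUTHC_CONFIG:-/opt/nsr/authc-server/bin/authc_config}"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print "<proto>://<host>:<port>/<base_dn>" for config-server-address, or
# return 1 with a reason on stderr. Protocol must be lower-case ldap/ldaps.
build_server_address() {
  proto=$1 host=$2 port=$3 base_dn=$4
  case "$proto" in
    ldap)  echo "warning: ldap:// sends simple-bind passwords in clear text; prefer ldaps://" >&2
           [ "$port" = 389 ] || echo "note: ldap normally uses port 389, got $port" >&2 ;;
    ldaps) [ "$port" = 636 ] || echo "note: ldaps normally uses port 636, got $port" >&2 ;;
    *)     echo "error: protocol must be lower-case ldap or ldaps, got '$proto'" >&2; return 1 ;;
  esac
  case "$port" in ''|*[!0-9]*) echo "error: port must be numeric, got '$port'" >&2; return 1 ;; esac
  [ -n "$host" ] || { echo "error: host name or IP address is required" >&2; return 1; }
  # Base DN is a comma-separated list of attr=value pairs, e.g. DC=emclab,DC=local
  printf '%s' "$base_dn" | grep -Eq '^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$' ||
    { echo "error: base DN '$base_dn' is not of the form DC=x,DC=y" >&2; return 1; }
  printf '%s://%s:%s/%s\n' "$proto" "$host" "$port" "$base_dn"
}

# Search paths are relative to the base DN. Returns 1 if the path repeats the
# base DN (e.g. CN=Users,DC=emclab,DC=local), a common mistake; blank is OK.
search_path_ok() {
  p=$(lower "$1"); b=$(lower "$2")
  [ -n "$p" ] || return 0
  case "$p" in *"$b") return 1 ;; esac
  return 0
}

# Read a secret without echoing it (stty is POSIX; "read -s" is not).
read_secret() {
  printf '%s: ' "$1" >&2
  stty -echo; read -r secret; stty echo; echo >&2
  printf '%s' "$secret"
}

main() {
  base_dn='DC=emclab,DC=local'
  addr=$(build_server_address ldaps winsrvr2k12.emclab.local 636 "$base_dn") || exit 1
  for sp in 'CN=Users' 'CN=NetWorker_Admins,CN=Users'; do
    search_path_ok "$sp" "$base_dn" || { echo "error: search path '$sp' repeats the base DN" >&2; exit 1; }
  done
  admin_pw=${AUTHC_ADMIN_PASSWORD:-$(read_secret 'NMC administrator password')}
  bind_pw=${BIND_DN_PASSWORD:-$(read_secret 'Bind DN password')}
  "$AUTHC_CONFIG" -u administrator -p "$admin_pw" -e add-config \
    -D "config-tenant-id=1" \
    -D "config-active-directory=y" \
    -D "config-name=ad" \
    -D "config-domain=emclab" \
    -D "config-server-address=$addr" \
    -D "config-user-dn=CN=svc_networker_ldap,CN=Users,DC=emclab,DC=local" \
    -D "config-user-dn-password=$bind_pw" \
    -D "config-user-search-path=CN=Users" \
    -D "config-user-id-attr=sAMAccountName" \
    -D "config-user-object-class=user" \
    -D "config-group-search-path=CN=NetWorker_Admins,CN=Users" \
    -D "config-group-name-attr=cn" \
    -D "config-group-object-class=group" \
    -D "config-group-member-attr=member" \
    -D "config-user-search-filter=" \
    -D "config-group-search-filter=" \
    -D "config-search-subtree=y" \
    -D "config-user-group-attr=memberOf" \
    -D "config-object-class=objectClass"
}

# Only touch the real authc_config when asked explicitly:
#   AUTHC_RUN=1 AUTHC_ADMIN_PASSWORD=... BIND_DN_PASSWORD=... sh create-ad-config.sh
if [ -n "${AUTHC_RUN:-}" ]; then main; fi
```

authc_config takes the NMC administrator and bind-DN passwords as command-line arguments, so they are briefly visible to other local users in the process list while it runs; run it as an administrator on the NetWorker server itself, and if you keep a filled-in script file, restrict its permissions (chmod 600 on Linux) or delete it once the configuration has been created.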
After the script succeeds, you can confirm that the NetWorker server can authenticate with AD by running the following command:
Syntax: nsrlogin -t tenant -d domain -u user
Example: 
nsrlogin -t default -d emclab -u bkupadmin
130136:nsrlogin: Please enter password:
Authentication succeeded
If authentication succeeds, collect the Distinguished Name (DN) of your AD NetWorker/backup administrators group by running the following command on your NetWorker server:
Syntax: 
authc_mgmt -u administrator -p nmc_admin_password -e query-ldap-groups-for-user -D query-tenant=tenant-name -D query-domain=domain_name -D user-name=ad_user_name
Example: 
authc_mgmt -u Administrator -p Pa$$w0rd04 -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=emclab -D user-name=bkupadmin
The query returns 1 records.
Group Name       Full Dn Name
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
Collect the DN of your NetWorker/backup administrator's group.
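As an added example (not from the KB), the shell snippet below takes the output of the authc_mgmt group query, picks out the DN of the administrators group even when group names contain spaces (the output is space-padded, so a fixed column split would break on "Domain Users"), and checks that the DN lies under the configured config-group-search-path, since authc looks for groups only below that path. The sample output is constructed for this example and imitates the table above but with several groups, as a real user normally has.

```shell
#!/bin/sh
# Added example, not from the Dell KB: extract the DN of one group from the
# output of "authc_mgmt -e query-ldap-groups-for-user" and check that it sits
# under the configured group search path. SAMPLE_OUTPUT is constructed for
# this example; it imitates the table on the page with more than one group.

SAMPLE_OUTPUT='The query returns 3 records.
Group Name       Full Dn Name
Domain Users     cn=Domain Users,cn=Users,dc=emclab,dc=local
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
Backup Operators cn=Backup Operators,cn=Builtin,dc=emclab,dc=local'

# group_dn NAME OUTPUT: print the DN for group NAME, or nothing if absent.
# Both columns may contain spaces, so each line is split at the last field
# that starts with "cn=" (the start of the DN) rather than at a fixed column.
group_dn() {
  printf '%s\n' "$2" | awk -v want="$1" '
    tolower($0) !~ /cn=/ { next }            # skips the count line and header
    {
      for (i = NF; i >= 1; i--) if (tolower($i) ~ /^cn=/) break
      if (i == 0) next
      dn = ""; for (j = i; j <= NF; j++) dn = dn (j > i ? " " : "") $j
      gn = ""; for (j = 1; j < i; j++) gn = gn (j > 1 ? " " : "") $j
      if (gn == want) { print dn; exit }
    }'
}

# Normalise a DN for comparison: DNs are case-insensitive here, and spaces
# around the commas between RDNs carry no meaning.
norm_dn() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'; }

# dn_under DN SEARCH_PATH BASE_DN: return 0 if DN is the search base itself or
# lies below "<search_path>,<base_dn>" (a blank search path means the base DN).
dn_under() {
  dn=$(norm_dn "$1"); sp=$(norm_dn "$2"); base=$(norm_dn "$3")
  if [ -n "$sp" ]; then suffix="$sp,$base"; else suffix=$base; fi
  case "$dn" in "$suffix"|*",$suffix") return 0 ;; esac
  return 1
}

# The DN to paste into the NMC "External Roles" field, and whether the group
# search path from the KB example (CN=NetWorker_Admins,CN=Users) can see it.
admins_dn=$(group_dn NetWorker_Admins "$SAMPLE_OUTPUT")
if dn_under "$admins_dn" 'CN=NetWorker_Admins,CN=Users' 'DC=emclab,DC=local'; then
  echo "External Roles entry: $admins_dn"
else
  echo "warning: $admins_dn lies outside the configured group search path" >&2
fi
```

The DN is printed exactly as authc_mgmt returned it, in lower case; that is the form to paste into the External Roles field.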

Log in to the NMC as the default NetWorker Administrator account. Under Setup-->Users and Roles-->NMC Roles, add the group DN collected from the above step to the "External Roles" field of the appropriate roles for that AD group. Full Administrators should have "Console Application Administrator" and "Console Security Administrator" Roles. (See the NetWorker Security Configuration Guide for more information about these roles.)
This lets your AD users log in to and manage the NMC console; however, you must also grant these users permissions on the NetWorker server. As the default NetWorker Administrator account, connect to the NetWorker server. Under Server-->User Groups, add the group DN to the "External Roles" field of the appropriate user groups for that AD group. Full Administrators should be members of "Application Administrators" and "Security Administrators".
After the AD group DNs have been added to the External Roles fields on both the NMC and NetWorker server, attempt to log in to the NMC using your AD account.
 
Once logged in the AD/LDAP username appears in the upper right corner of the NMC:
 

Additional Information

Affected Products

NetWorker

Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000158322
Article Type: How To
Last Modified: 10 Oct 2023
Version:  6