NetWorker: How to Configure AD or LDAP from the NetWorker Web User Interface

Summary: This article provides instructions for configuring NetWorker to authenticate against Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) when using the NetWorker Web User Interface (NWUI). ...

Instructions

  1. Log in to the NetWorker server's NWUI interface: https://<nwservername.domain.com>:9090/nwui
  2. Log in with the NetWorker Administrator account.
  3. From the Menu, select Authentication Server > External Authorities.
  4. From External Authorities, click Add.
  5. From the Basic Configuration, set the following fields:
     Name: A name for the external authority provider. This can be set as per your naming standards.
     Server Type:
       LDAP: Select LDAP when the authentication server is Linux based.
       Active Directory: Select this option when Microsoft Active Directory is used.
       LDAP Over SSL (LDAPS): Select this when the authentication server is LDAP but SSL is required.
       AD Over SSL (LDAPS): Select this when Microsoft Active Directory is used but SSL is required.

     Note: LDAP or AD over SSL requires the certificate to be manually imported to the Auth Trust Store to ensure secure communication. For more information, see NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI).

     Provider Server Name: Specify the IP address or FQDN of the authentication service provider winsrvhost (AD or LDAP server).
     Port: Port 389 is used for non-SSL and port 636 is used for SSL. This field should auto-populate from the server type selection.
     Tenant: Optional. You can create multiple tenants to serve different authentication providers. For most use cases, default is fine.
     Domain: The domain value for your service provider.
     User Distinguished Name (DN): Specify the DN of the AD or LDAP bind account, excluding the DC values.
     User DN Password: Specify the password of the bind account user.

[Figure: example of a basic AD configuration]
  6. Check the Advanced Configuration box and click Next.
  7. Review the Advanced Configuration options. The required fields are usually pre-populated with standard defaults. The values for these fields can be identified on the AD or LDAP server or provided by your domain admin if nonstandard values are used.
  8. Click Finish to complete the configuration.
  9. From the Server User Groups menu, edit the User Groups that contain the rights you want to delegate to AD or LDAP groups or users. For example, to grant full Admin rights, the AD group or user DN should be specified in the External Roles field of the Application Administrators and Security Administrators roles.
  10. Under External Roles, use the + icon to add AD user or group Distinguished Names (DN).
Example: CN=NetWorker_Admins,DC=amer,DC=lan
[Figure: External Roles settings]

This can also be done from the command line:
nsraddadmin -e "AD_DN"
Example:
PS C:\Users\Administrator.AMER> nsraddadmin -e "CN=NetWorker_Admins,DC=amer,DC=lan"
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Security Administrators' user group.
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Application Administrators' user group.

Note: See the Additional Info field for instructions on how to collect Distinguished Name (DN) values.
 
  11. Once the AD group or user DNs are specified, click Save.
  12. You should now be able to log in to NWUI or the NMC with AD or LDAP accounts. If a tenant was created, you must specify tenant-name\domain.name\user-name. If the default tenant is used, you only need to specify domain.name\user-name.
[Figure: NWUI login with AD user]

Additional Information

To get the AD user or Group DN, you can use the following methods:


From AD Server:

Open an Administrator PowerShell prompt and run:
Get-ADUser -Identity AD_USERNAME -Properties DistinguishedName,MemberOf
Example:
PS C:\Users\Administrator> Get-ADUser -Identity bkupadmin -Properties DistinguishedName,MemberOf

DistinguishedName : CN=Backup Admin,CN=Users,DC=amer,DC=lan
Enabled           : True
GivenName         : Backup
MemberOf          : {CN=NetWorker_Admins,DC=amer,DC=lan}
Name              : Backup Admin
ObjectClass       : user
ObjectGUID        : f37f3ef5-3488-4b53-8844-4fd553ef85b2
SamAccountName    : bkupadmin
SID               : S-1-5-21-3150365795-1515931945-3124253046-9605
Surname           : Admin
UserPrincipalName : bkupadmin@amer.lan
The output shows both the user's DN (DistinguishedName) and the DNs of the AD groups the user belongs to (MemberOf).


From NetWorker Authentication Server:

    The following method can be used on the NetWorker authentication server once an external authority is added:

    Query AD Users visible to NetWorker:
    authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=TENANT-NAME -D query-domain="DOMAIN.DOMAIN"
    Query AD Groups a User belongs to:
    authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=TENANT-NAME -D query-domain="DOMAIN.DOMAIN" -D user-name=AD-USERNAME

    The above commands specify the NetWorker Administrator account. You are prompted to enter the NetWorker Administrator password.
    Example:
    nve:~ # authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain="amer.lan"
    Enter password:
    The query returns 19 records.
    User Name        Full Dn Name
    ....
    bkupadmin        CN=Backup Admin,CN=Users,dc=amer,dc=lan
    
    nve:~ # authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain="amer.lan" -D user-name=bkupadmin
    Enter password:
    The query returns 1 records.
    Group Name       Full Dn Name
    NetWorker_Admins CN=NetWorker_Admins,dc=amer,dc=lan
     
    If the above commands do not return the expected results, confirm that the configuration has the correct parameters. For example, specifying a User or Group Search Path in the Advanced Configuration tab of the external authority restricts NetWorker to viewing only the users and groups under the specified search paths. Users and groups outside of the search paths are not shown.
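
A check for the mismatch described above, as an added example that is not part of the original article or of NetWorker's tooling: it parses saved query-ldap-groups-for-user output and confirms that the DN entered under External Roles is a group the authentication server resolves for the user. The function names and the case-insensitive DN normalization are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not NetWorker tooling.

# Normalize a DN for comparison: lowercase, no spaces around commas.
# Assumption: case-insensitive matching is adequate for these AD DNs.
normalize_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Read query-ldap-groups-for-user output on stdin and print one normalized
# group DN per line. Everything up to the column header is skipped, and the
# DN is taken from the first "attr=" token so group names may hold spaces.
group_dns_from_query() {
    awk '
        /Full Dn Name/ { in_table = 1; next }
        in_table && match($0, /[A-Za-z]+=/) {
            dn = tolower(substr($0, RSTART))
            gsub(/[ \t]*,[ \t]*/, ",", dn)
            sub(/[ \t\r]+$/, "", dn)
            print dn
        }'
}

# Exit 0 only if the External Roles DN ($1) is among the group DNs on stdin.
user_has_role_dn() {
    want=$(normalize_dn "$1")
    group_dns_from_query | grep -Fxq -- "$want"
}

# Constructed sample, modeled on the example output shown in this article.
SAMPLE_OUTPUT='Enter password:
The query returns 1 records.
Group Name       Full Dn Name
NetWorker_Admins CN=NetWorker_Admins,dc=amer,dc=lan'

ROLE_DN='CN=NetWorker_Admins,DC=amer,DC=lan'   # value entered in External Roles
if printf '%s\n' "$SAMPLE_OUTPUT" | user_has_role_dn "$ROLE_DN"; then
    echo "OK: role DN is a group the authentication server resolves for this user"
else
    echo "MISMATCH: role DN is not among the user's resolved groups"
fi
```

A mismatch for an account that should have access points back to the Domain value or the User and Group Search Path settings of the external authority.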

    Affected Products

    NetWorker

    Products

    NetWorker Family, NetWorker Series