Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
Sign In Create an Account Premier Sign In Partner Program Sign In
Contact Us

NetWorker: How to Configure AD or LDAP from the NetWorker Web User Interface

Summary: This article provides instructions for configuring NetWorker to authenticate over active directory (AD) or lightweight directory access protocol (LDAP) for using NetWorker Web User Interface (NWUI). ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

  1. Log in to the NetWorker server's NWUI interface: https://<nwservername.domain.com>:9090/nwui
  2. Log in with the NetWorker Administrator account.
  3. From the Menu, select Authentication Server > External Authorities.
  4. From External Authorities, click Add.
  5. From the Basic Configuration:
Name: A Name for the external authority provider, this can be set as per your naming standards.
Server Type: LDAP: Select LDAP when the Authentication server is Linux based.
Active Directory: Select this option with Microsoft Active Directory is used.
LDAP Over SSL (LDAPS): Select this when the authentication server is LDAP but SSL is required.
AD Over SSL (LDAPS): Select when Microsoft Active Directory is used, but SSL is required.
 
Note: LDAP OR AD over SSL requires the certificate to be manually imported to the Auth Trust Store to ensure secure communication. For more information, see NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)
Provider Server Name: Specify the IP Address or FQDN of the authentication service provider winsrvhost (AD or LDAP server).
Port: If non-SSL then port 389 is used, if SSL then port 636 is used. This field should auto-populate from server type selection.
Tenant: *Optional: You can create multiple tenants to serve different authentication providers.
For most use cases, default is fine.
Domain The domain value for your service provider
User Distinguished Name (DN) Specify the DN of the AD or LDAP bind account; excluding the DC values.
User DN Password Specify the password of the bind account user.
 
Example showing basic AD configuration:
example of basic configuration
  1. Check the Advanced Configuration box and click Next.
  2. Review the Advanced Configuration options, usually the required fields are pre-populated with standard defaults. The values for these fields can be identified on the AD or LDAP server or provided by your domain admin if nonstandard values are used.
  3. Click Finish to complete the configuration.
  4. From the Server User Groups menu, edit the User Groups that contain the rights you want to delegate to AD or LDAP Groups or Users. For example, to grant full Admin rights, the AD group or user DN should be specified in the External Roles field of the Application Administrators and Security Administrators roles.
  5. Under External Roles, use the + icon to add AD User or Group Distinguished Names (DN)
Example: CN=NetWorker_Admins,DC=amer,DC=lan
External roles settings

This can also be done from the command line: 
nsraddadmin -e "AD_DN"
Example: 
PS C:\Users\Administrator.AMER> nsraddadmin -e "CN=NetWorker_Admins,DC=amer,DC=lan"
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Security Administrators' user group.
134751:nsraddadmin: Added role 'CN=NetWorker_Admins,DC=amer,DC=lan' to the 'Application Administrators' user group.

Note: See the Additional Info field for instructions on how to collect Distinguished Name (DN) values.
 
  1. Once the AD group or user DNs are specified, click Save.
  2. You should now be able to log in to NWUI or the NMC with AD or LDAP accounts. If a tenant was created, you must specify the tenant-name\domain.name\user-name if the default tenant is used you only must specify domain.name\user-name.
NWUI login with AD user

Additional Information

To get the AD user or Group DN, you can use the following methods:


From AD Server:

Open an Administrator PowerShell command and run: 
Get-ADUser -Identity AD_USERNAME -Properties DistinguishedName,MemberOf
Example: 
PS C:\Users\Administrator> Get-ADUser -Identity bkupadmin -Properties DistinguishedName,MemberOf

DistinguishedName : CN=Backup Admin,CN=Users,DC=amer,DC=lan
Enabled           : True
GivenName         : Backup
MemberOf          : {CN=NetWorker_Admins,DC=amer,DC=lan}
Name              : Backup Admin
ObjectClass       : user
ObjectGUID        : f37f3ef5-3488-4b53-8844-4fd553ef85b2
SamAccountName    : bkupadmin
SID               : S-1-5-21-3150365795-1515931945-3124253046-9605
Surname           : Admin
UserPrincipalName : bkupadmin@amer.lan
Both the User's user DN and group DN appear for the AD groups that they belong to.


    From NetWorker AuthenticationServer:

    The following method can be used on the NetWorker authentication server once an external authority is added:

    Query AD Users visible to NetWorker: 
    authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=TENANT-NAME -D query-domain="DOMAIN.DOMAIN"
    Query AD Groups a User belongs to: 
    authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=TENANT-NAME -D query-domain="DOMAIN.DOMAIN" -D user-name=AD-USERNAME

    In the above commands, we are specifying the NetWorker Administrator account, you are prompted to enter the NetWorker Administrator Password.
    Example: 
    nve:~ # authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain="amer.lan"
Enter password:
The query returns 19 records.
User Name        Full Dn Name
....
bkupadmin        CN=Backup Admin,CN=Users,dc=amer,dc=lan

nve:~ # authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain="amer.lan" -D user-name=bkupadmin
Enter password:
The query returns 1 records.
Group Name       Full Dn Name
NetWorker_Admins CN=NetWorker_Admins,dc=amer,dc=lan
     
    If the above commands do not return the expected results, confirm that the configuration has the correct parameters. For example, specifying a User or Group Search Path in the Advanced Configuration Tab of the external authority restricts NetWorker from only viewing users and groups under the search paths specified. Users and groups outside of the search paths are not shown.

    Affected Products

    NetWorker

    Products

    NetWorker Family, NetWorker Series
    Article Properties
    Article Number: 000189029
    Article Type: How To
    Last Modified: 12 Jul 2024
    Version:  8
    Find answers to your questions from other Dell users
    Support Services
    Check if your device is covered by Support Services.