LDAP Integration Overview on PowerProtect DP Series Appliance and Integrated Data Protection Appliance (IDPA)
- IDPA supports integrating LDAP with all point products through the Appliance Configuration Manager (ACM).
- After successful LDAP integration, users can log in to all IDPA point products with their LDAP (domain) credentials.
- On versions 2.6.1 and earlier, LDAP is configured from the ACM but is only applied to the DPC and Search servers.
- On those versions, LDAP must be configured manually for the DPA, Data Domain (DD), and Avamar components.
- On versions 2.7.0 and later, LDAP is configured from the ACM for all servers: Data Domain (DD), Avamar, Data Protection Advisor (DPA), Data Protection Central (DPC), and Search.
LDAP Configuration Type: External vs. Internal
- IDPA sets up an internal LDAP server on the ACM at deployment time, and that server is integrated by default.
- After deployment, users can configure an external LDAP server according to their LDAP server type.
- IDPA supports Active Directory and OpenLDAP directory services for integration.
By default, the PowerProtect DP Series Appliance is preconfigured to use the internal LDAP configuration. The "Configure external LDAP" option changes this default to an external LDAP configuration; it is available on the ACM dashboard, in the General Settings panel, under the gear icon menu.
Configuration Steps
Instructions for setting up external LDAP are in the PowerProtect DP Series Appliance and IDPA Product Guides:
- Go to the PowerProtect DP Series Appliance and IDPA Manuals page on Dell Support.
- Sign in to the portal.
- Select Manuals and Documents to find the PowerProtect DP Series Appliance and IDPA Product Guides for your version.
Troubleshooting LDAP Configuration Validation Failures
- Server Hostname: provide the FQDN of the LDAP server; IP addresses do not work.
- Query username: provide the username in User Principal Name (UPN) format, for example abc@domain.com.
- Admin group settings: the group scope must be 'Global' and the group type must be 'Security'.
- The query user must be a member of the LDAP admin group.
- Best practice is to use lowercase for all values.
- For secure LDAP (LDAPS) configurations, provide the root CA certificate in '.cer' format.
- Nested groups are not supported: the user must be a direct member of the LDAP admin group, not a member of a group that is itself a member of it.
NOTE:
• For LDAP integration to work successfully on Protection Storage (Data Domain), the LDAP query user must have Create/Remove "Full Control" permissions for Computer object.
Troubleshooting Connectivity
- Check connectivity with the ping command:
ping -c 4 <FQDN_OF_LDAP_SERVER>
Example:
acm-4400-xxxx:~ # ping -c 4 dc.amer.lan
PING dc.amer.lan (192.168.7.100) 56(84) bytes of data.
64 bytes from DC.amer.lan (192.168.7.100): icmp_seq=1 ttl=128 time=0.246 ms
64 bytes from DC.amer.lan (192.168.7.100): icmp_seq=2 ttl=128 time=0.439 ms
64 bytes from DC.amer.lan (192.168.7.100): icmp_seq=3 ttl=128 time=0.414 ms
64 bytes from DC.amer.lan (192.168.7.100): icmp_seq=4 ttl=128 time=0.495 ms
- A missing DNS search domain in "/etc/resolv.conf" causes ping (and any other lookup) of the LDAP server's short name to fail; the file should look like this:
acm-4400-xxxx:~ # cat /etc/resolv.conf
search abc.com
nameserver 10.xx.xx.xx
nameserver 10.yy.yy.yy
Troubleshooting Ports
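The connectivity and port checks above, scripted so they can be run from the ACM in one pass. This is an added example, not a script from the product guide; it assumes the server name dc.amer.lan from the ping example, the search domain abc.com from the resolv.conf example, and the standard LDAP ports 389 and 636 (the ports the ldapsearch commands below use).

```shell
#!/usr/bin/env bash
# Added example (not from the product guide): DNS search domain, name resolution
# and TCP reachability of the LDAP ports, checked from the ACM.
# Assumed values: dc.amer.lan (server from the ping example), abc.com (search
# domain from the resolv.conf example); override them via the environment.
LDAP_FQDN="${LDAP_FQDN:-dc.amer.lan}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# check_search_domain: 0 if the "search" (or older "domain") line of resolv.conf
# lists the domain, which is the failure cause named above for the short name.
check_search_domain() {  # $1 = resolv.conf path, $2 = domain
  awk -v d="$2" '($1=="search" || $1=="domain") {
                   for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) ok = 1 }
                 END { exit !ok }' "$1"
}

# resolves: 0 if the name resolves through the configured nameservers.
resolves() { getent hosts "$1" >/dev/null; }

# tcp_open: 0 if a TCP connection to $1:$2 completes within 5 s.  bash opens
# the socket through /dev/tcp, so no nc/nmap is needed on the appliance; a
# filtered port shows up as the 5 s timeout, a closed one as an immediate refusal.
tcp_open() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# unreachable_ldap_ports: print the LDAP ports (389 LDAP, 636 LDAPS) that could
# NOT be reached on host $1; empty output means both are open.
unreachable_ldap_ports() {
  for p in 389 636; do
    tcp_open "$1" "$p" || printf '%s\n' "$p"
  done
}

if [ "$#" -gt 0 ]; then   # usage: script.sh <search-domain>; no argument = define functions only
  domain=$1
  if check_search_domain "$RESOLV_CONF" "$domain"; then
    echo "OK   search domain $domain present in $RESOLV_CONF"
  else
    echo "FAIL search domain $domain missing from $RESOLV_CONF"
  fi
  resolves "$LDAP_FQDN" && echo "OK   $LDAP_FQDN resolves" || echo "FAIL $LDAP_FQDN does not resolve"
  ping -c 4 "$LDAP_FQDN"
  for p in $(unreachable_ldap_ports "$LDAP_FQDN"); do
    echo "FAIL tcp/$p on $LDAP_FQDN is closed or filtered (check firewalls between ACM and LDAP server)"
  done
fi
```

Run it as `./check_ldap_conn.sh abc.com` on the ACM; a port reported as closed or filtered while ping succeeds points at a firewall or a listener bound to a different port, not at DNS.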
Troubleshooting using LDAPSEARCH
ldapsearch is a command-line tool that opens a connection to an LDAP server, binds to it, and performs a search using a filter.
The results are displayed in LDIF (LDAP Data Interchange Format).
ldapsearch can be run on IDPA components such as the ACM to test the connection to the LDAP server and validate the configured settings (bind user, password, base DN) before entering them in the ACM.
Syntax
- Unsecure LDAP (simple bind, -x, on port 389):
ldapsearch -x -H ldap://<LDAP_Server_FQDN>:389 -D "<LDAP_Query_username>" -w "<Query_user_password>" -b "<Base_DN>"
- Secure LDAP (LDAPS, port 636; -W prompts for the password so it does not end up in the shell history):
ldapsearch -x -H ldaps://<LDAP_Server_FQDN>:636 -D "<DN of query user>" -W -b "<DN for domain, or DN for user, or DN for group>"
Note that the server URI is passed with -H; -h only accepts a host name. For LDAPS, the client must trust the server's root CA; if it is not in the system trust store yet, point ldapsearch at the PEM-encoded certificate with the LDAPTLS_CACERT environment variable (LDAPTLS_CACERT=/path/to/rootCA.cer ldapsearch ...).
Troubleshooting Certificates
The following command fetches and displays the certificate the LDAP server presents; -showcerts prints the full chain, and redirecting stdin from /dev/null closes the connection after the handshake:
openssl s_client -connect <LDAP_Server_FQDN>:<port> -showcerts </dev/null
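A worked version of the certificate check, as an added example that is not part of the product guide: it captures the chain the LDAPS listener presents with the s_client command above, verifies it against the root CA file the ACM was given, and converts that file to PEM if it was exported from AD in DER form (both are commonly named .cer, but OpenSSL tools only read PEM without being told). The host name dc.amer.lan and the path /tmp/rootca.cer are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the product guide.  Assumed names: dc.amer.lan and
# /tmp/rootca.cer; override via the environment or command line.
LDAP_FQDN="${LDAP_FQDN:-dc.amer.lan}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_CERT="${CA_CERT:-/tmp/rootca.cer}"

# cert_to_pem: print certificate file $1 as PEM whether it is PEM or DER encoded;
# returns 1 if OpenSSL can parse it as neither (e.g. a key or a PKCS#7 bundle).
cert_to_pem() {
  if openssl x509 -in "$1" -inform pem -noout 2>/dev/null; then
    openssl x509 -in "$1" -inform pem
  elif openssl x509 -in "$1" -inform der -noout 2>/dev/null; then
    openssl x509 -in "$1" -inform der
  else
    return 1
  fi
}

# fetch_chain: save the certificates the server sends (leaf first, then any
# intermediates) to file $3 as PEM; 0 if at least one certificate was received.
fetch_chain() {  # $1 = host, $2 = port, $3 = output file
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' >"$3"
  [ -s "$3" ]
}

# verify_chain: 0 if the leaf (first certificate in $1) chains to root CA $2,
# using any intermediates in $1 as untrusted links, and its SAN/CN matches the
# FQDN $3 the ACM connects to.  The root CA may be PEM or DER.
verify_chain() {  # $1 = chain PEM, $2 = root CA file, $3 = expected FQDN
  ca_pem=$(mktemp) || return 1
  if cert_to_pem "$2" >"$ca_pem"; then
    openssl verify -CAfile "$ca_pem" -untrusted "$1" -verify_hostname "$3" "$1" >/dev/null 2>&1
    rc=$?
  else
    rc=1
  fi
  rm -f "$ca_pem"
  return "$rc"
}

# cert_summary: subject, issuer and validity of the leaf, the first things to
# read when the ACM rejects the certificate.
cert_summary() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

if [ "$#" -gt 0 ]; then   # usage: script.sh <fqdn> [port] [root-ca.cer]; no args = functions only
  host=$1; port=${2:-$LDAP_PORT}; ca=${3:-$CA_CERT}; chain=$(mktemp)
  fetch_chain "$host" "$port" "$chain" || { echo "no certificate received from $host:$port"; exit 1; }
  cert_summary "$chain"
  if verify_chain "$chain" "$ca" "$host"; then
    echo "OK   chain verifies against $ca and matches $host"
  else
    echo "FAIL chain does not verify against $ca for $host (wrong/expired CA, missing intermediate, or name mismatch)"
  fi
  rm -f "$chain"
fi
```

A chain that verifies here but is still rejected by the ACM usually means the ACM was given an intermediate rather than the root, or a DER file where PEM was expected; `cert_to_pem` on the uploaded file shows which.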
Validating the Query Username and Search Group with PowerShell on the AD Domain Controller (External Active Directory LDAP type)
PowerShell on the Active Directory server can be used to fetch the user and group objects in DN format and confirm the values entered in the ACM:
- The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects.
- The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from Active Directory.
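The same validation done from the ACM side with ldapsearch instead of the PowerShell cmdlets, as an added example that is not from the product guide: it binds as the query user over LDAPS, reads the user's memberOf and the admin group's groupType, and tests them against the rules from the validation-failures list (UPN format, direct membership, Global scope, Security type). The URI, user, DNs, CA path and password file below are all assumptions; a constructed LDIF sample is included so the checks run without a directory.

```shell
#!/usr/bin/env bash
# Added example, not from the product guide.  Every value here is an assumption.
LDAP_URI="${LDAP_URI:-ldaps://dc.amer.lan:636}"            # assumed LDAPS URI (FQDN, not IP)
BIND_USER="${BIND_USER:-ldapquery@amer.lan}"               # assumed query user in UPN format
BASE_DN="${BASE_DN:-DC=amer,DC=lan}"                        # assumed base DN
ADMIN_GROUP_DN="${ADMIN_GROUP_DN:-CN=IDPA-Admins,OU=Groups,DC=amer,DC=lan}"  # assumed group DN
CA_CERT="${CA_CERT:-/tmp/rootca.cer}"                       # assumed root CA, PEM encoded
PW_FILE="${PW_FILE:-$HOME/.ldapquery.pw}"                   # assumed password file (chmod 600);
                                                            # create with printf '%s' so it has no trailing newline,
                                                            # ldapsearch -y uses the file content verbatim

# ldap_query: simple bind (-x) as the query user over LDAPS, trusting CA_CERT,
# and return unwrapped LDIF for one search.  Needs the network; the checks below do not.
ldap_query() {  # $1 = search base, $2 = scope (base|sub), $3 = filter, rest = attributes
  base=$1; scope=$2; filter=$3; shift 3
  LDAPTLS_CACERT="$CA_CERT" ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" \
    -D "$BIND_USER" -y "$PW_FILE" -b "$base" -s "$scope" "$filter" "$@"
}

# ldif_attr: print every value of attribute $2 in LDIF text $1 (attribute names
# are case-insensitive; base64 "::" values are not decoded).
ldif_attr() {
  printf '%s\n' "$1" | awk -v a="$2" 'BEGIN { a = tolower(a) }
    index(tolower($0), a ": ") == 1 { print substr($0, length(a) + 3) }'
}

# check_upn: the query user must be user@domain, not DOMAIN\user or a DN.
check_upn() { case "$1" in ?*@?*) return 0 ;; *) return 1 ;; esac; }

# check_direct_member: 0 if the user's memberOf lists the admin group itself.
# memberOf holds direct memberships only, so a user that reaches the group
# through a nested group fails here, matching the "nested group" rule above.
check_direct_member() {  # $1 = user LDIF, $2 = admin group DN
  ldif_attr "$1" memberOf | awk -v g="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($0) == g { found = 1 } END { exit !found }'
}

# check_group_type: 0 if the AD group is Global scope and Security type.
# AD stores both in groupType as a signed 32-bit bitmask: 0x80000000 =
# security-enabled, 0x2 = global (0x4 = domain local, 0x8 = universal).
check_group_type() {  # $1 = group LDIF
  gt=$(ldif_attr "$1" groupType)
  [ -n "$gt" ] || return 1
  u=$(( (gt + 4294967296) % 4294967296 ))       # signed -> unsigned 32-bit
  [ $(( u & 2147483648 )) -ne 0 ] && [ $(( u & 2 )) -ne 0 ]
}

# Constructed sample LDIF in the shape ldapsearch returns from AD (not real output).
SAMPLE_USER_LDIF='dn: CN=ldapquery,OU=Service Accounts,DC=amer,DC=lan
userPrincipalName: ldapquery@amer.lan
memberOf: CN=IDPA-Admins,OU=Groups,DC=amer,DC=lan
memberOf: CN=Domain Users,CN=Users,DC=amer,DC=lan'
SAMPLE_GROUP_LDIF='dn: CN=IDPA-Admins,OU=Groups,DC=amer,DC=lan
groupType: -2147483646
member: CN=ldapquery,OU=Service Accounts,DC=amer,DC=lan'

report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; fi; }

if [ "$1" = "--live" ]; then   # query the real directory; otherwise use the sample
  user_ldif=$(ldap_query "$BASE_DN" sub "(userPrincipalName=$BIND_USER)" userPrincipalName memberOf)
  group_ldif=$(ldap_query "$ADMIN_GROUP_DN" base '(objectClass=group)' groupType)
else
  user_ldif=$SAMPLE_USER_LDIF; group_ldif=$SAMPLE_GROUP_LDIF
fi
report check_upn "$BIND_USER"
report check_direct_member "$user_ldif" "$ADMIN_GROUP_DN"
report check_group_type "$group_ldif"
```

If the live bind itself fails, fix that first with the plain ldapsearch commands above; the three checks only make sense once the query user can authenticate.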
Steps to update external LDAP query user password
If the LDAP query user's password changes on the external AD/OpenLDAP server, update it on the ACM through the same "Configure external LDAP" dialog.
This step is mandatory; until it is done the ACM reports the "LDAP password out of sync" error.
Troubleshooting Logs
When troubleshooting LDAP issues, analyze the following log on the ACM for configuration, integration, and validation errors:
- /usr/local/dataprotection/var/configmgr/server_data/logs/server.log
Also analyze the logs on the component where the LDAP configuration failed, together with server.log from the ACM:
Functionality | Log location
ACM/Component products – LDAP validation, configuration, integration, and monitoring | /usr/local/dataprotection/var/configmgr/server_data/logs/server.log
Data Protection Central (DPC) – LDAP configuration and authentication | /var/log/dpc/elg/elg.log
Search – LDAP configuration and authentication | /usr/local/search/log/cis/cis.log
Protection Software (Avamar) – LDAP configuration and authentication | /usr/local/avamar/var/mc/server_log/userauthentication.log
Protection Storage (Data Domain) – LDAP configuration and authentication | /ddr/var/log/debug/messages.engineering
Reporting & Analytics (DPA) – LDAP configuration and authentication | /opt/emc/dpa/services/logs/server.log