NetWorker: How To configure LDAPS Authentication
Summary: General overview of configuring AD or LDAP authentication over LDAPS with NetWorker 19.x from the NetWorker Management Console's (NMC) external authority wizard. This KB can also be used for instructions on updating an existing external authority configuration. ...
Instructions
Limitations:
When configuring Active Directory LDAPS (AD over SSL), you will notice that there is no AD over SSL option for the Server Type; however, there is an LDAPS over SSL. If you are configuring AD over SSL (LDAPS), the NetWorker Web User Interface (NWUI) should be used, as this provides an "AD over SSL" option. This requires NetWorker 19.6.1.x or later. See: NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)Process
It is recommended to get the AD or LDAP configuration working over LDAP first (no SSL), then convert it to LDAPS as to rule out any potential certificate or configuration issues.To use LDAPS, you must import the CA certificate (or certificate chain) from the LDAPS server into the JAVA trust keystore. This can be done with the following procedure:
1) Open an administrative/root command prompt.
2, a) Display a list of current trusted certificates in the trust store.
keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
- If you are using NetWorker Runtime Environment for the AUTHC server's Java instance the cacerts file will be in the following locations:
- Linux: /opt/nre/java/latest/lib/security/cacerts
- Windows: C:\Program Files\NRE\java\jrex.x.x_xxx\lib\security\cacerts
- If you are using Oracle Java the cacerts file will be in the Java installation dir under /lib/security/cacerts.
- The default password for the storepass is changeit.
C:\Program Files\NRE\java\jrex.x.x_xxx\bin>keytool -list -keystore C:\Program Files\NRE\java\jrex.x.x_xxx\lib\security\cacerts -storepass changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 96 entries
emcauthctomcat, Feb 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
...
...
...
2, b) Review the list for an alias that matches your LDAPS server (this may not exist). You can use operating system grep or findstr commands with the above command to narrow the search. If there is an outdated or existing CA certificate from your LDAPS server, delete it with the following command:
3, b) The above command outputs the CA certificate or a chain of certificates in PEM format, e.g:
3, c) Copy the certificate starting from ---BEGIN CERTIFICATE--- and ending with ---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates, you must do this with each certificate.
4) Import the certificate or certificates created in 3, c into the JAVA trust keystore:
NOTE: If the NetWorker server services are not restarted, authc will not read the cacerts file, and it will not detect the imported certificates required for establishing SSL communication with the LDAP server.
7, a) If your authentication server is LDAP (Linux LDAP server) or you are using an existing Active Directory (AD) external authority configuration then perform the following. If your authentication server is Active Directory (AD) and you are creating a new external authority go to step 8.
7, b) log in to the NetWorker Management Console (NMC) with your NetWorker Administrator account. Select Setup-->Users and Roles-->External Authority.
7, c) Create or modify your existing external authority configuration, select LDAP over SSL from the Server Type drop down. This will automatically change the port from 389 to 636:
9) You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible:
10) When logged into the NMC as the default NetWorker Administrator account, open Setup-->Users and Roles-->NMC Roles. Open the properties of the Console Application Administrators role and enter the Distinguished Name
(DN) of a AD/LDAP group (collected in step 9) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the Console Security Administrators role. For AD users or groups who do not need administrative rights to the NMC Console, add their full DN in the Console User external roles.
11) Connect the NetWorker server from the NMC, open Server-->User Groups. Open the properties of the Application Administrators role and enter the Distinguished Name (DN) of a AD/LDAP group (collected in step 9) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the Security Administrators role.
12) If you want an AD/LDAP group to be able to manage External Authorities you must perform the following on the NetWorker server.
a) Open an administrative/root command prompt.
b) Using the AD group DN (collected in step 9) you want to grant FULL_CONTROL permission to run:
keytool -delete -alias ALIAS_NAME -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
- Replace ALIAS_NAME with the alias name of the LDAPS server collected from the output in 2,a.
openssl s_client -showcerts -connect LDAPS_SERVER:636
- By default, Windows hosts do not include the openssl program. If it is not possible to install OpenSSL on the NetWorker server, the certificates can be exported directly from the LDAPS server; however, it is highly recommended to use the OpenSSL utility.
- Linux typically comes with openssl installed, if you have Linux server's in the environment you can use openssl there to collect/create the certificate files. These can be copied to and used on the Windows authc server.
- If you do not have OpenSSL, and it cannot be installed have your AD admin provide one or more certificates by exporting them as Base-64 encoded x.509 format.
- Replace LDAPS_SERVER with the hostname or IP address of your LDAPS server.
3, b) The above command outputs the CA certificate or a chain of certificates in PEM format, e.g:
-----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgITbgAAAAiwkngyAQWDwwACAAAACDANBgkqhkiG9w0BAQsF
ADBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbWNs
...
7NZfi9DiEBhpFmbF8xP96qB/kTJC+29t/0VE8Fvlg87fRhs5BceIoX8nUnetNCdm
m4mGyefXz4TBTwD06opJf4NQIDo=
-----END CERTIFICATE-----
NOTE: If there is a chain of certificates the last certificate is the CA certificate. You must import each certificate in the chain in order (top down) ending with the CA certificate.
3, c) Copy the certificate starting from ---BEGIN CERTIFICATE--- and ending with ---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates, you must do this with each certificate.
4) Import the certificate or certificates created in 3, c into the JAVA trust keystore:
keytool -import -alias ALIAS_NAME -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit -file PATH_TO\CERT_FILE
- Replace ALIAS_NAME with an alias for the imported certificate. Typically this is the LDAPS server name. When importing multiple certificates for a certificate chain, each certificate must have a different ALIAS name and be imported separately. The certificate chain must also be imported in order from step 3, a (top down).
- Replace PATH_TO\CERT_FILE with the location of the cert file that you created in step 3, c.
C:\Program Files\NRE\java\jrex.x.x_xxx\bin>keytool -import -alias winsrvr2k16.emclab.local -keystore "C:\Program Files\NRE\java\jrex.x.x_xxx\lib\security\cacerts" -storepass changeit -file C:\root-ca.cer
Owner: CN=emclab-WINSRVR2K16-CA, DC=emclab, DC=local
Issuer: CN=emclab-WINSRVR2K16-CA, DC=emclab, DC=local
Serial number: 183db0ae21d3108244254c8aad129ecd
...
...
...
Trust this certificate? [no]: yes
Certificate was added to keystore
5) Confirm that the certificate is shown in the keystore:
keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
NOTE: Pipe (|) the operating system grep or findstr command to the above to narrow the result.
C:\Program Files\NRE\java\jrex.x.x_xxx\bin>keytool -list -keystore "C:\Program Files\Java\jre1.8.0_201\lib\security\cacerts" -storepass changeit | findstr winsrvr2k16
winsrvr2k16.emclab.local, Feb 20, 2019, trustedCertEntry,
6) Restart the NetWorker server services.
Linux: nsr_shutdown
service networker start
Windows: net stop nsrd
net start nsrd
service networker start
Windows: net stop nsrd
net start nsrd
NOTE: If the NetWorker server services are not restarted, authc will not read the cacerts file, and it will not detect the imported certificates required for establishing SSL communication with the LDAP server.
7, a) If your authentication server is LDAP (Linux LDAP server) or you are using an existing Active Directory (AD) external authority configuration then perform the following. If your authentication server is Active Directory (AD) and you are creating a new external authority go to step 8.
7, b) log in to the NetWorker Management Console (NMC) with your NetWorker Administrator account. Select Setup-->Users and Roles-->External Authority.
7, c) Create or modify your existing external authority configuration, select LDAP over SSL from the Server Type drop down. This will automatically change the port from 389 to 636:
NOTE: Expand the Show Advanced Options field and ensure that the correct values are set for your authentication server. See the Notes field of this KB for a table explaining the fields and values.
8, a ) There is a known issue where selecting LDAP over SSL sets the internal configuration parameter "is active directory" to false. This prevents successful AD logins even though the configuration succeeds. This can be avoided by using the method detailed in the Limitations section or by using the authc script method outlined in: https://www.dell.com/support/kbdoc/000020799
When using the AD script template the configuration should show:
root@nwserver:~/#: authc_config -u Administrator -e find-all-configs
Enter password:
The query returns 1 records.
Config Id Config Name
3 AD_over_SSL
root@nwserver:~/#: authc_config -u Administrator -e find-config -D config-id=3
Enter password:
Config Id : 3
Config Tenant Id : 1
Config Name : AD_over_SSL
Config Domain : emclab.local
Config Server Address : ldaps://winsrvr2k16.emclab.local:636/dc=emclab,dc=local
Config User DN : cn=Administrator,cn=users,dc=emclab,dc=local
Config User Group Attribute : memberOf
Config User ID Attribute : sAMAccountName
Config User Object Class : user
Config User Search Filter :
Config User Search Path :
Config Group Member Attribute: member
Config Group Name Attribute : cn
Config Group Object Class : group
Config Group Search Filter :
Config Group Search Path :
Config Object Class : objectclass
Is Active Directory : true
Config Search Subtree : true
9) You can use the authc_mgmt command on your NetWorker server to confirm that the AD/LDAP groups/users are visible:
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups -D query-tenant=tenant_name -D query-domain=domain_name
authc_mgmt -u Administrator -p NetWorker_Admin_Pass -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=ad/ldap_username e.g:
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-users -D query-tenant=default -D query-domain=emclab.local
The query returns 21 records.
User Name Full Dn Name
Administrator cn=Administrator,cn=Users,dc=emclab,dc=local
Guest cn=Guest,cn=Users,dc=emclab,dc=local
...
...
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups -D query-tenant=default -D query-domain=emclab.local
The query returns 55 records.
Group Name Full Dn Name
Administrators cn=Administrators,cn=Builtin,dc=emclab,dc=local
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
...
...
authc_mgmt -u Administrator -p Pa$$w0rd01 -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=emclab.local -D user-name=bkupadmin
The query returns 5 records.
Group Name Full Dn Name
Domain Admins cn=Domain Admins,cn=Users,dc=emclab,dc=local
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
...
...
NOTE: On some systems, the authc commands may fail with an "incorrect password" error even when the correct password is given. This is due to the password being specified as visible text with the "-p" option. If you encounter this, remove "-p password" from the commands. You will be prompted to enter the password hidden after running the command.
10) When logged into the NMC as the default NetWorker Administrator account, open Setup-->Users and Roles-->NMC Roles. Open the properties of the Console Application Administrators role and enter the Distinguished Name
(DN) of a AD/LDAP group (collected in step 9) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the Console Security Administrators role. For AD users or groups who do not need administrative rights to the NMC Console, add their full DN in the Console User external roles.
NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, do not delete this.
11) Connect the NetWorker server from the NMC, open Server-->User Groups. Open the properties of the Application Administrators role and enter the Distinguished Name (DN) of a AD/LDAP group (collected in step 9) in the external roles field. For users who require the same level permissions as the default NetWorker Administrator account, you must specify the AD/LDAP group DN in the Security Administrators role.
NOTE: By default there is already the DN of the NetWorker server's LOCAL Administrators group, do not delete this.
12) If you want an AD/LDAP group to be able to manage External Authorities you must perform the following on the NetWorker server.
a) Open an administrative/root command prompt.
b) Using the AD group DN (collected in step 9) you want to grant FULL_CONTROL permission to run:
authc_config -u Administrator -p NetWorker_Admin_Pass -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="AD/LDAP_group_dn" e.g:
authc_config -u Administrator -p Pa$$w0rd01 -e add-permission -D permission-name=FULL_CONTROL -D permission-group-dn="cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local"
Permission FULL_CONTROL is created successfully.
authc_config -u Administrator -p Pa$$w0rd01 -e find-all-permissions
The query returns 2 records.
Permission Id Permission Name Group DN Pattern Group DN
1 FULL_CONTROL ^cn=Administrators,cn=Groups.*$
2 FULL_CONTROL cn=NetWorker_Admins,cn=Users,dc=emclab..
Additional Information
For additional information see the NetWorker Security Configuration Guide available through: https://www.dell.com/support/home/product-support/product/networker/docs
Configuration values:
NetWorker: How To use authc_config scripts to configure LDAPS Authentication
Configuration values:
| Server Type | Select LDAP if the authentication server is a Linux/UNIX LDAP server, Active Directory if you are using a Microsoft Active Directory server. |
| Authority Name | Provide a name for this external authentication authority. This name can be whatever you want it to be, it is only to differentiate between other authorities when multiple are configured. |
| Provider Server Name | This field should contain the Fully Qualified Domain Name (FQDN) of your AD or LDAP server. |
| Tenant | Tenants can be used in environments where more than one authentication method may be used and/or when multiple authorities must be configured. By default, the "default" tenant is selected. The use of tenants alters your log-in method. When the default tenant is used, you can log in to the NMC using "domain\user" if a tenant other than the default tenant is used you must specify "tenant\domain\user" when logging into the NMC. |
| Domain | Specify your full domain name (excluding a hostname). Typically this is your base DN which is consisted of your Domain Component (DC) values of your domain. |
| Port Number | For LDAP and AD integration use port 389. For LDAP over SSL use port 636. These ports are non-NetWorker default ports on the AD/LDAP server. |
| User DN | Specify the Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory. Specify the relative DN of the user account, or the full DN if overriding the value set in the Domain field. |
| User DN Password | Specify the password of the user account specified. |
| Group Object Class | The object class that identifies groups in the LDAP or AD hierarchy.
|
| Group Search Path | This field can be left blank in which case authc is capable of querying the full domain. Permissions still must be granted for NMC/ NetWorker server access before these users/groups can log in the NMC and manage the NetWorker server. Specify the relative path to the domain instead of full DN. |
| Group Name Attribute | The attribute that identifies the group name. For example, cn. |
| Group Member Attribute | The group membership of the user within a group.
|
| User Object Class | The object class that identifies the users in the LDAP or AD hierarchy. For example, inetOrgPerson or user |
| User Search Path | Like Group Search Path this field can be left blank in which case authc is capable of querying the full domain. Specify the relative path to the domain instead of full DN. |
| User ID Attribute | The user ID that is associated with the user object in the LDAP or AD hierarchy.
|
NetWorker: How To use authc_config scripts to configure LDAPS Authentication
Affected Products
NetWorkerArticle Properties
Article Number: 000156132
Article Type: How To
Last Modified: 10 Oct 2023
Version: 10
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.
Article Properties
Article Number: 000156132
Article Type: How To
Last Modified: 10 Oct 2023
Version: 10
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.