Configuring LDAP authentication for NetWorker Management Console
This article provides the steps necessary to enable and configure LDAP authentication for the NetWorker Management Console (NMC).
Once you set up LDAP authentication you can't use the built in administrator account to log on NMC unless you reset it again (Check at the end of the article how to reset it back again)
Setting up LDAP authentication
- In the Users container of your active directory, create a new user that you wish to use for the NMC login, for the benefit of this article we will use
nsradmin, - Launch Management Console,
- Select the Setup button,
- Select Setup frmo the pulldown menu,
- Select Configure Login Authentication,
- Select , then click Next,
- Click Add and then provide information in the following Attributes:
- Authority Name: Any Name of this LDAP authority. ( let's say LDAP).
- Type: The types of protocol used. For example: LDAP-v3 or AD.
- Provider Server Name: Hostnames or IP addresses of the LDAP server to use for authentication. NOTE: Use the FQDN or IP address of the domain controller
- Distinguished Name: The distinguished name (DN) of the privileged account used to perform operations, such as searching users and groups, on the LDAP directory. There is no default value. An example distinguished name in the prescribed format is:
cn=nsradmin,cn=Users,dc=domain,dc=root
NOTE: spaces are only allowed within this attribute - Password: This is the password created in step 1 for the account created called nsradmin
- User Search Path: The distinguished name (dn) at which to begin user searches on the node. For example:
cn=Users,dc=domain,dc=root
- Group Search Path: The distinguished name (dn) at which to begin group searches on the node. For example:
cn=Users,dc=domain,dc=root
- Group Name Attribute: The attribute identifying the group name. The default attribute is cn.
- LDAP Timeout (millisecond): Timeout for the LDAP calls. (default is (30000).
- In the Advanced section provide the following:
- User ID Attribute: The attribute identifying the user login ID in Active Directory (AD), the attribute used for user account names is typically a SAMAccountName. For other directories, the default user id uid is often used. So specify this attribute as SAMAccountName
- User Object Class: specify this attribute as User
- Group Object Class: specify this attribute as group
- Group Member Attribute: specify this attribute as member
- Protocol: Protocol to use is LDAP or LDAPS (SSL)
- Port Number: The port number of the LDAP service. Valid values are 1 through 65535 (default values: LDAP is 389 and LDAPS is 636), then click Next
- On the Setup Console Security Administrator Role screen, under External Roles , you have to specify and add the logon name of at least one account or group from Active Directory, The users or groups added must be located in active directory where the search paths were defined, for example
cn=Users,dc=domain,dc=root
click Finish
- Restart the EMC GST Service.
You should now be able to login using the account specified in the External Roles. You can add more users and groups in the External roles (one external role per line)
Reset NMC authentication
If you run into an issue using LDAP authentication where you cannot login, you can override to the internal authentication or reset it back again to the internal authentication, by performing the following steps:
- Navigate to the following directory:
<NMC_install_path>/cst
- Create a zero-byte file with the name authoverride with no extension
- For UNIX and Linux systems:
# touch /opt/gst/cst/authoverride
- For Windows:
C:> copy con D:\networker\gst\cst\authoverride (press Ctrl+Z to create the empty file)
- For UNIX and Linux systems:
- Restart the EMC GST Service
Now you should be able to login back in using the internal defined accounts used previously before attempting the Configure Login Authentication wizard.