NetWorker: AD/LDAP External Authentication Integration - Troubleshooting issues with login or missing information

Article Number: 516681    Article Version: 4    Article Type: Break Fix
   

 


Product:

NetWorker, NetWorker 9.0, NetWorker 9.1, NetWorker 9.2, NetWorker Management Console

 

Issue:

 

 

  •  Errors and warnings logged in daemon.raw and the NMC UI
  •  nsrlogin command fails or returns errors
  •  AD or LDAP queries return no results
  •  AD or LDAP queries return incomplete responses

 

 

Cause:

 

 

Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) directories provide centrally managed authentication and group membership for an enterprise.

    NetWorker can be configured to authenticate users against AD or LDAP, and to authorise NetWorker operations from the directory groups those users belong to, instead of the legacy local user database maintained by the product itself.

    However, incorrect or missing configuration parameters in NetWorker cause the AD/LDAP queries to return incomplete results, or none at all.

 

 

Resolution:

 

 

   

       When troubleshooting AD/LDAP integration issues with NetWorker, use the authc_config and authc_mgmt commands on the NetWorker server.
       Examples of these commands follow. To see all available options, run each command with no additional arguments.

   

      How to find and update your configuration details   

   

       Run the following commands to output your configuration details, using the NetWorker Authentication Service administrator account (Administrator in the examples below):

   

       authc_config -u Administrator -p password -e find-all-configs
       authc_config -u Administrator -p password -e find-all-tenants
       authc_config -u Administrator -p password -e find-config -D config-id=#

   

       Note: On some systems, passing the password in plain text with -p results in an incorrect password error. Re-run the command without the -p password argument and it prompts for the password instead; this is also preferable in general, because a password given on the command line is visible in process listings and shell history. Replace the # in the third command with the Config Id reported by the first command. The Tenant Name reported by the second command (default below) and the Config Domain reported by the third (lab below) are the values passed as query-tenant and query-domain in the authc_mgmt commands later in this article.

   
       [root@nsrsvr ~]# authc_config -u Administrator -e find-all-configs
       Enter password:
       The query returns 1 records.
       Config Id Config Name
       1         lab
       [root@nsrsvr ~]# authc_config -u Administrator -e find-all-tenants
       Enter password:
       The query returns 1 records.
       Tenant Id Tenant Name
       1         default
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       Config Id                    : 1
       Config Tenant Id             : 1
       Config Name                  : lab
       Config Domain                : lab
       Config Server Address        : ldap://winldap.lab.loc:389/DC=lab,DC=loc
       Config User DN               : CN=Administrator,CN=Users,DC=lab,DC=loc
       Config User Group Attribute  : memberOf
       Config User ID Attribute     : sAMAccountName
       Config User Object Class     : user
       Config User Search Filter    :
       Config User Search Path      : CN=Users
       Config Group Member Attribute: member
       Config Group Name Attribute  : cn
       Config Group Object Class    : group
       Config Group Search Filter   :
       Config Group Search Path     : CN=NetWorker Admins
       Config Object Class          : objectClass
       Is Active Directory          : true
       Config Search Subtree        : true
   
     
       The above example shows the configuration of a working lab environment with external AD authentication. The server address, the bind user (Config User DN) and the user/group search paths are specific to each environment; the remaining values are the standard AD attribute and object class names and will be the same in most AD deployments. To correct a wrong value, start from the default script templates:
   
          
   
       Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\scripts\
       Linux:   /opt/nsr/authc-server/scripts/

       Populate the script with your values, and change the -e add-config argument to -e update-config so that the existing configuration is modified rather than a second one added.

       Note: for AD use the authc-create-ad-config template and for LDAP the authc-create-ldap-config template. Once populated, remove the .template suffix from the file name and run the script from an administrative (Windows) or root (Linux) command prompt. The populated script contains the bind account's password, so restrict its file permissions and remove it when you are done.
     
          
   

      Issue 1: Incorrect Config User ID Attribute   

   

       An incorrect or empty value in this field results in an empty User Name column when querying AD/LDAP users. That column shows the name a user types at login, so when it is blank NetWorker has no login name to match and the account is reported as invalid. To retrieve these values, run:

   

      authc_mgmt -u Administrator -p password -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name     
          

   
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config User ID Attribute     :
       ...
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
       Enter password:
       The query returns 13 records.
       User Name Full Dn Name
                 cn=Administrator,cn=Users,dc=lab,dc=loc
                 cn=Guest,cn=Users,dc=lab,dc=loc
                 cn=krbtgt,cn=Users,dc=lab,dc=loc
       ...
   
     
       Note that the User Name column is blank. The attribute holding the unique user ID of a user object is commonly uid (LDAP) or sAMAccountName (AD). Setting this value in the configuration corrects the names reported in the User Name column:
        
       [root@rhel7 ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config User ID Attribute     : sAMAccountName
       ...
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
       Enter password:
       The query returns 13 records.
       User Name     Full Dn Name
       Administrator cn=Administrator,cn=Users,dc=lab,dc=loc
       Guest         cn=Guest,cn=Users,dc=lab,dc=loc
       krbtgt        cn=krbtgt,cn=Users,dc=lab,dc=loc
       jblog         cn=Joe Bloggs,cn=Users,dc=lab,dc=loc
       ...
   

     
     
       Issue 2: Config User Object Class empty or incorrect

   

       An incorrect or empty value in this field causes the user query to return 0 records. Use these commands to test for this symptom and its cause:

       authc_config -u Administrator -e find-config -D config-id=1
       authc_mgmt -u Administrator -p password -e query-ldap-users -D query-tenant=tenant_name -D query-domain=domain_name

   
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
       Enter password:
       The query returns 0 records.
       User Name Full Dn Name
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config User Object Class     :
       ...
   
     
       The object class that identifies user entries in the directory hierarchy is commonly inetOrgPerson (LDAP) or user (AD).
       Update the configuration with the appropriate value and re-run the query to confirm that user names and DNs are now reported:
          
   
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config User Object Class     : user
       ...
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=default -D query-domain=lab
       Enter password:
       The query returns 13 records.
       User Name     Full Dn Name
       Administrator cn=Administrator,cn=Users,dc=lab,dc=loc
       Guest         cn=Guest,cn=Users,dc=lab,dc=loc
       krbtgt        cn=krbtgt,cn=Users,dc=lab,dc=loc
       jblog         cn=Joe Bloggs,cn=Users,dc=lab,dc=loc
       ...
   
     
       An incorrect Config User Search Path is another potential cause of missing users. This is a DN that specifies where the authentication service searches for users in the LDAP or AD hierarchy. Specify a search path relative to the base DN given in the config-server-address option (in the lab example above the base DN is DC=lab,DC=loc and the user search path is CN=Users); for a default AD domain, cn=users is the usual value. Confirm with your directory administrator that this field is correct.
   

     
      Issue 3: Config Group Name Attribute is empty or incorrect   

   

     
       An incorrect or empty value in this field results in an empty Group Name column when querying the AD/LDAP groups of a user. The following commands check for the symptom and its cause:

       authc_mgmt -u Administrator -p password -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=AD_username
       authc_config -u Administrator -e find-config -D config-id=1

   
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=jblog
       Enter password:
       The query returns 1 records.
       Group Name Full Dn Name
                  cn=NetWorker Admins,dc=lab,dc=loc
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config Group Name Attribute  :
       ...
   
     
       The attribute that holds the group name (cn in both AD and most LDAP schemas) is missing. Update the configuration with this value and confirm that group names are now listed in the Group Name column:
        
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config Group Name Attribute  : cn
       ...
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=kloud
       Enter password:
       The query returns 1 records.
       Group Name       Full Dn Name
       NetWorker Admins cn=NetWorker Admins,dc=lab,dc=loc
   

     
     
       Issue 4: Config Group Object Class is empty or incorrect

   
       An incorrect or empty value in this field causes the group query for a user to return 0 records. Use these commands to test for the symptom and its cause:

       authc_mgmt -u Administrator -p password -e query-ldap-groups-for-user -D query-tenant=tenant_name -D query-domain=domain_name -D user-name=AD_username
       authc_config -u Administrator -e find-config -D config-id=1
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=kloud
       Enter password:
       The query returns 0 records.
       Group Name Full Dn Name
       Configuration lab is updated successfully.
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       ...
       Config Group Object Class    :
       ...
   
     
       The object class that identifies group entries in the directory hierarchy is commonly groupOfNames or groupOfUniqueNames (LDAP) and group (AD).
       Update the configuration with the appropriate value; group names and group DNs should now be listed:
        
       [root@nsrsvr ~]# authc_config -u Administrator -e find-config -D config-id=1
       Enter password:
       ...
       Config Group Object Class    : group
       ...
       [root@nsrsvr ~]# authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=default -D query-domain=lab -D user-name=jblog
       Enter password:
       The query returns 1 records.
       Group Name       Full Dn Name
       NetWorker Admins cn=NetWorker Admins,dc=lab,dc=loc
   
     
       Other potential causes for groups not to appear are:

  1.  The AD user specified in the authc_mgmt command is not a member of any AD group. Test other usernames and check with your AD administrator to confirm user/group membership.
  2.  The Config Group Search Path value is incorrect. This is a DN that specifies where the authentication service searches for groups in the directory hierarchy. Specify a search path relative to the base DN given in the config-server-address option (CN=NetWorker Admins in the lab example above).
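       The checks in the "How to find and update" section and in Issues 1 to 4 all come down to reading the find-config output and spotting an empty attribute. The following script is an added example, not part of this article or of the NetWorker product: it parses find-config output in the key/colon/value layout shown above, reports each of the four required attributes with the authc_mgmt symptom its absence produces and the value this article recommends, and chooses the AD or LDAP recommendation from the Is Active Directory flag. The sample output embedded in it is constructed from the lab configuration above with two fields blanked; on a real server, pipe the actual command output into check_authc_config instead.

```shell
#!/bin/sh
# Added example (not from the KB article or NetWorker): parse the output of
#   authc_config -u Administrator -e find-config -D config-id=<n>
# and flag the empty fields behind Issues 1-4. On a server, pipe the real output in:
#   authc_config -u Administrator -e find-config -D config-id=1 | check_authc_config

# check_authc_config: reads find-config output on stdin; returns 1 if any of
# the four required attributes is empty or absent, 0 otherwise.
check_authc_config() {
    awk '
    # Key/value lines look like "Config User ID Attribute     : sAMAccountName".
    # Split on the first colon only: the server address contains colons as well.
    /^Config |^Is Active Directory/ {
        p = index($0, ":")
        key = substr($0, 1, p - 1); sub(/[ \t]+$/, "", key)
        val = substr($0, p + 1);    gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        cfg[key] = val
    }
    # Register a required field with its symptom when empty and the recommended value.
    function need(k, sym, rec) { req[++n] = k; symptom[k] = sym; advice[k] = rec }
    END {
        ad = (cfg["Is Active Directory"] == "true")
        # Recommended values are the ones the article gives for AD and LDAP.
        need("Config User ID Attribute",    "query-ldap-users shows a blank User Name column",
             ad ? "sAMAccountName" : "uid")
        need("Config User Object Class",    "query-ldap-users returns 0 records",
             ad ? "user" : "inetOrgPerson")
        need("Config Group Name Attribute", "query-ldap-groups-for-user shows a blank Group Name column",
             "cn")
        need("Config Group Object Class",   "query-ldap-groups-for-user returns 0 records",
             ad ? "group" : "groupOfNames or groupOfUniqueNames")
        bad = 0
        for (i = 1; i <= n; i++) {
            k = req[i]
            if (!(k in cfg)) {
                printf "MISSING  %-28s not present in output\n", k; bad++
            } else if (cfg[k] == "") {
                printf "EMPTY    %-28s symptom: %s; set it to %s\n", k, symptom[k], advice[k]; bad++
            } else {
                printf "OK       %-28s = %s\n", k, cfg[k]
            }
        }
        # Search paths are relative to the base DN in config-server-address; an
        # empty one is not necessarily wrong, so only warn about it.
        if (cfg["Config User Search Path"] == "")
            print "WARN     Config User Search Path is empty (a default AD domain uses cn=users)"
        if (cfg["Config Group Search Path"] == "")
            print "WARN     Config Group Search Path is empty: confirm it with the directory admin"
        exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed sample: the lab configuration from the article with the User Object
# Class and Group Name Attribute fields blanked (the Issue 2 and Issue 3 states).
SAMPLE_BAD='Enter password:
Config Id                    : 1
Config Tenant Id             : 1
Config Name                  : lab
Config Domain                : lab
Config Server Address        : ldap://winldap.lab.loc:389/DC=lab,DC=loc
Config User DN               : CN=Administrator,CN=Users,DC=lab,DC=loc
Config User Group Attribute  : memberOf
Config User ID Attribute     : sAMAccountName
Config User Object Class     :
Config User Search Filter    :
Config User Search Path      : CN=Users
Config Group Member Attribute: member
Config Group Name Attribute  :
Config Group Object Class    : group
Config Group Search Filter   :
Config Group Search Path     : CN=NetWorker Admins
Config Object Class          : objectClass
Is Active Directory          : true
Config Search Subtree        : true'

printf '%s\n' "$SAMPLE_BAD" | check_authc_config \
    || echo "=> fix the EMPTY fields with update-config, then re-run the authc_mgmt query"
```

       The script only reads; it never calls update-config. Fix the reported fields in the populated authc-create-ad-config or authc-create-ldap-config script as described above, then run the check again until it exits 0 before re-testing with authc_mgmt.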
                                                             

 

 

Notes:

 

 

This KB covers resolving common errors and issues with AD/LDAP integration. For more information on the parameters and required fields in the AD/LDAP configuration scripts, see the NetWorker Security Configuration Guide.

    See also: Quick Tips: How To Setup LDAP/AD authentication in NetWorker 9.0