Adding AD or LDAP domains in NetBackup
NetBackup supports Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) domain users.
If an AD domain or an LDAP domain is added in NetBackup, the respective domain users can log on to a NetBackup primary server, and the Security Administrator can assign role-based access control (RBAC) roles to these domain users.
See RBAC features.
The following procedure describes how to add an existing AD or LDAP domain in NetBackup and authenticate the domain users to access NetBackup.
To add an AD domain or an LDAP domain in NetBackup
- Run the following command to add an AD domain or an LDAP domain in the NetBackup primary server:
vssat addldapdomain -d DomainName -s server_URL -u user_base_DN -g group_base_DN [-f trusted_CA_file_name] [-tp TLS_protocol_version_to_be_disabled] [-cs cipher_suite_list] [-t rfc2307 | msad | {-c user_object_class -a user_attribute -q user_GID_attribute -un user_display_name_attribute -ui user_ID_attribute[:value_type] -ud user_description_attribute -x group_object_class -y group_attribute -z group_GID_attribute -gn group_display_name_attribute -gi group_ID_attribute[:value_type] -gd group_description_attribute [-k DN | UID]]} [-b FLAT | BOB] -m admin_user_DN [-w admin_user_password] [-p SUB | ONE | BASE] [-F]
Note:
Ensure that the user name that is specified in the -m option has the required rights to query the AD or the LDAP server.
In case of LDAPS, if the Authentication Service (nbatd) does not trust the certificate authority (CA) that has signed the server's certificate, use the -f option to add the CA certificate in the nbatd trust store.
See Certificate authorities trusted by the NetBackup Authentication Service.
For more information about the vssat command, see the NetBackup Commands Reference Guide.
Contact your AD administrator for the correct values for these command-line options. The values may vary based on how your AD is set up.
An example to add an AD domain:
vssat addldapdomain -d domain1 -s ldap://domain1.veritas.com -u "CN=Users,DC=domain1,DC=veritas,DC=com" -g "CN=Users,DC=domain1,DC=veritas,DC=com" -t msad -m "CN=user1,CN=Users,DC=domain1,DC=veritas,DC=com" -b BOB
- Run the vssat validateprpl command on the primary server to verify whether the specified AD or LDAP domain was added successfully:
vssat validateprpl -p username -d ldap:domain_name -b localhost:1556:nbatd
An example to validate an AD or LDAP domain:
vssat validateprpl -p user1 -d ldap:domain1 -b localhost:1556:nbatd
The domain name must match the one that is used in the addldapdomain command option.
For more information about the vssat command, see the NetBackup Commands Reference Guide.
If the AD or LDAP domain is added but the vssat validateprpl or vssat validategroup command fails, you need to carry out certain troubleshooting steps to resolve the issue.
See Troubleshooting AD or LDAP domain configuration issues.
This procedure is applicable only to AD/LDAP domain users. Local OS users and the PAM authentication type are not supported.
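The two steps above, as an added example that is not Veritas code: a small POSIX shell wrapper that assembles the vssat addldapdomain and vssat validateprpl commands from the page's example values and checks, before anything is run, the settings that protect the admin bind (an ldaps:// URL, and a readable CA file for the -f option). The ldaps:// URL and the CA file are constructed placeholders; the script only prints the commands, so you can review them before running them on the primary server.

```shell
#!/bin/sh
# Added example, not Veritas code: build the "vssat addldapdomain" command from
# this page's example values and refuse settings that weaken the admin bind.
# The ldaps:// URL and the CA file path are constructed placeholders.

# Usage: build_addldapdomain_cmd domain url user_base_dn group_base_dn admin_dn ca_file
# Prints the command on success; returns 1 with a reason on stderr otherwise.
build_addldapdomain_cmd() {
  domain=$1; url=$2; user_base=$3; group_base=$4; admin_dn=$5; ca_file=$6

  # The -m account's password is sent in the LDAP bind. Over plain ldap:// a
  # simple bind is not encrypted by the URL scheme itself, so only ldaps://
  # is accepted here.
  case $url in
    ldaps://*) ;;
    *) echo "refusing '$url': use an ldaps:// URL so the bind is encrypted" >&2
       return 1 ;;
  esac

  # For LDAPS the page notes that nbatd must trust the CA that signed the
  # server certificate; -f adds it to the nbatd trust store, so the file
  # must exist and be readable before the command is run.
  if [ ! -r "$ca_file" ]; then
    echo "CA file '$ca_file' not readable; LDAPS needs -f <trusted_CA_file>" >&2
    return 1
  fi

  # -w is left out on purpose: the page lists it as optional, and omitting it
  # keeps the admin password out of shell history and process listings
  # (vssat is assumed to ask for it interactively instead).
  printf 'vssat addldapdomain -d %s -s %s -u "%s" -g "%s" -t msad -m "%s" -b BOB -f %s\n' \
    "$domain" "$url" "$user_base" "$group_base" "$admin_dn" "$ca_file"
}

# Step 2 of the procedure: validate one domain user against the new domain.
# Usage: build_validateprpl_cmd domain username
build_validateprpl_cmd() {
  printf 'vssat validateprpl -p %s -d ldap:%s -b localhost:1556:nbatd\n' "$2" "$1"
}

# Demo with the page's example DNs, a constructed ldaps:// URL and a temporary
# empty file standing in for the CA certificate.
demo_ca=$(mktemp); : > "$demo_ca"
build_addldapdomain_cmd domain1 "ldaps://domain1.veritas.com" \
  "CN=Users,DC=domain1,DC=veritas,DC=com" "CN=Users,DC=domain1,DC=veritas,DC=com" \
  "CN=user1,CN=Users,DC=domain1,DC=veritas,DC=com" "$demo_ca"
build_validateprpl_cmd domain1 user1
rm -f "$demo_ca"
```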
Starting with NetBackup 10.5, in Cloud Scale deployment, the nbatd containerized service runs on a separate Kubernetes Pod cluster server instead of the primary server Kubernetes Pod. Therefore, the existing AD/LDAP domain configuration on the primary server Kubernetes Pod does not work. You must reconfigure the AD/LDAP domain.
To reconfigure the AD/LDAP domain
- Delete the existing AD/LDAP domain from the nbatd Kubernetes Pod.
- Add AD/LDAP domains in NetBackup.