Troubleshooting AD or LDAP domain configuration issues
After you added an AD or LDAP domain configuration, verify the configuration using the vssat validateprpl and vssat validategroup commands. The commands validate the existing AD / LDAP user and group respectively.
A successful execution of the vssat validateprpl and the vssat validategroup commands implies that the associated AD or LDAP domain is successfully added.
For information about these commands, see the NetBackup Commands Reference Guide.
If the commands fail, the following error message is displayed:
The principal or group does not exist.
Validation of AD or LDAP domain can fail because of any of the following reasons:
Connection cannot be established with the AD or LDAP server
Invalid user credentials
Invalid user base DN or group base DN
Multiple users or groups exist with the same name under the user base DN or the group base DN
User or group does not exist
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
(authldap.cpp) CAuthLDAP::validatePrpl - ldap_simple_bind_s() failed for user 'CN=Test User,OU=VTRSUsers,DC=VRTS,DC=com', error = -1, errmsg = Can't contact LDAP server,9:debugmsgs,1
- Check if any of the following scenarios is true and carry out the steps provided for that scenario.
The LDAP server URL (-s option) that is provided with the vssat addldapdomain may be wrong
Run the following command to validate:
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds>
Example:
ldapsearch -H ldaps://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 -o nettimeout=60
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized. ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The server certificate issuer is not a trusted CA
This is applicable if the ldaps option is used and can be validated using the ldapsearch command:
set env var LDAPTLS_CACERT to cacert.pem
ldapsearch -H <LDAPS_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds>
File path for
cacert.pem:On Windows:
<Install_path>\NetBackup\var\global\vxss\eab\data\systemprofile\certstore\trusted\pluggins\ldap\cacert.pem
On Unix:
/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/cacert.pem
Example:
ldapsearch -H ldaps://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 -o nettimeout=60
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized.. ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The NetBackup Authentication Service (nbatd) does not trust the certificate authority that has signed the LDAP server's security certificate
See Certificate authorities trusted by the NetBackup Authentication Service.
Use the -f option of the vssat addldapdomain command to add the CA certificate in the Authentication Service (nbatd) trust store.
TLS cipher suite list that is provided for the LDAP server may be wrong
By default, NetBackup authentication service communicates with the LDAP server using the cipher suite list:
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA"
Run the following command to view the TLS cipher suite list that is provided for the LDAP server:
On UNIX:
/usr/openv/netbackup/sec/at/bin/vssat listldapdomains
On Windows:
Install_path\NetBackup\sec\at\bin\vssat listldapdomains
Use any utility like sslscan to find out the cipher suites that the LDAP server supports.
Modify the value of TLS cipher suite list as required for the LDAP server by running the following command:
On UNIX:
/usr/openv/netbackup/sec/at/bin/vssregctl -s -f /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf -b "Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k "SSLCipherSuite" -t string -v LDAP_server_supported_cipher_suites
On Windows:
Install_path\NetBackup\sec\at\bin\vssregctl -s -f Install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf -b "Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k "SSLCipherSuite" -t string -v LDAP_server_supported_cipher_suites
Example:
/usr/openv/netbackup/sec/at/bin/vssregctl -s -f /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf -b "Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\example.veritas.com" -k "SSLCipherSuite" -t string -v "DHE-RSA-AES256-SHA:AES256-GCM-SHA384"
TLS protocol version that is disabled for the LDAP server may be wrong
By default, NetBackup authentication service communicates with the LDAP server using the TLS 1.2 or later protocol. TLS protocols with versions earlier than 1.2 are disabled.
Run the following command to view the TLS protocol version that is disabled for the LDAP server.
On UNIX:
/usr/openv/netbackup/sec/at/bin/vssat listldapdomains
On Windows:
Install_path\NetBackup\sec\at\bin\vssat listldapdomains
Modify the value of TLS protocol version that is disabled for the LDAP server using the given command. The specified version and all the earlier versions of the TLS protocol are disabled. Supported values are: "SSLv2", "SSLv3", "TLSv1" and "TLSv1.1".
Run the following command:
On UNIX:
/usr/openv/netbackup/sec/at/bin/vssregctl -s -f /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf -b "Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k "DisableTLSProtocol" -t string -v TLS_protocol_version_to_be_disabled
On Windows:
Install_path\NetBackup\sec\at\bin\vssregctl -s -f Install_path\NetBackup\var\global\vxss\eab\data\systemprofile\VRTSatlocal.conf -b "Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\LDAP_server_name" -k "DisableTLSProtocol" -t string -v TLS_protocol_version_to_be_disabled
Example:
/usr/openv/netbackup/sec/at/bin/vssregctl -s -f /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/VRTSatlocal.conf -b "Security\Authentication\Authentication Broker\AtPlugins\ldap\ServerInfos\example.veritas.com" -k "DisableTLSProtocol" -t string -v "TLSv1"
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - ldap_simple_bind_s() failed for user 'CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com', error = 49, errmsg = Invalid credentials,9:debugmsgs,1
- Check if the following scenario is true and carry out the steps provided for the scenario.
Invalid admin user DN or password provided while adding an LDAP domain using the vssat addldapdomain command
Run the following command to validate:
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds>
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** -d 5 - o nettimeout=60 ldap_bind: Invalid credentials (49)
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - ldap_search_s() error = 10, errmsg = Referral,9:debugmsgs,1 CAuthLDAP::validatePrpl - ldap_search_s() error = 34, errmsg = Invalid DN syntax,9:debugmsgs,1
- You may see the errors in the logs if user base DN (the -u option) or group base DN (the -g option) values are incorrect.
Run the following command to validate:
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "OU=VRTSUsers,DC=VRTS,DC=con" "(&(cn=test user)(objectClass=user))"
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "VRTS" "(&(cn=test user)(objectClass=user))"
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validateGroup - search returned '2' entries for group name 'team_noone', even with referrals set to OFF,9:debugmsgs,1
- This is applicable if user search attribute (-a option) and group search attribute (-y option) do not have unique values for the existing user base DN and group base DN respectively.
Validate the number of matching entries for the existing base DN using the ldapsearch command.
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds> -b <BASE_DN> <search_filter>
Example:
ldapsearch -H ldap://example.veritas.com:389 -D "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ****** -b "DC=VRTS,DC=com" "(&(cn=test user)(objectClass=user))" # LDAPv3 # base <DC=VRTS,DC=com> with scope subtree # filter: (cn=Test User) # requesting: ALL # Test User, VRTSUsers, VRTS.com dn: CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com # Test User, RsvUsers, VRTS.com dn: CN=Test User,OU=RsvUsers,DC=VRTS,DC=com # numEntries: 2
To troubleshoot the issue
- Check if the nbatd logs contain the following error:
CAuthLDAP::validatePrpl - user 'test user' NOT found,9:debugmsgs,4 CAuthLDAP::validateGroup - group 'test group' NOT found,9:debugmsgs,4
- If a user or group exists in the LDAP domain, but the vssat validateprpl or the vssat validategroup command fails with this error, validate if the user or the group exists in the current base DNs (-u and -g options) using the following command.
ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> -d <debug_level> -o nettimeout=<seconds> -b <BASE_DN> <search_filter>