Skip to content

How to Enable and Configure LDAP Authentication Login for NetWorker Management Console

November 28, 2011

IMPORTANT NOTE: once you set up LDAP authentication you can’t use the built in administrator account to log on NMC unless you reset it again (Check at the end of the article how to reset it back again)

  1. Create a user as an example called NsrValley where its logon name is NsrValley in the “Users” Container in the Active Directory.
  2. Launch Management Console.
  3. Select Setup Button.
  4. Select Setup Pull-Down Menu.
  5. Select Configure Login Authentication
  6. Select External Repository and click Next
  7. Click Add and then provide information in the following Attributes:
  • Authority Name: Any Name of this LDAP authority. ( let’s say LDAP).
  • Type: The types of protocol used. Example: LDAP-v3 or AD.
  • Provider Server Name: Hostnames or IP addresses of the LDAP server to use for authentication. Put the domain controller FQDN or the IP address of it. (let’s say as an example dc.domain.root)
  • Distinguished Name:Distinguished name (DN) of the privileged account used to perform operations, such as searching users and groups, on the LDAP directory. There is no default value. An example distinguished name in the prescribed format is: “cn=NsrValley,cn=Users,dc=domain,dc=root “                      Note: Spaces are only allowed within this attribute
  • Password: Password created above for the account created called NsrValley
  • User Search Path: The distinguished name (dn) at which to begin user searches on the node.  Example: cn=Users,dc=domain,dc=root
  • Group Search Path: The distinguished name (dn) at which to begin group searches on the node.   Example: cn=Users,dc=domain,dc=root
  • Group Name Attribute: Attribute identifying the group name. The default attribute is cn.
  • LDAP Timeout (millisecond): Timeout for the LDAP calls. The default timeout is (30000).

In the Advanced section provide the following:

  • User ID Attribute: Attribute identifying the user login ID in Active Directory (AD), the attribute used for user account names is typically sAMAccountName. For other directories, the default user id uid is often used. So specify this attribute as  sAMAccountName
  • User Object Class: specify this attribute as User
  • Group Object Class: specify this attribute as group
  • Group Member Attribute: specify this attribute as member
  • Protocol: Protocol to use is LDAP or LDAPS (SSL)
  • Port Number: The port number of the LDAP service. Valid values are 1 through 65535. Value for LDAP is 389 and for LDAPS is 636.
  • Click Next
  • On the “Setup Console Security Administrator Role” screen, under External Roles , you have to specify and add the logon name of at least one account or group from Active Directory, The users or groups added must be located in active directory where the search paths were defined (Like in our example cn=Users,dc=domain,dc=root)
  • Click Finish
  • Restart the EMC GST Service.
  • You should now be able to login using the account specified in the External Roles. You can add more users and groups in the External roles (one external role per line)

If you run into an issue and can’t login, you can override to the internal authentication or reset it back again to the internal authentication, you have to perform the following steps:

  • Navigate to the following directory

  <NMC install path>\cst

  • Create a zero-byte file with the following name and with no extension


  • Restart “EMC GST Service”
  • Now you should be able to login back in using the internal defined accounts used previously before attempting the “Configure Login Authentication” wizard

From → Procedures

  1. PeLe permalink

    Good article, but also not complete. But scanning the net and putting the pieces together made it work for me. However, the last bit, disabling it, didn’t work… But that seems to be rather important, as in Emergency Restore Situations it is very likely, there is no AD or LDAP working to validate the logins…
    We are using NetWorker 8.0 and I’ve created the “zero-file” in the /cst directory and restarted the service. But the internal login still doesn’t work. Anything missing here?
    Thanks in advance,

  2. PeLe permalink

    fixed, I worked with the “wrong” /cst directory. Never mind.

  3. Manny permalink

    Really appreciate for putting this article together.

  4. Really helpful article. I only hope EMC support personnel are as knowledgeable…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: