NetBackup IT Analytics Security and Encryption Reference

Last Published:
Product(s): NetBackup IT Analytics (11.6)

AD/LDAP Configuration

NetBackup IT Analytics supports user authentication, and optionally authorization, against Active Directory (AD) or an LDAP (Lightweight Directory Access Protocol) directory.

AD/LDAP authentication and authorization are configured through parameters in the portal.properties file.

AD/LDAP configuration properties

The AD/LDAP configuration supports the following properties, which are set in the portal.properties file.

OS specific portal.properties file location:

  • Linux: /opt/aptare/portalconf/portal.properties

  • Windows: C:\opt\aptare\portalconf\portal.properties

Table: AD/LDAP Configuration Properties (each entry gives the property name, followed by its description)

ldap.enabled

To enable LDAP, set this property to true.

Supported Values: true | false

ldap.searchBase

  • The location in the directory from which searches for users are performed, often called the Active Directory (AD) Search Base.

  • It is the starting point in the directory tree for locating LDAP users, written in LDAP distinguished name (DN) format and normally derived from the fully qualified domain name. NetBackup IT Analytics supports only one search base, so choose one that contains every user who needs Portal access.

Example: dc=example,dc=company,dc=com

ldap.url

  • Set to the host and port of your AD or LDAP server. The value starts with the ldap:// scheme; if you use SSL, change the scheme to ldaps://.

  • If you use Active Directory, you may prefer the global catalog port 3268 to the standard port 389. Note that a global catalog search only returns attributes that are replicated to the global catalog.

  • If you use SSL, use port 3269 for the secure global catalog or 636 for standard LDAPS.

  • With the ldap:// scheme the simple bind performed with ldap.dn and ldap.password crosses the network in cleartext, so prefer ldaps:// wherever the directory supports it.

Example: ldap://example.company.com:389 OR ldaps://example.company.com:636

ldap.dn

  • Set to the distinguished name of an account that has permission to search under ldap.searchBase. This account must be able to search every LDAP directory server the Portal contacts.

  • The account needs read and search rights on the Base DN (Distinguished Name) within the Active Directory structure. It may be the Administrator account that was created when Active Directory was installed, or an account that was created later and given the required rights directly or through group membership. Because its password is stored in portal.properties, a dedicated service account with read-only access to the search base is preferable to a full administrator.

  • If you use Active Directory, this setting is mandatory: Active Directory does not allow anonymous binds, so the username and password of a user with enough privilege to search the directory are required.

Example:

ldap.dn=CN=Admin,CN=Users,DC=example,DC=company,DC=com

ldap.password

Set to the password of the user specified in ldap.dn. When you restart the Portal Tomcat service after configuring LDAP, this property is emptied and the encrypted value is written to ldap.password.encrypted. Until that restart the password is stored in cleartext, so keep portal.properties readable only by the Portal service account.

ldap.password.encrypted

Set when you restart the Portal Tomcat service after configuring LDAP; it holds the encrypted value of the ldap.password property.

ldap.loginAttribute

The attribute whose value is compared with the login name at authentication time: sAMAccountName for Active Directory, or uid for most other LDAP directories.

Example: ldap.loginAttribute=sAMAccountName

ldap.authorization

If set to true, the Portal authorizes the user against the AD groups of which the user is a member.

At least one AD group of which the new user is a member must be configured as a User Group in the Portal.

Note:

If none of the user's AD groups is mapped to a User Group in the Portal, login fails with the error: "No user group mapping present for external LDAP user."

Supported Values: true | false

ldap.newUserDomain

Name of the Portal domain in which a new user is created on first login. It is used only if ldap.authorization is set to true.

To find the domain name in the Portal, navigate to Admin > Domains > Domain Name.

Example: ldap.newUserDomain=example.company.com

ldap.keystore

If SSL support is enabled for LDAP, this property must hold:

  • The path of the keystore that contains the AD certificate (or the CA certificate that issued it).

  • A file readable by the Portal service: on Linux, owned by the aptare user and tomcat group (aptare:tomcat).

Note:

If SSL is not enabled for LDAP, then this must be commented out.

ldap.keystore.password

Password for the keystore set in the ldap.keystore property. When you restart the Portal Tomcat service after configuring LDAP, this property is emptied and the encrypted value is written to ldap.keystore.password.encrypted.

Note:

If SSL is not enabled for LDAP, then this must be commented out.

ldap.keystore.password.encrypted

Set when you restart the Portal Tomcat service after configuring LDAP; it holds the encrypted value of the ldap.keystore.password property.

Note:

If SSL is not enabled for LDAP, then this must be commented out.

ldap.disable.user.attribute.name

(Available from 11.0)

The name of the AD attribute that indicates whether a user is active or inactive. During Portal authentication via AD, the REST API reads this attribute to check whether the user is still an active AD user.

For example, if ad.user.active is the AD attribute that indicates whether a user is active or disabled, set ldap.disable.user.attribute.name=ad.user.active.

ldap.disable.user.attribute.value

(Available from 11.0)

Its value must equal the value of the AD attribute named in ldap.disable.user.attribute.name that indicates the AD user is disabled.

For example, if ad.user.active is the attribute for user status in AD, it may carry several values such as live, inactive, joined, and so on. If the value inactive indicates that the user is disabled in AD, set ldap.disable.user.attribute.value=inactive.

The REST API compares this value with the value of the AD attribute named in ldap.disable.user.attribute.name. If the values match, the user is disabled on the NetBackup IT Analytics Portal.

Note:

The comparison is an exact match against a single value. In a stock Active Directory schema the disabled state is the ACCOUNTDISABLE bit (0x2) of userAccountControl, whose decimal value also encodes other flags (514 for a disabled normal account, 66050 if the password is additionally set never to expire), so one configured value does not identify every disabled account. The property pair fits best with an attribute that carries a discrete status value, as in the example above.

Note:

A user who was deactivated in both AD and the Portal and is later reactivated only in AD is not reactivated in the Portal automatically. A Portal super user, or a Portal administrator with adequate privileges, must explicitly activate that user; until then the user's Portal access remains restricted.

To configure AD/LDAP for authorization as well as authentication, a Portal Administrator must create at least one User Group in the Portal that corresponds to a group present in AD/LDAP.
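The ldap.disable.user.attribute.name / ldap.disable.user.attribute.value check described above, simulated in Python as an added example (not NetBackup IT Analytics code). It also goes beyond the text by contrasting the exact-value comparison with a bit test on userAccountControl, which is how a stock AD schema records the disabled state. The directory entries, user names and the ad.user.active attribute are constructed.

```python
"""Simulate the ldap.disable.user.attribute.name / .value check.

Added illustration, not NetBackup IT Analytics code. The directory entries
are constructed; 'ad.user.active' is the page's hypothetical attribute.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name -> values, as an LDAP search returns them

UF_ACCOUNTDISABLE = 0x0002  # ACCOUNTDISABLE bit of AD's userAccountControl


def disabled_by_exact_match(entry: Entry, attr_name: str, disabled_value: str) -> bool:
    """The comparison the two properties describe: the user is treated as
    disabled only when the attribute holds exactly the configured value."""
    return disabled_value in entry.get(attr_name, [])


def disabled_by_uac_bit(entry: Entry) -> bool:
    """Bit test for a stock AD schema, where the disabled state is one flag
    among several packed into userAccountControl."""
    values = entry.get("userAccountControl", [])
    return bool(values) and int(values[0]) & UF_ACCOUNTDISABLE != 0


# Constructed entries (not real directory data).
USERS: Dict[str, Entry] = {
    "alice": {"sAMAccountName": ["alice"], "ad.user.active": ["live"],
              "userAccountControl": ["512"]},        # normal, enabled
    "bob":   {"sAMAccountName": ["bob"], "ad.user.active": ["inactive"],
              "userAccountControl": ["514"]},        # normal, disabled
    # disabled AND password-never-expires: 0x10000 | 0x200 | 0x2 = 66050
    "carol": {"sAMAccountName": ["carol"], "ad.user.active": ["inactive"],
              "userAccountControl": ["66050"]},
}


def portal_decision(user: str, attr_name: str = "ad.user.active",
                    disabled_value: str = "inactive") -> str:
    """Outcome of the Portal-side check for one user: 'disabled' or 'allowed'."""
    entry = USERS[user]
    return "disabled" if disabled_by_exact_match(entry, attr_name, disabled_value) else "allowed"


if __name__ == "__main__":
    for name, entry in USERS.items():
        print(name, portal_decision(name), "| uac bit says disabled:", disabled_by_uac_bit(entry))
```

With the discrete ad.user.active attribute every disabled user is caught. Pointing the same exact-match check at userAccountControl with the value 514 catches bob but not carol, whose account is also disabled; only the bit test sees both.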

LDAP support over SSL

If the AD server presents a self-signed certificate, or one issued by a certificate authority (CA) that the Portal's Java runtime does not already trust, create a keystore containing that certificate (or the issuing CA certificate) and reference it through the LDAP keystore properties in the portal.properties file. You can skip this if the certificate chains to a CA already trusted by the Java runtime.
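As an added example (not vendor code), a small Python linter that reads the ldap.* properties from a portal.properties file and flags the weak settings discussed in this section: a cleartext ldap:// URL, keystore properties left in place without SSL, secrets not yet moved into the *.encrypted properties, authorization without ldap.newUserDomain, and a built-in admin account used for the bind. The property names are the documented ones; both sample files, the check wording, the service-account name and the placeholder encrypted values are constructed.

```python
"""Lint the AD/LDAP settings in a NetBackup IT Analytics portal.properties.

Added example, not vendor code. The property names are those documented
above; the checks, their wording and both sample files are constructed.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (property, problem)

# Constructed: what a first-cut, plaintext configuration often looks like.
WEAK = """\
ldap.enabled=true
ldap.searchBase=dc=example,dc=company,dc=com
ldap.url=ldap://example.company.com:389
ldap.dn=CN=Administrator,CN=Users,DC=example,DC=company,DC=com
ldap.password=Secret123
ldap.loginAttribute=sAMAccountName
ldap.authorization=true
ldap.keystore=/opt/aptare/portalconf/ldap.jks
ldap.keystore.password=changeit
"""

# Constructed: LDAPS, read-only service account, secrets already moved into the
# *.encrypted properties by the Portal Tomcat restart (placeholder values).
HARDENED = """\
ldap.enabled=true
ldap.searchBase=dc=example,dc=company,dc=com
ldap.url=ldaps://example.company.com:636
ldap.dn=CN=svc-itanalytics,OU=Service Accounts,DC=example,DC=company,DC=com
ldap.password=
ldap.password.encrypted=ENCRYPTED_PLACEHOLDER
ldap.loginAttribute=sAMAccountName
ldap.authorization=true
ldap.newUserDomain=example.company.com
ldap.keystore=/opt/aptare/portalconf/ldap.jks
ldap.keystore.password=
ldap.keystore.password.encrypted=ENCRYPTED_PLACEHOLDER
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comment lines, key=value or
    key:value, trailing-backslash continuation, surrounding whitespace stripped."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical += line
        if logical.endswith("\\"):
            logical = logical[:-1]  # continued on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def lint_ldap(props: Dict[str, str]) -> List[Finding]:
    """Return the security and consistency problems found in the ldap.* settings."""
    out: List[Finding] = []
    if props.get("ldap.enabled", "false").lower() != "true":
        return out  # nothing to check while LDAP is off
    for key in ("ldap.searchBase", "ldap.url", "ldap.dn", "ldap.loginAttribute"):
        if not props.get(key):
            out.append((key, "required when ldap.enabled=true"))
    url = props.get("ldap.url", "")
    ssl = url.lower().startswith("ldaps://")
    if url and not ssl:
        out.append(("ldap.url", "ldap:// sends the ldap.dn bind password in cleartext; use ldaps:// (636 or 3269)"))
    keystore_keys = [k for k in ("ldap.keystore", "ldap.keystore.password",
                                 "ldap.keystore.password.encrypted") if k in props]
    if ssl and "ldap.keystore" not in props:
        out.append(("ldap.keystore", "ldaps:// without a keystore only works if the AD certificate chains to a CA the JVM already trusts"))
    if not ssl:
        for k in keystore_keys:
            out.append((k, "must be commented out when SSL is not enabled for LDAP"))
    for k in ("ldap.password", "ldap.keystore.password"):
        if props.get(k):
            out.append((k, "plaintext secret still present; restart the Portal Tomcat service to move it into " + k + ".encrypted"))
    if props.get("ldap.authorization", "false").lower() == "true" and not props.get("ldap.newUserDomain"):
        out.append(("ldap.newUserDomain", "required when ldap.authorization=true"))
    if re.match(r"cn=admin(istrator)?,", props.get("ldap.dn", ""), re.I):
        out.append(("ldap.dn", "built-in admin used as bind identity; a service account with read/search rights on the search base is enough"))
    return out


if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, lint_ldap(parse_properties(text)) or "clean")
```

Run it against a copy of the real file before restarting the Portal Tomcat service; the hardened sample produces no findings, the weak one produces seven.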