How to determine what LDAP settings to use when installing Protection Engine 9.x using the Windows Active Directory-based authentication option

Article ID: 270669

Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS

Issue/Introduction

When installing Symantec Protection Engine (SPE) for NAS 9.x with the "Windows Active Directory-based authentication" option selected, the installer asks for several values taken from Active Directory (URL, Base DN and Group DN), and it is not obvious what belongs in each of these fields.

Environment

SPE 9.x

Resolution

Here is a hypothetical domain for this exercise.

  • Domain:  example.com
  • Domain Group: {the group the console user must be a member of}:   <Group Name>.example.com

During Installation Wizard

Below are examples of the settings needed to use when Windows Active Directory-based authentication is selected during SPE installation.

Active Directory URL

Example:

 <Server Name>.example.com

This should be the nearest LDAP server (domain controller) holding a copy of the directory.  The following command can be used to locate that server.

nltest /dsgetdc:example.com

Example output

C:\<user>\<User Name> >nltest /dsgetdc:example.com
DC: \\<Server Name>.example.com
Address:  \\###.###.###.###

Enable Secure Connection

This won't be covered in this example. If this box is checked, the next field (Active Directory Port) must be set to 636 (or whatever port the server/domain admin has established as the secure port), and you will also need to obtain the SSL certificate required to connect to it.

Active Directory Port

  • Default: 389
  • Secure: 636

The most common is port 389.  If the domain is one of several domains with bidirectional trusts established between them, port 3269 (the Global Catalog port) might also work.

Active Directory Base DN

Example:

dc=example,dc=com

This contains the root elements of your domain.

Active Directory Group DN

Example:

CN=<Group Name>,OU=<OU Name>,DC=example,DC=com

To find the group DN for your environment, two options are available: dsquery or Get-ADPrincipalGroupMembership.

Using dsquery (command prompt)

dsquery is a command-line tool built into Windows.  It is available when the Active Directory Domain Services server role is installed.  From an elevated command prompt, type:

dsquery group -name "<Group Name>"

Example output

Using Get-ADPrincipalGroupMembership (PowerShell)

Get-ADPrincipalGroupMembership is another command that can be used.  Below are examples of the PowerShell command; the -Identity parameter may be needed.

Get-ADPrincipalGroupMembership <User Name>

or

Get-ADPrincipalGroupMembership -Identity <User Name>

Completed Example

These settings are added to the #LDAP Configuration section of C:\Program Files\Symantec\Scan Engine\RestAPI\Application.properties during install.

Existing SPE Installation

If SPE is already installed and you need to modify the LDAP settings, this can be done by changing the settings in the SPE REST API configuration file named Application.properties.  By default, this file is located in

C:\Program Files\Symantec\Scan Engine\RestAPI

Scroll down to the #LDAP Configuration section of Application.properties and update it as needed.  Below is an example of the LDAP Configuration section of Application.properties.

#LDAP Configuration
sperestapi.ldap.enabled=true
sperestapi.ldap.url=<Server Name>.example.com
sperestapi.ldap.port=636
sperestapi.ldap.basedn=dc=example,dc=com
sperestapi.ldap.groupdn=cn=<Group Name>,ou=<OU Name>,dc=example,dc=com
sperestapi.ldap.ssl.enabled=true
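As an added example that is not part of this article or of Symantec's tooling, a small Python checker for the sperestapi.ldap.* keys shown above. The server, group and OU names in the embedded sample are constructed; the rules it applies (port 636 requires ssl.enabled=true, basedn is derived from the domain part of the URL, groupdn names a group and sits under basedn) follow this article's guidance.

```python
# Constructed sample of the #LDAP Configuration section (server, group and OU names are made up)
SAMPLE = """#LDAP Configuration
sperestapi.ldap.enabled=true
sperestapi.ldap.url=dc01.example.com
sperestapi.ldap.port=636
sperestapi.ldap.basedn=dc=example,dc=com
sperestapi.ldap.groupdn=cn=SPE Console Admins,ou=Groups,dc=example,dc=com
sperestapi.ldap.ssl.enabled=true
"""

def parse_properties(text):
    """Parse key=value lines; '#' lines are comments and a value may itself contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def base_dn_from_host(url):
    """dc01.example.com -> dc=example,dc=com: drop the host label, keep the domain labels."""
    host = url.split("://")[-1].split(":")[0].lower()
    return ",".join(f"dc={label}" for label in host.split(".")[1:])

def check_ldap_config(text):
    """Return a list of findings (empty when the LDAP section is consistent)."""
    p = parse_properties(text)
    url = p.get("sperestapi.ldap.url", "")
    port = p.get("sperestapi.ldap.port", "")
    ssl = p.get("sperestapi.ldap.ssl.enabled", "false").lower() == "true"
    base = p.get("sperestapi.ldap.basedn", "").lower().replace(", ", ",")
    group = p.get("sperestapi.ldap.groupdn", "").lower().replace(", ", ",")
    findings = []
    if p.get("sperestapi.ldap.enabled", "false").lower() != "true":
        findings.append("sperestapi.ldap.enabled is not true")
    if port == "636" and not ssl:          # the secure port needs the secure-connection flag
        findings.append("port 636 requires sperestapi.ldap.ssl.enabled=true")
    if not ssl:                            # caveat: a simple bind on port 389 is sent in cleartext
        findings.append("ssl.enabled=false: bind credentials cross the network unencrypted")
    # Skip the domain check when the URL is a bare IP address (no domain labels to derive from)
    if url and base and not url.replace(".", "").isdigit() and base_dn_from_host(url) != base:
        findings.append(f"basedn '{base}' does not match the domain of url '{url}'")
    if group and not group.startswith("cn="):
        findings.append("groupdn should start with the group's cn=, not a user or an OU")
    if group and base and not group.endswith("," + base):
        findings.append("groupdn is not located under basedn")
    return findings
```

Run it against the #LDAP Configuration section of your own Application.properties before restarting the REST API service; an empty list means the keys are at least mutually consistent.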

These settings can be updated manually if you receive error messages when trying to add an SPE server to an SPE console.  You may encounter an error like

Failed to add following server(s): <ip address or name>. Reason: Authentication failed due to invalid LDAP configurations.

An example error message from the SPE Console when adding an SPE server

After making any changes to Application.properties, the Symantec Protection Engine REST API service must be restarted for the changes to take effect.

Windows

  • Open Services Manager, restart Symantec Protection Engine REST API

Linux

  • Run the command /etc/init.d/symcrestapiservice restart