LDAP/Active Directory - Authentication


Bacula Enterprise Only

This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.

Note

If you run into trouble with this method, use the Configure the HTTPD method instead.

  1. Edit the /opt/bweb/etc/httpd.conf file and comment out the htpasswd backend, which would otherwise stay active:

    #auth.backend = "htpasswd"
    #auth.backend.htpasswd.userfile = "/opt/bweb/etc/htpasswd.bweb"
    
  2. Add the following for an LDAP server (typically on Linux):

    server.modules += ( "mod_authn_ldap" )
    auth.backend = "ldap"
    auth.backend.ldap.hostname = "192.168.1.8" <--- change to your LDAP server
    auth.backend.ldap.base-dn = "ou=people,dc=my-domain,dc=com" <--- change to the subtree that holds your users
    auth.backend.ldap.filter = "(uid=$)" <--- "$" is replaced with the login name
    auth.backend.ldap.bind-dn = "cn=admin,dc=my-domain,dc=com" <--- account BWeb binds as to look up users
    auth.backend.ldap.bind-pw = "xxxxxx" <--- its password
    
    # "disable" for requiring passwords, "enable" for allowing empty passwords
    auth.backend.ldap.allow-empty-pw = "disable"

    The bind account only needs read access to the user subtree, so use a dedicated service account rather than a directory administrator. Its password sits in clear text in httpd.conf, so keep that file readable only by root and the BWeb service user. Leave allow-empty-pw at "disable": an empty password turns the login into an unauthenticated bind, which some directories (Active Directory among them) answer with success.
    

    or

    Add the following for an Active Directory server (Windows):

    server.modules += ( "mod_authn_ldap" )
    auth.backend = "ldap"
    auth.backend.ldap.hostname = "192.168.1.8" <--- change to your domain controller
    
    auth.backend.ldap.base-dn = "ou=Users,dc=supportlab,dc=baculasystems,dc=com" <--- change to the OU or container that holds your users (in a default domain the built-in container is CN=Users, not OU=Users)
    
    auth.backend.ldap.filter = "(cn=?)" <--- change to the Active Directory attribute the login name is compared against (users normally log on with sAMAccountName; cn is usually the user's full name)
    
    auth.backend.ldap.bind-dn = "CN=ad-admin,CN=Users,DC=supportlab,DC=baculasystems,DC=com" <--- account BWeb binds as to look up users; a read-only service account is enough
    
    auth.backend.ldap.bind-pw = "xxxxxx" <--- its password
    
    # "disable" for requiring passwords, "enable" for allowing empty passwords
    auth.backend.ldap.allow-empty-pw = "disable"
    
    
    ##### YOU CAN ALSO DO THIS ########
    
    Active Directory also accepts the down-level logon name (DOMAIN\user) as the bind identity:
    
    auth.backend.ldap.bind-dn ="SUPPORTLAB\ad-admin"
    auth.backend.ldap.bind-pw = "xxxxxx"
    

Note

To protect the bind password and the users' passwords in transit, copy the CA certificate to the BWeb server and add the following to httpd.conf. lighttpd upgrades the plain LDAP connection with STARTTLS, so hostname must point at the standard LDAP port: do not specify the LDAPS (SSL) port.

auth.backend.ldap.hostname = "192.168.1.8" <--- change to your LDAP server | DO NOT SPECIFY THE SSL PORT
auth.backend.ldap.starttls = "enable"
auth.backend.ldap.ca-file = "/etc/openldap/certs/ca.cert.pem"
auth.backend.ldap.allow-empty-pw = "disable"
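A preflight check for this configuration, added here as an example and not part of Bacula Systems' code: it parses the auth.backend.ldap.* lines out of a constructed httpd.conf fragment (the page's placeholder host, DNs and password, not a live directory), substitutes a login name into the filter with RFC 4515 escaping, builds the ldapsearch invocation that performs the same bind and search lighttpd will, and flags the weak settings discussed above (starttls off, no ca-file, LDAPS port in hostname, allow-empty-pw, placeholder password). ldapsearch, -ZZ and -W are OpenLDAP client options; the function names are the example's own.

```python
"""Preflight check for the auth.backend.ldap.* block in BWeb's
/opt/bweb/etc/httpd.conf.  Added example; not Bacula Systems code."""
import re
import shlex

# Constructed sample: the page's Linux LDAP snippet plus the STARTTLS lines.
# Host, DNs and password are the documentation placeholders, not a live server.
SAMPLE_CONF = '''
server.modules += ( "mod_authn_ldap" )
#auth.backend = "htpasswd"
auth.backend = "ldap"
auth.backend.ldap.hostname = "192.168.1.8"
auth.backend.ldap.base-dn = "ou=people,dc=my-domain,dc=com"
auth.backend.ldap.filter = "(uid=$)"
auth.backend.ldap.bind-dn = "cn=admin,dc=my-domain,dc=com"
auth.backend.ldap.bind-pw = "xxxxxx"
auth.backend.ldap.allow-empty-pw = "disable"
auth.backend.ldap.starttls = "enable"
auth.backend.ldap.ca-file = "/etc/openldap/certs/ca.cert.pem"
'''

# One lighttpd setting per line: key = "value"; commented (#...) lines do not match.
_SETTING = re.compile(r'^\s*(auth\.backend(?:\.[\w-]+)*)\s*=\s*"([^"]*)"', re.M)
_LDAP_PREFIX = "auth.backend.ldap."


def parse_ldap_auth(conf_text):
    """Map auth.backend* settings to their values, keyed without the ldap prefix."""
    settings = {}
    for key, value in _SETTING.findall(conf_text):
        if key.startswith(_LDAP_PREFIX):
            key = key[len(_LDAP_PREFIX):]
        settings[key] = value
    return settings


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldap_filter(settings, username):
    """Substitute the user into the filter as the page's snippets expect
    ("$" in the Linux example, "?" in the Active Directory one)."""
    flt = settings.get("filter", "(uid=$)")
    placeholder = "$" if "$" in flt else "?"
    return flt.replace(placeholder, escape_filter_value(username), 1)


def ldapsearch_command(settings, username):
    """ldapsearch(1) call doing the same bind and search lighttpd will do.
    -ZZ makes STARTTLS mandatory; -W prompts for bind-pw instead of exposing it in ps."""
    cmd = ["ldapsearch", "-x", "-H", "ldap://" + settings["hostname"]]
    if settings.get("starttls") == "enable":
        cmd.append("-ZZ")
    cmd += ["-D", settings["bind-dn"], "-W", "-b", settings["base-dn"], "-s", "sub",
            ldap_filter(settings, username), "1.1"]
    return cmd


def audit(settings):
    """Findings a security review of the block would raise."""
    findings = []
    if settings.get("auth.backend") != "ldap":
        findings.append('auth.backend is not "ldap"; the htpasswd line may still be active')
    if settings.get("starttls") != "enable":
        findings.append("starttls disabled: bind-pw and every user password cross the network in clear")
    elif not settings.get("ca-file"):
        findings.append("starttls enabled without ca-file: the directory's certificate is not verified")
    if settings.get("hostname", "").endswith(":636"):
        findings.append("hostname carries the LDAPS port; with starttls use the plain LDAP port")
    if settings.get("allow-empty-pw") != "disable":
        findings.append('allow-empty-pw not "disable": an empty password is an unauthenticated bind, '
                        "which Active Directory answers with success")
    if settings.get("bind-pw") in ("", "xxxxxx"):
        findings.append("bind-pw is empty or still the documentation placeholder")
    return findings


if __name__ == "__main__":
    conf = parse_ldap_auth(SAMPLE_CONF)
    print(shlex.join(ldapsearch_command(conf, "user1")))
    for finding in audit(conf):
        print("WARNING:", finding)
```

Run it against the real file (open("/opt/bweb/etc/httpd.conf").read() instead of SAMPLE_CONF) before restarting BWeb; if the printed ldapsearch call returns exactly one entry for a known user, the bind account, base-dn and filter are right, and any warning printed is a setting to fix first.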

Example slapd log of a successful login with this configuration (note the "TLS established" line before the user's BIND):

Set 09 10:26:41 po-ldap slapd[10200]: conn=1039 op=4 SRCH base="ou=People,dc=supportlab,dc=lan" scope=2 deref=0 filter="(uid=user1)"
Set 09 10:26:41 po-ldap slapd[10200]: conn=1039 op=4 SRCH attr=1.1
Set 09 10:26:41 po-ldap slapd[10200]: <= bdb_equality_candidates: (uid) not indexed
Set 09 10:26:41 po-ldap slapd[10200]: conn=1039 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 fd=22 ACCEPT from IP=10.0.110.174:58650 (IP=0.0.0.0:389)
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=0 STARTTLS
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=0 RESULT oid= err=0 text=
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 fd=22 TLS established tls_ssf=256 ssf=256   <--------------
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=1 BIND dn="uid=user1,ou=People,dc=supportlab,dc=lan" method=128
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=1 BIND dn="uid=user1,ou=People,dc=supportlab,dc=lan" mech=SIMPLE ssf=0
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=1 RESULT tag=97 err=0 text=
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=2 UNBIND
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 fd=22 closed
  3. Restart the BWeb service.

  4. Try to log in with the users "admin" and "bwebadmin" and check the logs for errors.

    The logs:

    tail -f /var/log/messages
    
    Mar 16 12:15:11 bee lighttpd: 2018-03-16 12:15:10: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: user1, IP: 192.168.1.11
    Mar 16 12:15:18 bee lighttpd: 2018-03-16 12:15:18: (mod_auth.c.525) password doesn't match for /bweb/natcompare.js username: user1, IP: 192.168.1.11
    Mar 16 12:15:52 bee lighttpd: 2018-03-16 12:15:52: (mod_auth.c.525) password doesn't match for /bweb/remove.png username: user1, IP: 192.168.1.11
    Mar 16 12:21:49 bee systemd: Stopping Bacula Enterprise Bweb...
    Mar 16 12:21:49 bee lighttpd: 2018-03-16 12:21:49: (server.c.2005) server stopped by UID = 0 PID = 1
    Mar 16 12:21:49 bee systemd: Starting Bacula Enterprise Bweb...
    Mar 16 12:21:49 bee lighttpd: 2018-03-16 12:21:49: (server.c.1412) server started (lighttpd/1.4.48)
    Mar 16 12:21:49 bee systemd: Started Bacula Enterprise Bweb.
    Mar 16 12:32:36 bee dhclient[672]: DHCPREQUEST on enp0s3 to 192.168.1.1 port 67 (xid=0x3bc9f94d)
    
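Turning that log check into detection, as an added example rather than code from the page: the script parses lighttpd's mod_auth failure lines (the excerpt above, plus two constructed lines for a second, hypothetical source address) and reports user/IP pairs that cross a failure threshold inside a sliding time window.

```python
"""Detect repeated BWeb login failures in /var/log/messages.  Added example;
not Bacula Systems code.  Input is constructed: the page's lighttpd lines plus
two hypothetical ones from a second address."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 16 12:15:11 bee lighttpd: 2018-03-16 12:15:10: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: user1, IP: 192.168.1.11
Mar 16 12:15:18 bee lighttpd: 2018-03-16 12:15:18: (mod_auth.c.525) password doesn't match for /bweb/natcompare.js username: user1, IP: 192.168.1.11
Mar 16 12:15:52 bee lighttpd: 2018-03-16 12:15:52: (mod_auth.c.525) password doesn't match for /bweb/remove.png username: user1, IP: 192.168.1.11
Mar 16 12:21:49 bee systemd: Stopping Bacula Enterprise Bweb...
Mar 16 12:21:49 bee lighttpd: 2018-03-16 12:21:49: (server.c.1412) server started (lighttpd/1.4.48)
Mar 16 12:30:00 bee lighttpd: 2018-03-16 12:30:00: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: admin, IP: 10.0.110.174
Mar 16 12:45:00 bee lighttpd: 2018-03-16 12:45:00: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: admin, IP: 10.0.110.174
"""

_FAIL = re.compile(
    r"lighttpd: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \(mod_auth\.c\.\d+\) "
    r"password doesn't match for (\S+) username: (.*?), IP: (\S+)\s*$")


def failed_logins(lines):
    """(timestamp, username, ip, path) for every mod_auth failure line.
    lighttpd's own timestamp is used, not the syslog one in front of it."""
    events = []
    for line in lines:
        m = _FAIL.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(4), m.group(2)))
    return events


def bursts(events, threshold=3, window=timedelta(minutes=1)):
    """(username, ip, count) for every user/source pair with at least
    `threshold` failure lines inside some `window` (sliding over sorted times)."""
    stamps_by_key = defaultdict(list)
    for ts, user, ip, _path in events:
        stamps_by_key[(user, ip)].append(ts)
    hits = []
    for (user, ip), stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, ip, end - start + 1))
                break
    return hits


if __name__ == "__main__":
    evts = failed_logins(SAMPLE_LOG.splitlines())
    for user, ip, n in bursts(evts):
        print("ALERT: %d failed BWeb logins for %s from %s within a minute" % (n, user, ip))
```

One failed login shows up as several lines, one per protected sub-resource the browser fetches (bweb.pl, natcompare.js, remove.png in the excerpt), so the threshold is in log lines, not attempts; set it with that in mind. In production feed the script the output of tail -f /var/log/messages instead of SAMPLE_LOG.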

Note

The LDAP users that are allowed to use BWeb must also be added to BWeb's local list of users; see the BWeb documentation on managing users for how to do it.
