
Thursday, 30 July 2015

Configuring Data Protector with LDAP

I was happily following the instructions in the Installation guide when I hit a problem: the baseCtxDN that I needed to use had a space in it (OU=Acme Corp) and the JBoss CLI interface doesn't seem to allow you to enter a value with a space in it.

The first step (on Windows) is:

jboss-cli.bat --file=ldapinit.cli

This command modifies C:\ProgramData\Omniback\config\server\appserver\standalone.xml. It is possible to edit this file by hand. In this case I had to log into Active Directory as the user dpuser, with a password of "Password-whatever".

I searched for the following:
  <login-module code="LdapExtended" flag="optional">

Then I added the following lines:

<module-option name="java.naming.provider.url" value="ldap://"/>
<module-option name="bindDN" value="cn=dpuser,OU=Users,OU=Acme Corp,DC=acme,DC=com"/>
<module-option name="bindCredential" value="Password-whatever"/>
<module-option name="rolesCtxDN" value="OU=Groups,OU=Acme Corp,DC=acme,DC=com"/>
<module-option name="baseCtxDN" value="OU=Users,OU=Acme Corp,DC=acme,DC=com"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
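To sanity-check a fragment like this before restarting the server, here is an added example (my own code, not from the post and not part of Data Protector): it parses the LdapExtended login-module options with the Python standard library, validates each DN under RFC 4514 (a space inside a value such as OU=Acme Corp is legal; only leading or trailing spaces and unescaped ',', '+', '"', '<', '>' or ';' are not) and flags the settings a reviewer would question. The XML is constructed from the post; the provider URL and the password are placeholders.

```python
# Added example, not code from the original post or from HP Data Protector.
# It reads the LdapExtended <login-module> from a standalone.xml fragment
# and reports the settings a reviewer would check before going live.
# SAMPLE_XML is constructed from the post; URL and password are placeholders.
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<security-domain name="hpdp-domain">
  <login-module code="LdapExtended" flag="optional">
    <module-option name="java.naming.provider.url" value="ldap://"/>
    <module-option name="bindDN" value="cn=dpuser,OU=Users,OU=Acme Corp,DC=acme,DC=com"/>
    <module-option name="bindCredential" value="Password-whatever"/>
    <module-option name="rolesCtxDN" value="OU=Groups,OU=Acme Corp,DC=acme,DC=com"/>
    <module-option name="baseCtxDN" value="OU=Users,OU=Acme Corp,DC=acme,DC=com"/>
    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
  </login-module>
</security-domain>"""

def split_dn(dn):
    """Split a DN on unescaped commas (RFC 4514); spaces inside a value are legal."""
    return re.findall(r"(?:[^,\\]|\\.)+", dn)

def dn_problems(dn):
    """Return syntax problems in a DN; an empty list means it parses cleanly."""
    problems = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
            problems.append(f"malformed RDN {rdn!r}")
        elif not value or value != value.strip(" "):
            problems.append(f"empty or space-padded value in {rdn!r}")
        elif re.search(r'(?<!\\)[+"<>;]', value):
            problems.append(f"unescaped special character in {rdn!r}")
    return problems

def lint_login_module(xml_text):
    """Return (options, findings) for the LdapExtended login module."""
    module = ET.fromstring(xml_text).find(".//login-module[@code='LdapExtended']")
    opts = {o.get("name"): o.get("value") for o in module.findall("module-option")}
    findings = []
    url = opts.get("java.naming.provider.url", "")
    if not re.fullmatch(r"ldaps?://[^/]+(/.*)?", url):
        findings.append(f"provider.url is empty or truncated: {url!r}")
    elif url.startswith("ldap://"):
        findings.append("provider.url is cleartext ldap://; the bind password crosses the wire unencrypted")
    if opts.get("bindCredential"):
        findings.append("bindCredential is a plaintext password in standalone.xml; restrict the file's ACL")
    for key in ("bindDN", "baseCtxDN", "rolesCtxDN"):
        findings += [f"{key}: {p}" for p in dn_problems(opts.get(key, ""))]
    return opts, findings
```

Run `lint_login_module(SAMPLE_XML)` on the fragment above: the three DNs pass, while the empty provider URL and the stored plaintext bind password are reported.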

There's something wrong with the rolesCtxDN, though, as this lets me control LDAP users, but not LDAP groups. That is, if I have a line:

"" "gregb" "@LDAP_USER" * "admin"

in the UserList file, I can log in with my credentials. But if I replace that with

"" "Administrators" "@LDAP_GROUP" * "admin"

(which is what I really wanted to do), then on login I get a message about "insufficient privileges". Good enough for now, but I'll have to revisit this.

Greg Baker is an independent consultant who happens to do a lot of work on HP DataProtector. He is the author of the only published books on HP Data Protector ( He works with HP and HP partner companies to solve the hardest big-data problems (especially around backup). See more at IFOST's DataProtector pages at