kbr
Service Provider
Posts: 37
Liked: 23 times
Joined: Oct 09, 2020 7:36 am
Full Name: Karl

Feature Request V13: LDAPS for AD integration from within V13 GUI

Post by kbr »

Currently only users that have been locally created on the V13 appliance and then added once again to the GUI can be given access. Why not build an option into the GUI to add LDAPS connectivity to, for instance, Windows AD? Currently this is a manual CLI process, which raises a lot of questions about supportability etc.
Mildur
Product Manager
Posts: 11547
Liked: 3239 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Feature Request V13: LDAPS for AD integration from within V13 GUI

Post by Mildur »

Hi Karl,

Our appliances can be joined to an Active Directory domain (Help Center). If you join the appliance to your Active Directory domain, you can assign domain users or groups permissions on the backup server.

Additionally, Veeam Backup & Replication v13 now has SAML support.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Feature Request V13: LDAPS for AD integration from within V13 GUI

Post by kbr »

Hi Fabian, I have an SR running for this for quite a while now, no clue why they did not come back with this AD join functionality. Question is, what is the impact of joining the appliance to AD? With all versions before 13 we were instructed to keep away from joining an AD because of the security implications. Is it now OK and fine to join an AD?

Re: Feature Request V13: LDAPS for AD integration from within V13 GUI

Post by Mildur »

With Windows-based backup servers (v13 and earlier), a hijacked domain administrator account could potentially log on via RDP or the command line and manipulate the system.
That is not possible on the appliance: SSH can be disabled, root access is disabled by default and must be explicitly approved by a local Security Officer account (if enabled during deployment). With immutable backup storage on a dedicated repository, the backups are protected as well.
And considering that you can enable MFA for every user connecting to the backup server on the appliance, joining a Linux-based backup server to Active Directory does not feel unsafe to me. Even if an attacker compromises your Active Directory, he can't do any damage on the appliance backup server if he doesn't have the MFA token.

Some scenarios, such as Hyper-V clusters, also require a domain-joined backup server appliance.

Best,
Fabian
Product Management Analyst @ Veeam Software