How to Configure LDAP Authentication on NetScaler

This article describes how to configure LDAP authentication on NetScaler.

Background

In this article, an LDAP authentication policy is created at a global level for the NetScaler, which all users use when authenticating. You can also create an LDAP authentication policy only for the users authenticating to the SSL VPN under the NetScaler Gateway node.

For a NetScaler to authenticate users through LDAP, create a?? LDAP policy. ?? Then,?? bind the LDAP?? policy to the target virtual server. A NetScaler appliance will default to the?? standard LDAP TCP port of 389?? or to the secure LDAP TCP port of 636 if a?? Security Type selected during?? configuration. ?? Note: If using Microsoft Active Directory Global Catalog Server, the standard port is?? 3268?? or the secure port is 3269.

Prerequisites

1. An Active Directory account that meets?? the following requirements:

At a minimum, the Bind DN account must have:

• Read access to the user objects in the LDAP directory in order to search for user accounts.
• Read access to the?? Base DN?? (for example, DC=angsupport, DC=com) with the correct attribute that is used as the?? LDAPLogin Name (for example, samAccountName).

• Read access to the group attributes in the LDAP directory.

In order to support password expiration during authentication, the Bind DN account must have?? read?? access to the following attributes in the LDAP directory

• PwdLastSet
• UserAccountControl
• msDS-User-Account-Control-Computed

In order to use an alternative Single Sign-On attribute (SSO Name Attribute), such as UPN format, the Bind DN account must have:

• Read access is required to the particular SSO Name Attribute of interest in the LDAP directory.????

2. ???? The NetScaler IP needs to be able to communicate to the LDAP server on the port that the LDAP server is listening:

• 389 for plain text LDAP
• 636 for SSL LDAP
• 3268 for plain text Global Catalog Server
• 3269 for SSL Global Catalog Server)

3. If password change is a requirement, Microsoft requires the connection to LDAP server to be SSL/TLS for password change to work. This requires the LDAP server is set up to accept TLS/SSL connections. By default, Global catalog Servers are read-only and usually cannot be used for password change. Consult your Active Directory Admin to access the?? Global Catalog Servers for password change and the domain controllers are ready to accept SSL/TLS connections. The NetScaler appliance allows password change for naturally expired passwords. New user accounts may not work until the user has logged in to the Active Directory Domain and build their profile.

To configure LDAP authentication on a NetScaler, complete the following tasks:
Note: Each of the following task can be performed either from the (GUI) graphical interface or the (CLI) command-line interface.

Create Authentication Server ??		Create Authentication Policy ??
GUI	CLI	GUI	CLI

Creating?? an Authentication Server

To add an authentication server, complete the following procedure from the graphical Interface:

1. Select?? System?? >?? Authentication?? >?? LDAP?? >?? Servers?? >?? Add.

   Or

   Select?? NetScaler Gateway?? >?? Policies?? >?? Authentication?? >?? LDAP?? >?? Sever?? >?? Add.

   You can then configure the parameters for the LDAP server in the?? Create Authentication?? dialog box, as shown in the following screen shot:

   

2. Specify the required information to define the LDAP Server. The required fields are:

   • Name*?? - Name of the server.

   • Authentication Type?? - The authentication type, in this scenario is LDAP.

   • Server?? – The IP address and TCP port used by the LDAP server.

   • Base DN?? – The base, or node from where the ldapsearch should start.

   • Bind DN?? – The full distinguished name that is used to bind to the LDAP server.

   • Bind DN Password?? – The password for the Bind DN account.

   • Confirm Bind DN Password?? – The password for the Bind DN account.

   • Login Name?? – The name attribute used by the NetScaler appliance to query the external LDAP server or an Active Directory.

   • Search Filter?? – The string to be combined with the default LDAP user search string to form the value.

   • Group Attribute Name?? – The Attribute name for group extraction from LDAP server.

   • Sub Attribute Name?? – The Sub Attribute name for group extraction from LDAP server.

   • Security Type?? – Select Plaintext for non-secure LDAP communication or select TLS or SSL for secure LDAP communication.

3. The new policy should appear

Top of Page

To add the authentication server from the CLI, run the following command from the command line interface of the appliance:

>add authentication ldapaction ldap_Server
-serverip 10.3.255.157
-ldapBase "DC=citrix,DC=com"
-ldapBindDn user@citrix.com
-ldapBindDnPassword ..dd2604527edf70
-ldapLoginName sAMAccountName -groupAttrName "memberOf "

Top of Page

Creating?? an Authentication Policy

To add the authentication policy, complete the following procedure from the graphical interface:

1. Select?? System?? >?? Authentication?? >?? LDAP?? >?? Policies?? >?? Add.
   
   Or navigate to the following section: NetScaler Gateway?? >?? Policies?? >?? Authentication?? > LDAP>?? Policies?? >?? Add.

2. Specify the following details in the?? Create Authentication Policy?? dialog box:

   • Name*?? - The name for the policy.

   • Authentication Type?? – The type of authentication used.

   • Server?? - The server defined in the preceding step.

   • Expression?? - The name of the rule or expression the policy will use.

   ???? Click Create

   ????

The new policy should appear.

???? Top of Page

To add the authentication policy from CLI, run the following command from the command line interface of the appliance:

>add authentication ldappolicy ldap-service_policy ns_true ldap_Server

Top of Page