
Creating a Citrix NetScaler LDAP Authentication Policy for Administrators


In this walkthrough we will create an LDAP policy for administrators of the NetScaler and point this new policy to our singular, private, internal Microsoft AD LDAP server.

This involves creating a server record to bind to (i.e. telling the NetScaler which server to communicate with for LDAP services) and a policy that is bound to this newly created server record. Finally, the policy and its associated server profile must be bound to the NetScaler so it knows where and when to use this LDAP policy. We will bind this policy globally, which means all users in the LDAP group specified in the policy will be able to administer the NetScaler device.

Step 1: Log into your NetScaler. Expand System > Authentication > LDAP and click the Add button.

Step 2: Give the policy a Name, e.g. 'AUTHPOL_LDAP_Administrators'. Set the Expression to 'ns_true'. Click the + to add a new LDAP Server to authenticate against.

Tip: If you keep the naming of the policies, servers and profiles consistent it is much easier to find them when you have many policies created on the NetScaler.

Step 3: Give the LDAP server profile a Name. I usually give it the imaginative name of something like 'AUTHSERVER_LDAP'. Fill out the essential information for this server profile.

Note: In this guide we are using the following recommended minimum examples:

IP Address / or Name: 192.168.1.11
Base DN: CN=Users,DC=Home,DC=Local
Admin Bind DN: admin@home.local (domain administrator account)
Admin Password: <password>
Search Filter: memberof=CN=Domain Admins,CN=Users,DC=home,DC=local
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberof
Sub Attribute Name: cn

Tip: be sure to click the Test Connection button once you have finished the setup of this LDAP server profile to ensure it connects to your LDAP server successfully.

Note: You should use appropriate LDAP details. If you are unsure, consult your AD/LDAP/Authentication team.

Step 4: Tip: You can connect to a Domain Controller or any Windows machine with the RSAT tools installed to establish your Base DN and Admin Bind DN by querying the accounts with dsquery user and dsquery group. Examples:

- If I want the NetScaler to search the Users OU in AD, I could query a user name in that OU to get their Base DN.
- If you need to obtain the group details for the 'Search Filter', query the group.

Step 5: Click Test Connection and ensure your LDAP server is reachable.

Note: the Admin Password is not copied when you duplicate these settings at a later stage, so always be sure to re-enter it when creating additional AUTHSERVERS.

Step 6: Click Create at the bottom of the 'Create Authentication LDAP Server' window.

Step 7: Click Create on the 'Create Authentication LDAP Policy' window.

Step 8: Save the NetScaler configuration. Click YES to the 'Are you sure' message.
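The Search Filter from step 3 is what restricts administrative logon to Domain Admins: the NetScaler looks the user up with the logon-name attribute AND the filter, so a user who binds successfully but is not in the group is never returned and is rejected. The following is an added illustration (not NetScaler's or Citrix's code) of that combined lookup, with constructed sample AD entries; the escaping of the typed logon name is standard RFC 4515 filter escaping and is included to show why the name must be matched literally.

```python
import re

# Server-profile values from step 3 of the walkthrough.
LOGIN_ATTR = "sAMAccountName"
SEARCH_FILTER = "memberOf=CN=Domain Admins,CN=Users,DC=home,DC=local"

# Constructed AD entries used as sample input (not real accounts).
ALICE = {"sAMAccountName": "alice",
         "memberOf": ["CN=Domain Admins,CN=Users,DC=home,DC=local",
                      "CN=Domain Users,CN=Users,DC=home,DC=local"]}
BOB = {"sAMAccountName": "bob",
       "memberOf": ["CN=Domain Users,CN=Users,DC=home,DC=local"]}


def escape_filter_value(value):
    """Escape filter metacharacters (RFC 4515) so a typed logon name is
    matched literally and cannot add its own filter terms."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def effective_filter(username, login_attr=LOGIN_ATTR, search_filter=SEARCH_FILTER):
    """The logon-name lookup ANDed with the profile's Search Filter: only an
    entry matching both terms is returned, so only group members authenticate."""
    return "(&(%s=%s)(%s))" % (login_attr, escape_filter_value(username), search_filter)


def search_matches(entry, username, login_attr=LOGIN_ATTR, search_filter=SEARCH_FILTER):
    """Emulate the directory's equality matching for the two filter terms.
    AD compares attribute names, logon names and DNs case-insensitively."""
    attrs = {k.lower(): v if isinstance(v, list) else [v] for k, v in entry.items()}
    group_attr, _, group_dn = search_filter.partition("=")
    login_ok = any(v.lower() == username.lower()
                   for v in attrs.get(login_attr.lower(), []))
    group_ok = any(v.lower() == group_dn.lower()
                   for v in attrs.get(group_attr.lower(), []))
    return login_ok and group_ok


if __name__ == "__main__":
    for entry, user in ((ALICE, "alice"), (BOB, "bob")):
        print(user, effective_filter(user), search_matches(entry, user))
```

Bob binds fine as a domain user but is filtered out of the search, which is exactly the behaviour the walkthrough relies on to keep non-administrators off the appliance.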

NetScaler SSH Command References:

Create LDAP Server:
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

Create LDAP Policy:
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP

Note: the server command as captured above does not carry the Search Filter configured in step 3 (the CLI parameter is -searchFilter). Without it, any user who can bind to the directory would be accepted as an administrator, so check that the filter is present in your running configuration before binding the policy globally.

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud
