Creating a NetScaler LDAP Authentication Policy for Administrators
In this walkthrough we will create an LDAP authentication policy for administrators of the NetScaler and point it at a single, private, internal Microsoft Active Directory domain controller acting as the LDAP server.
This involves creating an LDAP server profile (telling the NetScaler which server to talk to for LDAP), creating a policy that references that server profile, and finally binding the policy, with its server profile, to the NetScaler so it knows when to use it. We will bind the policy globally, which means it is evaluated for every management login to the appliance; only accounts that match the group given in the server profile's search filter will authenticate and be able to administer the device.
1. Log into your NetScaler.
Expand System > Authentication > LDAP
and click the Add button.
2. Give the policy a Name.
Set the Expression to ns_true.
Click the + to add a new LDAP Server to authenticate against.
Tip: if you keep the naming of policies, server profiles and related objects consistent, they are much easier to find once you have many policies on the NetScaler.
3. Give the LDAP server profile a Name.
I usually give it a plain name that matches the CLI reference at the end of this guide, such as AUTHSERVER_LDAP.
Fill out the essential information for this server profile.
Note: in this guide we are using the following example values; substitute your own.
IP Address / or Name: 192.168.1.11
Base DN: CN=Users,DC=Home,DC=Local
Admin Bind DN: firstname.lastname@example.org (this guide uses a domain administrator account; the bind account only needs read access to the users and groups under the Base DN, so a dedicated, unprivileged service account is the safer choice)
Admin Password: <password>
Search Filter: memberof=CN=Domain Admins,CN=Users,DC=home,DC=local
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberof
Sub Attribute Name: cn
Note: the search filter is ANDed with the logon-name lookup, so only accounts that are direct members of the named group can authenticate. The Group Attribute and Sub Attribute Name extract the CN of each group the user belongs to, which is what the NetScaler matches against its system groups. This profile uses plain LDAP on port 389 unless you set Security Type to SSL (port 636) or TLS, so with the defaults the bind password and every administrator's password cross the network unencrypted.
Tip: once the server profile is filled in, click Test Connection to confirm the NetScaler can reach and bind to your LDAP server.
Note: You should use appropriate LDAP details. If you are unsure consult with your AD/LDAP/Authentication team.
4. Tip: on a Domain Controller, or any Windows machine with the RSAT tools installed, you can establish the exact Base DN and Admin Bind DN by querying the accounts with dsquery user and dsquery group. Examples:
If you want the NetScaler to search the Users container in AD, query an account in that container (dsquery user -samid <logon name>); the output is the user's full distinguished name, and everything after the leading CN= component is the Base DN.
To obtain the group's distinguished name for the Search Filter, query the group by name (dsquery group -name "Domain Admins").
5. Click Test Connection and ensure your LDAP server is reachable.
Note: the Admin Password is not copied when you duplicate these settings at a later stage, so always re-enter it when creating additional LDAP server profiles (AUTHSERVER entries).
6. Click Create at the bottom of the 'Create Authentication LDAP Server' window.
7. Click Create on the 'Create Authentication LDAP Policy' window.
8. Save the NetScaler Configuration.
Click YES to the ‘Are you sure’ message
NetScaler SSH Command References:
Create LDAP Server:
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn email@example.com -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof=CN=Domain Admins,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn
Note: the -ldapBindDnPassword value followed by -encrypted -encryptmethod ENCMTHD_3 is how the password appears in ns.conf after the configuration has been saved. When typing the command yourself, supply the bind account's real password and omit -encrypted and -encryptmethod; the appliance encrypts it on save. As written, the command uses plain LDAP on port 389; if the domain controller offers LDAPS, add -secType SSL -serverPort 636 so the bind password and administrator passwords are not sent in clear text.
Create LDAP Policy:
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
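The commands above are also the form in which these objects appear in ns.conf, so the settings can be audited offline before (or after) they go onto an appliance. The following script is an added example for this guide and is not Citrix or NetScaler code: it parses 'add authentication ldapAction' lines in that syntax, flags plaintext LDAP, missing certificate validation and a missing search filter, renders a hardened equivalent, and emits the policy, the global bind that the introduction calls for, and the save from step 8. The config text, the service account svc_ns_ldap@home.local, the group "NetScaler Admins" and the host dc01.home.local are all constructed for the example.

```python
"""Audit and harden NetScaler 'add authentication ldapAction' commands.

Added example for this guide, not Citrix/NetScaler code. It understands the
CLI syntax shown in the reference above (the same form ns.conf uses) and
reports what a security reviewer would flag. All sample data is constructed.
"""
import shlex

# Constructed ns.conf-style sample: the guide's own action (password shortened)
# and a hardened variant using LDAPS, cert validation and a group search filter.
SAMPLE_NS_CONF = """\
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn email@example.com -ldapBindDnPassword 123456 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapAction AUTHSERVER_LDAPS -serverIP 192.168.1.11 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName dc01.home.local -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn svc_ns_ldap@home.local -ldapBindDnPassword 123456 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=Home,DC=Local" -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
"""

ACTION_PREFIX = ["add", "authentication", "ldapAction"]


def parse_ldap_action(line):
    """Parse one ldapAction line into (name, params); switches such as -encrypted become True.

    Returns None for lines that are not ldapAction definitions.
    """
    tokens = shlex.split(line)
    if tokens[:3] != ACTION_PREFIX:
        return None
    name, rest = tokens[3], tokens[4:]
    params, i = {}, 0
    while i < len(rest):
        key = rest[i].lstrip("-")
        if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            params[key] = rest[i + 1]          # flag with a value
            i += 2
        else:
            params[key] = True                 # bare switch
            i += 1
    return name, params


def audit_ldap_action(params):
    """Return (level, code, message) findings for one action's parameters."""
    findings = []
    sec_type = str(params.get("secType", "PLAINTEXT")).upper()  # NetScaler default is PLAINTEXT
    if sec_type == "PLAINTEXT":
        findings.append(("warn", "PLAINTEXT_LDAP",
                         "bind password and every admin password cross the network in clear; "
                         "use -secType SSL -serverPort 636 (or -secType TLS on 389)"))
    elif str(params.get("validateServerCert", "NO")).upper() != "YES" or "ldapHostName" not in params:
        findings.append(("warn", "NO_CERT_VALIDATION",
                         "LDAPS server identity is not checked; set -validateServerCert YES "
                         "-ldapHostName <fqdn on the certificate>"))
    search_filter = params.get("searchFilter")
    if not search_filter:
        findings.append(("warn", "NO_SEARCH_FILTER",
                         "any account under ldapBase that can bind will authenticate; "
                         'add -searchFilter "memberOf=<admin group DN>"'))
    elif str(search_filter).lower().startswith("memberof="):
        findings.append(("info", "DIRECT_MEMBERSHIP_ONLY",
                         "memberOf= matches direct members only; nested groups need "
                         "memberOf:1.2.840.113556.1.4.1941:=<group DN>"))
    return findings


def harden(params, admin_group_dn, ldap_hostname):
    """Copy of params with LDAPS, certificate validation and a group search filter enforced."""
    hardened = dict(params)
    hardened.update({"secType": "SSL", "serverPort": "636",
                     "validateServerCert": "YES", "ldapHostName": ldap_hostname})
    hardened.setdefault("searchFilter", f"memberOf={admin_group_dn}")
    return hardened


def render_ldap_action(name, params):
    """Render params back into NetScaler CLI syntax (double quotes around values with spaces)."""
    parts = ACTION_PREFIX + [name]
    for key, value in params.items():
        parts.append(f"-{key}")
        if value is not True:
            parts.append(f'"{value}"' if " " in value else value)
    return " ".join(parts)


def admin_policy_commands(action_name, policy_name, priority=100):
    """Policy creation, the global bind the introduction calls for, and the save from step 8."""
    return [
        f"add authentication ldapPolicy {policy_name} ns_true {action_name}",
        f"bind system global {policy_name} -priority {priority}",
        "save ns config",
    ]


def audit_config(text):
    """Audit every ldapAction in ns.conf-style text; returns {action name: findings}."""
    report = {}
    for line in text.splitlines():
        parsed = parse_ldap_action(line)
        if parsed:
            name, params = parsed
            report[name] = audit_ldap_action(params)
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_NS_CONF).items():
        print(name, findings or "clean")
    name, params = parse_ldap_action(SAMPLE_NS_CONF.splitlines()[0])
    fixed = harden(params, "CN=NetScaler Admins,CN=Users,DC=Home,DC=Local", "dc01.home.local")
    print(render_ldap_action(name, fixed))
    print("\n".join(admin_policy_commands(name, "AUTHPOL_LDAP_Administrators")))
```

Run it against a copy of ns.conf (or paste the reference commands above into SAMPLE_NS_CONF) to see the two warnings the guide's own command triggers and the hardened line that clears them. The nested-group note is informational: the memberOf= filter the guide uses is correct for direct members of Domain Admins, and the matching-rule OID form is only needed if administrators reach the group through nested membership.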
If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud