Summary
This document describes how to configure the NetScaler to allow access to the NetScaler VPN based on Active Directory group membership, using Lightweight Directory Access Protocol (LDAP) authentication. Basic Active Directory authentication should be configured and working before you attempt to filter on Active Directory groups. To configure LDAP authentication, refer to the following article:
CTX108876 – Configuring LDAP Authentication for NetScaler
Note: An understanding of the Active Directory and LDAP protocol is assumed.
Overview
When you enter your credentials on the NetScaler VPN logon page and press ENTER, the NetScaler binds to Active Directory with the configured bind account and searches for your user object. The search string is the configured Search Filter combined (ANDed) with the login name attribute, for example (&(memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com)(sAMAccountName=johnd)). Only if an object matches does the NetScaler bind as that user with the supplied password to validate it, after which Active Directory returns the user's attributes.
One of those attributes is memberOf, which holds the distinguished name (DN) of each Active Directory group the user is a direct member of. A user who belongs to more than one group has multiple memberOf values. Note that memberOf lists direct memberships only: groups reached through nesting, and the user's primary group (Domain Users by default), do not appear in it.

The NetScaler matches the memberOf values against the Search Filter configured on the NetScaler. If one of them matches, you are allowed to log on. If none matches, the search returns no user object and the logon fails before the password is ever checked. The following is an example of what Active Directory may return to the NetScaler:
dn: CN=johnd,CN=Users,DC=citrix,DC=com
changetype: add
memberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=com
cn: johnd
givenName: john
objectClass: user
sAMAccountName: johnd
Steps
Step 1: Determine the Active Directory Group that will permit access.
To configure the NetScaler for group extraction, first decide which Active Directory group a user must be a member of (that is, which memberOf value) to be allowed access. The LDAP server search filter is then built from that group's distinguished name. In the example above the user johnd is a member of the group VPNAllowed.
Note: To determine the group's exact distinguished name it may be necessary to follow the Troubleshooting section first.
Step 2: Determining the Search Filter syntax.
Once you have chosen the group, enter the correct syntax into the Search Filter attribute. The value is the group's full distinguished name, which you can derive from where the group sits in your Active Directory hierarchy or obtain with the Troubleshooting information below. The syntax is as follows:
memberOf=<FullDistinguishedName>
The string must begin with memberOf= followed immediately by the full distinguished name, with no space around the equals sign. The following is an example for the VPNAllowed group above, configured through the NetScaler GUI:

Below is the CLI command to configure LDAP authentication with group extraction using the example above. The command is entered as a single line; it is broken across lines here only for readability.
Note: It is mandatory that the Sub Attribute Name be set to CN.
add authentication ldapaction LDAP-Authentication
-serverip 10.3.4.15
-ldapBase "CN=Users,DC=citrix,DC=com"
-ldapBindDn "CN=administrator,CN=Users,DC=citrix,DC=com"
-ldapBindDnPassword ..dd2604527edf70
-ldapLoginName sAMAccountName
-searchFilter "memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com"
-groupAttrName memberOf
-subAttributeName CN
The -ldapBindDnPassword value shown is the encrypted form the NetScaler displays in its running configuration; when you type the command, supply the bind account's actual password. The bind account only needs read access to the directory, so use a dedicated low-privilege account rather than an administrator account, and prefer an encrypted connection (for example -secType SSL with -serverPort 636) so that user credentials are not sent to Active Directory in clear text.
The two arguments most relevant to this document are -searchFilter and -subAttributeName. All the other arguments are described in Configuring LDAP Authentication for NetScaler.
The -searchFilter argument is the string that is matched. Its format is specific: it MUST begin with memberOf= followed by the full context string, starting with the group's CN. Because the value contains commas and equals signs, enclose it in double quotes on the CLI.
Example:
-searchFilter "memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com"
The -subAttributeName argument specifies which part of each group DN returned in the group attribute is used as the group name for group extraction. For Active Directory this is CN.
Example:
-subAttributeName CN
Troubleshooting
If the LDAP policy fails after configuring group extraction, first create a second policy without the group extraction settings to confirm that basic LDAP authentication is configured properly. If basic authentication works, the problem is almost always the search filter string: check that the group DN is copied exactly, and remember that memberOf contains direct memberships only, so nested groups and the primary group do not match. Active Directory does support a filter for nested membership, memberOf:1.2.840.113556.1.4.1941:=<groupDN>; if you need it, verify with ldifde (the -r filter below) that it returns the expected users before placing it in the NetScaler search filter.
It may be necessary to use the Microsoft utility LDIFDE, which exports the attributes of Active Directory objects, to determine the exact distinguished name of the memberOf group. It is run on the Active Directory server itself. This document gives only a brief overview of LDIFDE; further information is available on the Microsoft site.
The command string below is an example:
ldifde -f <filename> -s <ADservername> -d "dc=citrix,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,memberOf"
(Change -s <ADservername> and -d (the domain base DN) to match your environment.)
This creates a text file named <filename> containing every user object under the base DN that matches the filter, with only the listed attributes. Below is a snippet of the file:
dn: CN=johnd,CN=Users,DC=citrix,DC=com
changetype: add
memberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=com
cn: johnd
givenName: john
objectClass: user
sAMAccountName: johnd
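The following Python script is an added example; it is not part of the Citrix article and is not NetScaler code. It parses an LDIF export like the ldifde snippet above and evaluates the combined user search the NetScaler sends, (&(sAMAccountName=<user>)(memberOf=<groupDN>)), so a candidate search filter can be checked against exported users before it is typed into the NetScaler. The second user (janed) and the groups VPNAdmins and Helpdesk are constructed for the example and do not appear in the article. It also shows the group names that -groupAttrName memberOf -subAttributeName CN would extract, and a lookup for a user outside the group returns None, mirroring the NetScaler failing the logon before any password check.

```python
"""Added example, not from the Citrix article or the NetScaler itself.

Parses an ldifde-style LDIF export and evaluates the NetScaler user lookup
(&(<ldapLoginName>=<user>)(<searchFilter>)) against it, then shows what
-groupAttrName memberOf -subAttributeName CN extracts. The user 'janed' and
the groups 'VPNAdmins' and 'Helpdesk' are constructed for this example.
"""
import base64

# Constructed sample in the format ldifde produces. The second entry is
# hypothetical; its second memberOf value is folded across two lines the
# way ldifde wraps long values.
SAMPLE_LDIF = """\
dn: CN=johnd,CN=Users,DC=citrix,DC=com
changetype: add
memberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=com
cn: johnd
givenName: john
objectClass: user
sAMAccountName: johnd

dn: CN=janed,CN=Users,DC=citrix,DC=com
changetype: add
memberOf: CN=VPNAdmins,OU=support,DC=citrix,DC=com
memberOf: CN=Helpdesk,OU=support,
 DC=citrix,DC=com
cn: janed
givenName: jane
objectClass: user
sAMAccountName: janed
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute name
    -> list of values (attributes such as memberOf are multi-valued).
    Handles the two LDIF forms ldifde emits: folded continuation lines
    (leading space) and base64 values ('attr:: <b64>')."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line[0] == " " and last_key:   # folded continuation of previous value
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Comparison key for a DN: AD matches DNs case-insensitively and
    ignores whitespace around the commas (escaped commas are not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lookup_user(entries, login_name, login_attr="sAMAccountName",
                search_filter="memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com"):
    """Mimic the NetScaler search (&(<login_attr>=<login_name>)(<search_filter>)).
    Only the memberOf=<groupDN> filter form from the article is evaluated.
    Returns the matching user's DN, or None when no object satisfies both
    terms (the NetScaler then fails the logon without trying the password)."""
    attr, _, group_dn = search_filter.partition("=")
    if attr.strip().lower() != "memberof":
        raise ValueError("this example only evaluates memberOf=<DN> filters")
    wanted = normalize_dn(group_dn)
    for entry in entries:
        names = [v.lower() for v in entry.get(login_attr.lower(), [])]
        if login_name.lower() not in names:
            continue
        groups = {normalize_dn(g) for g in entry.get("memberof", [])}
        if wanted in groups:
            return entry["dn"][0]
    return None


def extract_groups(entry, group_attr="memberOf", sub_attr="CN"):
    """What -groupAttrName memberOf -subAttributeName CN yields for a user:
    the value of the first RDN of each group DN whose type is sub_attr."""
    names = []
    for dn in entry.get(group_attr.lower(), []):
        rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_type.strip().lower() == sub_attr.lower():
            names.append(rdn_value.strip())
    return names


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    flt = "memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com"
    for login in ("johnd", "janed", "nobody"):
        print(login, "->", lookup_user(users, login, search_filter=flt))
    for user in users:
        print(user["dn"][0], "groups:", extract_groups(user))
```

Point parse_ldif at the file ldifde wrote (replacing SAMPLE_LDIF) to test a filter against your own export. DN comparison is case- and whitespace-insensitive, as Active Directory's is, so a filter typed as cn=vpnallowed, ou=support, ... still matches; what it cannot show is nested membership, because memberOf in the export never contains it.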
More Information
Using LDIFDE to import and export directory objects to Active Directory