How to Disable Authentication on an LDAP Server and Use It Only for Group Extraction


Article ID: CTX219946


Description

If you want to use LDAP for group extraction but not for authentication, you can set the NetScaler appliance to disable authentication on the LDAP server.

Caution: If authentication is disabled, any LDAP authentication attempt succeeds as long as the user is found in LDAP. Do not disable authentication unless LDAP is used only for group extraction and authentication methods other than LDAP are either bound to a primary list or flagged as secondary.


Instructions

Prerequisites

Before disabling LDAP authentication, make sure that:

To disable LDAP authentication by using the NetScaler GUI

On the Configuration tab, do one of the following:

Navigate to System > Authentication > LDAP > Servers, select the server, click Edit, and go to step 3 of the following procedure.


OR

Navigate to NetScaler Gateway > Virtual Servers, select the VPN virtual server for which LDAP authentication needs to be disabled, and take the following steps.


  1. In the Basic Authentication section, click LDAP Policy.

  2. Select the LDAP Policy that you want to edit, and, from the Select Action list, select Edit Server.

  3. Clear the Authentication check box and click OK.

To disable LDAP authentication by using the command line

  1. Enter the following command to disable authentication on the LDAP server:
    > set authentication ldapaction <LDAPServerName> authentication DISABLED

  2. Enter the show authentication ldapaction command and verify that authentication has been disabled for the chosen LDAP server.

Example

> sh authentication ldapaction ldapabhishek
1)	Name: ldapabhishek
Server Name: 10.105.157.116	Port: 389 Server Type: AD
Timeout: 3 secs	BindDn: administrator@ctxnssfb.com Login: sAMAccountName Base: dc=ctxnssfb,dc=com Secure Type: PLAINTEXT
Password Change: DISABLED
Group Attribute Name: memberOf	Sub Attribute Name: CN Authentication Disabled, User required
Success: 23
Failures: 61
Validate LDAP Server Certificate: NO LDAP Host Name:
Nested Group Extraction: ON	Maximum Nesting Level: 2 Group Name Identifier: cn Group Search Attribute: memberOf

LDAP Referrals: OFF
LDAP Referral DNSLookup : A-REC Attribute1 Name: lastLogon

Now that authentication is disabled, any LDAP authentication attempt will return an authentication success if the user is found.
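Because an LDAP action with authentication disabled accepts every user that exists in the directory, it is worth checking periodically that no such action is still in use for primary authentication. The following added Python example (not part of the article or of NetScaler) parses captured `sh authentication ldapaction` output in the format shown above and reports each action whose authentication is disabled; the sample output, server names and addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the article's `sh authentication ldapaction`
# output; action names, addresses and counters are made up for illustration.
SAMPLE_OUTPUT = """\
1)\tName: ldap_groups_only
Server Name: 192.0.2.10\tPort: 389 Server Type: AD
Timeout: 3 secs\tBindDn: svc-ldap@example.test Login: sAMAccountName Base: dc=example,dc=test Secure Type: PLAINTEXT
Password Change: DISABLED
Group Attribute Name: memberOf\tSub Attribute Name: CN Authentication Disabled, User required
Success: 23
Failures: 61
2)\tName: ldap_primary
Server Name: 192.0.2.11\tPort: 636 Server Type: AD
Timeout: 3 secs\tBindDn: svc-ldap@example.test Login: sAMAccountName Base: dc=example,dc=test Secure Type: SSL
Password Change: DISABLED
Group Attribute Name: memberOf\tSub Attribute Name: CN
Success: 1200
Failures: 4
"""

# Each action in the listing starts with "<index>)  Name: <action name>".
ENTRY_START = re.compile(r"^\d+\)\s*Name:\s*(\S+)", re.MULTILINE)


def parse_ldap_actions(output: str) -> Dict[str, bool]:
    """Map each LDAP action name to True if authentication is disabled on it."""
    result: Dict[str, bool] = {}
    starts = list(ENTRY_START.finditer(output))
    for i, match in enumerate(starts):
        # The entry body runs up to the next entry header (or end of output).
        end = starts[i + 1].start() if i + 1 < len(starts) else len(output)
        body = output[match.start():end]
        result[match.group(1)] = "Authentication Disabled" in body
    return result


def audit(output: str) -> List[str]:
    """Return the names of LDAP actions that accept any user found in LDAP."""
    return sorted(name for name, off in parse_ldap_actions(output).items() if off)


if __name__ == "__main__":
    for name in audit(SAMPLE_OUTPUT):
        print(f"WARNING: {name}: authentication DISABLED; use it for group extraction only")
```

Feed the function the output of the same command run against a real appliance and compare the flagged names against the LDAP policies bound as primary authentication on your virtual servers.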


Issue/Introduction

How to disable authentication on an LDAP server and use it only for group extraction.