When using the Lightweight Directory Access Protocol (LDAP) for authentication features of Citrix ADC and Citrix Gateway, not all accounts can function as the LDAP bind account. Some minimum requirements are necessary when configuring features that use LDAP Authentication such as Citrix ADC system user logins, AAA Application Traffic virtual servers, or Citrix Gateway.
When creating an LDAP Authentication profile, a user account must be defined for connecting to the LDAP directory. This account is known as the Bind Distinguished Name (DN) and the process of connecting to the LDAP directory is known as Binding. During the Bind process, the Bind DN account is used to search for the user account that is attempting to authenticate. The Bind DN must also be configured with the account’s correct password or Bind DN Password.
Because some organizations may wish to use a specific user account for the Bind process, it is important to ensure that the Bind DN account has the correct level of permissions on the LDAP directory.
In the example below, a Bind DN account named LDAP@mycitrixtraining.net will be used to connect to an LDAP directory whose Base DN is DC=mycitrixtraining,DC=net.
At a minimum, the Bind DN account must have:
• Read access to the user objects in the LDAP directory in order to search for user accounts
• Read access to the Base DN (for example, DC=mycitrixtraining,DC=net) and to the attribute used as the LDAP Login Name (for example, sAMAccountName or userPrincipalName)
In order to perform Group Extraction, which is the process of determining a user’s group membership and returning those values to authentication-dependent features like Citrix Gateway, the Bind DN account must also have:
• Read access to the group attributes in the LDAP directory (for example: memberOf)
In order to support password expiration during authentication, the Bind DN account must also have:
• Read access to the pwdLastSet, userAccountControl, and msDS-User-Account-Control-Computed attributes in the LDAP directory
In order to use an alternative Single Sign On attribute (SSO Name Attribute), such as UPN format, the Bind DN account must also have:
• Read access to the particular SSO Name Attribute of interest in the LDAP directory
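As an added example (not from the article or from Citrix), a small Python check that a candidate Bind DN can read everything listed above: the pure functions run offline against a constructed search result, and `probe()` runs the same check live through the third-party ldap3 library. It assumes the test user is located by sAMAccountName and that userPrincipalName is the alternative SSO Name Attribute, as in the article's example.

```python
# Attributes the Bind DN must be able to read, per feature (from the article above).
# "sso" assumes UPN is the alternative SSO Name Attribute, as in the article's example.
REQUIRED = {
    "login": ["sAMAccountName"],                      # user search / LDAP Login Name
    "groups": ["memberOf"],                           # Group Extraction
    "password": ["pwdLastSet", "userAccountControl",  # password expiration
                 "msDS-User-Account-Control-Computed"],
    "sso": ["userPrincipalName"],                     # SSO Name Attribute
}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP filter (RFC 4515) so it cannot alter the query."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(login_attr: str, username: str) -> str:
    """Filter the Bind DN search uses to locate the user who is trying to authenticate."""
    return f"(&(objectClass=user)({login_attr}={escape_filter_value(username)}))"

def missing_attributes(visible: dict, features) -> dict:
    """Map each requested feature to the required attributes the Bind DN could NOT read.

    `visible` is the attribute dict returned for the test user. Active Directory omits
    (or returns empty) any attribute the bound account lacks read permission on, and
    attribute names are case-insensitive, so compare in lower case.
    """
    seen = {k.lower() for k, v in visible.items() if v not in (None, [], "")}
    gaps = {f: [a for a in REQUIRED[f] if a.lower() not in seen] for f in features}
    return {f: a for f, a in gaps.items() if a}

def probe(host, bind_dn, bind_pw, base_dn, username, login_attr="sAMAccountName",
          features=("login", "groups", "password", "sso")):
    """Live check: bind as the candidate account over LDAPS and read the test user."""
    import ldap3  # third-party package; only needed for the live check
    attrs = sorted({a for f in features for a in REQUIRED[f]})
    conn = ldap3.Connection(ldap3.Server(host, use_ssl=True), user=bind_dn,
                            password=bind_pw, auto_bind=True)
    if not conn.search(base_dn, user_search_filter(login_attr, username), attributes=attrs):
        return {"search": ["user not found: no read access to Base DN or user objects"]}
    return missing_attributes(conn.entries[0].entry_attributes_as_dict, features)

# Constructed sample: what a Bind DN with read access to user objects but not to group
# membership or the computed account-control attribute would get back.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "userPrincipalName": ["jdoe@mycitrixtraining.net"],
    "memberOf": [],
    "pwdLastSet": ["133000000000000000"],
    "userAccountControl": [512],
    "msDS-User-Account-Control-Computed": [],
}

if __name__ == "__main__":
    print(missing_attributes(SAMPLE_ENTRY, ["login", "groups", "password", "sso"]))
```

An empty result means the account satisfies every listed requirement for the features you selected; any feature that appears in the result names the attributes whose read permission still has to be granted.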