Run a trace from NetScaler and analyze the LDAP authentication accordingly.
The following sections help you analyze the LDAP authentication step by step:
The following TCP sequence is seen when the LDAP server is reached successfully. If you see only the SYN going out and no SYN, ACK returning, the LDAP server is not reachable from the NetScaler.
17696 2014-10-08 07:51:10.115393376 10.217.130.219 10.217.130.221 1 62189→389 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSval=4285775865 TSecr=0 SACK_PERM=1
17700 2014-10-08 07:51:10.116388554 10.217.130.221 10.217.130.219 0 389→62189 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1335334427 TSecr=4285775865
17702 2014-10-08 07:51:10.116851149 10.217.130.219 10.217.130.221 1 62189→389 [ACK] Seq=1 Ack=1 Win=66608 Len=0 TSval=4285775867 TSecr=1335334427
You can see in the following capture that an Admin Bind request is sent and the bind response is successful.
2096 2014-10-07 19:51:02.153361649 10.217.130.219 10.217.130.221 1 bindRequest(1) "administrator@ragee.local" simple
2098 2014-10-07 19:51:02.154359200 10.217.130.221 10.217.130.219 0 bindResponse(1) success
In the following capture the Admin Bind fails: the bind response returns invalidCredentials, and the AD error data 52e means the bind account's user name or password is wrong.
619 2014-10-08 07:48:24.495567155 10.217.130.219 10.217.130.221 1 bindRequest(1) "administrator@ragee.local" simple
621 2014-10-08 07:48:24.497577290 10.217.130.221 10.217.130.219 0 bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0)
From the following you can see that the LDAP User Search returned 1 result because the user is present in Active Directory (AD).
2100 2014-10-07 19:51:02.154888680 10.217.130.219 10.217.130.221 1 searchRequest(2) "dc=ragee,dc=local" wholeSubtree
2102 2014-10-07 19:51:02.180360713 10.217.130.221 10.217.130.219 0 searchResEntry(2) "CN=user001,CN=Users,DC=ragee,DC=local" | searchResRef(2) | searchResRef(2) | searchResRef(2) | searchResDone(2) success [1 result]
User search request for user001:
User search response successful for user001:
From the following you can see that the LDAP user search returned 0 results because the user is not present in AD.
17708 2014-10-08 07:51:10.118851632 10.217.130.219 10.217.130.221 1 searchRequest(2) "dc=ragee,dc=local" wholeSubtree
17710 2014-10-08 07:51:10.119372001 10.217.130.221 10.217.130.219 0 searchResRef(2) | searchResRef(2) | searchResRef(2) | searchResDone(2) success [0 results]
For a successfully authenticated user, the bind response is successful.
2106 2014-10-07 19:51:02.209364120 10.217.130.219 10.217.130.221 1 bindRequest(3) "CN=user001,CN=Users,DC=ragee,DC=local" simple
2108 2014-10-07 19:51:02.210367665 10.217.130.221 10.217.130.219 0 bindResponse(3) success
For a user who entered invalid credentials, the bind response returns invalidCredentials, and the result code in the bind response details is also invalidCredentials (AD error data 52e).
1068 2014-10-08 08:48:26.531174263 10.217.130.219 10.217.130.221 1 bindRequest(3) "CN=user001,CN=Users,DC=ragee,DC=local" simple
1070 2014-10-08 08:48:26.533682792 10.217.130.221 10.217.130.219 0 bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0)
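As an added example (not part of the original article or of any Citrix tooling), the following Python helper applies the checks walked through above to Wireshark summary lines: it confirms the TCP handshake, reads the admin and user bind results, the search result count and the AD "data" sub-code, and returns the same verdict the trace analysis reaches. The sample lines are constructed in the style of the captures above, and the AD sub-code table is a standard lookup added here (only 52e appears in the trace).

```python
import re

# Well-known AD sub-codes from the "data NNN" field of a failed bind (added lookup; the trace shows 52e).
AD_DATA_CODES = {"525": "user not found", "52e": "invalid credentials", "530": "logon hours restriction",
                 "532": "password expired", "533": "account disabled", "701": "account expired",
                 "773": "must reset password", "775": "account locked out"}
BIND_RESP = re.compile(r"bindResponse\(\d+\) (\w+)(?:.*?data ([0-9a-f]+),)?")
SEARCH_DONE = re.compile(r"searchResDone\(\d+\) \w+ \[(\d+) results?\]")

# Constructed sample in the Wireshark summary style of the trace above: admin bind OK,
# user found, user bind rejected with data 52e.
SAMPLE_TRACE = """\
17696 10.217.130.219 10.217.130.221 62189→389 [SYN] Seq=0 Win=65535 Len=0
17700 10.217.130.221 10.217.130.219 389→62189 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
2096 10.217.130.219 10.217.130.221 bindRequest(1) "administrator@ragee.local" simple
2098 10.217.130.221 10.217.130.219 bindResponse(1) success
2102 10.217.130.221 10.217.130.219 searchResEntry(2) "CN=user001,CN=Users,DC=ragee,DC=local" | searchResDone(2) success [1 result]
2106 10.217.130.219 10.217.130.221 bindRequest(3) "CN=user001,CN=Users,DC=ragee,DC=local" simple
2108 10.217.130.221 10.217.130.219 bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0)
""".splitlines()


def analyze_ldap_trace(lines):
    """Pull the TCP handshake, bind results and search count out of summary lines."""
    r = {"syn_sent": False, "tcp_reachable": False, "binds": [], "search_results": None}
    for line in lines:
        r["syn_sent"] |= "[SYN]" in line
        r["tcp_reachable"] |= "[SYN, ACK]" in line
        if m := BIND_RESP.search(line):
            result, data = m.groups()
            r["binds"].append({"result": result, "ad_data": data, "ad_reason": AD_DATA_CODES.get(data)})
        if m := SEARCH_DONE.search(line):
            r["search_results"] = int(m.group(1))
    return {**r, "diagnosis": diagnose(r)}


def diagnose(r):
    """Apply the checks of the trace walkthrough above, in the order it makes them."""
    if r["syn_sent"] and not r["tcp_reachable"]:
        return "LDAP server unreachable: SYN sent but no SYN/ACK returned"
    binds = r["binds"]  # first bind is the NetScaler admin/service bind, last is the user bind
    if not binds or binds[0]["result"] != "success":
        return "admin bind failed: " + (binds[0]["ad_reason"] or binds[0]["result"] if binds else "no response")
    if r["search_results"] == 0:
        return "user search returned 0 results: user not present in AD"
    if len(binds) < 2:
        return "no user bind seen after the search"
    u = binds[-1]
    if u["result"] != "success":
        return f"user bind failed: {u['result']} (AD data {u['ad_data']}: {u['ad_reason']})"
    return "authentication succeeded"
```

Feed it the summary lines exported from Wireshark (File > Export Packet Dissections > As Plain Text, summary line only) for a capture filtered on the LDAP server's port.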
Citrix eDocs - Configuring LDAP authentication