How to use Secure LDAP to Change the User Password in NetScaler Gateway


Article ID: CTX200111


Description

This article provides information on how to use Lightweight Directory Access Protocol (LDAP) in NetScaler Gateway to change users' passwords. Secure LDAP is required to change a password.
Note: The Windows Server global catalog port 3268 and the secure global catalog port 3269 do not support password change attempts by design.


Instructions

To change users' passwords in NetScaler Gateway using LDAP, complete the following steps:

  1. Connect using the SSH protocol to the NetScaler Gateway appliance NSIP (the NetScaler IP, used as the administration GUI IP address).

  2. After authentication, type shell to switch the command line interface from the NetScaler context to the UNIX context.

  3. Press the ENTER key.

  4. Type cd /tmp/ and then type cat aaad.debug to view the debugging messages generated during authentication on the NetScaler Gateway virtual server (Vserver).

  5. From the NetScaler Gateway configuration utility, expand the NetScaler Gateway node.

  6. Go to Policies > Authentication > LDAP.


  7. Select the Servers tab on the right pane of the window and create a server definition.

    • PLAINTEXT - port 389 - no server-side certificate required
    • TLS - port 389 and 636 - Transport Layer Security (TLS) requires a server-side SSL certificate
    • SSL - port 636 - requires a server-side SSL certificate
    • Allow Password Change - required for NetScaler Gateway to process password change attempts prompted by the server.
      • Example server definition.

        NetScaler Gateway LDAP server definition example screenshot

      • Example policy definition.

        NetScaler Gateway LDAP policy example screenshot

  8. After the server and policy are created, bind the policy to the NetScaler Gateway Vserver within the Authentication tab.

    NetScaler Gateway LDAP policy assignment to Vserver example screenshot

  9. Log on to the NetScaler Gateway Vserver to test the created policy (while watching the aaad.debug output window established in Step 4).
    A connection attempt to the LDAP server should show as using port 636.
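The server definition in Step 7 and the check in Step 9 come down to three settings on the LDAP action: the security type, the server port, and whether password change is allowed. The following script is an added example, not Citrix code: it parses `add authentication ldapAction` lines in the format NetScaler writes to `show ns runningConfig` and flags definitions that cannot safely handle a password change (Allow Password Change enabled over PLAINTEXT, or on the global catalog ports 3268/3269). The sample configuration lines, the IP addresses, names and DNs are constructed placeholders, and the defaults assumed for omitted parameters (PLAINTEXT, port 389, password change disabled) are noted in the code.

```python
"""Audit NetScaler LDAP actions for secure password-change configuration.

Added example, not Citrix code. Parses `add authentication ldapAction`
lines as they appear in `show ns runningConfig` output and flags:
  * passwdChange ENABLED with secType PLAINTEXT (password change needs Secure LDAP)
  * passwdChange ENABLED on global catalog ports 3268/3269 (unsupported by design)
  * secType SSL pointed at port 389 (LDAPS listens on 636)
  * any PLAINTEXT action (credentials cross the wire unencrypted)
"""
import shlex

# Constructed sample: four LDAP action definitions as they would appear in a
# running config. Names, IPs and DNs are placeholders, not a real deployment.
SAMPLE_CONFIG = """\
add authentication ldapAction ldap_ssl_ok -serverIP 10.0.0.5 -serverPort 636 -ldapBase "dc=example,dc=local" -ldapBindDn "cn=svc,dc=example,dc=local" -ldapLoginName sAMAccountName -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap_plain_bad -serverIP 10.0.0.5 -serverPort 389 -ldapBase "dc=example,dc=local" -ldapLoginName sAMAccountName -secType PLAINTEXT -passwdChange ENABLED
add authentication ldapAction ldap_gc_bad -serverIP 10.0.0.6 -serverPort 3269 -ldapBase "dc=example,dc=local" -ldapLoginName sAMAccountName -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap_plain_auth_only -serverIP 10.0.0.5 -serverPort 389 -ldapBase "dc=example,dc=local" -ldapLoginName sAMAccountName -secType PLAINTEXT
"""

GLOBAL_CATALOG_PORTS = {3268, 3269}


def parse_ldap_actions(config_text):
    """Return {action_name: {parameter: value}} for each ldapAction line."""
    actions = {}
    for line in config_text.splitlines():
        if not line.startswith("add authentication ldapAction "):
            continue
        tokens = shlex.split(line)  # shlex keeps quoted DN values intact
        name = tokens[3]
        params = {}
        i = 4
        while i < len(tokens):
            key = tokens[i].lstrip("-")
            # A parameter followed by another parameter (or end of line) is a bare switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                params[key] = tokens[i + 1]
                i += 2
            else:
                params[key] = True
                i += 1
        actions[name] = params
    return actions


def audit_action(name, params):
    """Return a list of findings for one ldapAction; an empty list means OK."""
    findings = []
    # Assumed NetScaler defaults when a parameter is omitted from the line.
    sec_type = params.get("secType", "PLAINTEXT")
    port = int(params.get("serverPort", "389"))
    pw_change = params.get("passwdChange", "DISABLED") == "ENABLED"

    if pw_change and sec_type == "PLAINTEXT":
        findings.append(f"{name}: passwdChange ENABLED but secType PLAINTEXT; "
                        "password change requires Secure LDAP (TLS or SSL)")
    if pw_change and port in GLOBAL_CATALOG_PORTS:
        findings.append(f"{name}: passwdChange ENABLED on global catalog port {port}; "
                        "ports 3268/3269 do not support password change")
    if sec_type == "SSL" and port == 389:
        findings.append(f"{name}: secType SSL on port 389; LDAPS listens on 636")
    if sec_type == "PLAINTEXT":
        findings.append(f"{name}: credentials are sent over unencrypted LDAP on port {port}")
    return findings


def audit_config(config_text):
    """Map every ldapAction name in the config to its list of findings."""
    return {name: audit_action(name, p) for name, p in parse_ldap_actions(config_text).items()}


if __name__ == "__main__":
    for action_name, action_findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not action_findings else "REVIEW"
        print(f"[{status}] {action_name}")
        for finding in action_findings:
            print("   -", finding)
```

Run it against a saved `show ns runningConfig` export instead of `SAMPLE_CONFIG` to review every LDAP action on the appliance at once; only `ldap_ssl_ok` in the sample passes, which is the combination (SSL, port 636, Allow Password Change) the article's server definition uses.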


Issue/Introduction

This article provides information on how to use Secure LDAP to change a user's password in NetScaler Gateway.

Additional Information

How to enable LDAP over SSL with a third-party certification authority