The objective of this article is to show the steps in configuring Nested Group extraction in LDAP profile.
Instructions
NetScaler Gateway can query LDAP groups and extract group and user information from ancestor groups that you configure on the authentication server. You can use an authentication policy to configure LDAP nested group extraction. When the query is run, NetScaler Gateway searches the groups until it reaches the maximum nesting level or until it searches all available groups.
For example, user Test11 is a member of the AD group NestedGroup, and NestedGroup is a member of the root group nstestgroup; however, user Test11 is not a direct member of nstestgroup. The administrator wants to allow users who are part of the root group nstestgroup or of the subgroup NestedGroup.


Here, we have an AAA Group defined on the NetScaler for NestedGroup:

We want the NetScaler to recognise that Test11 is a member of this group for management purposes.
First, configure your LDAP server on the NetScaler as desired. The details of the LDAP server configuration are explained in https://support.citrix.com/article/CTX108876:

Ensure that users of this Nested Group can successfully authenticate against this LDAP server before moving on to enabling Nested Group Extraction.
To configure Nested Group Extraction, click More and then select Enabled.
The Maximum Nesting Level is set to 2 by default. This is the minimum level, because the NetScaler counts the parent group as the first level and the nested group as the second level.
The Group Name Identifier is set to sAMAccountName by default.
If you are defining your groups by a different AD attribute, change this to reflect it.
The Group Search Attribute is set to memberOf by default.
The Group Search Filter should be set to memberOf=<Distinguished Name of Parent Group>.
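To make the Maximum Nesting Level and Group Search Filter settings concrete, here is an added Python simulation of the group walk; it is not Citrix code and not a NetScaler API. The directory data, the DNs and the extra groups OtherGroup and OtherRoot are constructed, and it assumes the search filter is ANDed with the Group Name Identifier lookup at each level.

```python
# Added example, not from the Citrix article: simulates the nested group walk over
# a constructed in-memory stand-in for Active Directory (DNs and OtherGroup/OtherRoot are made up).
from typing import Dict, List, Set, Tuple

TEST11 = "CN=Test11,OU=Users,DC=example,DC=local"
NESTED = "CN=NestedGroup,OU=Groups,DC=example,DC=local"
ROOT = "CN=nstestgroup,OU=Groups,DC=example,DC=local"
OTHER = "CN=OtherGroup,OU=Groups,DC=example,DC=local"
OTHER_ROOT = "CN=OtherRoot,OU=Groups,DC=example,DC=local"

# Constructed directory: DN -> the attributes the walk reads. Not real AD data.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    TEST11: {"sAMAccountName": ["Test11"], "memberOf": [NESTED, OTHER]},
    NESTED: {"sAMAccountName": ["NestedGroup"], "memberOf": [ROOT]},
    OTHER: {"sAMAccountName": ["OtherGroup"], "memberOf": [OTHER_ROOT]},
    ROOT: {"sAMAccountName": ["nstestgroup"], "memberOf": []},
    OTHER_ROOT: {"sAMAccountName": ["OtherRoot"], "memberOf": []},
}


def ldap_search(conditions: List[Tuple[str, str]]) -> List[Dict[str, List[str]]]:
    """Stand-in for an LDAP search whose filter is an AND of attr=value terms."""
    return [attrs for attrs in DIRECTORY.values()
            if all(value in attrs.get(attr, []) for attr, value in conditions)]


def name_of(dn: str, identifier: str) -> str:
    # Map a group DN to its Group Name Identifier value (e.g. sAMAccountName).
    return DIRECTORY[dn][identifier][0]


def extract_groups(user_dn: str, max_nesting_level: int = 2,
                   group_name_identifier: str = "sAMAccountName",
                   group_search_attribute: str = "memberOf",
                   group_search_filter: str = "") -> Set[str]:
    """Group names reachable from the user within max_nesting_level.

    Level 1 is the user's own memberOf values; each further level looks up the
    groups found so far by name, restricted by the Group Search Filter (assumed
    to be one attr=value pair), and reads their group_search_attribute.
    """
    attr, _sep, value = group_search_filter.partition("=")
    extra = [(attr, value)] if group_search_filter else []
    level = {name_of(dn, group_name_identifier) for dn in DIRECTORY[user_dn]["memberOf"]}
    found = set(level)
    for _ in range(1, max_nesting_level):
        parents: Set[str] = set()
        for name in level:
            for entry in ldap_search(extra + [(group_name_identifier, name)]):
                parents.update(name_of(dn, group_name_identifier)
                               for dn in entry.get(group_search_attribute, []))
        level = parents - found  # only newly discovered groups are walked further
        found |= parents
    return found
```

With the article's filter memberOf=<DN of nstestgroup>, OtherGroup's own parent is never extracted, because OtherGroup does not match the filter; raising the nesting level above 2 adds nothing in this scenario.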
To find the Distinguished Name of a group, open its properties in Active Directory and look it up on the Attribute Editor tab:

Once you’ve configured all these options, your Nested Group Extraction should look like this:

Now, once you authenticate with a user who is a member of NestedGroup, the NetScaler will extract this attribute to help you manage your users:
