LDAP Auth policy

LDAP authentication with Citrix NetScaler 11.

Make sure to catch up this series' previous posts first!

In the previous post, we configured load balancing for our domain controllers. In this post we will configure LDAP authentication against the LB virtual server created there, so the NetScaler never depends on a single domain controller.

The goal is to allow members of the RemoteUsers AD group to reach the external StoreFront site through NetScaler Gateway, and members of the NetscalerAdmins AD group to log in to the NetScaler management console. Each role gets its own LDAP server definition with its own search filter, so the group restriction is enforced by the directory query itself rather than by a check after the password has been verified.

This is useful if you don't want all of your users to have external access by default.

Requirements

Lab configuration

  • Active Directory domain controller load balancing configured in Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
  • LB VIP for LDAPS: 192.168.1.20
  • Service account: citrixguru\svc_ldap (only used to bind and search the directory; an ordinary domain user with read access is sufficient, so do not use a privileged account)
  • Remote users AD group: citrixguru.lab/groups/remoteusers
    • citrixguru\user1 is a member of the group
    • Authorized to connect to NetScaler Gateway
  • NetScaler Admins AD group: citrixguru.lab/groups/netscaleradmins
    • citrixguru\administrator is a member of the group
    • Authorized to connect to the NetScaler admin console

Policy for users

Create authentication policy for users

Go to NetScaler > System > Authentication > LDAP > Servers, select Add.

  • Name: vslb-ldap-remoteusers
  • Server IP: 192.168.1.20 (LB VIP for LDAPS)
  • Security type: SSL
  • Port: 636
  • Server Type: AD
  • Time-out: 3 secs
  • Base DN: dc=citrixguru,dc=lab
  • Administrator Bind DN: svc_ldap@citrixguru.lab
  • Check Bind password and type the password of the service account
  • Server logon name attribute: sAMAccountName
  • Search Filter: memberOf=CN=RemoteUsers,OU=Groups,DC=citrixguru,DC=lab
  • Group attribute: memberOf
  • Sub attribute name: cn
  • Check Allow password change

Enter the search filter without surrounding parentheses: NetScaler ANDs it with the logon name lookup, so an account that is not a direct member of RemoteUsers is simply not found and cannot authenticate, whatever its password. Note that memberOf lists direct memberships only, so users who belong through a nested group will be refused. Allow password change requires the SSL connection configured above; NetScaler will not change passwords over plain LDAP.

Create LDAP server for users

Go to NetScaler > System > Authentication > LDAP > Policies, select Add.

  • Name: LDAP_POL_REMOTEUSERS
  • Server: vslb-ldap-remoteusers
  • Expression: ns_true (the policy is evaluated for every request; the restriction to the RemoteUsers group is done by the search filter of the LDAP server, not by the policy expression)

Create ldap policy for users


Bind policy to NetScaler Gateway virtual server

Go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers and select the virtual server you want to modify.

Go to Authentication and select +.

Add authentication

Choose Type.

  • Policy: LDAP
  • Type: Primary

Choose type

Bind the LDAP_POL_REMOTEUSERS policy with priority 0.

Bind policy

The policy is now bound to the Gateway virtual server. Only accounts the search filter can find, that is direct members of RemoteUsers, get past the logon page; any other domain account is refused even when its password is correct.

LDAP policy bound

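The same configuration typed at the NetScaler CLI over SSH, as an added example that is not part of the original post. The Gateway virtual server name gw_vs and the <bind_password> placeholder are assumptions; every other value comes from the steps above. Lines starting with # are annotations, drop them when pasting.

```nscli
# LDAP server ("action") for remote users, reached through the LDAPS LB VIP.
# <bind_password> stands for the svc_ldap password (placeholder).
add authentication ldapAction vslb-ldap-remoteusers -serverIP 192.168.1.20 -serverPort 636 -secType SSL -svrType AD -authTimeout 3 -ldapBase "dc=citrixguru,dc=lab" -ldapBindDn "svc_ldap@citrixguru.lab" -ldapBindDnPassword <bind_password> -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=RemoteUsers,OU=Groups,DC=citrixguru,DC=lab" -groupAttrName memberOf -subAttributeName cn -passwdChange ENABLED

# Classic policy: ns_true matches every request; the search filter above does the restricting.
add authentication ldapPolicy LDAP_POL_REMOTEUSERS ns_true vslb-ldap-remoteusers

# Bind it as the primary authentication policy of the Gateway virtual server (name gw_vs assumed).
bind vpn vserver gw_vs -policy LDAP_POL_REMOTEUSERS

# Optional: accept members of groups nested inside RemoteUsers as well, using Active Directory's
# LDAP_MATCHING_RULE_IN_CHAIN operator. A plain memberOf filter only sees direct members.
set authentication ldapAction vslb-ldap-remoteusers -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=RemoteUsers,OU=Groups,DC=citrixguru,DC=lab"

# Review the result and persist it.
show authentication ldapAction vslb-ldap-remoteusers
show vpn vserver gw_vs
save ns config
```

The nested-group filter is only needed when RemoteUsers contains other groups; it makes every authentication walk the group chain on the domain controller, so keep the direct memberOf filter when a flat group is enough.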

Policy for management

Create authentication policy for admins (NetScaler management)

Go to NetScaler > System > Authentication > LDAP > Servers, select Add.

  • Name: vslb-ldap-admins
  • Server IP: 192.168.1.20 (LB VIP for LDAPS)
  • Security type: SSL
  • Port: 636
  • Server Type: AD
  • Time-out: 3 secs
  • Base DN: dc=citrixguru,dc=lab
  • Administrator Bind DN: svc_ldap@citrixguru.lab
  • Check Bind password and type the password of the service account
  • Server logon name attribute: sAMAccountName
  • Search Filter: memberOf=CN=NetscalerAdmins,OU=Groups,DC=citrixguru,DC=lab
  • Group attribute: memberOf
  • Sub attribute name: cn
  • Check Allow password change

The only difference from the users' server is the search filter: an account that is not a direct member of NetscalerAdmins is not returned by the search and therefore cannot log in to the management interface, whatever other groups it belongs to. The group attribute and sub attribute name tell NetScaler to read the user's memberOf values and keep only the cn part; these extracted names are what the system group created below is matched against.

Create LDAP server for admins

Go to NetScaler > System > Authentication > LDAP > Policies, select Add.

  • Name: LDAP_POL_ADMINS
  • Server: vslb-ldap-admins
  • Expression: ns_true

Create ldap policy for admins


Bind policy to global

Go to NetScaler > System > Authentication > LDAP > Policies.

Select policy for admins

Select Global Bindings, then select the policy for admins (LDAP_POL_ADMINS).

Configure binding

Select Bind to validate, then Done to apply.

Validation

The policy is now bound globally, which means it is used for management logons (GUI, SSH and the API), not for the Gateway. Local system users such as nsroot can still log in with their local password, so keep at least one local administrator with a strong password as a break-glass account for the case where the domain controllers or the LDAPS VIP are unavailable.

Policy globally bound


Configure NetScaler admins

Go to NetScaler > System > User administration > Groups and select Add.

  • Name: NetscalerAdmins (this must equal the cn extracted from the user's memberOf attribute character for character, including case; otherwise the user is not mapped to the group and does not receive its command policy)
  • Idle time-out: 900 secs
  • Command policy: superuser

Create system group

The superuser command policy allows all commands. NetScaler also ships with the read-only, operator, network and sysadmin built-in command policies; bind the least privileged one that fits the role and reserve superuser for the group that really needs it.

superuser policy

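The management side at the NetScaler CLI, as an added example that is not part of the original post. The <bind_password> placeholder and the extra read-only group NetscalerReadOnly are assumptions used to show the least-privilege variant; the other values are the ones above. Lines starting with # are annotations, drop them when pasting.

```nscli
# LDAP server for management logons: same as the users' server except for the filter,
# which only returns direct members of NetscalerAdmins. <bind_password> is a placeholder.
add authentication ldapAction vslb-ldap-admins -serverIP 192.168.1.20 -serverPort 636 -secType SSL -svrType AD -authTimeout 3 -ldapBase "dc=citrixguru,dc=lab" -ldapBindDn "svc_ldap@citrixguru.lab" -ldapBindDnPassword <bind_password> -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetscalerAdmins,OU=Groups,DC=citrixguru,DC=lab" -groupAttrName memberOf -subAttributeName cn -passwdChange ENABLED

add authentication ldapPolicy LDAP_POL_ADMINS ns_true vslb-ldap-admins

# A global binding is system (management) authentication, not Gateway authentication.
bind system global LDAP_POL_ADMINS -priority 100

# The system group name must equal the cn NetScaler extracts from memberOf, case included.
add system group NetscalerAdmins -timeout 900
bind system group NetscalerAdmins -policyName superuser 100

# Least-privilege variant for an AD group that only needs to look, not change
# (group name NetscalerReadOnly assumed; read-only is a built-in command policy).
add system group NetscalerReadOnly -timeout 900
bind system group NetscalerReadOnly -policyName read-only 100

# Check the bindings and persist the configuration.
show system global
show system group NetscalerAdmins
save ns config
```

A member of NetscalerReadOnly would need its own LDAP server with a matching search filter, or a filter that accepts both groups, before the group mapping comes into play; the system group alone does not grant a logon.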

Testing

  1. Connect to the external StoreFront site through NetScaler Gateway with citrixguru\user1 (member of RemoteUsers): the logon must succeed.
  2. Connect to the NetScaler management console with citrixguru\administrator (member of NetscalerAdmins): the logon must succeed and the session must have the superuser command policy.
  3. Repeat both with a domain account that is in neither group, and try citrixguru\administrator at the Gateway: all of these must be refused, which proves that the search filters, not only the passwords, are doing the work.

Troubleshooting

Go to NetScaler > Authentication > Dashboard.

Authentication dashboard

Go to NetScaler > Authentication > Logs.

Authentication logs
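When the dashboard only says that a logon failed, the authentication daemon's debug pipe shows why. The commands below are an added example, not part of the original post, and use the object names defined above. Lines starting with # are annotations.

```nscli
# Confirm the objects and bindings as the NetScaler actually sees them.
show authentication ldapAction vslb-ldap-remoteusers
show authentication ldapPolicy LDAP_POL_ADMINS
show system global
show system group NetscalerAdmins

# Watch the authentication daemon live while a test user logs on.
# /tmp/aaad.debug is a named pipe, so cat blocks and prints each step as it happens:
# the bind with the service account, the search, the group extraction from memberOf.
# Ctrl-C to stop. A wrong search filter shows up as the user not being found, before
# any password is checked; a wrong bind DN or password fails at the first step.
shell
cat /tmp/aaad.debug
```

Run the trace in one session and perform the logon from another; reading the group names it prints is also the quickest way to check that the system group name matches the extracted cn exactly.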


Trackback: citrixguru.com/2016/01/04/lab-part-19-configure-active-directory-authenticationldap-with-citrix-netscaler-11/