Citrix Systems CITRIX NETSCALER 9.3 manual Configuring Ldap Authentication

Page 38

Chapter 1 Authentication and Authorization

authentication policies are bound to the system, users are authenticated by the onboard system.

Note: User accounts must be configured on the NetScaler appliance before users can be externally authenticated. You must first create an onboard system user for all users who will access the appliance, so that you can bind command policies to the user accounts. Regardless of the authentication source, users cannot log on if they are not granted sufficient command authorization through command policies bound to their user accounts or to a group of which they are a member.

Configuring LDAP Authentication

You can configure the NetScaler to authenticate user access with one or more LDAP servers. LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the NetScaler. The characters and case must also be the same.

By default, LDAP authentication is secured by using the SSL/TLS protocol. There are two types of secure LDAP connections. In the first type, the LDAP server accepts the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After users establish the SSL/TLS connection, LDAP traffic can be sent over the connection. The second type allows both unsecure and secure LDAP connections and is handled by a single port on the server. In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports StartTLS, the connection is converted to a secure LDAP connection by using TLS.

The port numbers for LDAP connections are:

- 389 for unsecured LDAP connections
- 636 for secure LDAP connections
- 3268 for Microsoft unsecure LDAP connections
- 3269 for Microsoft secure LDAP connections

LDAP connections that use the StartTLS command use port number 389. If port numbers 389 or 3268 are configured on the NetScaler, it tries to use StartTLS to make the connection. If any other port number is used, connection attempts use SSL/TLS. If StartTLS or SSL/TLS cannot be used, the connection fails.
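The port rule and the StartTLS exchange described above, as an added example (not code from the Citrix manual): the Python below applies the same selection rule (ports 389 and 3268 attempt StartTLS on the clear connection, any other port is treated as an SSL/TLS-wrapped port), builds the StartTLS ExtendedRequest that the client sends, parses the server's ExtendedResponse, and fails the connection unless the server agreed, with no fallback to clear text. The server reply is constructed inline for the demonstration; the function names are this example's own. The StartTLS OID 1.3.6.1.4.1.1466.20037 and the BER tags used here are those defined in RFC 4511.

```python
"""StartTLS vs SSL/TLS selection by port, plus the StartTLS extended operation as BER bytes.
Added example; the server reply is constructed here, not captured from a real server."""
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)


def select_ldap_security(port: int) -> str:
    """Port rule from the manual: 389 and 3268 negotiate StartTLS on the clear port;
    any other port is treated as an SSL/TLS (LDAPS) port."""
    return "starttls" if port in (389, 3268) else "ssl/tls"


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED content octets."""
    return value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))  # 0x77 = [APPLICATION 23]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_req)  # outer SEQUENCE


def build_starttls_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed server reply for the offline demonstration (shape of a real ExtendedResponse)."""
    ext_resp = _tlv(0x78,                                  # 0x78 = [APPLICATION 24]
                    _tlv(0x0A, _ber_int(result_code))      # resultCode ENUMERATED
                    + _tlv(0x04, b"")                      # matchedDN
                    + _tlv(0x04, diagnostic.encode())      # diagnosticMessage
                    + _tlv(0x8A, STARTTLS_OID.encode()))   # [10] responseName
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_resp)


def parse_starttls_response(data: bytes) -> dict:
    """Parse the ExtendedResponse and report whether the server agreed to switch to TLS."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id_raw, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code_raw, pos = _read_tlv(resp, 0)      # resultCode
    _, _matched_dn, pos = _read_tlv(resp, pos)  # matchedDN (unused here)
    _, diag, pos = _read_tlv(resp, pos)         # diagnosticMessage
    response_name = None
    while pos < len(resp):                      # optional trailing fields: referral, responseName, responseValue
        tag, content, pos = _read_tlv(resp, pos)
        if tag == 0x8A:
            response_name = content.decode("ascii")
    code = int.from_bytes(code_raw, "big", signed=True)
    return {"message_id": int.from_bytes(msg_id_raw, "big", signed=True), "result_code": code,
            "diagnostic": diag.decode("utf-8", "replace"), "response_name": response_name,
            "tls_ok": code == 0}


def negotiate(port: int, server_reply: Optional[bytes] = None, message_id: int = 1) -> dict:
    """Decide the connection mode for a port and, for StartTLS, check the server's answer.
    Any refusal aborts the connection: the manual allows no clear-text fallback."""
    mode = select_ldap_security(port)
    if mode == "ssl/tls":
        # LDAPS: the socket is wrapped in TLS before any LDAP PDU is sent; no StartTLS needed.
        return {"mode": mode, "request": None, "tls_established": True}
    request = build_starttls_request(message_id)  # sent on the clear connection first
    if server_reply is None:
        raise ConnectionError("no StartTLS response; connection fails")
    reply = parse_starttls_response(server_reply)
    if reply["message_id"] != message_id or not reply["tls_ok"]:
        raise ConnectionError(f"StartTLS refused, resultCode={reply['result_code']} ({reply['diagnostic']})")
    return {"mode": mode, "request": request, "tls_established": True}


if __name__ == "__main__":
    print(build_starttls_request(1).hex())
    print(negotiate(389, build_starttls_response(1, 0)))
    print(negotiate(636))
```

On a live connection the next step after a successful StartTLS reply is to wrap the same socket in TLS (for example with `ssl.SSLContext.wrap_socket`) and only then send the bind; the NetScaler's observable behaviour matches `negotiate` in that a server which answers the StartTLS request with a non-zero resultCode is treated as unreachable rather than used in clear text.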

When configuring the LDAP server, the case of the alphabetic characters must match that on the server and on the NetScaler. If the root directory of the LDAP server is specified, all of the subdirectories are also searched to find the user attribute. In large directories, this can affect performance. For this reason, Citrix recommends that you use a specific organizational unit (OU).

The following table lists examples of user attribute fields for LDAP servers.

