Citrix Systems CITRIX NETSCALER 9.3 manual Configuring LDAP Authentication

Models: CITRIX NETSCALER 9.3


Chapter 1 Authentication and Authorization

authentication policies are bound to the system, users are authenticated by the onboard system.

Note: User accounts must be configured on the NetScaler appliance before users can be externally authenticated. You must first create an onboard system user for all users who will access the appliance, so that you can bind command policies to the user accounts. Regardless of the authentication source, users cannot log on if they are not granted sufficient command authorization through command policies bound to their user accounts or to a group of which they are a member.

Configuring LDAP Authentication

You can configure the NetScaler to authenticate user access against one or more LDAP servers. LDAP authorization requires that group names be identical on the LDAP server (for example, Active Directory) and on the NetScaler: the characters and their case must match exactly.

By default, LDAP authentication is secured with SSL/TLS. There are two types of secure LDAP connection. In the first type (LDAPS), the LDAP server accepts the SSL/TLS connection on a port separate from the port used for clear LDAP connections; once the SSL/TLS session is established, LDAP traffic is sent over it. In the second type (StartTLS), both unsecured and secure connections are handled by a single server port. To create a secure connection, the client first establishes a clear LDAP connection and then sends the StartTLS extended operation to the server over that connection. If the LDAP server supports StartTLS, the connection is upgraded to TLS before any credentials are sent.

The port numbers for LDAP connections are:

- 389 for unsecured LDAP connections
- 636 for secure LDAP connections (LDAPS)
- 3268 for Microsoft Global Catalog unsecured LDAP connections
- 3269 for Microsoft Global Catalog secure LDAP connections

LDAP connections that use StartTLS run over port 389 (or 3268 for the Global Catalog). If port 389 or 3268 is configured on the NetScaler, it attempts StartTLS on the clear connection. If any other port number is configured, it negotiates SSL/TLS from the first byte (LDAPS). There is no fallback to clear LDAP: if StartTLS or SSL/TLS cannot be negotiated, the connection fails.
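The two connection types and the port rule above, as an added example that is not Citrix code or part of the original manual. The script applies the same decision the NetScaler makes (389 or 3268 means clear connect then StartTLS; any other port means TLS first) and never falls back to clear LDAP. It hand-encodes the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511/4513) so you can see what actually crosses the wire before the TLS handshake; the two sample server responses are constructed here, not captured from a real server, and the host name in the usage note is a placeholder.

```python
"""Probe an LDAP server with the NetScaler port rule: StartTLS on 389/3268, LDAPS elsewhere."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def _ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))            # 0x60|23 constructed, [0] primitive
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)  # msg_id assumed < 128 here


def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Decode ExtendedResponse [APPLICATION 24]: resultCode, matchedDN, diagnosticMessage."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:                                       # 0x60|24
        raise ValueError("protocolOp %#x is not an ExtendedResponse" % tag)
    tag, code, pos = _read_tlv(body)                      # resultCode ENUMERATED (0x0A)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched, pos = _read_tlv(body, pos)               # matchedDN OCTET STRING
    _, diag, pos = _read_tlv(body, pos)                   # diagnosticMessage OCTET STRING
    return {"msg_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def plan_connection(port):
    """The NetScaler rule from the text: 389/3268 -> StartTLS, any other port -> LDAPS."""
    return "starttls" if port in (389, 3268) else "ldaps"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during StartTLS")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage (handles long-form lengths)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def probe(host, port, timeout=5.0):
    """Open a secure LDAP session to host:port, verifying the cert; return the TLS version."""
    ctx = ssl.create_default_context()                    # verifies chain and host name
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if plan_connection(port) == "starttls":
            sock.sendall(build_starttls_request())
            resp = parse_extended_response(_recv_message(sock))
            if resp["result_code"] != 0:                  # no clear-text fallback, like the NetScaler
                raise ConnectionError("StartTLS refused: %d %s"
                                      % (resp["result_code"], resp["diagnostic"]))
    except Exception:
        sock.close()
        raise
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.version()


# Constructed sample responses (not captured from a real server).
# Success with the responseName [10] echoed, as OpenLDAP does; and a refusal (protocolError = 2).
SAMPLE_STARTTLS_OK = bytes.fromhex(
    "3024020101781f0a0100040004008a16" "312e332e362e312e342e312e313436362e3230303337")
SAMPLE_STARTTLS_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x02") + _tlv(0x04, b"") + _tlv(0x04, b"unsupported extended operation")))
```

Usage: `probe("dc01.example.com", 389)` sends the StartTLS request and only then starts the TLS handshake; `probe("dc01.example.com", 636)` starts TLS immediately. Either way a server that cannot negotiate TLS causes an exception rather than a clear-text bind, which is the behaviour the NetScaler rule prescribes. Because `ssl.create_default_context()` verifies the server certificate, a probe that fails with a certificate error is a sign the CA certificate also needs to be installed on the appliance before the LDAP action will work.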

When configuring the LDAP server, the case of alphabetic characters in names must match between the LDAP server and the NetScaler. If you specify the root of the directory as the search base, every subtree beneath it is searched to find the user attribute; in a large directory this affects performance. For this reason, Citrix recommends using a specific organizational unit (OU) as the base.

The following table lists examples of user attribute fields for LDAP servers.
