LDAP authentication for Netscaler GUI or Management

A very common request a NetScaler admin receives in an enterprise is to let administrators log in to the management interface with their own LDAP (Active Directory) accounts. This post covers the complete steps. Per-user LDAP logins avoid sharing the nsroot password and give you an audit trail of who logged in; the change is simple and can be made on a running appliance without impacting traffic. Some people are nervous about binding the LDAP policy globally, but the global binding under System authentication only enables LDAP as an authentication source for management access (GUI, SSH and the NITRO API); it does not remove or change the local nsroot account, so you are not locked out if the LDAP server is unreachable.

Pre-Requisites

  • LDAP or AD server IP
  • One domain service account and its password for the LDAP bind : nsldap@sslab.com (an ordinary low-privilege, read-only user is enough; do not use a Domain Admin, because this password is stored in the NetScaler config)
  • Domain base DN : dc=sslab,dc=com
  • One domain group with the NetScaler admins added to it : NS-Admins
  • TCP 389 opened on the firewall between the NSIP and the LDAP server IP (TCP 636 if you use LDAPS, see the note on the connection type below)

Creating LDAP Server and Policy

Create an LDAP server object so that the NetScaler can talk to the directory. The NSIP is the source address for this communication, which is why the firewall rule above is between the NSIP and the LDAP server.

System- Authentication – Basic Policies – LDAP – Server – ADD

Provide the details below and click Test Connection. It should show green with every step of the connection test successful (TCP connect, bind with the service account, and base DN search).

  • Name : LDAP-SRV
  • Select IP : 192.168.1.xx (the LDAP server)
  • Type : plain text (note: with plain text the bind password and every admin's login password cross the network unencrypted on TCP 389; where the domain controllers have a certificate, choose SSL on port 636 or TLS instead, the rest of the steps are the same)
  • Port : 389
  • Server Type : AD
  • Base DN : dc=sslab,dc=com
  • Administrator Bind DN : nsldap@sslab.com (AD accepts the UPN form for a simple bind)
  • Administrator Password : password of the nsldap account

Scroll down. Once the test is successful the NetScaler can pull the AD attributes. Select the attributes as shown below and click Create:

  • Server Logon Name Attribute : sAMAccountName (the user types just the username, not the UPN)
  • Group Attribute : memberOf
  • Sub Attribute Name : cn (the NetScaler takes each group DN in memberOf and extracts its cn, which is the name it matches against the groups you create later)

The LDAP server will then show in the list as below.

Now click Policies next to Server and click Add.

Provide the information below and click Create:

  • Name : LDAP-Pol
  • Server : LDAP-SRV (created above)
  • Expression : ns_true (classic expression, so the policy applies to every login attempt)

With this the LDAP policy is created.

Binding LDAP policy to Global

Select the policy you just created as shown below and click Global Bindings.

Click to select – Select Policy – Select.

Review the policy to be bound globally, so that the NetScaler uses it for management GUI authentication.

Review and click Done.

Adding AD Group and Roles

Now go to System – User Administration – Groups – Add.

Enter the AD group name as the Name (NS-Admins). The name must match the cn of the AD group exactly, including case, because that is the value extracted by the sub attribute configured above; a mismatch means the user authenticates but gets no role. Click Bind under Command Policies.

Select the command policy you want to give this group of users. The built-in policies are superuser, sysadmin, operator, network and read-only; in my case sysadmin. Give admins the least privilege they need rather than superuser by default.

Review the group name and the command policy and click Create.

Now the AD group will show as below. With this, members of the group will have admin access.
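The same configuration from the NetScaler command line (SSH to the NSIP), as an added example that is not part of the original post. It mirrors the GUI steps above one for one; the LDAP server IP and the bind password are placeholders, and the lines starting with # are comments, including a commented LDAPS variant that the post itself does not use.

```nscli
# 1. LDAP server object (System > Authentication > Basic Policies > LDAP > Server)
#    Plain text on 389 exactly as in the post. <LDAP-SERVER-IP> and <BIND-PASSWORD> are placeholders.
add authentication ldapAction LDAP-SRV -serverIP <LDAP-SERVER-IP> -serverPort 389 -secType PLAINTEXT -ldapBase "dc=sslab,dc=com" -ldapBindDn "nsldap@sslab.com" -ldapBindDnPassword "<BIND-PASSWORD>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

#    Hardened variant (LDAPS on 636, server certificate checked); use instead of the line above if
#    the domain controllers have a certificate the NetScaler can validate:
# add authentication ldapAction LDAP-SRV -serverIP <LDAP-SERVER-IP> -serverPort 636 -secType SSL -validateServerCert YES -ldapBase "dc=sslab,dc=com" -ldapBindDn "nsldap@sslab.com" -ldapBindDnPassword "<BIND-PASSWORD>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

# 2. Policy with the classic expression ns_true, pointing at the server object
add authentication ldapPolicy LDAP-Pol ns_true LDAP-SRV

# 3. Global binding for management (system) authentication
bind system global LDAP-Pol -priority 100

# 4. System group named exactly like the AD group cn, with the sysadmin command policy
add system group NS-Admins
bind system group NS-Admins -policyName sysadmin -priority 100

# 5. Verify what was configured, then persist it
show authentication ldapAction LDAP-SRV
show authentication ldapPolicy LDAP-Pol
show system global
show system group NS-Admins
save ns config
```

Two things worth knowing when you go beyond this minimal setup. First, memberOf only lists direct memberships, so an admin who is in NS-Admins only through a nested group will not get the role unless nested group extraction is enabled on the ldapAction (the `-nestedGroupExtraction ON` parameter). Second, the bind password is written to ns.conf in encrypted form, which is another reason the nsldap account should be a plain read-only user and not itself a member of NS-Admins.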

Login and Test

Log in to the NetScaler with an LDAP user. In my case nsldap is a member of NS-Admins.

User Login details can be seen as below.

Hope this post is useful. Leave your suggestions and comments below.

Siva Sankar

Siva Sankar works as a Solution Architect in Abu Dhabi with a primary focus on SDDC, mobility, virtualization, VDI, HCI and network virtualization products from VMware, Citrix and Microsoft.
