LDAP authentication for Netscaler GUI or Management
A very common request a NetScaler admin receives in enterprises is to let admins whose accounts live in LDAP (Active Directory) manage the NetScaler with those accounts. This post covers the complete steps. It avoids sharing the nsroot password, it is simple, and doing it on a running setup does not impact traffic. Some people are afraid to bind the LDAP policy globally, but binding under System Global only makes the NetScaler evaluate that policy for management logins (GUI, SSH and the NITRO API). It does not touch AAA or Gateway virtual servers, and local accounts such as nsroot keep working by default, so you do not lock yourself out as long as you keep a local admin account and its password.
Pre-Requisites
- LDAP or AD server IP (or DNS name)
- One domain user account for the bind, with its password: nsldap@sslab.com. A plain domain user is enough; it only needs read access to users and groups, so in production use a dedicated account that is not itself a domain admin or NetScaler admin.
- Domain DN (Base DN): dc=sslab,dc=com
- One domain group with the NetScaler admins added to it: NS-Admins
- TCP 389 opened on the firewall from the NSIP to the LDAP server IP (TCP 636 if you use LDAPS)
Creating the LDAP Server and Policy
Create an LDAP server (an LDAP action in CLI terms) so that the NetScaler can talk to the domain controller. The NSIP is the source address of this traffic, which is why the firewall rule above is from the NSIP.
System - Authentication - Basic Policies - LDAP - Servers - Add
Provide the details below and click Test Connection. It should show green with all connection checks successful; if it fails, check the firewall rule, the bind account password and the Base DN before going further.
- Name: LDAP-SRV
- Select IP: 192.168.1.xx
- Security Type: PLAINTEXT
- Port: 389
- Server Type: AD
- Base DN: dc=sslab,dc=com
- Administrator Bind DN: nsldap@sslab.com (AD accepts the UPN form; a full DN such as cn=nsldap,cn=Users,dc=sslab,dc=com also works)
- Administrator Password: the password of the nsldap account
Note that PLAINTEXT on port 389 sends the bind password, and every admin's password at login, across the network unencrypted. It is fine for a lab, but in production choose Security Type SSL with port 636 (LDAPS) or TLS (StartTLS on 389), install the CA certificate of the domain controller on the NetScaler and enable server certificate validation, so that a spoofed LDAP server cannot harvest admin passwords.
Scroll down. Once the test is successful the NetScaler can pull AD attributes; select them as shown below and click Create.
- Server Logon Name Attribute: samAccountName
- Group Attribute: memberOf
- Sub Attribute Name: cn
These three settings define how a login maps to a role: the user is looked up by samAccountName, the NetScaler reads the DNs in the user's memberOf attribute, and it takes the cn part of each DN (for example NS-Admins from cn=NS-Admins,ou=Groups,dc=sslab,dc=com) as the group name to match against the system groups created later. Only direct group membership is seen this way unless nested group extraction is enabled on the server.
LDAP server will show as below.
Now click Policies next to Servers, then Add.
Provide the information below and click Create.
- Name: LDAP-Pol
- Server: LDAP-SRV (created above)
- Expression: ns_true (a classic expression that matches every login attempt)
With this the LDAP policy is created.
Binding the LDAP Policy to System Global
Select the same policy as shown below and click Global Bindings.
Click to select - Select Policy - Select
Review the policy to be bound to System Global, so that the NetScaler uses it for management GUI authentication. Leave the priority at its default unless you have more than one authentication policy bound; the lowest priority number is evaluated first.
Review and click Done.
Adding the AD Group and Roles
Now go to System - User Administration - Groups - Add.
Provide the AD group name as the Name (NS-Admins). It must match the cn of the AD group exactly, because the NetScaler compares the cn extracted from memberOf with this name. Then click Bind under Command Policies.
Select the command policy you want to give this group of users; in my case sysadmin. The built-in policies are superuser, sysadmin, operator, read-only and network, so create a second AD group bound to read-only or operator for people who only need to view the configuration rather than give everyone sysadmin.
Review the group name and role and click Create.
The AD group will now show as below. With this, members of the group have admin access.
Login and Test
Log in to the NetScaler with an LDAP user. In my case nsldap is a member of NS-Admins, so the bind account doubles as the test user in this lab.
The user's login details can be seen as below. If the login fails, compare the group name shown under System - User Administration - Groups with the cn of the AD group, and confirm the user is a direct member of it.
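For reference, here is the same configuration as NetScaler CLI commands typed over SSH to the NSIP. This is an added example and not part of the original post. It uses the names from the post (LDAP-SRV, LDAP-Pol, NS-Admins, dc=sslab,dc=com, the 192.168.1.xx server address); the password placeholder, the domain controller hostname dc01.sslab.com and the CA certificate file name ad-root-ca.cer are assumptions for illustration. The first ldapAction is the post's plain-text setup; the second is the hardened LDAPS variant.

```text
# 1. LDAP action (server) exactly as configured in the post: plain text on TCP 389
add authentication ldapAction LDAP-SRV -serverIP 192.168.1.xx -serverPort 389 -secType PLAINTEXT -svrType AD -ldapBase "dc=sslab,dc=com" -ldapBindDn "nsldap@sslab.com" -ldapBindDnPassword <password> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName cn

# 1b. Hardened variant: LDAPS on TCP 636 with server certificate validation.
#     The CA that issued the domain controller's certificate must be installed first
#     (file name is a placeholder), and -ldapHostname must match the name in that certificate.
add ssl certKey AD-Root-CA -cert ad-root-ca.cer
add authentication ldapAction LDAP-SRV-LDAPS -serverIP 192.168.1.xx -serverPort 636 -secType SSL -svrType AD -ldapBase "dc=sslab,dc=com" -ldapBindDn "nsldap@sslab.com" -ldapBindDnPassword <password> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName cn -validateServerCert YES -ldapHostname dc01.sslab.com

# 2. Policy that sends every management login to the server (classic expression, as in the post).
#    On newer firmware use an advanced policy instead:
#    add authentication Policy LDAP-Pol -rule true -action LDAP-SRV
add authentication ldapPolicy LDAP-Pol ns_true LDAP-SRV

# 3. Bind the policy to System Global; this affects management logins only (GUI, SSH, NITRO)
bind system global LDAP-Pol -priority 100

# 4. System group named exactly like the AD group's cn, bound to the sysadmin command policy
add system group NS-Admins
bind system group NS-Admins -policyName sysadmin 100

# Keep local accounts (nsroot) usable even when the domain controller is unreachable (this is the default)
set system parameter -localAuth ENABLED

save ns config

# Verification
show authentication ldapAction LDAP-SRV
show system group NS-Admins
show system session
```

Run the commands one by one the first time so that a typo in the ldapAction is caught before the global bind; until `bind system global` is executed, nothing about the way you log in changes, and after it you can still log in as nsroot to roll back with `unbind system global LDAP-Pol`.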
Hope this post is useful. Leave your suggestions and comments below.
Appreciating the hard work you put into your site and the detailed information you present. It's awesome to come across a blog every once in a while that isn't the same out-of-date rehashed information. Wonderful read! I've saved your site and I'm including your RSS feeds to my Google account.
Hi Siva,
I forgot my LDAP password used on NetScaler VPX. Now I need to reset it on both NS and AD.
Is there any risk in doing the reset? Or any mandatory steps to be followed?
rgds
Manish
Dear
You can reset it on AD and change it in the NetScaler. Make sure that you are using this account only for the NetScaler LDAP integration.
thanks,
siva
Great article, thank you Siva Sankar. One thing I would like to highlight is that the User Administration group that you create should match the AD group name.
True, and I agree.