The very common request a netscaler admin receive in enterprises is to allow admins who’s accouts are part of LDAP for netscaler management. This post will cover the complete steps for you. This will avoid password sharing, its very simple and doing below even in a running setup will not impact. Some people are scared to bind ldap policy to global, But this just allow netscaler to LDAP policy globally and its safe to do.
- LDAP or AD Server IP
- One domain user account with password : firstname.lastname@example.org
- Domain DN : dc=sslab,dc=com
- One Domain Group with Netscaler admins added to it : NS-Admins
- TCP_389 Firewall port opened between NSIP and LDAP server IP
Creating LDAP Server and Policy
Create a LDAP server so that Netscaler can talk to the LDAP server. NSIP will be used for this communication
System- Authentication – Basic Policies – LDAP – Server – ADD
Provide below details and select Test Connection, It should show green with all the connection status successful
- Name : LDAP-SRV
- Select IP: 192.168.1.xx
- Type : plain text
- Port : 389
- Server Type : AD
- Base DN : dc=sslab,dc=com
- Administrator Bind DN : email@example.com
- Admin password: password for nsldap account
Scroll Down, Once it is successful Netscaler can pull AD attributes, select as shown below- Create
- Logon Name attribute : samAccountName
- Group Attribute : Member OF
- Sub Attribute: cn
LDAP server will show as below.
Now click on Policies next to server – ADD
Provide below information and create
- Name : LDAP-Pol
- Server: LDAP-SRV ( created before)
- Expression: ns_true
With this the LDAP policy is created.
Binding LDAP policy to Global
Select the same policy as shown below and click Global Bindings
Click to select – Select Policy – Select
Review the Policy to Bind as global, so that netscaler can use this for management gui authentication.
Review and click Done
Adding AD Group and Roles
Now go to System – User administration – Groups – ADD
Provide the AD group as Name (NS-Admins), Click Bind under command policies
Select the roles you would like to give for these group of users , in my case sysadmins
Review the Group Name, Role and Create
Now AD group will show as below. With this users will have admin access
Login and Test
Login to netscaler with ldap user. In my case nsldap is member of NS-Admins
User Login details can be seen as below.
Hope this post is useful. Leave your suggestions and comments below.