LDAP authentication for Netscaler GUI or Management

A very common request a NetScaler admin receives in enterprises is to allow admins whose accounts are in LDAP to manage the NetScaler. This post covers the complete steps. This avoids password sharing, it is very simple, and doing the steps below even on a running setup will not cause any impact. Some people are scared to bind the LDAP policy globally, but this only allows NetScaler to use the LDAP policy globally, and it is safe to do.

Pre-Requisites

  • LDAP or AD server IP
  • One domain user account with its password: nsldap@sslab.com
  • Domain DN: dc=sslab,dc=com
  • One domain group with the NetScaler admins added to it: NS-Admins
  • Firewall port TCP 389 opened between the NSIP and the LDAP server IP

Creating LDAP Server and Policy

Create an LDAP server object so that NetScaler can talk to the LDAP server. The NSIP is used for this communication.

System – Authentication – Basic Policies – LDAP – Server – ADD

Provide the details below and select Test Connection. It should show green, with every connection status successful.

  • Name: LDAP-SRV
  • Select IP: 192.168.1.xx
  • Type: Plain text
  • Port: 389
  • Server Type: AD
  • Base DN: dc=sslab,dc=com
  • Administrator Bind DN: nsldap@sslab.com
  • Admin password: the password of the nsldap account

Scroll down. Once the connection test is successful, NetScaler can pull AD attributes; select the values shown below and click Create.

  • Logon Name Attribute: samAccountName
  • Group Attribute: memberOf
  • Sub Attribute: cn

The LDAP server will be listed as shown below.


Now click Policies next to Server – ADD

Provide the information below and click Create.

  • Name: LDAP-Pol
  • Server: LDAP-SRV (created earlier)
  • Expression: ns_true

With this the LDAP policy is created.

Binding LDAP policy to Global

Select the policy just created, as shown below, and click Global Bindings.

Click to select, choose the policy, and click Select.

Review the policy to bind globally, so that NetScaler can use it for management GUI authentication.

Review and click Done.

Adding AD Group and Roles

Now go to System – User Administration – Groups – ADD

Enter the AD group name as the Name (NS-Admins), then click Bind under Command Policies.

Select the roles you would like to give to this group of users; in my case, sysadmin.

Review the group name and role, and click Create.

The AD group now shows as below. With this, users in the group have admin access.
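The group lookup the post configures (Group Attribute memberOf, Sub Attribute cn, compared against the system group NS-Admins), modelled in Python as an added example that is not part of the original post or of NetScaler's own code. The LDAP data is constructed, and an exact, case-sensitive match of the group name is an assumption of the model.

```python
from typing import List, Optional, Set

# Constructed sample of the attributes an AD search for the nsldap user could return.
SAMPLE_USER = {
    "sAMAccountName": "nsldap",
    "memberOf": [
        "CN=NS-Admins,OU=Groups,DC=sslab,DC=com",
        "CN=Domain Users,CN=Users,DC=sslab,DC=com",
        # a group whose cn contains a comma, which a DN carries escaped as "\,"
        "CN=Ops\\, Team,OU=Groups,DC=sslab,DC=com",
    ],
}

def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas; "\\," and "\\\\" escapes are
    resolved, RFC 4514 hex escapes are not handled in this model."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns

def sub_attribute(dn: str, attr: str = "cn") -> Optional[str]:
    """Value of the first RDN named `attr` (case-insensitive): the Sub Attribute step."""
    for rdn in split_rdns(dn):
        name, sep, value = rdn.partition("=")
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    return None

def group_names(user: dict, group_attr: str = "memberOf", sub_attr: str = "cn") -> Set[str]:
    """Group names taken from every value of the Group Attribute."""
    return {n for n in (sub_attribute(dn, sub_attr) for dn in user.get(group_attr, [])) if n}

def matched_system_groups(user: dict, system_groups: List[str]) -> List[str]:
    """NetScaler system groups the user falls into. The model assumes an exact,
    case-sensitive match, so the system group must be named like the AD group."""
    names = group_names(user)
    return sorted(g for g in system_groups if g in names)
```

Running `matched_system_groups(SAMPLE_USER, ["NS-Admins"])` returns `["NS-Admins"]`, while a system group named `ns-admins` would not match in this model.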

Login and Test

Log in to NetScaler with an LDAP user. In my case, nsldap is a member of NS-Admins.

The user login details can be seen below.

Hope this post is useful. Leave your suggestions and comments below.

Siva Sankar

Siva Sankar works as a Solution Architect in Abu Dhabi with a primary focus on SDDC, Automation, Network Virtualization, Digital Workspace, VDI, HCI and Virtualization products from VMware, Citrix and Microsoft.

5 thoughts on “LDAP authentication for Netscaler GUI or Management”

  • December 25, 2019 at 6:36 am

    Appreciating the hard work you put into your site and detailed information you
    present. It’s awesome to come across a blog every once in a while that isn’t the same
    out of date rehashed information. Wonderful read!
    I’ve saved your site and I’m including your RSS
    feeds to my Google account.

  • May 2, 2020 at 6:47 pm

    Hi Siva,
    I forgot the LDAP password used on NetScaler VPX. Now I need to reset it on both NS and AD.

    Is there any risk in doing the reset? Or any mandatory steps to be followed?

    rgds
    Manish

    • May 13, 2020 at 1:25 pm

      Dear

      You can reset it on AD and change it in NetScaler. Make sure that you are using this account only for the NetScaler LDAP integration.

      thanks,
      siva

  • April 1, 2022 at 4:59 pm

    Great article, thank you Siva Sankar. One thing I would like to highlight is the User Administration group that you create should match the AD group name.

