You can configure the Access Gateway to authenticate user access with one or more LDAP servers. If a user is not located in an LDAP directory or fails authentication on a server, the Access Gateway checks the user against the user information stored locally on the Access Gateway.
LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the Access Gateway. The characters and case must also be the same.
By default, LDAP authentication is secured with SSL/TLS. There are two types of secure LDAP connection. With the first (commonly called LDAPS), the LDAP server accepts the SSL/TLS connection on a port separate from the port used for clear LDAP connections; once the client has established the SSL/TLS connection, LDAP traffic is sent over it. With the second, a single server port accepts both unsecure and secure connections: the client first establishes a clear LDAP connection and then sends the StartTLS extended operation to the server over that connection. If the LDAP server supports StartTLS, the connection is converted to a secure LDAP connection using TLS.
The port numbers for LDAP connections are:
• 389 for unsecured LDAP connections
• 636 for secure LDAP connections
• 3268 for Microsoft unsecure LDAP connections
• 3269 for Microsoft secure LDAP connections
LDAP connections that use StartTLS are made on port 389. If port 389 or 3268 is configured on the Access Gateway, it attempts StartTLS to secure the connection; on any other port it attempts an SSL/TLS (LDAPS) connection. If the server does not support the method chosen for that port, the connection fails.
Note When upgrading the Access Gateway from Version 4.0 or 4.1 with an LDAP realm already configured, LDAP connections remain unsecure by default. For a new installation of the Access Gateway, or a newly created LDAP realm, LDAP connections are secure by default.
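The StartTLS step described above, shown at the wire level as an added example (not code from the original guide or from Citrix): it builds the StartTLS extended request the client sends over the clear connection, decodes the server's extended response, and applies the port rule stated in the text. Message framing follows RFC 4511; the two server replies at the end are constructed for the example, not captured from a real server, and the socket helper is an assumption about how a client would combine these pieces.

```python
"""Wire-level StartTLS step (added example, not Citrix code).

Framing follows RFC 4511: LDAPMessage { messageID, protocolOp }, with
ExtendedRequest = [APPLICATION 23] (tag 0x77) and ExtendedResponse =
[APPLICATION 24] (tag 0x78). The StartTLS OID is 1.3.6.1.4.1.1466.20037.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def build_starttls_request(message_id=1):
    """ExtendedRequest carrying only requestName [0] (context tag 0x80)."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID.encode("ascii")))
    msg_id = ber_tlv(0x02, bytes([message_id]))
    return ber_tlv(0x30, msg_id + ext_req)


def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """Decode resultCode, matchedDN and diagnosticMessage from the reply."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % op_tag)
    _, code, pos = ber_read(op)          # resultCode ENUMERATED
    _, matched, pos = ber_read(op, pos)  # matchedDN
    _, diag, _ = ber_read(op, pos)       # diagnosticMessage
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8")}


def starttls_allowed(reply):
    """Only resultCode 0 permits the TLS handshake. Any other code means the
    server did not upgrade the connection, so the client must fail rather
    than keep talking LDAP in clear text."""
    return parse_extended_response(reply)["result_code"] == 0


def security_mode(port):
    """Port rule from the text: 389 and 3268 negotiate StartTLS, any other
    port is treated as SSL/TLS from the first byte."""
    return "starttls" if port in (389, 3268) else "ssl"


def secure_connect(host, port, timeout=5.0):
    """Assumed client flow (not from the page): clear TCP connect, StartTLS
    when the port calls for it, then a certificate-verified TLS handshake."""
    ctx = ssl.create_default_context()     # verifies the server certificate
    sock = socket.create_connection((host, port), timeout=timeout)
    if security_mode(port) == "starttls":
        sock.sendall(build_starttls_request())
        reply = sock.recv(4096)            # one small reply; no reassembly
        if not starttls_allowed(reply):
            sock.close()
            raise ConnectionError("StartTLS refused: "
                                  + parse_extended_response(reply)["diagnostic"])
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed server replies (not captured from a real server).
STARTTLS_OK = bytes.fromhex("300c020101" "7807" "0a0100" "0400" "0400")
STARTTLS_UNSUPPORTED = (bytes.fromhex("302a020101" "7825" "0a0102" "0400" "041e")
                        + b"unsupported extended operation")
```

The request `build_starttls_request()` produces is the fixed 31-byte message every StartTLS-capable client sends; the reply with resultCode 2 (protocolError) is what a server that does not support the operation returns, and `starttls_allowed` turns that into a hard failure, which is the behaviour the text describes for a port where neither StartTLS nor SSL/TLS can be used.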
When configuring the LDAP server, the letter case of the settings must match on the server and on the Access Gateway. If the root of the LDAP directory is specified as the base DN, all of its subtrees are also searched to find the user attribute. In large directories this affects performance, so Citrix recommends that you use a specific organizational unit (OU) as the base DN.
The following table contains examples of the user attribute field for each LDAP server:

LDAP Server                              User Attribute   Case Sensitive
Microsoft Active Directory Server        sAMAccountName   No
Novell eDirectory                        cn               Yes
IBM Directory Server                     uid
Lotus Domino                             CN
Sun ONE directory (formerly iPlanet)     uid or cn        Yes

This table contains examples of the base DN:

LDAP Server                              Base DN
Microsoft Active Directory Server        DC=citrix, DC=local
Novell eDirectory                        dc=citrix,dc=net
IBM Directory Server
Lotus Domino                             OU=City, O=Citrix, C=US
Sun ONE directory (formerly iPlanet)     ou=People,dc=citrix,dc=com

The following table contains examples of the bind DN:

LDAP Server                              Bind DN
Microsoft Active Directory Server        CN=Administrator, CN=Users, DC=citrix, DC=local
Novell eDirectory                        cn=admin, dc=citrix, dc=net
IBM Directory Server
Lotus Domino                             CN=Notes Administrator, O=Citrix, C=US
Sun ONE directory (formerly iPlanet)     uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
Note For further information regarding LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 83.
To create an LDAP authentication realm
1. Click the Authentication tab.
2. Under Add an Authentication Realm, in Realm name, type a name for the authentication realm.
If your site has multiple authentication realms, you might use a name that identifies the LDAP realm for which you specify settings. Realm names are case-sensitive and can contain spaces.
3. Select One Source and click Add.
4. In Select Authentication Type, in Authentication type, choose LDAP authentication and click OK.
The Realm dialog box opens.
After creating the realm, configure LDAP authentication.
To configure LDAP authentication
1. In IP Address, type the IP address of the LDAP server.
2. In Port, type the port number.
The LDAP server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP server port to 3268 significantly increases the speed of the LDAP queries. Note that the Global Catalog holds a partial, read-only attribute set for every object in the forest, so an attribute that is not replicated to it cannot be returned by a query on port 3268.
If your directory is not indexed, Citrix recommends that you use an administrative (bound) connection rather than an anonymous connection from the Access Gateway to the directory. Download performance improves when you use an administrative connection.
3. Do one of the following:
• To allow unsecure LDAP connections, select Allow Unsecure Connection.
• To require secure LDAP connections, clear Allow Unsecure Connection.
When this check box is clear, all LDAP connections are secure: StartTLS on port 389 or 3268, SSL/TLS on any other port, and the connection fails if neither can be established.
4. In Administrator Bind DN, type the administrator bind DN for queries to your LDAP directory.
Note If you want the Default realm to use LDAP authentication, remove the Default realm as described in “To remove and create a Default realm” on page 72.
The following are examples of syntax for the bind DN:
• domain/user name
• ou=administrator,dc=ace,dc=com
• user name@domain (user principal name form, for Active Directory)
• cn=Administrator,cn=Users,dc=ace,dc=com
For Active Directory, the container that holds the account must be given as cn=groupname (for example, cn=Users). The group name defined on the Access Gateway must be identical to the group name defined on the LDAP server.
For other LDAP directories, the group name either is not required or, where it is required, is given as ou=groupname.
The Access Gateway binds to the LDAP server with the administrator credentials and then searches for the user. After locating the user, it unbinds the administrator credentials and rebinds with the user's own credentials, so it is the LDAP server, not the Access Gateway, that verifies the user's password.
5. In Administrator password, type the password.
6. In Base DN (location of users), type the base DN under which users are located.
Base DN is usually derived from the bind DN by removing the user name and specifying the container where users are located. Examples of syntax for the base DN:
• ou=users,dc=ace,dc=com
• cn=Users,dc=ace,dc=com
7. In Server logon name attribute, type the attribute under which the Access Gateway looks up user logon names on the LDAP server you are configuring. The default is sAMAccountName, the Active Directory attribute. For other directories, use the attribute listed for that server in the user attribute table earlier in this section (cn or uid). Click Submit.
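The realm settings from steps 4 to 7 and the bind, search, unbind, rebind sequence from step 4, as an added example that is not Citrix's code: it derives the base DN from a bind DN, builds the user search filter from the logon-name attribute, and runs the sequence against a small in-memory directory constructed here. The RFC 4515 escaping of the logon name, the in-memory server and its equality-only filter grammar are assumptions of the example; the page does not describe how the Access Gateway builds its search filter.

```python
"""Realm settings and the bind/search/rebind sequence (added example, not
Citrix code). The in-memory directory, its equality-only filter grammar and
the RFC 4515 escaping of the logon name are assumptions of this example."""
import re

FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
EQUALITY_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def parse_dn(dn):
    """(type, value) pairs; commas split RDNs unless backslash-escaped, and
    the spaces after separators that the page's examples mix in are dropped."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def base_dn_from_bind_dn(bind_dn):
    """Rule from step 6: drop the leaf RDN (the account), keep its container."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(bind_dn)[1:])


def is_under(entry_dn, base_dn):
    """Subtree test. DN comparison is case-insensitive here (a simplification)."""
    entry = [(a.lower(), v.lower()) for a, v in parse_dn(entry_dn)]
    base = [(a.lower(), v.lower()) for a, v in parse_dn(base_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base


def escape_filter_value(value):
    """RFC 4515 escaping: the logon name is a literal, never filter syntax."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_search_filter(logon_attr, logon_name):
    return f"({logon_attr}={escape_filter_value(logon_name)})"


class InMemoryDirectory:
    """Stand-in for the LDAP server: entries map a DN to its attributes and
    bind() checks the 'userPassword' attribute."""

    def __init__(self, entries, case_sensitive_attrs=()):
        self.entries = entries
        self.case_sensitive = {a.lower() for a in case_sensitive_attrs}
        self.bound_as = None

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        ok = entry is not None and entry.get("userPassword") == password
        self.bound_as = dn if ok else None
        return ok

    def unbind(self):
        self.bound_as = None

    def search(self, base_dn, ldap_filter):
        """Equality filter only; value case folding follows the table above."""
        if self.bound_as is None:
            raise PermissionError("search requires a bind")
        m = EQUALITY_FILTER.match(ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, wanted = m.group(1), unescape_filter_value(m.group(2))
        fold = attr.lower() not in self.case_sensitive
        hits = []
        for dn, attrs in self.entries.items():
            have = attrs.get(attr)
            if have is None or not is_under(dn, base_dn):
                continue
            if (have.lower() == wanted.lower()) if fold else (have == wanted):
                hits.append(dn)
        return hits


def authenticate(directory, realm, logon_name, password):
    """Step 4 sequence: bind as the administrator, search for the user under
    the base DN, unbind, rebind with the user's credentials. 'not-found' is
    where the Access Gateway would fall back to its local user database."""
    if not directory.bind(realm["bind_dn"], realm["bind_password"]):
        return "admin-bind-failed"
    hits = directory.search(realm["base_dn"],
                            user_search_filter(realm["logon_attr"], logon_name))
    directory.unbind()
    if len(hits) != 1:        # zero hits, or an ambiguous logon name
        return "not-found"
    return "ok" if directory.bind(hits[0], password) else "bad-password"


# Constructed sample directory and realm, not real accounts.
DIRECTORY = InMemoryDirectory({
    "CN=Administrator,CN=Users,DC=citrix,DC=local":
        {"sAMAccountName": "Administrator", "userPassword": "adm-pw"},
    "CN=Jane Doe,OU=Sales,DC=citrix,DC=local":
        {"sAMAccountName": "jdoe", "userPassword": "jane-pw"}})
REALM = {"bind_dn": "CN=Administrator,CN=Users,DC=citrix,DC=local",
         "bind_password": "adm-pw", "base_dn": "DC=citrix,DC=local",
         "logon_attr": "sAMAccountName"}
```

Two runs are worth trying: `authenticate(DIRECTORY, REALM, "jdoe)(objectClass=*", "x")` returns not-found because the escaped logon name is compared as a literal string rather than parsed as filter syntax; and setting the realm's base DN to `base_dn_from_bind_dn(REALM["bind_dn"])`, that is CN=Users, also returns not-found for a user who lives under OU=Sales, which is the scoping effect behind the recommendation to point the base DN at the specific OU that holds the users. With `logon_attr` set to cn and `case_sensitive_attrs={"cn"}`, "JDOE" no longer matches "jdoe", matching the Case Sensitive column of the table.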
The fallback to local user information applies only if Use the local user database on the Access Gateway is selected on the Settings tab: when a user is not found in any configured LDAP directory or fails authentication on the server, the Access Gateway then checks the user against the user information stored locally on the Access Gateway.