LDAP authentication 编辑

As with other types of authentication policies, a Lightweight Directory Access Protocol (LDAP) authentication policy comprises an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy. In addition to standard authentication functions, LDAP can search other active directory (AD) servers for user accounts for users that do not exist locally. This function is called referral support or referral chasing.

Normally you configure the Citrix ADC to use the IP address of the authentication server during authentication. With LDAP authentication servers, you can also configure the ADC to use the FQDN of the LDAP server instead of its IP address to authenticate users. Using an FQDN can simplify an otherwise much more complex authentication, authorization, and auditing configuration in environments where the authentication server might be at any of several IP addresses, but always uses a single FQDN. To configure authentication by using a server’s FQDN instead of its IP address, you follow the normal configuration process except when creating the authentication action. When creating the action, you use the serverName parameter instead of the serverIP parameter, and substitute the server’s FQDN for its IP address.

Before you decide whether to configure the ADC to use the IP or the FQDN of your LDAP server to authenticate users, consider that configuring authentication, authorization, and auditing to authenticate to an FQDN instead of an IP address adds an extra step to the authentication process. Each time the ADC authenticates a user, it must resolve the FQDN. If a great many users attempt to authenticate simultaneously, the resulting DNS lookups might slow the authentication process.

LDAP referral support is disabled by default and cannot be enabled globally. It must be explicitly enabled for each LDAP action. Make sure that the AD server accepts the same binddn credentials that are used with the referring (GC) server. To enable referral support, you configure an LDAP action to follow referrals, and specify the maximum number of referrals to follow.

If referral support is enabled, and the Citrix ADC receives an LDAP_REFERRAL response to a request, authentication, authorization, and auditing follows the referral to the active directory (AD) server contained in the referral and performs the update on that server. First, authentication, authorization, and auditing looks up the referral server in DNS, and connects to that server. If the referral policy requires SSL/TLS, it connects via SSL/TLS. It then binds to the new server with the binddn credentials that it used with the previous server, and performs the operation which generated the referral. This feature is transparent to the user.

The port numbers for LDAP connections are:

  • 389 for unsecured LDAP connections (for plain text LDAP)
  • 636 for secure LDAP connections (for SSL LDAP)
  • 3268 for Microsoft unsecure LDAP connections (for plain text Global Catalog Server)
  • 3269 for Microsoft secure LDAP connections (for SSL Global Catalog Server)

The following table contains examples of user attribute fields for LDAP servers:

LDAP serverUser attributeCase sensitive
Microsoft Active Directory ServersAMAccountNameNo
Novell eDirectoryouYes
IBM Directory ServeruidYes
Lotus DominoCNYes
Sun ONE directory (formerly iPlanet)uid or cnYes

This table contains examples of the base DN:

LDAP serverBase DN
Microsoft Active Directory ServerDC=citrix,DC=local
Novell eDirectoryou=users,ou=dev
IBM Directory Servercn=users
Lotus DominoOU=City,O=Citrix, C=US
Sun ONE directory (formerly iPlanet)ou=People,dc=citrix,dc=com

The following table contains examples of bind DN:

LDAP serverBind DN
Microsoft Active Directory ServerCN=Administrator, CN=Users, DC=citrix, DC=local
Novell eDirectorycn=admin, o=citrix
IBM Directory ServerLDAP_dn
Lotus DominoCN=Notes Administrator, O=Citrix, C=US
Sun ONE directory (formerly iPlanet)uid=admin,ou=Administrators, ou=TopologyManagement,o=NetscapeRoot

For more information about setting up authentication policies in general, see Authentication Policies. For more information about Citrix ADC expressions, which are used in the policy rule, see Policies and Expressions.

To create an LDAP authentication server by using the CLI

At the command prompt, type the following commands:

add authentication ldapAction <name> {-serverIP} <ip_addr|ipv6_addr|> | {-serverName <string>}}

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:69 次

字数:6773

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文