App Layering

Connect to a directory service

You can configure the Citrix App Layering appliance to connect to Active Directory. When you connect to your directory service, you create one or more Directory Junctions to access specific domains or organizational units (OUs).

The appliance does not modify the directory service to which you connect. The software caches the attributes for each directory service entry. If the connection to the directory service is lost temporarily, the software can use the cached information for management tasks.

When creating a Directory Junction, use the following industry standard acronyms:

  • OU - Organizational Unit
  • DC - Domain Component

About connecting the appliance to a directory service

What happens when you add Directory Junctions

Each Directory Junction that you create specifies a starting node in the directory tree. A new Directory Junction cannot include users who are already members of another junction. You can’t nest junctions.

If you’re creating several Distinguished Names

The system compares the Domain Components first, that is, the portions of the Distinguished Name that start with “DC=”.

In Distinguished Names, order matters. For example, DC=A,DC=B is different from DC=B,DC=A.

The system adds Directory Junctions in the following instances:

  • The domain components differ.
  • Their domain components match and the remaining components do not overlap.

Directory Junctions merge if their domain components match and their other components are related.
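The comparison rules above, sketched as an added example (this is not Citrix code, and the appliance's actual logic may differ). It assumes that "related" means one junction's non-DC path is equal to or an ancestor of the other's; the function names and the sample DNs in the comments are constructed for illustration.

```python
import re

def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs, leftmost RDN first.

    Commas escaped with a backslash are kept inside the value.
    Multi-valued RDNs (joined with '+') are treated as one value.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Attribute types and AD names compare case-insensitively.
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return pairs

def split_dn(dn):
    """Return (domain components, remaining components), order preserved."""
    pairs = parse_dn(dn)
    dcs = tuple(p for p in pairs if p[0] == "DC")
    rest = tuple(p for p in pairs if p[0] != "DC")
    return dcs, rest

def classify(dn_a, dn_b):
    """Return 'separate' or 'merge' for two junction base DNs."""
    dc_a, rest_a = split_dn(dn_a)
    dc_b, rest_b = split_dn(dn_b)
    # Rule 1: domain components are compared first, and order matters:
    # DC=example,DC=com is a different domain from DC=com,DC=example.
    if dc_a != dc_b:
        return "separate"
    # Assumption: "related" = one path contains the other. DNs are written
    # leaf-first, so an ancestor is a suffix of its descendant. An empty
    # remainder (the domain root) is an ancestor of every OU in the domain.
    short, long_ = sorted((rest_a, rest_b), key=len)
    if long_[len(long_) - len(short):] == short:
        return "merge"
    # Rule 2: same domain, non-overlapping remainders.
    return "separate"

if __name__ == "__main__":
    # Constructed sample DNs.
    print(classify("OU=Sales,DC=example,DC=com", "OU=Eng,DC=example,DC=com"))
    print(classify("OU=EMEA,OU=Sales,DC=example,DC=com",
                   "OU=Sales,DC=example,DC=com"))
```

Running a check like this over planned Base Distinguished Names before adding junctions shows which entries would end up sharing a junction rather than staying separate.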

User attributes are imported from the directory service

The App Layering software imports and caches user and group attributes from your directory service when:

  • You assign administrator privileges to a user.
  • The values of the attributes change in the directory service.

The attributes that the software caches are read-only. All changes to the attributes for directory service users come from the directory server.

Imported attributes are synchronized regularly

The software synchronizes the information it caches for directory service users with the directory service every 12 hours. If a user is no longer an object in the directory service, the user is considered abandoned. You can view this information in the Information view for the user.

To create a directory junction

  1. Click System > Directory Services.

  2. Click Add Directory Junction.

  3. Specify the details for the directory server:

    • Server address - The name for the server that you use for the directory service (IP Address or DNS Name).
    • Port - Specify the port number for communicating with the directory server.
    • Use SSL - Click to enable Secure Sockets Layer (SSL) communication. If certificate errors occur, the wizard displays a list of these errors. If you are sure it is safe to ignore them, click Ignore Certificate Errors.
    • Connect - Click to verify that the appliance can connect to the directory service.
    • Bind Distinguished Name (DN) - To determine the correct syntax for the Bind DN or user name, see the documentation for your directory. The following examples show some of the ways you can specify a user for the directory service:
      • domain\username
      • username@domain.com
    • Bind Password - Type the password.
    • Connect - Click to verify that the appliance can connect to the directory service.
    • Base Distinguished Name - Specify where the software starts searching for users and groups in the remote directory service.
    • Directory Junction Name - The name of the folder that you see in the tree view. You can use any name, including the name of a domain in your directory service tree.
  4. Click Confirm and Complete.
