How LDAP Group Extraction Works from the Group Object Indirectly
LDAP servers that evaluate group memberships from group objects indirectly will not work with Citrix Gateway authorization.
Some LDAP servers, such as Lotus Domino, enable group objects only to contain information about users. These LDAP servers do not enable the user object to contain information about groups and thus will not work with Citrix Gateway group extraction. For this type of LDAP server, group membership searches are performed by locating the user in the member list of groups.