You can configure the NetScaler Gateway to authenticate user access with one or more LDAP servers.
LDAP authorization requires that group names be identical in Active Directory, on the LDAP server, and on NetScaler Gateway; the characters and their case must also match.
By default, LDAP authentication is secured by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). There are two types of secure LDAP connections. With the first type, the LDAP server accepts SSL or TLS connections on a port separate from the port on which it accepts clear-text LDAP connections. After the SSL or TLS connection is established, LDAP traffic is sent over that connection.
The port numbers for LDAP connections are:
The second type of secure LDAP connection uses the StartTLS command on port number 389. If you configure port number 389 or 3268 on NetScaler Gateway, the gateway tries to use StartTLS to make the connection. If you use any other port number, the gateway attempts to make the connection by using SSL or TLS. If the connection cannot use StartTLS, SSL, or TLS, it fails.
If you specify the root directory of the LDAP server, NetScaler Gateway searches all of the subdirectories to find the user attribute. In large directories, this approach can affect performance. For this reason, Citrix recommends that you use a specific organizational unit (OU).
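The following added example (not Citrix code) checks constructed LDAP action settings against the three rules above: the port-based choice between StartTLS and SSL/TLS, exact group-name matching, and the recommendation to use a specific OU rather than the directory root. The `add authentication ldapAction` syntax and its parameter names (`-serverPort`, `-secType`, `-ldapBase`) are assumed from the NetScaler CLI and do not appear on this page.

```python
import re

# Ports on which NetScaler Gateway attempts StartTLS (from the text above);
# any other port is treated as an SSL/TLS port.
STARTTLS_PORTS = {389, 3268}

# Constructed sample lines; the 'add authentication ldapAction' syntax and
# parameter names are assumed from the NetScaler CLI, not from this page.
SAMPLE_CONFIG = [
    "add authentication ldapAction ldap_weak -serverIP 192.0.2.10 -serverPort 389 "
    "-ldapBase dc=example,dc=com -ldapBindDn cn=svc_gw,dc=example,dc=com -secType PLAINTEXT",
    "add authentication ldapAction ldap_ok -serverIP 192.0.2.10 -serverPort 636 "
    "-ldapBase ou=Users,dc=example,dc=com -ldapBindDn cn=svc_gw,ou=Service,dc=example,dc=com -secType SSL",
]


def expected_mode(port: int) -> str:
    """Secure-connection method the gateway will try for the configured port."""
    return "StartTLS" if port in STARTTLS_PORTS else "SSL/TLS"


def parse_ldap_action(line: str) -> dict:
    """Turn the '-name value' pairs of one ldapAction line into a dict."""
    return dict(re.findall(r"(?:^|\s)-(\w+)\s+(\S+)", line))


def lint_ldap_action(line: str) -> dict:
    """Check one ldapAction line against the rules in the text above."""
    p = parse_ldap_action(line)
    port = int(p.get("serverPort", 389))
    findings = []
    if p.get("secType", "").upper() == "PLAINTEXT":
        findings.append("secType PLAINTEXT: bind credentials cross the network unencrypted")
    base = p.get("ldapBase", "")
    # A base DN with no OU component makes the gateway search the whole tree.
    if base and not re.search(r"(^|,)ou=", base, re.IGNORECASE):
        findings.append(f"ldapBase '{base}' has no OU: whole-directory search, slow on large trees")
    return {"name": line.split()[3], "mode": expected_mode(port), "findings": findings}


def mismatched_groups(gateway_groups, directory_groups) -> list:
    """Group names must match exactly in characters and case; return those that do not."""
    known = set(directory_groups)
    return [g for g in gateway_groups if g not in known]


if __name__ == "__main__":
    for cfg in SAMPLE_CONFIG:
        print(lint_ldap_action(cfg))
    print(mismatched_groups(["VPN_Users", "Admins"], ["vpn_users", "Admins"]))
```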
The following table contains examples of user attribute fields for LDAP servers:
This table contains examples of the base DN:
The following table contains examples of bind DN: