Integrating LDAP Authentication with your Load Balancer

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services. LDAP is an IETF Standard Track protocol and is specified in “Lightweight Directory Access Protocol (LDAP) Technical Specification Road Map” RFC4510.

The LDAP information model is based on entries. An entry is a collection of attributes that has a globally-unique Distinguished Name (DN). The DN is used to refer to the entry unambiguously. Each of the entry’s attributes has a type and one or more values. The types are typically mnemonic strings, like “cn” for common name, or “mail” for email address. The syntax of values depend on the attribute type. For example, a cn attribute might contain the value John Smith. A mail attribute might contain the value “jsmith@example.com”.

In LDAP, directory entries are arranged in a hierarchical tree-like structure. Traditionally, this structure reflected the geographic and/or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states and national organizations. Below them might be entries representing organizational units, people, printers, documents, or just about anything else you can think of.

In addition, LDAP allows you to control which attributes are required and allowed in an entry through the use of a special attribute called objectClass. The values of the objectClass attribute determine the schema rules the entry must obey. An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries. For example, the entry for John Smith in the Internet naming example above has an RDN of uid=jsmith and a DN of uid=jsmith,ou=People,dc=example,dc=com. The full DN format is described in RFC4514, “LDAP: String Representation of Distinguished Names.”

LDAP defines operations for interrogating and updating the directory. Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.

For example, you might want to search the entire directory subtree at and below dc=example,dc=com for people with the name John Smith, retrieving the email address of each entry found. LDAP lets you do this easily. Or you might want to search the entries directly below the st=California,c=US entry for organizations with the string Acme in their name, and that have a fax number. LDAP lets you do this too.

Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server, paving the way for rich access control to protect the information the server contains. LDAP also supports data security (integrity and confidentiality) services.

Configuring NetScaler for LDAP

From the NetScaler GUI -> AAA -> Virtual Servers -> Authentication -> Insert Policy -> New Policy. Create the name then on Authentication Type -> LDAP. For Server select New.

Active Directory:

  • Cleartext: Port 389
  • SSL: Port 636
  • Base DN: dc=example,dc=com
  • Administrator Bind DN: administrator@example.com
  • Password: ******
  • Server Logon Name Attribute: samAccountName
  • Group Attribute: memberOf
  • Sub Attribute Name: CN




OpenLDAP:

  • Cleartext Port: 389
  • SSL Port: 636
  • Base DN: domain=example.com,o=example.com
  • Administrator Bind DN: cn=root,o=example.com
  • Password: ******
  • Server Logon Name Attribute: uid
  • Search Filter: objectClass=*

Read more about OpenLDAP here

Read more about Microsoft LDAP here

Download Citrix NetScaler here

The Citrix Community is powerful!