Author Topic: LDAP Authentication - how it works?  (Read 1089 times)

mizoran
LDAP Authentication - how it works?
« on: September 09, 2011, 09:58:56 PM »
Hi

I do not really have a problem. Rather, I am just reviewing one production CAGEE and I would very much like to understand deeply HOW and WHY authentication works.

So here we go with some facts first:
 - It is CAGEE v9.3 working as an ICA proxy.

 - There is one vserver defined under the Access Gateway node in the GUI:

bind vpn vserver vServer_apps.company.com -policy "AD authentication" -priority 100

 - There is one authentication policy bound to the vserver, which always applies:

add authentication ldapPolicy "AD authentication" ns_true VM-AD-01

 - The authentication server profile "VM-AD-01" is defined like this:

add authentication ldapAction VM-AD-01
 -serverIP 10.0.1.20
 -ldapBase "dc=company,dc=ad"
 -ldapBindDn administrator@company.ad
 -ldapBindDnPassword ffffffffffffffff -encrypted
 -ldapLoginName samAccountName
 -groupAttrName memberOf
 -subAttributeName CN
 -secType TLS
 -passwdChange ENABLED

(I broke the command above across several lines intentionally, just for a better overview.)

 - If I open the authentication server in the GUI and click on "Retrieve Attributes", it completes successfully.

Finally my questions are:

1. How is my username being found in the AD directory tree by CAGEE?

2. My username mizoran is (I guess) defined as the sAMAccountName attribute of one object in AD,
i.e. "CN=Zoran Milenkovic,OU=City,OU=Users,OU=Company,DC=company,DC=ad".
Why is my username actually allowed to log in? Does it mean that all users defined in AD under the domain company.ad will be able to log in successfully?

3. Why do we define -groupAttrName memberOf? Why is it important?

4. How could I control it so that some groups of users can log in and others cannot?

5. Can somebody explain what happens behind the scenes when we click on the "Retrieve Attributes" link in the GUI (in the authentication server definition)?

6. How do we use the CLI command ldapsearch, and why would I want to use it?

7. I saw in examples on the net that some like to define the Bind Admin Account as "administrator@company.ad" and others as "CN=administrator,DN=Users,DC=company,DC=ad". What is the difference?

There are a lot of questions bothering me :) It would be much appreciated even if you try to answer only some of them. I believe it could be useful for other visitors with poor LDAP knowledge too.

Thanks
mizoran
« Last Edit: September 09, 2011, 10:01:55 PM by mizoran »
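The bind-search-bind flow that questions 1 to 4 and 7 above are about, as an added example that is not part of the thread and not Citrix code: a Python model of the steps an ldapAction like VM-AD-01 performs, run against a constructed in-memory stand-in for AD so it works offline. The directory entries, passwords, the "VPN Users" group and the searchFilter value are assumptions; the configuration keys mirror the ldapAction fields from the post. It shows how a bare username becomes a DN to bind as, why every account under ldapBase can log in when no extra filter is set, what memberOf is read for, how a -searchFilter term limits logins to one group, and why AD accepts both administrator@company.ad and a full DN as the bind name while generic LDAP servers take only the DN.

```python
"""Bind-search-bind LDAP authentication, modelled against an in-memory directory."""
import re

# Constructed stand-in for Active Directory: DN -> attributes. 'userPassword' is
# here only so the mock can check binds; real AD never returns password data.
DIRECTORY = {
    "CN=administrator,CN=Users,DC=company,DC=ad": {
        "sAMAccountName": ["administrator"], "userPrincipalName": ["administrator@company.ad"],
        "userPassword": ["bind-svc-secret"], "memberOf": []},
    "CN=Zoran Milenkovic,OU=City,OU=Users,OU=Company,DC=company,DC=ad": {
        "sAMAccountName": ["mizoran"], "userPrincipalName": ["mizoran@company.ad"],
        "userPassword": ["correct-horse"], "memberOf": [
            "CN=VPN Users,OU=Groups,DC=company,DC=ad", "CN=Domain Users,CN=Users,DC=company,DC=ad"]},
    "CN=Guest Account,OU=City,OU=Users,OU=Company,DC=company,DC=ad": {
        "sAMAccountName": ["guest1"], "userPrincipalName": ["guest1@company.ad"],
        "userPassword": ["guest-pass"], "memberOf": ["CN=Domain Users,CN=Users,DC=company,DC=ad"]},
}

# Same knobs as the ldapAction in the post (bind password and group names are constructed).
CFG = {"ldapBase": "dc=company,dc=ad", "ldapBindDn": "administrator@company.ad",
       "ldapBindDnPassword": "bind-svc-secret", "ldapLoginName": "sAMAccountName",
       "groupAttrName": "memberOf", "subAttributeName": "CN", "searchFilter": ""}
# A searchFilter is ANDed with the login-name term, so non-matching accounts are never found.
CFG_VPN_ONLY = dict(CFG, searchFilter="memberOf=CN=VPN Users,OU=Groups,DC=company,DC=ad")

class AuthFailure(Exception):
    pass

def simple_bind(name, password):
    """LDAP simple bind. AD accepts a DN or a UPN (user@realm) as the bind name;
    generic LDAP servers accept only a DN. Returns the bound DN or raises."""
    if not password:  # RFC 4513: a name with an empty password is an *unauthenticated*
        raise AuthFailure("unauthenticated bind refused")  # bind that servers report as success
    want = name.lower()
    for dn, attrs in DIRECTORY.items():
        if want == dn.lower() or want in [u.lower() for u in attrs["userPrincipalName"]]:
            if password == attrs["userPassword"][0]:
                return dn
            break
    raise AuthFailure("invalid credentials")

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value) and (&...)."""
    def node(i):  # text[i] is the opening '('
        if text[i + 1] == "&":
            kids, i = [], i + 2
            while text[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return ("&", kids), i + 1
        end = text.index(")", i)  # a literal ')' inside a value arrives escaped as \29
        attr, _, value = text[i + 1:end].partition("=")
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)
        return ("=", (attr.lower(), value.lower())), end + 1
    return node(0)[0]

def matches(attrs, tree):
    op, arg = tree
    if op == "&":
        return all(matches(attrs, kid) for kid in arg)
    attr, value = arg  # attribute names and AD's string values compare case-insensitively
    return value in [v.lower() for k, vals in attrs.items() if k.lower() == attr for v in vals]

def search(base_dn, filter_text):
    """Subtree search below base_dn, returning [(dn, attrs), ...]."""
    tree, base = parse_filter(filter_text), base_dn.lower()
    return [(dn, a) for dn, a in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(a, tree)]

def rdn_value(dn, attr):
    """'CN=VPN Users,OU=Groups,...' with attr 'CN' -> 'VPN Users' (escaped commas not handled)."""
    rdn_attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if rdn_attr.lower() == attr.lower() else None

def authenticate(cfg, username, password):
    """Per login: (1) bind as the service account; (2) search ldapBase for
    (&(<searchFilter>)(<ldapLoginName>=<user>)), which must return exactly one entry,
    turning a bare username into a DN; (3) bind as that DN with the user's password,
    the only place the password is checked; (4) reduce each groupAttrName value to its
    subAttributeName, the plain group names later policies match on. With an empty
    searchFilter, every account under ldapBase passes step 2."""
    simple_bind(cfg["ldapBindDn"], cfg["ldapBindDnPassword"])
    flt = f"({cfg['ldapLoginName']}={escape_filter_value(username)})"
    if cfg["searchFilter"]:
        flt = f"(&({cfg['searchFilter']}){flt})"
    hits = search(cfg["ldapBase"], flt)
    if len(hits) != 1:
        raise AuthFailure(f"{len(hits)} entries match {flt}; exactly one required")
    dn, attrs = hits[0]
    simple_bind(dn, password)
    groups = [rdn_value(g, cfg["subAttributeName"]) for g in attrs[cfg["groupAttrName"]]]
    return dn, [g for g in groups if g]

def login_ok(cfg, username, password):
    """True if authenticate() succeeds, False on any AuthFailure."""
    try:
        authenticate(cfg, username, password)
        return True
    except AuthFailure:
        return False
```

Two details the model deliberately gets right that quick implementations often miss: an empty password is refused before the second bind (a server reports that case as a successful unauthenticated bind, not an error), and the username is RFC 4515-escaped before it enters the filter, so input like `*` or `mizoran)(|(sAMAccountName=*` matches nothing instead of everyone. The restricted configuration corresponds to adding a -searchFilter to the ldapAction; with it, guest1 is never found in step 2, while mizoran still logs in and comes back with the group names "VPN Users" and "Domain Users" for group-based policies to use.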

mizoran
Re: LDAP Authentication - how it works?
« Reply #1 on: September 10, 2011, 02:46:58 PM »
Hi

I have received a pretty good answer on the Citrix forums.

Follow the link if interested:

http://forums.citrix.com/thread.jspa?messageID=1580333&#1580333

BR
mizoran

jmelika
Re: LDAP Authentication - how it works?
« Reply #2 on: September 15, 2011, 09:17:27 AM »
Thanks!