• Status: Solved

Using Nested Group Extraction

I'm running my Citrix Access Gateway using a NetScaler (9.2 Build 50.4.nc) and am trying to switch from using a single group for VPN access to multiple groups and can't seem to get my LDAP query string right for Nested group extraction as I'm getting this error:

Fri Mar 11 15:35:31 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

So when moving to Nested Group Extraction, should I be removing the fields directly under Other Settings on my LDAP Profile? (fields Server Logon Name Attribute, Search Filter, Group Attribute, Sub Attribute name, SSO Name Attribute)

Under the nested group extraction section I've configured it as:
Maximum Nesting Level - 32 (expecting this to change to 4 when done testing)
Group Name Identifier - sAMAccountName
Group Search Attribute - memberOf
Group Search Sub-Attribute - cn
Group Search Filter - (&(memberOf=CN=VPN_Users,OU=VPN Access,OU=Data Access Rights,DC=my,DC=compnay,DC=com)(objectClass=*))

I imagine my syntax for the search filter is wrong; any ideas? I pulled that group search filter from citrix.com and modified it to match my environment...

Thanks in advance.

Here's the full output from a logon event:
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[612]: process_kernel_socket call to authenticate
user :fred, vsid :9373
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[115]: start_ldap_auth attempting to auth fred @ 10.99.9.41
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[293]: recieve_ldap_connect_event setting up for SSL connection to : 10.99.9.41:636
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[406]: recieve_ldap_bind_event receive ldap bind event

Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]: send_reject sending reject to kernel for : fred
Fri Mar 11 16:19:16 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

Asked by: dsiefert

1 Solution
 
Carl Webster commented:
Unfortunately, there are not many NetScaler experts on EE.
 
Daniel Borger commented:
I also noticed you had "DC=compnay". Is that correct?

If so, can you test with a group without the underscore?
 
Daniel Borger commented:
Doh, I get it now... that was a typo.
 
dsiefert (Author) commented:
I found my answer here:
http://forums.citrix.com/thread.jspa?threadID=273808&tstart=0

It is the second-to-last posting by Mark Bryce. He mentions build 48.6.nc, but it works for me on 50.4.nc also. Cutting and pasting it here just in case that link breaks:

Running Build 48.6.nc, I got it to work 2 ways:
1. Create Authentication Server:
BaseDN = DC=sub do,DC=Domain,DC=com
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Sec Type = Plaintext

->Nested Group Extraction
Maximum Nesting Level = 10 {Note: my Citrix Group is deep}
Group Name Identifier = sAMAccountName
Group Search Attribute = memberOf
Group Search Sub-Attribute = CN

(everything else leave blank, except user/password)

Create Session Profile:
Security > Advanced > Groups allowed to Login: {Exact AD Group Name}

2. Create Authentication Server:
BaseDN = DC=sub do,DC=Domain,DC=com
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Sec Type = Plaintext

->Nested Group Extraction
Maximum Nesting Level = 10 {Note: my Citrix Group is deep}
Group Name Identifier = sAMAccountName
Group Search Attribute = memberOf
Group Search Sub-Attribute = CN
Group Search Filter = &(memberOf=CN=Citrix_Group,OU=Resources,OU=Citrix,OU=CTX Groups,OU=Client Name,DC=sub do,DC=Domain,DC=com)

(everything else leave blank, except user/password)
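The two search filters in this thread are syntactically different: the question's `(&(memberOf=...)(objectClass=*))` is the fully parenthesised form RFC 4515 specifies, while the working configuration above uses the bare `&(memberOf=...)` form. As an added example (my code, not from the thread, Citrix or Experts Exchange), here is a small Python checker that validates a Group Search Filter offline against RFC 4515 syntax, reporting the offset of the first problem, and escapes DN values containing `(`, `)`, `*` or `\`. The function names are mine, and the thread does not say which of the two forms the NetScaler itself sends to the directory, so normalize_filter only produces the RFC form; the DN in the usage block is the thread's, shortened.

```python
# Added example (not from the thread): offline RFC 4515 syntax check for LDAP filters.
import re

_ITEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*(~=|>=|<=|=)")   # attribute + comparison operator
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):   # escape an assertion value, e.g. a DN whose CN contains parentheses
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return the index just past its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":               # compound: (&...), (|...), (!...)
        op, i, n = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i, n = _parse(s, i), n + 1
        if n == 0 or (op == "!" and n != 1):
            raise ValueError(f"'{op}' has {n} operand(s) at offset {i}")
    else:                                          # simple item: (attr<op>value)
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f"expected 'attribute=' at offset {i}")
        i = m.end()
        while i < len(s) and s[i] != ")":          # value runs to the next unescaped ')'
            if s[i] == "(" or (s[i] == "\\" and not re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3])):
                raise ValueError(f"unescaped '(' or bad \\XX escape at offset {i}")
            i += 3 if s[i] == "\\" else 1
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(f):
    """Return (True, 'ok') for a well-formed filter, else (False, reason)."""
    try:
        end = _parse(f, 0)
    except ValueError as e:
        return False, str(e)
    return (True, "ok") if end == len(f) else (False, f"trailing text at offset {end}")

def normalize_filter(f):   # wrap a bare leading &, | or ! in the outer parentheses RFC 4515 requires
    return "(" + f + ")" if f and f[0] in "&|!" and check_filter("(" + f + ")")[0] else f

if __name__ == "__main__":   # the thread's working filter (DN shortened): bare form, then normalised
    f = "&(memberOf=CN=Citrix_Group,OU=Resources,DC=sub do,DC=Domain,DC=com)"
    print(check_filter(f), check_filter(normalize_filter(f)))
```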
 

 
Carl Webster commented:
Glad you found a solution. Wish we had more CAG and NetScaler experts here. Or should I say, I wish we had ANY CAG and NetScaler experts here.
 
dsiefert (Author) commented:
None.