Solved

Using Nested Group Extraction

Posted on 2011-03-11
3,777 Views
Last Modified: 2016-10-25
I'm running my Citrix Access Gateway using a NetScaler (9.2 Build 50.4.nc) and am trying to switch from using a single group for VPN access to multiple groups and can't seem to get my LDAP query string right for Nested group extraction as I'm getting this error:

Fri Mar 11 15:35:31 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

So when moving to Nested Group Extraction, should I be removing the fields directly under Other Settings on my LDAP Profile? (fields Server Logon Name Attribute, Search Filter, Group Attribute, Sub Attribute name, SSO Name Attribute)

Under the nested group extraction section I've configured it as:
Maximum Nesting Level - 32 (expecting this to change to 4 when done testing)
Group Name Identifier - sAMAccountName
Group Search Attribute - memberOf
Group Search Sub-Attribute - cn
Group Search Filter - (&(memberOf=CN=VPN_Users,OU=VPN Access,OU=Data Access Rights,DC=my,DC=compnay,DC=com)(objectClass=*))

I imagine my syntax for the search filter is wrong; any ideas? I pulled that group search filter from citrix.com and modified it to match my environment...

Thanks in advance.

Here's the full output from a logon event:
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[612]: process_kernel_socket call to authenticate
user :fred, vsid :9373
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[115]: start_ldap_auth attempting to auth fred @ 10.99.9.41
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[293]: recieve_ldap_connect_event setting up for SSL connection to : 10.99.9.41:636
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[406]: recieve_ldap_bind_event receive ldap bind event

Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]: send_reject sending reject to kernel for : fred
Fri Mar 11 16:19:16 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

0
Question by:dsiefert
6 Comments
 
LVL 37

Expert Comment

by:Carl Webster
ID: 35137331
Unfortunately, there are not many NetScaler experts on EE.
0
 
LVL 12

Expert Comment

by:Daniel Borger
ID: 35143723
I also noticed you had "DC=compnay" Is that correct?

If so can you test with a group without the underscore?
0
 
LVL 12

Expert Comment

by:Daniel Borger
ID: 35143737
Doh, I get it now... that was a typo.
0
 

Accepted Solution

by:
dsiefert earned 0 total points
ID: 35156072
I found my answer here:
http://forums.citrix.com/thread.jspa?threadID=273808&tstart=0

It is the second to last posting by Mark Bryce. He mentions build 48.6.nc but it works for me on 50.4.nc also. Cutting and pasting it here just in case that link breaks:

Running Build 48.6.nc, I got it to work 2 ways:
1. Create Authentication Server:
BaseDN = DC=sub do,DC=Domain,DC=com
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Sec Type = Plaintext

->Nested Group Extraction
Maximum Nesting Level = 10 {Note: my Citrix Group is deep}
Group Name Identifier = sAMAccountName
Group Search Attribute = memberOf
Group Search Sub-Attribute = CN

(everything else leave blank, except user/password)

Create Session Profile:
Security > Advanced > Groups allowed to Login: {Exact AD Group Name}

2. Create Authentication Server:
BaseDN = DC=sub do,DC=Domain,DC=com
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Sec Type = Plaintext

->Nested Group Extraction
Maximum Nesting Level = 10 {Note: my Citrix Group is deep}
Group Name Identifier = sAMAccountName
Group Search Attribute = memberOf
Group Search Sub-Attribute = CN
Group Search Filter = &(memberOf=CN=Citrix_Group,OU=Resources,OU=Citrix,OU=CTX Groups,OU=Client Name,DC=sub do,DC=Domain,DC=com)

(everything else leave blank, except user/password)
 

0
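To make the accepted solution's settings concrete, here is an added example (not from this thread, citrix.com or NetScaler itself) that models what the Server Logon Name Attribute, Group Search Attribute = memberOf, Group Search Sub-Attribute = CN and Maximum Nesting Level settings do: look the user up by sAMAccountName, follow memberOf from the user object through the group objects up to the nesting limit, pull the CN out of each group DN, and compare the resulting names against a "Groups allowed to Login" list. The directory below is a constructed in-memory dictionary, the group names are made up, and the level semantics (direct groups count as level 1, the groups those groups are in as level 2, and so on) are an assumption about how the appliance counts, not something the thread states. It also shows two edge cases a practitioner should expect in real AD data: a group cycle, which must not loop forever, and a CN containing an escaped comma, which a naive split on "," would truncate.

```python
"""Toy model of memberOf-based nested group extraction (added example)."""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed sample directory: DN -> attributes. Not real data.
BASE = "OU=Data Access Rights,DC=my,DC=company,DC=com"
FRED = "CN=fred,OU=Users,DC=my,DC=company,DC=com"
HELPDESK = f"CN=Helpdesk,{BASE}"
IT_STAFF = f"CN=IT Staff,{BASE}"
VPN_USERS = f"CN=VPN_Users,OU=VPN Access,{BASE}"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    FRED: {"sAMAccountName": ["fred"], "memberOf": [HELPDESK]},
    HELPDESK: {"sAMAccountName": ["Helpdesk"], "memberOf": [IT_STAFF]},
    # IT Staff sits inside VPN_Users and, to model a cycle, also inside Helpdesk.
    IT_STAFF: {"sAMAccountName": ["IT Staff"], "memberOf": [VPN_USERS, HELPDESK]},
    VPN_USERS: {"sAMAccountName": ["VPN_Users"], "memberOf": []},
}


def find_user_dn(logon_name: str, logon_attr: str = "sAMAccountName") -> Optional[str]:
    """The 'Server Logon Name Attribute' step: (sAMAccountName=<user>) -> DN."""
    for dn, attrs in DIRECTORY.items():
        if logon_name in attrs.get(logon_attr, []):
            return dn
    return None


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings at commas that are not backslash-escaped."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts]


def rdn_value(dn: str, sub_attr: str) -> Optional[str]:
    """The 'Group Search Sub-Attribute' step: value of the leading RDN if its
    attribute type matches sub_attr (case-insensitive), else None."""
    attr, _, value = split_dn(dn)[0].partition("=")
    if attr.strip().lower() != sub_attr.lower():
        return None
    return value


def nested_groups(user_dn: str, max_level: int, search_attr: str = "memberOf") -> Set[str]:
    """Follow search_attr from the user outward, at most max_level hops.
    Level 1 = the user's direct groups, level 2 = the groups those are in, ...
    A visited set stops the Helpdesk <-> IT Staff cycle from looping."""
    found: Set[str] = set()
    frontier = deque([(user_dn, 0)])
    visited = {user_dn}
    while frontier:
        dn, level = frontier.popleft()
        if level >= max_level:
            continue
        for group_dn in DIRECTORY.get(dn, {}).get(search_attr, []):
            if group_dn in visited:
                continue
            visited.add(group_dn)
            found.add(group_dn)
            frontier.append((group_dn, level + 1))
    return found


def group_names(user_dn: str, max_level: int, sub_attr: str = "CN") -> List[str]:
    """Group names as the session policy would see them: CN of each group DN."""
    names = (rdn_value(dn, sub_attr) for dn in nested_groups(user_dn, max_level))
    return sorted(n for n in names if n is not None)


def allowed_to_login(user_dn: str, allowed: List[str], max_level: int) -> bool:
    """'Groups allowed to Login': any extracted name matches the allow list."""
    return bool(set(group_names(user_dn, max_level)) & set(allowed))


if __name__ == "__main__":
    dn = find_user_dn("fred")
    for level in (1, 2, 3):
        print(level, group_names(dn, level), allowed_to_login(dn, ["VPN_Users"], level))
```

The run shows why the questioner's Maximum Nesting Level matters: fred only reaches VPN_Users at level 3, so a limit of 2 would reject him even though the directory data is correct, while the cycle between Helpdesk and IT Staff terminates at any limit because each group is visited once.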
 
LVL 37

Expert Comment

by:Carl Webster
ID: 35156087
Glad you found a solution.  Wish we had more CAG and NetScaler experts here.  Or should I say, I wish we had ANY CAG and NetScaler experts here.
0
 

Author Closing Comment

by:dsiefert
ID: 35292446
None.
0