Solved

Using Nested Group Extraction

Posted on 2011-03-11
Last Modified: 2016-10-25
I'm running my Citrix Access Gateway using a NetScaler (9.2 Build 50.4.nc) and am trying to switch from using a single group for VPN access to multiple groups and can't seem to get my LDAP query string right for Nested group extraction as I'm getting this error:

Fri Mar 11 15:35:31 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

So when moving to Nested Group Extraction, should I be removing the fields directly under Other Settings on my LDAP Profile? (fields Server Logon Name Attribute, Search Filter, Group Attribute, Sub Attribute name, SSO Name Attribute)

Under the nested group extraction section I've configured it as:
Maximum Nesting Level - 32 (expecting this to change to 4 when done testing)
Group Name Identifier - sAMAccountName
Group Search Attribute - memberOf
Group Search Sub-Attribute - cn
Group Search Filter - (&(memberOf=CN=VPN_Users,OU=VPN Access,OU=Data Access Rights,DC=my,DC=compnay,DC=com)(objectClass=*))

I imagine my syntax for the search filter is wrong, any ideas?  I pulled that group search filter from citrix.com and modified it to match my environment...

Thanks in advance.

Here's the full output from a logon event:
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[612]: process_kernel_socket call to authenticate
user :fred, vsid :9373
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[115]: start_ldap_auth attempting to auth fred @ 10.99.9.41
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[293]: recieve_ldap_connect_event setting up for SSL connection to : 10.99.9.41:636
Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[406]: recieve_ldap_bind_event receive ldap bind event

Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

Fri Mar 11 16:20:23 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]: send_reject sending reject to kernel for : fred
Fri Mar 11 16:19:16 2011
 /usr/home/build/rs_92_50_3/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[490]: recieve_ldap_bind_event ldap_search returned error

Question by:dsiefert
Expert Comment

by:Carl Webster
Unfortunately, there are not many NetScaler experts on EE.
Expert Comment

by:Daniel Borger
I also noticed you had "DC=compnay" Is that correct?

If so can you test with a group without the underscore?
Expert Comment

by:Daniel Borger
doh, I get it now.. that was a typo.
Accepted Solution

by:dsiefert (earned 0 total points)
I found my answer here:
http://forums.citrix.com/thread.jspa?threadID=273808&tstart=0

It is the second to last posting by Mark Bryce. He mentions build 48.6.nc but it works for me on 50.4.nc also. Cutting and pasting it here just in case that link breaks:

Running Build 48.6.nc, I got it to work 2 ways:
1. Create Authentication Server:
BaseDN = DC=sub do,DC=Domain,DC=com
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Sec Type = Plaintext

->Nested Group Extraction
Maximum Nesting Level = 10 {Note: my Citrix Group is deep}
Group Name Identifier = sAMAccountName
Group Search Attribute = memberOf
Group Search Sub-Attribute = CN

(everything else leave blank, except user/password)

Create Session Profile:
Security > Advanced > Groups allowed to Login: {Exact AD Group Name}

2. Create Authentication Server:
BaseDN = DC=sub do,DC=Domain,DC=com
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Sec Type = Plaintext

->Nested Group Extraction
Maximum Nesting Level = 10 {Note: my Citrix Group is deep}
Group Name Identifier = sAMAccountName
Group Search Attribute = memberOf
Group Search Sub-Attribute = CN
Group Search Filter = &(memberOf=CN=Citrix_Group,OU=Resources,OU=Citrix,OU=CTX Groups,OU=Client Name,DC=sub do,DC=Domain,DC=com)

(everything else leave blank, except user/password)
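As an added example (not from the thread, Citrix or the NetScaler itself), the following Python models the two settings this thread turns on: a structural check of an LDAP search filter against RFC 4515 (the questioner's filter is fully parenthesised, while the second filter quoted in the accepted answer lacks the outer parentheses), and a depth-limited walk of memberOf showing what Maximum Nesting Level bounds. The directory entries are constructed placeholders, not real directory data.

```python
import re
from collections import deque

# Constructed sample directory: DN -> list of DNs in its memberOf attribute.
# Placeholder names modelled on the thread; not real directory data.
MEMBER_OF = {
    "CN=fred,OU=Users,DC=example,DC=com": ["CN=Sales_Team,OU=Groups,DC=example,DC=com"],
    "CN=Sales_Team,OU=Groups,DC=example,DC=com": ["CN=Remote_Staff,OU=Groups,DC=example,DC=com"],
    "CN=Remote_Staff,OU=Groups,DC=example,DC=com": ["CN=VPN_Users,OU=VPN Access,DC=example,DC=com"],
    "CN=VPN_Users,OU=VPN Access,DC=example,DC=com": [],
}

def group_cn(dn):
    """Return the CN of a group DN (the Sub-Attribute the NetScaler compares)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def nested_groups(user_dn, max_nesting, member_of=MEMBER_OF):
    """Walk memberOf transitively, stopping after max_nesting hops, the way
    'Maximum Nesting Level' bounds extraction. Returns the set of group CNs."""
    seen = set()
    queue = deque((g, 1) for g in member_of.get(user_dn, []))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen or depth > max_nesting:
            continue
        seen.add(dn)
        queue.extend((parent, depth + 1) for parent in member_of.get(dn, []))
    return {group_cn(dn) for dn in seen}

def check_filter(flt):
    """Minimal RFC 4515 structure check: the whole filter must be enclosed in
    parentheses, parentheses must balance, and each &, | or ! operator must be
    followed directly by a parenthesised operand. Returns a list of problems."""
    problems = []
    if not (flt.startswith("(") and flt.endswith(")")):
        problems.append("filter must be enclosed in ( )")
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("unbalanced ')'")
            break
    if depth > 0:
        problems.append("unbalanced '('")
    for m in re.finditer(r"\(([&|!])(?!\()", flt):
        problems.append(f"operator {m.group(1)!r} at offset {m.start()} has no ( operand")
    return problems

if __name__ == "__main__":
    print(check_filter("&(memberOf=CN=Citrix_Group,OU=Resources,DC=example,DC=com)"))
    print(nested_groups("CN=fred,OU=Users,DC=example,DC=com", max_nesting=3))
```

With a nesting level of 2 the walk above never reaches VPN_Users, which is the kind of silent failure to check before lowering the level from the value used in testing.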
Expert Comment

by:Carl Webster
Glad you found a solution.  Wish we had more CAG and NetScaler experts here.  Or should I say, I wish we had ANY CAG and NetScaler experts here.
Author Closing Comment

by:dsiefert
None.