authentication ldapAction¶
The following operations can be performed on "authentication ldapAction":
add authentication ldapAction¶
Creates an action (profile) for an LDAP server. This profile contains all configuration data needed to communicate with that LDAP server.
Synopsys¶
add authentication ldapAction <name> {-serverIP <ip_addr|ipv6_addr|*> | {-serverName <string>}} [-serverPort <port>] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] {-ldapBindDnPassword } [-ldapLoginName <string>] [-searchFilter <string>] [-groupAttrName <string>] [-subAttributeName <string>] [-secType <secType>] [-svrType ( AD | NDS )] [-ssoNameAttribute <string>] [-authentication ( ENABLED | DISABLED )] [-requireUser ( YES | NO )] [-passwdChange ( ENABLED | DISABLED )] [-nestedGroupExtraction ( ON | OFF ) [-maxNestingLevel <positive_integer>] [-groupSearchSubAttribute <string>] [-groupSearchFilter <string>]] [-followReferrals ( ON | OFF ) [-maxLDAPReferrals <positive_integer>]] [-validateServerCert ( YES | NO )] [-ldapHostname <string>] [-groupNameIdentifier <string>] [-groupSearchAttribute <string>] [-defaultAuthenticationGroup <string>]
Arguments¶
name
Name for the new LDAP action.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the LDAP action is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, ?my authentication action? or ?my authentication action?).
serverIP
IP address assigned to the LDAP server.
serverName
LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.
serverPort
Port on which the LDAP server accepts connections.
Default value: 389
Minimum value: 1
authTimeout
Number of seconds the NetScaler appliance waits for a response from the RADIUS server.
Default value: 3
Minimum value: 1
ldapBase
Base (node) from which to start LDAP searches.
If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
ldapBindDn
Full distinguished name (DN) that is used to bind to the LDAP server.
Default: cn=Manager,dc=netscaler,dc=com
ldapBindDnPassword
Password used to bind to the LDAP server.
ldapLoginName
LDAP login name attribute.
The NetScaler appliance uses the LDAP login name to query external LDAP servers or Active Directories.
searchFilter
String to be combined with the default LDAP user search string to form the search value. For example, if the search filter ?"vpnallowed=true"? is combined with the LDAP login name ?"samaccount"? and the user-supplied username is ?"bob"?, the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).
groupAttrName
LDAP group attribute name.
Used for group extraction on the LDAP server.
subAttributeName
LDAP group sub-attribute name.
Used for group extraction from the LDAP server.
secType
Type of security used for communications between the NetScaler appliance and the LDAP server. For the PLAINTEXT setting, no encryption is required.
Possible values: PLAINTEXT, TLS, SSL
Default value: AAA_LDAP_PLAINTEXT
svrType
The type of LDAP server.
Possible values: AD, NDS
Default value: AAA_LDAP_SERVER_TYPE_DEFAULT
ssoNameAttribute
LDAP single signon (SSO) attribute.
The NetScaler appliance uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.
authentication
Perform LDAP authentication.
If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found.
CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.
Possible values: ENABLED, DISABLED
Default value: ENABLED
requireUser
Require a successful user search for authentication.
Possible values: YES, NO
Default value: YES
passwdChange
Allow password change requests.
Possible values: ENABLED, DISABLED
Default value: DISABLED
nestedGroupExtraction
Allow nested group extraction, in which the NetScaler appliance queries external LDAP servers to determine whether a group is part of another group.
Possible values: ON, OFF
Default value: OFF
maxNestingLevel
If nested group extraction is ON, specifies the number of levels up to which group extraction is performed.
Default value: 2
Minimum value: 2
followReferrals
Setting this option to ON enables following LDAP referrals received from the LDAP server.
Possible values: ON, OFF
Default value: OFF
maxLDAPReferrals
Specifies the maximum number of nested referrals to follow.
Default value: 1
Minimum value: 1
validateServerCert
When to validate LDAP server certs
Possible values: YES, NO
Default value: NO
ldapHostname
Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server.
A hostname mismatch will cause a connection failure.
groupNameIdentifier
Name that uniquely identifies a group in LDAP or Active Directory.
groupSearchAttribute
LDAP group search attribute.
Used to determine to which groups a group belongs.
groupSearchSubAttribute
LDAP group search subattribute.
Used to determine to which groups a group belongs.
groupSearchFilter
String to be combined with the default LDAP group search string to form the search value. For example, the group search filter ""vpnallowed=true"" when combined with the group identifier ""samaccount"" and the group name ""g1"" yields the LDAP search string ""(&(vpnallowed=true)(samaccount=g1)"". (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.)
defaultAuthenticationGroup
This is the default group that is chosen when the authentication succeeds in addition to extracted groups.
Maximum value: 64
rm authentication ldapAction¶
Removes an LDAP profile (action).NOTE: An action cannot be removed if it is bound to a policy.
Synopsys¶
rm authentication ldapAction <name>
Arguments¶
name
Name of the LDAP profile (action) to be removed.
set authentication ldapAction¶
Modifies an LDAP server profile (action.) The profile contains all configuration data needed to communicate with that LDAP server.
Synopsys¶
set authentication ldapAction <name> [-serverIP <ip_addr|ipv6_addr|*>] [-serverName <string>] [-serverPort <port>] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] {-ldapBindDnPassword } [-ldapLoginName <string>] [-searchFilter <string>] [-groupAttrName <string>] [-subAttributeName <string>] [-secType <secType>] [-svrType ( AD | NDS )] [-ssoNameAttribute <string>] [-authentication ( ENABLED | DISABLED )] [-requireUser ( YES | NO )] [-passwdChange ( ENABLED | DISABLED )] [-validateServerCert ( YES | NO )] [-ldapHostname <string>] [-nestedGroupExtraction ( ON | OFF )] [-maxNestingLevel <positive_integer>] [-groupNameIdentifier <string>] [-groupSearchAttribute <string> [-groupSearchSubAttribute <string>]] [-groupSearchFilter <string>] [-followReferrals ( ON | OFF )] [-maxLDAPReferrals <positive_integer>] [-defaultAuthenticationGroup <string>]
Arguments¶
name
Name of the LDAP profile to modify.
serverIP
IP address assigned to the LDAP server.
serverName
LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.
serverPort
Port on which the LDAP server accepts connections.
Default value: 389
Minimum value: 1
authTimeout
Number of seconds the NetScaler appliance waits for a response from the RADIUS server.
Default value: 3
Minimum value: 1
ldapBase
Base (node) from which to start LDAP searches.
If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
ldapBindDn
Full distinguished name (DN) that is used to bind to the LDAP server.
Default: cn=Manager,dc=netscaler,dc=com
ldapBindDnPassword
Password used to bind to the LDAP server.
ldapLoginName
LDAP login name attribute.
The NetScaler appliance uses the LDAP login name to query external LDAP servers or Active Directories.
searchFilter
String to be combined with the default LDAP user search string to form the search value. For example, if the search filter ?"vpnallowed=true"? is combined with the LDAP login name ?"samaccount"? and the user-supplied username is ?"bob"?, the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).
groupAttrName
LDAP group attribute name.
Used for group extraction on the LDAP server.
subAttributeName
LDAP group sub-attribute name.
Used for group extraction from the LDAP server.
secType
Type of security used for communications between the NetScaler appliance and the LDAP server. For the PLAINTEXT setting, no encryption is required.
Possible values: PLAINTEXT, TLS, SSL
Default value: AAA_LDAP_PLAINTEXT
svrType
The type of LDAP server.
Possible values: AD, NDS
Default value: AAA_LDAP_SERVER_TYPE_DEFAULT
ssoNameAttribute
LDAP single signon (SSO) attribute.
The NetScaler appliance uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.
authentication
Perform LDAP authentication.
If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found.
CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.
Possible values: ENABLED, DISABLED
Default value: ENABLED
requireUser
Require a successful user search for authentication.
Possible values: YES, NO
Default value: YES
passwdChange
Allow password change requests.
Possible values: ENABLED, DISABLED
Default value: DISABLED
validateServerCert
When to validate LDAP server certs
Possible values: YES, NO
Default value: NO
ldapHostname
Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server.
A hostname mismatch will cause a connection failure.
nestedGroupExtraction
Allow nested group extraction, in which the NetScaler appliance queries external LDAP servers to determine whether a group is part of another group.
Possible values: ON, OFF
Default value: OFF
followReferrals
Setting this option to ON enables following LDAP referrals received from the LDAP server.
Possible values: ON, OFF
Default value: OFF
defaultAuthenticationGroup
This is the default group that is chosen when the authentication succeeds in addition to extracted groups.
Maximum value: 64
unset authentication ldapAction¶
Use this command to remove authentication ldapAction settings.Refer to the set authentication ldapAction command for meanings of the arguments.
Synopsys¶
unset authentication ldapAction <name> [-serverIP] [-serverName] [-serverPort] [-authTimeout] [-ldapBase] [-ldapBindDn] [-ldapBindDnPassword] [-ldapLoginName] [-searchFilter] [-groupAttrName] [-subAttributeName] [-secType] [-svrType] [-ssoNameAttribute] [-authentication] [-requireUser] [-passwdChange] [-validateServerCert] [-ldapHostname] [-nestedGroupExtraction] [-maxNestingLevel] [-groupNameIdentifier] [-groupSearchAttribute] [-groupSearchSubAttribute] [-groupSearchFilter] [-followReferrals] [-maxLDAPReferrals] [-defaultAuthenticationGroup]
show authentication ldapAction¶
Displays the current configuration settings for the specified LDAP profile (action).
Synopsys¶
show authentication ldapAction [<name>]
Arguments¶
name
Name of the LDAP profile.
summary
fullValues
format
level
Outputs¶
serverIP
IP address assigned to the LDAP server.
serverName
LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.
serverPort
Port on which the LDAP server accepts connections.
authTimeout
Number of seconds the NetScaler appliance waits for a response from the RADIUS server.
ldapBindDn
Full distinguished name (DN) that is used to bind to the LDAP server.
Default: cn=Manager,dc=netscaler,dc=com
ldapBindDnPassword
Password used to bind to the LDAP server.
ldapLoginName
LDAP login name attribute.
The NetScaler appliance uses the LDAP login name to query external LDAP servers or Active Directories.
ldapBase
Base (node) from which to start LDAP searches.
If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
searchFilter
String to be combined with the default LDAP user search string to form the search value. For example, if the search filter ?"vpnallowed=true"? is combined with the LDAP login name ?"samaccount"? and the user-supplied username is ?"bob"?, the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).
groupAttrName
LDAP group attribute name.
Used for group extraction on the LDAP server.
subAttributeName
LDAP group sub-attribute name.
Used for group extraction from the LDAP server.
secType
Type of security used for communications between the NetScaler appliance and the LDAP server. For the PLAINTEXT setting, no encryption is required.
svrType
The type of LDAP server.
ssoNameAttribute
LDAP single signon (SSO) attribute.
The NetScaler appliance uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.
authentication
Perform LDAP authentication.
If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found.
CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.
requireUser
Require a successful user search for authentication.
Success
Failure
stateflag
nestedGroupExtraction
Allow nested group extraction, in which the NetScaler appliance queries external LDAP servers to determine whether a group is part of another group.
maxNestingLevel
If nested group extraction is ON, specifies the number of levels up to which group extraction is performed.
followReferrals
Setting this option to ON enables following LDAP referrals received from the LDAP server.
maxLDAPReferrals
Specifies the maximum number of nested referrals to follow.
validateServerCert
When to validate LDAP server certs
ldapHostname
Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server.
A hostname mismatch will cause a connection failure.
groupNameIdentifier
Name that uniquely identifies a group in LDAP or Active Directory.
groupSearchAttribute
LDAP group search attribute.
Used to determine to which groups a group belongs.
groupSearchSubAttribute
LDAP group search subattribute.
Used to determine to which groups a group belongs.
groupSearchFilter
String to be combined with the default LDAP group search string to form the search value. For example, the group search filter ""vpnallowed=true"" when combined with the group identifier ""samaccount"" and the group name ""g1"" yields the LDAP search string ""(&(vpnallowed=true)(samaccount=g1)"". (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.)
passwdChange
Allow password change requests.
defaultAuthenticationGroup
This is the default group that is chosen when the authentication succeeds in addition to extracted groups.
devno
count