Configuring LDAP Nested Group Extraction
Citrix Gateway can query LDAP groups and extract group and user information from ancestor groups that you configure on the authentication server. For example, you created group1 and within that group, you created group2 and group3. If the user belongs to group3, Citrix Gateway extracts information from all the nested ancestor groups (group2, group1) up to the specified level.
You can use an authentication policy to configure LDAP nested group extraction. When the query is run, Citrix Gateway searches the groups until it reaches the maximum nesting level or until it searches all available groups.
To configure LDAP nested group extraction
- In the configuration utility, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization > Authentication > Authentication and then click LDAP.
- In the details pane, on the Policies tab, click Add.
- In Name, type a name for the policy.
- Next to Server, click New.
- In Name, type the name of the server.
- Configure the settings for the LDAP server.
- Expand Nested Group Extraction, and then click Enable.
- In Maximum Nesting Level, type the number of levels that Citrix Gateway checks.
- In Group Name Identifier, type the LDAP attribute name that uniquely identifies a group name on the LDAP server, such as
sAMAccountName
. - In Group Search Attribute, type the LDAP attribute name that is to be obtained in the search response to determine the parent groups of any group. For example,
memberOf
. - In Group Search Sub-Attribute, type the LDAP subattribute name that is to be searched for as part of the Group Search Attribute to determine the parent groups of any group. For example, type CN.
- In Group Search Filter, type the query string. For example, the filter can be
&(samaccountname=test)(objectClass=\*)
. - Click Create, and then click Close.
- In the Create Authentication Policy dialog box, next to Named Expressions, select the expression, click Add Expression, click Create, and then click Close.