
Netscaler authentication based on nested groups

November 23rd, 2012

So I needed to create an LDAP authentication policy in the Netscaler where the users are divided into different groups (DEPT1, DEPT2, DEPT3), and those groups are themselves members of another group (MAINGRP). I want to authenticate the users based on their nested membership in MAINGRP.

(Screenshot: Netscaler LDAP dialogue)

Normally, without nested groups, you would use an LDAP filter like this:

memberOf=CN=DEPT1,OU=users,OU=subou,OU=ou,DC=domain,DC=com

This returns a result to the Netscaler only if the user is a direct member of that group.

But what do you do if your user is in a nested group? Then you also need to find out whether one of the groups the user is a member of is itself a member of the specified group. My first thought was to use the nested groups feature in the Netscaler LDAP auth dialogue, so I configured it with 2 nested levels and the same kind of filter as on the user. Sadly this didn't work: it turns out that the nested groups part is ONLY for authorization, not authentication. What this means is that in the first step the user authenticates, and if you have a filter it returns whatever you configured the filter to return. If it doesn't return anything, such as a group, you're not allowed to log in. Once this is done, the Netscaler takes the returned result, parses it, and does additional LDAP queries to find the nested groups, but by then the user is already authenticated. The result of the nested group parsing is then passed on to whatever logic you have in AAA or session policies to use for authorization.

This meant that in order to use nested groups for authentication I needed to resolve the nested group in the first filter itself, and this is how you do that:

memberOf:1.2.840.113556.1.4.1941:=CN=MAINGRP,OU=subou,OU=ou,DC=domain,DC=com

By using this OID (a matching rule) in the LDAP filter you make the directory server do the nested group parsing itself, so it returns a result if the specified group is found anywhere up the membership chain.

from Microsoft Technet:

1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN: This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
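As an added example (not code from the original post or from Citrix), the following Python builds both filters shown above and, against a small constructed in-memory stand-in for Active Directory's memberOf attributes, shows the difference between what a plain `memberOf` filter and the chain matching rule would match. The directory contents and user names are made up; no LDAP server is contacted.

```python
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape the characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def flat_member_filter(group_dn: str) -> str:
    """The post's first filter: matches direct members of the group only."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def nested_member_filter(group_dn: str) -> str:
    """The post's second filter: matches members anywhere in the nesting chain."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


BASE = "OU=subou,OU=ou,DC=domain,DC=com"
MAINGRP = f"CN=MAINGRP,{BASE}"
DEPT1 = f"CN=DEPT1,OU=users,{BASE}"
OTHER = f"CN=OTHER,{BASE}"
LOOPA, LOOPB = f"CN=LOOPA,{BASE}", f"CN=LOOPB,{BASE}"
ALICE, BOB, CAROL = (f"CN={u},OU=users,{BASE}" for u in ("alice", "bob", "carol"))

# Constructed directory: each DN maps to the DNs listed in its memberOf attribute.
MEMBER_OF = {
    ALICE: [DEPT1],      # alice -> DEPT1 -> MAINGRP (nested membership)
    BOB: [OTHER],        # bob is only in an unrelated group
    CAROL: [LOOPA],      # carol sits in two groups that nest each other
    DEPT1: [MAINGRP],
    OTHER: [],
    LOOPA: [LOOPB],
    LOOPB: [LOOPA],
    MAINGRP: [],
}


def is_direct_member(user_dn: str, group_dn: str) -> bool:
    """What (memberOf=...) tests: the group must appear directly on the user."""
    return group_dn in MEMBER_OF.get(user_dn, [])


def is_member_in_chain(user_dn: str, group_dn: str) -> bool:
    """What the chain matching rule tests: follow memberOf transitively.
    The visited set stops the walk on circular nesting, which AD permits."""
    seen, stack = set(), list(MEMBER_OF.get(user_dn, []))
    while stack:
        dn = stack.pop()
        if dn == group_dn:
            return True
        if dn not in seen:
            seen.add(dn)
            stack.extend(MEMBER_OF.get(dn, []))
    return False
```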

And there you go!