LDAP authentication - disallow access if not in any group

Started by Ross Bender , 20 April 2017 - 09:22 PM
4 replies to this topic

Ross Bender Members

Ross Bender
  • 112 posts

Posted 20 April 2017 - 09:22 PM

Hello,

 

I have configured an external LDAP server for authentication. I have not created any groups in the Netscaler that map to LDAP groups.

 

When I log in with an LDAP account, it successfully authenticates me and I am able to access the management GUI, but since no groups have been configured, I don't have permission to do any action ("not authorized" errors are shown). Is it possible to disable access to the management GUI completely if a user does not have any groups?

 

I am trying to accomplish access for specific LDAP users rather than allowing access to an LDAP group. I can configure a Netscaler user with the same name as the LDAP user and enable "external authentication" so LDAP authenticates...and that works. I am now trying to only allow the explicitly created users rather than any LDAP user.

 

I can set the LDAP server to have a search filter, but this again requires use of an LDAP group. I want to only allow specific LDAP users and not need to involve an LDAP group.

 

Appreciate the advice

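As an added example (not posted in this thread and not taken from Citrix documentation), this is roughly how the two models discussed above look in NetScaler CLI. The server address, base DN, bind DN, user name and group name are constructed placeholders; the commented search-filter lines are the group-based variant, and the local user with external authentication is the model the asker describes as working.

```text
# Constructed example: LDAP used for authentication only.
add authentication ldapAction LDAP_AUTH -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=service,dc=example,dc=com" -ldapBindDnPassword <placeholder> -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP_AUTH_POL ns_true LDAP_AUTH
bind system global LDAP_AUTH_POL -priority 100

# Group-based variant (authorization decided by LDAP group membership).
# Anyone who can edit the directory group can grant NetScaler admin rights:
#   set authentication ldapAction LDAP_AUTH -searchFilter "memberOf=CN=NetScaler-Admins,OU=Groups,DC=example,DC=com" -groupAttrName memberOf -subAttributeName CN
#   add system group NetScaler-Admins
#   bind system group NetScaler-Admins -policyName superuser 1

# Local-authorization variant (the asker's model): only explicitly created
# users are bound to a command policy. Other LDAP users still authenticate,
# but with no command policy they receive "not authorized" on every action.
add system user rbender -externalAuth ENABLED
bind system user rbender superuser 1
```

The local variant keeps authorization changes on the NetScaler itself, but it does not by itself stop unmapped LDAP users from reaching the login; it only leaves them without any command policy, which is the behaviour the first post describes.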


Carl Stalhood CTP Member

Carl Stalhood
  • 11,611 posts

Posted 20 April 2017 - 09:56 PM

Why no LDAP group? Nested groups can work.



Ross Bender Members

Ross Bender
  • 112 posts

Posted 20 April 2017 - 10:04 PM

I want all authorization to be controlled at the Netscaler. Authentication can occur at LDAP but I don't want authorization mapped to LDAP (via groups).

 

The reason I want to keep authorization at the Netscaler is so that authorizations can only be modified at the Netscaler. Configuring the Netscaler for LDAP groups means an LDAP administrator could elevate their authorization level.



David Kirby Members

David Kirby
  • 149 posts

Posted 21 April 2017 - 08:04 AM

Change the security on the LDAP Group (AD) so the group cannot be modified by a low-level admin, e.g. account operators, and only high-privilege AD admins can administer add/remove members.

 

Controlling by AD group membership is the best way to do it.



Ross Bender Members

Ross Bender
  • 112 posts

Posted 21 April 2017 - 12:48 PM

I don't administer the LDAP server. Thus, the desire to completely separate authorization from it...