Skip to main content

NetScaler 10 Delegating Administration to Active Directory Groups

By June 14, 2013September 12th, 2022No Comments

If we leave the out of box configuration we have but a single account, nsroot, with rights to the appliance. No matter if this is NetScaler from Citrix or other systems we will all want to ensure that we have more than one account with rights and, if we have an external authentication system such as the Active Directory it would make sense to use that as the authentication domain, unifying administration access across all appliances with our domain logon.

Local Accounts

We can, of course create local accounts on the system. We don’t have to link into LDAP directories or the like. The difficulty, as with all local accounts, is as we grow the number of NetScaler Appliances the number of local accounts will grow and we have to manage the accounts and passwords. For smaller systems though this may be an option and I still like the idea of having another local administrator with full rights “just in case”

show system user
add system user bob Password1
bind system user bob superuser 1
show system user

From the command we can see that we display are users, just nsroot to start, create the new user bob with the password supplied and assign super user rights to the user. With this in place we display the users again to show the new user. For more global access we can link the systems to the Active Directory. this way we can use our domain accounts to authenticate into NetScaler and the same account across all NetScaler applicances

Linking to the Active Directory

add system group "Domain Admins"
bind system group "Domain Admins" -policyName superuser 1
add authentication ldapAction auth_ad -serverIP
-ldapBase "DC=example,DC=local"
-ldapBindDn administrator@example.local
-ldapBindDnPassword Password1 -ldaploginName samAccountName
-groupAttrName memberOf -subAttributeName CN
add authentication ldapPolicy auth_policy ns_true auth_ad
bind system global auth_policy -priority 100
save ns config

We start of similarly to before defining the group “Domain Admins” and assigning superuser rights to the account. We then define the Active Directory connection, usually you would use a dedicated ldap account in the AD that has read to all properties but does not need to write to the Ad. This account should be used as the ldapBindDN, for ease I use the administrator but that is not required or secure. The LDAP policy links to the server entry we create in the ldapAction and we assign the rights globally across the NetScaler System.

Setting Timeouts

So we have added in the Domain Admins group so that we can authenticate to the system; however, when using either the SSH sessions to the CLI or GUI interface using the browser the sessions will timeout out on idle. We of course have to manage this in our own way but the timeout is quite short, something like 5 minutes or what seems “as soon as my back is turned“. The default for the nsroot account is not to timeout, 0. We could set that or may be something like 1800 seconds that represents 30 minutes. here we disable the timeout for Domain Admins

set system group "Domain Admins" -timeOut 0
show system group "Domain Admins"

NetScaler Permissions

Permissions in NetScaler are defined using Command Policies. There are 4 supplies by default inlcuding the superuser policy that has rights to everythine. The other rights sets include:

  • operator
  • read_only
  • network

We can create our own and in the demo we see that we can allow the use of just the show command

 add system cmdPolicy show_stuff ALLOW "(^shows+.*)"

The regular expression is defined by the quotes following ALLOW. This defines what is allowed. We have one group defines by the brackets with in the group we start with:

  • ^show : the command must start with show
  • s+ followed by a space s and + defines at least one space but may be more
  • .* The single . specifies any character and the * says any amount none or many

So we have dfines a policy that allows us to ruin the show command and this is all.