Developer Documentation
ADC NITRO APIs
Current Release 13.1 13

authenticationldapaction

May 23, 2024
Contributed by: 
C

Configuration for LDAP action resource.

Properties

(click to see Operations )

Name Data Type Permissions Description
name Read-write Name for the new LDAP action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the LDAP action is added. The following requirement applies only to the Citrix ADC CLI If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication action” or ‘my authentication action’). Minimum length = 1
serverip Read-write IP address assigned to the LDAP server.

Minimum length = 1
servername Read-write LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.

Minimum length = 1
serverport Read-write Port on which the LDAP server accepts connections.

Default value: 389

Minimum value = 1
authtimeout Read-write Number of seconds the Citrix ADC waits for a response from the RADIUS server.

Default value: 3

Minimum value = 1
ldapbase Read-write Base (node) from which to start LDAP searches.

If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
ldapbinddn Read-write Full distinguished name (DN) that is used to bind to the LDAP server.

Default: cn=Manager,dc=netscaler,dc=com.
ldapbinddnpassword Read-write Password used to bind to the LDAP server.

Minimum length = 1
ldaploginname Read-write LDAP login name attribute.

The Citrix ADC uses the LDAP login name to query external LDAP servers or Active Directories.
searchfilter Read-write String to be combined with the default LDAP user search string to form the search value. For example, if the search filter “vpnallowed=true” is combined with the LDAP login name “samaccount” and the user-supplied username is “bob”, the result is the LDAP search string “”;(vpnallowed=true)(samaccount=bob)”” (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).

Minimum length = 1
groupattrname Read-write LDAP group attribute name.

Used for group extraction on the LDAP server.
subattributename Read-write LDAP group sub-attribute name.

Used for group extraction from the LDAP server.
sectype Read-write Type of security used for communications between the Citrix ADC and the LDAP server. For the PLAINTEXT setting, no encryption is required.

Default value: PLAINTEXT

Possible values = PLAINTEXT, TLS, SSL
svrtype Read-write The type of LDAP server.

Default value: AAA_LDAP_SERVER_TYPE_DEFAULT

Possible values = AD, NDS
ssonameattribute Read-write LDAP single signon (SSO) attribute.

The Citrix ADC uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.
authentication Read-write Perform LDAP authentication.

If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found.

CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Default value: ENABLED

Possible values = ENABLED, DISABLED
requireuser Read-write Require a successful user search for authentication.

CAUTION! This field should be set to NO only if usersearch not required [Both username validation as well as password validation skipped] and (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Default value: YES

Possible values = YES, NO
passwdchange Read-write Allow password change requests.

Default value: DISABLED

Possible values = ENABLED, DISABLED
nestedgroupextraction Read-write Allow nested group extraction, in which the Citrix ADC queries external LDAP servers to determine whether a group is part of another group.

Default value: OFF

Possible values = ON, OFF
maxnestinglevel Read-write If nested group extraction is ON, specifies the number of levels up to which group extraction is performed.

Default value: 2

Minimum value = 2
followreferrals Read-write Setting this option to ON enables following LDAP referrals received from the LDAP server.

Default value: OFF

Possible values = ON, OFF
maxldapreferrals Read-write Specifies the maximum number of nested referrals to follow.

Default value: 1

Minimum value = 1
referraldnslookup Read-write Specifies the DNS Record lookup Type for the referrals.

Default value: A-REC

Possible values = A-REC, SRV-REC, MSSRV-REC
mssrvrecordlocation Read-write MSSRV Specific parameter. Used to locate the DNS node to which the SRV record pertains in the domainname. The domainname is appended to it to form the srv record.

Example : For “dc._msdcs”, the srv record formed is _ldap._tcp.dc._msdcs..
validateservercert Read-write When to validate LDAP server certs.

Default value: NO

Possible values = YES, NO
ldaphostname Read-write Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server.

A hostname mismatch will cause a connection failure.
groupnameidentifier Read-write Name that uniquely identifies a group in LDAP or Active Directory.
groupsearchattribute Read-write LDAP group search attribute.

Used to determine to which groups a group belongs.
groupsearchsubattribute Read-write LDAP group search subattribute.

Used to determine to which groups a group belongs.
groupsearchfilter Read-write String to be combined with the default LDAP group search string to form the search value. For example, the group search filter ““vpnallowed=true”” when combined with the group identifier ““samaccount”” and the group name ““g1”” yields the LDAP search string “”(;(vpnallowed=true)(samaccount=g1)””. If nestedGroupExtraction is ENABLED, the filter is applied on the first level group search as well, otherwise first level groups (of which user is a direct member of) will be fetched without applying this filter. (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).
defaultauthenticationgroup Read-write This is the default group that is chosen when the authentication succeeds in addition to extracted groups.
attribute1 Read-write Expression that would be evaluated to extract attribute1 from the ldap response.
attribute2 Read-write Expression that would be evaluated to extract attribute2 from the ldap response.
attribute3 Read-write Expression that would be evaluated to extract attribute3 from the ldap response.
attribute4 Read-write Expression that would be evaluated to extract attribute4 from the ldap response.
attribute5 Read-write Expression that would be evaluated to extract attribute5 from the ldap response.
attribute6 Read-write Expression that would be evaluated to extract attribute6 from the ldap response.
attribute7 Read-write Expression that would be evaluated to extract attribute7 from the ldap response.
attribute8 Read-write Expression that would be evaluated to extract attribute8 from the ldap response.
attribute9 Read-write Expression that would be evaluated to extract attribute9 from the ldap response.
attribute10 Read-write Expression that would be evaluated to extract attribute10 from the ldap response.
attribute11 Read-write Expression that would be evaluated to extract attribute11 from the ldap response.
attribute12 Read-write Expression that would be evaluated to extract attribute12 from the ldap response.
attribute13 Read-write Expression that would be evaluated to extract attribute13 from the ldap response.
attribute14 Read-write Expression that would be evaluated to extract attribute14 from the ldap response.
attribute15 Read-write Expression that would be evaluated to extract attribute15 from the ldap response.
attribute16 Read-write Expression that would be evaluated to extract attribute16 from the ldap response.
attributes Read-write List of attribute names separated by ‘,’ which needs to be fetched from ldap server.

Note that preceeding and trailing spaces will be removed.

Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes.

These attributes have multi-value support separated by ‘,’ and stored as key-value pair in AAA session.
sshpublickey Read-write SSH PublicKey is attribute on AD. This attribute is used to retrieve ssh PublicKey for RBA authentication.

Minimum length = 1
pushservice Read-write Name of the service used to send push notifications.

Minimum length = 1
otpsecret Read-write OneTimePassword(OTP) Secret key attribute on AD. This attribute is used to store and retrieve secret key used for OTP check.

Minimum length = 1
email Read-write The Citrix ADC uses the email attribute to query the Active Directory for the email id of a user.

Default value: mail

Maximum length = 128
kbattribute Read-write KnowledgeBasedAuthentication(KBA) attribute on AD. This attribute is used to store and retrieve preconfigured Question and Answer knowledge base used for KBA authentication.

Minimum length = 1

Maximum length = 127
alternateemailattr Read-write The NetScaler appliance uses the alternateive email attribute to query the Active Directory for the alternative email id of a user.

Maximum length = 128
cloudattributes Read-write The Citrix ADC uses the cloud attributes to extract additional attributes from LDAP servers required for Citrix Cloud operations.

Default value: DISABLED

Possible values = ENABLED, DISABLED
success Read-only .
failure Read-only .
__count Read-only count parameter

Operations

(click to see Properties )

  • ADD
  • DELETE
  • UPDATE
  • UNSET
  • GET (ALL)
  • GET
  • COUNT

Some options that you can use for each operations:

  • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

    http:// <netscaler-ip-address> /nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.

  • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER: <username>

    X-NITRO-PASS: <password>

    Note: In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

*Note: * Mandatory parameters are marked in red and placeholder content is marked in green

unset

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction? action=unset HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload: 

{"authenticationldapaction":{
<b>"name":<String_value>,
</b>"serverport":true,
"authtimeout":true,
"ldapbase":true,
"ldapbinddn":true,
"ldapbinddnpassword":true,
"ldaploginname":true,
"searchfilter":true,
"groupattrname":true,
"subattributename":true,
"sectype":true,
"svrtype":true,
"ssonameattribute":true,
"authentication":true,
"requireuser":true,
"passwdchange":true,
"validateservercert":true,
"ldaphostname":true,
"nestedgroupextraction":true,
"maxnestinglevel":true,
"groupnameidentifier":true,
"groupsearchattribute":true,
"groupsearchsubattribute":true,
"groupsearchfilter":true,
"followreferrals":true,
"maxldapreferrals":true,
"referraldnslookup":true,
"mssrvrecordlocation":true,
"defaultauthenticationgroup":true,
"attribute1":true,
"attribute2":true,
"attribute3":true,
"attribute4":true,
"attribute5":true,
"attribute6":true,
"attribute7":true,
"attribute8":true,
"attribute9":true,
"attribute10":true,
"attribute11":true,
"attribute12":true,
"attribute13":true,
"attribute14":true,
"attribute15":true,
"attribute16":true,
"attributes":true,
"otpsecret":true,
"pushservice":true,
"email":true,
"kbattribute":true,
"alternateemailattr":true,
"cloudattributes":true
}}

<!--NeedCopy-->

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

delete

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction/ name_value<String> HTTP Method: DELETE

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

update

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction HTTP Method: PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload: 

{"authenticationldapaction":{
<b>"name":<String_value>,
</b>"serverip":<String_value>,
"servername":<String_value>,
"serverport":<Integer_value>,
"authtimeout":<Double_value>,
"ldapbase":<String_value>,
"ldapbinddn":<String_value>,
"ldapbinddnpassword":<String_value>,
"ldaploginname":<String_value>,
"searchfilter":<String_value>,
"groupattrname":<String_value>,
"subattributename":<String_value>,
"sectype":<String_value>,
"svrtype":<String_value>,
"ssonameattribute":<String_value>,
"authentication":<String_value>,
"requireuser":<String_value>,
"passwdchange":<String_value>,
"validateservercert":<String_value>,
"ldaphostname":<String_value>,
"nestedgroupextraction":<String_value>,
"maxnestinglevel":<Double_value>,
"groupnameidentifier":<String_value>,
"groupsearchattribute":<String_value>,
"groupsearchsubattribute":<String_value>,
"groupsearchfilter":<String_value>,
"followreferrals":<String_value>,
"maxldapreferrals":<Double_value>,
"referraldnslookup":<String_value>,
"mssrvrecordlocation":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"otpsecret":<String_value>,
"sshpublickey":<String_value>,
"pushservice":<String_value>,
"email":<String_value>,
"kbattribute":<String_value>,
"alternateemailattr":<String_value>,
"cloudattributes":<String_value>
}}

<!--NeedCopy-->

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

add

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload: 

{"authenticationldapaction":{
<b>"name":<String_value>,
</b>"serverip":<String_value>,
"servername":<String_value>,
"serverport":<Integer_value>,
"authtimeout":<Double_value>,
"ldapbase":<String_value>,
"ldapbinddn":<String_value>,
"ldapbinddnpassword":<String_value>,
"ldaploginname":<String_value>,
"searchfilter":<String_value>,
"groupattrname":<String_value>,
"subattributename":<String_value>,
"sectype":<String_value>,
"svrtype":<String_value>,
"ssonameattribute":<String_value>,
"authentication":<String_value>,
"requireuser":<String_value>,
"passwdchange":<String_value>,
"nestedgroupextraction":<String_value>,
"maxnestinglevel":<Double_value>,
"followreferrals":<String_value>,
"maxldapreferrals":<Double_value>,
"referraldnslookup":<String_value>,
"mssrvrecordlocation":<String_value>,
"validateservercert":<String_value>,
"ldaphostname":<String_value>,
"groupnameidentifier":<String_value>,
"groupsearchattribute":<String_value>,
"groupsearchsubattribute":<String_value>,
"groupsearchfilter":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"sshpublickey":<String_value>,
"pushservice":<String_value>,
"otpsecret":<String_value>,
"email":<String_value>,
"kbattribute":<String_value>,
"alternateemailattr":<String_value>,
"cloudattributes":<String_value>
}}

<!--NeedCopy-->

Response: HTTP Status Code on Success: 201 Created

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

get (all)

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction Query-parameters: attrs http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction? attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

filter http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction? filter=property-name1:property-val1,property-name2:property-val2

Use this query-parameter to get the filtered set of authenticationldapaction resources configured on NetScaler.Filtering can be done on any of the properties of the resource.

view http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction? view=summary

Use this query-parameter to get the summary output of authenticationldapaction resources configured on NetScaler.

Note: By default, the retrieved results are displayed in detail view (?view=detail).

pagination http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction? pagesize=#no;pageno=#no

Use this query-parameter to get the authenticationldapaction resources in chunks.

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload: 

{ "authenticationldapaction": [ {
"name":<String_value>,
"serverip":<String_value>,
"servername":<String_value>,
"serverport":<Integer_value>,
"authtimeout":<Double_value>,
"ldapbinddn":<String_value>,
"ldapbinddnpassword":<String_value>,
"ldaploginname":<String_value>,
"ldapbase":<String_value>,
"searchfilter":<String_value>,
"groupattrname":<String_value>,
"subattributename":<String_value>,
"sectype":<String_value>,
"svrtype":<String_value>,
"ssonameattribute":<String_value>,
"authentication":<String_value>,
"requireuser":<String_value>,
"success":<Double_value>,
"failure":<Double_value>,
"nestedgroupextraction":<String_value>,
"maxnestinglevel":<Double_value>,
"followreferrals":<String_value>,
"maxldapreferrals":<Double_value>,
"referraldnslookup":<String_value>,
"mssrvrecordlocation":<String_value>,
"validateservercert":<String_value>,
"ldaphostname":<String_value>,
"groupnameidentifier":<String_value>,
"groupsearchattribute":<String_value>,
"groupsearchsubattribute":<String_value>,
"groupsearchfilter":<String_value>,
"passwdchange":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"otpsecret":<String_value>,
"sshpublickey":<String_value>,
"pushservice":<String_value>,
"email":<String_value>,
"kbattribute":<String_value>,
"alternateemailattr":<String_value>,
"cloudattributes":<String_value>
}]}

<!--NeedCopy-->

get

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction/ name_value<String> Query-parameters: attrs http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction/ name_value<String> ? attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

view http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction/ name_value<String> ? view=summary

Use this query-parameter to get the summary output of authenticationldapaction resources configured on NetScaler.

Note: By default, the retrieved results are displayed in detail view (?view=detail).

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload: 

{  "authenticationldapaction": [ {
"name":<String_value>,
"serverip":<String_value>,
"servername":<String_value>,
"serverport":<Integer_value>,
"authtimeout":<Double_value>,
"ldapbinddn":<String_value>,
"ldapbinddnpassword":<String_value>,
"ldaploginname":<String_value>,
"ldapbase":<String_value>,
"searchfilter":<String_value>,
"groupattrname":<String_value>,
"subattributename":<String_value>,
"sectype":<String_value>,
"svrtype":<String_value>,
"ssonameattribute":<String_value>,
"authentication":<String_value>,
"requireuser":<String_value>,
"success":<Double_value>,
"failure":<Double_value>,
"nestedgroupextraction":<String_value>,
"maxnestinglevel":<Double_value>,
"followreferrals":<String_value>,
"maxldapreferrals":<Double_value>,
"referraldnslookup":<String_value>,
"mssrvrecordlocation":<String_value>,
"validateservercert":<String_value>,
"ldaphostname":<String_value>,
"groupnameidentifier":<String_value>,
"groupsearchattribute":<String_value>,
"groupsearchsubattribute":<String_value>,
"groupsearchfilter":<String_value>,
"passwdchange":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"otpsecret":<String_value>,
"sshpublickey":<String_value>,
"pushservice":<String_value>,
"email":<String_value>,
"kbattribute":<String_value>,
"alternateemailattr":<String_value>,
"cloudattributes":<String_value>
}]}

<!--NeedCopy-->

count

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationldapaction? count=yes HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response: HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload: 

{ "authenticationldapaction": [ { "__count": "#no"} ] }

<!--NeedCopy-->
authenticationldapaction
May 23, 2024
Contributed by: 
C
May 23, 2024
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.