
How LDAP Group Extraction Works from the User Object Directly

Citrix Gateway authorization works with LDAP servers that evaluate group memberships from group objects.

Some LDAP servers let user objects hold information about the groups to which they belong, such as Active Directory (by using the memberOf attribute) or IBM eDirectory (by using the groupMembership attribute). On other servers, a user's group membership is available as attributes from the user object, such as IBM Directory Server (by using ibm-allGroups) or Sun ONE directory server (by using nsRole). Citrix Gateway group extraction works with both of these types of LDAP servers.

For example, in IBM Directory Server, all group memberships, including the static, dynamic, and nested groups, can be returned by using the ibm-allGroups attribute. In Sun ONE, all roles, including managed, filtered, and nested, are calculated by using the nsRole attribute.
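As an added illustration (not Citrix Gateway code and not part of the original page), the following Python example reads group names from the membership attribute of a user entry for the four directory types named above, including DN values that contain escaped commas. It assumes the attribute values are DNs and that the group name is the leftmost RDN value; the server-type labels and the sample entries are constructed.

```python
import string

# Membership attribute on the user object for each directory named above.
# The dictionary keys are hypothetical labels chosen for this example.
GROUP_ATTRS = {
    "active_directory": "memberOf",
    "ibm_edirectory": "groupMembership",
    "ibm_directory_server": "ibm-allGroups",
    "sun_one": "nsRole",
}

def first_rdn_value(dn):
    """Value of the leftmost RDN of a DN string, honouring RFC 4514 escapes."""
    out, i, in_value = bytearray(), 0, False
    while i < len(dn):
        ch = dn[i]
        if not in_value:                      # still in the attribute type
            in_value = ch == "="
            i += 1
        elif ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))     # hex escape such as \2C
                i += 3
            else:
                out += dn[i + 1].encode()     # escaped special such as \,
                i += 2
        elif ch in ",+":                      # unescaped separator ends the RDN
            break
        else:
            out += ch.encode()
            i += 1
    if not in_value:
        raise ValueError("not a DN: %r" % dn)
    return out.decode("utf-8")

def extract_groups(entry, server_type):
    """Sorted group names from one user entry (attribute -> list of DN values)."""
    wanted = GROUP_ATTRS[server_type].lower()  # attribute names are case-insensitive
    values = next((v for k, v in entry.items() if k.lower() == wanted), [])
    return sorted({first_rdn_value(dn) for dn in values})

# Constructed sample entries, not taken from a real directory.
AD_USER = {"memberof": ["CN=VPN Users,OU=Groups,DC=example,DC=com",
                        "CN=Admins\\, Temp,OU=Groups,DC=example,DC=com"]}
SUN_USER = {"nsRole": ["cn=R\\26D,ou=People,dc=example,dc=com"]}

if __name__ == "__main__":
    print(extract_groups(AD_USER, "active_directory"))
    print(extract_groups(SUN_USER, "sun_one"))
```

Two groups with the same leftmost RDN value in different containers produce the same name, so compare full DNs where that distinction matters for authorization.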
