To configure LDAP authentication by using the configuration utility

  1. Navigate to Citrix Gateway > Policies > Authentication.

  2. Click LDAP.

  3. In the details pane, on the Policies tab, click Add.

  4. In Name, type a name for the policy.

  5. Next to Server, click New.

  6. In Name, type the name of the server.

  7. Under Server, in IP Address and Port, type the IP address and port number of the LDAP server.

  8. In Type, select either AD for Active Directory or NDS for Novell Directory Services.

  9. Under Connection Settings, complete the following:

    1. In Base DN (location of users), type the base DN under which users are located. Citrix Gateway searches for users under the base DN in the selected directory (AD or NDS).

      The base DN is derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of the syntax for base DN are:

    2. In Administrator Bind DN, type the administrator bind DN for queries to the LDAP directory. Examples for the syntax of bind DN are:

      domain/user name
      ou=administrator,dc=ace,dc=com (for Active Directory)

      For Active Directory, the group name specified as cn=groupname is required. The group name that you define in Citrix Gateway and the group name on the LDAP server must be identical.

      For other LDAP directories, the group name either is not required or, if necessary, is specified as ou=groupname.

      Citrix Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, Citrix Gateway unbinds the administrator credentials and rebinds with the user credentials.

    3. In Administrator Password and Confirm Administrator Password, type the administrator password for the LDAP server.

  10. To retrieve more LDAP settings automatically, click Retrieve Attributes.

    When you click Retrieve Attributes, the fields under Other Settings populate automatically. If you want to ignore this step, continue with Steps 12 and 13. Otherwise, skip to Step 14.

  11. Under Other Settings, in Server Logon Name Attribute, type the attribute under which Citrix Gateway must look for user logon names for the LDAP server that you are configuring. The default is samAccountName.

  12. In Search Filter, type the value to search for the users associated with a single Active Directory group or multiple Active Directory groups.

    For example, “memberOf=CN=GatewayAccess,OU=Groups,DC=Users,DC=lab”.


    You can use the preceding example to restrict Citrix Gateway access only to the members of a specific AD group.

  13. In Group Attribute, leave the default memberOf for Active Directory or change the attribute to the attribute of the LDAP server type you are using. This attribute enables Citrix Gateway to obtain the groups associated with a user during authorization.

  14. In Security Type, select the security type and then click Create.

  15. To allow users to change their LDAP password, select Allow Password Change.


    • If you select PLAINTEXT as the security type, allowing users to change their passwords is not supported.
    • If you select PLAINTEXT or TLS for security, use port number 389. If you select SSL, use port number 636.
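
The Search Filter, Server Logon Name Attribute, Security Type and port settings above can be checked for consistency before they are entered. The following Python is an added example, not Citrix code: the function names and sample user names are assumptions, as is the premise that the gateway ANDs the Search Filter with the logon-name match when it searches for the user.

```python
# Added example: pre-flight checks for the LDAP settings described above.
# Function names and sample values are assumptions, not part of Citrix Gateway.

# Port numbers per security type, taken from the notes in the procedure.
DEFAULT_PORTS = {"PLAINTEXT": 389, "TLS": 389, "SSL": 636}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_filter(login_attr, username, search_filter=""):
    """Build the filter used to locate the user after the administrator bind.

    Assumption: the Search Filter is ANDed with <login_attr>=<username>.
    """
    user_part = "(%s=%s)" % (login_attr, escape_filter_value(username))
    if not search_filter:
        return user_part
    # Accept the filter with or without enclosing parentheses.
    extra = search_filter if search_filter.startswith("(") else "(%s)" % search_filter
    return "(&%s%s)" % (user_part, extra)


def check_settings(sec_type, port, allow_password_change):
    """Return a list of problems with the security type, port and password change."""
    if sec_type not in DEFAULT_PORTS:
        return ["unknown security type: %r" % sec_type]
    problems = []
    if port != DEFAULT_PORTS[sec_type]:
        problems.append("%s expects port %d, got %d" % (sec_type, DEFAULT_PORTS[sec_type], port))
    if sec_type == "PLAINTEXT":
        if allow_password_change:
            problems.append("password change is not supported with PLAINTEXT")
        problems.append("PLAINTEXT sends bind passwords unencrypted")
    return problems


if __name__ == "__main__":
    group = "memberOf=CN=GatewayAccess,OU=Groups,DC=Users,DC=lab"  # from step 12
    print(effective_filter("samAccountName", "jdoe", group))
    # A constructed hostile user name: filter metacharacters are neutralised.
    print(effective_filter("samAccountName", "*)(objectClass=*", group))
    print(check_settings("PLAINTEXT", 389, True))
    print(check_settings("SSL", 636, True))
```
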