ADC CLI Commands

authentication-ldapAction

The following operations can be performed on “authentication-ldapAction”:

rm set add unset show

rm authentication ldapAction

Removes an LDAP profile (action). NOTE: An action cannot be removed if it is bound to a policy.

Synopsis

rm authentication ldapAction

Arguments

name Name of the LDAP profile (action) to be removed.

set authentication ldapAction

Modifies an LDAP server profile (action.) The profile contains all configuration data needed to communicate with that LDAP server.

Synopsis

set authentication ldapAction [-serverIP <ip_addr|ipv6_addr|*>] [-serverName ] [-serverPort ] [-authTimeout ] [-ldapBase ] [-ldapBindDn ] {-ldapBindDnPassword } [-ldapLoginName ] [-searchFilter ] [-groupAttrName ] [-subAttributeName ] [-secType ] [-svrType ( AD | NDS )] [-ssoNameAttribute ] [-authentication ( ENABLED | DISABLED )] [-requireUser ( YES | NO )] [-passwdChange ( ENABLED | DISABLED )] [-validateServerCert ( YES | NO )] [-ldapHostname ] [-nestedGroupExtraction ( ON | OFF )] [-maxNestingLevel ] [-groupNameIdentifier ] [-groupSearchAttribute [-groupSearchSubAttribute ]] [-groupSearchFilter ] [-followReferrals ( ON | OFF )] [-maxLDAPReferrals ] [-referralDNSLookup ] [-msSRVRecordlocation ] [-defaultAuthenticationGroup ] [-Attribute1 ] [-Attribute2 ] [-Attribute3 ] [-Attribute4 ] [-Attribute5 ] [-Attribute6 ] [-Attribute7 ] [-Attribute8 ] [-Attribute9 ] [-Attribute10 ] [-Attribute11 ] [-Attribute12 ] [-Attribute13 ] [-Attribute14 ] [-Attribute15 ] [-Attribute16 ] [-Attributes ] [-OTPSecret ] [-sshPublicKey ] [-pushService ] [-email ] [-KBAttribute ] [-alternateEmailAttr ] [-CloudAttributes ( ENABLED | DISABLED )]

Arguments

name Name of the LDAP profile to modify.

serverIP IP address assigned to the LDAP server.

serverName LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.

serverPort Port on which the LDAP server accepts connections. Default value: 389 Minimum value: 1

authTimeout Number of seconds the Citrix ADC waits for a response from the RADIUS server. Default value: 3 Minimum value: 1

ldapBase Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.

ldapBindDn Full distinguished name (DN) that is used to bind to the LDAP server. Default: cn=Manager,dc=netscaler,dc=com

ldapBindDnPassword Password used to bind to the LDAP server.

ldapLoginName LDAP login name attribute. The Citrix ADC uses the LDAP login name to query external LDAP servers or Active Directories.

searchFilter String to be combined with the default LDAP user search string to form the search value. For example, if the search filter “vpnallowed=true” is combined with the LDAP login name “samaccount” and the user-supplied username is “bob”, the result is the LDAP search string ““&(vpnallowed=true)(samaccount=bob)”” (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).

groupAttrName LDAP group attribute name. Used for group extraction on the LDAP server.

subAttributeName LDAP group sub-attribute name. Used for group extraction from the LDAP server.

secType Type of security used for communications between the Citrix ADC and the LDAP server. For the PLAINTEXT setting, no encryption is required.

Possible values: PLAINTEXT, TLS, SSL Default value: PLAINTEXT

svrType The type of LDAP server.

Possible values: AD, NDS Default value: AAA_LDAP_SERVER_TYPE_DEFAULT

ssoNameAttribute LDAP single signon (SSO) attribute. The Citrix ADC uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.

authentication Perform LDAP authentication. If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found. CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Possible values: ENABLED, DISABLED Default value: ENABLED

requireUser Require a successful user search for authentication. CAUTION! This field should be set to NO only if usersearch not required [Both username validation as well as password validation skipped] and (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Possible values: YES, NO Default value: YES

passwdChange Allow password change requests.

Possible values: ENABLED, DISABLED Default value: DISABLED

validateServerCert When to validate LDAP server certs

Possible values: YES, NO Default value: NO

ldapHostname Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server. A hostname mismatch will cause a connection failure.

nestedGroupExtraction Allow nested group extraction, in which the Citrix ADC queries external LDAP servers to determine whether a group is part of another group.

Possible values: ON, OFF Default value: OFF

maxNestingLevel If nested group extraction is ON, specifies the number of levels up to which group extraction is performed. Default value: 2 Minimum value: 2

groupNameIdentifier Name that uniquely identifies a group in LDAP or Active Directory.

groupSearchAttribute LDAP group search attribute. Used to determine to which groups a group belongs.

groupSearchSubAttribute LDAP group search subattribute. Used to determine to which groups a group belongs.

groupSearchFilter String to be combined with the default LDAP group search string to form the search value. For example, the group search filter ““vpnallowed=true”” when combined with the group identifier ““samaccount”” and the group name ““g1”” yields the LDAP search string “”(&(vpnallowed=true)(samaccount=g1)””. If nestedGroupExtraction is ENABLED, the filter is applied on the first level group search as well, otherwise first level groups (of which user is a direct member of) will be fetched without applying this filter. (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.)

followReferrals Setting this option to ON enables following LDAP referrals received from the LDAP server.

Possible values: ON, OFF Default value: OFF

maxLDAPReferrals Specifies the maximum number of nested referrals to follow. Default value: 1 Minimum value: 1

referralDNSLookup Specifies the DNS Record lookup Type for the referrals

Possible values: A-REC, SRV-REC, MSSRV-REC Default value: A-REC

msSRVRecordlocation MSSRV Specific parameter. Used to locate the DNS node to which the SRV record pertains in the domainname. The domainname is appended to it to form the srv record. Example : For “dc._msdcs”, the srv record formed is _ldap._tcp.dc._msdcs.. Default value: NS_S_DEFAULT_MSSRV_RECORDLOCATION

defaultAuthenticationGroup This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Attribute1 Expression that would be evaluated to extract attribute1 from the ldap response

Attribute2 Expression that would be evaluated to extract attribute2 from the ldap response

Attribute3 Expression that would be evaluated to extract attribute3 from the ldap response

Attribute4 Expression that would be evaluated to extract attribute4 from the ldap response

Attribute5 Expression that would be evaluated to extract attribute5 from the ldap response

Attribute6 Expression that would be evaluated to extract attribute6 from the ldap response

Attribute7 Expression that would be evaluated to extract attribute7 from the ldap response

Attribute8 Expression that would be evaluated to extract attribute8 from the ldap response

Attribute9 Expression that would be evaluated to extract attribute9 from the ldap response

Attribute10 Expression that would be evaluated to extract attribute10 from the ldap response

Attribute11 Expression that would be evaluated to extract attribute11 from the ldap response

Attribute12 Expression that would be evaluated to extract attribute12 from the ldap response

Attribute13 Expression that would be evaluated to extract attribute13 from the ldap response

Attribute14 Expression that would be evaluated to extract attribute14 from the ldap response

Attribute15 Expression that would be evaluated to extract attribute15 from the ldap response

Attribute16 Expression that would be evaluated to extract attribute16 from the ldap response

Attributes List of attribute names separated by ‘,’ which needs to be fetched from ldap server. Note that preceeding and trailing spaces will be removed. Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes. These attributes have multi-value support separated by ‘,’ and stored as key-value pair in AAA session

OTPSecret OneTimePassword(OTP) Secret key attribute on AD. This attribute is used to store and retrieve secret key used for OTP check

sshPublicKey SSH PublicKey is attribute on AD. This attribute is used to retrieve ssh PublicKey for RBA authentication

pushService Name of the service used to send push notifications

email The Citrix ADC uses the email attribute to query the Active Directory for the email id of a user Default value: mail

KBAttribute KnowledgeBasedAuthentication(KBA) attribute on AD. This attribute is used to store and retrieve preconfigured Question and Answer knowledge base used for KBA authentication.

alternateEmailAttr The NetScaler appliance uses the alternateive email attribute to query the Active Directory for the alternative email id of a user

CloudAttributes The Citrix ADC uses the cloud attributes to extract additional attributes from LDAP servers required for Citrix Cloud operations

Possible values: ENABLED, DISABLED Default value: DISABLED

add authentication ldapAction

Creates an action (profile) for an LDAP server. This profile contains all configuration data needed to communicate with that LDAP server.

Synopsis

add authentication ldapAction {-serverIP <ip_addr|ipv6_addr|*> | {-serverName }} [-serverPort ] [-authTimeout ] [-ldapBase ] [-ldapBindDn ] {-ldapBindDnPassword } [-ldapLoginName ] [-searchFilter ] [-groupAttrName ] [-subAttributeName ] [-secType ] [-svrType ( AD | NDS )] [-ssoNameAttribute ] [-authentication ( ENABLED | DISABLED )] [-requireUser ( YES | NO )] [-passwdChange ( ENABLED | DISABLED )] [-nestedGroupExtraction ( ON | OFF ) [-maxNestingLevel ] [-groupSearchSubAttribute ] [-groupSearchFilter ]] [-followReferrals ( ON | OFF ) [-maxLDAPReferrals ]] [-referralDNSLookup [-msSRVRecordlocation ]] [-validateServerCert ( YES | NO )] [-ldapHostname ] [-groupNameIdentifier ] [-groupSearchAttribute ] [-defaultAuthenticationGroup ] [-Attribute1 ] [-Attribute2 ] [-Attribute3 ] [-Attribute4 ] [-Attribute5 ] [-Attribute6 ] [-Attribute7 ] [-Attribute8 ] [-Attribute9 ] [-Attribute10 ] [-Attribute11 ] [-Attribute12 ] [-Attribute13 ] [-Attribute14 ] [-Attribute15 ] [-Attribute16 ] [-Attributes ] [-sshPublicKey ] [-pushService ] [-OTPSecret ] [-email ] [-KBAttribute ] [-alternateEmailAttr ] [-CloudAttributes ( ENABLED | DISABLED )]

Arguments

name Name for the new LDAP action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the LDAP action is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication action” or ‘my authentication action’).

serverIP IP address assigned to the LDAP server.

serverName LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.

serverPort Port on which the LDAP server accepts connections. Default value: 389 Minimum value: 1

authTimeout Number of seconds the Citrix ADC waits for a response from the RADIUS server. Default value: 3 Minimum value: 1

ldapBase Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.

ldapBindDn Full distinguished name (DN) that is used to bind to the LDAP server. Default: cn=Manager,dc=netscaler,dc=com

ldapBindDnPassword Password used to bind to the LDAP server.

ldapLoginName LDAP login name attribute. The Citrix ADC uses the LDAP login name to query external LDAP servers or Active Directories.

searchFilter String to be combined with the default LDAP user search string to form the search value. For example, if the search filter “vpnallowed=true” is combined with the LDAP login name “samaccount” and the user-supplied username is “bob”, the result is the LDAP search string ““&(vpnallowed=true)(samaccount=bob)”” (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).

groupAttrName LDAP group attribute name. Used for group extraction on the LDAP server.

subAttributeName LDAP group sub-attribute name. Used for group extraction from the LDAP server.

secType Type of security used for communications between the Citrix ADC and the LDAP server. For the PLAINTEXT setting, no encryption is required.

Possible values: PLAINTEXT, TLS, SSL Default value: PLAINTEXT

svrType The type of LDAP server.

Possible values: AD, NDS Default value: AAA_LDAP_SERVER_TYPE_DEFAULT

ssoNameAttribute LDAP single signon (SSO) attribute. The Citrix ADC uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.

authentication Perform LDAP authentication. If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found. CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Possible values: ENABLED, DISABLED Default value: ENABLED

requireUser Require a successful user search for authentication. CAUTION! This field should be set to NO only if usersearch not required [Both username validation as well as password validation skipped] and (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Possible values: YES, NO Default value: YES

passwdChange Allow password change requests.

Possible values: ENABLED, DISABLED Default value: DISABLED

nestedGroupExtraction Allow nested group extraction, in which the Citrix ADC queries external LDAP servers to determine whether a group is part of another group.

Possible values: ON, OFF Default value: OFF

maxNestingLevel If nested group extraction is ON, specifies the number of levels up to which group extraction is performed. Default value: 2 Minimum value: 2

followReferrals Setting this option to ON enables following LDAP referrals received from the LDAP server.

Possible values: ON, OFF Default value: OFF

maxLDAPReferrals Specifies the maximum number of nested referrals to follow. Default value: 1 Minimum value: 1

referralDNSLookup Specifies the DNS Record lookup Type for the referrals

Possible values: A-REC, SRV-REC, MSSRV-REC Default value: A-REC

msSRVRecordlocation MSSRV Specific parameter. Used to locate the DNS node to which the SRV record pertains in the domainname. The domainname is appended to it to form the srv record. Example : For “dc._msdcs”, the srv record formed is _ldap._tcp.dc._msdcs.. Default value: NS_S_DEFAULT_MSSRV_RECORDLOCATION

validateServerCert When to validate LDAP server certs

Possible values: YES, NO Default value: NO

ldapHostname Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server. A hostname mismatch will cause a connection failure.

groupNameIdentifier Name that uniquely identifies a group in LDAP or Active Directory.

groupSearchAttribute LDAP group search attribute. Used to determine to which groups a group belongs.

groupSearchSubAttribute LDAP group search subattribute. Used to determine to which groups a group belongs.

groupSearchFilter String to be combined with the default LDAP group search string to form the search value. For example, the group search filter ““vpnallowed=true”” when combined with the group identifier ““samaccount”” and the group name ““g1”” yields the LDAP search string “”(&(vpnallowed=true)(samaccount=g1)””. If nestedGroupExtraction is ENABLED, the filter is applied on the first level group search as well, otherwise first level groups (of which user is a direct member of) will be fetched without applying this filter. (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.)

defaultAuthenticationGroup This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Attribute1 Expression that would be evaluated to extract attribute1 from the ldap response

Attribute2 Expression that would be evaluated to extract attribute2 from the ldap response

Attribute3 Expression that would be evaluated to extract attribute3 from the ldap response

Attribute4 Expression that would be evaluated to extract attribute4 from the ldap response

Attribute5 Expression that would be evaluated to extract attribute5 from the ldap response

Attribute6 Expression that would be evaluated to extract attribute6 from the ldap response

Attribute7 Expression that would be evaluated to extract attribute7 from the ldap response

Attribute8 Expression that would be evaluated to extract attribute8 from the ldap response

Attribute9 Expression that would be evaluated to extract attribute9 from the ldap response

Attribute10 Expression that would be evaluated to extract attribute10 from the ldap response

Attribute11 Expression that would be evaluated to extract attribute11 from the ldap response

Attribute12 Expression that would be evaluated to extract attribute12 from the ldap response

Attribute13 Expression that would be evaluated to extract attribute13 from the ldap response

Attribute14 Expression that would be evaluated to extract attribute14 from the ldap response

Attribute15 Expression that would be evaluated to extract attribute15 from the ldap response

Attribute16 Expression that would be evaluated to extract attribute16 from the ldap response

Attributes List of attribute names separated by ‘,’ which needs to be fetched from ldap server. Note that preceeding and trailing spaces will be removed. Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes. These attributes have multi-value support separated by ‘,’ and stored as key-value pair in AAA session

sshPublicKey SSH PublicKey is attribute on AD. This attribute is used to retrieve ssh PublicKey for RBA authentication

pushService Name of the service used to send push notifications

OTPSecret OneTimePassword(OTP) Secret key attribute on AD. This attribute is used to store and retrieve secret key used for OTP check

email The Citrix ADC uses the email attribute to query the Active Directory for the email id of a user Default value: mail

KBAttribute KnowledgeBasedAuthentication(KBA) attribute on AD. This attribute is used to store and retrieve preconfigured Question and Answer knowledge base used for KBA authentication.

alternateEmailAttr The NetScaler appliance uses the alternateive email attribute to query the Active Directory for the alternative email id of a user

CloudAttributes The Citrix ADC uses the cloud attributes to extract additional attributes from LDAP servers required for Citrix Cloud operations

Possible values: ENABLED, DISABLED Default value: DISABLED

unset authentication ldapAction

Use this command to remove authentication ldapAction settings.Refer to the set authentication ldapAction command for meanings of the arguments.

Synopsis

unset authentication ldapAction [-serverPort] [-authTimeout] [-ldapBase] [-ldapBindDn] [-ldapBindDnPassword] [-ldapLoginName] [-searchFilter] [-groupAttrName] [-subAttributeName] [-secType] [-svrType] [-ssoNameAttribute] [-authentication] [-requireUser] [-passwdChange] [-validateServerCert] [-ldapHostname] [-nestedGroupExtraction] [-maxNestingLevel] [-groupNameIdentifier] [-groupSearchAttribute] [-groupSearchSubAttribute] [-groupSearchFilter] [-followReferrals] [-maxLDAPReferrals] [-referralDNSLookup] [-msSRVRecordlocation] [-defaultAuthenticationGroup] [-Attribute1] [-Attribute2] [-Attribute3] [-Attribute4] [-Attribute5] [-Attribute6] [-Attribute7] [-Attribute8] [-Attribute9] [-Attribute10] [-Attribute11] [-Attribute12] [-Attribute13] [-Attribute14] [-Attribute15] [-Attribute16] [-Attributes] [-OTPSecret] [-pushService] [-email] [-KBAttribute] [-alternateEmailAttr] [-CloudAttributes]

show authentication ldapAction

Displays the current configuration settings for the specified LDAP profile (action).

Synopsis

show authentication ldapAction []

Arguments

name Name of the LDAP profile.

Output

serverIP IP address assigned to the LDAP server.

serverName LDAP server name as a FQDN. Mutually exclusive with LDAP IP address.

serverPort Port on which the LDAP server accepts connections.

authTimeout Number of seconds the Citrix ADC waits for a response from the RADIUS server.

ldapBindDn Full distinguished name (DN) that is used to bind to the LDAP server. Default: cn=Manager,dc=netscaler,dc=com

ldapBindDnPassword Password used to bind to the LDAP server.

ldapLoginName LDAP login name attribute. The Citrix ADC uses the LDAP login name to query external LDAP servers or Active Directories.

ldapBase Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.

searchFilter String to be combined with the default LDAP user search string to form the search value. For example, if the search filter “vpnallowed=true” is combined with the LDAP login name “samaccount” and the user-supplied username is “bob”, the result is the LDAP search string ““&(vpnallowed=true)(samaccount=bob)”” (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.).

groupAttrName LDAP group attribute name. Used for group extraction on the LDAP server.

subAttributeName LDAP group sub-attribute name. Used for group extraction from the LDAP server.

secType Type of security used for communications between the Citrix ADC and the LDAP server. For the PLAINTEXT setting, no encryption is required.

svrType The type of LDAP server.

ssoNameAttribute LDAP single signon (SSO) attribute. The Citrix ADC uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.

authentication Perform LDAP authentication. If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found. CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

requireUser Require a successful user search for authentication. CAUTION! This field should be set to NO only if usersearch not required [Both username validation as well as password validation skipped] and (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.

Success Failure stateflag nestedGroupExtraction Allow nested group extraction, in which the Citrix ADC queries external LDAP servers to determine whether a group is part of another group.

maxNestingLevel If nested group extraction is ON, specifies the number of levels up to which group extraction is performed.

followReferrals Setting this option to ON enables following LDAP referrals received from the LDAP server.

maxLDAPReferrals Specifies the maximum number of nested referrals to follow.

referralDNSLookup Specifies the DNS Record lookup Type for the referrals

msSRVRecordlocation MSSRV Specific parameter. Used to locate the DNS node to which the SRV record pertains in the domainname. The domainname is appended to it to form the srv record. Example : For “dc._msdcs”, the srv record formed is _ldap._tcp.dc._msdcs..

validateServerCert When to validate LDAP server certs

ldapHostname Hostname for the LDAP server. If -validateServerCert is ON then this must be the host name on the certificate from the LDAP server. A hostname mismatch will cause a connection failure.

groupNameIdentifier Name that uniquely identifies a group in LDAP or Active Directory.

groupSearchAttribute LDAP group search attribute. Used to determine to which groups a group belongs.

groupSearchSubAttribute LDAP group search subattribute. Used to determine to which groups a group belongs.

groupSearchFilter String to be combined with the default LDAP group search string to form the search value. For example, the group search filter ““vpnallowed=true”” when combined with the group identifier ““samaccount”” and the group name ““g1”” yields the LDAP search string “”(&(vpnallowed=true)(samaccount=g1)””. If nestedGroupExtraction is ENABLED, the filter is applied on the first level group search as well, otherwise first level groups (of which user is a direct member of) will be fetched without applying this filter. (Be sure to enclose the search string in two sets of double quotation marks; both sets are needed.)

passwdChange Allow password change requests.

defaultAuthenticationGroup This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Attribute1 Expression that would be evaluated to extract attribute1 from the ldap response

Attribute2 Expression that would be evaluated to extract attribute2 from the ldap response

Attribute3 Expression that would be evaluated to extract attribute3 from the ldap response

Attribute4 Expression that would be evaluated to extract attribute4 from the ldap response

Attribute5 Expression that would be evaluated to extract attribute5 from the ldap response

Attribute6 Expression that would be evaluated to extract attribute6 from the ldap response

Attribute7 Expression that would be evaluated to extract attribute7 from the ldap response

Attribute8 Expression that would be evaluated to extract attribute8 from the ldap response

Attribute9 Expression that would be evaluated to extract attribute9 from the ldap response

Attribute10 Expression that would be evaluated to extract attribute10 from the ldap response

Attribute11 Expression that would be evaluated to extract attribute11 from the ldap response

Attribute12 Expression that would be evaluated to extract attribute12 from the ldap response

Attribute13 Expression that would be evaluated to extract attribute13 from the ldap response

Attribute14 Expression that would be evaluated to extract attribute14 from the ldap response

Attribute15 Expression that would be evaluated to extract attribute15 from the ldap response

Attribute16 Expression that would be evaluated to extract attribute16 from the ldap response

Attributes List of attribute names separated by ‘,’ which needs to be fetched from ldap server. Note that preceeding and trailing spaces will be removed. Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes. These attributes have multi-value support separated by ‘,’ and stored as key-value pair in AAA session

OTPSecret OneTimePassword(OTP) Secret key attribute on AD. This attribute is used to store and retrieve secret key used for OTP check

sshPublicKey SSH PublicKey is attribute on AD. This attribute is used to retrieve ssh PublicKey for RBA authentication

pushService Name of the service used to send push notifications

email The Citrix ADC uses the email attribute to query the Active Directory for the email id of a user

KBAttribute KnowledgeBasedAuthentication(KBA) attribute on AD. This attribute is used to store and retrieve preconfigured Question and Answer knowledge base used for KBA authentication.

alternateEmailAttr The NetScaler appliance uses the alternateive email attribute to query the Active Directory for the alternative email id of a user

CloudAttributes The Citrix ADC uses the cloud attributes to extract additional attributes from LDAP servers required for Citrix Cloud operations

devno count

authentication-ldapAction