Custom Plugin & Attribute having issues with LDAP Lookup.

I need a solution

Hi All,

I’ve successfully integrated our proxy via ICAP which is feeding our Web Prevent Server.

I noticed the username was showing up as “local://”.  I added a new plugin successfully which outputs Username=sAMaccountname after parsing the ‘sender-email’ argument.  I then created a custom Attribute in our Employee field called “Username”.  We did not have this value prior.  My custom script successfully populates the new “Username” field.

My plugin Chain is as follows:

  1. Custom ICAP Username Parse
  2. LDAP

The exsting LDAP Plugin is as follows:

attr.Employee = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):displayName
attr.Employee Email = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):mail
attr.Employee FirstName = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):givenName
attr.Employee LastName = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):sn
attr.Employee Title = :(|(mail=$sender-email$)(sAMAccountName=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):title
attr.Employee Dept = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):department
attr.Employee Division = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):division
attr.Cost Center = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):ou
attr.TempManager = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):manager
attr.Supervisor First Name = :(distinguishedname=$TempManager$):givenName
attr.Supervisor Last Name = :(distinguishedname=$TempManager$):sn
attr.Supervisor Email = :(distinguishedname=$TempManager$):mail

When I generate a new ICAP event, DLP successfully executes my custom plugin and fills in the attribute “Username” with what is parsed as the AD sAMaccoutname.  All other fields are blank and from my understanding its due to my LDAP plugin missing the new field to lookup with.

1) I’ve tried to modify my LDAP lookup by adding (sAMAccountName=$Username$) but the lookup never works for Network Events and does not autopopulate or populate with a manual lookup.  I may be doing this incorrectly but I tried multiple ways.  I’m not sure if my order is maybe incorrect?  I need some guidance here.

2) After this change, Endpoint Incidents do not populate any custom attribute fields and when i click on “Lookup” an error message occurs with “Custom Attribute Lookup failed”.  I think this is due to my new custom attribute called “Username”

I think I’m missing something easy here but I’m not too sure at this point I’m getting confused.  Maybe how I modified my LDAP plugin? 

Any guidance at this point would be apperciated.



  • No Related Posts

What is “LDAP no such user xxx” and “RADIUS IP attribute missing, packet dropped”

I need a solution


I just wonder what is the meaning of these logs because it is generated almost everyday and too many. I cannot find any KB or article about these logs. Is there a way to stop these logs?

Note: This is ProxyASG S400-30 Version

2019-07-26 15:29:13+07:00ICT  "LDAP: no such user xxx"  5 250023:1  realm_ldap.cpp:3688
2019-07-26 15:29:08+07:00ICT  "Session Monitor: RADIUS IP attribute missing, packet dropped."  0 32000A:96  radius_session_notification_monitor.cpp:582

Any help would be appreciated.



  • No Related Posts

Add multiple Basic Authentication LDAP policies/servers to Gateway or LB VIP

The best way to add additional LDAP servers for authentication is to add another LDAP Authentication Policy which is associated with another LDAP server and then bind that new policy to your Gateway or LB VIP.

This article only works with Basic Authentication with LDAP but if you have an Authentication Profile on Gateway the process below will not work.

For Basic Authentication Policies with LDAP:

Log into the Netscaler GUI.

Click on “Citrix Gateway” (or Traffic Management -> Load Balancing) -> Virtual Server -> select your virtual server where you wish to add more LDAP servers.

Under “Basic Authentication” click on the LDAP Policy (If no policy exists you will create one here). Select the policy and click “Edit Server”. Make sure to copy the settings so that they are the same on the second LDAP server/policy you are about to create. Click Close.

For the existing Policy, write down the Priority value. You will want this to be the same for the new LDAP servers unless you specifically want a lower priority.

Select “Add Binding”. Change the Priority to match the one you just wrote down. Then click “Add” next to “Select Policy”

Create a Name for the policy. Make the Expression in the lower box: NS_TRUE

Click on “Add” next to Server selection box. Add all the server details for the second LDAP server. They should all be the same except for the IP address of the new server. Click on “Create”.

Click “Create” on the LDAP Policy page to create the policy with the new server.

Click on “Bind” to bind the policy with the set priority.

Now you should see two LDAP policies with the same priority and different policy names.

Next to Select Policy press the “Add” button and on the next screen click “Add’ to create a new LDAP policy.

PLEASE NOTE: These LDAP policies will NOT Round Robin. The first LDAP server will always be used unless it cannot authenticate, it goes down, or is otherwise unavailable. Only then will the second LDAP server be used.


  • No Related Posts

ProxySG | LDAP authentication multiple domain in 1 forest

I need a solution

Dear All,

Can I ask if ProxySG (VM) can do LDAP authentication in a multiple domain in 1 forest?

For example, customers have domain A and domain B, which are in the same forest, and there is a case sometimes where there is a user at the branch A to temporarily move to working at branch B.

So still want Authentication and receiving the policy that box proxy on the branch B, like the branch A

(ProxySG Appliances of customers are located in both branches)
Please recommend solution for this case.
If you would like more information please let me know.
Thank you so much for your help.
Best Regards,
Chakuttha R.


  • No Related Posts

“Failure – Probe time out” When Configuring Citrix ADC LDAP Monitor for Service Group

It is a best practice to reduce the returned values to a small number. For Active Directory LDAP systems the filter can be set to cn=Builtin that returns minimal results.

To make this change using ADCGUI, go to Traffic Management > Load balancing > Monitors > edit the LDAP Monitor and add CN=Builtin as filter.

User-added image

To make this change using ADC CLI:

add lb monitor MonitorName -scriptName -dispatcherIP -dispatcherPort 3013 -password password -encrypted -encryptmethod ENCMTHD_3 -LRTM ENABLED -baseDN "DC=dom,DC=com" -bindDN "CN=UserName,OU=CustomOU,DC=com,DC=com" -filter CN=Builtin


  • No Related Posts