PDA

View Full Version : LDAP groups not working in rule base



pioterbrat
2010-09-14, 11:23
Hello,

I've managed to get AD info to smartdashboard and I can see group and users (with standard cn=users). But when I create LDAP groups and then use them in rule base for remote access vpn they do not work.

Users authenticate propely but inspite of situation where LDAP groups = one user rule base doesn't make match.

I'm using r70.30 and win2003 standard.

I can see that my AD server is returning success when Checkpoint queries it for user/password.

Any ideas??

Regards,
pioterbrat


PS When I changed Remote Access Community from All Users to one of my LDAP groups I can't authenticate in vpn

ShadowPeak.com
2010-09-14, 18:01
Change the LDAP Group setting from whatever group name/subtree you specified and instead select "All Account Unit's Users". Reinstall policy and try again. Can users now authenticate and pass traffic? If so there is something wrong with your LDAP group definition or you might need to manually add the branch your user accounts are sitting under.

pioterbrat
2010-09-15, 07:52
Hello,

Thanks for help.

I've made group wit All Account-Unit's Users and it started to work. But it's not enough, I need group.

I'm creating LDAP Groups like this:
LDAP Groups -> New LDAP Group :
My Account Unit
And for the group scope i choose
Only Sub Tree -> cn=checkpoint_group, cn=users, dc=something, dc=com

What can be wrong? I don't understand why it is working with single users and not with groups:/

Regards,
pioterbrat

PS That was configuration error there should be Only Group in Prefix instead Only Sub Tree.

Yasushi Kono
2010-09-24, 11:07
I encountered such a problem in the past. Swapping LDAP to LDAP-SSL solved this problem.

You could try the following in your Lab environment:

1.) Perform a Schema extension of Active Directory (is not a popular solution, I know!)

2.) Swap from LDAP to LDAP-SSL, which requires an Enterprise Root CA to be configured and a Certificate to be minted.

Should you have any questions regarding how to accomplish this task, let me know.

Kind regards,
Yasushi

ShadowPeak.com
2010-09-24, 13:13
When you double-click the AU object in the users tree in SmartDashboard, can you see the checkpoint_group under the users cn? If so, enable the objects list in SmartDashboard by clicking View...Objects List and then double-click the checkpoint_group. Does a list of users in that group appear in the objects list window? If not you have a problem with your group memberships in AD. If the list of users does appear, inspect their DN's closely and make sure they are correctly defined in your LDAP Group object.

lammbo
2010-09-24, 13:47
I've seen lots of these LDAP/SMDR posts lately and have actually started typing another one of my "how to" docs to publish here. Due to a datacenter move I have had to defer completing this document for a few weeks. Hope to be able to post it by the end of next month.