CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: LDAP groups not working in rule base

  1. #1
    Join Date
    2008-09-23
    Posts
    9
    Rep Power
    0

    Default LDAP groups not working in rule base

    Hello,

    I've managed to get AD info into SmartDashboard and I can see groups and users (with the standard cn=users). But when I create LDAP groups and then use them in the rule base for remote access VPN, they do not work.

    Users authenticate properly, but even in a situation where the LDAP group = one user, the rule base doesn't make a match.

    I'm using R70.30 and Win2003 Standard.

    I can see that my AD server is returning success when Checkpoint queries it for user/password.

    Any ideas??

    Regards,
    pioterbrat


    PS: When I changed the Remote Access Community from All Users to one of my LDAP groups, I can't authenticate in VPN.
    Last edited by pioterbrat; 2010-09-14 at 11:56.

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,249
    Rep Power
    14

    Default Re: LDAP groups not working in rule base

    Change the LDAP Group setting from whatever group name/subtree you specified and instead select "All Account Unit's Users". Reinstall policy and try again. Can users now authenticate and pass traffic? If so there is something wrong with your LDAP group definition or you might need to manually add the branch your user accounts are sitting under.

  3. #3
    Join Date
    2008-09-23
    Posts
    9
    Rep Power
    0

    Default Re: LDAP groups not working in rule base

    Hello,

    Thanks for help.

    I've made a group with All Account-Unit's Users and it started to work. But it's not enough, I need the group.

    I'm creating LDAP Groups like this:
    LDAP Groups -> New LDAP Group:
    My Account Unit
    And for the group scope I choose
    Only Sub Tree -> cn=checkpoint_group, cn=users, dc=something, dc=com

    What can be wrong? I don't understand why it is working with single users and not with groups :/

    Regards,
    pioterbrat

    PS: That was a configuration error; there should be Only Group in Prefix instead of Only Sub Tree.
    Last edited by pioterbrat; 2010-09-15 at 08:02.

  4. #4
    Join Date
    2006-10-03
    Location
    Offenbach/ Germany
    Posts
    170
    Rep Power
    14

    Default Re: LDAP groups not working in rule base

    I encountered such a problem in the past. Swapping LDAP to LDAP-SSL solved this problem.

    You could try the following in your Lab environment:

    1.) Perform a Schema extension of Active Directory (is not a popular solution, I know!)

    2.) Swap from LDAP to LDAP-SSL, which requires an Enterprise Root CA to be configured and a Certificate to be minted.

    Should you have any questions regarding how to accomplish this task, let me know.

    Kind regards,
    Yasushi

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,249
    Rep Power
    14

    Default Re: LDAP groups not working in rule base

    When you double-click the AU object in the users tree in SmartDashboard, can you see the checkpoint_group under the users cn? If so, enable the objects list in SmartDashboard by clicking View...Objects List and then double-click the checkpoint_group. Does a list of users in that group appear in the objects list window? If not, you have a problem with your group memberships in AD. If the list of users does appear, inspect their DNs closely and make sure they are correctly defined in your LDAP Group object.
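Added example (not from the thread or from Check Point): a small offline check that makes the difference between the two LDAP Group scopes in posts #3 and #5 concrete. "Only Sub Tree" selects user objects whose DN sits *beneath* the given branch, so pointing it at a group object finds nobody because a group has no user entries under it; "Only Group" selects users listed in that group's member attribute. The script also flags member DNs that resolve to no user entry, which is the "inspect their DNs closely" check from post #5. The LDIF snapshot, the DNs and the user names are constructed for the example; the scope names ("all", "subtree", "group") are this script's own labels for the three radio buttons, not Check Point identifiers.

```python
import re

# Constructed LDIF export of the objects the thread talks about.
# "dave" is referenced as a member but has no entry: a dangling DN.
SAMPLE_LDIF = """\
dn: cn=checkpoint_group,cn=users,dc=something,dc=com
objectClass: group
cn: checkpoint_group
member: cn=alice,cn=users,dc=something,dc=com
member: CN=bob,OU=vpn staff,DC=something,DC=com
member: cn=dave,cn=users,dc=something,dc=com

dn: cn=alice,cn=users,dc=something,dc=com
objectClass: user
cn: alice

dn: cn=bob,ou=vpn staff,dc=something,dc=com
objectClass: user
cn: bob

dn: cn=carol,cn=users,dc=something,dc=com
objectClass: user
cn: carol
"""

GROUP_DN = "cn=checkpoint_group,cn=users,dc=something,dc=com"
USERS_BRANCH = "cn=users,dc=something,dc=com"


def normalize_dn(dn):
    """DN matching is case-insensitive and ignores whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF parser: one entry per blank-line-separated block."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries


def is_under_branch(dn, branch):
    """True when dn is strictly below branch in the tree."""
    return normalize_dn(dn).endswith("," + normalize_dn(branch))


def users_in_scope(entries, prefix, scope):
    """Users an LDAP Group object would match for a given prefix and scope."""
    users = {dn for dn, a in entries.items() if "user" in a.get("objectClass", [])}
    if scope == "all":                      # All Account-Unit's Users
        return sorted(users)
    if scope == "subtree":                  # Only Sub Tree: users beneath the prefix DN
        return sorted(dn for dn in users if is_under_branch(dn, prefix))
    if scope == "group":                    # Only Group: users named in the group's member attribute
        group = entries.get(normalize_dn(prefix), {})
        members = {normalize_dn(m) for m in group.get("member", [])}
        return sorted(dn for dn in users if dn in members)
    raise ValueError(f"unknown scope {scope!r}")


def dangling_members(entries, group_dn):
    """Member DNs that point at no user entry in the export."""
    group = entries.get(normalize_dn(group_dn), {})
    return sorted(
        normalize_dn(m) for m in group.get("member", [])
        if normalize_dn(m) not in entries
    )


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    print("subtree under group DN:", users_in_scope(e, GROUP_DN, "subtree"))
    print("subtree under cn=users:", users_in_scope(e, USERS_BRANCH, "subtree"))
    print("members of group:     ", users_in_scope(e, GROUP_DN, "group"))
    print("dangling member DNs:  ", dangling_members(e, GROUP_DN))
```

Two things fall out of the run: the sub-tree scope on the group DN returns an empty list (the symptom in post #1), and the sub-tree scope on cn=users misses bob, who lives in a separate OU, which is the "manually add the branch your user accounts are sitting under" case from post #2.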

  6. #6
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    15

    Default Re: LDAP groups not working in rule base

    I've seen lots of these LDAP/SMDR posts lately and have actually started typing another one of my "how to" docs to publish here. Due to a datacenter move I have had to defer completing this document for a few weeks. Hope to be able to post it by the end of next month.
    There's no place like 127.0.0.1
