CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: AD account permissions for LDAP binding

  1. #1


    I have CP R70.40 and R75 gateways on open hardware (R75 management with R75 gateways and R70.40 gateways with R70.40 management). I want to set up remote access VPN and authenticate end users to enterprise-wide Active Directory running on Windows 2008 R2.

    My AD team has provided me a non-privileged user account which is to be used for LDAP binding. When I use this account I get the following SmartCenter error:

    "Failed to bind the LDAP server - wrong password or wrong login dn"

    I'm 100% certain the password and DN are correct. If I use ADExplorer (a simple LDAP/AD explorer), the same account/password work fine. If I use an administrator account in SmartCenter, LDAP binding is successful.

    I also created a test environment with a default AD config (no GPO or other customizations) and I can successfully LDAP bind using any standard or admin user account to my lab AD from my gateways.

    I'm certain our AD setup has been customized and the account given to me is missing some permissions or group membership. I don't know enough regarding AD to highlight the gap. Can someone please let me know the prerequisites for an AD account which needs to be used for LDAP binding? Is there any other way I can troubleshoot this further? Will asking the AD team to check their error logs help?

    Thanks in advance!

  2. #2

    By default they expect it to be a Domain Admin account (I know, don't ask me). I gather that there is an SK article explaining how to set it up with a less powerful account. I will post if I can find it.

    Found it:

    But good luck getting your Domain Admins to do this....
    Last edited by trackhappy; 2012-09-23 at 21:43.
