https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57280#M12591 <P>The information i've got from PS and support is the account should be an admin account for identity awareness setup. I'm looking for a document from checkpoint that supports this requirement&nbsp;</P> Tue, 02 Jul 2019 18:37:10 GMT Enyi_Ajoku 2019-07-02T18:37:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57250#M12587 <P>Hello,</P><P>I am trying to enable identity awareness, the server team needs to create a LDAP account for the firewall.&nbsp;</P><P>Should the LDAP account be an admin account or a user account?</P><P>If it has to be an admin account, is there a documentation i can reference to, which i can provide to the server team?</P><P>greatly appreciate the help</P><P>Thank You&nbsp;</P> Tue, 02 Jul 2019 14:37:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57250#M12587 Enyi_Ajoku 2019-07-02T14:37:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57257#M12588 <P>Of course there is a very detailed reference :&nbsp;Identity Awareness Administration Guide R80.20<SPAN class="Apple-converted-space">&nbsp;! And for further information we have the&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk86441&amp;partition=Advanced&amp;product=Identity" target="_blank">sk86441: ATRG: <STRONG>Identity</STRONG><STRONG>Awareness</STRONG></A></SPAN><SPAN class="Apple-converted-space">,&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk149255&amp;partition=Advanced&amp;product=Identity" target="_blank">sk149255: <STRONG>Identity</STRONG><STRONG>Awareness</STRONG>- <STRONG>Identity</STRONG>Sharing</A></SPAN><SPAN class="Apple-converted-space">&nbsp;and&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk88520&amp;partition=General&amp;product=Identity" target="_blank">sk88520: Best Practices - <STRONG>Identity</STRONG><STRONG>Awareness</STRONG>Large Scale Deployment</A></SPAN></P> Tue, 02 Jul 2019 14:55:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57257#M12588 G_W_Albrecht 2019-07-02T14:55:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57263#M12589 <P>Thank You for your feedback. I dont see anywhere on the documentation where it states the LDAP account has to be an administrator account except sk108235 - Identity Collector: Technical Overview which we are not deploying in my environment.</P><P>I would appreciate if you can direct me to where its stated on any of the sks.&nbsp;</P> Tue, 02 Jul 2019 16:42:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57263#M12589 Enyi_Ajoku 2019-07-02T16:42:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57265#M12590 <P>I think this may be what you're looking for if you don't want admin accounts:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk93938&amp;partition=General&amp;product=Identity" target="_self">Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2008 and above</A></P> Tue, 02 Jul 2019 16:51:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57265#M12590 Daniel_Taney 2019-07-02T16:51:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57280#M12591 <P>The information i've got from PS and support is the account should be an admin account for identity awareness setup. I'm looking for a document from checkpoint that supports this requirement&nbsp;</P> Tue, 02 Jul 2019 18:37:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57280#M12591 Enyi_Ajoku 2019-07-02T18:37:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57282#M12592 <P>I think the closest thing I can find is in the Identity Awareness R80.20 Admin guide where it says:</P> <P>"Enter the Active Directory credentials and click<STRONG class="menuoptions"> Connect</STRONG> to verify the credentials. <BR /><STRONG class="bold">Important</STRONG> - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."</P> <P>So, I would read that to mean the default requirement is an admin (or domain admin) account unless you wanted to create a user with custom permissions (without domain admin) as illustrated in the sk article I referenced.</P> <P>Here's a <A href="https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_IdentityAwareness_AdminGuide/html_frameset.htm" target="_self">direct link</A> to that portion of the admin guide for your AD administrator's reference. It should be under the section titled "Enabling Identity Awareness on the Log Server for Identity Logging"</P> <P>&nbsp;</P> Tue, 02 Jul 2019 18:48:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Awareness-LDAP-Account-Creation/m-p/57282#M12592 Daniel_Taney 2019-07-02T18:48:59Z