topic Re: AD User rights for LDAP Account Unit configuration used with Identity Collector in Firewall and Security Management

AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Mon, 25 Mar 2019 16:09:58 GMT

What are the AD user rights required for the LDAP Account Unit configuration when it is supposed to be used with Identity Collector?

In the Identity Collector configuration guide, it states:

Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles.

But all the references to the LDAP Account Unit configuration describe the account as having Admin rights on the domain.

This contradicts the intended deployment model and I do not think it is necessary, if we are simply querying the AD group membership data.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Wolfgang — Mon, 25 Mar 2019 20:01:35 GMT

I remember there was an sk article with the needed rights, but I can‘t find them. Maybe one another will have more luck with the correct words to type in the search field.

We are running this with a user having only read rights in all OUs with groups and users.

Wolfgang

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Aidan_Luby — Mon, 25 Mar 2019 20:50:39 GMT

You just need the account to be a member of "Event Log Readers"

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Mon, 25 Mar 2019 21:54:41 GMT

@Aidan_Luby , there are two different accounts referenced: one, as you described it, with the "Event Log Readers" permission that is assigned to the IdentityCollector. The LDAP Account unit is an additional account necessary to determine group memberships in AD.

Perhaps same rights would work for both, but it is not defined anywhere in documentation that I was able to find.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Norbert_Bohusch — Tue, 26 Mar 2019 07:59:01 GMT

For IDC usage you need a user with LDAP read in the LDAP AU and a user with LDAP read + Event Log Readers Group on IDC.
For sure the most implementations will use the same user on the AU, as on the IDC, because one user can serve both.

If you also use the AU for Remote Access, then you might also need write on LDAP if the users shall be able to change their own passwords if they expire. But this is a different story

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Tue, 26 Mar 2019 13:08:02 GMT

Thank you @Norbert_Bohusch . It makes perfect sense, but I was looking for some pointer to the Check Point's official references to this data, as one of my clients has to justify the rights they grant to accounts and I've seen nothing but admin requirements for LDAP AU.

If you happen to come across such a document, please let me know.

BTW, I prefer to use separate accounts for these two functions to simplify differentiation in the tracking their actions in AD logs, but this is just me.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

TOM_MORAN — Fri, 23 Oct 2020 18:44:43 GMT

Hi all , i beleive sk93938 is what you are looking for

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

DR_74 — Fri, 26 Feb 2021 15:47:58 GMT

Hi Vladimir,

This is an old post but were you ale to find documented informations regarding this? I have almost the same question:

Moving from AD query (with an Account User with High privileges on the AD) to Identity Collector

That is fine that Idnetity Collector needs a read only user account, but we still require a user for the LDAP account unit used by the Gateways.

Thanks

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Fri, 26 Feb 2021 16:34:46 GMT

Hi @DR_74 ,

Unfortunately, the very limited guidelines we have on LDAP AU is limited to either making those full domain admin (which I reject as an exceptionally bad idea) or an account with slightly more limited rights described here in sk93938 "Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2008 and higher."

Even as described in sk93938, the account has too many rights for my taste. I cannot guarantee that, but I am pretty sure it would work if you create a Group Policy that will be applied to that account to strip from it RDP, logon locally and shutdown and reboot server capabilities.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Norbert_Bohusch — Fri, 26 Feb 2021 16:41:30 GMT

For the account unit user you need just read for the whole AD.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Fri, 26 Feb 2021 19:12:44 GMT

@Norbert_Bohusch , when you create the AU with "AD read all" and then, during AD Query implementation, specifying same user account, are you not getting prompt that "the user is not a domain admin?"

Do you happen to have a reference to the Check Point sk describing the use of "AD Read All" account for AUs? I would really like to see that.

Thank you,

Vladimir

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Norbert_Bohusch — Fri, 26 Feb 2021 22:20:05 GMT

He said he is moving from AD Query to IDC and then you will not need more.

For AD Query there is sk93938, which outlines the needed rights for this user.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Fri, 26 Feb 2021 22:23:30 GMT

True that, but I do not recall seeing CP document stating this AU requirement specifically for IDC configuration.

If you can point me to it, I'd be much obliged.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

MtxMan — Thu, 30 Jun 2022 03:45:14 GMT

Hi @Vladimir

Do you have an update for this question?

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Vladimir — Thu, 30 Jun 2022 03:54:43 GMT

I do not, but it looks like I'll be implementing IDC for one of my clients within a month and may update this thread then.

Re: AD User rights for LDAP Account Unit configuration used with Identity Collector

Sorin_Gogean — Thu, 30 Jun 2022 09:27:16 GMT

hey,

This is the only thing I found when we started to look and implement IA with IC.

Hope it helps...

"Working with Active Directory Domains in the Identity Collector

To add new Active Directory Domain in the Identity Collector:

Open the Identity Collector application.
At the top, click Domains.
From the top toolbar, click New Domain ().

Enter the Domain name to show in the Identity Collector.
(Optional) Enter the comment.
Enter the Domain account credentials - Username and Password.

Note - The account must be a member of the Event Log Readers group.

From here