https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195628#M36448 <P>Hi Community,</P><P>i just hit the "problem" that if a user object is moved in the AD from one OU to another, the existing Access Role Object for that user will stop matching because the unique identifier in the access role will not update.</P><P>I found a SK about that.</P><P>sk105494</P><P>So it got "fixed" with R.81 and the solution is mentioned in the Identity Awarness Administration Guide under the topic "Configuring Security Identifier (SID) for LDAP Users"</P><P><SPAN class="">Note</SPAN><SPAN>&nbsp;</SPAN>- SID support is not activated by default.<BR />To enable SID support on the<SPAN>&nbsp;</SPAN><SPAN class="">Check Point</SPAN><SPAN>&nbsp;</SPAN><SPAN class="">Security Gateway</SPAN>:</P><OL><LI><P>Run<SPAN>&nbsp;</SPAN><EM>#cpstop</EM><SPAN>&nbsp;</SPAN>command.</P></LI><LI><P>Edit the<SPAN>&nbsp;</SPAN><EM>$CPDIR/tmp/.CPprofile.sh</EM><SPAN>&nbsp;</SPAN>file.</P></LI><LI><P>Add the line:</P><P><EM>export LDAP_SID=1</EM></P></LI><LI><P>Save the file.</P></LI><LI><P>Reboot the<SPAN>&nbsp;</SPAN><SPAN class="">Security Gateway</SPAN>.</P></LI><LI><P>Run this command:</P><P>#pdp nested status</P></LI></OL><P>&nbsp;</P><P>First question - why wasn't that set as default from Checkpoint? It feels somehow "experimental" and i don't want to run into problems after setting this up. It should be default to update AD user objects in the case of a OU move.</P><P>&nbsp;</P><P>Second question - did someone make that change and run into any problems? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Many thanks.</P><P>Best regards</P><P>Matt</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Oct 2023 13:09:40 GMT Matthew81 2023-10-19T13:09:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195628#M36448 <P>Hi Community,</P><P>i just hit the "problem" that if a user object is moved in the AD from one OU to another, the existing Access Role Object for that user will stop matching because the unique identifier in the access role will not update.</P><P>I found a SK about that.</P><P>sk105494</P><P>So it got "fixed" with R.81 and the solution is mentioned in the Identity Awarness Administration Guide under the topic "Configuring Security Identifier (SID) for LDAP Users"</P><P><SPAN class="">Note</SPAN><SPAN>&nbsp;</SPAN>- SID support is not activated by default.<BR />To enable SID support on the<SPAN>&nbsp;</SPAN><SPAN class="">Check Point</SPAN><SPAN>&nbsp;</SPAN><SPAN class="">Security Gateway</SPAN>:</P><OL><LI><P>Run<SPAN>&nbsp;</SPAN><EM>#cpstop</EM><SPAN>&nbsp;</SPAN>command.</P></LI><LI><P>Edit the<SPAN>&nbsp;</SPAN><EM>$CPDIR/tmp/.CPprofile.sh</EM><SPAN>&nbsp;</SPAN>file.</P></LI><LI><P>Add the line:</P><P><EM>export LDAP_SID=1</EM></P></LI><LI><P>Save the file.</P></LI><LI><P>Reboot the<SPAN>&nbsp;</SPAN><SPAN class="">Security Gateway</SPAN>.</P></LI><LI><P>Run this command:</P><P>#pdp nested status</P></LI></OL><P>&nbsp;</P><P>First question - why wasn't that set as default from Checkpoint? It feels somehow "experimental" and i don't want to run into problems after setting this up. It should be default to update AD user objects in the case of a OU move.</P><P>&nbsp;</P><P>Second question - did someone make that change and run into any problems? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Many thanks.</P><P>Best regards</P><P>Matt</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Oct 2023 13:09:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195628#M36448 Matthew81 2023-10-19T13:09:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195657#M36454 <P>Hi there,</P><P>I can't answer your first question, but we have been using SID for two years without any problems and I would say it is no longer "experimental".</P><P>We made the change at the end of 2021. We needed to make sure that access groups and users had their SID updated after the management upgrade to R81.X. This is done automatically during the upgrade process, but we had a very large number of AD groups/users (4 digits) - TAC provided us with two shell scripts to update all objects with the SID entry.</P><P>You can check this using GuiDBedit. See this post: Re: Identity Awareness - SID instead of DN for AD ... - Check Point CheckMates</P><P>&nbsp;</P><P><BR />Regarding your second question - we haven't seen any problems after activation. You just need to check that the SID field is filled in.<BR /><BR />Best regards</P> Thu, 19 Oct 2023 14:55:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195657#M36454 ProxyOps 2023-10-19T14:55:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195691#M36475 <P>To answer your second question, be aware that SID support will only exist for related objects created after the change was made per sk105494.<BR />See:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-SID-instead-of-DN-for-AD-Users-Migration-for/m-p/195364#M32758" target="_blank">https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-SID-instead-of-DN-for-AD-Users-Migration-for/m-p/195364#M32758</A>&nbsp;<BR />TAC can provide a script that will update the existing objects: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Thu, 19 Oct 2023 21:10:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195691#M36475 PhoneBoy 2023-10-19T21:10:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195725#M36494 <P><SPAN>Many thanks - we will contact TAC and get that script.</SPAN></P> Fri, 20 Oct 2023 05:29:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195725#M36494 Matthew81 2023-10-20T05:29:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195727#M36496 <P>...ah one more thing - do i really need to edit the file on every security gateway? Or only the one who is PDP?</P> Fri, 20 Oct 2023 06:18:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195727#M36496 Matthew81 2023-10-20T06:18:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195782#M36513 <P>The documentation states every security gateway needs this changed.</P> Fri, 20 Oct 2023 20:04:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195782#M36513 PhoneBoy 2023-10-20T20:04:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195877#M36528 <P>Yes, thats why i am asking <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />Because we have gateways not doing PDP or PEP. So i do not understand why to add that line into every .sh file mentioned in the documentation.</P><P>We have one cluster what is our PDP and some what are PEP getting the infos from the one PDP cluster.<BR />So in my logic only the PDP cluster needs that change.</P><P>But sure, if i should add it to every gateway in our Environment, then i will do that. Will take some time i guess.<BR />Somehow it would be better if Checkpoint will do that change by default in a future release <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 23 Oct 2023 05:16:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195877#M36528 Matthew81 2023-10-23T05:16:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195879#M36529 <P>Hi Matthew,&nbsp;<BR /><BR />we only adjusted this profile.sh setting on the relevant PDP Gateways. This setting is relevant for the LDAP part&nbsp; of the IA process flow .&nbsp;<BR />The LDAP process is only relevant on the Gateways with active PDP&nbsp;functionality.&nbsp;<BR /><BR />I would recommend to enable it on all gateways with active PDP and test it.</P><P>&nbsp;</P><P>Best regards</P> Mon, 23 Oct 2023 08:19:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Roles-do-not-get-automatically-updated-after-moving-users/m-p/195879#M36529 ProxyOps 2023-10-23T08:19:33Z