topic Re: Cannot Delete LDAP Account Unit in Firewall and Security Management

Cannot Delete LDAP Account Unit

ahutchison — Mon, 20 May 2024 18:36:55 GMT

Hello,

We are unable to delete an LDAP Account Unit, we have several objects that utilize the same domain and we wish to delete them in accordance with: sk92782

Upon attempting to delete the extraneous objects, it states that the object is in use, when I perform a "where used" it does not shown the object in use. See the attached screenshots.

Smart Console R81.10

R81.10 Take 139

Re: Cannot Delete LDAP Account Unit

PhoneBoy — Mon, 20 May 2024 18:51:11 GMT

I suspect this may require some surgery with GUIdbedit or similar.
Best to get the TAC involved: https://help.checkpoint.com

Re: Cannot Delete LDAP Account Unit

Lloyd_Braun — Mon, 20 May 2024 19:42:11 GMT

I have occasionally had luck discovering hidden dependencies by opening legacy smartdashboard, from manage, blades, https inspection, is one way to get there. "Where used" from there might give you a clue, but might require professional database surgery as Dameon mentioned.

Re: Cannot Delete LDAP Account Unit

the_rock — Mon, 20 May 2024 21:43:14 GMT

Agree with Phoneboy, guidbedit is your best bet at this time.

Andy

Re: Cannot Delete LDAP Account Unit

Duane_Toler — Tue, 21 May 2024 18:49:58 GMT

You may be able to glean a wee bit more info from the management API, if you have the object UID and you're willing to read through some deep logic. You can get the object UID with:

mgmt_cli -r true -f json show-objects filter LDAP-Servers |jq -r '.uid'

Then look at the object's properties and parameters:

mgmt_cli -r true -f json show-generic-object uid OBJECT_UID # replace OBJECT_UID with the actual object's UID

Careful reading through this output should give you a hint about where the object may be used. Look for references to things like a VPN authentication, or mobile access authentication.

I will wager that your gateway(s) have something like Mobile Access blade, or Endpoint VPN client authentication disabled right now, but may have been enabled previously. If you go back to the gateway properties, enable either Mobile Access blade or select VPN Clients -> Authentication, you will see the list of Authentication methods, and at least one of them may have an LDAP reference enabled. I had this on a customer gateway recently, too. Just because something is "disabled" in SmartConsole doesn't mean the object references were erased (they almost never are). GUIDBedit will show the same

If not VPN authentication, then you may have something configured in the gateway properties -> Other -> User Directory area, where the LDAP AU was referenced, perhaps when someone prior to you had tuned the LDAP server lookup order, but then something was disabled and again this reference was not removed.

Both GUIDBedit, and the "show-generic-object" API, will give you a clue as to where that object is being referenced.

Alternatively, you can look at the API server log on the management server ($FWDIR/log/cpm.elg and $FWDIR/log/api.elg). If you have the object UID, again you can search these logs to find where the API server complained about the error removing it. This may not be a perfect clue, however, but it may be helpful.

Good luck!

Re: Cannot Delete LDAP Account Unit

emmap — Wed, 22 May 2024 03:48:25 GMT

We have an article on a possible cause for this:

https://support.checkpoint.com/results/sk/sk173407

Re: Cannot Delete LDAP Account Unit

the_rock — Wed, 22 May 2024 04:00:07 GMT

I believe @ahutchison said it was not showing used anywhere, but worth double checking.

Re: Cannot Delete LDAP Account Unit

emmap — Wed, 22 May 2024 04:51:54 GMT

Yea the SK has those symptons:

"Failed to delete object: Object is used by a policy or other object" message when deleting an LDAP Account Unit object.
The "Where Used" option in the LDAP Account Unit object does not show any other objects that use it.

Re: Cannot Delete LDAP Account Unit

the_rock — Wed, 22 May 2024 05:42:27 GMT

Irs worth trying, for sure, I agree, could fix it.

We all know you are super smart and logical, so I have high hopes in that sk.

Best,

Andy