Enyi_Ajoku
Nickel

Identity Awareness - LDAP Account Creation

Hello,

I am trying to enable Identity Awareness, and the server team needs to create an LDAP account for the firewall.

Should the LDAP account be an admin account or a user account?

If it has to be an admin account, is there documentation I can reference, which I can provide to the server team?

Greatly appreciate the help.

Thank You

0 Kudos
5 Replies

Re: Identity Awareness - LDAP Account Creation

Of course there is a very detailed reference: Identity Awareness Administration Guide R80.20! And for further information we have sk86441: ATRG: Identity Awareness, sk149255: Identity Awareness - Identity Sharing and sk88520: Best Practices - Identity Awareness Large Scale Deployment.

0 Kudos
Enyi_Ajoku
Nickel

Re: Identity Awareness - LDAP Account Creation

Thank You for your feedback. I don't see anywhere in the documentation where it states the LDAP account has to be an administrator account, except sk108235 - Identity Collector: Technical Overview, which we are not deploying in my environment.

I would appreciate it if you can direct me to where it's stated in any of the sks.

0 Kudos

Re: Identity Awareness - LDAP Account Creation

I think this may be what you're looking for if you don't want admin accounts: Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Serve...

0 Kudos
Enyi_Ajoku
Nickel

Re: Identity Awareness - LDAP Account Creation

The information I've got from PS and support is that the account should be an admin account for the Identity Awareness setup. I'm looking for a document from Check Point that supports this requirement.

0 Kudos

Re: Identity Awareness - LDAP Account Creation

I think the closest thing I can find is in the Identity Awareness R80.20 Admin guide where it says:

"Enter the Active Directory credentials and click Connect to verify the credentials.
Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."

So, I would read that to mean the default requirement is an admin (or domain admin) account unless you wanted to create a user with custom permissions (without domain admin) as illustrated in the sk article I referenced.

Here's a direct link to that portion of the admin guide for your AD administrator's reference. It should be under the section titled "Enabling Identity Awareness on the Log Server for Identity Logging".

0 Kudos