AD User rights for LDAP Account Unit configuration used with Identity Collector

What are the AD user rights required for the LDAP Account Unit configuration when it is supposed to be used with Identity Collector?

In the Identity Collector configuration guide, it states:

  • Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles. 

But all the references to the LDAP Account Unit configuration describe the account as having Admin rights on the domain.

This contradicts the intended deployment model and I do not think it is necessary, if we are simply querying the AD group membership data.

5 Replies

I remember there was an sk article with the needed rights, but I can't find it. Maybe someone else will have more luck with the correct words to type in the search field.

We are running this with a user having only read rights in all OUs with groups and users.

Wolfgang


You just need the account to be a member of "Event Log Readers"


@Aidan_Luby , there are two different accounts referenced: one, as you described it, with the "Event Log Readers" permission that is assigned to the Identity Collector. The LDAP Account Unit is an additional account necessary to determine group memberships in AD.

Perhaps same rights would work for both, but it is not defined anywhere in documentation that I was able to find.


For IDC usage you need a user with LDAP read in the LDAP AU and a user with LDAP read + membership of the Event Log Readers group on the IDC.
For sure, most implementations will use the same user on the AU as on the IDC, because one user can serve both.

If you also use the AU for Remote Access, then you might also need write on LDAP if the users shall be able to change their own passwords when they expire. But this is a different story ;-)
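
An added example, not posted by anyone in this thread and not a Check Point tool, of how an administrator could verify the two-account model described above with the ActiveDirectory PowerShell module (RSAT). The account names `svc-idc-collector` and `svc-ldap-au`, and the list of privileged groups, are placeholders to be replaced with your own.

```powershell
# Added example, not from this thread: audit the IDC and LDAP AU service
# accounts for least privilege.
# Assumes the ActiveDirectory module (RSAT) is installed and that the
# sAMAccountNames below are placeholders for your own accounts.
Import-Module ActiveDirectory

# Expected rights per account:
#   IDC account     -> LDAP read plus membership of "Event Log Readers"
#   LDAP AU account -> LDAP read only, no extra group required
$accounts = [ordered]@{
    'svc-idc-collector' = @('Event Log Readers')
    'svc-ldap-au'       = @()
}

# Groups a read-only lookup account should never be a member of
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Server Operators')

foreach ($name in $accounts.Keys) {
    $user = Get-ADUser -Identity $name -ErrorAction Stop

    # Direct memberships only; nested group membership is not expanded here
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
              Select-Object -ExpandProperty Name

    # Required groups the account is not in, and privileged groups it is in
    $missing = @($accounts[$name] | Where-Object { $_ -notin $groups })
    $excess  = @($groups | Where-Object { $_ -in $privileged })

    $status = if ($missing.Count -eq 0 -and $excess.Count -eq 0) { 'OK' } else { 'REVIEW' }

    [pscustomobject]@{
        Account          = $name
        MissingRequired  = ($missing -join ', ')
        PrivilegedGroups = ($excess -join ', ')
        Status           = $status
    }
}
```

The script reports, per account, which required group is missing and which privileged group it should not hold; an account that is in "Domain Admins" shows up as REVIEW even though it would "work". Plain LDAP read is granted to authenticated users on most AD objects by default, so the useful check is the absence of excess rights rather than the presence of read. Only direct memberships are examined; if your environment nests groups, expand them (for example with `Get-ADGroupMember -Recursive` on each privileged group) before relying on the result.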


Thank you @Norbert_Bohusch . It makes perfect sense, but I was looking for some pointer to Check Point's official references to this data, as one of my clients has to justify the rights they grant to accounts and I've seen nothing but admin requirements for the LDAP AU.

If you happen to come across such a document, please let me know.

BTW, I prefer to use separate accounts for these two functions to make it easier to tell their actions apart when tracking them in AD logs, but this is just me.
