Vladimir
Champion

AD User rights for LDAP Account Unit configuration used with Identity Collector

What are the AD user rights required for the LDAP Account Unit configuration when it is supposed to be used with Identity Collector?

In the Identity Collector configuration guide, it states:

  • Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles. 

But all the references to the LDAP Account Unit configuration describe the account as having Admin rights on the domain.

This contradicts the intended deployment model and I do not think it is necessary, if we are simply querying the AD group membership data.

12 Replies
Wolfgang
Leader

I remember there was an sk article with the needed rights, but I can't find it. Maybe someone else will have more luck with the correct words to type in the search field.

We are running this with a user having only read rights in all OUs with groups and users.

Wolfgang

Aidan_Luby
Collaborator

You just need the account to be a member of "Event Log Readers"

Vladimir
Champion

@Aidan_Luby , there are two different accounts referenced: one, as you described it, with the "Event Log Readers" permission that is assigned to the IdentityCollector. The LDAP Account unit is an additional account necessary to determine group memberships in AD.

Perhaps same rights would work for both, but it is not defined anywhere in documentation that I was able to find.

Norbert_Bohusch
Advisor

For IDC usage you need a user with LDAP read in the LDAP AU and a user with LDAP read + Event Log Readers Group on IDC.
For sure most implementations will use the same user on the AU as on the IDC, because one user can serve both.

If you also use the AU for Remote Access, then you might also need write on LDAP if the users shall be able to change their own passwords when they expire. But this is a different story ;-)
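The account setup described in the reply above (LDAP read for the Account Unit, plus Event Log Readers for the Identity Collector side), as an added PowerShell example. This is not code from the thread or from Check Point documentation; the account name `svc-cp-idc`, the OU `Service Accounts`, and the sample user `jdoe` are assumptions to be replaced with your own. It creates a plain domain user, adds it only to Event Log Readers, lists its resulting group memberships so the absence of Domain Admins can be shown to an auditor, and then performs an LDAP bind as that account to resolve a user's groups, which is the lookup the PDP gateway issues against the Account Unit.

```powershell
# Added example, not from the thread or Check Point documentation.
# Creates a least-privilege AD account usable for both the Identity Collector
# and the LDAP Account Unit, then verifies an LDAP group lookup as that account.
# Account name, OU and test user below are assumptions; adjust for your domain.
# Run on a domain-joined Windows host as a user allowed to create accounts.
Import-Module ActiveDirectory

$svcName  = 'svc-cp-idc'                                  # assumed name
$domainDN = (Get-ADDomain).DistinguishedName
$svcOU    = "OU=Service Accounts,$domainDN"               # assumed OU; must exist
$testUser = 'jdoe'                                        # assumed sample user

$securePw = Read-Host -Prompt "Password for $svcName" -AsSecureString

# 1. Plain domain user: no Domain Admins, no extra ACLs. In a default AD,
#    Authenticated Users can already read user and group objects, which is
#    all the LDAP Account Unit needs for group-membership lookups.
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $securePw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Check Point Identity Collector + LDAP AU (read-only)'

# 2. Event Log Readers (a Builtin group) lets the collector read the Security
#    log on the domain controllers. This is the only added right (IDC side).
Add-ADGroupMember -Identity 'Event Log Readers' -Members $svcName

# 3. Record the resulting memberships for the rights justification;
#    Domain Admins must not appear in this list.
"Group memberships of ${svcName}:"
Get-ADPrincipalGroupMembership -Identity $svcName |
    ForEach-Object { "  $($_.Name)" }

# 4. Verify with a real LDAP bind as the new account (not ADWS), so the test
#    exercises the same path the Security Gateway uses against the AU.
$plainPw  = (New-Object System.Net.NetworkCredential('', $securePw)).Password
$root     = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$domainDN", "$env:USERDOMAIN\$svcName", $plainPw,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$testUser))"
[void]$searcher.PropertiesToLoad.Add('memberOf')

$result = $searcher.FindOne()
if (-not $result) { throw "LDAP lookup of $testUser as $svcName failed" }
"Groups of $testUser as seen by ${svcName}:"
$result.Properties['memberof'] | ForEach-Object { "  $_" }
```

Two caveats worth keeping in mind when reading the output of step 4: `memberOf` does not list the user's primary group (usually Domain Users) and does not expand nested groups, so a matching Access Role may still rely on the gateway's own nested-group resolution; and if the search fails only for users in a particular OU, that OU has had default read permissions for Authenticated Users removed and a targeted read ACE for the service account is needed there, not domain-wide admin rights.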

Vladimir
Champion

Thank you @Norbert_Bohusch . It makes perfect sense, but I was looking for some pointer to the Check Point's official references to this data, as one of my clients has to justify the rights they grant to accounts and I've seen nothing but admin requirements for LDAP AU.

If you happen to come across such a document, please let me know.

BTW, I prefer to use separate accounts for these two functions to simplify differentiation when tracking their actions in AD logs, but this is just me.

TOM_MORAN
Contributor

Hi all, I believe sk93938 is what you are looking for.
Rom_D
Contributor

Hi Vladimir,

This is an old post, but were you able to find documented information regarding this? I have almost the same question:

Moving from AD query (with an Account User with High privileges on the AD) to Identity Collector 

That is fine that Identity Collector needs a read-only user account, but we still require a user for the LDAP Account Unit used by the gateways.

Thanks

Vladimir
Champion

Hi @Rom_D ,

Unfortunately, the very limited guidelines we have on the LDAP AU are limited to either making those accounts full domain admins (which I reject as an exceptionally bad idea) or an account with slightly more limited rights described in sk93938, "Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2008 and higher."

Even as described in sk93938, the account has too many rights for my taste. I cannot guarantee that, but I am pretty sure it would work if you create a Group Policy that will be applied to that account to strip from it RDP, logon locally and shutdown and reboot server capabilities.

Norbert_Bohusch
Advisor

For the account unit user you need just read for the whole AD.

Vladimir
Champion

@Norbert_Bohusch, when you create the AU with "AD read all" and then, during AD Query implementation, specify the same user account, do you not get the prompt that "the user is not a domain admin"?

Do you happen to have a reference to the Check Point sk describing the use of "AD Read All" account for AUs? I would really like to see that.

Thank you,

Vladimir

Norbert_Bohusch
Advisor

He said he is moving from AD Query to IDC and then you will not need more.

For AD Query there is sk93938, which outlines the needed rights for this user.

Vladimir
Champion

True that, but I do not recall seeing a CP document stating this AU requirement specifically for the IDC configuration.

If you can point me to it, I'd be much obliged.
