I've recently started to put my hands on the Identity Awareness Blade, exploring all the possibilities that it offers (Captive Portal, custom via API, etc...).
I've been working on the Identity Collector scenario for a few days, which is the one that fits our needs the better.
Identity Collector is up and running, collecting identities from some AD and injecting that in some of my CheckPoint gateways. I've created the LDAP Account Unit which is also working, and I can now use the AD groups as a "Source" in my rules which is what I was looking for. Pretty basic stuff and it's working great right now.
Our production deployment is more complex than that and is pretty unusual (historical reasons, you know what I mean..). Basicly, without entering into the details, what I would like to do is to :
- Fetch the Identities from domain X.COM (ActiveDirectory)
- Fetch the users associated groups from domain Y.COM (ActiveDirectory OR OpenLDAP)
I know this looks weird, but all those parts are handled by different teams in a complex environment and is not subject to changes in a near future, so I try to deal with it.
X.COM is the "real" domain where the PC's are registered (so it contains the identities).
Y.COM is a domain that acts as a pure LDAP for authentication and authorization purposes ONLY, all the groups are defined here and only here. (ActiveDirectory or OpenLDAP, we have both to serve this task)
So, here is my question : is it possible to do that?
I've tried to configure my LDAP Account Units with Y.COM, but it's never looking into it (I suppose it has to match the users domain received from the Identity Collector... right?)
I tried differents "hacks" to cheat the gateways, without success...
Does anyone knows if there is any way to do that?
Thank you and sorry for the mess.