This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ClaudiaPeter
Contributor
‎2020-08-28 02:40 AM

Identity Awareness, subdomains and user groups in the main domain

Hi,

we rolled out Identity Awareness in an environment with a main domain and two subdomains with the Identity Collector. According the Admin Guide I defined additional LDAP Account Units for the subdomains, and the users of the subdomains get the roles of Access Roles defined for user groups of the LDAP Account Unit of the according subdomain. So far so good. But Access Roles defined for user groups of the LDAP Account Unit of the main domain are not assigned.

The LDAP Account Unit of the main domain is also used for VPN Users, and if the same user login via Remote Access VPN the Identity with roles of the subdomain and the main domain are propagated. The LDAP Account Unit of the main domain uses the GC, so for VPN users it works as expected.

Is it the intended behaviour, that identities propagated by domain logins get only roles for user groups of the subdomain?
And if so, is there any other workaround than to define AD user groups for users of the subdomain in the subdomain, and don't use subdomain users in user groups of the main domain? (I'm not the admin of the AD, I only use it)

The environment is still on R80.10, the update to R80.40 is already planned.

Regards,
Claudia

 

 

 

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2020-08-28 11:24 PM

The groups fetched are a function of what LDAP Account Unit the gateway is configured to query.
Don’t remember if you can configure it to look in more than one place, which it sounds like what you need to do here unless @Royi_Priov has a more informed idea.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events