Chris_Hoff
Nickel

Is there a way to have Remote Access Auth via LDAP use the principle name?

I have my Remote Access set up to use LDAP (AD) for authentication. I am migrating from RADIUS authentication because I would like to use the LDAP groups in order to create different levels of access (RADIUS does not seem to push group membership for use in rules).

Here is my issue: when using LDAP, the users need to log in using the sAMAccountName (e.g. user = jdoe), but we would prefer to use a login of the userPrincipleName (e.g. user = john.doe@company.com). The reason for this is that most, if not all, of the places we have login information, we use the userPrincipleName, mostly for cloud-based services. All of our documentation is already set to use this as the login, and we would like to continue to use this.

Is there a way to force a Remote Access Authentication via LDAP to use the userPrincipleName instead of the sAMAccountName? 

Accepted Solutions
Admin

Re: Is there a way to have Remote Access Auth via LDAP use the principle name?

I'm surprised there isn't an SK on this subject, but it appears to be mentioned in a couple of recent SRs.

The correct procedure seems to be:

1. Ensure SmartConsole is not running

2. Use GUIdbedit (yes, this works even in R80.10) and find your gateway object.

3. Look for the field "UserLoginAttr" and make a note of the current value.

4. Change the value to "userPrincipleName"

5. Save changes and push policy.

If this doesn't work, I recommend engaging the TAC, who is probably more educated on the subject than I am.

Contact Support | Check Point Software 
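To see what flipping the login attribute changes, here is an added illustration (not Check Point's code) of a gateway-side login lookup: the filter it would send, with RFC 4515 escaping of the typed login, and the "exactly one match" rule that makes duplicate UPNs a problem worth checking before step 4. The directory entries are constructed sample data, and the attribute is spelled userPrincipalName, which is how AD names it.

```python
# Added illustration, not Check Point code: how a login lookup behaves depending
# on the configured login attribute (sAMAccountName vs userPrincipalName).
from typing import Dict, List, Optional, Set

# Constructed sample AD entries (not real accounts).
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=John Doe,OU=Staff,DC=company,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "john.doe@company.com"},
    {"dn": "CN=Jane Roe,OU=Staff,DC=company,DC=com",
     "sAMAccountName": "jroe", "userPrincipalName": "jane.roe@company.com"},
]


def escape_filter_value(value: str) -> str:
    """Escape a user-typed login per RFC 4515 so it is matched literally;
    '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_filter(login_attr: str, login: str) -> str:
    """The search filter a gateway would send for the configured login attribute."""
    return f"(&(objectClass=user)({login_attr}={escape_filter_value(login)}))"


def resolve_user(login_attr: str, login: str,
                 directory: List[Dict[str, str]] = DIRECTORY) -> Optional[str]:
    """Return the DN only if the login matches exactly one entry on login_attr.
    Comparison is literal and case-insensitive, as AD treats these attributes,
    so a typed '*' never acts as a wildcard and ambiguous logins are rejected."""
    matches = [e["dn"] for e in directory
               if e.get(login_attr, "").lower() == login.lower()]
    return matches[0] if len(matches) == 1 else None


def duplicate_values(login_attr: str,
                     directory: List[Dict[str, str]] = DIRECTORY) -> Set[str]:
    """Pre-check before switching the login attribute: values shared by more
    than one entry, which would make those users unable to log in."""
    seen: Dict[str, int] = {}
    for e in directory:
        v = e.get(login_attr, "").lower()
        if v:
            seen[v] = seen.get(v, 0) + 1
    return {v for v, n in seen.items() if n > 1}
```

Running `duplicate_values("userPrincipalName")` against an export of your real directory before changing UserLoginAttr tells you which users would be locked out by an ambiguous UPN.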

2 Replies

Chris_Hoff
Nickel

Re: Is there a way to have Remote Access Auth via LDAP use the principle name?

Thanks so much Dameon - this seems to have worked!