This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Hoff
Contributor
‎2018-02-19 08:00 AM
Jump to solution

Is there a way to have Remote Access Auth via LDAP use the principle name?

I have my Remote Access setup to use LDAP (AD) for authentication. I am migrating from RADIUS Authentication because I would like to use the LDAP Groups in order to create different levels of access (RADIUS does not seem to push Group membership for use in rules). 

Here is my issue: when using LDAP, the users need to login using the sAMAccountName (e.g. user = jdoe), but we would prefer to use a login of the userPrincipleName (e.g. user = john.doe@company.com). The reason for this is most, if not all, of the places we have login information, we use the userPrincipleName - mostly for cloud based services. All of our documentation is already set to use this as the login, and we would like to continue to use this. 

Is there a way to force a Remote Access Authentication via LDAP to use the userPrincipleName instead of the sAMAccountName? 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-02-19 10:12 PM
Jump to solution

I'm surprised there isn't an SK on this subject, but it appears to be mentioned in a couple of recent SRs.
The correct procedure seems to be:

  1. Ensure SmartConsole is not running
  2. Use GUIdbedit (yes, this works even in R80.10) and find your gateway object.
  3. Look for the field "UserLoginAttr" and make a note of the current value.
  4. Change the value to "userPrincipalName"
  5. Save changes and push policy.

If this doesn't work, I recommend engaging the TAC, who is probably more educated on the subject than I am.
Contact Support | Check Point Software 

Edit: Formatting, Typos

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2018-02-19 10:12 PM
Jump to solution

I'm surprised there isn't an SK on this subject, but it appears to be mentioned in a couple of recent SRs.
The correct procedure seems to be:

  1. Ensure SmartConsole is not running
  2. Use GUIdbedit (yes, this works even in R80.10) and find your gateway object.
  3. Look for the field "UserLoginAttr" and make a note of the current value.
  4. Change the value to "userPrincipalName"
  5. Save changes and push policy.

If this doesn't work, I recommend engaging the TAC, who is probably more educated on the subject than I am.
Contact Support | Check Point Software 

Edit: Formatting, Typos

Chris_Hoff
Contributor
‎2018-02-20 06:36 AM
In response to PhoneBoy
Jump to solution

Thanks so much Dameon - this seems to have worked!

0 Kudos
Oliver_Fink
Advisor
Advisor
‎2020-12-09 02:02 AM
In response to PhoneBoy
Jump to solution

For me "userPrincipleName" did not work, but "userPrincipalName" did. Thank you for the information, anyway. It led me to the right way.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-13 06:51 PM
In response to Oliver_Fink
Jump to solution

Had it typo in my original answer, I'm pretty sure.
Updated my original post.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events