Chris_Hoff
Contributor

Is there a way to have Remote Access Auth via LDAP use the principal name?


I have my Remote Access setup to use LDAP (AD) for authentication. I am migrating from RADIUS Authentication because I would like to use the LDAP Groups in order to create different levels of access (RADIUS does not seem to push Group membership for use in rules). 

Here is my issue: when using LDAP, the users need to log in using the sAMAccountName (e.g. user = jdoe), but we would prefer to use a login of the userPrincipalName (e.g. user = john.doe@company.com). The reason for this is that most, if not all, of the places we have login information, we use the userPrincipalName - mostly for cloud-based services. All of our documentation is already set to use this as the login, and we would like to continue to use this.

Is there a way to force a Remote Access Authentication via LDAP to use the userPrincipalName instead of the sAMAccountName?


Accepted Solutions
PhoneBoy
Admin

I'm surprised there isn't an SK on this subject, but it appears to be mentioned in a couple of recent SRs.
The correct procedure seems to be:

  1. Ensure SmartConsole is not running
  2. Use GUIdbedit (yes, this works even in R80.10) and find your gateway object.
  3. Look for the field "UserLoginAttr" and make a note of the current value.
  4. Change the value to "userPrincipalName"
  5. Save changes and push policy.

If this doesn't work, I recommend engaging the TAC, who is probably more educated on the subject than I am.
Contact Support | Check Point Software 

Edit: Formatting, Typos

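To see what the UserLoginAttr change actually decides, here is an added example (not Check Point code, and not taken from the thread) that models the directory lookup behind an LDAP login: the configured attribute becomes the key the typed login is matched against, and group membership for access rules is then read from the matched entry's memberOf. The directory entries are constructed sample data; the filter shape `(&(objectClass=user)(<attr>=<login>))` and the case-insensitive comparison are assumptions about how an AD search behaves, not a description of the gateway's internals. The block also applies RFC 4515 escaping to the login value, since a login that reaches a filter unescaped can change the filter's structure.

```python
"""Model of the LDAP user lookup that UserLoginAttr selects.

Added example, not Check Point code. It shows why a login such as
"john.doe@company.com" only matches when the login attribute is
userPrincipalName, why the misspelling "userPrincipleName" matches
nothing, and how memberOf is then read for group-based access rules.
"""

# Constructed sample data modelled on AD user entries (not a real directory).
SAMPLE_DIRECTORY = [
    {
        "dn": "CN=John Doe,OU=Users,DC=company,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "jdoe",
        "userPrincipalName": "john.doe@company.com",
        "memberOf": [
            "CN=VPN-Admins,OU=Groups,DC=company,DC=com",
            "CN=All-Staff,OU=Groups,DC=company,DC=com",
        ],
    },
    {
        "dn": "CN=Jane Roe,OU=Users,DC=company,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "jroe",
        "userPrincipalName": "jane.roe@company.com",
        "memberOf": ["CN=All-Staff,OU=Groups,DC=company,DC=com"],
    },
]

# RFC 4515: these characters must be escaped inside a filter value so a
# typed login is matched literally and cannot alter the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a filter value per RFC 4515."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login_attr: str, login: str) -> str:
    """Build the search filter for a login against the configured attribute.

    login_attr is the UserLoginAttr value ("sAMAccountName" or
    "userPrincipalName"); the objectClass clause is an assumed narrowing
    to user objects.
    """
    return f"(&(objectClass=user)({login_attr}={ldap_filter_escape(login)}))"


def find_user(directory, login_attr: str, login: str):
    """Return the single user entry whose login_attr equals login, else None.

    AD compares these attributes case-insensitively, so the model does too.
    An attribute name that does not exist on the entry matches nothing.
    """
    matches = [
        e for e in directory
        if "user" in e["objectClass"]
        and str(e.get(login_attr, "")).lower() == login.lower()
    ]
    return matches[0] if len(matches) == 1 else None


def groups_for(entry) -> list:
    """Extract group CNs from memberOf DNs, as access rules would use them."""
    if entry is None:
        return []
    groups = []
    for dn in entry["memberOf"]:
        rdn = dn.split(",", 1)[0]
        groups.append(rdn[3:] if rdn.upper().startswith("CN=") else rdn)
    return groups


if __name__ == "__main__":
    login = "john.doe@company.com"
    for attr in ("sAMAccountName", "userPrincipalName", "userPrincipleName"):
        entry = find_user(SAMPLE_DIRECTORY, attr, login)
        print(f"{attr:18} {build_login_filter(attr, login)}")
        print(f"{'':18} -> {entry['dn'] if entry else 'no match'} {groups_for(entry)}")
```

Before changing the gateway, the same filter string can be handed to ldapsearch against the domain controller to confirm the DC returns exactly one user for a UPN-style login; if that query returns nothing, the gateway change will not help.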

4 Replies

Chris_Hoff
Contributor

Thanks so much Dameon - this seems to have worked!

Oliver_Fink
Collaborator

For me "userPrincipleName" did not work, but "userPrincipalName" did. Thank you for the information, anyway. It led me to the right way.

PhoneBoy
Admin

Had a typo in my original answer, I'm pretty sure.
Updated my original post.
