This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marco_Valenti
Advisor
‎2018-04-05 09:12 AM

Properly define Ldap Group

Hey expert

I know this question seems more a micr****t question but still I want to give it a try since today I was struggling with that argument , create an account unit and make the Identity Awareness went pretty fine .

Users are authenticated with ldap ,defining an ldap group in such way

-Only group in branch (dn prefix) CN=test,OU=customer,DC=customer,DC=local does not seems to match the group test in the OU customer and the remote access traffic are hitting clean up rule

while define the group in the way

-Only Sub Tree CN=Users DC=customer,DC=local match my remote access rule with as a source the defined ldap group

Triple checked the path on the domain controller , looks like I'm missing something obvious here , if someone got some hint I'll appreciate it

Cheers

6 Replies
Heath_Mote
Collaborator
‎2018-04-21 07:57 AM

Did you get this figured out? I’m seeing the same thing and following LDAP Configuration - Best Practice it looks like the example is setup to allow anyone from AD but we only want specific users.

0 Kudos
Marco_Valenti
Advisor
‎2018-04-22 11:44 PM
In response to Heath_Mote

Really not , working with some smb appliance and founding out ( I don't know if this is relevant) that the dc did not reply to the ldap query with the attribute member of so the gateway can't match the ldap group defined in the remote access rule

Ldap group was set in this way CN=(nameofthegroup),OU=(nameoftheouu)DC=(nameoftecompany),DC=(local) 

Thanks for pointing out the sk

0 Kudos
Heath_Mote
Collaborator
‎2018-04-23 03:49 PM
In response to Heath_Mote

The only way that I've been able to get this work is when I set the source to 'All Users@Any'...I wouldn't think that's the best solution.

0 Kudos
Johnny_Sjolund
Explorer
‎2018-11-28 06:56 AM
In response to Heath_Mote

I have the exact same problem with my 1400 devices. Any solution to this? Just want to work with AD groups as Source in a VPN rule.

0 Kudos
Sal_Previtera
Contributor
‎2018-12-20 07:47 AM

First, you need a group defined in AD, example "my-test-group"....then user ( your case user = "test" )has to be part of the newly created group.....

Account unit = should have selected your AD domain...possible defined earlier when you enabled "Identity Awareness blade"

then choose only group in branch....

CN= my-test-group, OU=groups      .... the rest of the prefix should already be populated if already had an account unit defined.

Assuming that the 1400 devices have access available to your AD somehow...via VPN or other means.

0 Kudos
Richard_Anton_V
Explorer
‎2021-04-13 04:59 AM
In response to Sal_Previtera

Good day,

Anyone already solved this issue? Im having the same problem whereas using the group doesnt match the rulebase.

Thank you!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events