Matthew81
Participant

Access Roles do not get automatically updated after moving users from OUs in Active Directory server

Hi Community,

I just hit the "problem" that if a user object is moved in AD from one OU to another, the existing Access Role object for that user stops matching, because the unique identifier in the access role does not get updated.

I found an SK about that:

sk105494

So it got "fixed" with R81, and the solution is described in the Identity Awareness Administration Guide under the topic "Configuring Security Identifier (SID) for LDAP Users":

Note - SID support is not activated by default.
To enable SID support on the Check Point Security Gateway:

  1. Run #cpstop command.

  2. Edit the $CPDIR/tmp/.CPprofile.sh file.

  3. Add the line:

    export LDAP_SID=1

  4. Save the file.

  5. Reboot the Security Gateway.

  6. Run this command:

    #pdp nested status

 

First question: why wasn't that set as the default by Check Point? It feels somehow "experimental", and I don't want to run into problems after setting this up. Updating AD user objects after an OU move should be the default behaviour.

Second question: has anyone made that change and run into any problems? 🙂

 

Many thanks.

Best regards

Matt

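The six-step procedure quoted above has to be repeated per gateway, and the only part that can safely be scripted is the edit of $CPDIR/tmp/.CPprofile.sh. The following is an added example (not from the original post, the SK, or Check Point's documentation): a POSIX sh script that appends the `export LDAP_SID=1` line to a given profile file only if it is not already there, keeps a backup, and lets you verify the result. The file path and variable name come from the procedure; the function names and the backup convention are this example's own. It does not run cpstop, reboot the gateway, or run `pdp nested status`; those remain manual steps.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Check Point's tooling.
# Idempotently add "export LDAP_SID=1" to a .CPprofile.sh-style file and report
# whether it is present. Only the file edit is automated; cpstop, the reboot and
# "pdp nested status" from the procedure still have to be run by hand.

LDAP_SID_LINE='export LDAP_SID=1'

# ldap_sid_enabled FILE
#   exit 0 if FILE contains exactly the export line, 1 otherwise
ldap_sid_enabled() {
    grep -qx "$LDAP_SID_LINE" "$1" 2>/dev/null
}

# ensure_ldap_sid FILE
#   append the export line unless it is already present; a copy FILE.bak is
#   written before the first change so the edit can be reverted
ensure_ldap_sid() {
    f="$1"
    if ldap_sid_enabled "$f"; then
        echo "already set: $f"
        return 0
    fi
    cp -p "$f" "$f.bak" 2>/dev/null || true
    printf '%s\n' "$LDAP_SID_LINE" >> "$f"
    echo "added to: $f"
}

# count_ldap_sid FILE
#   print how many times the line appears; after ensure_ldap_sid this is 1,
#   which is what to check before rebooting
count_ldap_sid() {
    grep -cx "$LDAP_SID_LINE" "$1" 2>/dev/null || true
}

# Usage on a gateway (CPDIR is set in the gateway shell):
#   sh enable_ldap_sid.sh "$CPDIR/tmp/.CPprofile.sh"
if [ -n "${1:-}" ]; then
    ensure_ldap_sid "$1"
    echo "occurrences: $(count_ldap_sid "$1")"
fi
```

Running the script twice against the same file leaves a single export line, so it can be pushed to a fleet of gateways without first checking which ones were already done.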
7 Replies
ProxyOps
Contributor

Hi there,

I can't answer your first question, but we have been using SID for two years without any problems, and I would say it is no longer "experimental".

We made the change at the end of 2021. We needed to make sure that access groups and users had their SID updated after the management upgrade to R81.X. This is done automatically during the upgrade process, but we had a very large number of AD groups/users (four digits), so TAC provided us with two shell scripts to update all objects with the SID entry.

You can check this using GuiDBedit. See this post: Re: Identity Awareness - SID instead of DN for AD ... - Check Point CheckMates

 


Regarding your second question - we haven't seen any problems after activation. You just need to check that the SID field is filled in.

Best regards

PhoneBoy
Admin

To answer your second question, be aware that SID support will only exist for related objects created after the change was made per sk105494.
See: https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-SID-instead-of-DN-for-AD-Users... 
TAC can provide a script that will update the existing objects: https://help.checkpoint.com 
Matthew81
Participant

Many thanks - we will contact TAC and get that script.
Matthew81
Participant

...ah, one more thing: do I really need to edit the file on every Security Gateway, or only the one that is the PDP?
PhoneBoy
Admin

The documentation states every security gateway needs this changed.
Matthew81
Participant

Yes, that's why I am asking 🙂
Because we have gateways that do neither PDP nor PEP, so I do not understand why that line should be added to every .sh file as the documentation says.

We have one cluster that is our PDP and some that are PEPs getting the information from that one PDP cluster.
So by my logic only the PDP cluster needs that change.

But sure, if I should add it to every gateway in our environment, then I will do that. It will take some time, I guess.
It would be better if Check Point made that change the default in a future release 😉
ProxyOps
Contributor

Hi Matthew, 

we only adjusted this profile.sh setting on the relevant PDP gateways. This setting is relevant for the LDAP part of the IA process flow.
The LDAP process is only relevant on the gateways with active PDP functionality.

I would recommend to enable it on all gateways with active PDP and test it.

 

Best regards
