Enyi_Ajoku
Collaborator

Identity Awareness - LDAP Account Creation

Hello,

I am trying to enable Identity Awareness, and the server team needs to create an LDAP account for the firewall.

Should the LDAP account be an admin account or a user account?

If it has to be an admin account, is there documentation I can reference, which I can provide to the server team?

Greatly appreciate the help.

Thank you

5 Replies
G_W_Albrecht
Legend

Of course there is a very detailed reference: Identity Awareness Administration Guide R80.20! And for further information we have sk86441: ATRG: Identity Awareness, sk149255: Identity Awareness - Identity Sharing and sk88520: Best Practices - Identity Awareness Large Scale Deployment.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Enyi_Ajoku
Collaborator

Thank you for your feedback. I don't see anywhere in the documentation where it states the LDAP account has to be an administrator account, except sk108235 - Identity Collector: Technical Overview, which we are not deploying in my environment.

I would appreciate it if you could direct me to where it's stated in any of the SKs.

Daniel_Taney
Advisor

I think this may be what you're looking for if you don't want admin accounts: Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Serve...

R80 CCSA / CCSE
Enyi_Ajoku
Collaborator

The information I've got from PS and support is that the account should be an admin account for the Identity Awareness setup. I'm looking for a document from Check Point that supports this requirement.

Daniel_Taney
Advisor

I think the closest thing I can find is in the Identity Awareness R80.20 Admin Guide, where it says:

"Enter the Active Directory credentials and click Connect to verify the credentials.
Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."

So, I would read that to mean the default requirement is an admin (or domain admin) account, unless you want to create a user with custom permissions (without domain admin) as illustrated in the SK article I referenced.

Here's a direct link to that portion of the admin guide for your AD administrator's reference. It should be under the section titled "Enabling Identity Awareness on the Log Server for Identity Logging".


R80 CCSA / CCSE