Hello,
I am trying to enable Identity Awareness; the server team needs to create an LDAP account for the firewall.
Should the LDAP account be an admin account or a user account?
If it has to be an admin account, is there documentation I can reference which I can provide to the server team?
I greatly appreciate the help.
Thank you
Of course there is a very detailed reference: Identity Awareness Administration Guide R80.20! And for further information we have sk86441: ATRG: Identity Awareness, sk149255: Identity Awareness - Identity Sharing and sk88520: Best Practices - Identity Awareness Large Scale Deployment.
Thank you for your feedback. I don't see anywhere in the documentation where it states the LDAP account has to be an administrator account, except sk108235 - Identity Collector: Technical Overview, which we are not deploying in my environment.
I would appreciate it if you can direct me to where it's stated in any of the SKs.
I think this may be what you're looking for if you don't want admin accounts: Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Serve...
The information I've got from PS and support is that the account should be an admin account for the Identity Awareness setup. I'm looking for a document from Check Point that supports this requirement.
I think the closest thing I can find is in the Identity Awareness R80.20 Admin guide where it says:
"Enter the Active Directory credentials and click Connect to verify the credentials.
Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."
So, I would read that to mean the default requirement is an admin (or domain admin) account unless you wanted to create a user with custom permissions (without domain admin) as illustrated in the sk article I referenced.
Here's a direct link to that portion of the admin guide for your AD administrator's reference. It should be under the section titled "Enabling Identity Awareness on the Log Server for Identity Logging"
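Since the guide's requirement for AD Query is "domain administrator credentials", the practical question for the server team is whether the account they hand over actually holds that level of membership. The following is an added example written for this thread (it is not code from Check Point or from the posters above) showing the check a practitioner would run before pasting the credentials into SmartConsole. It works on a constructed in-memory directory rather than a live domain; the domain name, group names and service account names (svc-cp-adquery, svc-cp-logread, svc-cp-legacy) are all made up for illustration. Two things that a naive "is Domain Admins in memberOf" test misses are handled: membership through nested groups (memberOf only lists direct membership) and membership through the user's primary group, which AD stores as a RID in primaryGroupID and never lists in memberOf. The set of groups treated as domain-administrator level (Domain Admins, Enterprise Admins, Builtin Administrators) is this example's assumption.

```python
"""Added example, not from the CheckMates thread or Check Point documentation.

Resolve an AD account's effective group membership and report whether it
holds domain-administrator level rights, as the R80.20 admin guide says
the AD Query account must. All directory data below is constructed.
"""
from collections import deque
from typing import Dict, List, Set

DOMAIN_DN = "DC=example,DC=com"  # constructed domain, not a real one
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{DOMAIN_DN}"
ENTERPRISE_ADMINS = f"CN=Enterprise Admins,CN=Users,{DOMAIN_DN}"
BUILTIN_ADMINS = f"CN=Administrators,CN=Builtin,{DOMAIN_DN}"
# Assumption of this example: these three groups count as "domain administrator".
ADMIN_GROUPS: Set[str] = {DOMAIN_ADMINS, ENTERPRISE_ADMINS, BUILTIN_ADMINS}

# Well-known RIDs that can appear in a user's primaryGroupID attribute.
RID_TO_GROUP: Dict[int, str] = {
    513: f"CN=Domain Users,CN=Users,{DOMAIN_DN}",
    512: DOMAIN_ADMINS,
    519: ENTERPRISE_ADMINS,
}

# Constructed directory: group DN -> direct 'member' attribute values.
# By default Domain Admins is itself a member of Builtin Administrators.
GROUPS: Dict[str, List[str]] = {
    DOMAIN_ADMINS: [f"CN=Administrator,CN=Users,{DOMAIN_DN}"],
    BUILTIN_ADMINS: [DOMAIN_ADMINS, f"CN=Firewall Ops,OU=Groups,{DOMAIN_DN}"],
    f"CN=Firewall Ops,OU=Groups,{DOMAIN_DN}": [
        f"CN=svc-cp-adquery,OU=Service,{DOMAIN_DN}"],
    f"CN=Event Log Readers,CN=Builtin,{DOMAIN_DN}": [
        f"CN=svc-cp-logread,OU=Service,{DOMAIN_DN}"],
}

# Constructed users: user DN -> primaryGroupID as stored in AD (hypothetical names).
USERS: Dict[str, int] = {
    f"CN=Administrator,CN=Users,{DOMAIN_DN}": 513,
    f"CN=svc-cp-adquery,OU=Service,{DOMAIN_DN}": 513,  # admin only via nesting
    f"CN=svc-cp-logread,OU=Service,{DOMAIN_DN}": 513,  # only Event Log Readers
    f"CN=svc-cp-legacy,OU=Service,{DOMAIN_DN}": 512,   # primary group = Domain Admins
}


def member_of(dn: str) -> List[str]:
    """Direct membership, i.e. what AD returns in the memberOf back-link."""
    return [group for group, members in GROUPS.items() if dn in members]


def effective_groups(user_dn: str) -> Set[str]:
    """Transitive closure of memberOf chains plus the primary group."""
    seen: Set[str] = set()
    queue = deque(member_of(user_dn))
    primary = RID_TO_GROUP.get(USERS.get(user_dn, 0))
    if primary:
        queue.append(primary)  # primaryGroupID is never reflected in memberOf
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of(group))  # follow groups nested in groups
    return seen


def admin_groups_for(user_dn: str) -> Set[str]:
    """Which admin-level groups the account reaches, directly or indirectly."""
    return effective_groups(user_dn) & ADMIN_GROUPS


def is_domain_admin(user_dn: str) -> bool:
    return bool(admin_groups_for(user_dn))


def naive_direct_check(user_dn: str) -> bool:
    """The check people usually write; wrong for nested and primary-group cases."""
    return DOMAIN_ADMINS in member_of(user_dn)


if __name__ == "__main__":
    for dn in USERS:
        groups = ", ".join(sorted(g.split(",")[0] for g in admin_groups_for(dn)))
        verdict = "domain admin via " + groups if groups else "NOT a domain admin"
        print(f"{dn.split(',')[0]}: {verdict} (naive memberOf check: {naive_direct_check(dn)})")
```

An account that comes back "NOT a domain admin" is the case the earlier reply covers: either the server team raises its membership, or you follow the sk article on running AD Query without Domain Administrator privileges and grant the narrower permissions instead. Note that the memberOf-only check reports the svc-cp-legacy account as a non-admin even though its primary group is Domain Admins, which is exactly the kind of mismatch that leads to "the account works for one team and not the other" confusion.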