cem82
Contributor

Identity Collector and LDAP account unit

Hi

We are using the Identity Collector agent, so I am wondering why we see the gateways directly logging into AD with the credentials configured under the LDAP Account Unit config. What exactly is it doing? As I understood it, all the info should come from the IA Collector (other than MDM for creating the IA rules). For the collector I see it needs event viewer privileges; what is required for the LDAP account unit? I can't find any documentation that says what's needed here. We were migrating from AD Query, so it is currently domain admin, as I saw that is the level required when we set that up, and I am keen to reduce privileges on this account.

Also I am seeing one of the clusters logging into AD with that account that doesn't even have IA enabled and, as far as I can tell, never has.

5 Replies
G_W_Albrecht
Legend

Please consult sk86441: ATRG: Identity Awareness and sk149854.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
cem82
Contributor

Hi

I'd already had a look through the ATRG and don't seem to see a relevant portion; could you please point out what I'm missing there? I hadn't seen the second SK, but it doesn't seem to cover it off either.

I'm also concerned as to why the GW that only has FW enabled is making connections to AD.

Thanks
mcatanzaro
Employee

Hi,

For your first question, you should be able to use a standard domain user for the AU if all you are using is IDC. AD Query of course requires higher privileges if you want to read forwarded events, and remote access requires write access if you allow users to change their passwords. For simpler overhead you should be able to use the same account you use for IDC.

For your second issue, are you seeing security logs on the DC itself stating a login was received from the firewall, or are you just seeing LDAP traffic in SMC logs? And to confirm, no other software blades are enabled aside from fw? User Directory is what would come to mind if using any legacy remote access rules etc.
cem82
Contributor

Hi,

Thanks for clarifying the account privilege requirements; great that we can change from domain admin, as we are only using IDC. We're not using remote access on these FWs. Why would we see the GWs that do have IA enabled also logging into AD with the credentials configured under the LDAP account unit? I would have thought they would get everything from IDC (different username); we don't have AD Query enabled at all, and all identities that are gathered show as coming from IDC.

The reason we currently have different usernames for the LDAP account unit and IDC is that at one point we were running AD Query and wanted to set up the new solution with the lower privilege requirements. The plan is to delete the one with domain admin once everything is working perfectly, in case we needed to go back to AD Query.

These logon events are from the domain controller logs, which is how we confirmed which username it is doing these logons with.

For the gateway that doesn't have IA, User Directory or anything else enabled: it only has FW and ClusterXL.
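The triage the poster describes, confirming from domain controller logon events which hosts bind with the LDAP Account Unit account, as an added example that is not part of the original thread or any Check Point tooling. It assumes a constructed CSV export of DC security events (columns event_id, account, source_ip, logon_type) and constructed account names and gateway addresses; it groups successful network logons per source and flags any source outside the known set of PDP (Identity Awareness) gateways.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of DC logon events exported as CSV (hypothetical export layout,
# not any vendor's format). Windows event 4624 = successful logon, 4625 = failed
# logon; logon type 3 = network logon, which is what an LDAP bind typically produces.
SAMPLE_EXPORT = """\
event_id,account,source_ip,logon_type
4624,svc-ldap-au,10.0.1.11,3
4624,svc-ldap-au,10.0.1.12,3
4624,svc-idc,10.0.5.20,3
4624,svc-ldap-au,10.0.9.30,3
4625,svc-ldap-au,10.0.9.30,3
4624,svc-ldap-au,10.0.1.11,3
"""

# Constructed inventory: cluster members with Identity Awareness (PDP) enabled, which
# are the only hosts expected to bind with the LDAP Account Unit credentials.
PDP_GATEWAYS = {"10.0.1.11", "10.0.1.12"}


def parse_events(export_text):
    """Parse the CSV export into dicts; event_id and logon_type become ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        rows.append({
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "source_ip": row["source_ip"],
            "logon_type": int(row["logon_type"]),
        })
    return rows


def logons_by_source(events, account):
    """Count successful network logons for `account`, keyed by source address."""
    counts = defaultdict(int)
    for e in events:
        if e["account"] == account and e["event_id"] == 4624 and e["logon_type"] == 3:
            counts[e["source_ip"]] += 1
    return dict(counts)


def unexpected_sources(events, account, expected):
    """Source addresses using `account` that are not in the expected gateway set."""
    return sorted(ip for ip in logons_by_source(events, account) if ip not in expected)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EXPORT)
    print(logons_by_source(evts, "svc-ldap-au"))
    print("unexpected:", unexpected_sources(evts, "svc-ldap-au", PDP_GATEWAYS))
```

Any address reported as unexpected (here the FW-only cluster member) is the one to take to a config and policy review.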
mcatanzaro
Employee

Hi,

PDP gateways do receive identities from the IDC but need to perform their own lookups via the AU to match on access roles.

As far as the non-IDA gateway goes, an SR should be able to answer it through config and policy review etc.
