jakmic
Participant

Integration FreeIPA and Checkpoint Security Gateway

Hello Everyone,

My team and I have been trying for a few days to integrate Checkpoint Security Gateway with FreeIPA.

We have an integration with Microsoft AD via an LDAP Unit object, which works.

Unfortunately, FreeIPA doesn't have the "samAccountName" object class in its directory schema, so when we try to add users to a Checkpoint Access Role we receive only a blank directory tree.

We tried changing the Profile in the FreeIPA LDAP Unit from Microsoft AD to OPSEC and creating an LDAP Group with the option "Only Group in branch (DN prefix)", where we pasted the uid path to a specific group, but logging in to the VPN was without success.

Does anybody have any idea how to integrate these two systems?

Best regards

Jakub

_Val_
Admin

Generic LDAP definitions should work.

jakmic
Participant

Yes, we thought the same, but no.

The User Object Class in FreeIPA is "uid". We tried using another User Directory Profile, but without success logging in.

On the other hand, when we use the old Dashboard with the attribute "uid", we receive good results.

Maybe a custom User Directory Profile, but how can we create it? Only by editing the database?

PhoneBoy
Admin

Presumably through guidbedit, it might be possible.

jakmic
Participant

Is there any manual or KB where this is described?

PhoneBoy
Admin

You can try asking the TAC about this.
However, you are ultimately trying to integrate with an LDAP directory we don't support.
Which means even if you do somehow make this work, if and when it breaks again, it won't be formally supported.

If this is a business requirement, your best bet is to work with the local Check Point office on an RFE.

jakmic
Participant

Finally, we integrated FreeIPA with Checkpoint.

Profile: Netscape_DS - this profile has a good user info mapping.

First: We are integrating two environments, so we forgot about routes - all traffic was from the WAN interface (in the first environment the traffic was accepted; in the second environment the traffic was dropped from the WAN or did not occur).

Second: To use this object, we need to use an LDAP Group, where it is important to use a good LDAP Filter.

Thank you for the help; for me this post/issue is solved.

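An added example, not from the thread or from Check Point or FreeIPA: a small Python evaluator for LDAP search filters run over constructed FreeIPA-style entries, showing why a profile keyed on samAccountName yields the blank tree described in the question, and how a uid/memberOf filter for the LDAP Group selects the intended users. The base DN, user names and group names are assumptions.

```python
import re
# Constructed FreeIPA-like entries (assumed DNs/names, not from the thread):
# users carry uid and memberOf; there is no sAMAccountName anywhere.
BASE = "dc=example,dc=com"
USERS, GROUPS = f"cn=users,cn=accounts,{BASE}", f"cn=groups,cn=accounts,{BASE}"
ENTRIES = [
    {"dn": f"uid=alice,{USERS}", "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": ["alice"], "memberOf": [f"cn=vpn-users,{GROUPS}"]},
    {"dn": f"uid=bob,{USERS}", "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": ["bob"], "memberOf": [f"cn=admins,{GROUPS}"]},
    {"dn": f"cn=vpn-users,{GROUPS}", "objectClass": ["groupOfNames", "posixGroup"],
     "cn": ["vpn-users"], "member": [f"uid=alice,{USERS}"]},
]
ITEM = re.compile(r"([A-Za-z][\w;-]*)=([^)]*)\)")

def parse(s, i=0):
    """Parse one RFC 4515 component at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":                       # (&...) (|...) (!...)
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    m = ITEM.match(s, i)                    # (attr=value) or (attr=*)
    if not m:
        raise ValueError(f"bad filter item at {i}")
    return ("=", m.group(1), m.group(2)), m.end()

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    attr, value = node[1], node[2]          # attribute names are case-insensitive
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

def search(flt, entries=ENTRIES):
    """Return DNs matching flt; an empty list is the 'blank directory tree'."""
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing text after filter")
    return [e["dn"] for e in entries if matches(node, e)]
```

Running the same filters with ldapsearch against the real FreeIPA server is the quickest way to confirm an LDAP Group filter before attaching it to an Access Role.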