This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jakmic
Participant
‎2023-03-24 04:10 AM
Jump to solution

Integration FreeIPA and Checkpoint Security Gateway

Hello Everyone,

Me and my team from few days are trying to integrate Checkpoint Security Gateway with FreeIPA.

We have integration with Microsoft AD by LDAP Unit Object which is works.

Unfortunately, FreeIPA haven't "samAccountName" object class in directory schema, so when we try to add some users to Checkpoint Access Role we receive only blank directory tree.

We try to change Profile in FreeIPA Ldap Unit from Microsoft AD to OPSEC and Create LDAP Group with some option "Only Group in branch (DN prefix)", where we paste uid path to specific group, but log in to VPN was without success.

 

Somebody have any idea how to integrate this to systems?

 

Best regards

Jakub

0 Kudos
1 Solution

Accepted Solutions
jakmic
Participant
‎2023-03-27 11:56 PM
In response to PhoneBoy
Jump to solution

Finally, we integrated FreeIPA with Checkpoint

Profile: Netscape_DS - this profile has good user info mapping

First: We are integrating two environments, so we forgot about routes - all traffic were from WAN interface (on first environment traffic were accepted, on second environment traffic were drop from WAN or not occur)

Second: To use this object, we need to use LDAP Group, where important is to use good LDAP Filter

Thank you for help, for me this post/issue is solved

View solution in original post

0 Kudos
6 Replies
_Val_
Admin
Admin
‎2023-03-24 06:56 AM
Jump to solution

Generic LDAP definitions should work. 

0 Kudos
jakmic
Participant
‎2023-03-24 07:42 AM
In response to _Val_
Jump to solution

Yes, we thought the same, but no.

User Object Class in FreeIPA is "uid". We try to use another User Directory Profile, but without success to log in.

From another site, when we use old Dashboard, with attribute "uid", we receive good results.

Maybe custom User Directory Profile, but how can we create it? Only by database edit?

Preview file
5 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-24 01:20 PM
In response to jakmic
Jump to solution

Presumably through guidbedit, it might be possible.

0 Kudos
jakmic
Participant
‎2023-03-26 11:07 PM
In response to PhoneBoy
Jump to solution

Is there any manual or KB where this is described?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-27 09:54 AM
In response to jakmic
Jump to solution

You can try asking the TAC about this.
However, you are ultimately trying to integrate with an LDAP directory we don't support.
Which means even if you do somehow make this work, if and when it breaks again, it won't be formally supported.

If this is a business requirement, your best bet is to work with the local Check Point office on an RFE. 

0 Kudos
jakmic
Participant
‎2023-03-27 11:56 PM
In response to PhoneBoy
Jump to solution

Finally, we integrated FreeIPA with Checkpoint

Profile: Netscape_DS - this profile has good user info mapping

First: We are integrating two environments, so we forgot about routes - all traffic were from WAN interface (on first environment traffic were accepted, on second environment traffic were drop from WAN or not occur)

Second: To use this object, we need to use LDAP Group, where important is to use good LDAP Filter

Thank you for help, for me this post/issue is solved

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events