Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Matthew81
Participant
Jump to solution

"LDAP Account Unit" Username - What AD permissions?

Hi all,

we have an "LDAP Account Unit" object, and in this object we have two AD servers. And this AD servers has a username in the properties:

 
 

CP_01.jpg

 

At the moment this account has very high permissions in the AD.

But we want to decrease the permissions, so we need to know what roles this user needs.

I can't find anything in the documentations etc.

So i hope you can help me here.

Many thanks.

Best regards
Matt

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Identity Collector only collects usernames from the configured AD servers.
Gateways use LDAP to query for the group, which must be configured with the relevant AD servers.
See: https://support.checkpoint.com/results/sk/sk113747 (LDAP setps also applicable for Identity Collector)

View solution in original post

0 Kudos
13 Replies
Sorin_Gogean
Advisor

hy, 

I would say we need more details, like why or for what you use that AD account .

Were/are you with "AD Query" implemented on the Checkpoint ?


We're using CheckPoint Identity with Identity Collector and the account used in IC set-up and in the LDAP objects has only ad read and AD log read writes. (there is an SK that explain the rights, I'll check and come back)

Ty,

0 Kudos
Matthew81
Participant

Mainly we use Identity Agents and Identity Collector:

CP_02.jpg

The users have the ability to change their AD password with the Check Point Endpoint client if the password needs to be renewed. But i don't know if this is done by that user or if there is a different user managing the password change.

0 Kudos
the_rock
Legend
Legend

@Timothy_Hall gave you the sk I was thinking of as well, though I will say this. I was on the phone with customer once going through that sk and we spent literally 3 hours on the line with TAC without any success. Eventually, we made it work few days later, but did not last long, so we just gave up on it.

0 Kudos
Wolfgang
Authority
Authority

@Matthew81  password change via MOB or VPN client will be done with the expired users credentials, not with the user from the ldap account unit. With the old Smartdashboard you could walk through the AD via LDAP and change the values of every AD object. To do such changes your ldap account unit user needs write rights. I think with newer Smartconsole GUI these feature is not available. And I would prefer to change anything in AD with ADs own management tools.

Timothy_Hall
Champion Champion
Champion

Short answer is that it can be a Domain Administrator, but read only.

Long answer is that you can take a regular domain user and grant it the bare minimum privileges it needs for AD Query to function.  See here: sk93938: Using Identity Awareness AD Query without Active Directory Administrator privileges on Wind...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
PhoneBoy
Admin
Admin

If you’re using a Windows Server with the latest patches and using ADQuery, you need to use a full admin user.
However, that’s only for the WMI portion, pretty sure for LDAP you only need read only permissions to the directory.

Gojira
Collaborator
Collaborator

Does a regular user with read permissions on the LDAP tree suffice for lets say, AD groups reading and VPN authentication?


0 Kudos
Wolfgang
Authority
Authority

Yes.

the_rock
Legend
Legend

By the way, as this is CP official recommendation and I will also tell you, its super EASY to set up, if you can go with identity collector, I recommend it 100%, Im positive you will like it much better.

Happy to show you basics of it in my lab if you like.

Andy

https://support.checkpoint.com/results/sk/sk108235

Also, even though its not mentioned in the sk, but you can easily install the software on windows 10 and 11, works with no issues, though maybe I would not in production, as its not officially stated as supported : - )

0 Kudos
Matthew81
Participant

Thank you all.

We will try with read only and see what happens 🙂

Chris_Van_Kriek
Contributor

Having migrated to Identity Collectors (BTW that sk above doesn't seem to exist anymore) and it is working perfectly. The LDAP account unit is still in the configuration on the gateway object (Identity Collector --> Authentication settings). Is this account used by the gateway to retrieve user info and/or roles ? I suppose the Identity Collectors are responsable for this ?

How do I check if the account is actually retrieving the correct user info if i.e. a new server (Domain Controller) is added ?

0 Kudos
PhoneBoy
Admin
Admin

Identity Collector only collects usernames from the configured AD servers.
Gateways use LDAP to query for the group, which must be configured with the relevant AD servers.
See: https://support.checkpoint.com/results/sk/sk113747 (LDAP setps also applicable for Identity Collector)

0 Kudos
Chris_Van_Kriek
Contributor

Thanks Dameon. My assumptions confirmed.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events