Hi all,
we have an "LDAP Account Unit" object, and in this object we have two AD servers. And these AD servers have a username in the properties:
At the moment this account has very high permissions in the AD.
But we want to decrease the permissions, so we need to know what roles this user needs.
I can't find anything in the documentations etc.
So I hope you can help me here.
Many thanks.
Best regards
Matt
Hi,
I would say we need more details, like why or for what you use that AD account.
Were/are you with "AD Query" implemented on the Check Point?
We're using Check Point Identity with Identity Collector and the account used in IC set-up and in the LDAP objects has only AD read and AD log read rights. (there is an SK that explains the rights, I'll check and come back)
Ty,
Mainly we use Identity Agents and Identity Collector:
The users have the ability to change their AD password with the Check Point Endpoint client if the password needs to be renewed. But I don't know if this is done by that user or if there is a different user managing the password change.
@Timothy_Hall gave you the sk I was thinking of as well, though I will say this. I was on the phone with a customer once going through that sk and we spent literally 3 hours on the line with TAC without any success. Eventually, we made it work a few days later, but it did not last long, so we just gave up on it.
@Matthew81 password change via MOB or VPN client will be done with the expired user's credentials, not with the user from the LDAP account unit. With the old SmartDashboard you could walk through the AD via LDAP and change the values of every AD object. To do such changes your LDAP account unit user needs write rights. I think with the newer SmartConsole GUI this feature is not available. And I would prefer to change anything in AD with AD's own management tools.
Short answer is that it can be a Domain Administrator, but read only.
Long answer is that you can take a regular domain user and grant it the bare minimum privileges it needs for AD Query to function. See here: sk93938: Using Identity Awareness AD Query without Active Directory Administrator privileges on Wind...
If you’re using a Windows Server with the latest patches and using ADQuery, you need to use a full admin user.
However, that’s only for the WMI portion, pretty sure for LDAP you only need read only permissions to the directory.
Does a regular user with read permissions on the LDAP tree suffice for, let's say, AD group reading and VPN authentication?
Yes.
By the way, as this is CP's official recommendation and I will also tell you, it's super EASY to set up, if you can go with Identity Collector, I recommend it 100%, I'm positive you will like it much better.
Happy to show you basics of it in my lab if you like.
Andy
https://support.checkpoint.com/results/sk/sk108235
Also, even though it's not mentioned in the sk, you can easily install the software on Windows 10 and 11, it works with no issues, though maybe I would not in production, as it's not officially stated as supported : - )
Thank you all.
We will try with read only and see what happens 🙂
We have migrated to Identity Collectors (BTW that sk above doesn't seem to exist anymore) and it is working perfectly. The LDAP account unit is still in the configuration on the gateway object (Identity Collector --> Authentication settings). Is this account used by the gateway to retrieve user info and/or roles? I suppose the Identity Collectors are responsible for this?
How do I check if the account is actually retrieving the correct user info if, e.g., a new server (Domain Controller) is added?
Identity Collector only collects usernames from the configured AD servers.
Gateways use LDAP to query for the group, which must be configured with the relevant AD servers.
See: https://support.checkpoint.com/results/sk/sk113747 (LDAP steps also applicable for Identity Collector)
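The thread settles on two practical questions: whether a read-only account is enough for the LDAP Account Unit (group lookup and VPN authentication), and how to confirm that the account still resolves users correctly when a new Domain Controller is added. The script below is an added example, not Check Point code and not from any of the posters: it binds to each DC as the candidate read-only service account with the stock OpenLDAP `ldapsearch` client, looks up a test user's `memberOf`, and reports per DC whether the expected groups came back. The hostnames, base DN, bind DN, test user and group DNs are constructed placeholders; `ldapsearch` on the `PATH` and a password file readable only by you are assumed.

```python
"""Added example (not Check Point code): check that a read-only LDAP service
account can bind to every Domain Controller and resolve a user's groups.
All names below are constructed placeholders for your own environment."""
import base64
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed placeholders: replace with the values from your LDAP Account Unit.
DOMAIN_CONTROLLERS = ["dc1.example.test", "dc2.example.test"]  # add new DCs here
BASE_DN = "DC=example,DC=test"
BIND_DN = "CN=svc-cp-ldap,OU=Service Accounts,DC=example,DC=test"  # read-only account
TEST_USER = "jdoe"                                                  # sAMAccountName
EXPECTED_GROUPS = {"CN=VPN-Users,OU=Groups,DC=example,DC=test"}

# Constructed sample of what `ldapsearch -LLL` returns from AD: a referral comment,
# a folded (continued) line and a base64-encoded value, so the parser is exercised offline.
SAMPLE_LDIF = (
    "# refldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test\n"
    "dn: CN=John Doe,OU=Users,DC=example,DC=test\n"
    "memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=test\n"
    "memberOf: CN=Domain Users,CN=Users,DC=example,\n"
    " DC=test\n"
    "memberOf:: Q049VGVzdA==\n"
    "\n"
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into entries (attribute -> list of values).
    Handles folded lines (leading space), base64 values ('attr::') and skips
    comment/referral lines; only records with a dn are kept."""
    entries: List[Dict[str, List[str]]] = []
    pending: List[List[str]] = []  # [attr, raw value] pairs of the current record

    def flush() -> None:
        entry: Dict[str, List[str]] = {}
        for attr, rest in pending:
            if rest.startswith(":"):  # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr, []).append(value)
        if "dn" in entry:
            entries.append(entry)
        pending.clear()

    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        if raw == "":
            flush()
        elif raw.startswith("#") or raw.startswith("version:"):
            continue
        elif raw.startswith(" ") and pending:  # continuation of the previous line
            pending[-1][1] += raw[1:]
        elif ":" in raw:
            attr, _, rest = raw.partition(":")
            pending.append([attr, rest])
    return entries


def group_check(entries: List[Dict[str, List[str]]],
                expected: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (found, missing) expected group DNs for the first entry; DNs are
    compared case-insensitively, as AD treats them."""
    if not entries:
        return set(), set(expected)
    have = {g.lower() for g in entries[0].get("memberOf", [])}
    found = {g for g in expected if g.lower() in have}
    return found, set(expected) - found


def check_dc(dc: str, password_file: str) -> Tuple[bool, str]:
    """Simple bind over LDAPS to one DC as the service account and read the
    test user's memberOf. The password comes from a file (-y) so it never
    appears on the command line. ldapsearch exits with the LDAP result code
    on failure (49 = invalidCredentials)."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", f"ldaps://{dc}", "-D", BIND_DN,
           "-y", password_file, "-b", BASE_DN,
           f"(sAMAccountName={TEST_USER})", "memberOf"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return False, f"{dc}: could not run ldapsearch ({exc})"
    if proc.returncode != 0:
        return False, f"{dc}: bind/search failed, LDAP result {proc.returncode}: {proc.stderr.strip()}"
    found, missing = group_check(parse_ldif(proc.stdout), EXPECTED_GROUPS)
    if missing:
        return False, f"{dc}: user found but missing groups {sorted(missing)}"
    return True, f"{dc}: OK, groups resolved {sorted(found)}"


if __name__ == "__main__":
    # Run against every configured DC; a failing line points at the DC (or the
    # account's rights on it) that needs attention before the AU is switched.
    for host in DOMAIN_CONTROLLERS:
        ok, message = check_dc(host, "/root/svc-cp-ldap.pass")  # placeholder path
        print(("PASS " if ok else "FAIL ") + message)
```

Run it once with the current high-privilege account to record the expected groups, then again with the candidate read-only account; if the second run passes on every DC, the LDAP side of the Account Unit does not need more than directory read. A `FAIL` with LDAP result 49 on only one DC is the symptom to look for after adding a new Domain Controller.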
Thanks Dameon. My assumptions confirmed.
Hello,
There is a new SK which states what rights are needed for the LDAP Account Unit account, if you are using Identity Collector.
sk182905 - Non-Admin service account for LDAP AU (Account Unit) with Identity collector
https://support.checkpoint.com/results/sk/sk182905
Date Created 2024-12-06
Regards
Peter
Domain Users, as I understand it from reading the relevant Microsoft documentation, is something all users created on an AD domain get added to by default.
From reviewing the SR associated with the SK, it's not clear why this is required, but the request was for the requirement to be formally documented (it wasn't before).