Matthew81
Participant

"LDAP Account Unit" Username - What AD permissions?

Hi all,

We have an "LDAP Account Unit" object, and in this object we have two AD servers. And these AD servers have a username in the properties:

CP_01.jpg

At the moment this account has very high permissions in the AD.

But we want to decrease the permissions, so we need to know what roles this user needs.

I can't find anything in the documentations etc.

So I hope you can help me here.

Many thanks.

Best regards
Matt

0 Kudos
10 Replies
Sorin_Gogean
Advisor

Hi,

I would say we need more details, like why or for what you use that AD account.

Were/are you with "AD Query" implemented on the Check Point?

We're using Check Point Identity with Identity Collector, and the account used in the IC set-up and in the LDAP objects has only AD read and AD log read rights. (There is an SK that explains the rights; I'll check and come back.)

Ty,

0 Kudos
Matthew81
Participant

Mainly we use Identity Agents and Identity Collector:

CP_02.jpg

The users have the ability to change their AD password with the Check Point Endpoint client if the password needs to be renewed. But I don't know if this is done by that user or if there is a different user managing the password change.

0 Kudos
the_rock
Legend

@Timothy_Hall gave you the sk I was thinking of as well, though I will say this. I was on the phone with a customer once going through that sk and we spent literally 3 hours on the line with TAC without any success. Eventually, we made it work a few days later, but it did not last long, so we just gave up on it.

0 Kudos
Wolfgang
Mentor

@Matthew81 Password change via MOB or VPN client will be done with the expired user's credentials, not with the user from the LDAP account unit. With the old SmartDashboard you could walk through the AD via LDAP and change the values of every AD object. To do such changes your LDAP account unit user needs write rights. I think with the newer SmartConsole GUI this feature is not available. And I would prefer to change anything in AD with AD's own management tools.

Timothy_Hall
Champion

Short answer is that it can be a Domain Administrator, but read only.

Long answer is that you can take a regular domain user and grant it the bare minimum privileges it needs for AD Query to function. See here: sk93938: Using Identity Awareness AD Query without Active Directory Administrator privileges on Wind...

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
PhoneBoy
Admin

If you’re using a Windows Server with the latest patches and using ADQuery, you need to use a full admin user.
However, that’s only for the WMI portion, pretty sure for LDAP you only need read only permissions to the directory.

juan_lo
Contributor

Does a regular user with read permissions on the LDAP tree suffice for, let's say, AD group reading and VPN authentication?


0 Kudos
Wolfgang
Mentor

Yes.
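As an added example (not code from any post in this thread or from Check Point), here is a PowerShell check an administrator can run from a domain-joined Windows host to confirm two things the replies above assert: that the account configured in the LDAP Account Unit is no longer in any privileged AD group, and that a plain read-only bind with that account can still enumerate user objects and their group membership, which is what LDAP-based Identity Awareness needs. The domain name, the account name `svc-cp-ldap`, the domain controller `dc01.corp.example` and the search base are placeholders to replace with your own values; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the thread: audit the LDAP Account Unit service
# account for privileged group membership, then prove a read-only LDAP bind
# with that account can still read users and their memberOf attribute.
# All names below are placeholders (assumptions), not values from the thread.

param(
    [string]$Account = 'svc-cp-ldap',          # placeholder service account
    [string]$Domain  = 'CORP',                 # placeholder NetBIOS domain
    [string]$Server  = 'dc01.corp.example',    # placeholder domain controller
    [string]$BaseDN  = 'DC=corp,DC=example'    # placeholder search base
)

Import-Module ActiveDirectory

# 1. Groups the LDAP Account Unit user should NOT belong to once it is
#    reduced to read-only. Extend the list to match your own tiering model.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                'Account Operators', 'Schema Admins', 'Backup Operators')

$groups = Get-ADPrincipalGroupMembership -Identity $Account |
          Select-Object -ExpandProperty Name
$hits = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "$Account is still a member of: $($hits -join ', ')"
} else {
    Write-Host "$Account holds no privileged group membership." -ForegroundColor Green
}

# 2. Bind as the service account using Negotiate (Kerberos/NTLM, no clear-text
#    simple bind) and perform the kind of read Identity Awareness relies on:
#    user objects plus their memberOf values. Nothing is written to AD.
$cred     = Get-Credential -UserName "$Domain\$Account" -Message 'Service account password'
$ldapPath = "LDAP://$Server/$BaseDN"
$entry    = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath,
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter    = '(&(objectCategory=person)(objectClass=user))'
$searcher.SizeLimit = 5                       # a small sample is enough to prove access
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('memberOf')

try {
    $results = $searcher.FindAll()
    Write-Host "Read-only bind OK; sample of $($results.Count) user object(s):"
    foreach ($r in $results) {
        $sam = $r.Properties['samaccountname'][0]
        $n   = $r.Properties['memberof'].Count
        Write-Host ("  {0} (memberOf entries: {1})" -f $sam, $n)
    }
} catch {
    # A failure here means read rights are missing (or the bind itself failed),
    # which is what you want to discover before pointing the gateway at it.
    Write-Error "LDAP read failed for ${Account}: $($_.Exception.Message)"
}
```

Run it once before and once after trimming the account's group membership: the first block should go from a warning to the green line, and the second block should keep succeeding, which is the practical evidence that a read-only account is enough for the LDAP side. It does not test the WMI access that AD Query needs, which PhoneBoy notes is the part still requiring a full admin on patched Windows servers.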

the_rock
Legend

By the way, as this is CP's official recommendation and I will also tell you, it's super EASY to set up: if you can go with Identity Collector, I recommend it 100%, I'm positive you will like it much better.

Happy to show you basics of it in my lab if you like.

Andy

https://support.checkpoint.com/results/sk/sk108235

Also, even though it's not mentioned in the sk, you can easily install the software on Windows 10 and 11; it works with no issues, though maybe I would not in production, as it's not officially stated as supported :-)

0 Kudos
Matthew81
Participant

Thank you all.

We will try with read only and see what happens 🙂