User Directory lets you integrate LDAP and other external user management servers with Check Point products and security solutions. These are some of the Software Blades that work with User Directory:
User Directory integrates the Security Management Server and an LDAP server and lets the Security Gateways use the LDAP information.
Item |
Description |
---|---|
1 |
Security Gateway - Retrieves LDAP user information and CRLs |
2 |
Internet |
3 |
Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication |
4 |
Security Management Server - Uses User Directory to manage user information |
5 |
LDAP server - Server that holds one or more Account Units |
An Account Unit represents branches of user information on one or more LDAP servers. The Account Unit is the interface between the LDAP servers and the Security Management Server and Security Gateways.
You can have a number of Account Units representing one or more LDAP servers. Users are divided among the branches of one Account Unit, or between different Account Units.
Note - When you enable the Identity Awareness and Mobile Access Software Blades, SmartConsole opens a First Time Configuration Wizard. The Active Directory Integration window of this wizard lets you create a new AD Account Unit. After you complete the wizard, SmartConsole creates the AD object and Account Unit.
Use the LDAP Account Unit Properties window in SmartConsole to edit an existing Account Unit or to create a new one manually.
To edit an existing LDAP Account Unit:
The LDAP Account Unit Properties window opens.
To create a new LDAP Account Unit:
The LDAP Account Unit Properties window opens.
These are the configuration fields in the General tab:
Note - LDAP SSO (Single Sign On) is only supported for Account Unit objects that use User Management.
Note - This option is only available if the Profile is set to Microsoft_AD.
You can add, edit, or delete LDAP server objects.
To configure an LDAP server for the Account Unit:
The LDAP Server Properties window opens.
If necessary, create a new SmartConsole server object:
To remove an LDAP server from the Account Unit:
If all the configured servers use the same login credentials, you can modify those simultaneously.
To configure the login credentials for all the servers simultaneously:
The Update Account to All Servers window opens.
Configure the LDAP server for the Security Management Server to query and the branches to fetch.
Note - Make sure there is LDAP connectivity between the Security Management Server and the LDAP Server that holds the management directory.
To configure LDAP query parameters:
The Security Management Server queries and shows the LDAP branches.
These are the configuration fields in the Authentication tab:
Configure SmartConsole to enable the Security Management Server to manage users in the Account Unit. You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled.
For more about using the SmartConsole User Database, see the R80.20 Security Management Administration Guide.
To enable User Directory on the Security Management Server:
The Global Properties window opens.
The object properties window opens.
User Directory lets you use SmartDashboard to manage information about users and OUs (Organizational Units) that are stored on the LDAP server.
To manage LDAP information from SmartDashboard:
SmartDashboard opens.
The LDAP domain is shown.
The Security Management Server queries the LDAP server and SmartDashboard shows the LDAP objects.
The Objects List pane shows the user information.
The LDAP User Properties window opens.
To learn more about adding users to the Policy, see these guides: