Using User Directory

User Directory lets you integrate LDAP and other external user management servers with Check Point products and security solutions. These are some of the Software Blades that work with User Directory:

• Mobile Access
• Identity Awareness
• Data Loss Prevention

User Directory Features

• Use LDAP servers to manage user information for the network
• Security Gateways can retrieve CRLs (Certificate Revocation Lists)
• Security Management Server can use LDAP information to authenticate users
• High Availability can duplicate and backup user information across multiple LDAP servers
• Create multiple Account Units to work with distributed databases
• Use profiles to support multiple LDAP vendors
• Encrypt User Directory connections

Deploying User Directory

User Directory integrates the Security Management Server and an LDAP server and lets the Security Gateways use the LDAP information.

Item	Description
1	Security Gateway - Retrieves LDAP user information and CRLs
2	Internet
3	Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication
4	Security Management Server - Uses User Directory to manage user information
5	LDAP server - Server that holds one or more Account Units

Account Units

An Account Unit represents branches of user information on one or more LDAP servers. The Account Unit is the interface between the LDAP servers and the Security Management Server and Security Gateways.

You can have a number of Account Units representing one or more LDAP servers. Users are divided among the branches of one Account Unit, or between different Account Units.

Note - When you enable the Identity Awareness and Mobile Access Software Blades, SmartConsole opens a First Time Configuration Wizard. The Active Directory Integration window of this wizard lets you create a new AD Account Unit. After you complete the wizard, SmartConsole creates the AD object and Account Unit.

Working with LDAP Account Units

Use the LDAP Account Unit Properties window in SmartConsole to edit an existing Account Unit or to create a new one manually.

To edit an existing LDAP Account Unit:

1. In SmartConsole, open the Object Explorer (press the CTRL+E keys).
2. Select Servers > LDAP Account Units.
3. Right-click the LDAP Account Unit and select Edit.

   The LDAP Account Unit Properties window opens.

4. Edit the settings in these tabs:
   • General - Configure how the Security Management Server uses the Account Unit
   • Servers - Manage LDAP servers that are used by this Account Unit
   • Objects Management - Configure the LDAP server for the Security Management Server to query and the branches to use
   • Authentication - Configure the authentication scheme for the Account Unit
5. Click OK.
6. Install the Access Control Policy.

To create a new LDAP Account Unit:

1. In the Objects tab, click New > More > Server > LDAP Account unit.

   The LDAP Account Unit Properties window opens.

2. Configure the settings on these tabs:
   • General - Configure how the Security Management Server uses the Account Unit
   • Servers - Manage LDAP servers that are used by this Account Unit
   • Objects Management - Configure the LDAP server for the Security Management Server to query and the branches to use
   • Authentication - Configure the authentication scheme for the Account Unit
3. Click OK.
4. Install the Access Control Policy.

General Tab

These are the configuration fields in the General tab:

• Name - Name for the Account Unit
• Comment - Optional comment
• Color - Optional color associated with the Account Unit
• Profile - LDAP vendor
• Domain - Domain of the Active Directory servers, when the same user name is used in multiple Account Units (this value is also necessary for AD Query and SSO)
• Prefix - Prefix for non-Active Directory servers, when the same user name is used in multiple Account Units
• Account Unit usage - Select applicable options:
  • CRL retrieval - The Security Management Server manages how the CA sends information about revoked licenses to the Security Gateways
  • User Management - The Security Management Server uses the user information from this LDAP server (User Directory must be enabled on the Security Management Server)

    Note - LDAP SSO (Single Sign On) is only supported for Account Unit objects that use User Management.

  • Active Directory Query - This Active Directory server is used as an Identity Awareness source.

    Note - This option is only available if the Profile is set to Microsoft_AD.

• Enable Unicode support - Encoding for LDAP user information in non-English languages
• Active Directory SSO configuration - Click to configure Kerberos SSO for Active Directory - Domain Name, Account Name, Password, and Ticket encryption method

Servers Tab

You can add, edit, or delete LDAP server objects.

To configure an LDAP server for the Account Unit:

1. To add a new server, click Add. To edit an existing one, select it from the table and click Edit.

   The LDAP Server Properties window opens.

2. From the Host drop-down menu, select the server object.

   If necessary, create a new SmartConsole server object:

   1. Click New.
   2. In the New Host window opens, enter the settings for the LDAP server.
   3. Click OK.
3. Enter the login credentials and the Default priority.
4. Select access permissions for the Check Point Gateways:
   • Read data from this server
   • Write data to this server
5. In the Encryption tab, configure the optional SSL encryption settings. To learn about these settings, see the Help. Click ? or press F1 in the Encryption tab.
6. Click OK.

To remove an LDAP server from the Account Unit:

1. Select a server from the table.
2. Click Remove.

If all the configured servers use the same login credentials, you can modify those simultaneously.

To configure the login credentials for all the servers simultaneously:

1. Click Update Account Credentials.

   The Update Account to All Servers window opens.

2. Enter the login credentials.
3. Click OK.

Objects Management Tab

Configure the LDAP server for the Security Management Server to query and the branches to fetch.

Note - Make sure there is LDAP connectivity between the Security Management Server and the LDAP Server that holds the management directory.

To configure LDAP query parameters:

1. From the Manage objects on drop-down menu, select the LDAP server object.
2. Click Fetch branches.

   The Security Management Server queries and shows the LDAP branches.

3. Configure Branches in use:
   • To add a branch, click Add and in the LDAP Branch Definition window that opens, enter a new Branch Path
   • To edit a branch, click Edit and in the LDAP Branch Definition window that opens, modify the Branch Path
   • To delete a branch, select it and click Delete
4. Select Prompt for password when opening this Account Unit, if necessary (optional).
5. Configure the number of Return entries that are stored in the LDAP database (the default is 500).

Authentication Tab

These are the configuration fields in the Authentication tab:

• Use common group path for queries - Select to use one path for all the LDAP group objects (only one query is necessary for the group objects)
• Allowed authentication schemes - Select one or more authentication schemes allowed to authenticate users in this Account Unit - Check Point Password, SecurID, RADIUS, OS Password, or TACACS
• Users' default values - The default settings for new LDAP users:
  • User template - Template that you created
  • Default authentication scheme - one of the authentication schemes selected in the Allowed authentication schemes section
• Limit login failures (optional):
  • Lock user's account after - Number of login failures, after which the account gets locked
  • Unlock user's account after - Number of seconds, after which the locked account becomes unlocked
• IKE pre-shared secret encryption key - Pre-shared secret key for IKE users in this Account Unit

Enabling User Directory

Configure SmartConsole to enable the Security Management Server to manage users in the Account Unit. You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled.

For more about using the SmartConsole User Database, see the R80.30 Security Management Administration Guide.

To enable User Directory on the Security Management Server:

1. From the Menu, select Global Properties.

   The Global Properties window opens.

2. In the User Directory view, select Use User Directory for Security Gateways.
3. Configure other login and password settings.
4. Click OK.
5. Make sure that the User Directory Software Blade is enabled:
   1. In SmartConsole, open the Object Explorer (Ctrl+E).
   2. Go to Network Objects > Gateways and Servers.
   3. Double-click the Security Management Server object.

      The object properties window opens.

   4. Make sure that in the Management tab of the General Properties view, Network Policy Management and User Directory are selected.
   5. Click OK.
   6. Click Close.
6. Install the policy.

Managing LDAP Information

User Directory lets you use SmartDashboard to manage information about users and OUs (Organizational Units) that are stored on the LDAP server.

To manage LDAP information from SmartDashboard:

1. In SmartConsole, go to Manage & Settings > Blades.
2. Click Configure in SmartDashboard.

   SmartDashboard opens.

3. From the object tree, select Servers and OPSEC.
4. Double-click the Account Unit.

   The LDAP domain is shown.

5. Double-click the LDAP branch.

   The Security Management Server queries the LDAP server and SmartDashboard shows the LDAP objects.

6. Expand the Objects List pane.
7. Double-click the LDAP object.

   The Objects List pane shows the user information.

8. Right-click a user and select Edit.

   The LDAP User Properties window opens.

9. Edit the user information and settings and then click OK.

To Learn More About Adding Users to the Policy

To learn more about adding users to the Policy, see these guides:

• R80.30 Identity Awareness Administration Guide.
• R80.30 Security Management Administration Guide. Search for Managing User Accounts.