Configuring Users on an External LDAP Server

LDAP is an external identity integration technology supported by Check Point Quantum.

An LDAP server provides these capabilities:

Other identity integration options include: Check Point Quantum management internal user database, Entra ID, and Check Point Infinity Identity.

Microsoft Active Directory

For an overview of Microsoft Active Directory, see Active Directory Domain Services.

The branch CN=Schema, CN=Configuration, DCROOT contains all schema definitions.

Check Point can take advantage of existing Active Directory objects as well as add new types. For users, the existing user object can be used "as is" or be extended with fw1person as an auxiliary class of "User" for full feature granularity. The existing Active Directory "Group" type is supported "as is". A User Directory template can be created by adding the fw1template object class. This information is loaded into the directory using the schema_microsoft_ad.ldif file (see Adding New Attributes to the Active Directory).

Performance

For certain Software Blades, the information related to the Active Directory group is stored in the user object. Therefore, when fetching the user object, no additional query is necessary to assign the group to the user. The same is true for users and templates. In some cases, the Security Gateway sends additional queries. See sk128212.

Manageability

SmartDashboard allows the creation and management of existing and new objects. However, some specific Active Directory fields are not enabled in SmartDashboard.

Enforcement

You can work with the existing Active Directory objects without extending the schema. This is made possible by defining an Internal Template object and assigning to it the User Directory Account Unit defined on the Active Directory server.

For example, if you wish to enable all users with IKE+Hybrid based on the Active Directory passwords, create a new template with the IKE properties enabled and "Check Point password" as the authentication method.

Updating the Registry Settings

To modify the Active Directory schema, add a new registry DWORD value named Schema Update Allowed with a non-zero value under HKLM\System\CurrentControlSet\Services\NTDS\Parameters.

Delegating Control

Delegating control over the directory to a specific user or group is important because, by default, the system administrator is not allowed to modify the schema or even manage directory objects through the User Directory protocol.

Extending the Active Directory Schema

Modify the Active Directory schema file so that you can use SmartConsole to configure the Active Directory users.

To extend the Active Directory schema

  1. From the Security Gateway, go to the directory of the schema file: $FWDIR/lib/ldap.

  2. Copy schema_microsoft_ad.ldif to the C:\ drive on the Active Directory server.

  3. On the Active Directory server, open the schema file with a text editor.

  4. Find the value DOMAINNAME, and replace it with the name of your domain in LDIF format.

    For example, the domain sample.checkpoint.com in LDIF format is: DC=sample,DC=checkpoint,DC=com

  5. Make sure that there is a dash character - at the end of each modify section.

    This is an example of a modify section:

    dn: CN=User,CN=Schema,CN=Configuration,DC=sample,DC=checkpoint,DC=com
    changetype: modify
    add: auxiliaryClass
    auxiliaryClass: 1.3.114.7.3.2.0.2
    -

  6. Run:

    ldifde -i -f c:\schema_microsoft_ad.ldif

Adding New Attributes to the Active Directory

Below is an example in LDAP Data Interchange Format (LDIF) which shows how to add one attribute to the Microsoft Active Directory:

    dn: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
    changetype: add
    adminDisplayName: fw1auth-method
    attributeID: 1.3.114.7.4.2.0.1
    attributeSyntax: 2.5.5.4
    cn: fw1auth-method
    distinguishedName: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
    instanceType: 4
    isSingleValued: FALSE
    lDAPDisplayName: fw1auth-method
    name: fw1auth-method
    objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DCROOT
    objectClass: attributeSchema
    oMSyntax: 20
    rangeLower: 1
    rangeUpper: 256
    showInAdvancedViewOnly: TRUE

You can add all Check Point attributes in the same way.

The definitions of all attributes in LDIF format are contained in the schema_microsoft_ad.ldif file located in the $FWDIR/lib/ldap directory.

Before attempting to run the ldapmodify command, edit schema_microsoft_ad.ldif and replace all instances of DCROOT with the domain root of your organization. For example, if your domain is support.checkpoint.com, replace DCROOT with dc=support,dc=checkpoint,dc=com.

After modifying the file, run the ldapmodify command to load the file into the directory. For example, if you use the system administrator account of the dc=support,dc=checkpoint,dc=com domain, the command syntax is as follows:

    ldapmodify -c -h support.checkpoint.com -D "cn=administrator,cn=users,dc=support,dc=checkpoint,dc=com" -w SeCrEt -f $FWDIR/lib/ldap/schema_microsoft_ad.ldif

Note - A shell script is available for UNIX gateways. The script is at: $FWDIR/lib/ldap/update_schema_microsoft_ad
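The placeholder replacement in the schema extension steps above (DOMAINNAME) and the DCROOT replacement described for ldapmodify are the same edit. The following added example (not Check Point's code or script) derives the DC= form of a domain, fills both placeholders, and checks that every changetype: modify entry ends with the required dash before the file is fed to ldifde or ldapmodify. The sample LDIF is constructed from the modify section shown above; the function names are this example's own.

```python
def domain_to_dc(domain: str) -> str:
    """sample.checkpoint.com -> DC=sample,DC=checkpoint,DC=com (DN case is not significant)."""
    labels = [p for p in domain.strip().strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={p}" for p in labels)

def fill_placeholders(ldif: str, domain: str) -> str:
    """Replace the DOMAINNAME / DCROOT placeholders used by the schema file."""
    dc = domain_to_dc(domain)
    return ldif.replace("DOMAINNAME", dc).replace("DCROOT", dc)

def ldif_entries(ldif: str) -> list[list[str]]:
    """Split LDIF into blank-line separated entries, joining RFC 2849
    continuation lines (leading space) and dropping comment lines."""
    entries, cur = [], []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif not raw.strip():
            if cur:
                entries.append(cur)
                cur = []
        elif not raw.startswith("#"):
            cur.append(raw)
    if cur:
        entries.append(cur)
    return entries

def check_schema_ldif(ldif: str) -> list[str]:
    """Return the problems found; an empty list means the file is ready to load."""
    problems = []
    if "DCROOT" in ldif or "DOMAINNAME" in ldif:
        problems.append("placeholder DCROOT/DOMAINNAME not replaced")
    for entry in ldif_entries(ldif):
        dn = entry[0]
        if "cn=schema,cn=configuration," not in dn.lower():
            problems.append(f"dn is outside the schema partition: {dn}")
        is_modify = any(l.lower().replace(" ", "") == "changetype:modify" for l in entry)
        if is_modify and entry[-1].strip() != "-":
            problems.append(f"modify entry lacks the trailing '-': {dn}")
    return problems

# Constructed sample: the page's modify section, still holding the placeholder.
SAMPLE = """dn: CN=User,CN=Schema,CN=Configuration,DOMAINNAME
changetype: modify
add: auxiliaryClass
auxiliaryClass: 1.3.114.7.3.2.0.2
-
"""
```

Run check_schema_ldif on the filled file and load it only when the returned list is empty; a missing dash would otherwise make ldifde or ldapmodify reject or misparse the entry.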

Updating the user or service account password to the LDAP account unit on the Active Directory

Security Gateways authenticate to the LDAP server using the LDAP server user name and password saved in the SmartConsole LDAP account unit. After establishing a connection to the LDAP server from a Security Gateway, the Security Gateway reuses this connection to transmit subsequent LDAP queries without undergoing reauthentication.

If you update the password in the Active Directory on the LDAP server, you must do these steps for the changes to apply:

  1. Update the information in the LDAP account unit.

  2. Install policy.