Configuring Security Identifier (SID) for LDAP Users
For Access Role matching for LDAP users, you specify the DN (Distinguished Name) of the LDAP user account, in the form CN=UserName, OU=Group, DC=Domain, DC=com.
In R81, we added support for the Security Identifier (SID).
A SID is a unique identifier for each object that the LDAP directory holds. With SID support, the Check Point Security Gateway matches Access Roles by the user's SID, so that if a group name, user name or domain name changes, the SID remains the same and Access Role matching still works as the policy intends.
Note - SID support is not activated by default.
Warning - The upgrade process replaces all existing files with default files. You must not copy the customized configuration files from the current version to the upgraded version, because these files can be unique to each version. You must make all the custom configurations again after the upgrade.
To enable SID support on the Check Point Security Gateway:
- Run this command:
# cpstop
- Edit the $CPDIR/tmp/.CPprofile.sh file.
- Add this line:
export LDAP_SID=1
- Save the file.
- Reboot the Security Gateway.
- Run this command:
# pdp nested status
Note - SID support works only when the nested groups status is "enabled - mode 2" or "enabled - mode 4". If it is not, run this command:
# pdp nested __set_state 4
For more information about nested groups, see Nested Groups.
- Do this procedure on every Security Gateway and on every Cluster Member.
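As an added example (not Check Point's own code), a small POSIX shell helper for the edit-and-verify part of the procedure: it appends the export line to a profile file only if it is not already there, so repeated runs do not duplicate it, and it checks a "pdp nested status" string for one of the two required modes. The status-line format is assumed from the wording above, and the sample profile file and status lines are constructed.

```shell
# Added example, not Check Point code. Helpers for steps 2-6 of the SID procedure.
# Real target file: $CPDIR/tmp/.CPprofile.sh (the demo below uses a temp file).

# ensure_ldap_sid FILE: append 'export LDAP_SID=1' only if no such export exists.
# Prints 'added' or 'present'; returns 1 if FILE does not exist.
ensure_ldap_sid() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if grep -Eq '^[[:space:]]*export[[:space:]]+LDAP_SID=1([[:space:]]|$)' "$f"; then
        echo present
    else
        printf '\nexport LDAP_SID=1\n' >> "$f"
        echo added
    fi
}

# nested_mode_ok STATUS_TEXT: succeed only when the nested-groups status reads
# "enabled - mode 2" or "enabled - mode 4", the modes SID support requires.
# The exact output layout of 'pdp nested status' is assumed from the page wording.
nested_mode_ok() {
    printf '%s\n' "$1" |
        grep -Eq 'enabled[[:space:]]*-[[:space:]]*mode[[:space:]]*(2|4)([^0-9]|$)'
}

# Demo on a constructed profile file standing in for $CPDIR/tmp/.CPprofile.sh.
demo_dir=$(mktemp -d)
demo_profile="$demo_dir/.CPprofile.sh"
printf '# constructed profile\nexport FOO=bar\n' > "$demo_profile"
ensure_ldap_sid "$demo_profile"   # added
ensure_ldap_sid "$demo_profile"   # present (second run leaves the file unchanged)

# Constructed sample status lines, not real pdp output.
nested_mode_ok "nested groups: enabled - mode 4" && echo "nested mode ok"
nested_mode_ok "nested groups: disabled" || echo "run: pdp nested __set_state 4"
rm -rf "$demo_dir"
```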