Configuring Security Identifier (SID) for LDAP Users

For Access Role matching of LDAP users, you specify the DN (Distinguished Name) of the LDAP user account, in the form CN=UserName, OU=Group, DC=Domain, DC=com.

In R81, we added support for the Security Identifier (SID).

A SID is a unique identifier for each object that LDAP holds. With SID support, the Check Point Security Gateway matches Access Roles by SID, so that if a group name, user name, or domain name changes, the user's SID remains the same and Access Role matching continues to occur as defined in the policy.

Note - SID support is not activated by default.

To enable SID support on the Check Point Security Gateway:

  1. Run the cpstop command.

  2. Edit the $CPDIR/tmp/.CPprofile.sh file.

  3. Add this line:

    export LDAP_SID=1

  4. Save the file.

  5. Reboot the Security Gateway.

  6. Run this command:

    #pdp nested status

    Note - SID support works only when the nested groups status is "enabled - mode 2" or "enabled - mode 4". If it is not, run pdp nested __set_state 4.

    For more information about the nested groups, see Nested Groups.

  7. Do this procedure on every Security Gateway and Cluster Member.
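Because step 7 repeats the procedure on every gateway and cluster member, it helps to make steps 3 and 6 idempotent and checkable. The helpers below are an added example, not Check Point's own code; they assume a POSIX sh on the gateway and that the output of pdp nested status contains the text "enabled - mode N" as quoted in the note above.

```shell
#!/bin/sh
# Added example (not Check Point's own code) for the LDAP_SID procedure.
# Assumptions: POSIX sh; `pdp nested status` prints "enabled - mode N".

# Step 3, made safe to re-run: append "export LDAP_SID=1" to the profile
# file only when no such line is already there.
ensure_ldap_sid_export() {
    profile="$1"   # normally "$CPDIR/tmp/.CPprofile.sh"
    if grep -q '^export LDAP_SID=1$' "$profile" 2>/dev/null; then
        return 0   # already present, nothing to change
    fi
    printf 'export LDAP_SID=1\n' >> "$profile"
}

# Number of LDAP_SID export lines in a profile file (expect exactly 1).
count_ldap_sid_lines() {
    grep -c '^export LDAP_SID=1$' "$1" 2>/dev/null || true
}

# Step 6 check: return 0 when the nested-groups status text reports
# mode 2 or mode 4 (the only modes in which SID support works), else 1.
nested_mode_supports_sid() {
    case "$1" in
        *"enabled - mode 2"*|*"enabled - mode 4"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 6 on a live gateway: read the status and apply the fix from the
# note above if the mode is wrong. Only runs where `pdp` exists.
ensure_nested_mode() {
    command -v pdp >/dev/null 2>&1 || { echo "pdp not found"; return 1; }
    status_text="$(pdp nested status 2>&1)"
    if nested_mode_supports_sid "$status_text"; then
        echo "nested groups mode already supports SID"
        return 0
    fi
    pdp nested __set_state 4
}
```

On a gateway you would call ensure_ldap_sid_export "$CPDIR/tmp/.CPprofile.sh" after cpstop, reboot, and then ensure_nested_mode.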