Configuring Administrators and Users on an External LDAP Server

Check Point's environment integrates LDAP and other external management technologies with the Check Point solution.

If you have a large administrator and user count, we recommend that you use an external database such as LDAP for enhanced Security Management Server performance.

You can select to manage Domains on the Check Point management database, or to implement an external LDAP server.

Microsoft Active Directory

The Microsoft Windows 2000 advanced server (or later) includes a sophisticated User Directory server that can be adjusted to work as a user database for the Security Management Server.

By default, the Active Directory services are disabled. In order to enable the directory services:

  • run the dcpromo command from the Start > Run menu, or

  • run the Active Directory setup wizard using the System Configuration window.

The Active Directory has the following structure:

DC=qa,DC=checkpoint,DC=com
CN=Configuration,DCROOT
CN=Schema,CN=Configuration,DCROOT
CN=System,DCROOT
CN=Users,DCROOT
CN=Builtin,DCROOT
CN=Computers,DCROOT
OU=Domain Controllers,DCROOT
...

Most of the user objects and group objects created by Windows 2000 tools are stored under the CN=Users,DCROOT branch, and others under the CN=Builtin,DCROOT branch, but these objects can be created under other branches as well.

The branch CN=Schema,CN=Configuration,DCROOT contains all schema definitions.

Check Point can take advantage of existing Active Directory objects as well as add new types. For users, the existing user object can be used "as is" or be extended with fw1person as an auxiliary class of "User" for full feature granularity. The existing Active Directory "Group" type is supported "as is". A User Directory template can be created by adding the fw1template object class. These definitions are loaded into the directory using the schema_microsoft_ad.ldif file (see Adding New Attributes to the Active Directory).

Performance

The number of queries performed on the directory server is significantly lower with Active Directory. This is achieved through a different object relations model: Active Directory stores group membership information inside the user object, so when the user object is fetched, no additional query is necessary to assign the user to its groups. The same is true for users and templates.

Manageability

SmartConsole allows the creation and management of existing and new objects. However, some specific Active Directory fields are not enabled in SmartConsole.

Enforcement

It is possible to work with the existing Active Directory objects without extending the schema. This is made possible by defining an Internal Template object and associating it with the User Directory Account Unit defined for the Active Directory server.

For example, if you wish to enable all users with IKE+Hybrid based on the Active Directory passwords, create a new template with the IKE properties enabled and "Check Point password" as the authentication method.

Updating the Registry Settings

To modify the Active Directory schema, add a new registry DWORD value named Schema Update Allowed with a non-zero value under HKLM\System\CurrentControlSet\Services\NTDS\Parameters.

Delegating Control

Delegating control over the directory to a specific user or group is important, since by default the Administrator is not allowed to modify the schema or even manage directory objects through the User Directory (LDAP) protocol.

Extending the Active Directory Schema

To use SmartConsole to configure Active Directory users, modify the Active Directory schema with the schema file described below.

Adding New Attributes to the Active Directory

Below is an example in LDAP Data Interchange Format (LDIF) that adds one attribute to the Microsoft Active Directory:

dn: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
changetype: add
adminDisplayName: fw1auth-method
attributeID: 1.3.114.7.4.2.0.1
attributeSyntax: 2.5.5.4
cn: fw1auth-method
distinguishedName: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
instanceType: 4
isSingleValued: FALSE
lDAPDisplayName: fw1auth-method
name: fw1auth-method
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DCROOT
objectClass: attributeSchema
oMSyntax: 20
rangeLower: 1
rangeUpper: 256
showInAdvancedViewOnly: TRUE

All Check Point attributes can be added in the same way.

The definitions of all attributes in LDIF format are contained in the schema_microsoft_ad.ldif file located in the $FWDIR/lib/ldap directory.

Before attempting to run the ldapmodify command, edit schema_microsoft_ad.ldif and replace all instances of DCROOT with the domain root of your organization. For example, if your domain is support.checkpoint.com, replace DCROOT with dc=support,dc=checkpoint,dc=com.

After modifying the file, run the ldapmodify command to load the file into the directory. For example, if you use the Administrator account of the dc=support,dc=checkpoint,dc=com domain, the command syntax is as follows:

ldapmodify -c -h support.checkpoint.com -D "cn=administrator,cn=users,dc=support,dc=checkpoint,dc=com" -w SeCrEt -f $FWDIR/lib/ldap/schema_microsoft_ad.ldif

Note - A shell script is available for UNIX gateways. The script is at: $FWDIR/lib/ldap/update_schema_microsoft_ad
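The DCROOT substitution and the LDIF entry layout described above, as an added pre-flight check that is not part of the page or of Check Point's update_schema_microsoft_ad script: it renders DCROOT for a DNS domain, parses the entries and sanity-checks each attributeSchema entry (placeholder replaced, attributeSyntax paired with the right oMSyntax) before ldapmodify -c, which continues past entries the server rejects, is run. The sample LDIF is constructed from the page's fw1auth-method entry; the SYNTAX_PAIRS table is an assumed subset of Active Directory's syntax pairings.

```python
# Constructed sample, trimmed from the page's fw1auth-method entry; the folded
# distinguishedName value shows an LDIF continuation line (leading space).
SAMPLE_LDIF = """\
dn: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
attributeID: 1.3.114.7.4.2.0.1
attributeSyntax: 2.5.5.4
distinguishedName:
 CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DCROOT
objectClass: attributeSchema
oMSyntax: 20
rangeLower: 1
rangeUpper: 256
"""
# attributeSyntax OID -> the oMSyntax Active Directory requires with it (assumed subset).
SYNTAX_PAIRS = {"2.5.5.4": 20, "2.5.5.12": 64, "2.5.5.8": 1}

def dc_root(domain):
    """'support.checkpoint.com' -> 'dc=support,dc=checkpoint,dc=com'."""
    return ",".join("dc=" + part for part in domain.strip(".").split("."))

def render(template, domain):
    """Replace every DCROOT placeholder, as the page instructs."""
    return template.replace("DCROOT", dc_root(domain))

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; attribute names lower-cased."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line:                          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:   # folded continuation line
            cur[last][-1] += line[1:]
        else:
            key, _, val = line.partition(":")
            last = key.strip().lower()
            cur.setdefault(last, []).append(val.strip())
    return entries

def check_attribute_entry(e):
    """Return a list of problems; an empty list means the entry looks sane."""
    problems = []
    if "DCROOT" in e["dn"][0]:
        problems.append("DCROOT placeholder not replaced")
    syn, om = e.get("attributesyntax", [""])[0], e.get("omsyntax", ["-1"])[0]
    if SYNTAX_PAIRS.get(syn) != int(om):
        problems.append(f"attributeSyntax {syn} does not pair with oMSyntax {om}")
    return problems
```

When the check passes, load the rendered file with the ldapmodify command shown above; prefer -W (prompt) or -y <password-file> over -w so the bind password is not visible in the process list or shell history.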

Updating the administrator or service account password to the LDAP account unit on the Active Directory

Security Gateways authenticate to the LDAP server using the LDAP server user name and password saved in the SmartConsole LDAP account unit. After a Security Gateway establishes a connection to the LDAP server, it reuses that connection for subsequent LDAP queries without re-authenticating.

If you update the password in the Active Directory on the LDAP server, you must complete these steps for the change to take effect:

  1. Update the information in the LDAP account unit.

  2. Install policy.