Managing Users on a User Directory Server

Managing Users on a User DirectoryClosed Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions. Server

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., users and user groups in the Account Unit show in the same tree structure as on the LDAP server.

  • To see User Directory users, open Users and Administrators. The LDAP Groups folder holds the structure and accounts of the server.

  • You can change the User Directory templates. Users associated with this template get the changes immediately. If you change user definitions manually in SmartConsole, the changes are immediate on the server.

Distributing Users in Multiple Servers

The users of an organization can be distributed across several LDAP servers. Each LDAP server must be represented by a separate Account Unit.

Managing LDAP Information

User Directory lets you use SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. to manage information about users and OUs (Organizational Units) that are stored on the LDAP server.

  1. In SmartConsole, go to Manage & Settings > Blades.

  2. Click Configure in SmartDashboard.

    SmartDashboard opens.

  3. From the object tree, select Servers and OPSEC.

  4. Double-click the Account Unit.

    The LDAP domain is shown.

  5. Double-click the LDAP branch.

    The Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. queries the LDAP server and SmartDashboard shows the LDAP objects.

  6. Expand the Objects List pane.

  7. Double-click the LDAP object.

    The Objects List pane shows the user information.

  8. Right-click a user and select Edit.

    The LDAP User Properties window opens.

  9. Edit the user information and settings. Click OK.

LDAP Groups for the User Directory

Create LDAP groups for the User Directory. These groups classify users according to type and can be used in Policy rules. You can add users to groups, or you can create dynamic filters.

  1. In SmartConsole, open Object Categories > New > More > Users > LDAP group.

  2. In the New LDAP Group window that opens, select the Account Unit for the User Directory group.

  3. Define Group's Scope - select one of these:

    • All Account-Unit's Users - All users in the group

    • Only Sub Tree - Users in the specified branch

    • Only Group in branch - Users in the branch with the specified DN prefix

  4. Apply an advanced LDAP filter:

    1. Click Apply filter for dynamic group.

    2. Enter the filter criteria.

  5. Click OK.

  • If the User objects for managers in your organization have the object class "myOrgManager", define the Managers group with the filter: objectclass=myOrgManagers

  • If users in your organization have an e-mail address ending with us.org.com, you can define the US group with the filter: mail=*us.org.com