User Directory

The entry's name.

This is also referred to as "Common Name".

For users this can be different from the uid attribute, the name used to login to the Security Gateway.

This attribute is also used to build the User Directory entry's distinguished name, that is, it is the RDN of the DN.

The user's login name, that is, the name used to login to the Security Gateway.

This attribute is passed to the external authentication system in all authentication methods except for "Internal Password", and must be defined for all these authentication methods.

The login name is used by the Security Management Server to search the User Directory server(s).

For this reason, each user entry should have its own unique UID value.

It is also possible to login to the Security Gateway using the full DN.

The DN can be used when there is an ambiguity with this attribute or in "Internal Password" when this attribute may be missing.

The DN can also be used when the same user (with the same uid) is defined in more than one Account Unit on different User Directory servers.

Descriptive text about the user.

The default is "no value".

User's email address.

The default is "no value".

An entry can have zero or more values for this attribute.

• In a template: The DN of user entries using this template. DNs that are not users (object classes that are not one of: "person", "organizationalPerson", "inetOrgPerson", or "fw1person") are ignored.

• In a group: The DN of user.

Must be given if the authentication method (fw1auth-method) is "Internal Password". The value can be hashed using "crypt". In this case the syntax of this attribute is:

"{crypt}xxyyyyyyyyyyy"

where:

• "xx" is the "salt"

• "yyyyyyyyyyy" is the hashed password

It is possible (but not recommended) to store the password without hashing. However, if hashing is specified in the User Directory server, you should not specify hashing here, in order to prevent the password from being hashed twice. You should also use SSL in this case, to prevent sending an unencrypted password.

The Security Gateway never reads this attribute, though it does write it. Instead, the User Directory bind operation is used to verify a password.

One of these:

• RADIUS

• TACACS

• SecurID

• OS Password

• Defender

This default value for this attribute is overridden by Default authentication scheme in the Authentication tab of the Account Unit window in SmartConsole.

For example: a User Directory server can contain User Directory entries that are all of the object-class "person" even though the proprietary object-class "fw1person" was not added to the server's schema.

If Default authentication scheme in SmartConsole is "Internal Password", all the users will be authenticated using the password stored in the "userPassword" attribute.

The name of the server that will do the authentication.

This field must be given if fw1auth-method is "RADIUS" or "TACACS".

For all other values of fw1auth-method, it is ignored. Its meaning is given below:

The date on which the password was last modified.

The format is yyyymmdd (for example, 20 August 1998 is 19980820).

A password can be modified through the Security Gateway as a part of the authentication process.

The last date on which the user can login to a Security Gateway, or "no value" if there is no expiration date.

The format is yyyymmdd (for example, 20 August 1998 is 19980820).

The default is "no value".

The time from which the user can login to a Security Gateway.

The format is hh:mm (for example, 8:15 AM is 08:15).

The time until which the user can login to a Security Gateway.

The format is hh:mm (for example, 8:15 AM is 08:15).

The days (of week) on which the user can login to a Security Gateway.

Can have the values "SUN","MON", and so on.

The names of one or more network objects from which the user can run a client, or "Any" to remove this limitation, or "no value" if there is no such client.

The names should match the name of network objects defined in Security Management Server.

The names of one or more network objects which the user can access, or "Any" to remove this limitation, or "no value" if there is no such network object.

The names should match the name of network objects defined on the Security Management Server.

Not currently used.

The algorithm used to encrypt the session key in SecuRemote.

Can be "CLEAR", "FWZ1", "DES", or "Any".

The algorithm used to encrypt the data in SecuRemote.

Can be "CLEAR", "FWZ1", "DES", or "Any".

The algorithm used to sign the data in SecuRemote.

Can be "none" or "MD5".

The number of minutes after which a SecuRemote user must re-authenticate himself or herself to the Security Gateway.

The exception to generate on successful authentication via SecuRemote.

Can be "none", "cryptlog", or "cryptalert".

This flag is used to resolve a problem related to group membership.

The group membership of a user is stored in the group entries to which it belongs, in the user entry itself, or in both entries.

Therefore there is no clear indication in the user entry if information from the template about group relationship should be used.

If this flag is "TRUE", then the user is taken to be a member of all the groups to which the template is a member.

This is in addition to all the groups in which the user is directly a member.

The key encryption methods for SecuRemote users using IKE.

This can be one or more of: "DES", "3DES".

A user using IKE (formerly known as ISAMP) may have both methods defined.

The allowed authentication methods for SecuRemote users using IKE, (formerly known as ISAMP).

This can be one or more of: "preshared", "signatures".

The data integrity method for SecuRemote users using IKE, (formerly known as ISAMP).

This can be one or more of: "MD5", "SHA1".

A user using IKE must have both methods defined.

The IPSec Transform method for SecuRemote users using IKE, (formerly known as ISAMP).

This can be one of: "AH", "ESP".

The data integrity method for SecuRemote users using IKE, (formerly known as ISAMP).

This can be one of: "MD5", "SHA1".

The pre-shared secret for SecuRemote users using IKE, (formerly known as ISAMP).

The value can be calculated using the fw ikecrypt command line.

fw1ISAKMP-DataEncMethod

The data encryption method for SecuRemote users using IKE, (formerly known as ISAMP).

The encryption method allowed for SecuRemote users.

This can be one or more of: "FWZ", "ISAKMP" (meaning IKE).

Defines when and by whom the password should and can be changed.

Number of allowed wrong passwords entered sequentially.

Time of the last login failure.

DN of the template that the user is a member of.

To add the propriety schema to your Netscape directory server, use the $FWDIR/lib/ldap/schema.ldif file.

We recommend that you back up the User Directory server before you run the command.

The ldif file:

• Adds the new attributes to the schema

• Deletes old definitions of fw1person and fw1template

• Adds new definitions of fw1person and fw1template

To change the Netscape LDAP schema, run the ldapmodify command with the schema.ldif file.

Note - On some server versions, the delete objectclass operation can return an error, even if it was successful. Use ldapmodify with the -c (continuous) option.

The User Directory profile is a configurable LDAP policy that lets you define more exact User Directory requests and enhances communication with the server.

Profiles control most of the LDAP server-specific knowledge. You can manage diverse technical solutions, to integrate LDAP servers from different vendors.

Use User Directory profiles to make sure that the user management attributes of a Security Management Server are correct for its associated LDAP server.

For example, if you have a certified OPSEC User Directory server, apply the OPSEC_DS profile to get enhanced OPSEC-specific attributes.

LDAP servers have difference object repositories, schemas, and object relations.

• The organization's user database may have unconventional object types and relations because of a specific application.

• Some applications use the cn attribute in the User object's Relatively Distinguished Name (RDN) while others use uid.

• In Microsoft Active Directory, the user attribute memberOf describes which group the user belongs to, while standard LDAP methods define the member attribute in the group object itself.

• Different servers implement different storage formats for passwords.

• Some servers are considered v3 but do not implement all v3 specifications. These servers cannot extend the schema.

• Some LDAP servers already have built in support for certain user data, while others require a Check Point schema extended attribute.

  For example, Microsoft Active Directory has the accountExpires user attribute, but other servers require the Check Point attribute fw1expirationdate, which is part of the Check Point defined fw1person objectclass.

• Some servers allow queries with non-defined types, while others do not.

These profiles are defined by default:

• OPSEC_DS - the default profile for a standard OPSEC certified User Directory.

• Netscape_DS - the profile for a Netscape Directory Server.

• Novell_DS - the profile for a Novell Directory Server.

• Microsoft_AD - the profile for Microsoft Active Directory.

Profiles have these major categories:

• Common - Profile settings for reading and writing to the User Directory.

• Read - Profile settings only for reading from the User Directory.

• Write - Profile settings only for writing to the User Directory.

Some of these categories list the same entry with different values, to let the server behave according to type of operation. You can change certain parameters of the default profiles for finer granularity and performance tuning.

To apply a profile:

1. Open the Account Unit.

2. Select the profile.

To change a profile:

1. Create a new profile.

2. Copy the settings of a User Directory profile into the new profile.

3. Change the values.

The unique username User Directory attribute (uid).

In addition, when fetching users by the username, this attribute is used for query.

This user password is User Directory attribute.

The object class for Check Point User Directory templates.

If you change the default value with another object-class, make sure to extend that objectclass schema definition with relevant attributes from fw1template.

The account expiration date is User Directory attribute.

This could be a Check Point extended attribute or an existing attribute.

Expiration date format.

This format will be applied to the value defined at ExpirationDateAttr.

The format of the password modified date is User Directory attribute.

This formation will be applied to the value defined at PsswdDateAttr.

The password last modified date is User Directory attribute.

User Directory attribute to store and read bad password authentication count.

If 0, the sent password will not be encrypted.

If 1, the sent password will be encrypted with the algorithm specified in the DefaultCryptAlgorithm.

The algorithm used to encrypt a password before updating the User Directory server with a new password.

The text to prefix to the encrypted password when updating the User Directory server with a modified password.

User Directory attribute to store and read the user phone number.

General purpose attribute translation map, to resolve problems related to peculiarities of different server types.

For example, an X.500 server does not allow the "-" character in an attribute name.

To enable the Check Point attributes containing "-", specify a translation entry: (e.g., "fw1-expiration =fw1expiration").

All attribute names listed here will be removed from the default list of attributes included in read/write operations.

This is most useful in cases where these attributes are not supported by the User Directory server schema, which might fail the entire operation.

This is especially relevant when the User Directory server schema is not extended with the Check Point schema extension.

Use this attribute to define which type of objects (objectclass) is queried when the object tree branches are displayed after the Account Unit is opened in SmartConsole.

If "One" is set, an "OR"ed query will be sent and every object that matches the criteria will be displayed as a branch.

If "All" is set, an "AND"ed query will be sent and only objects of all types will be displayed.

This attribute defines what objects should be displayed with an organization object icon.

A new object type specified here should also be in BranchObjectClass.

This attribute defines what objects should be displayed with an organization object icon.

A new object type specified here should also be in BranchObjectClass.

This attribute defines what objects should be displayed with a Domain object icon.

A new object type specified here should also be in BranchObjectClass.

This attribute defines what objects should be read as user objects.

The user icon will be displayed on the tree for object types specified here.

If "One" is set, an "OR"ed query will be sent and every object that matches one of the types will be displayed as a user.

If "All" is set, an "AND"ed query will be sent and only objects of all types will be displayed.

This attribute defines what objects should be read as groups.

The group icon will be displayed on the tree for objects of types specified here.

If "One" is set, an "OR"ed query will be sent and every object that matches one of the types will be displayed as a user.

If "All" is set, an "AND"ed query will be sent and only objects of all types will be displayed.

Defines the relationship Mode between the group and its members (user or template objects) when reading group membership.

Defines what User Directory attribute to use when reading group membership from the user or template object if GroupMembership mode is 'MemberOf' or 'Both' you may be required to extend the user/template object schema in order to use this attribute.

Defines the user to template membership mode when reading user template membership information.

Defines which attribute to use when reading the User members from the template object, as User DNs, if the TemplateMembership mode is Member.

Defines which attribute to use when reading from the User object the template DN associated with the user, if the TemplateMembership mode is MemberOf.

This value will be used as the attribute name in the Relatively Distinguished Name (RDN) when you create a new organizational unit in SmartConsole.

This value is used as the attribute name in the Relatively Distinguished Name (RDN) when you create a new organizational Unit in SmartConsole.

This value is used as the attribute name in the Relatively Distinguished Name (RDN), when you create a new User object in SmartConsole.

This value is used as the attribute name for the RDN, when you create a new Group object in SmartConsole.

This value is used as the attribute name for the RDN, when you create a new Domain object in SmartConsole.

This field is relevant when you create objects in SmartConsole.

The format of this field is Objectclass:name:value. Therefore, if the object created is of type ObjectClass, additional attributes is included in the created object with name 'name' and value 'value'.

This field is used when you modify a group in SmartConsole.

The format of this field is ObjectClass:memberattr meaning that for each group objectclass there is a group membership attribute mapping.

List here all the possible mappings for this User Directory server profile.

When a group is modified, based on the group's objectclass the right group membership mapping is used.

This determines which ObjectClass to use when creating/modifying an OrganizationalUnit object.

These values can be different from the read counterpart.

This determines which ObjectClass to use when creating and/or modifying an Organization object.

These values can be different from the read counterpart.

This determines which ObjectClass to use when creating and/or modifying a user object.

These values can be different from the read counterpart.

Determines which ObjectClass to use when creating and/or modifying a domain context object.

These values can be different from the read counterpart.