Check Point VPN-1/FireWall-1
User authentication with OpenLDAP

LDAP-server system specifications
- OS: Red Hat Linux 7.1.93, also tested Red Hat Linux 7.1
- OpenLDAP version: 2.0.11-9 (Red Hat Linux 7.1.93)
LDAP-client
- OS:
- LDAP client: Check Point Account Management Client 1.1
LDAP-server configuration
- Install OS
- Install OpenLDAP server
- Configure basic LDAP and bring it to work
- Run some tests, perhaps using the following nice Java-based LDAP browser: http://www.iit.edu/~gawojar/ldap/
- Were the tests successful? If yes, continue...
- Download firewall-1.conf from this server (it is converted from Check Point's original SCHEMA.LDIFF [can be found at $fwdir/lib/ldap/] for use with OpenLDAP 2.x)
- Copy the given firewall-1.conf into /etc/openldap/
- Check the permissions of firewall-1.conf:
  chmod 644 /etc/openldap/firewall-1.conf
- Edit /etc/openldap/slapd.conf and insert new lines like the following somewhere below the existing schema includes (see also the diff slapd.conf-cpschema.diff against the original):
  # Check Point VPN-1/FireWall-1
  include /etc/openldap/firewall-1.conf
- There is a common, known issue if you already have LDAP entries before using them for FireWall-1 authentication, known as the "schema check problem". In this case, you have 2 choices:
  - add the new objectClass "fw1person" to each existing user entry (recommended, can e.g. be done using some self-made scripts)
  - disable schema checking (not really recommended): edit /etc/openldap/slapd.conf and add new lines like the following (see also the diff slapd.conf-schemacheckoff.diff against the previously patched original):
    # disable schemacheck (not really recommended)
    schemacheck off
- Restart LDAP server
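For the recommended choice above (adding objectClass fw1person to every existing user entry), here is an added example of such a self-made script; it is not code from the original page, from Check Point or from OpenLDAP. It parses an LDIF export of the existing entries and writes the ldapmodify records that add the class, skipping entries that already carry it and entries that are not persons; the sample LDIF, names and base DN are constructed, and plain (not base64 "::") dn and objectClass values are assumed.

```python
# Constructed sample: an LDIF export of existing user entries, as ldapsearch -LLL
# prints them, from before the Check Point schema was included (made-up names/DN).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: fw1person
uid: bob
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts (attr names lowercased)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: continuation of the previous one
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:             # the trailing "" flushes the last entry
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        if not line:                      # blank line ends an entry
            if attrs:
                entries.append(attrs)
            attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def build_modify_ldif(entries):
    """Return ldapmodify 'changetype: modify' records that add objectClass fw1person
    to every person entry that does not carry it yet; other entries are skipped."""
    records = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "person" in classes and "fw1person" not in classes:
            records.append("dn: %s\nchangetype: modify\nadd: objectClass\n"
                           "objectClass: fw1person\n-\n" % e["dn"][0])
    return "\n".join(records)

if __name__ == "__main__":
    print(build_modify_ldif(parse_ldif(SAMPLE_LDIF)), end="")
```

Save the output to a file and apply it with ldapmodify (e.g. ldapmodify -x -D <rootdn> -W -f changes.ldif) while the server still runs with the schema includes in place.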
LDAP-client configuration
Configuration of Check Point's Account Management Client
Hint: this Account Management Client is a Java application...
- Start the Account Management Client
- Create a new Account Unit
- Set properties like:
  Hint: Fetch won't work, so you have to fill in your branch using Add
- Login:
- Main menu
- Edit user

Configuration of Check Point VPN-1/FireWall-1 4.1 to use OpenLDAP for authentication
- Create account unit: -> Manage / Servers / New / LDAP Account Unit, and adjust the settings to yours
- Create groups: -> Manage / Users / New External Group
- Use groups in rules

No warranty at all, your feedback is welcome!
© 2001-2008 AERAsec Network Services and Security GmbH, last change 2002-03-24