Thread: Authentication SecureRemote Users with MS LDAP in P-1 NGx R61 environment

Subject: Authentication SecureRemote Users with MS LDAP in P-1 NGx R61 environment
Location: United States
Date: 2007-07-18 06:51:16
I need help desperately.

I have a P-1 NGx R61 with HFA_01 running on Redhat Linux ES. P-1 Manager is 192.168.114.9/24 and P-1 Container is 192.168.109.10/24. The CMA is 192.168.109.14/24. The CMA manages a Nokia IP560. Everything has a valid license. I even have the LDAP license module as well and also the VSR license. The Nokia is running IPSO 4.1 build 33 with NGx R61 with HFA_01.

Everything is synchronizing properly with a stratum 1 NTP server, including the Microsoft Windows 2003 AD server.

I have a Microsoft Windows 2003 Active Directory (AD) Server with an IP address of 192.168.109.8/24. The AD server is running Service Pack 2.

I tested Remote Access VPN with a Check Point internal account and everything works.

I need to authenticate SecureRemote users with LDAP authentication. I did the following:

0) Enable LDAP under SmartDirectory of Global Properties.
1) Under the template, create "ldap_users" and select "Checkpoint password" for the authentication scheme.
2) Manage --> Servers and OPSEC Applications --> New --> LDAP account unit. Give it a name; for the profile I select Microsoft_AD. Select "CRL retrieval" and "user management". I called it "MS_LDAP".
3) Under the "Servers" tab, I enter the AD server host object. Under "login DN", I specified "CN=Administrator" and the password of the Administrator account on the AD server.
4) Under the encryption tab of the Servers tab, I select "use SSL for port 636" and set everything to "strong". When I clicked on "fetch", I get the fingerprint from the AD server.
5) Early Version Compatibility server: I specified the AD server host object.
6) Under the "object management" tab, I specified the AD as the "Manage object on". When I fetch branches, I get the DC and CN and stuff like that, so I know that the CMA can communicate with the AD. By the way, this is a very simple AD: a single AD with the root domain of LAB.
7) Under the authentication tab, I select all the authentication schemes, and for the users' default values I used the 'ldap_users' user template that I created in step 2.
8) Create an LDAP group named vpntest. Under "Account unit" of this window, I specified "MS_LDAP".
9) Create a VPN remote access community with the Nokia gateway cluster and the "vpntest" LDAP group.
10) Create the VPN rule. By the way, my cleanup rule is Any Any accept for testing purposes.

The weird part is that if I double-click on the MS_LDAP object, I get:

failed to bind to LDAP server. Wrong user name, password or DN login.

What does that mean?

Another thing is that when I use SecureRemote to log in, it always fails, and in SmartView Tracker I get "IKE failure: client unknown user". tcpdump from the P-1 showed that there is NO tcp 389 or tcp 636 traffic leaving the CMA and heading to the Microsoft AD server.

I heard that I have to run "ldapmodify" on the CMA and modify the schema_microsoft_ad.ldif or something like that. How do I go about doing it? I thought this is only necessary if you have to manage accounts with the Dashboard.

Has someone done this before with Provider-1 and gotten it to work? Please show me the way.

Thank you very much.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================
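The post above lists the account-unit fields it filled in (login DN, bind password, SSL on 636, a fetched certificate fingerprint) and then reports a bind failure. As an added example, not code from the thread or from Check Point, here is a small offline checker for exactly those fields: it parses the login DN with RFC 4514 backslash escaping, flags a bind identity that has no DC= components (Active Directory simple bind takes a full distinguished name, a UPN such as user@domain, or DOMAIN\user, not a bare CN=), checks that SSL and the port agree, and compares the fingerprint returned by "fetch" with one obtained from the directory administrator out of band, so that "fetch" is not trusted on first use. The AccountUnit structure and its field names are assumptions made for illustration.

```python
# Added example (not code from the thread or from Check Point): an offline
# sanity check of the fields an LDAP account unit is configured with, run
# before the unit is saved. Field names are assumptions for illustration.
import re
from dataclasses import dataclass


@dataclass
class AccountUnit:
    login_dn: str                   # what was typed into "login DN"
    password: str                   # bind password
    port: int                       # 389 (LDAP) or 636 (LDAPS)
    use_ssl: bool                   # "use SSL" selected
    fetched_fingerprint: str = ""   # certificate fingerprint shown by "fetch"
    expected_fingerprint: str = ""  # fingerprint obtained from the AD admin out of band


_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def split_dn(dn):
    """Split a DN on unescaped commas, keeping RFC 4514 backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # "\," belongs to the value, not a separator
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Return [(ATTR_TYPE, value), ...] for a DN, raising ValueError on a malformed RDN."""
    pairs = []
    for rdn in split_dn(dn):
        m = _RDN.match(rdn)
        if not m or not m.group(2):
            raise ValueError("malformed RDN %r in login DN %r" % (rdn, dn))
        pairs.append((m.group(1).upper(), m.group(2)))
    return pairs


def _norm_fp(fp):
    """Lower-case hex digits only, so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def check_account_unit(cfg):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    ident = cfg.login_dn.strip()
    # AD simple bind accepts a full DN, a UPN (user@domain) or DOMAIN\user;
    # the last two contain no '=' and are accepted here without DN parsing.
    if "=" in ident or not ("@" in ident or "\\" in ident):
        try:
            types = [t for t, _ in parse_dn(ident)]
        except ValueError as exc:
            findings.append(str(exc))
            types = []
        if types and "DC" not in types:
            findings.append(
                "login DN %r has no DC= components: a bare RDN is not a "
                "distinguished name Active Directory can bind" % ident)
    if cfg.use_ssl and cfg.port == 389:
        findings.append("SSL selected but port is 389; LDAPS is normally 636")
    if not cfg.use_ssl:
        findings.append("SSL not selected: the bind password would cross the "
                        "network in clear text on port %d" % cfg.port)
    if not cfg.password:
        findings.append("bind password is empty")
    if cfg.use_ssl and cfg.expected_fingerprint and \
            _norm_fp(cfg.fetched_fingerprint) != _norm_fp(cfg.expected_fingerprint):
        findings.append("fetched certificate fingerprint does not match the "
                        "value obtained out of band; do not trust 'fetch' blindly")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the thread: bare "CN=Administrator" over LDAPS.
    for finding in check_account_unit(AccountUnit("CN=Administrator", "secret", 636, True)):
        print("finding:", finding)
```

The checker deliberately does not attempt a live bind: it catches the configuration mistakes that produce a "wrong user name, password or DN login" style error before any credentials leave the management server, and the fingerprint comparison is the step that turns "fetch" from trust-on-first-use into a verified pin.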

Subject: Re: Authentication SecureRemote Users with MS LDAP in P-1 NGx R61 environment
Date: 2007-07-19 08:58:31
In one of the in-house CCSA trainings, we encountered the same issue, and in our case it had to do w/ the 'password' that we were using for the users in Windows 2003 AD containing a special character ' ' (as an example) which CP refused to accept - we changed it to some simple alphanumeric characters w/o any special characters, after which it worked fine. You may like to rule it out before we go further.

hth,
Rajeev
On 7/18/07, cisco4ng <cisco4ng yahoo.com> wrote:
> [...]