Support Center > Search Results > SecureKnowledge Details
No items are found when using user selection in access roles
Symptoms
  • No items are found when using user selection in access roles while the domain represents Microsoft Active Directory.
Cause

This issue may occur as the result of behavior change that was introduced in R80 release.

(1) The behavior change:

The originator of the LDAP connection to the domain controller is no longer the client (SmartConsole), but it the Check Point Management Server.

Note that this change is relevant to access role editor only (other usages remained the same).

(2) In R77.X versions:

In these versions, when the administrator searches for LDAP entities, such as users and groups, the candidates that are presented to him, are fetched from the Microsoft AD domain controller. In order to fetch the entities, the SmartDashboard opens the LDAP connection to the domain controller, and performs LDAP queries against it. In case the administrator configured the Account Unit object to work with SSL, then the SSL is used by Security Gateways and not by SmartDashboard. The bind request from SmartDashboard is always the LDAP Kerberos bind.

(3) Improvement in R80 version:

In R80, when the administrator searches for LDAP entities, such as users and groups, the flow is as follows:

  1. Administrator searches for LDAP entities, such as users and groups.
  2. The search properties are sent from the SmartConsole GUI client to the Management Server.
  3. The Management Server opens the LDAP connection to the AD domain controller based on the operating system routing and interfaces.
  4. The Management Server performs an LDAP query against the AD domain controller and sends the result back to the SmartConsole GUI client.
  5. The SmartConsole GUI client presents the candidates to the administrator.
  6. If the administrator configured the Account Unit object to work with SSL, then the Management Server opens the LDAPS connection. In addition, the port that is configured, is the port that is used.

The available LDAP connection options in the above case are:

  • Simple LDAP bind
  • LDAPS bind

(4) Improvement in R80.10 version:

In R80.10, the communication between the Management Server and the Microsoft AD domain controller was improved. Specifically, the option to choose Kerberos authentication during an LDAP bind operation was added.
The improvement is related to user selection in access role editor only.

The available LDAP connection options are:

  • Kerberos LDAP bind with encryption
  • Kerberos LDAP bind with encryption, but if it fails, use a Simple LDAP bind.
  • Simple LDAP bind
  • LDAPS bind

(5) Notes:

  • The recommendation is to use LDAPS bind. However, the domain controller should allow it.
  • The default option is Kerberos LDAP bind with encryption, but if it fails, use the regular LDAP bind.

Solution
Note: To view this solution you need to Sign In .