Hi Rajeev,

Fortunately, I got it resolved. The problem has to do with the configuration of the LDAP Account Unit in the CMA. The DN has to be something like cn=Administrator,cn=users,dc=lab,dc=com. After that, everything works like a charm.
Rajeev Gupta <[EMAIL PROTECTED]> wrote:

In one of the in-house CCSA trainings, we encountered the same issue, and in our case it had to do with the 'password' that we were using for the users in Windows 2003 AD containing a special character ('@', as an example) which CP refused to accept. We changed it to some simple alphanumeric characters without any special characters, after which it worked fine. You may like to rule it out before we go further.

hth,
Rajeev

On 7/18/07, cisco4ng wrote:
>
> I need help desperately.
>
> I have a P-1 NGX R61 with HFA_01 running on Red Hat Linux ES. P-1 Manager is 192.168.114.9/24 and P-1 Container is 192.168.109.10/24. The CMA is 192.168.109.14/24. The CMA manages a Nokia IP560. Everything has a valid license. I even have the LDAP license module as well and also the VSR license. The Nokia is running IPSO 4.1 build 33 with NGX R61 with HFA_01.
>
> Everything is synchronizing properly with a stratum 1 NTP server, including the Microsoft Windows 2003 AD server.
>
> I have a Microsoft Windows 2003 Active Directory (AD) server with IP address 192.168.109.8/24. The AD server is running Service Pack 2.
>
> I tested remote access VPN with a Check Point internal account and everything works.
>
> I need to authenticate SecureRemote users with LDAP authentication. I did the following:
>
> 0) Enable LDAP under SmartDirectory in Global Properties.
> 1) Under the template, create "ldap_users" and select "Check Point password" for the authentication scheme.
> 2) Manage --> Servers and OPSEC Applications --> New --> LDAP Account Unit. Give it a name; for the profile I select Microsoft_AD. Select "CRL retrieval" and "user management". I called it "MS_LDAP".
> 3) Under the "Servers" tab, I enter the AD server host object. Under "login DN", I specified "CN=Administrator" and the password of the Administrator account on the AD server.
> 4) Under the encryption tab of the Servers tab, I select "use SSL for port 636" and set everything to "strong".
> When I clicked on "fetch", I get the fingerprint from the AD server.
> 5) Early Versions Compatibility server: I specified the AD server host object.
> 6) Under the "object management" tab, I specified the AD as the "Manage objects on" server. When I fetch branches, I get the DC and CN and stuff like that, so I know that the CMA can communicate with the AD. By the way, this is a very simple AD: a single AD with the root domain of LAB.
> 7) Under the authentication tab, I select all the authentication schemes, and for the users' default values I used the 'ldap_users' user template that I created in step 2.
> 8) Create an LDAP group named vpntest. Under "Account unit" of this window, I specified "MS_LDAP".
> 9) Create a VPN remote access community with the Nokia gateway cluster and the "vpntest" LDAP group.
> 10) Create the VPN rule. By the way, my cleanup rule is Any Any Accept for testing purposes.
>
> The weird part is that if I double-click on the MS_LDAP object, I get:
>
> failed to bind to LDAP server. Wrong user name, password or DN login.
>
> What does that mean?
>
> Another thing is that when I use SecureRemote to log in, it always fails, and in SmartView Tracker I get "IKE failure: client unknown user". tcpdump from the P-1 showed that there is NO TCP 389 or TCP 636 traffic leaving the CMA and heading to the Microsoft AD server.
>
> I heard that I have to run "ldapmodify" on the CMA and modify the schema_microsoft_ad.ldif or something like that. How do I go about doing it? I thought this is only necessary if you have to manage accounts with the Dashboard.
>
> Has someone done this before with Provider-1 and gotten it to work? Please show me the way.
>
> Thank you very much.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
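To make the resolution above concrete, here is an added example (not code from the thread, from Check Point or from Microsoft) that checks a candidate login DN before it goes into an Account Unit: it parses the RFC 4514 string form and requires the DN to be a full object DN ending in the domain's naming context, so `cn=Administrator,cn=users,dc=lab,dc=com` passes and the bare `CN=Administrator` from the original post is rejected. The domain `lab.com` is taken from the thread's `dc=lab,dc=com`; the `cn=Users` container for the built-in Administrator is the default AD layout and is an assumption here, not something read from a directory.

```python
"""Check an LDAP bind (login) DN before typing it into an Account Unit.

Added example; not code from the thread, from Check Point or from Microsoft.
parse_dn() follows the RFC 4514 string form (backslash escapes and single-byte
\\XX hex pairs). check_bind_dn() encodes the fix from the thread: a simple bind
needs the object's full DN under the domain naming context (dc=lab,dc=com), so a
bare "CN=Administrator" is rejected. The cn=Users container used by
default_admin_dn() is the default AD layout and is assumed, not looked up.
"""
from __future__ import annotations

# Characters that may appear in a value only when backslash-escaped (RFC 4514).
_ESCAPABLE = set(',+"\\<>; #=')
_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, leaf RDN first.

    Types are lower-cased; values keep their case. Multi-valued RDNs (a=1+b=2)
    are not split further. Malformed input raises ValueError rather than being
    silently "repaired".
    """
    components: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("trailing backslash")
            nxt = dn[i + 1]
            if nxt in _ESCAPABLE:                      # \, \+ \" ... literal char
                buf.append(nxt)
                i += 2
                continue
            pair = dn[i + 1 : i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:   # \2C style hex escape
                buf.append(chr(int(pair, 16)))
                i += 3
                continue
            raise ValueError(f"bad escape sequence at offset {i}")
        if c == ",":                                   # unescaped comma ends an RDN
            components.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    components.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for comp in components:
        if "=" not in comp:
            raise ValueError(f"RDN without '=': {comp!r}")
        attr, value = comp.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty type or value in {comp!r}")
        pairs.append((attr, value))
    return pairs


def naming_context(domain: str) -> str:
    """DNS domain -> default naming context, e.g. lab.com -> dc=lab,dc=com."""
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={p}" for p in labels)


def _fold(pairs: list[tuple[str, str]]) -> list[tuple[str, str]]:
    # AD matches DN components case-insensitively, so compare case-folded values.
    return [(a, v.casefold()) for a, v in pairs]


def check_bind_dn(login_dn: str, domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for a login DN meant for a simple bind to `domain`."""
    try:
        pairs = parse_dn(login_dn)
    except ValueError as exc:
        return False, f"not a parseable DN: {exc}"
    nc = parse_dn(naming_context(domain))
    # Must have at least one RDN above the naming context and end in it.
    if len(pairs) <= len(nc) or _fold(pairs[-len(nc):]) != _fold(nc):
        return False, (f"does not end in {naming_context(domain)}: this is a "
                       "relative DN (bare CN), not the object's full DN")
    if pairs[0][0] != "cn":
        return False, "leaf RDN is not cn=; AD user objects are named cn=<name>"
    return True, "ok"


def default_admin_dn(domain: str) -> str:
    """Where the built-in Administrator lives in a default AD domain (assumed)."""
    return f"cn=Administrator,cn=Users,{naming_context(domain)}"


if __name__ == "__main__":
    for candidate in ("CN=Administrator",
                      "cn=Administrator,cn=users,dc=lab,dc=com",
                      default_admin_dn("lab.com")):
        print(f"{candidate!r}: {check_bind_dn(candidate, 'lab.com')}")
```

Running the check on the two DNs from the thread gives a rejection for the bare `CN=Administrator` and `ok` for the full DN; the "failed to bind to LDAP server. Wrong user name, password or DN login" message in the original post is what the first form produces once the Account Unit actually tries to bind.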
