Troubleshooting guide

Chapter 8 Troubleshooting LDAP Servers and the AMC Troubleshooting LDAP Issues
Advanced Technical Reference Guide 4.1 June 2000 82
Lightweight Directory Access Protocol
Lightweight Directory Access Protocol (LDAP) is used to communicate with a server that maintains
information about users and items within an organization. LDAP is the lightweight version of the X.500 ISO
standard. Each LDAP server is called an “Account Unit.”
Three features of LDAP are as follows:
LDAP is based on a client/server model in which an LDAP client makes a TCP connection to an LDAP server.
Each entry has a unique distinguished name (DN).
Default port numbers are 389 for a standard connection and 636 for a Secure Sockets Layer (SSL) connection.
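The client/server model above rests on one TCP connection to port 389 or 636, so the first thing a troubleshooter wants to know is whether that connection can be established at all. The following script is an added example and is not part of the Check Point guide; it probes the two default ports and reports "open", "refused" or "timeout", which separates a network or filtering problem (timeout) from a server that is reachable but not listening (refused). The local listener in `local_demo` is a constructed stand-in for an LDAP server so the script can be run offline.

```python
"""Connectivity check for the LDAP client/server TCP connection.

Added example (not from the Check Point guide). It only completes the TCP
handshake; it does not bind or speak LDAP. The default ports are the ones
the chapter names: 389 plain, 636 SSL.
"""
import socket
from typing import Dict

LDAP_PORT = 389
LDAPS_PORT = 636


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error: <reason>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Host answered with RST: reachable, but nothing listens on that port.
        return "refused"
    except socket.timeout:
        # No SYN/ACK within the timeout: typical of a filtering rule or a
        # routing problem between client and server.
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"


def probe_ldap_ports(host: str, timeout: float = 3.0) -> Dict[int, str]:
    """Probe both default LDAP ports of one server and map port -> result."""
    return {port: probe_tcp(host, port, timeout) for port in (LDAP_PORT, LDAPS_PORT)}


def local_demo() -> Dict[str, str]:
    """Show the two most common outcomes against a throwaway local listener.

    The listener on 127.0.0.1 is a constructed stand-in for an LDAP server;
    probing it while open should report 'open', and probing the same port
    after it is closed should report 'refused'.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": probe_tcp("127.0.0.1", port, 1.0)}
    listener.close()
    results["closed"] = probe_tcp("127.0.0.1", port, 1.0)
    return results


if __name__ == "__main__":
    print(local_demo())
    # Against a real server, replace the placeholder host name:
    # print(probe_ldap_ports("ldap.example.invalid"))
```

A "timeout" on 389 while the server host is known to be up usually points at a rule or a routing problem between the client and the LDAP server rather than at the LDAP configuration itself; a "refused" result means the host was reached but no LDAP service is bound to that port.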
Distinguished Name
A globally unique name for an entry, called a distinguished name (DN), is constructed by concatenating the
sequence of DNs from the lowest level of a hierarchical structure to the root. The root becomes the relative DN.
This structure becomes apparent when setting up the Account Management Client (AMC), which manages
multiple user databases in one firewalled network.
Example
If searching for the name John Brown, the search path would start with John Brown’s CommonName (CN).
You would then narrow the search from that point, to the organization he works for, to the country. If John
Brown (CommonName) works for the ABC Company, one possible DN might be:
cn=John Brown, o=ABC Company, c=US
This can be read as “John Brown of ABC Company in the United States”.
A different John Brown who works at the 123 Company might have a DN as follows:
cn=John Brown, o=123 Company, c=UK
The two common names “John Brown” belong to two different organizations with different DNs.
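The walk from common name out to organization and country can be made concrete by splitting a DN into its components. The code below is an added example and is not part of the Check Point guide; it parses DNs in the string form used on this page (comma-separated components, with backslash escapes for commas that belong to a value), rebuilds the search path from the country down to the person, and compares the two John Brown entries. The `escape_value` and `same_entry` helpers are this example's own names.

```python
"""Split LDAP distinguished names into components and compare them.

Added example (not from the Check Point guide). The DN strings in the demo
are the ones from the chapter's John Brown example.
"""
from typing import List, Tuple

# Characters that must be backslash-escaped inside a component value when
# a DN is written back out as a string (minimal subset for this example).
_SPECIAL = "\\,+"


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first, root last.

    Attribute types are lower-cased; a backslash-escaped comma inside a
    value (e.g. 'o=Smith\\, Jones Inc') is kept as part of that value.
    """
    components, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    components.append("".join(buf))

    pairs = []
    for comp in components:
        comp = comp.strip()
        if "=" not in comp:
            raise ValueError(f"malformed component {comp!r} in {dn!r}")
        attr, value = comp.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def escape_value(value: str) -> str:
    """Backslash-escape the characters in _SPECIAL so the value round-trips."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def hierarchy(dn: str) -> List[str]:
    """Return the search path from the root entry down to the leaf entry.

    For the chapter's example this is the country, then the organization
    within that country, then John Brown within that organization.
    """
    pairs = split_rdns(dn)
    path = []
    for i in range(len(pairs) - 1, -1, -1):
        path.append(",".join(f"{a}={escape_value(v)}" for a, v in pairs[i:]))
    return path


def same_entry(dn_a: str, dn_b: str) -> bool:
    """Compare two DNs component by component, ignoring case and spacing."""
    norm = lambda dn: [(a, v.lower()) for a, v in split_rdns(dn)]
    return norm(dn_a) == norm(dn_b)


JOHN_ABC = "cn=John Brown, o=ABC Company, c=US"
JOHN_123 = "cn=John Brown, o=123 Company, c=UK"

if __name__ == "__main__":
    for dn in (JOHN_ABC, JOHN_123):
        print(" -> ".join(hierarchy(dn)))
    print("same entry:", same_entry(JOHN_ABC, JOHN_123))
```

Running the script prints each John Brown's path from country to common name and reports that the two DNs are not the same entry, which is the point of the example above: the common name alone is not unique, the full DN is.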
The Account Management Client (AMC)
To look for information in an LDAP server, or to change it, administrators need a graphical user interface (GUI).
All of the major LDAP servers come with their own GUI. Check Point provides the Account Management Client as a graphical user interface to manage VPN-1/FireWall-1-specific object attributes over LDAP.
Most LDAP clients include only the standard LDAP fields, whereas Check Point has its own requirements for a user database.
Troubleshooting LDAP Issues
The LDAP server configuration consists of several components, which must work together properly. The primary task is to identify the component that causes the failure.
The problem could reside at the AMC, the LDAP server, VPN-1/FireWall-1 or even at the SR client, which initiates the connection. The most important step is to identify the failure location. There are a few steps you can follow in order to find this failure.
1. Test the connection without the SR client, and with users defined in the VPN-1/FireWall-1 database. If the problem persists, then it is not related to the LDAP server or to the SR client.