Troubleshooting guide

Chapter 8 Troubleshooting LDAP Servers and the AMC Working with LDAP
Advanced Technical Reference Guide 4.1 June 2000 89
The cache times out.
The Security Policy is installed.
The user database is downloaded.
Working with LDAP
Managing LDAP through the command line
If the AMC is not available, or has not been installed, you can manage the LDAP directory from a remote
terminal using the command line. This option is also helpful for debugging LDAP failures. For more details,
see:
How to create users on an LDAP server from a remote terminal? (Solution ID: 10022.0.1178639.2444127) on
the Check Point Technical Services site.
How to get the list of users defined on the LDAP server? (Solution ID: 10022.0.1178646.2444127) on the
Check Point Technical Services site.
Working with 3rd party LDAP Servers: fw ikecrypt
On FireWall-1 4.0 SP5 and VPN-1/FireWall-1 4.1 SP1, the fw ikecrypt command was added to the fw
command line. This command generates an IKE shared secret that can be used by a 3rd party LDAP user
management tool.
Syntax
fw ikecrypt [SecretKey] [UserPassword]
Options
Table 2: fw ikecrypt options
parameter      meaning
SecretKey      A secret string stored in the Account Unit that the user belongs to.
UserPassword   A string that will be used by the user to log in.
The output is the encrypted secret to place in the "fw1ISAKMP-SharedSecret" user attribute.
This is also useful for writing bulk scripts for LDAP (in LDIF format).
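The following shell script is an added example, not part of the original guide or of Check Point's own tooling. It shows the bulk LDIF use mentioned above: it reads constructed "uid,password" lines, runs fw ikecrypt with the Account Unit's secret for each user, and emits an LDIF modify block that sets the fw1ISAKMP-SharedSecret attribute. SECRET_KEY, BASE_DN and the IKECRYPT_CMD override (used so the script can be exercised on a host without fw) are assumptions and placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the guide): generate an LDIF file that sets
# fw1ISAKMP-SharedSecret for every user in a "uid,password" list.
# Assumptions: SECRET_KEY is the Account Unit's secret string (placeholder
# default below), BASE_DN is where the user entries live (placeholder),
# and IKECRYPT_CMD lets a different encrypting command be substituted;
# by default it is the documented "fw ikecrypt".

SECRET_KEY="${SECRET_KEY:-AccountUnitSecret}"   # placeholder, replace with the real secret
BASE_DN="${BASE_DN:-ou=people,o=example}"        # placeholder base DN

# encrypt_secret USERPASSWORD -> prints the encrypted IKE shared secret.
# Note: fw ikecrypt takes both values as command-line arguments, so they are
# briefly visible in the process list; run this on the management host only.
encrypt_secret() {
    ${IKECRYPT_CMD:-fw ikecrypt} "$SECRET_KEY" "$1"
}

# make_ldif reads "uid,password" lines on stdin (blank lines and lines
# starting with # are skipped) and writes one LDIF modify block per user.
make_ldif() {
    while IFS=, read -r uid password; do
        [ -z "$uid" ] && continue
        case "$uid" in "#"*) continue ;; esac
        enc=$(encrypt_secret "$password") || return 1
        printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
        printf 'changetype: modify\n'
        printf 'replace: fw1ISAKMP-SharedSecret\n'
        printf 'fw1ISAKMP-SharedSecret: %s\n\n' "$enc"
    done
}

# Usage: sh make_ldif.sh users.csv > users.ldif
# (runs only when a single file argument is given)
if [ "$#" -eq 1 ]; then
    make_ldif < "$1"
fi
```

The input file holds clear-text passwords, so create it with restrictive permissions and delete it once the LDIF has been applied (for example with a standard ldapmodify client against the directory; the guide itself does not prescribe a client).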
Known LDAP and AMC problems
AMC cannot read synchronized groups
Through the use of the Netscape Directory Synchronization Service (LDAP Server version 4.1) one can load all
NT users and groups into the LDAP database.
Once LDAP is enabled in Policy Properties, an account unit server object is correctly defined, and an
external group is defined to use this server, VPN-1/FireWall-1 can authenticate the synchronized users with their
associated passwords. VPN-1/FireWall-1 will also correctly restrict access based on the NT group if "Only
Group in Branch" is selected as part of the external group's scope definition.