Troubleshooting guide

Chapter 8 Troubleshooting LDAP Servers and the AMC
Advanced Technical Reference Guide 4.1 June 2000 90
Known LDAP and AMC problems
In AMC builds below 140, the AMC could not read the synchronized groups (and their user membership) from the LDAP database. Even though the NT groups appear in the Netscape "Users & Groups" console window, they do not appear in the AMC.
The synchronized groups are stored with the objectclass "groupOfUniqueNames" and the membership attribute "uniqueMember", but the AMC recognized only the objectclass "groupOfNames" with the membership attribute "member".
Solution:
1. Upgrade to AMC build 140 or later. AMC build 140 and later support both groupOfNames and groupOfUniqueNames: the two group types are shown in different colors, and you can add and remove members of either. There is no need to change the group type manually (which may adversely affect Netscape).
2. If you must stay on an older AMC version, the AMC will only see a group and the users in it if the group entry uses the objectclass "groupOfNames" and lists its members in the "member" attribute, so you have to change the objectclass and the membership attribute of each such group accordingly.
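The conversion that step 2 calls for, as an added example that is not code from the Check Point guide or from the AMC: a Python script that parses an LDIF export of the directory (a constructed sample is embedded), lists the groups an AMC build below 140 will not display, and writes the LDIF modify records that switch those groups to groupOfNames with member. That the groups are exported as LDIF and the records are applied back with ldapmodify is an assumption; review the generated records before applying them, in line with the warning in step 1.

```python
# Added example, not code from the Check Point guide or the AMC itself.
# Lists the groups an AMC build below 140 cannot see and emits the LDIF
# modify records that convert them to the groupOfNames / member form it
# expects. Assumed (not stated in the guide): the groups are exported as
# LDIF and the output is applied back with ldapmodify.
import base64

# Constructed sample export: one synchronized NT group in the form the old
# AMC ignores (with a folded line), and one group it already understands.
SAMPLE_EXPORT = """\
dn: cn=Domain Admins,ou=Groups,o=example
objectclass: top
objectclass: groupOfUniqueNames
cn: Domain Admins
uniquemember: uid=alice,ou=People,o=example
uniquemember: uid=bob,ou=Peop
 le,o=example

dn: cn=legacy,ou=Groups,o=example
objectclass: top
objectclass: groupOfNames
cn: legacy
member: uid=carol,ou=People,o=example
"""


def _decode(pairs):
    # "attr:: base64" values are decoded; plain values just lose the padding.
    return [(n, base64.b64decode(r[1:].strip()).decode("utf-8")
             if r.startswith(":") else r.strip()) for n, r in pairs]


def parse_ldif(text):
    """Parse LDIF content into a list of entries, each a list of
    (attribute, value) pairs in file order starting with ("dn", ...).
    Attribute names are lower-cased (LDAP compares them case-insensitively);
    folded continuation lines are joined before base64 decoding."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:          # folded line
            name, rest = current[-1]
            current[-1] = (name, rest + raw[1:])
            continue
        if not raw.strip():                           # entry separator
            if current:
                entries.append(_decode(current))
                current = []
            continue
        name, _, rest = raw.partition(":")
        current.append((name.strip().lower(), rest))
    if current:
        entries.append(_decode(current))
    return entries


def _dn(entry):
    return next(v for n, v in entry if n == "dn")


def _invisible_to_old_amc(entry):
    # The old AMC looks only for objectclass groupOfNames, so a group that is
    # only groupOfUniqueNames (what the NT synchronization produces) is skipped.
    classes = {v.lower() for n, v in entry if n == "objectclass"}
    return "groupofuniquenames" in classes and "groupofnames" not in classes


def invisible_groups(entries):
    """DNs of the groups an AMC build below 140 will not display."""
    return [_dn(e) for e in entries if _invisible_to_old_amc(e)]


def conversion_ldif(entries):
    """LDIF change records converting each invisible group in place.
    All changes for a group go into one modify record: the server applies
    the list atomically and checks the schema on the final entry, so the
    objectclass and the membership attribute never disagree. Review the
    output before applying it; the guide warns that changing group types
    by hand may upset Netscape."""
    records = []
    for entry in entries:
        if not _invisible_to_old_amc(entry):
            continue
        members = [v for n, v in entry if n == "uniquemember"]
        lines = [f"dn: {_dn(entry)}", "changetype: modify",
                 "delete: objectclass", "objectclass: groupOfUniqueNames", "-",
                 "add: objectclass", "objectclass: groupOfNames", "-",
                 "delete: uniquemember", "-",
                 "add: member", *[f"member: {m}" for m in members], "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    export = parse_ldif(SAMPLE_EXPORT)
    print("Groups the old AMC will not show:", invisible_groups(export))
    print(conversion_ldif(export))
```

Run it against a real export (for example the output of the directory's LDIF export) instead of SAMPLE_EXPORT to get the list of groups the old AMC is silently skipping, and feed the printed records to ldapmodify only after checking them, since the guide itself recommends the AMC upgrade over editing group types by hand.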
Exporting Users Problems
You can export users from the VPN-1/FireWall-1 internal user database to an LDAP directory by using the fw dbexport command. (For further information, see "Exporting a User Database" on page 41 of the Check Point 2000 Reference Guide.)
See also the SecureKnowledge solution "How to export a user database?" (Solution ID: 47.0.3358861.2547129) on the Check Point Technical Services site.
Problems while initiating a connection
Problem: User not found.
Solution:
1. Make sure that Use LDAP Account Management in the LDAP tab of the Properties Setup screen is
checked.
2. Using the Account Management Client, verify that the user is indeed defined in the Account Unit.
Problem: VPN-1/FireWall-1 rejects the user's password.
Solution: This can happen if the same user is also defined, differently, in the VPN-1/FireWall-1 internal user database or in an Account Unit with a higher priority; the password is then taken from that definition rather than from the one you expect.
Check the Display user's DN at login option in the LDAP tab of the Properties Setup window and try again. The user's DN is displayed at login, which tells you where VPN-1/FireWall-1 is taking the user's password from.
Problems while working with OPSEC LDAP Servers
Issue: Cannot delete a user on NDS (BG000560)
The AMC returns "LDAP Protocol Error (error 2 in Delete)" (LDAP result code 2 is protocolError), and the LDAP trace screen on the NDS server shows "SEND_LDAP_RESULT 2::Unknown Request".
Workaround:
Use another LDAP client to delete the entry:
ldapdelete – LDAP delete entry tool, or