Troubleshooting guide

Chapter 8 Troubleshooting LDAP Servers and the AMC Special Configurations
Advanced Technical Reference Guide 4.1 June 2000 91
ldapmodify – LDAP modify-entry tool.
Alternatively, use Novell ConsoleOne.
See: NDS users cannot be deleted from the AMC (Solution ID: 10043.0.1133507.2535007) in the Check Point
Technical Services site. Fix: AMC build 142 fixed this issue.
Special Configurations
Multiple LDAP Servers
There are several advantages to using more than one LDAP server, including the following:
Compartmentalization, by distributing a large number of users across several servers
High availability, by duplicating the same information on several servers
Faster access for remote sites, which can have their own LDAP servers holding a copy of the database
See: Are multiple account management licenses required for multiple, autonomous LDAP servers? (Solution
ID: 55.0.639999.2564039) in the Check Point Technical Services site.
Known Issues between LDAP and Meta IP
Meta IP uses LDAP for mapping between machines and IP addresses.
There are a few solutions available in the Check Point Technical Services site regarding the integration of
LDAP Servers with Meta IP, as follows:
Are there any LDAP issues addressed by service pack 3 for Meta IP? (Solution ID: 55.0.1500760.2572592)
How to manually replicate the LDAP directory? (Solution ID: 21.0.1533853.2440442).
Solution regarding error messages:
Error: "LDAP Error: Invalid credentials (0x31)" (Solution ID: 36.0.1900980.2504068).
PKI Issues related to LDAP
How to achieve Entrust communication between two FireWall-1 Modules and two different LDAP servers with the
same database? (Solution ID: 10022.0.574263.2413933) in the Check Point Technical Services site.
Problem: A user trying to integrate Certificate Manager with Netscape Directory Server 4.0 cannot import the
LDIF file.
Solution: This is a problem in Netscape. Netscape Directory Server 4.0 does not recognize the ‘-’ (hyphen) character
in the attribute names of the Check Point schema, even though hyphens are RFC compliant in schema definitions.
Netscape has already fixed this in their 4.1 beta. You can reportedly work around it in 4.0 by adding the following
flag to slapd.conf:
attribute_name_exceptions 1
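As an added example that is not part of the original guide, the following Python script pre-screens a schema LDIF file for the hyphen problem described above before you try to import it into Netscape Directory Server 4.0. It unfolds LDIF continuation lines, pulls every NAME out of the attributeTypes and objectClasses definitions, and separates names that are legal under RFC 2252 but contain '-' (the Netscape 4.0 incompatibility) from names that are not valid keystrings at all (a genuine schema error). The embedded sample LDIF, its attribute names and its 2.999 OIDs are constructed for this example and are not the Check Point schema.

```python
import re
import sys
from typing import List, Tuple

# RFC 2252 'keystring': a letter followed by letters, digits or hyphens.
# Hyphens are legal here; the guide reports that Netscape Directory Server 4.0
# nevertheless rejects names containing '-' when the schema LDIF is imported.
KEYSTRING = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# NAME 'single' or NAME ( 'first' 'second' ... ) inside a schema definition.
NAME_CLAUSE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")

# Constructed sample LDIF for this example; the names and OIDs (2.999 is the
# example OID arc) are hypothetical, not the real Check Point schema.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.999.1.1 NAME 'fw1auth-method'
  DESC 'constructed example' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 2.999.1.2 NAME 'fw1expirationDate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 2.999.1.3 NAME ( 'fw1-vpn-scheme' 'fw1vpnscheme' )
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.999.1.4 NAME 'fw1_legacy'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: objectClasses
objectClasses: ( 2.999.2.1 NAME 'fw1-person' SUP top AUXILIARY
  MAY ( fw1auth-method $ fw1expirationDate ) )
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a line starting with a space continues
    the previous one) and drop comment and blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def schema_names(text: str) -> List[Tuple[str, str]]:
    """Return (definition kind, name) for every NAME declared in
    attributeTypes and objectClasses values, in file order."""
    found: List[Tuple[str, str]] = []
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        kind = attr.strip().lower()
        if not sep or kind not in ("attributetypes", "objectclasses"):
            continue
        m = NAME_CLAUSE.search(value)
        if not m:
            continue
        if m.group(1) is not None:
            names = [m.group(1)]
        else:
            names = re.findall(r"'([^']*)'", m.group(2))
        found.extend((kind, name) for name in names)
    return found


def find_hyphenated_names(text: str) -> List[Tuple[str, str]]:
    """Names that are valid RFC 2252 keystrings but contain '-': legal,
    yet rejected by Netscape Directory Server 4.0 according to the guide."""
    return [(k, n) for k, n in schema_names(text)
            if KEYSTRING.match(n) and "-" in n]


def find_invalid_names(text: str) -> List[Tuple[str, str]]:
    """Names that are not valid keystrings at all (a genuine schema error
    that no server-side flag will fix)."""
    return [(k, n) for k, n in schema_names(text) if not KEYSTRING.match(n)]


def report(text: str) -> List[str]:
    """Human-readable findings, one per line."""
    out = [f"NETSCAPE-4.0-INCOMPATIBLE {k} NAME '{n}' (hyphen; RFC-legal)"
           for k, n in find_hyphenated_names(text)]
    out += [f"INVALID {k} NAME '{n}' (not an RFC 2252 keystring)"
            for k, n in find_invalid_names(text)]
    return out


if __name__ == "__main__":
    # Usage: python check_schema.py schema.ldif   (defaults to the sample)
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCHEMA_LDIF
    for finding in report(ldif):
        print(finding)
```

Run it against the real schema file before the import. Hyphenated names it lists are fine as far as the LDAP standard is concerned and only need the Netscape-side workaround (the 4.1 fix or the slapd.conf flag above); anything it lists as INVALID has to be corrected in the LDIF itself.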
Problem: LDAP Cache setting ignored when using certificates (BG000551)
The firewall is configured to cache LDAP users for longer than 15 minutes. If SecuRemote (SR) uses Entrust
certificates for authentication, then when SecuRemote re-authenticates after its 15-minute timeout, the firewall
queries the LDAP server again instead of using the cached information. As a result, VPN-1/FireWall-1 does not
cache LDAP users with certificates for the configured timeout value.