RE: [FW1] User Management
Joerg,

> From: [email protected] [SMTP:[email protected]]
> Subject: [FW1] User Management
>
> Very basic question:
> I have never seen the Checkpoint LDAP Usermanager in use. So, my question
> is: how comfortable is this toy? Does it manage users and groups with
> different access rights (i.e. user groups that can do HTTP & FTP, others which
> can only do HTTP)? Does this work with one general rule, so that every
> user only needs to authenticate once?
>

The account management client manages users, and puts them into groups in the LDAP database. It does NOT control what services the user has access to (that is still done by the rules in the Firewall/1 rulebase). I can't comment on the usability of the AMC, because I only use it if a new group needs to be defined on the LDAP server.

To use those groups in your rulebase, you have to define External groups in the Firewall/1 user database. (An External group definition points to the appropriate group on the LDAP server.) Those external groups can be used in User Authentication rules.

To take your example: create groups FTP_HTTP and HTTP_only in the LDAP server, and add the users to the appropriate group. Define external groups FTP_HTTP and HTTP_only in Firewall/1, referring to the corresponding LDAP group. Create two rules:

  FTP_HTTP@internal  -> Any -> FTP, HTTP -> User Auth
  HTTP_only@internal -> Any -> HTTP      -> User Auth

Other ways of separating the users, and of setting up the rules, are possible. You do need two rules, and two groups, regardless of the solution. You need to have separate rules, because Firewall/1 is enforcing the rulebase. The LDAP server is just being queried to validate the users and determine which group the user belongs to.

Each user will have to authenticate separately for FTP and for HTTP. The browser should correctly handle authentication for the services that it uses.

What you gain from the added expense of the AMC license is that the user management is separated from the firewall rulebase management.
Other user management options require that users are defined on both Firewall/1 and the authentication system (e.g. RADIUS) if you need to separate users into different groups.

Tim
--
Timothy Frost          mailto:[email protected]
EDS New Zealand        Fax:   +64-4-495-0473
8 Gilmer Terrace       Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
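The division of labour Tim describes (LDAP holds users and group membership, the firewall rulebase decides which services each group may use) can be illustrated with a small simulation. The following Python is an added example, not code from the original message or from Check Point: it parses a constructed LDIF fragment containing the two groups from the thread, models the two External groups and two User Authentication rules, and walks the rulebase top-down the way a firewall would. The LDIF content, the DN layout, the rule tuple format and the function names are all hypothetical.

```python
"""Simulate FireWall-1 style User Authentication rules backed by LDAP groups.

Constructed example: LDAP only answers "which groups is this uid in?";
the rulebase alone decides which services the match is allowed to use.
"""

# Constructed LDIF fragment (hypothetical DNs): two groups, as in the thread.
SAMPLE_LDIF = """\
dn: cn=FTP_HTTP,ou=groups,o=example
objectClass: groupOfNames
cn: FTP_HTTP
member: uid=alice,ou=people,o=example
member: uid=bob,ou=people,o=example

dn: cn=HTTP_only,ou=groups,o=example
objectClass: groupOfNames
cn: HTTP_only
member: uid=carol,ou=people,o=example
"""


def parse_ldif_groups(text):
    """Return {group_cn: set_of_member_uids} from a minimal LDIF dump.

    Entries are separated by blank lines; only groupOfNames entries count.
    """
    groups = {}
    for entry in text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        members = set()
        for dn in attrs.get("member", []):
            rdn = dn.split(",", 1)[0]          # "uid=alice"
            members.add(rdn.split("=", 1)[1])  # "alice"
        groups[attrs["cn"][0]] = members
    return groups


# External group definitions: firewall-side name -> LDAP group cn (hypothetical).
EXTERNAL_GROUPS = {"FTP_HTTP": "FTP_HTTP", "HTTP_only": "HTTP_only"}

# Rulebase in the order it would be evaluated: first match wins.
# (external group, source, destination, services, action)
RULEBASE = [
    ("FTP_HTTP", "internal", "Any", {"ftp", "http"}, "User Auth"),
    ("HTTP_only", "internal", "Any", {"http"}, "User Auth"),
]


def user_groups(ldap_groups, uid):
    """The only thing LDAP contributes: the set of groups containing uid."""
    return {cn for cn, members in ldap_groups.items() if uid in members}


def decide(ldap_groups, uid, service, src_net="internal", dst="Any"):
    """Walk the rulebase top-down; no matching rule means an implicit drop."""
    memberships = user_groups(ldap_groups, uid)
    for ext_group, src, rule_dst, services, action in RULEBASE:
        if src != src_net or rule_dst not in ("Any", dst):
            continue
        if EXTERNAL_GROUPS[ext_group] not in memberships:
            continue
        if service in services:
            return action
    return "Drop"


if __name__ == "__main__":
    groups = parse_ldif_groups(SAMPLE_LDIF)
    for uid, svc in [("alice", "ftp"), ("carol", "ftp"), ("carol", "http"), ("dave", "http")]:
        print(f"{uid:6} {svc:5} -> {decide(groups, uid, svc)}")
```

Moving a user between the two LDAP groups changes which rule matches, but adding a third service for a group still requires editing the rulebase, which is the point Tim makes about the two pieces being managed separately.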