[FW-1] LDAP authentication problems with FW-1 NG (FP2) and Netscape Directory Server 4.12
Hi, folks

Whilst our existing FW-1 4.0 server will client-authenticate perfectly happily with our Netscape 4.12 Directory Server, I'm having problems trying to get our test FW-1 NG server (now with FP2; running on Solaris 8 with the GUI on W2K) to do likewise... The NG server seems rather inconsistent... This output is from the *same* 'telnet 259' session, with the *same* password throughout (some names have been changed to protect site-specific stuff)...

----- START: telnet testfw 259 output -----
Check Point FireWall-1 Client Authentication Server running on testfw
User: testuser
password: *******
Access denied - wrong user name or password
User: testuser
User DN : UID=TESTUSER,OU=....,OU=PEOPLE,O=BTON.AC.UK
Account unit: LDAP2
password: *******
Failed to authenticate, System Error.
User: testuser
User DN : UID=TESTUSER,OU=....,OU=PEOPLE,O=BTON.AC.UK
Account unit: LDAP2
password: *******
User testuser authenticated by FireWall-1 authentication
Choose:
(1) Standard Sign-on
(2) Sign-off
(3) Specific Sign-on
Enter your choice:
----- END: telnet testfw 259 output -----

Furthermore, whilst this 'testuser' seems to authenticate (some of the time), others won't. Even though the other users have similar attributes and are in the same templates and their passwords are correct, they receive "Access denied - wrong user name or password".

Looking at the LDAP server's logs suggests that the LDAP server is correctly returning the same kind of information for both failing and successful attempts - it returns successful SEARCHes for both the user and their template. However, no BIND is attempted for the failing users.

I'm using "All Account Unit's Users" and other simple defaults. Server profile is set to Netscape_DS, base is set to o=bton.ac.uk (have tried the ou=People prefix too), and I am now binding using the LDAP server's root user with R+W access.
Each time I try the simple "client auth" rule, I try it from my own workstation, but I have ruled out caching issues by trying it from other machines.

Having got to the point where we thought I'd tried everything, I reinstalled both firewall and GUI (running on W2K) so I could be sure that I was using the defaults as far as possible. No luck. I then upgraded both FW and the GUI to FP2. Still no luck.

In case the error lay with the test LDAP server I've been using (essentially a clone of the production LDAP tree), I added our production LDAP servers to the rulebase. However, even though...
(a) they've lower priorities
(b) they're not mentioned in the User Access rule
(c) the rulebase is saved and re-installed as such
... these servers still get queried (based on the Account Unit output in the Telnet 259 session) unless I only select the test server in the Selected Account Units box in the LDAP tab of the firewall server's properties. Is this what you'd expect?

Any help gratefully received - upgrading to NG is a waste of time without functioning authentication... I have searched Phoneboy's site and this list's archive; I do hope I'm not missing anything obvious or doing anything too stupid...

Kind regards,
Steve Holden
University of Brighton
UK
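The diagnostic observation in the post is that the directory's access log shows a successful SEARCH for the user and for their template but no BIND for the users who are refused. The script below is an added example, not part of the original message or of Check Point's or Netscape's tooling: it correlates SRCH and BIND operations per connection in an access log and lists the users who were looked up but never had a BIND attempted, so the firewall-side failure can be separated from a genuine wrong-password result (LDAP result code 49). The log lines are constructed in the general shape of a Netscape/iPlanet Directory Server access log (conn/op fields); the exact layout of a real 4.x log may differ and the regular expressions would need adjusting to it.

```python
import re

# Constructed sample lines, written here in the shape of a Netscape/iPlanet
# Directory Server access log. Not taken from the original post; the real 4.x
# field layout may differ. Connection 103 shows the reported symptom: the user
# and template are searched for, but no BIND as that user ever follows.
SAMPLE_LOG = """\
[01/Jan/2002:10:00:00 +0000] conn=101 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[01/Jan/2002:10:00:00 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Jan/2002:10:00:01 +0000] conn=101 op=1 SRCH base="o=bton.ac.uk" scope=2 filter="(uid=testuser)" attrs=ALL
[01/Jan/2002:10:00:01 +0000] conn=101 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jan/2002:10:00:01 +0000] conn=101 op=2 SRCH base="o=bton.ac.uk" scope=2 filter="(cn=fw1template)" attrs=ALL
[01/Jan/2002:10:00:01 +0000] conn=101 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jan/2002:10:00:02 +0000] conn=102 op=0 BIND dn="uid=testuser,ou=people,o=bton.ac.uk" method=128 version=3
[01/Jan/2002:10:00:02 +0000] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Jan/2002:10:00:05 +0000] conn=103 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[01/Jan/2002:10:00:05 +0000] conn=103 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Jan/2002:10:00:05 +0000] conn=103 op=1 SRCH base="o=bton.ac.uk" scope=2 filter="(uid=otheruser)" attrs=ALL
[01/Jan/2002:10:00:05 +0000] conn=103 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jan/2002:10:00:05 +0000] conn=103 op=2 SRCH base="o=bton.ac.uk" scope=2 filter="(cn=fw1template)" attrs=ALL
[01/Jan/2002:10:00:05 +0000] conn=103 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

# A user lookup: the firewall searches for the user by uid before binding.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="\(uid=([^)]+)\)"', re.I)
# A bind; root/Directory Manager binds carry no uid= in the DN and are ignored.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# The RESULT line closes an operation and carries the LDAP result code.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
UID_IN_DN = re.compile(r'uid=([^,]+)', re.I)

# LDAP result code 49 is invalidCredentials, i.e. a real wrong-password answer.
INVALID_CREDENTIALS = 49


def audit_fw_ldap_auth(log_text):
    """Return which users were searched for, how their BINDs ended, and
    which were searched for but never bound (the symptom in the post)."""
    searched = set()
    pending_bind = {}   # (conn, op) -> uid whose BIND awaits its RESULT
    bind_results = {}   # uid -> err code of its BIND
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            searched.add(m.group(3).lower())
            continue
        m = BIND_RE.search(line)
        if m:
            u = UID_IN_DN.search(m.group(3))
            if u:
                pending_bind[(m.group(1), m.group(2))] = u.group(1).lower()
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending_bind:
            uid = pending_bind.pop((m.group(1), m.group(2)))
            bind_results[uid] = int(m.group(3))
    return {
        "searched": sorted(searched),
        "bind_results": bind_results,
        "no_bind": sorted(searched - set(bind_results)),
    }


if __name__ == "__main__":
    report = audit_fw_ldap_auth(SAMPLE_LOG)
    for uid, err in report["bind_results"].items():
        verdict = "wrong password" if err == INVALID_CREDENTIALS else f"err={err}"
        print(f"{uid}: BIND attempted, {verdict}")
    for uid in report["no_bind"]:
        print(f"{uid}: searched but NO BIND attempted (firewall-side problem)")
```

Run against a real access log, a user in the "no_bind" list was never offered to the directory for password checking, which points at the firewall's user-to-account-unit mapping rather than at the directory or the password; a user whose BIND returned 49 was genuinely refused by the directory.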