
[FW-1] LDAP authentication problems with FW-1 NG (FP2) and Netscape Directory Server 4.12



Hi, folks

Whilst our existing FW-1 4.0 server will client-authenticate perfectly
happily with our Netscape 4.12 Directory Server, I'm having problems trying
to get our test FW-1 NG server (now with FP2; running on Solaris 8 with the
GUI on W2K) to do likewise...


The NG server seems rather inconsistent...

This output is from the *same* 'telnet 259' session, with the *same* password
throughout (some names have been changed to protect site-specific stuff)...

----- START: telnet testfw 259 output -----
Check Point FireWall-1 Client Authentication Server running on testfw
User: testuser
password: *******
Access denied - wrong user name or password

User: testuser
User DN     : UID=TESTUSER,OU=....,OU=PEOPLE,O=BTON.AC.UK
Account unit: LDAP2
password: *******
Failed to authenticate, System Error.

User: testuser
User DN     : UID=TESTUSER,OU=....,OU=PEOPLE,O=BTON.AC.UK
Account unit: LDAP2
password: *******
User testuser authenticated by FireWall-1 authentication

Choose:
(1) Standard Sign-on
(2) Sign-off
(3) Specific Sign-on
Enter your choice:
----- END: telnet testfw 259 output -----

Furthermore, whilst this 'testuser' seems to authenticate (some of the
time), others won't.
Even though the other users have similar attributes and are in the same
templates and their passwords are correct, they receive
        Access denied - wrong user name or password


Looking at the LDAP server's logs suggests that the LDAP server is correctly
returning the same kind of information for both failing and successful
attempts - it returns successful SEARCHes for both the user and their
template.  However, no BIND is attempted for the failing users.

I'm using "All Account Unit's Users" and other simple defaults.
Server profile is set to Netscape_DS, base is set to o=bton.ac.uk (have
tried ou=People prefix too), and am now binding using the LDAP server's root
user with R+W access.

Each time I try the simple "client auth" rule, I try it from my own
workstation, but have ruled out caching issues by trying it from other
machines.


Having got to the point where we thought I'd tried everything, I reinstalled
both firewall and GUI (running on W2K) so I could be sure that I was using
the defaults as far as possible.  No luck.
I then upgraded both FW and the GUI to FP2.  Still no luck.


In case the error lay with the test LDAP server I've been using
(essentially a clone of the production LDAP tree), I added our production
LDAP servers to the rulebase.
However, even though...

        (a) they've lower priorities
        (b) they're not mentioned in the User Access rule
        (c) the rulebase is saved and re-installed as such

... these servers still get queried (based on the Account Unit output in the
Telnet 259 session) unless I only select the test server in the Selected
Accounts Units box in the LDAP tab of the firewall server's properties.  Is
this what you'd expect?

Any help gratefully received - upgrading to NG is a waste of time without
functioning authentication...

Have searched Phoneboy's site and this list's archive; I do hope I'm not
missing anything obvious or doing anything too stupid...

Kind regards,
Steve Holden
University of Brighton
UK
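The post's key observation is that the directory logs SEARCHes for the user and template but no BIND for the users who fail, which places the rejection on the firewall side rather than on the password. The script below, an added example that is not part of the original post, correlates SEARCH, BIND and RESULT entries per uid to make that distinction; the access-log line format is an assumed Netscape/iPlanet style and the sample lines are constructed.

```python
import re

# Patterns for Netscape/iPlanet-style access-log lines (assumed format; sample is constructed).
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="\(uid=([^)]+)\)"', re.I)
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="uid=([^,]+),', re.I)
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

# Constructed sample: three users are looked up, but only two are ever BIND-checked.
SAMPLE_LOG = """\
[15/Jul/2002:10:02:01 +0100] conn=1042 op=3 SRCH base="o=bton.ac.uk" scope=2 filter="(uid=testuser)" attrs=ALL
[15/Jul/2002:10:02:01 +0100] conn=1042 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2002:10:02:02 +0100] conn=1043 op=0 BIND dn="UID=TESTUSER,OU=People,O=bton.ac.uk" method=128 version=3
[15/Jul/2002:10:02:02 +0100] conn=1043 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Jul/2002:10:03:10 +0100] conn=1044 op=3 SRCH base="o=bton.ac.uk" scope=2 filter="(uid=otheruser)" attrs=ALL
[15/Jul/2002:10:03:10 +0100] conn=1044 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2002:10:04:00 +0100] conn=1045 op=3 SRCH base="o=bton.ac.uk" scope=2 filter="(uid=thirduser)" attrs=ALL
[15/Jul/2002:10:04:00 +0100] conn=1045 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2002:10:04:01 +0100] conn=1046 op=0 BIND dn="uid=thirduser,ou=People,o=bton.ac.uk" method=128 version=3
[15/Jul/2002:10:04:01 +0100] conn=1046 op=0 RESULT err=49 tag=97 nentries=0 etime=0
""".splitlines()

def classify_auth_attempts(lines):
    """Return {uid: 'bind_ok' | 'bind_failed' | 'no_bind'} for every uid the
    firewall searched for. 'no_bind' means the directory never saw a password
    check, so the rejection happened on the firewall side."""
    searched = set()
    bind_uid = {}   # (conn, op) of a BIND -> uid, to pair it with its RESULT line
    bind_err = {}   # uid -> LDAP result code of its last BIND
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            searched.add(m.group(3).lower())
            continue
        m = BIND_RE.search(line)
        if m:
            bind_uid[(m.group(1), m.group(2))] = m.group(3).lower()
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in bind_uid:
            bind_err[bind_uid[(m.group(1), m.group(2))]] = int(m.group(3))
    verdict = {}
    for uid in sorted(searched):
        if uid not in bind_err:
            verdict[uid] = "no_bind"
        elif bind_err[uid] == 0:
            verdict[uid] = "bind_ok"
        else:
            verdict[uid] = "bind_failed"   # e.g. err=49 invalidCredentials
    return verdict
```

Calling `classify_auth_attempts(SAMPLE_LOG)` on the constructed sample reports testuser as bind_ok, thirduser as bind_failed and otheruser as no_bind, the last being the pattern the post describes for the users who are refused.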
