
RE: Checkpoint sucks ? checkpoint-firewall and openldap



try this article:
http://support.checkpoint.com/kb/docs/public/firewall1/ng/pdf/openldap_fw1_rev1.83.pdf

that is if you are using openldap...  are you using openldap or edir?

-----Original Message-----
From: Marc Schoechlin [mailto:ms-ldap@bart.LF.net]
Sent: Wednesday, January 28, 2004 1:55 PM
To: openldap-software@OpenLDAP.org
Subject: Checkpoint sucks ? checkpoint-firewall and openldap


Hi !

I'm currently trying to set up a "SecureClient NG FP3" to
"Checkpoint NG with Application Intelligence R54/Secureplattform"
authentication.

Fetching entries seems to work, but I'm not able to
authenticate.

What I have done:

 * Did the setup described in
   http://www.opsec.com/solutions/partners/downloads/novell-int_edir8.7_w_fw1.pdf
   (Adding a schema, adding users, ...)

 * Added a "client-encrypt" rule with a LDAP-Group in the source-field

 * Added a Posix-Account to the LDAP-Dir
   (Auth via PAM_LDAP works)

If I now try to connect to the firewall I enter the IP address, the user
and the password.

After that I get a notification about the certificate, and after
confirming this dialog I get a message which complains:

"Negotiation with gateway 212.9.190.70 at site 212.9.190.70 has failed.
Access denied - wrong user name or password"

If I now watch my firewall logs, I get the following
firewall log message:

"reason: Client-Encryption: Unix Password not supported"

If I trace the traffic over the network with ethereal, I see that
OpenLDAP found the right entry.

Is that a problem regarding the password encryption in the directory
(RFC 2307: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA})?

I tried out the CRYPT and SSHA encryption, but that also does not help.

What can I do ?

Best regards

Marc Schoechlin

-- 

Gruss / Best regards  |  LF.net GmbH        |  fon +49 711 90074-413
Marc Schoechlin       |  Ruppmannstr. 27    |  fax +49 711 90074-33
ms@LF.net             |  D-70565 Stuttgart  |  http://www.lf.net
 
NOTICE: This E-mail may contain confidential information. If you are not
the addressee or the intended recipient please do not read this E-mail
and please immediately delete this e-mail message and any attachments
from your workstation or network mail system. If you are the addressee
or the intended recipient and you save or print a copy of this E-mail,
please place it in an appropriate file, depending on whether
confidential information is contained in the message.
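The RFC 2307 userPassword schemes named in the question ({SHA}, {SSHA}, {MD5}, {SMD5}), as an added Python example that is not part of this thread: it shows how such a stored value is built and how a consumer parses it and verifies a password against it. {CRYPT} is left out because it depends on the platform crypt(3); the function names and the sample salt are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 2307 schemes handled here (example code, not OpenLDAP's own implementation).
# Salted forms store base64(digest(password + salt) + salt); unsalted forms store base64(digest).
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def encode_password(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value such as '{SSHA}base64...'; salt is random unless given."""
    algo, salted = _SCHEMES[scheme.upper()]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(value: str) -> Tuple[str, bytes, bytes]:
    """Split '{SCHEME}base64' into (scheme, digest, salt); salt is empty for unsalted schemes."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not an RFC 2307 userPassword value: %r" % value)
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    algo, _ = _SCHEMES[scheme]
    raw = base64.b64decode(payload, validate=True)
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen:
        raise ValueError("payload shorter than a %s digest" % algo)
    # Everything after the fixed-size digest is the salt (may be empty).
    return scheme, raw[:dlen], raw[dlen:]


def verify_password(password: str, value: str) -> bool:
    """True if password matches the stored value; digests are compared in constant time."""
    scheme, digest, salt = parse_userpassword(value)
    algo, _ = _SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

A stored value that uses a scheme the consumer does not implement raises ValueError here rather than silently failing, which is the condition a "password not supported" style rejection on the consuming side corresponds to.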