How to determine if a checkpoint device is using LDAP

Check Point
#1

Relevant IKP: https://indeni.atlassian.net/browse/IKP-1127


( hoping you'll get a chance to look at this)


The bug is: if we don't find any ldap fingerprints, the multistep variable is empty, so the multi step script errors out and logs a warning.


One idea is to add an interrogation step to determine in advance whether or not the device is using LDAP; if it's not, don't run the script (via requires).


So, can anyone think of a "good" way to determine if a Checkpoint device is using LDAP? Good == easy, lightweight. Hoping not to to have to parse objects.C.... Liz found fwldap_UseLDAP in objects.C, but I see this set to false even on a device using LDAP (I think).


Another idea is to (somehow) find out whether or not Identity Awarness is enabled. But, I think that even if the device is using Identity Awareness, it may or may not be using LDAP...?


Any thoughts here welcome.



#2

You can use IDA without using LDAP.

You would have to look for the presence of LDAP Account Unit objects, which from a cursory glance of the R80.x API docs are still not (as of R80.10) in the API.

Which means querying via dbedit/CPMI.

As I don't have one set up immediately, I can't easily check what that might be.

#3

Right now the script looks in $FWDIR/conf/objects.C for the line :ldap_ssl_fingerprints ("B4:CC:C8:32:62:4F:1F:57:07:EF:72:6E:F0:DC:36:CD")


If the line ":ldap_ssl_fingerprints" does not exist it means that either LDAP is not used, or that LDAP without SSL is used. In both cases the comparison script for LDAP fingerprints is not needed, and thus the script does not need to run.

So if creating a interrogation script looking for this, name the tag something like "ldap-ssl".


Another method (not sure if it works) is to have a way to abort the script. So if the first part of the script executes and no multistep variable is written, abort instead of going to phase 2.