Wednesday, May 25, 2011

LDAP Configuration

Proceed as follows:

In SmartDashboard, select "Policy > Global Properties > SmartDirectory" and enable "Use SmartDirectory".

Create a node object. (In SmartDashboard, select 'Manage > Network Objects > New > Node > Host'.) Type in a descriptive name and the IP address of the LDAP Server.

Create a user template to represent the LDAP users. (Select 'Manage > Users and Administrators > New > Template'.) You need to enter the name and configure the authentication method to "Check Point Password". (No other modification is mandatory here.)

Create an LDAP account unit. (Select 'Manage > Servers and OPSEC applications > New > LDAP Account Unit'.)

In the General Tab: Enter the LDAP Account Unit name, set the profile to Microsoft_AD, and select both the 'CRL Retrieval' and the 'User management' options.

In the Servers Tab: Click 'Add' and select the node object created previously from the drop-down list. Leave the port as "389", specify the login DN (e.g. cn=useraccount,cn=users,DC=Domain,DC=org) and the password for that login. The 'Read data from this server' and 'Write data to this server' options are both selected. (Leave the Encryption tab alone; it is only relevant for LDAP over SSL. Note that with this plain port 389 setup the login DN's password crosses the network unencrypted.) Click 'OK', then 'Add' again and specify the same object as the 'Early Version Compatibility server' from the drop-down list.

In the Objects Management tab: 'Manage objects on' is set to the previously defined node object (the one representing the LDAP/MSAD server). Click 'Fetch branches'. (This must work before LDAP authentication can work.) You should see the AD branches appear. The 'Prompt for password' option is not selected, and 'Return entries' stays at its default value of "500".

In the Authentication tab: The 'Use common group path for queries' option is not selected. The 'Allowed authentication schemes' must include the 'Check Point Password' scheme. Select the 'Users default template' option and choose the user template created previously. All other options are left unchecked.

Create the necessary LDAP group. (Select 'Manage > Users and Administrators > New > LDAP Group'.) Enter the LDAP group name, and specify the previously created LDAP Account Unit. The "Group's scope" is set to "All Account-Unit's Users".

Create a rule with the above LDAP group as the source. (Right-click the 'SOURCE' column and choose 'Add Users Access'.) The destination and service in this example are set to "ANY". The VPN column is set to the Remote Access VPN community (SecureClient/SecuRemote). The Action is "ACCEPT" and Track is set to "LOG".
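Before clicking 'Fetch branches', it is worth confirming that the login DN and password from the Servers tab actually bind to the AD server on port 389. The following added example (not from the original post or from Check Point) does that with a hand-encoded LDAPv3 simple bind, and lets you inspect the bytes so you can see why skipping the Encryption tab matters: the password is in the request verbatim. The host, DN and password values are assumptions, and the AD error response is constructed for illustration, not captured.

```python
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_simple_bind(msg_id, login_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    bind = tlv(0x60, tlv(0x02, bytes([3]))
                     + tlv(0x04, login_dn.encode())
                     + tlv(0x80, password.encode()))  # simple auth: password as plain octets
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data)
    _, mid, p = read_tlv(msg)
    tag, body, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, p = read_tlv(body)         # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, _matched, p = read_tlv(body, p)  # matchedDN
    _, diag, _ = read_tlv(body, p)      # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_bind(host, login_dn, password, port=389, timeout=5):
    """Send the same bind the account unit sends; return (resultCode, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_simple_bind(1, login_dn, password))
        _, code, diag = parse_bind_response(s.recv(4096))
    return code, diag

def sample_ad_failure():
    """Constructed BindResponse in the form AD returns for a wrong password (not a captured packet)."""
    diag = b"80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, bytes([49])) + tlv(0x04, b"") + tlv(0x04, diag)))
```

Run `check_bind("ldap.example.org", "cn=useraccount,cn=users,DC=Domain,DC=org", "secret")` (assumed values) against your own AD server; a resultCode of 0 means 'Fetch branches' should succeed, while 49 with "data 52e" in the diagnostic is AD's wrong-password reply.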