
Enabling Live LDAP lookup in Enforce

Created: 17 Nov 2010 | 7 comments
jjesse

I recently spent several days bashing my head against configuring LDAP lookup within the Symantec Enforce UI for a customer and ran into several problems. In fact I posted a forum post on Symantec Connect (https://www-secure.symantec.com/connect/forums/problems-live-ldap-lookup) discussing some of the problems that I was having. The following article is based on that pain and also on some holes in the existing documentation. There are several guides on the Vontu Knowledge Base (kb-vontu.altiris.com), specifically KB 42831.

Note: Spelling counts, as the files are case sensitive.

The following steps need to be done in this order:

  1. Configure the Plugins.Properties file in c:\vontu\protect\config
  2. Configure the LiveLdapLookup.Properties file in c:\vontu\protect\config
  3. Add the custom attributes in the Enforce UI
  4. Reload the custom attributes in the Enforce UI
  5. Profit

Configure the Plugins.Properties file

This file enables the different plugin files that can be used by Symantec DLP. As mentioned in the KB article, the following two lines need to be added:

com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties

These settings determine which plugins are being used.

Another item that needs to be configured is the attribute lookup parameters. Editing this section of the file is not covered in the knowledge base entries. The default attribute lookup parameter is sender-email, which is commented out; uncomment it. If there are other items you will be searching on (for example, file-owner for Data at Rest items), uncomment them as well. Save your changes.

Note: I have attached my working plugins.properties file.

Configure the LiveLdapLookup.properties file

This section can be the most challenging to configure. Remember that this file is case sensitive: what is in Active Directory needs to match what is in this file and what is configured in the Enforce UI. The knowledge base entry uses email as the common search criterion; however, in most Active Directory environments the attribute is actually mail. If that is the case, the setting will look like the following: (mail=$sender-email$).

The next part that can cause the most trouble is configuring the base dn in the first part of the file. In my test lab my file looks like the following:

servername = dc.itslab.local

port = 389

basedn = DC=ITSLAB,DC=local

How did I determine my basedn? The KB article recommends Softerra's LDAP Browser, though I have used ADSI Edit from Microsoft (part of the Windows 2003 Server tools). The following screenshot shows ADSI Edit for my test domain:

NOTE: The server is dc.itslab.local, and what is under DC=itslab,DC=local is what I put as my basedn. Remember that spelling counts: the lookup will fail if you put in ITSLAB or LOCAL.

Once we have the basedn configured we need to configure the attribute lookup. Remember we need to make sure the attributes we are searching match both Active Directory and the attributes in the Enforce UI.

The default properties file contains the following example: attr.Company = cn=user:(mail=$sender-email$):Company. However, changes need to be made based on how Active Directory is configured in your company. In my environment I need to search the OU ITS_Partners, which changes my search to attr.Company = OU=ITS_Partners:(mail=$sender-email$):company. When I look in ADSI Edit I see the following screenshot:

Notice that the lower case c in company matches what I am using in my attribute search. Save your changes and restart the Vontu services.

Add the attributes in the Enforce UI

Once the text files are configured, we need to configure the attributes in the Enforce UI. Navigate in the console to System -> Attributes and click on the Custom Attribute tab as the following screenshot shows:

To add a custom attribute click on Add and then add the corresponding attribute you are looking for. Once all of your attributes are configured, click on the Reload Lookup Plugins button and verify things work correctly.

Testing Attribute Lookup

Now that we have our attributes configured in Enforce, let's test them. Navigate to an existing incident in the Enforce UI and select Lookup. If you are successful, the attributes should populate from Active Directory.

As you can see from the screenshot, I have populated First Name, Last Name, Title, Department, Location, and Company from Active Directory.

Troubleshooting Tips

Some small troubleshooting tips:

  1. Make sure spelling on all attributes and lookups match
  2. Don't forget to restart the Vontu services after making changes to one of the .properties files
  3. Change the logging level for the plugin framework:
    1. In the ManagerLogging.properties edit com.vontu.logging.ServletLogHandler.level to FINER
    2. Add (if it doesn't exist) com.vontu.lookup.script.level = FINER
  4. Change the logging for LDAP lookup
    1. In the ManagerLogging.properties file add a line: com.vontu.diretory.ldap.LdapLookup.level = FINER
  5. Review VontuManager.log and tomcat\localhost.[date].log for more information
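The "Configure the LiveLdapLookup.properties file" section and troubleshooting tip 1 come down to three checkable mistakes in the attr. mapping lines: a missing closing $ (as in (mail=$sender-email)), a $variable$ that Enforce never supplies, and an attr. name whose case differs from the custom attribute typed into the UI. Here is an added Python checker for those mapping lines; it is not part of the original article or of Symantec's product, and the sample mappings, the UI attribute list and the set of built-in variables are constructed assumptions to adjust for your own environment.

```python
import re

# Variables Enforce itself supplies to the plugin (the lookup parameters uncommented
# in plugins.properties). Assumption: adjust this set to match your own file.
BUILTIN_VARS = {"sender-email", "file-owner", "endpoint-user-name"}
LINE_RE = re.compile(r"^attr\.(?P<name>(?:\\ |[^=\s])+)\s*=\s*(?P<query>.+?)\s*$")
QUERY_RE = re.compile(r"^[^:]+:(?P<filter>\(.*\)):\S+$")  # searchbase:(filter):ldapAttribute
VAR_RE = re.compile(r"\$([A-Za-z0-9_\-]+)\$")

# Constructed sample modelled on the mappings discussed on this page (not a real file).
SAMPLE = r"""
attr.sender-email = cn=users:(sAMAccountName=$ADusername$):mail
attr.First\ Name = cn=users:(mail=$sender-email$):givenName
attr.Company = OU=ITS_Partners:(mail=$sender-email):company
attr.TempMgrDn = cn=users:(mail=$sender-email$):manager
attr.Manager\ Email = cn=users:(distinguishedName=$TempMgrDn$):userPrincipalName
"""
UI_ATTRIBUTES = ["First Name", "company", "Manager Email"]  # as typed in the Enforce UI

def parse_mappings(text):
    # Map each attr.<name> to its query; escaped spaces in names become real spaces.
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mappings[m.group("name").replace("\\ ", " ")] = m.group("query")
    return mappings

def check_mappings(text, ui_attributes):
    # Return (attribute, problem) pairs for the pitfalls this page walks through.
    mappings, findings = parse_mappings(text), []
    for name, query in mappings.items():
        if name in BUILTIN_VARS:
            findings.append((name, "redefines a built-in lookup parameter"))
        if query.count("$") % 2:  # e.g. (mail=$sender-email) with no closing $
            findings.append((name, "unbalanced '$' in query"))
        q = QUERY_RE.match(query)
        if not q:
            findings.append((name, "query is not searchbase:(filter):ldapAttribute"))
            continue
        for var in VAR_RE.findall(q.group("filter")):
            if var not in BUILTIN_VARS and var not in mappings:
                findings.append((name, f"references undefined variable ${var}$"))
    # Names used as $X$ by other queries are temporaries; every other attr.<name> must
    # exist, with identical case, as a custom attribute in the Enforce UI.
    referenced = {v for qry in mappings.values() for v in VAR_RE.findall(qry)}
    by_lower = {a.lower(): a for a in ui_attributes}
    for name in set(mappings) - referenced:
        if name not in ui_attributes:
            hit = by_lower.get(name.lower())
            findings.append((name, f"case mismatch with UI attribute '{hit}'" if hit else "no matching custom attribute in the Enforce UI"))
    return findings
```

Run check_mappings(SAMPLE, UI_ATTRIBUTES) and each finding names the attr. line to fix before restarting the Vontu services.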

Comments

Mohammed Mazher:

I have Vontu Version 11 installed, firewall settings are correct, the connection is made, but the lookup is not able to pull attributes. Any suggestions or help? I have a case open with support, but no response yet. Thanks.

Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.enforce.mail.MailClientSettingsStore$ModelListener.notificationActivated] Started to listen to notificaitons for changes in the mail client settings.
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.util.config.SystemProperties.setSystemProperties] System Properties:
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.logging.LocalLogWriter.write] Loaded Custom Attribute Lookup Plug-ins. The following Custom Attribute Lookup Plug-ins were loaded: com.vontu.lookup.liveldap.LiveLdapLookup.
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.enforce.workflow.attributes.notification.ReloadLookupPluginsListener.notificationActivated] Listening to Reload Lookup Plugins events.
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.incidenthandler.command.enforce.ResponseRuleService.<init>] ResponseRuleService initialized.
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.command.CommandRuntime.startupCommandTriggers] Command trigger started: new-incident-trigger
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.incidenthandler.command.enforce.ResponseRuleService.start] ResponseRuleService started.
Jun 3, 2011 12:16:24 PM (INFO) Thread: 10 [com.vontu.incidenthandler.IncidentPersister.main] (INCIDENT_PERSISTER.1) The Incident Persister is running.
Jun 3, 2011 12:17:53 PM (INFO) Thread: 12 [com.vontu.util.config.SystemProperties.setSystemProperties] System Properties:
  com.vontu.api.incident.attributes.AttributeLookup.auto=true
  com.vontu.api.incident.attributes.AttributeLookup.parameters=sender,incident,message
  com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
  com.vontu.api.incident.attributes.AttributeLookup.reload=true
  com.vontu.api.incident.attributes.AttributeLookup.thread_count=5
  com.vontu.api.incident.attributes.AttributeLookup.timeout=60000
  com.vontu.enforce.incidentresponseaction.IncidentResponseActionInvocationService.keep-alive-time=60000
  com.vontu.enforce.incidentresponseaction.IncidentResponseActionInvocationService.maximum-incident-batch-size=100
  com.vontu.enforce.incidentresponseaction.IncidentResponseActionInvocationService.serial-timeout=60000
  com.vontu.lookup.liveldap.LiveLdapLookup.properties=D:\Vontu\Protect\config\LiveLdapLookup.properties
  com.vontu.messaging.induction.Inductor.plugins=Vontu CopyRule Inductor,Vontu FileScan Inductor,Vontu ICAP Inductor,Vontu Inline SMTP Inductor,Vontu PacketCapture Inductor,Vontu Discover Inductor,Vontu Aggregator Inductor,Vontu Lotus Notes Crawler,Vontu Classification Inductor,NCSO.jar,Notes.jar
  com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup
Jun 3, 2011 12:17:53 PM (INFO) Thread: 12 [com.vontu.logging.LocalLogWriter.write] Loaded Custom Attribute Lookup Plug-ins. The following Custom Attribute Lookup Plug-ins were loaded: com.vontu.lookup.liveldap.LiveLdapLookup.
Jun 3, 2011 12:17:53 PM (INFO) Thread: 12 [com.vontu.enforce.workflow.attributes.notification.ReloadLookupPluginsListener.reloadPlugins] Custom Attribute Lookup plugins reloaded-

Attributes-

attr.sender-email = cn=users:(sAMAccountName=$ADusername$):mail
attr.Sender\ Email = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):mail
attr.First\ Name = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):givenName
attr.Last\ Name = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):sn
attr.ACE\ ID= cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):sAMAccountName
attr.Phone = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):telephoneNumber
attr.Location = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):description
attr.Department = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):title
attr.Company = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):company
attr.TempMgrDn = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):manager
attr.Manager\ Email = cn=users:(distinguishedName=$TempMgrDn$):userPrincipalName
attr.Manager\ First\ Name = cn=users:(distinguishedName=$TempMgrDn$):givenName
attr.Manager\ Last\ Name = cn=users:(distinguishedName=$TempMgrDn$):sn
attr.Manager\ Phone = cn=users:(distinguishedName=$TempMgrDn$):telephoneNumber

DLP Solutions:

Mohammed,

What is the basedn setting at the top of the config file? You need to make sure this is accurate, for each query will fail if it is wrong.

Also make sure the account and password are correct; the plugin will load even if this is wrong, though when you run the query it will fail.

Also, what is the first line for?

attr.sender-email = cn=users:(sAMAccountName=$ADusername$):mail

$ADusername$ is not a variable that is used by the DLP system.

Please make sure to mark this as a solution to your problem, when possible.

Mohammed Mazher:

Thanks for the quick response. I had to take out the servername, username and pwd, which are in clear text :) That's a bummer. Anyway, here you go:

servername = 
#servername = 

port = 389
basedn = DC=dvuadmin,DC=net
authtype = simple
username = 
password = 

## --------- Custom Attribute Mappings --------------
#
#  In the following section custom attributes in the Vontu Enforce server can be assigned
#  an LDAP query.  The format for this mapping is the following:
#
#  attr.VontuCustomAttributeName = searchbase:(searchfilter=$variable$):ldapAttribute
#
#  If the VontuCustomAttributeName requires a space character you should escape it with a backslash.
#
#  You can assign queries to temporary variables and use those variables in subsequent
#  queries.  For example:
#               attr.TemporaryVariable = <query here>
#  This would declare a variable called TemporaryVariable.  The value stored in this variable can
#  be referenced using $TemporaryVariable$ in subsequent queries.
#
attr.sender-email = cn=users:(sAMAccountName=$ADusername$):mail
attr.Sender\ Email = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):mail
attr.First\ Name = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):givenName
attr.Last\ Name = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):sn
attr.ACE\ ID= cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):sAMAccountName
attr.Phone = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):telephoneNumber
attr.Location = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):description
attr.Department = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):title
attr.Company = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):company
attr.TempMgrDn = cn=users:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountname=$endpoint-user-name$)):manager
attr.Manager\ Email = cn=users:(distinguishedName=$TempMgrDn$):userPrincipalName
attr.Manager\ First\ Name = cn=users:(distinguishedName=$TempMgrDn$):givenName
attr.Manager\ Last\ Name = cn=users:(distinguishedName=$TempMgrDn$):sn
attr.Manager\ Phone = cn=users:(distinguishedName=$TempMgrDn$):telephoneNumber

Mohammed Mazher:

Do I replace $ADusername$ with the actual user name?

Mohammed Mazher:

Sorry, asking too many questions.

My Krb5.ini file in C:\windows has the wrong DC. Should I modify that to reflect the properties files?

DLP Solutions:

You do not need the line:

attr.sender-email = cn=users:(sAMAccountName=$ADusername$):mail

Remove or comment it out; the system already knows the "sender-email" variable, so you do not need to define it. This might be what is causing the problem; try it after removing it.

As far as the basedn goes, what does the tree look like?

If this is the structure: CN=users,DC=dvuadmin,DC=net

Then you have it correct.


Ronak

Please make sure to mark this as a solution to your problem, when possible.