
Configuring LDAP Custom Attributes

Created: 28 Feb 2013 • Updated: 18 Mar 2013 | 7 comments
This issue has been solved. See solution.

OK, so here is my problem. I have 3 different domains that include about 30,000 users. On occasion, in each domain I might have users with the same login, just in a different domain.

example: jdoe

reality:

domain1\jdoe

domain2\jdoe

The problem is that DLP is confusing the two and mixing up managers and user names. So the manager is getting an email they should not get, or the manager is getting the email but the person's name is different. In my lookup script, which was set up prior to me, it looked like this with custom attributes.

attr.TempEmployee=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
attr.TempManager=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager
attr.Manager\ Name=:(distinguishedName=$TempManager$):name
attr.Employee\ Dept=:(distinguishedName=$TempEmployee$):department
attr.Manager\ Email=:(distinguishedName=$TempManager$):mail
attr.Employee\ Email=:(distinguishedName=$TempEmployee$):mail
attr.Employee\ Office=:(distinguishedName=$TempEmployee$):physicalDeliveryOfficeName
attr.Manager\ Title=:(distinguishedName=$TempManager$):title
attr.Employee\ Name=:(distinguishedName=$TempEmployee$):name
attr.Employee\ Title=:(distinguishedName=$TempEmployee$):title
attr.Manager\ Phone=:(distinguishedName=$TempManager$):telephoneNumber
attr.Employee\ Phone=:(distinguishedName=$TempEmployee$):telephoneNumber
attr.Employee\ Phone=:(distinguishedName=$TempEmployee$):telephoneNumber
 
I then tried to add the domain in and it completely breaks it. Like this:
 
attr.TempEmployee=DC=charlie,DC=kaplan,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
attr.TempManager=DC=charlie,DC=kaplan,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager
attr.Manager\ Name=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):name
attr.Employee\ Dept=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):department
attr.Manager\ Email=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):mail
attr.Employee\ Email=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):mail
attr.Employee\ Office=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):physicalDeliveryOfficeName
attr.Manager\ Title=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):title
attr.Employee\ Name=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):name
attr.Employee\ Title=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):title
attr.Manager\ Phone=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):telephoneNumber
attr.Employee\ Phone=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):telephoneNumber
attr.Employee\ Phone=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):telephoneNumber
 
I am not sure why it is breaking and I cannot figure out why this refuses to work. Can someone take a look at this and point me in the right direction?


DLP Solutions

Mike,

Being the one who worked on the LDAP plugin, let me help you out, though I will need some answers first.

The issue might be resolved quickly if you just modify the System > Group Directories connection the LDAP plugin uses. Modify the Base DN there to DC=charlie,DC=kaplan,DC=com.

This will work ONLY if you need to look ONLY at the specified domain/base DN.

Otherwise we will need to explore your needs.

  • Why is there an account with the same name in different domains, and are these different people or the same?
  • Is there a specific Domain that is the Truth all that we can point to?
  • What version of DLP are you on, 11.6 or previous?
  • If 11.6 please post a screen shot of the Group Directory used for LDAP
  • If previous to 11.6, please post the top portion of the LDAP lookup config file, sans the passwords
  • What DLP products do you have?

Please mark as solved if possible!

Ronak

Please make sure to mark this as a solution to your problem, when possible.

 

Mike S.

Hello Ronak, thanks for responding. I have a ticket open with Symantec and they cannot figure this out at this point. To answer your questions:

My company has been around for a while, and in the early stages we were divided into different domains for the different groups. Until very recently each group tried to remain separate, but due to the economy and budget cuts the company has streamlined itself and brought most of the other domains in closer. In each domain the admins created users not knowing they were creating a user with the same name, just under a different domain. We have since made our help desk aware that this practice will stop. I ran an AD pull of the enterprise and found just over 2,000 users that have the same login, just under a different domain. It is a big task to have to reach out to each user and change not only their login name but in some cases the apps they log in to, to match the new name. Plus it comes down to the time and money to be spent to fix it.

We do have one domain that is above the other two, but it is not charlie. We have three major domains, with one on top and the other two side by side below.

I currently have our system running on DLP version 11.6.1, and a screenshot is attached.

We are currently using Network Monitor, Network Discover, Endpoint Prevent, Endpoint Discover, Network Prevent for E-mail.

 

The odd thing is that when I try to add the base DN into the lookup plugin, everything breaks. Example below:

attr.TempEmployee=DC=kaplaninc,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
attr.TempManager=DC=kaplaninc,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager

 

Now if I take the base DN out, everything works except for the users with identical logins.

attr.TempEmployee=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
attr.TempManager=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager

[Attachment: 3-14-2013 8-33-59 AM.jpg]

Dor E

Hello,

Is there anyone here who thinks that something very bad happened with the last version of DLP?

How come Symantec made such a major change to attributes and didn't check it?
Since the upgrade to version 11.6.1, I do not see any attributes in DLP, and it seems a lot of companies have the same problem.

I have a case which has been open for 2 weeks already with Symantec support, and still there is no solution. Everything we tried didn't work.

BTW, the connectivity to the SIEM was also changed, without any notice.

I just do not understand how no one updated customers about these changes.

Thanks

 

DLP Solutions

Dor,

Check your settings for LDAP in 11.6.

After the upgrade, many of the installations had the order of the LDAP lookups changed, so you may need to put them back in the right order.

 

Post your settings and we can see if we can find the answer.

 

Do you have multiple domains (a tree) in your environment?

 

Ronak

Please make sure to mark this as a solution to your problem, when possible.

 

DLP Solutions

Mike,

You cannot add the base DN to the configuration; that is already defined in the Connection setting. The connection states where in the LDAP tree to start searching from. So adding it to the config lines is telling it to go to DC=kaplan,DC=com,DC=charlie,DC=kaplan,DC=com, which does not exist.

The issue you have here is that the search criteria are based off of the username and the top of the domain. So if there are multiple users with the same name, it may not pull the right one.

If it searches for juser it will find the first juser, then populate it with the first details it finds. So if it found the wrong one, then it will have errors.

I bet this is happening ONLY with Endpoint and Discover incidents, that is, if each user has a different email address?

This will work for all of the SMTP incidents, but not for Discover or Endpoint (these too are username-based searches).

Overall your search is corrupted.

Mark as solved if possible!

Ronak

Please make sure to mark this as a solution to your problem, when possible.

 

SOLUTION
Mike S.

Ronak, you were on the right path. I did go ahead and change the lookup to go off of the top domain in the hierarchy. It had always been this way until about the upgrade to version 11.6.1, and we never had any issues.

 

I did change the lookup order and it did make it better!?! Not sure how or why it seems to be working, but it is.

 

Also this is only happening with Endpoint incidents. I will go ahead and mark it solved as I ended up changing the lookup order. Hopefully I will not see any other issues.