Data Loss Prevention


IBM LDAP and DLP

  • 1.  IBM LDAP and DLP

    Posted May 03, 2014 09:37 PM

    It seems it is not possible to use the built-in LDAP script if your base DN has spaces (per SYMC) with IBM LDAP. Can anyone please share a sample script that might work for this?

     

    Thanks.



  • 2.  RE: IBM LDAP and DLP

    Broadcom Employee
    Posted May 04, 2014 04:35 AM

    We ran a test with IBM LDAP, and it worked fine.

    What is the base DN you used?



  • 3.  RE: IBM LDAP and DLP

    Posted May 04, 2014 07:19 AM

    Thanks for responding. I should note that it creates the directory connection fine, but when I attempt to create the LDAP lookup (to pull attributes) it throws a Java error. SYMC has told me there is an etrack on this.

    As an example (note the spacing): Base DN=Acme Products Company, Subunit Acme company



  • 4.  RE: IBM LDAP and DLP

    Broadcom Employee
    Posted May 04, 2014 08:28 AM

    What is the DLP version, and what is the Java error that shows up?

     



  • 5.  RE: IBM LDAP and DLP

    Posted May 04, 2014 01:23 PM

    This is v11.6. 

    Base DN looks like "ou=acme test one,ou=acme two one,o=large acme,c=ac"

    See etrack 3281783; apparently it's to be fixed in 12.5.

     

    Error:

    12 Apr 2014 11:42:30,613- Thread: 21 SEVERE [com.vontu.enforce.workflow.attributes.AttributeLookupLoader] Error loading plugin [IBM_Test]
    Cause:
    java.lang.reflect.InvocationTargetException
    com.vontu.directory.common.InitializationException: Could not connect to the LDAP server.
    Reason: java.lang.NullPointerException
    java.lang.reflect.InvocationTargetException
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

    ---

    Please note that it does connect, as I am able to add groups in a policy; it just does not seem to work for the plugin to pull attributes.



  • 6.  RE: IBM LDAP and DLP

    Posted May 06, 2014 10:21 PM

    Any suggestions?



  • 7.  RE: IBM LDAP and DLP

    Trusted Advisor
    Posted May 07, 2014 10:20 AM

    Egar,

    This is a known issue and I was the one who actually found this and sent it to SYMC. Unfortunately the only way to get around this is to not use the base DN and go one level higher than what you are using as the base DN. If your base DN has a space in it then it will not work.

    dc=companyxyz,dc=corp

    I am not 100% sure, but this issue may not exist in 12.0. Also, I think 12.5 just got released.

     

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak
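
The workaround described in this post (pointing the lookup at a higher-level DN that has no spaces), sketched as an added Python example that is not from the thread or from the DLP product: it walks up a base DN to the nearest space-free ancestor and, because a higher base widens the search scope, checks that returned entries still sit under the originally intended base. The function names and the entry DNs are constructed for illustration; the base DN is the one quoted in post 5.

```python
def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).lstrip())
    return [r for r in rdns if r]


def nearest_space_free_ancestor(base_dn):
    """Return (ancestor_dn, levels_up); ancestor_dn is None if every suffix has a space."""
    rdns = split_dn(base_dn)
    for levels_up in range(len(rdns)):
        suffix = rdns[levels_up:]
        if not any(" " in rdn for rdn in suffix):
            return ",".join(suffix), levels_up
    return None, len(rdns)


def in_original_subtree(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn (assumes case-insensitive matching)."""
    entry = [r.lower() for r in split_dn(entry_dn)]
    base = [r.lower() for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


BASE_DN = "ou=acme test one,ou=acme two one,o=large acme,c=ac"   # from post 5
if __name__ == "__main__":
    ancestor, up = nearest_space_free_ancestor(BASE_DN)
    print(f"lookup base: {ancestor} ({up} level(s) above the intended base)")
    # Constructed entry DNs, as a lookup against the wider base might return them
    for dn in ("cn=jdoe,ou=acme test one,ou=acme two one,o=large acme,c=ac",
               "cn=other,o=another org,c=ac"):
        print(dn, "->", "keep" if in_original_subtree(dn, BASE_DN) else "discard")
```

For the base DN from post 5, every level except `c=ac` contains a space, so the lookup base ends up three levels above the intended one and the subtree check is what keeps unrelated entries out of the results.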



  • 8.  RE: IBM LDAP and DLP

    Broadcom Employee
    Posted May 14, 2014 07:56 PM

    The space in the DN is still a problem in DLP V12.0, 12.0.1. This has been resolved and verified fixed in 12.5.
     



  • 9.  RE: IBM LDAP and DLP

    Posted May 14, 2014 10:33 PM

    Thanks. Do you have any insight around existing workarounds to get this to work?



  • 10.  RE: IBM LDAP and DLP

    Broadcom Employee
    Posted May 15, 2014 11:49 AM

    I believe that you can use %20 in the DN where you have a space in the name and this might work. Otherwise, I don't think there is one. You would need to rename your objects in AD with no spaces, or wait for 12.5 to drop.



  • 11.  RE: IBM LDAP and DLP

    Trusted Advisor
    Posted May 15, 2014 01:29 PM

    I would be surprised if the %20 would work. Let us know if it does.



  • 12.  RE: IBM LDAP and DLP

    Posted May 16, 2014 08:51 AM

    %20 didn't help, nor did \



  • 13.  RE: IBM LDAP and DLP

    Broadcom Employee
    Posted May 16, 2014 11:47 AM

    Then you will have to wait for 12.5. I tested this in the beta and it was resolved.