LDAP Attribute lookups

Created: 26 Feb 2010 | 7 comments

I believe I have all the required settings set, but obviously I don't.  Whenever I try to do a lookup on an incident I see this in the log file:
 

[com.vontu.manager.admin.workflow.attributes.CustomAttributeLookup] No plugin chains have been configured for the following loaded plugins: [class com.vontu.lookup.liveldap.LiveLdapLookup]Please configure the com.vontu.plugins.execution.chain property in plugins.properties

Here is my plugins.properties file:
 

# Inductor plug-ins.
# A comma-separated list of accepted inductor plug-ins specified in Specification-Title attribute
# of plug-in JAR manifest. JAR manifest should also specify Protect-Minimum-Version such as 4.0.0.0.
com.vontu.messaging.induction.Inductor.plugins=Vontu CopyRule Inductor,Vontu FileScan Inductor,Vontu ICAP Inductor,Vontu Inline SMTP Inductor,Vontu PacketCapture Inductor,Vontu Discover Inductor,Vontu Aggregator Inductor,Vontu Lotus Notes Crawler,NCSO.jar,Notes.jar

# AttributeLookup plug-ins.
# A comma-separated list of attribute lookup plug-ins and JARs they depend on
# specified as Specification-Title attribute of plug-in JAR manifest or JAR file name.
com.vontu.api.incident.attributes.AttributeLookup.plugins= Vontu Live LDAP Lookup
# Plugin Execution Chain.
# A comma-separated list of attribute lookup plug-ins to be executed in sequence.
# Example: com.vontu.lookup.script.ScriptLookup, com.vontu.lookup.xls.ExcelLookup, com.vontu.lookup.script.ScriptLookup
# This example will execute Script Lookup #1 -> ExcelLookup -> Script Lookup #2
# Even if there is only one plugin in the chain, it must be listed here.
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup


# Plugin JAR manifests to enable Live LDAP lookups
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
# Attribute Lookup parameters.
# A comma-separated list of parameter groups that specifies what parameters are sent to lookup plug-ins.
# Acceptable value is any combination of the following literals:
# attachment, incident, message, policy, recipient, sender, server, status.
# Each of them specifies a group of one or more attributes:
# attachment
#  attachment-nameX
# attachment-sizeX
# , where X is the unique index to distinguish between multiple attachments,
#   for example, attachment-name1, attachment-size1, attachment-name2, attachment-size2 and so on. 
# incident
# date-detected
# incident-id
# protocol
# message
# date-sent
# subject
# file-create-date
# file-access-date
# file-created-by
# file-modified-by
# file-owner
# discover-content-root-path
# discover-location
# discover-name
# discover-extraction-date
# discover-server
# discover-notes-database
# discover-notes-url
# endpoint-volume-name
# endpoint-dos-volume-name
# endpoint-application-name
# endpoint-application-path
# endpoint-file-name
# endpoint-file-path
# policy
# policy-name
# recipient
 recipient-emailX
# recipient-ipX
# recipient-urlX
# , where X is the unique index to distinguish between multiple recipients,
#   for example, recipient-email1, recipient-ip1, recipient-url1, recipient-email2, recipient-ip2, recipient-url2 and so on. 
# sender
 sender-email
# sender-ip
# sender-port
# endpoint-user-name
# endpoint-machine-name
# server
# server-name
# monitor
#  monitor-name
# monitor-host
# monitor-id
# status
# incident-status
# acl
# acl-principalX  (String representing the user or group to whom the acl applies)
# acl-typeX  (String representing whether the acl applies to the FILE or to the SHARE) 
# acl-grant-or-denyX (String representing whether the acl will GRANT or DENY the permission)
# acl-permissionX  (String representing whether the acl denotes READ or WRITE access)
#
# X is the unique index to distinguish between multiple acl entries,
#   for example, acl-principal1, acl-type1, acl-grant-or-deny1, acl-permission1
# If none of the above is specified only custom attributes are included into the parameter list.
com.vontu.api.incident.attributes.AttributeLookup.parameters=sender


# Lookup timeout in milliseconds.
#com.vontu.api.incident.attributes.AttributeLookup.timeout=60000
# Automatic lookup.
# Specifies whether the lookup should be triggered automatically when a new incident is detected.
com.vontu.api.incident.attributes.AttributeLookup.auto=true

# Automatic plugin reload.
# Specifies whether the plugins should be automatically reloaded every morning at 3:00.
com.vontu.api.incident.attributes.AttributeLookup.reload=true
# Lookup thread count.
# Specifies maximum number of threads for lookup.
# This setting should be greater than the thread-count of new-incident-commands configuration.
# See com.vontu.manager.command.newincident.new-incident-command.xml in manager.jar
com.vontu.api.incident.attributes.AttributeLookup.thread_count=5


# Live LDAP lookup configuration file
com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties

# Csv Document Lookup configuration file
#com.vontu.lookup.csv.CsvLookup.properties = CsvLookup.properties

# Script Lookup configuration file
#com.vontu.lookup.script.ScriptLookup.properties = ScriptLookup.properties

Does this look right?


waphil00's picture

Hi, try modifying the second section as follows:

# AttributeLookup plug-ins.
# A comma-separated list of attribute lookup plug-ins and JARs they depend on
# specified as Specification-Title attribute of plug-in JAR manifest or JAR file name.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup

waphil00's picture

Hi

This is working in my test environment. It uses only LDAP lookups to ActiveDirectory.
regards

Philipp

 

# Inductor plug-ins.
# A comma-separated list of accepted inductor plug-ins specified in Specification-Title attribute
# of plug-in JAR manifest. JAR manifest should also specify Protect-Minimum-Version such as 4.0.0.0.
com.vontu.messaging.induction.Inductor.plugins=Vontu CopyRule Inductor,Vontu FileScan Inductor,Vontu ICAP Inductor,Vontu Inline SMTP Inductor,Vontu PacketCapture Inductor,Vontu Discover Inductor,Vontu Aggregator Inductor,Vontu Lotus Notes Crawler,Vontu Classification Inductor,NCSO.jar,Notes.jar

 

# AttributeLookup plug-ins.
# A comma-separated list of attribute lookup plug-ins and JARs they depend on
# specified as Specification-Title attribute of plug-in JAR manifest or JAR file name.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup

# Plugin Execution Chain.
# A comma-separated list of attribute lookup plug-ins to be executed in sequence.
# Example: com.vontu.lookup.script.ScriptLookup, com.vontu.lookup.xls.ExcelLookup, com.vontu.lookup.script.ScriptLookup, com.vontu.lookup.datainsight.DataInsightLookup
# This example will execute Script Lookup #1 -> ExcelLookup -> Script Lookup #2 -> Data Insight Lookup
# Even if there is only one plugin in the chain, it must be listed here.
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup

# Plugin JAR manifests to enable Live LDAP lookups
# com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup

# Plugin JAR manifests to enable Data Insight lookups
#com.vontu.api.incident.attributes.AttributeLookup.plugins=Data Insight Lookup

# Attribute Lookup parameters.
# A comma-separated list of parameter groups that specifies what parameters are sent to lookup plug-ins.
# Acceptable value is any combination of the following literals:
# attachment, incident, message, policy, recipient, sender, server, status.
# Each of them specifies a group of one or more attributes:
# attachment
#  attachment-nameX
# attachment-sizeX
# , where X is the unique index to distinguish between multiple attachments,
#   for example, attachment-name1, attachment-size1, attachment-name2, attachment-size2 and so on. 
# incident
# date-detected
# incident-id
# protocol
# data-owner-name
# data-owner-email
# message
# date-sent
# subject
# file-create-date
# file-access-date
# file-created-by
# file-modified-by
# file-owner
# discover-content-root-path
# discover-location
# discover-name
# discover-extraction-date
# discover-server
# discover-notes-database
# discover-notes-url
# endpoint-volume-name
# endpoint-dos-volume-name
# endpoint-application-name
# endpoint-application-path
# endpoint-file-name
# endpoint-file-path
# policy
# policy-name
# recipient
# recipient-emailX
# recipient-ipX
# recipient-urlX
# , where X is the unique index to distinguish between multiple recipients,
#   for example, recipient-email1, recipient-ip1, recipient-url1, recipient-email2, recipient-ip2, recipient-url2 and so on. 
# sender
# sender-email
# sender-ip
# sender-port
# endpoint-user-name
# endpoint-machine-name
# server
# server-name
# monitor
#  monitor-name
# monitor-host
# monitor-id
# status
# incident-status
# acl
# acl-principalX  (String representing the user or group to whom the acl applies)
# acl-typeX  (String representing whether the acl applies to the FILE or to the SHARE) 
# acl-grant-or-denyX (String representing whether the acl will GRANT or DENY the permission)
# acl-permissionX  (String representing whether the acl denotes READ or WRITE access)
#
# X is the unique index to distinguish between multiple acl entries,
#   for example, acl-principal1, acl-type1, acl-grant-or-deny1, acl-permission1
# If none of the above is specified only custom attributes are included into the parameter list.
com.vontu.api.incident.attributes.AttributeLookup.parameters=sender-email, file-owner

# Attribute Lookup output parameters
# A comma-separated list that specifies which parameters can be modified by lookup plug-ins.  These parameters
# can be specified in lookup plug-in configurations and scripts using the same syntax as custom attributes.
#
# Acceptable value is any combination of the following literals:
#  data-owner-name
# data-owner-email
#
com.vontu.api.incident.attributes.AttributeLookup.output.parameters=sender-email,file-owner,endpoint-user-name

# Lookup timeout in milliseconds.
com.vontu.api.incident.attributes.AttributeLookup.timeout=60000

# Automatic lookup.
# Specifies whether the lookup should be triggered automatically when a new incident is detected.
com.vontu.api.incident.attributes.AttributeLookup.auto=true

# Automatic plugin reload.
# Specifies whether the plugins should be automatically reloaded every morning at 3:00.
com.vontu.api.incident.attributes.AttributeLookup.reload=false

# Lookup thread count.
# Specifies maximum number of threads for lookup.
# This setting should be greater than the thread-count of new-incident-commands configuration.
# See com.vontu.manager.command.newincident.new-incident-command.xml in manager.jar
com.vontu.api.incident.attributes.AttributeLookup.thread_count=5

# Live LDAP lookup configuration file
com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties

# Csv Document Lookup configuration file
#com.vontu.lookup.csv.CsvLookup.properties = CsvLookup.properties

# Script Lookup configuration file
#com.vontu.lookup.script.ScriptLookup.properties = ScriptLookup.properties

# Data Insight Lookup configuration file
#com.vontu.lookup.datainsight.DataInsightLookup.properties = DataInsightLookup.properties

# Incident Response Action configuration parameters.
#com.symantec.dlpx.flexresponse.Plugin.plugins = plugin1.jar, plugin2.jar, etc...
com.vontu.enforce.incidentresponseaction.IncidentResponseActionInvocationService.maximum-incident-batch-size = 100
com.vontu.enforce.incidentresponseaction.IncidentResponseActionInvocationService.keep-alive-time = 60000
com.vontu.enforce.incidentresponseaction.IncidentResponseActionInvocationService.serial-timeout = 60000

waphil00's picture

## --------- Vontu Live LDAP Plugin -----------------
#
#  This is the property file for Live LDAP Lookup plugin
#
##

## --------- LDAP Server Connection Parameters ------
#
servername = yourdomaincontroller.domain.com
port = 389
basedn = DC=YOURDOMAIN,DC=COM
authtype = simple
username = domain\\yourldapusername
password = yourpassword

## --------- Custom Attribute Mappings --------------
#
#  In the following section custom attributes in the Vontu Enforce server can be assigned
#  an LDAP query.  The format for this mapping is the following:
#
#  attr.VontuCustomAttributeName = searchbase:(searchfilter=$variable$):ldapAttribute
#
#  If the VontuCustomAttributeName requires a space character you should escape it with a backslash.
#
#  You can assign queries to temporary variables and use those variables in subsequent
#  queries.  For example:
#               attr.TemporaryVariable = <query here>
#  This would declare a variable called TemporaryVariable.  The value stored in this variable can
#  be referenced using $TemporaryVariable$ in subsequent queries.
#

attr.First\ Name = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):givenName
attr.Last\ Name = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):sn
attr.Telephone\ Number = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):telephoneNumber
attr.Sender\ Email = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):mail
attr.Business\ Unit = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):department
attr.Title = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):title
attr.Office = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):physicalDeliveryOfficeName
attr.Description = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):description
attr.Mobile = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):mobile

sys73r's picture

hey guys, I've been trying to get this done without any luck so far:

When I try to reload the plugins:

System > Incident Data > Attributes > custom attributes > reload lookup plugins:

I get the message: "Custom Attribute Lookup Plug-in(s) were loaded successfully."

Then I go to Incidents, go into one and click "Lookup" in the attributes section; it shows nothing, and in the Incident history it says:

Date Submitted By Summary
8/17/11 2:12 PM testUser
Attribute Lookup Completed
Name=
LName=

the tomcat/log shows:

Thread: 15 INFO [com.vontu.enforce.workflow.attributes.CustomAttributeLookup] Loaded Custom Attribute Lookup Plug-ins. The following Custom Attribute Lookup Plug-ins were loaded: com.vontu.lookup.liveldap.LiveLdapLookup.

the Vontu manager log shows nothing...

any suggestions?

thank you!

Lippi's picture

Why don't you use CsvLookup? I know it's not dynamic... but it's more customizable

Att,

Lippi

sys73r's picture

thanks for the feedback, however with a *zillion users a CsvLookup, I'm afraid, isn't the best way to go in my scenario.

fcruchaga's picture

I think the problem you have is that you have this line twice (by default the sample that comes with Vontu has it twice)

com.vontu.api.incident.attributes.AttributeLookup.plugins= Vontu Live LDAP Lookup

You need to comment out (#) the second one for this to work.

 

Hope this helps.
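
The two configuration mistakes that come up in this thread (the `AttributeLookup.plugins` key defined twice in plugins.properties, and an `attr.*` mapping whose LDAP filter has lost a parenthesis) can be caught before reloading the plug-ins. The following is an added example, not part of any post and not Symantec/Vontu code: a small Python linter that assumes the files are read with java.util.Properties semantics, where the last definition of a repeated key is the one that takes effect. The function names and the abridged sample files are constructed for illustration.

```python
import re

def parse_properties(text):
    """[(lineno, key, value)]; key ends at first unescaped '=', ':' or space (no continuations)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            key = re.sub(r"\\(.)", r"\1", m.group(1))  # First\ Name -> First Name
            entries.append((lineno, key, m.group(2).rstrip()))
    return entries

def duplicate_keys(entries):
    """Keys defined more than once; the last (lineno, value) is the one that loads."""
    seen = {}
    for lineno, key, value in entries:
        seen.setdefault(key, []).append((lineno, value))
    return {k: v for k, v in seen.items() if len(v) > 1}

def malformed_filters(entries):
    """attr.* keys whose searchbase:(filter):ldapAttribute value lacks one balanced filter."""
    bad = []
    for _, key, value in entries:
        if key.startswith("attr."):
            filt = value[value.find("("):value.rfind(")") + 1]
            depth, ok = 0, bool(filt)
            for i, ch in enumerate(filt):
                depth += (ch == "(") - (ch == ")")
                # depth may only return to 0 on the filter's last character
                ok = ok and not (depth <= 0 and i < len(filt) - 1)
            if not ok or depth != 0:
                bad.append(key)
    return bad

# Constructed samples, abridged from the kinds of files posted in this thread.
PLUGINS_SAMPLE = """\
com.vontu.api.incident.attributes.AttributeLookup.plugins= Vontu Live LDAP Lookup
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
"""
LDAP_SAMPLE = r"""
attr.First\ Name = :(|(proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)):givenName
attr.Description = :(|proxyAddresses=$sender-email$)(sAMAccountName=$file-owner$)):description
"""
print(duplicate_keys(parse_properties(PLUGINS_SAMPLE)))
print(malformed_filters(parse_properties(LDAP_SAMPLE)))
```

Run it against the real plugins.properties and LiveLdapLookup.properties by passing each file's text to `parse_properties`; any key reported by `duplicate_keys` should be left defined only once.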