Data Loss Prevention

Configuring LDAP Lookup Plugins 

Mar 22, 2014 06:48 AM

The LDAP Lookup Plugin pulls data from a live LDAP system (such as Microsoft Active Directory, Novell LDAP, Oracle LDAP (formerly Sun ONE), or IBM LDAP). It then uses that data to populate custom attributes for an incident at the time the incident is generated.

The LDAP Lookup Plugin receives a group of lookup parameters that contain data about an incident from the Enforce Server. These lookup parameters are then used in LDAP queries to pull data out of an existing LDAP directory. For example, the value of the sender-email lookup parameter might be compared to the values in the email attribute of the directory. If the sender-email lookup parameter contains account@financecompany.com, a query can be constructed to search for a record whose email attribute contains account@financecompany.com. Data in the record that the search returns is inserted into the custom attributes for the incident.

To configure one or more LDAP Lookup Plugins, follow the procedure steps below.

Procedure Step 1 : Create custom attributes :

Configuring custom attributes

Use the Configure Custom Attribute screen to add or modify a custom attribute.

Custom attributes can be grouped into attribute groups, similar to how statuses are grouped into status groups, to organize the information in a useful way. Examples of common attribute groups include Employee Information, Manager Information, and Remediation Information. All custom attributes are available for all incidents.

To create custom attributes and add them to a group :

i] On the Enforce Server, click System > Incident Data > Attributes > Custom Attributes. Note that a number of custom attributes were defined and loaded for you by the Solution Pack that you selected during installation. All existing custom attributes are listed in the Custom Attributes window.
ii] To create a new custom attribute, click the Add option.
iii] Type a name for the custom attribute in the Name box. If appropriate, check the Is Email Address box.
The name you give to a custom attribute does not matter. But a custom attribute you create must be structured the same as the corresponding external data source. For example, suppose an external source stores department information as separate geographic location and department name. In this case, you must create corresponding location and department name custom attributes. You cannot create a single department ID custom attribute combining both the location and the department name.

iv] Select an attribute group from the Attribute Group drop-down list. If necessary, create a new attribute group. Select Create New Attribute Group from the drop-down list, and type the new group name in the text box that appears.
v] Click the Save option.
vi] Generate a new incident, or view an existing incident, and verify that it contains the new custom attribute.
Once you define your custom attributes, they become available to every incident. Each incident receives its own set of custom attributes (though some name-value pairs may be empty depending on circumstances). The custom attribute values for an incident can be populated and changed independently of other incidents.

You can edit the custom attribute values if you have been assigned to a role that includes edit access for custom attributes. If you want to update a group of incidents, you can select those incidents on the incident list page. You can then select the Set Attributes command from the Incident Actions menu. You can select Lookup Attributes, to look up the values of custom attributes. Note that the Set Attributes command and Attributes section on the Incident Snapshot page are available only if at least one custom attribute is defined.

 Procedure Step 2 : Configure a connection to the LDAP server :

A] A functioning connection to an LDAP server must be available.

B] The connection to the LDAP server can be configured from the link in the LDAP Lookup Plugin.

A] A functioning connection to an LDAP server must be available.

Requirements for LDAP server connections

The following conditions must be met for Symantec Data Loss Prevention to establish a connection with an LDAP directory:

The LDAP directory must be running on a host that is accessible to the Enforce Server.

There must be an LDAP account that Symantec Data Loss Prevention can use. This account must have read-only access. You must know the user name and password of the account.

You must know the Fully Qualified Domain Name (FQDN) of the LDAP server (the IP address cannot be used).

You must know the port on the LDAP server which the Enforce Server uses to communicate with the LDAP server. The default is 389.

You can use an LDAP lookup tool such as Softerra LDAP Browser to confirm that you have the correct credentials to connect to the LDAP server. Also confirm that you have the right fields defined to populate your custom attributes.

B] The connection to the LDAP server can be configured from the link in the LDAP Lookup Plugin.

Configuring directory server connections
The System > Settings > Group Directories > Configure Directory Connection screen is the home page for configuring directory server connections.

 

To create a directory connection

  1. Click Create New Connection.
  2. Enter a Name for the directory server connection.
  3. Specify the Network Parameters for the directory server connection.
  4. Specify the Authentication mode for connecting to the directory server.
  5. Click Test Connection to verify the connection.

    If there is anything wrong with the connection, the system displays an error message describing the problem.

  6. Click Save to save the directory connection configuration.
  7. Verify that the directory server is indexed in the Index and Replication Status tab.

    After you successfully create, test, and save the directory server connection, the system automatically indexes the directory server. Verify that the Replication Status shows "Completed <date> <time>."

  8. Adjust the directory server indexing schedule as necessary from the Index Settings tab.

Procedure Step 3 : Create a new LDAP Lookup Plugin :

Creating new lookup plugins


You must have Server Administration privileges to create and configure lookup plugins.

To create a new lookup plugin

i] Navigate to System > Lookup Plugins in the Enforce Server administration console.
ii] Click New Plugin at the Lookup Plugins List Page screen.

iii] Select the type of lookup plugin you want to create and configure it.


CSV

LDAP

Script

Data Insight

Custom (Legacy)

iv] Click Save to apply the lookup plugin configuration.

The system displays a success (green) message if the plugin was successfully saved or an error (red) message if the plugin is misconfigured and could not be saved.

v] Click Modify Plugin Chain to enable the lookup plugin and, if required, chain multiple plugins.
 

Procedure Step 4 : Map the attributes :

Map the attributes to the corresponding LDAP directory fields. The syntax is as follows:

attr.CustomAttributeName = search_base:
  (search_filter=$variable$):
  ldapAttribute

A] Mapping attributes to LDAP data
You map system and custom attributes to LDAP data in the Attribute Mapping field. Each mapping is entered on a separate line. The order in which these mapping entries appear does not matter.

B] Attribute mapping examples for LDAP

The following mappings provide additional attribute mapping examples for LDAP Lookup Plugins.

The following example attribute mapping searches the hr.corp LDAP directory for a record with an attribute for mail whose value matches the value of the sender-email lookup parameter. It returns to the Enforce Server the value of the givenName attribute for that record.

attr.First\ Name = dc=corp,dc=hr:(mail=$sender-email$):givenName

In the following attribute mapping example, a separate line is entered for each custom attribute that is to be populated. In addition, note the use of the TempDeptCode temporary variable. The department code is needed to obtain the department name from the LDAP hierarchy. But only the department name needs to be stored as a custom attribute. The TempDeptCode variable is created for this purpose.

attr.First\ Name = cn=users:(email=$sender-email$):firstName
attr.Last\ Name = cn=users:(email=$sender-email$):lastName
attr.TempDeptCode = cn=users:(email=$sender-email$):deptCode
attr.Department = cn=departments:(deptCode=$TempDeptCode$):name
attr.Manager = cn=users:(email=$sender-email$):manager
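As an added illustration (not Symantec's code or the product's own resolver), the following Python model of the mapping syntax above parses attr lines, resolves $variable$ references on demand so that a temporary variable such as TempDeptCode works in any order, and escapes incident-derived values per RFC 4515 before substituting them into the search filter. The in-memory directory, the on-demand resolution rule and the rule that an empty upstream lookup leaves the dependent attribute empty are assumptions made for this example.

```python
import re
MAPPING_RE = re.compile(r"^attr\.((?:\\ |\S)+?)\s*=\s*([^:]+):(\(.*\)):(\S+)$")
VAR_RE = re.compile(r"\$([A-Za-z0-9_-]+)\$")

def parse_mappings(text):
    """Parse one mapping per line, attr.<Name> = <search_base>:(<filter with $var$>):<ldapAttribute>,
    into {name: (search_base, filter_template, ldap_attribute)}; 'First\\ Name' becomes 'First Name'."""
    mappings = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = MAPPING_RE.match(line)
        if not m:
            raise ValueError("bad mapping line: " + line)
        mappings[m.group(1).replace("\\ ", " ")] = (m.group(2), m.group(3), m.group(4))
    return mappings

def escape_filter_value(value):
    """RFC 4515 escaping, so an incident-derived value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def resolve(mappings, params, search):
    """Populate every mapped attribute from the incident lookup `params`; `search(base, filter)` returns the
    matching entry as a dict or None. Mapping order does not matter: $Name$ references are resolved on demand."""
    results = {}
    def value_of(name, stack):
        if name in results:
            return results[name]
        if name not in mappings:        # an incident lookup parameter; None when this incident lacks it
            return params.get(name)
        if name in stack:
            raise ValueError("circular mapping through $%s$" % name)
        base, template, ldap_attr = mappings[name]
        needed = {v: value_of(v, stack | {name}) for v in VAR_RE.findall(template)}
        entry = None
        if None not in needed.values():  # an empty upstream lookup (e.g. TempDeptCode) leaves this one empty
            entry = search(base, VAR_RE.sub(lambda m: escape_filter_value(needed[m.group(1)]), template))
        results[name] = entry.get(ldap_attr) if entry else None
        return results[name]
    for name in mappings:
        value_of(name, frozenset())
    return results
# Constructed stand-in for the live directory (equality filters only), assumed for this example.
DIRECTORY = {"cn=users": [{"email": "alice@financecompany.com", "deptCode": "D42"}],
             "cn=departments": [{"deptCode": "D42", "name": "Treasury"}]}

def sample_search(base, filt):
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    return m and next((e for e in DIRECTORY.get(base, []) if escape_filter_value(e.get(m[1], "")) == m[2]), None)

# The page's temporary-variable example, deliberately listed out of order.
PAGE_EXAMPLE = parse_mappings("attr.Department = cn=departments:(deptCode=$TempDeptCode$):name\n"
                              "attr.TempDeptCode = cn=users:(email=$sender-email$):deptCode")
```

Calling resolve(PAGE_EXAMPLE, {"sender-email": "alice@financecompany.com"}, sample_search) returns Treasury for Department via the D42 code, while a wildcard or filter metacharacter in the sender address is escaped and simply fails to match.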

Procedure Step 5 : Save and enable the plugin :
 

The LDAP Lookup Plugin must be enabled on the Enforce Server.

Enabling lookup plugins
To enable a lookup plugin you have to change its status from Off, which is the initial status of a plugin after it is configured, to On. You enable lookup plugins at System > Lookup Plugins > Modify Lookup Plugin Execution Chain.


To enable a lookup plugin

i] Navigate to System > Lookup Plugins in the Enforce Server administration console.
ii] Click Modify Plugin Chain at the Lookup Plugins List Page.
iii] In the Dedicated Actions field, select (check) the On option.
iv] Click Save to apply the configuration.
If the plugin cannot be loaded, the system reports an error and the plugin state remains Off. In this case, check the latest Tomcat log file for the error.

Procedure Step 6 : Test and troubleshoot the LDAP lookup plugin.

Troubleshooting lookup plugins
Symantec Data Loss Prevention provides logging and error messages specific to lookup plugins. The most common errors involve the failure of a plugin to load due to one or more misconfigurations. If a lookup plugin fails to load, the exception is logged as a warning at the system events screen and in the Tomcat log. In addition, the attribute map and plugin execution chain are logged in the Tomcat log.

To troubleshoot lookup plugin errors

i] Navigate to the System > Servers > Overview screen and look for any warnings in the Recent Error and Warning Events table at the bottom of the page.
ii] On the Enforce Server host, open the log file \SymantecDLP\protect\Enforce\logs\tomcat\localhost.<date>.log.
iii] Troubleshoot errors that appear in the Tomcat localhost log file.

iv] Configure detailed logging for lookup plugins if the plugin fails but errors are not logged.

v] Refer to the troubleshooting topics for specific plugins.

Testing and troubleshooting LDAP Lookup Plugins

Complete these steps to troubleshoot LDAP Lookup Plugin implementations.


To troubleshoot an LDAP Lookup plugin

i] If the plugin does not save correctly, verify the configuration.
ii] Before using the LDAP Lookup Plugin, test the connection to the LDAP server. You can use a lookup tool such as the Softerra LDAP Browser to help confirm that you have the correct fields defined.
iii] Make sure that the plugin is enabled.
iv] Make sure that you created the Custom Attribute definitions. In particular, check the attribute mapping. The attribute names must be identical.
v] If you made changes, or edited the lookup parameter keys, reload the plugin.
vi] Select Incidents > All Incidents for the detection server you are using to detect the incident.
vii] Select (check) several incidents and select Lookup Attributes from the Incident Actions drop-down menu. (This action looks up attribute values for all incidents for that form of detection.)
viii] Check the Incident Snapshot screen for an incident. Verify that the Lookup Custom Attributes are filled with entries retrieved from the LDAP lookup.
ix] If the correct values are not populated, or there is no value in a custom attribute you have defined, make sure that no connection errors are recorded in the Incident History tab.
x] Check the Tomcat log file.

LDAP Lookup Plugin tutorial:
This tutorial provides steps for implementing a simple LDAP Lookup Plugin.

To implement an LDAP Lookup Plugin

i] Create the following custom attributes at System > Attributes > Custom Attributes:
LDAP givenName

LDAP telephoneNumber

ii] Create a directory connection for the Active Directory server at System > Group Directories.
For example:

Hostname: enforce.dlp.company.com

Port: 389

Base DN: dc=enforce,dc=dlp,dc=com

Encryption: None

Authentication: Authenticated

username: userName

password: password

iii] Test the connection. The system indicates if the connection is successful.
iv] Create a new LDAP plugin at System > Lookup Plugins > New Plugin > LDAP.
Name: LDAP Plugin Name

Description: Description for the LDAP Plugin.

v] Select the directory connection created in Step 2.
vi] Map the attributes to LDAP metadata.
attr.LDAP\ givenName = cn=users:(|(givenName=$endpoint-username$)(mail=$sender-email$)(streetAddress=$discoverserver$)):givenName
attr.LDAP\ telephoneNumber = cn=users:(|(givenName=$endpoint-username$)(mail=$sender-email$)(streetAddress=$discoverserver$)):telephoneNumber

vii] Save the Plugin. Verify that the correct save message for the plugin is displayed.
viii] Enable the following keys at the System > Lookup Plugins > Lookup Parameters page.
Incident

Message

Sender

ix] Create an incident that generates one of the lookup parameters. For example, an email incident will expose the sender-email attribute. There must be some corresponding information in the Active Directory server.
x] Open the Incident Snapshot for the incident.
xi] Click the Lookup button and verify that the custom attributes created in Step 1 are populated in the right panel.
