I recently spent several days bashing my head against configuring LDAP lookup within the Symantec Enforce UI for a customer and ran into several problems. In fact, I posted a thread on Symantec Connect (https://www-secure.symantec.com/connect/forums/problems-live-ldap-lookup) discussing some of the problems I was having. The following article is based on that pain and on some holes in the existing documentation. There are several guides on the Vontu Knowledge Base (kb-vontu.altiris.com), specifically KB 42831.
Note: Spelling counts, as the files are case sensitive.
The following steps need to be done in this order:
- Configure the Plugins.properties file in c:\vontu\protect\config
- Configure the LiveLdapLookup.properties file in c:\vontu\protect\config
- Add the custom attributes in the Enforce UI
- Reload the custom attributes in the Enforce UI
Configure the Plugins.properties file
This file enables the different plugin files that Symantec DLP can use. As mentioned in the KB article, the following two lines need to be added:
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties
These settings determine which plugins are used.
Another item that needs to be configured is the attribute lookup parameters; editing this section of the file is not covered in the knowledge base entries. The default attribute lookup parameter is sender-email, which is commented out: uncomment it. If there are other items you will be searching on (for example file-owner for Data at Rest incidents), uncomment them as well. Save your changes.
Note: I have attached my working plugins.properties file
Configure the LiveLdapLookup.properties file
This section can be the most challenging to configure. Remember that this file is case sensitive: what is in Active Directory needs to match what is in this file and what is configured in the Enforce UI. The knowledge base entry uses email as the common search criterion; however, in most Active Directory environments the field is actually mail, in which case the setting will look like the following: (mail=$sender-email$).
The next part that can cause the most trouble is configuring the basedn at the top of the file. In my test lab the file looks like the following:
servername = dc.itslab.local
port = 389
basedn = DC=ITSLAB,DC=local
How did I determine my basedn? The KB article recommends Softerra's LDAP Browser, though I have used ADSI Edit from Microsoft (part of the Windows Server 2003 Support Tools). The following screenshot shows ADSI Edit for my test domain:
NOTE: The server is dc.itslab.local, and the DC=itslab,DC=local entry beneath it is what I put as my basedn. Remember, spelling counts: the lookup will fail if you put in ITSLAB or LOCAL.
Once we have the basedn configured we need to configure the attribute lookup. Remember we need to make sure the attributes we are searching match both Active Directory and the attributes in the Enforce UI.
The default properties file contains the following example:
attr.Company = cn=user:(mail=$sender-email$):Company
However, you will need to make changes based on how Active Directory is configured in your company. In my environment I need to search the OU ITS_Partners, which changes my search to:
attr.Company = OU=ITS_Partners:(mail=$sender-email$):company
When I look in ADSI Edit I see the following screenshot:
Notice that the lower-case c in company matches what I am using in my attribute search. Save your changes and restart the Vontu services.
Add the attributes in the Enforce UI
Once the text files are configured, we need to add the attributes in the Enforce UI. Navigate in the console to System -> Attributes and click on the Custom Attribute tab, as the following screenshot shows:
To add a custom attribute, click Add and enter the attribute you are looking up; its name must match the attr.<name> entry in LiveLdapLookup.properties exactly. Once all of your attributes are configured, click the Reload Lookup Plugins button and verify things work correctly.
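Because a single case or punctuation mismatch between LiveLdapLookup.properties, Plugins.properties and the Enforce custom attribute names silently breaks the lookup, it is worth checking the three against each other before restarting the services. The script below is an added example, not part of the article or of Symantec DLP: it parses the attr.* lines in the format the article describes, flags an unbalanced $param$ placeholder, a parameter that is still commented out in Plugins.properties, and an attribute name that does not match the Enforce UI spelling. The properties sample, the enabled-parameter set and the Enforce attribute set are constructed here; in practice you would read them from your own files and console.

```python
import re

# Constructed sample modelled on the article's examples; not the author's attached file.
LIVE_LDAP_PROPERTIES = """\
servername = dc.itslab.local
port = 389
basedn = DC=ITSLAB,DC=local
attr.Company = OU=ITS_Partners:(mail=$sender-email$):company
attr.Department = OU=ITS_Partners:(mail=$sender-email$):department
attr.Title = OU=ITS_Partners:(mail=$sender-email):title
attr.Location = OU=ITS_Partners:(mail=$file-owner$):l
attr.title = OU=ITS_Partners:(mail=$sender-email$):title
"""

# Assumed inputs (constructed): lookup parameters left uncommented in
# Plugins.properties, and the custom attribute names typed into the Enforce UI.
ENABLED_LOOKUP_PARAMS = {"sender-email"}
ENFORCE_CUSTOM_ATTRIBUTES = {"Company", "Department", "Title", "Location"}

# attr.<Name> = <search base>:(<LDAP filter>):<AD attribute>
ATTR_LINE = re.compile(
    r"^attr\.(?P<name>[^=\s]+)\s*=\s*(?P<base>[^:]*):\((?P<filter>.*)\):(?P<ad_attr>\S+)$")
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_-]+)\$")  # $sender-email$, $file-owner$, ...

def check_live_ldap_config(properties_text, enabled_params, enforce_attrs):
    """Return the problems found in the attr.* lines; an empty list means the
    spellings line up across both files and the Enforce UI."""
    problems = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line.startswith("attr."):
            continue  # servername, port and basedn are not validated here
        m = ATTR_LINE.match(line)
        if not m:
            problems.append(f"{line!r}: not of the form attr.<Name> = <base>:(<filter>):<attribute>")
            continue
        name, filt = m.group("name"), m.group("filter")
        if name not in enforce_attrs:
            problems.append(f"{name}: no custom attribute with exactly this spelling in the Enforce UI")
        placeholders = PLACEHOLDER.findall(filt)
        if filt.count("$") != 2 * len(placeholders):  # e.g. $sender-email with no closing $
            problems.append(f"{name}: unbalanced '$' in filter {filt!r}; write placeholders as $param$")
        for param in placeholders:
            if param not in enabled_params:
                problems.append(f"{name}: parameter '{param}' is still commented out in Plugins.properties")
    return problems

if __name__ == "__main__":
    for problem in check_live_ldap_config(LIVE_LDAP_PROPERTIES, ENABLED_LOOKUP_PARAMS,
                                          ENFORCE_CUSTOM_ATTRIBUTES):
        print("PROBLEM:", problem)
```

Run it before the service restart; a clean run means only the basedn and the Active Directory attribute names themselves remain to be verified in ADSI Edit.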
Testing Attribute Lookup
Now that we have our attributes configured in Enforce, let's test them. Navigate to an existing incident in the Enforce UI and select Lookup. If the lookup is successful, the attributes should populate from Active Directory.
As you can see from the screenshot, I have populated First Name, Last Name, Title, Department, Location, and Company from Active Directory.
Some small troubleshooting tips:
- Make sure spelling on all attributes and lookups match
- Don't forget to restart the Vontu services after making changes to either of the .properties files
Change the logging level for the plugin framework:
- In the ManagerLogging.properties edit com.vontu.logging.ServletLogHandler.level to FINER
- Add (if it doesn’t exist) com.vontu.lookup.script.level = FINER
Change the logging for LDAP lookup:
- In the ManagerLogging.properties file add the line: com.vontu.diretory.ldap.LdapLookup.level = FINER
- Review VontuManager.log and tomcat\localhost.[date].log for more information.