Enabling Live LDAP Lookup for Symantec DLP

I recently spent several days bashing my head against configuring LDAP lookup within the Symantec Enforce UI for a customer and ran into several problems. In fact I posted a forum post on Symantec Connect (https://www-secure.symantec.com/connect/forums/problems-live-ldap-lookup) discussing some of the problems that I was having. The following article is based on that pain and also on some holes in the existing documentation. There are several guides on the Vontu Knowledge base (kb-vontu.altiris.com), specifically KB 42831.

Note: Spelling counts, as the files are case sensitive.

The following steps need to be done in the following order:

  1. Configure the Plugins.Properties file in c:\vontu\protect\config
  2. Configure the LiveLdapLookup.Properties file in c:\vontu\protect\config
  3. Add the custom attributes in the Enforce UI
  4. Reload the custom attributes in the Enforce UI
  5. Profit

Configure the Plugins.Properties file

This file enables the different plugin files that can be used by Symantec DLP. As mentioned in the KB article, the following two lines need to be added: com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup and com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties. These settings determine which plugins are loaded.

Another item that needs to be configured is the attribute lookup parameters. Editing this section of the file is not covered in the knowledge base entries. The default attribute lookup parameter is sender-email, which is commented out; uncomment it. If there are other items you will be searching on (for example, file-owner for Data at Rest items), uncomment them as well. Save your changes.

Note: I have attached my working plugins.properties file

Configure the LiveLdapLookup.properties file

This section can be the most challenging to configure. Remember that this file is case sensitive: what is in Active Directory must match what is in this file and what is configured in the Enforce UI. The knowledge base entry uses email as the common search criterion, but in most Active Directory environments the attribute is actually mail; if that is the case, the setting will look like the following: (mail=$sender-email$).

The next part that can cause the most trouble is configuring the base dn in the first part of the file. In my test lab my file looks like the following:

servername = dc.itslab.local
port = 389
basedn = DC=ITSLAB,DC=local

How did I determine my basedn? The KB article recommends Softerra's LDAP Browser, though I have used ADSI Edit from Microsoft (part of the Windows 2003 Server tools). The following screenshot shows ADSI Edit for my test domain:

NOTE: The server is dc.itslab.local and then under DC=itslab,DC=local is what I put as my basedn. Remember spelling counts, the lookup will fail if you put in ITSLAB or LOCAL.

Once we have the basedn configured we need to configure the attribute lookup. Remember we need to make sure the attributes we are searching match both Active Directory and the attributes in the Enforce UI.

The default properties file contains the following example: attr.Company = cn=user:(mail=$sender-email$):Company. However, changes are needed based on how Active Directory is configured in your company. In my environment I need to search the OU ITS_Partners, which changes my search to attr.Company = OU=ITS_Partners:(mail=$sender-email$):company. When I look in ADSI Edit I see the following screenshot:

Notice the lower case c for company matches what I am using in my attribute search. Save your changes and restart the Vontu Services.
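To make the attr line format concrete, here is an added example (my own illustration, not code from Symantec's plugin) that parses an attr.Name = searchbase:(filter):adattribute line, appends the search base to the basedn, and substitutes the incident's sender-email into the filter. The RFC 4515 escaping of the substituted value is an assumption about good practice, not a statement of what the real plugin does; the attribute names and values are the ones from this post.

```python
import re

# Line format used on this page:
#   attr.<EnforceAttribute> = <search base>:(<LDAP filter>):<AD attribute>
# The search base is relative and is prepended to basedn from the same file.
ATTR_LINE = re.compile(
    r"^attr\.(?P<name>[^\s=]+)\s*=\s*(?P<base>[^:]*):(?P<filter>\(.*\)):(?P<ad>\S+)$"
)


def parse_attr_line(line):
    """Split one attr.* line into its Enforce name, search base, filter and AD attribute."""
    m = ATTR_LINE.match(line.strip())
    if not m:
        raise ValueError("not a valid attr line: %r" % line)
    return m.groupdict()


def escape_filter_value(value):
    """RFC 4515 escaping so incident data (e.g. a crafted sender address) cannot
    alter the structure of the LDAP filter it is substituted into (assumed practice)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def render_filter(template, incident):
    """Replace $sender-email$-style placeholders with escaped incident attribute values."""
    def substitute(m):
        key = m.group(1)
        if key not in incident:
            # The placeholder must also be uncommented in Plugins.properties.
            raise KeyError("incident has no attribute %r" % key)
        return escape_filter_value(incident[key])
    return re.sub(r"\$([A-Za-z0-9_-]+)\$", substitute, template)


def build_search(spec, basedn, incident):
    """Return the absolute search base, rendered filter and AD attribute to fetch."""
    base = spec["base"] + "," + basedn if spec["base"] else basedn
    return {
        "base": base,
        "filter": render_filter(spec["filter"], incident),
        "attribute": spec["ad"],
    }


if __name__ == "__main__":
    spec = parse_attr_line("attr.Company = OU=ITS_Partners:(mail=$sender-email$):company")
    # Constructed sample incident, not data from the post.
    print(build_search(spec, "DC=ITSLAB,DC=local", {"sender-email": "jdoe@itslab.local"}))
```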

Add the attributes in the Enforce UI

Once the text files are configured, we need to configure the attributes in the Enforce UI. Navigate in the console to System -> Attributes and click on the Custom Attribute tab as the following screenshot shows:

To add a custom attribute click on Add and then add the corresponding attribute you are looking for. Once all of your attributes are configured, click on the Reload Lookup Plugins button and verify things work correctly.

Testing Attribute Lookup

Now that we have our attributes configured in Enforce, let's test them. Navigate to an existing incident in the Enforce UI and select Lookup. If you are successful, the attributes should populate from Active Directory.

As you can see from the screenshot, I have populated First Name, Last Name, Title, Department, Location, and Company from Active Directory.

Troubleshooting Tips

Some small troubleshooting tips:

  1. Make sure spelling on all attributes and lookups match
  2. Don't forget to restart the Vontu services after making changes to one of the .properties files
  3. Change the logging level for the plugin framework:
    1. In the ManagerLogging.properties edit com.vontu.logging.ServletLogHandler.level to FINER
    2. Add (if it doesn’t exist) com.vontu.lookup.script.level = FINER
  4. Change the logging for LDAP lookup
    1. In the ManagerLogging.properties file add a line: com.vontu.diretory.ldap.LdapLookup.level = FINER
  5. Review VontuManager.log and tomcat\localhost.[date].log for more information
