Does Live LDAP Lookup support Secure LDAP / LDAPS Symantec Data Loss Prevention

Article ID: 160055
Products

Data Loss Prevention Enforce

Issue/Introduction

Can Live LDAP Lookup authenticate through secure LDAP (636/tcp instead of 389/tcp)?

Resolution

The LDAP connection used by the lookup plugin can be set up to use a secure LDAP (LDAPS) connection on port 636. To do so, import the certificate of the Active Directory server into the cacerts keystore on the Enforce Server. The Enforce console help also describes how to make a secure connection: search the help for "SSL" and select "Importing SSL certificates to Enforce or Discover servers" from the results.

  1. Obtain the certificate of the AD server that your LDAP lookup plugin configuration connects to. Note: whichever host you connect to is the host whose AD certificate you need.
  2. Import this certificate into the Enforce cacerts keystore. The procedure from the Enforce help file is as follows:
    1. Copy the certificate file you want to import to the Enforce Server.
    2. Change directory to the JRE bin directory:
      - For DLP 15.1-15.7: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_202\bin on the Enforce Server or Discover Server computer.
      - For DLP 15.8 and newer: C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin
    3. Execute the keytool utility with the -importcert option to import the public key certificate into the Enforce Server cacerts keystore:
      keytool -importcert -alias myAdServer -keystore ..\lib\security\cacerts -file my-domaincontroller.crt
      In this example command, myAdServer is a new alias to assign to the imported certificate and my-domaincontroller.crt is the path to your certificate file.
    4. When prompted, enter the password for the keystore. By default, the password is changeit. If you want, you can change the password when prompted. To change the keystore password, use:
      keytool -storepasswd -new <newPassword> -keystore <keystore>
      Example: keytool -storepasswd -new changeit2 -keystore ..\lib\security\cacerts
  3. Create a directory connection in Enforce; make sure the port is 636 and check the box for a secure connection. Once the connection test succeeds, save the connection in Enforce.
  4. In your LDAP lookup plugin configuration, select the secure LDAP connection you created in the previous steps, and test the LDAP plugin.

The LDAP plugin will now pull data securely over port 636.
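As an added example (not part of this article and not Symantec's own tooling), the following PowerShell script performs steps 1 and 2 above end to end on the Enforce Server: it retrieves the certificate the domain controller presents on port 636, prints its subject, issuer and thumbprint so you can compare them against the DC before trusting it, writes it to a .crt file, imports it into cacerts with keytool -importcert, and then lists the alias to confirm the import succeeded. The host name dc01.example.local, the alias and the keystore password are placeholders; the JRE path is the DLP 15.8+ path given in the article and must be changed for DLP 15.1-15.7.

```powershell
# Added example, not from the KB article. Placeholders: $DcHost, $Alias, $StorePass.
param(
    [string]$DcHost    = 'dc01.example.local',                         # placeholder: your AD host
    [int]   $Port      = 636,                                          # LDAPS
    [string]$Alias     = 'myAdServer',                                 # alias used in the article
    [string]$JreBin    = 'C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin',  # DLP 15.8+ path from the article
    [string]$StorePass = 'changeit'                                    # default cacerts password
)

$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $JreBin 'keytool.exe'
$cacerts  = Join-Path $JreBin '..\lib\security\cacerts'
$certFile = Join-Path $env:TEMP "$DcHost.crt"

# 1. Fetch the certificate the DC presents on 636.
#    The validation callback returns $true only so the handshake completes and the
#    certificate can be read; trust is decided by checking the thumbprint below, not here.
$client = New-Object System.Net.Sockets.TcpClient($DcHost, $Port)
$ssl = New-Object System.Net.Security.SslStream(
    $client.GetStream(), $false,
    ([System.Net.Security.RemoteCertificateValidationCallback] { $true }))
$ssl.AuthenticateAsClient($DcHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Dispose()

Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)   <- compare with the DC's certificate before trusting"
Write-Host "Expires   : $($cert.NotAfter)"

# Write the certificate as DER, which keytool -importcert accepts.
[System.IO.File]::WriteAllBytes($certFile, $cert.Export('Cert'))

# 2. Import it into the Enforce Server cacerts keystore.
#    -noprompt skips the interactive "Trust this certificate?" question.
& $keytool -importcert -noprompt -alias $Alias -keystore $cacerts -storepass $StorePass -file $certFile
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed with exit code $LASTEXITCODE" }

# 3. Confirm the alias is now present in the truststore.
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "alias $Alias not found in $cacerts" }
```

Run it from an elevated PowerShell prompt, because cacerts under Program Files is not writable by a standard user. If the issuer printed in step 1 is your enterprise CA rather than the DC itself, consider importing the CA certificate instead of the server certificate, so the connection keeps working after the DC's certificate is renewed.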