Does Live LDAP Lookup support Secure LDAP / LDAPS?


Article ID: 160055


Data Loss Prevention Enforce


Can Live LDAP Lookup authenticate through secure LDAP (636/tcp instead of 389/tcp)?


The LDAP connection for the lookup plugin can be set up to use a secure LDAP connection on port 636. To set up the secure LDAP connection, import the AD certificate into the cacerts keystore on the Enforce Server. Also see the help in the Enforce console on how to make a secure connection: search for "SSL" and select "Importing SSL certificates to Enforce or Discover servers" from the help file menu.

1. Get the AD certificate of the server that you connect to in your LDAP lookup plugin configuration. Note: Get the AD certificate from whichever host you are connecting to.
2. Import this certificate into the Enforce cacerts keystore. See the Enforce help file on importing the certificate into the Enforce cacerts keystore; the steps are also listed below:
3. Copy the certificate file you want to import to the Enforce Server.
4. Change directory to c:\SymantecDLP\jre\bin on the Enforce Server or Discover Server computer.
5. Execute the keytool utility with the -importcert option to import the public key certificate into the Enforce Server cacerts keystore:
       keytool -importcert -alias myAdServer -keystore ..\lib\security\cacerts -file my-domaincontroller.crt
       In this example command, myAdServer is a new alias to assign to the imported certificate and my-domaincontroller.crt is the path to your certificate.
6. When you are prompted, enter the password for the keystore.
       By default, the password is changeit. If you want, you can change the password when prompted.
       To change the password, use: keytool -storepasswd -new <newPassword> -alias <aliasName> -keystore <keystore>
       Example: keytool -storepasswd -new changeit2 -alias myAdServer -keystore ..\lib\security\cacerts
7. Create a directory connection in Enforce. Make sure the port is 636 and check the box for secure connection. Once the connection is successful, save the connection in Enforce.
8. In your LDAP lookup plugin configuration, use the secure_ldap connection you created in the previous steps, and test the LDAP plugin.

The LDAP plugin now pulls its data over a secure connection on port 636.
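
To confirm that the import in steps 5 and 6 stored the certificate you intended, the following PowerShell script exports the entry back out of cacerts and compares its SHA-256 fingerprint with the original file. It is an added example, not part of the original article or the product documentation; it assumes it is run from c:\SymantecDLP\jre\bin and reuses the alias and file name from the example command above.

```powershell
# Added example: verify the certificate imported into the Enforce cacerts keystore.
# Assumptions: run from c:\SymantecDLP\jre\bin; default values are the names used
# in the article's example command. keytool prompts for the keystore password.
param(
    [string]$CertFile = 'my-domaincontroller.crt',
    [string]$Alias    = 'myAdServer',
    [string]$Keystore = '..\lib\security\cacerts'
)

function Get-CertInfo([string]$Path) {
    # X509Certificate2 reads PEM or DER files; RawData is the DER encoding.
    $full = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ':'
    } finally {
        $sha.Dispose()
    }
    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Sha256   = $hash
    }
}

# Export the keystore entry to a temporary file so both copies are hashed the same way.
$exported = Join-Path $env:TEMP "$Alias-exported.cer"
if (Test-Path $exported) { Remove-Item $exported }
& .\keytool.exe -exportcert -alias $Alias -keystore $Keystore -file $exported
if ($LASTEXITCODE -ne 0) {
    throw "keytool could not export alias '$Alias' from $Keystore (exit code $LASTEXITCODE)."
}

$fromFile  = Get-CertInfo $CertFile
$fromStore = Get-CertInfo $exported
Remove-Item $exported

"Subject  : $($fromStore.Subject)"
"Expires  : $($fromStore.NotAfter)"
"File     : $($fromFile.Sha256)"
"Keystore : $($fromStore.Sha256)"

if ($fromFile.Sha256 -ne $fromStore.Sha256) {
    throw "Fingerprint mismatch: alias '$Alias' does not hold the certificate in $CertFile."
}
if ($fromStore.NotAfter -lt (Get-Date)) {
    throw "The certificate stored under alias '$Alias' has expired."
}
"OK: alias '$Alias' matches $CertFile."
```

Compare the printed fingerprint with the one reported by the administrator of the domain controller before relying on the connection created in step 7.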