How to Configure Live LDAP Lookup
search cancel

How to Configure Live LDAP Lookup


Article ID: 160400


Updated On:


Data Loss Prevention Enforce Data Loss Prevention Data Loss Prevention Core Package


Configuration steps for setting up Live LDAP Lookup


Purpose: Configuration steps for setting up Live LDAP Lookup.

Step 1 - Update

\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0\Protect\config\

# Automatic lookup.
# Specifies whether the lookup should be triggered automatically when a new incident is detected. = true

Step 2: Define Custom Attribute Mappings

In the Enforce console, go to System > Incident Data > Lookup Plugins and click on the Custom Attributes tab.

Under New Plugin, select LDAP, Enter a Name, select the desired Directory Connection, then add the required attributes.

Here's an example:

## ----- Custom Attribute Mappings ------------
#  In the following section custom attributes in the Enforce server can be assigned
#  an LDAP query.  The format for this mapping is the following:
#        attr.CustomAttributeName = searchbase:(searchfilter=$variable$):ldapAttribute
#  If the CustomAttributeName requires a space character you should escape it with a backslash.
#  You can assign queries to temporary variables and use those variables in subsequent
#  queries.  For example:
#               attr.TemporaryVariable = <query here>
#  This would declare a variable called TemporaryVariable.  The value stored in this variable can
#  be referenced using $Temporary$ in subsequent queries.
attr.Title = ou=Users:(mail=$sender-email$):title
attr.Telephone\ Number = ou=Users:(mail=$sender-email$):telephoneNumber
attr.Country = ou=Users:(mail=$sender-email$):c
attr.Department = ou=Users:(mail=$sender-email$):department
attr.Manager = ou=Users:(mail=$sender-email$):manager
attr.Manager\ Email = ou=Users:(distinguishedName=$Manager$):mail

The syntax of the attribute string is as follows:

Before the equal sign is 'attr.' followed by the name of the custom attribute as configured on the DLP enforce server. The custom attribute names (e.g. 'attr.Title') MUST match custom attributes that already exist in System > Incident Data > Attributes on the Custom Attributes tab. Any spaces must be escaped with backslashes, as shown in the example above. Note that the complete string is also case-sensitive, including the 'attr.' prefix as well as the attribute name.

After the equal sign, the first section (before the first colon) is the location in the LDAP tree where the search for this attribute will be performed ('ou=Users' in this example). If the search will be done from the base DN, you should omit this part.

The second section (between the two colons) is the LDAP search filter. In this example, we are searching for any object whose 'mail' attribute matches the 'sender-email' variable retrieved from the incident.

The third section (after the last colon) is the LDAP attribute that will be searched for, and populated into the DLP custom attribute.

Steps to follow once the properties files are updated:

1. Restart the SymantecDLP services on the Enforce server whenever has been modified.
2. Navigate to Custom Attributes page and click Reload Lookup Plug-ins. Make sure you get a green success message.
3. Navigate to an incident snapshot and click Lookup to retrieve custom attributes. Verify that attribute values are populated.


NOTE: Reference article 160482 for finding LDAP output, this helps with knowing what attribute to map to.

Secondary NOTE:  For more information, please refer to our documentation under the section Managing and configuring lookup plug-ins



Applies To


The details in this technote apply to DLP versions earlier than 11.6.

In DLP 11.6, configuration of Lookup Plugins was moved to the UI.