Sender-email does not match mail attribute in LDAP for a given user.


Article ID: 169554




Data Loss Prevention Enforce


Attributes are defined in LDAP for a given user that change their "send as" email address.

Custom Attributes do not populate.


Because the sender email is not the same as the value of the mail attribute for the user, the default LDAP lookups will not work out-of-the-box.


The Administration Guide for DLP specifies the following string as an example for an LDAP lookup string:

attr.CustomAttributeName = search_base:(search_filter=$variable$):ldapAttribute

For additional context, each section of that string is owned by either DLP or LDAP:

    attr.CustomAttributeName    This is a DLP attribute
    = search_base:              This is an LDAP value
    (search_filter=             This is an LDAP value
    $variable$                  This is a DLP variable
    ):ldapAttribute             This is an LDAP value

Furthermore, the Administration Guide states, "In cases where multiple plug-ins are chained together, the parameter might be a variable that is passed to the LDAP Lookup Plug-In by a previous plug-in."

To implement an LDAP Lookup Plug-In:

  1. Create the following custom attributes at System > Attributes > Custom Attributes:

  2. Create a directory connection for the Active Directory server at System > Settings > Directory Connections.
  3. Test the connection. The system indicates if the connection is successful.
  4. Create a new LDAP plug-in at System > Lookup Plugins > New Plugin > LDAP.

     Name: LDAP Lookup Plug-in 0
     Description: Description for the LDAP Plug-in.

  5. Select the directory connection created in Step 2.
  6. Map the attributes to LDAP metadata.
  7. Save the plug-in. Verify that the correct save message for the plug-in is displayed.
  8. Enable the following keys at the System > Lookup Plugins > Lookup Parameters page.
    • Incident
    • Message
    • Sender
  9. Create an incident that generates one of the lookup parameters. For example, an email incident exposes the sender-email attribute. There must be some corresponding information in the Active Directory server.
  10. Open the Incident Snapshot for the incident.
  11. Click the Lookup button and verify that the custom attributes created in Step 1 are populated in the right panel.

The end result will be a new custom attribute, located on the right-hand side of the incident snapshot, where the sender address == newTargetAddress.

attr.First\ Name=:(mail=$newTargetAddress$):givenName
attr.Last\ Name=:(mail=$newTargetAddress$):sn
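
As an added example (not from the article or the product), this Python sketch splits a mapping line into the parts described above and shows the LDAP filter it would yield for a set of variable values, flagging any variable that no lookup parameter or earlier plug-in supplied. The parameter values are constructed, and the RFC 4515 escaping of substituted values is this example's own choice, made because the sender address comes from the message; the article does not say how DLP handles it.

```python
import re

# attr.<DLP attribute> = <search_base>:(<filter with $variable$>):<ldapAttribute>
MAPPING_RE = re.compile(
    r"^attr\.(?P<attribute>(?:\\.|[^=\\])+?)\s*=\s*"
    r"(?P<search_base>.*?):\((?P<filter>.*)\)"
    r":(?P<ldap_attribute>[A-Za-z][A-Za-z0-9;-]*)\s*$"
)
VARIABLE_RE = re.compile(r"\$([^$]+)\$")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def resolve(line, params):
    """Split one mapping line and build the filter it yields for `params`."""
    m = MAPPING_RE.match(line.strip())
    if m is None:
        raise ValueError("not a mapping line: %r" % line)
    # Variables that no lookup parameter or earlier plug-in supplied:
    # report them instead of building a filter.
    missing = [v for v in VARIABLE_RE.findall(m["filter"]) if v not in params]
    ldap_filter = None
    if not missing:
        body = VARIABLE_RE.sub(
            lambda v: escape_filter_value(params[v.group(1)]), m["filter"])
        ldap_filter = "(" + body + ")"
    return {
        "attribute": re.sub(r"\\(.)", r"\1", m["attribute"]),  # "First\ Name"
        "search_base": m["search_base"],
        "ldap_attribute": m["ldap_attribute"],
        "missing": missing,
        "filter": ldap_filter,
    }


if __name__ == "__main__":
    lines = [  # the two mapping lines from the article
        r"attr.First\ Name=:(mail=$newTargetAddress$):givenName",
        r"attr.Last\ Name=:(mail=$newTargetAddress$):sn",
    ]
    # Constructed parameter sets: without and with the chained variable.
    for params in ({"sender-email": "alias@example.com"},
                   {"newTargetAddress": "j*doe@example.com"}):
        for line in lines:
            print(resolve(line, params))
```

A non-empty `missing` list points at a variable name that does not match an enabled lookup parameter or the output of an earlier plug-in in the chain.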