Configuring LDAP Lookup Plugins in Symantec DLP 15.5+

November 23, 2020 | Symantec DLP Enforce

To configure one or more LDAP Lookup Plugins, follow the procedure below.

1. Add directory connections from System > Settings > Directory Connections
   a) Confirm the Authentication test is successful
   b) Go to the Index Settings tab and complete rebuilding the index (MUST be completed at least once)
   c) Go to Index and Replication Status and confirm the information is populated with version number, date, etc.
2. Create custom attributes, for example:
   Employee Info: Title, Name, Phone, Email, Office Location
   Business Info: Division, Department
3. Create an LDAP plug-in
   a) Configure Lookup Parameters
   b) Modify the Lookup Plugin Chain to enable the plugin
   c) Reload the plugin each time any modification is made
4. Test Lookup

It is important to understand the User Objects in Active Directory Users and Computers and their corresponding LDAP mappings. LDAP mapping attributes may differ between versions of the AD schema. See the Microsoft article on User Object User Interface Mapping.

Reference:
https://docs.microsoft.com/en-us/windows/desktop/ad/user-object-user-interface-mapping

http://edocs.mitel.com/UG/UCA_Web_Help/Admin_Web_Help/7.0/uca/common_ad_ldap_field_mappings.htm

You may need to run a PowerShell command to list all properties of a user by sAMAccountName and correlate the attribute mappings. For example, to see all properties of the user BobJones in your AD, run the following command in PowerShell:

    PS C:\> Get-ADUser BobJones -Properties *

Reference:

https://ss64.com/ps/get-aduser.html

Say you want to display the following attributes; here are the steps needed:

| Attributes | As per Microsoft KB | Use Get-ADUser (your env) |
|---|---|---|
| Business Division | company | company |
| Business Department | department | department |
| Employee Title | title | businessCategory |
| Employee Name | displayName | displayName |
| Employee Phone | telephoneNumber | mobile |
| Employee Email | E-mail-Addresses | mail |
| Employee Office Location | physicalDeliveryOfficeName | office |

So the attribute mappings will look like this:

attr.Name=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):displayName

attr.Office\ Location=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):office

attr.Office\ Phone=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):mobile

attr.Email=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):mail

attr.Division=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):company

attr.Department=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):department

attr.Title=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):businessCategory
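
A consistency check for mapping lines like those above, as an added example that is not part of the original article or of Symantec's tooling: it parses each attr. line and reports names that do not match a custom attribute from step 2, unbalanced filters, and filters with no lookup variable. It assumes the line layout inferred from the mappings on this page and that each attr. name must match a custom attribute exactly; the function names are hypothetical.

```python
import re

# Custom attributes created in step 2 of the procedure on this page.
CUSTOM_ATTRIBUTES = {"Title", "Name", "Phone", "Email", "Office Location",
                     "Division", "Department"}

# Assumed layout, inferred from the mapping lines on this page:
#   attr.<custom attribute>=<search base>:<LDAP filter>:<LDAP attribute>
LINE = re.compile(r"^attr\.(?P<name>(?:\\.|[^=\\])+)=(?P<base>[^:(]*):"
                  r"(?P<filter>\(.*\)):(?P<ldap>[A-Za-z][\w-]*)$")
VARIABLE = re.compile(r"\$[A-Za-z][\w-]*\$")  # e.g. $file-owner$

def balanced(ldap_filter):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def lint(text, known=CUSTOM_ATTRIBUTES):
    """Return (line_number, message) findings for a block of mapping lines."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        if not match:
            findings.append((number, "not in attr.<name>=<base>:<filter>:<attribute> form"))
            continue
        # Undo the backslash escape: "Office\ Location" -> "Office Location"
        name = re.sub(r"\\(.)", r"\1", match["name"])
        if name not in known:
            findings.append((number, f"'{name}' is not a defined custom attribute"))
        if not balanced(match["filter"]):
            findings.append((number, "unbalanced parentheses in LDAP filter"))
        if not VARIABLE.search(match["filter"]):
            findings.append((number, "filter has no $variable$ to match on"))
    return findings

if __name__ == "__main__":
    # Constructed input: two of the mapping lines shown on this page.
    sample = (r"attr.Name=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):displayName" "\n"
              r"attr.Office\ Phone=:(|(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$file-owner$)):mobile")
    for number, message in lint(sample):
        print(f"line {number}: {message}")
```

Run against your own mapping text with the set of custom attributes defined in your Enforce console passed as `known`.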
