Data Loss Prevention

  • 1.  Configuring LDAP Custom Attributes

    Posted Feb 28, 2013 04:44 PM

    OK, so here is my problem. I have 3 different domains that include about 30,000 users. On occasion I might have users with the same login in different domains.

    example: jdoe

    reality:

    domain1\jdoe

    domain2\jdoe

    The problem is DLP is confusing the two and mixing up managers and user names. So the manager is getting an email they should not get, or the manager is getting the email but the person's name is different. In my lookup script that was set up prior to me, it looked like this with custom attributes:

    attr.TempEmployee=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
    attr.TempManager=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager
    attr.Manager\ Name=:(distinguishedName=$TempManager$):name
    attr.Employee\ Dept=:(distinguishedName=$TempEmployee$):department
    attr.Manager\ Email=:(distinguishedName=$TempManager$):mail
    attr.Employee\ Email=:(distinguishedName=$TempEmployee$):mail
    attr.Employee\ Office=:(distinguishedName=$TempEmployee$):physicalDeliveryOfficeName
    attr.Manager\ Title=:(distinguishedName=$TempManager$):title
    attr.Employee\ Name=:(distinguishedName=$TempEmployee$):name
    attr.Employee\ Title=:(distinguishedName=$TempEmployee$):title
    attr.Manager\ Phone=:(distinguishedName=$TempManager$):telephoneNumber
    attr.Employee\ Phone=:(distinguishedName=$TempEmployee$):telephoneNumber
    attr.Employee\ Phone=:(distinguishedName=$TempEmployee$):telephoneNumber
     
    I then tried to add the domain in and it completely breaks it. Like this:
     
    attr.TempEmployee=DC=charlie,DC=kaplan,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
    attr.TempManager=DC=charlie,DC=kaplan,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager
    attr.Manager\ Name=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):name
    attr.Employee\ Dept=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):department
    attr.Manager\ Email=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):mail
    attr.Employee\ Email=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):mail
    attr.Employee\ Office=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):physicalDeliveryOfficeName
    attr.Manager\ Title=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):title
    attr.Employee\ Name=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):name
    attr.Employee\ Title=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):title
    attr.Manager\ Phone=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempManager$):telephoneNumber
    attr.Employee\ Phone=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):telephoneNumber
    attr.Employee\ Phone=DC=charlie,DC=kaplan,DC=com:(distinguishedName=$TempEmployee$):telephoneNumber
     
    I am not sure why it is breaking and I cannot figure out why this refuses to work. Can someone take a look at this and point me in the right direction?

     



  • 2.  RE: Configuring LDAP Custom Attributes

    Posted Mar 02, 2013 11:50 AM

    Hi Mike, please refer to:

    https://www-secure.symantec.com/connect/articles/how-use-custom-attributes-symantec-data-loss-prevention-part-1-2

    https://www-secure.symantec.com/connect/articles/enabling-live-ldap-lookup-enforce

    https://www-secure.symantec.com/connect/forums/problems-live-ldap-lookup



  • 3.  RE: Configuring LDAP Custom Attributes

    Trusted Advisor
    Posted Mar 13, 2013 11:24 PM

    Mike..

    Being the one who worked on the LDAP plugin.. let me help you out. Though I will need some answers first.

    The issue might be resolved quickly if you just modify the System > Group Directories connection the LDAP plugin uses. Modify the Base DN there: DC=charlie,DC=kaplan,DC=com

    This will work ONLY if you need to ONLY look at the specified domain/base DN.

    Otherwise we will need to explore your needs.

    • Why is there an account with the same name in different domains, and are these different people or the same?
    • Is there a specific domain that is the source of truth that we can point to?
    • What version of DLP are you on? 11.6 or previous?
    • If 11.6 please post a screen shot of the Group Directory used for LDAP
    • If previous to 11.6, please post the top portion of the LDAP lookup config file, sans the passwords
    • What DLP products do you have?


    Please call solved if possible!!

    Ronak



  • 4.  RE: Configuring LDAP Custom Attributes

    Posted Mar 14, 2013 09:27 AM

    Hello Ronak, thanks for responding back. I have a ticket open with Symantec and they cannot figure this out at this point. To answer your questions.

    My company has been around for a while, and in the early stages we were divided into different domains for the different groups. Until very recently each group tried to remain separate, but due to the economy and budget cuts the company has streamlined itself and brought most of the other domains in closer. In each domain the admins created users not knowing they were creating a user with the same name just under a different domain. We have since made our help desk aware that that practice will stop. I ran an AD pull of the enterprise and found just over 2,000 users that have the same login just under a different domain. It is a big task to have to reach out to each user and change not only their login name but in some cases the apps they log in to, to match the new name. Plus it comes down to time and money to be spent to fix it.

    We do have one domain that is above the other two but it is not charlie. We have three major domains with one on top and the other two side by side below.

    I currently have our system running on DLP version 11.6.1 and a screenshot is attached.

    We are currently using Network Monitor, Network Discover, Endpoint Prevent, Endpoint Discover, Network Prevent for E-mail.

     

    The odd thing is when I try to add the base DN into the lookup plugin everything breaks. Example below:

    attr.TempEmployee=DC=kaplaninc,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
    attr.TempManager=DC=kaplaninc,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager

     

    Now if I take the base DN out, everything works except for the users with identical logins.

    attr.TempEmployee=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):distinguishedName
    attr.TempManager=:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$UserName$)):manager



  • 5.  RE: Configuring LDAP Custom Attributes

    Posted Mar 14, 2013 10:44 AM

    Hello,

    Is there anyone here who thinks that something very bad happened with the last version of DLP?

    How come Symantec made such a major change to Attributes and didn't check it?
    Since the upgrade to version 11.6.1, I do not see any attributes on DLP, and it seems a lot of companies have the same problem.

    I have a case that has been open for 2 weeks already with Symantec support, and still there is no solution. Nothing we tried worked.

    BTW, connectivity to SIEM was also changed, without any notice.

    I just do not understand how come that no one updated customers about these changes.

    Thanks

     



  • 6.  RE: Configuring LDAP Custom Attributes

    Trusted Advisor
    Posted Mar 14, 2013 02:24 PM

    Dor.

    Check your settings for LDAP in 11.6.

    After the upgrade, many of the installations changed the order of the LDAP settings, so you may need to put them in the right order.

     

    Post your settings and we can see if we can find the answer.

     

    Do you have multiple domains (tree) in your environment?

     

    Ronak



  • 7.  RE: Configuring LDAP Custom Attributes
    Best Answer

    Trusted Advisor
    Posted Mar 14, 2013 06:17 PM

    Mike..

    You cannot add the Base DN to the configuration; that is already defined in the Connection setting. The connection states where in the LDAP tree to start searching from. So adding it to the config lines is telling it to go to DC=kaplan,DC=com,DC=charlie,DC=kaplan,DC=com, which does not exist.

    The issue you have here is that the search criteria are based off of the username and the top of the domain. So if there are multiple usernames with the same name, it may not pull the right one.

    If it searches for juser it will find the first juser, then populate it with the first details it finds. So if it found the wrong one, then it will have errors.

    I bet this is happening ONLY with Endpoint and Discover incidents.. that is, if each user has a different email address?

    This will work for all of the SMTP incidents, but not for Discover or Endpoint (these two are username-based searches).

    Overall your search is corrupted.

    Mark Solved if possible!!

    Ronak
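
    The lookup that Mike's attr.TempEmployee line performs, and the first-match behaviour Ronak describes in the answer above, modelled as an added Python example. This is not code from the thread or from Symantec's LDAP lookup plugin; the directory entries, the domain1/domain2.example.com names, the function names and the way effective_base_dn concatenates the two base DNs are all constructed or assumed for illustration. It shows why a sAMAccountName search from the forest base is ambiguous when two domains hold the same login (the Endpoint/Discover case), why the mail branch of the OR filter avoids that for SMTP incidents, and why prefixing a base DN onto the config line yields a DN that matches nothing.

```python
# Added example, not code from the thread or from Symantec's LDAP lookup plugin.
# It models the (|(mail=...)(sAMAccountName=...)) search from the attr.TempEmployee
# line against a small in-memory "forest" and shows the cross-domain collision the
# thread describes. All entries, domains and function names are constructed.

FOREST_BASE = "DC=example,DC=com"   # what the Group Directory connection points at

DIRECTORY = [  # constructed sample entries; two domains share the login "jdoe"
    {"distinguishedName": "CN=John Doe,OU=Users,DC=domain1,DC=example,DC=com",
     "sAMAccountName": "jdoe", "mail": "jdoe@domain1.example.com", "name": "John Doe",
     "manager": "CN=Alice Mgr,OU=Users,DC=domain1,DC=example,DC=com"},
    {"distinguishedName": "CN=Jane Doe,OU=Users,DC=domain2,DC=example,DC=com",
     "sAMAccountName": "jdoe", "mail": "jane.doe@domain2.example.com", "name": "Jane Doe",
     "manager": "CN=Bob Mgr,OU=Users,DC=domain2,DC=example,DC=com"},
    {"distinguishedName": "CN=Alice Mgr,OU=Users,DC=domain1,DC=example,DC=com",
     "sAMAccountName": "amgr", "mail": "amgr@domain1.example.com", "name": "Alice Mgr",
     "manager": ""},
    {"distinguishedName": "CN=Bob Mgr,OU=Users,DC=domain2,DC=example,DC=com",
     "sAMAccountName": "bmgr", "mail": "bmgr@domain2.example.com", "name": "Bob Mgr",
     "manager": ""},
]


class AmbiguousLookup(Exception):
    """Raised instead of silently taking the first hit, which is how the wrong
    manager ends up on an incident."""


def _under_base(dn, base_dn):
    # DN suffix match on a component boundary, case-insensitive like AD
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(base_dn, attr, value):
    """Subtree search under base_dn for entries whose attr equals value."""
    return [e for e in DIRECTORY
            if _under_base(e["distinguishedName"], base_dn)
            and e.get(attr, "").lower() == value.lower()]


def first_match(base_dn, username):
    """The behaviour the accepted answer describes: first sAMAccountName hit wins."""
    hits = search(base_dn, "sAMAccountName", username)
    return hits[0] if hits else None


def resolve_employee(base_dn, sender_email=None, username=None):
    """Same OR filter as attr.TempEmployee, but mail (unique forest-wide) is tried
    first and a multi-domain sAMAccountName collision is reported, not guessed."""
    if sender_email:
        hits = search(base_dn, "mail", sender_email)
        if len(hits) == 1:
            return hits[0]
    if username:
        hits = search(base_dn, "sAMAccountName", username)
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            raise AmbiguousLookup(
                f"{username!r} matches {len(hits)} entries under {base_dn}: "
                + "; ".join(h["distinguishedName"] for h in hits))
    return None


def manager_of(employee, base_dn):
    """The second-stage (distinguishedName=$TempManager$) lookup."""
    hits = search(base_dn, "distinguishedName", employee["manager"])
    return hits[0] if hits else None


def effective_base_dn(config_prefix, connection_base_dn):
    """Assumption modelled on the accepted answer: a base DN written into the
    config line is placed in front of the connection's base DN, so the two
    concatenate into a DN that exists nowhere in the forest."""
    return f"{config_prefix},{connection_base_dn}" if config_prefix else connection_base_dn


if __name__ == "__main__":
    print("SMTP incident:", resolve_employee(FOREST_BASE, sender_email="jane.doe@domain2.example.com")["name"])
    print("first match for jdoe:", first_match(FOREST_BASE, "jdoe")["name"])
    try:
        resolve_employee(FOREST_BASE, username="jdoe")   # Endpoint incident: username only
    except AmbiguousLookup as exc:
        print("Endpoint incident:", exc)
    print("scoped to domain2:", resolve_employee("DC=domain2,DC=example,DC=com", username="jdoe")["name"])
    bad_base = effective_base_dn("DC=kaplaninc,DC=com", FOREST_BASE)
    print("hits under", bad_base, "->", search(bad_base, "sAMAccountName", "jdoe"))
```

    Run as-is it prints the four outcomes side by side: the mail lookup resolves Jane uniquely, first_match returns John for the bare login "jdoe", resolve_employee refuses to guess between the two domains unless the search base is narrowed to one of them, and the concatenated base DN returns no entries at all, which is the "everything breaks" symptom in the thread. The practical takeaway is that a username-only lookup from the forest root should be treated as a detection signal (more than one hit) rather than silently resolved.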



  • 8.  RE: Configuring LDAP Custom Attributes

    Posted Mar 18, 2013 02:32 PM

    Ronak, you were on the right path. I did go ahead and change the lookup to go off of the top domain in the hierarchy. It has always been this way until about the upgrade to version 11.6.1, and we never had any issues.

     

    I did change the lookup order and it did make it better!?! Not sure how or why it seems like it is working, but it is.

     

    Also, this is only happening with Endpoint incidents. I will go ahead and mark it solved, as I ended up changing the lookup order. Hopefully I will not see any other issues.